WordPress Delayed Disclosure of Critical Vulnerability

2.2.2017 securityweek Vulnerebility
WordPress has disclosed a critical privilege escalation vulnerability patched on January 26 with the release of version 4.7.2. The developers of the content management system (CMS) said they wanted to make sure users were protected against potential attacks before making the details public.

When it announced the release of version 4.7.2, WordPress said the latest version patched three vulnerabilities, including SQL injection, cross-site scripting (XSS) and access control issues.

However, it turns out that WordPress 4.7.2 also addresses a severe privilege escalation flaw that can be exploited to hijack websites. Fortunately, there is no evidence that the weakness has been exploited in the wild.

The security hole, discovered by researchers at Sucuri, has been described by WordPress developers as an unauthenticated privilege escalation vulnerability in a REST API endpoint. The flaw affects WordPress websites running versions 4.7.0 and 4.7.1.

By sending a specially crafted request, an unauthenticated attacker can change the content of any post on the targeted website. Next, they can add plugin-specific shortcodes and exploit other flaws that would normally be restricted to users with elevated privileges. An attacker can also abuse the compromised website for SEO spam, to inject ads, and even execute PHP code, depending on which plugins are enabled.

In a blog post published on Wednesday, WordPress Core Contributor Aaron D. Campbell explained that the disclosure of the vulnerability was delayed by one week to give websites time to update their installations.

Sucuri’s Marc-Alexandre Montpas reported the vulnerability to WordPress on January 20 and a fix was created shortly after. While the patch was being tested by developers, Sucuri configured its Web Application Firewall (WAF) to block exploitation attempts and WordPress reached out to companies such as SiteLock, Incapsula and CloudFlare so that they could protect their customers as well. WordPress hosts were also notified and provided instructions on how to protect users.

“Data from all four WAFs and WordPress hosts showed no indication that the vulnerability had been exploited in the wild,” Campbell said. “As a result, we made the decision to delay disclosure of this particular issue to give time for automatic updates to run and ensure as many users as possible were protected before the issue was made public.”

2017 Singapore ICS Cyber Security Conference Call for Papers is Open!

2.2.2017 securityweek Cyber
The Largest and Longest Running Cyber Security-focused Conference for the Industrial Control Systems (ICS) Sector is Coming to Singapore!

The official Call for Papers (presentations) for SecurityWeek's 2017 Singapore Industrial Control Systems (ICS) Cyber Security Conference, being held April 25–27 at the Fairmont Singapore is now open.

As the largest and longest-running cyber security-focused event series for the industrial control systems sectors, the conference caters to the energy, water, utility, chemical, transportation, manufacturing, and other industrial and critical infrastructure organizations.

With a long history, the conference has proven to bring value to attendees through the robust exchange of technical information, actual incidents, insights, and best practices to help protect critical infrastructures from cyber attacks.

Produced by SecurityWeek, the conference addresses ICS/SCADA topics including protection for SCADA systems, plant control systems, engineering workstations, substation equipment, programmable logic controllers (PLCs), and other field control system devices.

The Conference is unique and has historically focused on control system end-users from various industries and what cyber vulnerabilities mean to control system reliability and safe operation. It also has a long history of having discussions of actual ICS cyber incidents.

The 2017 Conference is expected to attract hundreds professionals from the Asia Pacific (APAC) region, including large critical infrastructure and industrial organizations, military and government officials.

Through the Call for Papers, a conference committee will accept speaker submissions for possible inclusion in the program at SecurityWeek’ 2017 ICS Cyber Security Conference | Singapore.

The conference committee encourages proposals for both main track and “In Focus” sessions. All sessions are 45 minutes in length including Q&A.

The Conference Committee is particularly interested in submissions on the following topics: ICS/SCADA cyber incidents in the APAC region, results and observations from ICS/SCADA mitigation measures, results and observations from ICS/SCADA vulnerability assessments, live attack demonstrations, vulnerabilities and exploits, and results and observations from joint IT/ICS projects.

To be considered, interested speakers should submit proposals by email to events(at)securityweek.com with the subject line “ICSS2017 CFP” by February 28, 2017. Submissions will be reviewed on an ongoing basis so early submission is encouraged.

Submissions must include proposed presentation title, an informative session abstract, including learning objectives for attendees if relevant; and contact information and bio for the proposed speaker.

All speakers must adhere to the 100% vendor neutral / no commercial policy of the conference. If speakers cannot respect this policy, they should not submit a proposal.

Plan on Attending the 2017 ICS Cyber Security Conference | Singapore? Online registration is now open, with discounts available for early registration.

Passwords Are Not Dead; There Are 90 Billion of Them, Report Says

2.2.2017 securityweek Security
The Total Number of Passwords Will Likely Grow from Approximately 90 Billion Today to 300 Billion by 2020, Report Says

There are 90 billion instances of something-you-know (that is, some flavor of the password mechanism) being used around the globe as the primary form of protecting cyber secrets today. This is a huge attack landscape that is frequently broken; but despite repeated claims that the password is dead -- for example, by Bill Gates in 2004, by IBM in 2011 and by Google in 2013 -- passwords show no sign of going away.

This is the conclusion of a new research report (PDF) from Cybersecurity Ventures and Thycotic. Not only is the password here to stay for the foreseeable future, its use will increase by threefold to around 300 billion instances by 2020. "Passwords are absolutely not dead -- they are not even declining -- and there is currently no technology that is replacing them," explains Thycotic's Joseph Carson, co-author of the report. "The current rate of growth is significant and the threat landscape for passwords will, by 2020, be three times what it currently is."

That growth will be fueled by more people coming online, by more people using social media logons and generating 'hidden' passwords in the process, and perhaps above all by the internet of things.

Part of the study included examining alternative technology that could replace passwords, such as biometrics. "We could find nowhere that biometrics have ever replaced passwords," said Carson. "They have complemented passwords, but have never replaced them. And they bring their own problems: processing power, storage costs, potential data protection issues (because they identify an individual rather than the possessor of an item of knowledge), and because they cannot be changed once compromised."

Carson is not a supporter of biometric authentication. "Once my fingerprint is disclosed, I can no longer use it. For example, the DHS collects all fingerprints during immigration. If they were ever breached and the fingerprints were disclosed, you would never be able to use any of your fingers again as a method of authentication." The same problem, he added, exists with retina and facial biometrics. "Many facials can be broken by using videos or recordings. So biometrics are good; but once they're compromised you can never use them again." Some are simply unreliable. "Heart rate and pulse, voice and others, can be impacted by the environment -- such as altitude, current health etc. Or you could injure an eye or finger and you always get back to the back-up -- the password."

Carson's argument is that if passwords are here to stay and there is no technology currently capable of replacing them, they need to be better supported. "Passwords are good," he said. Provided they are done correctly, "they work and are effective." But they can always, eventually, be broken by brute force computing power, "so depending on the sensitivity of what you are protecting, you will need to consider additional protections on top of the password."

So there are two ways forward: to improve the use of passwords at the user level, and to support the operation of passwords at the system level. He advocates the use of password managers to offset user password fatigue, and he believes that where multi-factor authentication is used, it should be mandated, not simply recommended. "We found in a separate study that in 2016 less than 10% of people and companies are actually managing their passwords, so this needs to be done more effectively and more efficiently."

One increasing option that Carson rejects is the use of social media logons to simplify user effort. Counter-intuitively, it increases the number of passwords in play, increases the threat level, and can have privacy implications for the user. "When we visit an airport or hotel or anywhere else that offers wifi that asks 'would you like to login using your Facebook account?' and we say yes, then it creates an application password in the background. Whenever this happens," he warns, "all those sites and applications can continuously profile the information in our social media account. Most people don't realize or know about that. But now we're creating this continuous growth of application passwords that don't expire, that don't change, but have continuous access to our data -- and there is no easy way to revoke them. Single sign on and social media is a convenience, but from a security perspective it is a major security risk. Those application passwords can be obtained by attackers and used against us."

One of the problems is that there is little consistency in either recommendations or options. For example, in September 2015 the UK's GCHQ issued password guidance that included, "Regular password changing harms rather than improves security, so avoid placing this burden on users."

"GCHQ's recommendations are good in one sense," said Carson, "but they differ from Australia's recommendations, they differ from security researchers' recommendations, and in the end, they just add to the global inconsistency. We really need a global collective approach. Right now there is too much inconsistency regarding policies, and multi-national companies end up having to deal with multiple national password policies. Personally, I'm more of a mandate person. Recommendations are good, but unless they are mandated, nobody really takes it seriously."

At the system level, he believes that we will begin to see behavioral analytics increasingly being used to support passwords. "I'm not a big fan of things that use my physical ability as a measure of behavior," he said, "but I do like things based on predictability. Humans are by nature repetitive -- we tend to do the same things many times. For example, when we access an application or service we typically use the same browser from mostly the same location and we generally open applications in the same order -- so we tend to have a repetitive behavioral pattern. If this pattern changes, then that means there should be a challenge to verify that we really are who we say we are." Identity systems could be used for this, and Carson is a firm believer in government controlled identities.

"If the challenge comes back with a valid response then the new behavior can be added to the behavioral pattern. Behavioral analytics will become a major and important part of complementing passwords in organizations' future security posture."

Cisco Patches WebEx Flaw in Firefox, IE Plugins

2.2.2017 securityweek Vulnerebility
Cisco has shared additional information on the recently disclosed vulnerability affecting WebEx, and informed customers that patches have also been made available for the Internet Explorer and Firefox plugins.

The vulnerability, identified as CVE-2017-3823, allows an unauthenticated attacker to remotely execute arbitrary code with the privileges of the web browser by getting the targeted user to access a specially crafted web page.

The flaw was discovered by Google Project Zero researcher Tavis Ormandy in the WebEx extension for Chrome and disclosed after it was apparently patched by Cisco. Further investigation by Ormandy and Cisco revealed that the initial fix was incomplete and that the security hole also affected the plugins for Firefox and Internet Explorer.

Cisco has determined that the vulnerability also impacts WebEx Meetings Server and WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center) on Windows.

According to the networking giant, the flaw has been patched in Chrome with the release of version 1.0.7 of the WebEx extension, and in Firefox with the release of version 106 of the ActiveTouch General Plugin Container.

In Internet Explorer, version 10031.6.2017.0126 and version of the GpcContainer Class ActiveX and Download Manager ActiveX control plugins, respectively, address the issue.

The patches for Internet Explorer and Firefox were released on January 28. Both Google and Mozilla have restored the WebEx extension after temporarily removing it from their web stores.

Cisco pointed out that the security hole does not affect Microsoft’s Edge browser or other operating systems.

Users have been advised to ensure that they have the latest version installed, although browsers typically check for updates at regular intervals and install them automatically. Some customers of WebEx Meetings Server and WebEx Meeting Centers may need to request the patches from their service providers or download them from Cisco’s website.

While the details of the vulnerability have been publicly available for more than a week, Cisco says it has not found any evidence of exploits in the wild.

RIG Exploit Kit Drops New CryptoMix Ransomware Variant

2.2.2017 securityweek Exploit
A new variant of the CryptoMix ransomware is being distributed via the RIG exploit kit (EK), security researchers have discovered.

The distribution of CryptoMix was previously associated with RIG, which has been used to drop other ransomware families, including Cerber. In the past, the threat was also associated with the activity of one of the long-standing infection chains out there, namely EITest, and the new distribution campaign features it as well.

EITest, which has been distributing malware such as the Spora ransomware, Gootkit information stealer, and the Chthonic and Ursnif banking Trojans, among others, has seen some changes since October 2016, when it stopped using a gate between the compromised website and the EK landing page, and no longer employed obfuscation for the scripts injected on legitimate sites.

The campaign makes use of two variants of the RIG exploit kit, namely RIG-E (or Empire Pack) and Rig-V (an improved, “VIP” version of the EK), and was most recently associated with a malware distribution campaign specifically targeting users of the Chrome browser on Windows computers.

As mentioned above, CryptoMix (also known as CryptFile2), has been distributed through EITest and RIG before, and the only thing that changed in this regard recently is the ransomware variant, which BleepingComputer refers to as CryptoShield 1.0.

Similar to other EITest attacks, as soon as a victim accesses a compromised site, the injected code redirects them to the RIG EK’s landing page. The exploit kit then attempts to leverage vulnerable software on the potential victim’s machine and, if successful, installs the newly discovered ransomware variant.

Once installed on the compromised computer, the malware generates a unique ID for the machine, along with an encryption key, both of which are then uploaded to the command and control (C&C) server. Next, the malware starts scanning the computer for targeted files, and then proceeds to encrypt them. The ransomware targets over 400 file extensions.

The new CryptoMix variant encrypts every file using AES-256 encryption, while also encrypting the filename using ROT-13, and appending the .CRYPTOSHIELD extension to it. The malware creates ransom notes in each of the folders where encrypted files are located, while also attempting to disable the Windows startup recovery and to delete the Windows Shadow Volume Copies, so as to prevent users from recovering their data.

Next, the malware displays a fake alert informing the user that Exporer.exe has encountered a problem. Only an “OK” button is available on the window, and, when the user clicks it, a User Account Control prompt is displayed, requesting permission to execute a process. If the user agrees, the ransomware displays a note informing them on the infection and how they can pay the ransom to recover the files.

The note refers to the ransomware as CryptoShield 1.0 and provides victims with three email addresses they can contact to kick off the ransom payment and file recovery process. The ransom note is essentially unchanged from what CryptoMix was dropping last year, except for the new malware name and the use of different email addresses in the newly spotted campaign.

Dutch to Count Election Votes by Hand to Thwart Hackers

2.2.2017 securityweek Hacking
The Hague - Dutch authorities will count by hand all the votes cast in next month's general elections, ditching "vulnerable" computer software to thwart any cyber hacking bid, a top minister said Wednesday.

"I cannot rule out that state actors may try to benefit from influencing political decisions and public opinion in The Netherlands," Interior Minister Ronald Plasterk said in a letter to parliament.

On March 15 The Netherlands kicks off a key year of elections in Europe, due to be closely watched amid the rise of far-right and populist parties on the continent.

Dutch officials are already on alert for signs of possible cyber hacking following allegations by US intelligence agencies that Russia may have meddled in November's US presidential polls to help secure Donald Trump's victory.

Plasterk told parliament that fears over "the vulnerabilities of the software" used by the country's election committee "had raised questions about whether the upcoming elections could be manipulated."

He insisted in a letter to MPs that "no shadow of a doubt should hang over the results" of the parliamentary polls, which some analysts predict could result in a five-party coalition.

Therefore the interior ministry and the election committee had decided "to calculate the results based on a manual count."

Some 12.6 million Dutch voters are eligible to cast ballots to usher in a new 150-seat lower house of parliament, with some 31 parties having so far registered for permission to field candidates. The election committee will rule on Friday how many parties will be allowed to run.

Far-right anti-Islam MP Geert Wilders and his Freedom Party (PVV) have been leading the opinion polls for months, leaving Prime Minister Mark Rutte's Liberal party (VVD) trailing in second place.

A polls aggregate on Wednesday predicted Wilders would emerge as the largest party with 27-31 seats, with Rutte's party gathering just 23-27 seats -- both far short of the 76-seat majority needed.

That would presage a period of intense haggling to form the next government.

Fake Chrome Font Update Attack Distributes Ransomware

2.2.2017 securityweek Virus
A malware campaign targeting Chrome users with fake font update notifications is now distributing ransomware instead of ad fraud malware, researchers have discovered.

The malicious campaign, supposedly launched for the first time on December 10, 2016, was initially observed dropping the Fleercivet ad fraud malware, as Proofpoint security researcher Kafeine revealed a couple of weeks ago. The campaign tied to the EITest compromise chain, which has been around for some time, mainly associated with exploit kit activity.

The campaign stood out because it was targeting Chrome for Windows users with clever social engineering tactics: code injected into compromised websites would fingerprint visitors and, if certain criteria were met, it would make the text on the page look unreadable while also displaying a fake alert informing users they needed to install a font pack update to properly view content.

Victims were told that the browser couldn’t find the font needed to properly display the page and that the update should be installed immediately. Users were prevented from closing the fake alert via the “x” button, and the malware would immediately start installing in the background if the user approved the update.

Recently, the campaign has seen some changes, with the final payload replaced with the Spora ransomware, Brad Duncan, Palo Alto Networks threat intelligence analyst and handler at the SANS Internet Storm Center, reveals. The infection mechanism, however, remained the same: a fake Chrome popup appears when visiting an infected website and the user installs malware masquerading as a legitimate font update.

The final payload is no longer delivered under the name “Chrome_Font.exe,” but “Update.exe” is used instead. The same as before, however, the file has malicious intent: it installs a piece of ransomware (Spora) that encrypts users’ data and holds it for ransom.

The Spora ransomware emerged last month as one of the most powerful threats in its category. Although new, the malware packed well-implemented encryption procedures, a well-designed payment site, and provided victims with several “packages” to choose from, all of which made researchers believe the threat was the offspring of professionals.

Leveraging Windows CryptoAPI for encryption, the malware uses a mix of RSA and AES and a complex key generation operation that allows it to encrypt files without access to a command and control (C&C) server. What’s more, the encryption process was found to be strong enough to ensure that a decryption tool destined for one victim would not work for another.

Zimperium Throws $1.5 Million at Mobile N-day Exploits

2.2.2017 securityweek Vulnerebility
Zimperium Launches Exploit Acquisition Program for Android and iOS N-Days, But No Interest in 0-Days

Bug bounty programs exist to encourage researchers to find and report zero-day vulnerabilities. The theory is that the vulnerability is patched and the threat goes away. In reality, however, the zero-day vulnerability simply becomes an N-day exploit; where 'n' is the number of days between the patch and its deployment. During this period, an N-day exploit is as dangerous as a 0-day exploit.

This is a particular problem in the mobile world, where millions of users remain at risk for extended periods due to poor deployment processes that never reach the majority of mobile devices. Now Zimperium, which raised $12 million in Series B funding in February 2015, is attempting to upset the status quo with the announcement of a zLabs $1.5 million N-day exploit acquisition program.

Mobile N-Days and Zero-Days

"Unfortunately, the security patching process for mobile devices' operating systems is extremely slow, which leaves companies and individuals highly vulnerable to dozens of security threats," explains Zuk Avraham, CTO and founder at Zimperium. "Through zLab's new Exploit Acquisition Program, our customers, partners, and the rest of the cybersecurity community will be notified of these vulnerabilities so that they will be able to provide the highest level of protection possible."

There are several actual and hoped-for effects. The first is that once an N-day exploit is known, it will apply pressure to the mobile ecosystem to rethink and improve the security process update. The second is that it will encourage and reward those researchers that develop exploits that immediately become worthless, in bug bounty terms, as soon as the vulnerability is known to the vendor.

The third is that it will simply make for a more secure mobile market. With the researcher's approval, the exploit will be released to members of the Zimperium Handset Alliance (ZHA). This includes Samsung, Softbank, Telstra, Blackberry and more than 30 members of well-known handset vendors and mobile carriers around the world. Zimperium will publicly release the exploit crediting the researcher after between one and three months.

The fourth is Zimperium's own reward. It will use the exploits and the techniques used in the exploit to enhance its own machine learning z9 threat detection engine. This will give customers protection against the exploit even before the patch is released and deployed.

The reporting process is relatively simple for researchers who produce relevant N-day exploits. They should simply email ninja_exploits at nothuman.ninja, describe the exploit, quote the CVE number, explain how the exploit chain works, and state whether they wish to release the code publicly, and receive credit for it.

The exploit is then evaluated by a zLabs committee, and a researcher compensation offer raised. "As a rule," Avraham told SecurityWeek, "critical flaws -- such as a full, remote exploit chain -- will receive more compensation than local exploits. Once we are able to trigger a vulnerability on an older device/OS, we will provide a quote."

"It's simple," he wrote in a blog post today. "We'll buy remote or local exploits targeting any version other than the latest version of iOS and Android."

It could be argued that by encouraging the development of N-day exploits and incorporating their solution into the z9 detection engine, Zimperium is increasing the threat level for any user not using Zimperium. Avraham refutes this suggestion. "While individual device owners won't see the benefits of this program immediately," he told SecurityWeek, "we're doing everything we can to enhance the way that users receive security updates.

"Sophisticated attackers," he continued, "didn't wait for this program to research the monthly security bulletins. These vulnerabilities already exist and are explored by sophisticated actors. Making these vulnerabilities available to the Zimperium Handset Alliance (ZHA) and then the security community, decreases the chances that they will be used in targeted attacks, increases the chances of the carriers to stop these attacks, increases the chances of the vendors allocating resources to provide an update, and helps the entire ecosystem."

In reality, the scheme formalizes and increases what Zimperium has already done. In September 2015 it published an exploit for a critical Android Stagefright vulnerability. The vulnerability had already been patched by Google, but the existence of a published exploit applied pressure on Android suppliers to deliver the patch.

It is certainly true that anything done to decrease the duration of an N-day exploit must be beneficial. But what happens if the $1.5 million runs out? "That will be a great problem to have," said Avraham. "Depending on the success of the program we may allocate more."

HPE Acquires Behavioral Analytics Startup Niara

2.2.2017 securityweek Cyber
Hewlett Packard Enterprise (NYSE: HPE) announced on Wednesday that it has acquired Niara, a provider of User and Entity Behavior Analytics (UEBA) software, for an undisclosed sum.

Sunnyvale, California-based Niara offers a security that platform blends diverse data sources, analytics and forensics to help discover compromised users, provide insight into malicious insiders, enable threat hunting efforts, and efficiently prioritize alerts for investigation.

Niara has raised roughly $30 million in funding, including a $20 million Series B round in April 2015. The company has been operating out of stealth mode for less than two years.

This past summer Niara launched a new UEBA tool designed to detect existing and unknown ransomware.

Gartner defines the UEBA as follows: "User and Entity Behavior Analytics offers profiling and anomaly detection based on a range of analytics approaches, usually using a combination of basic analytics methods and advanced analytics… Examples of these activities include unusual access to systems and data by trusted insiders or third parties, and breaches by external attackers evading preventative security controls."

According to HPE, Niara will operate within HPE’s Aruba unit to enhance the company's ClearPass network security portfolio.

“Adding Niara to the HPE Aruba ClearPass portfolio advances HPE's Intelligent Edge strategy for transforming workplace and operational experiences within the fast-growing wired and wireless network infrastructure market for traditional and IoT devices," HPE explained.
After a security incident is discovered by Niara’s platform, HPE says, a ClearPass network access policy can be triggered to automatically isolate or disconnect a user or device from the network to prevent access to sensitive data.

"Integrating Niara's advanced behavioral analytics with ClearPass is a natural extension that will now deliver network-wide, real time visibility and predictive assessment of potential risks inside the enterprise, said Sriram Ramachandran, CEO and co-founder of Niara.

Earlier this week, Exabeam launched a new security intelligence platform that leverages UEBA to challenge traditional SIEM solutions. Another player in the UEBA space is E8 Security, which raised $12 million in a Series B funding round led by Strategic Cyber Ventures in October 2016.

Foreign hackers broke into the Czech Foreign Ministry email
2.2.2017 securityaffeirs Cyber

A nation state actor could be behind the security breach suffered by the Czech Foreign Ministry, experts are investigating the case.
On Tuesday the Czech Foreign Minister Lubomir Zaoralek announced that threat actors have breached dozens of email accounts at the Czech Foreign Ministry. Zaoralek added that the cyber-attacks were likely conducted by a foreign state, but he did not blame any states for the attack.

The list of the compromised accounts includes the Zaoralek’s one.

The Czech Foreign Minister confirmed that hackers did not penetrate the ministry’s internal communication system and no confidential material was compromised, even if attackers have stolen a huge quantity of data.

“When I discussed this with the best experts that we have here, they told me that the character of the attack was such that the attack was very sophisticated, that it must have been, according to them, conducted by some foreign state, from the outside,” Zaoralek told a news conference who was also reported by the Reuters Agency.

“They also told me that the way the attack was done very much resembles the character of attacks against the system of the Democratic Party in the United States.”

A government source told Reuters that Czech authorities suspect the attacks originated from Russia. The Czech experts discovered the security breach early January and are currently investigating whether other key government institutions have also been targeted by the same group.

The Czech Republic is one of the NATO alliance, according to the Reuters in October Czech authorities arrested Russian citizen Yevgeniy Nikulin, who has been indicted in the United State for computer hacking. Both U.S. and Russia requested his extradition.

It is alert on cyber espionage in Europe, recently Franche Defense Minister Le Drian comments expressed concerns about cyber attacks against defense systems and warns of hacking campaigns on the upcoming elections.

Routery od Netgearu obsahují kritickou bezpečnostní trhlinu. Opět

2.2.2017 Novinky/Bezpečnost Zranitelnosti
Na pozoru by se měli mít majitelé routerů od společnosti Netgear. Tyto brány do světa internetu totiž obsahují kritickou bezpečnostní trhlinu, kterou mohou počítačoví piráti zneužít ke vzdáleným útokům. Stejnému riziku přitom byli uživatelé vystaveni už na konci loňského roku.
Před chybou týkající se zabezpečení routerů varoval český Národní bezpečnostní tým CSIRT, který je provozován sdružením CZ.NIC. „Mnohé modely routerů společnosti Netgear obsahují zranitelnosti, které lze zneužít v případě, že je povolen vzdálený management routeru,“ varoval bezpečnostní analytik Pavel Bašta z týmu CSIRT.

„Pokud je tato funkcionalita povolena, mohou útočníci získat heslo do zařízení pomocí webového dotazu sloužícího obvykle pro obnovu hesla. Vzdálený management není ve výchozím nastavení povolen,“ konstatoval Bašta.

Závažná chyba se objevila již loni
Stejně závažnou chybu měly routery od společnosti už na konci loňského roku. 

Útok tehdy také začínal ve chvíli, kdy uživatel navštívil podvodnou webovou stránku. Prostřednictvím ní se dostane do routeru záškodník, s jehož pomocí může kyberzločinec například řídit síťový provoz.

Že je router zavirovaný, mohou uživatelé poznat například podle toho, že jim přestane z připojených počítačů zcela fungovat internetové připojení, případně se při snaze o připojení na nějakou webovou stránku zobrazí úplně jiný web.

Přesně to se stalo už v minulosti kvůli zranitelnosti známé jako „rom-0“. Místo serverů, jako jsou například Seznam.cz nebo Google.com, se poškozeným zobrazila hláška o nutnosti instalace flash playeru. Místo té se ale do PC stáhnul další virus. Útočníci tak rázem měli přístup nejen k routeru, ale i k připojenému počítači.

Oprava je již k dispozici
„Společnost Netgear již vydala aktualizaci firmwaru pro některé z dotčených modelů,“ podotkl bezpečnostní analytik. Právě zmiňovaná oprava zavře počítačovým pirátům zadní vrátka do routeru.

S instalací aktualizace by tak lidé neměli rozhodně otálet.

Critical WordPress REST API Bug: Prevent Your Blog From Being Hacked!
2.2.2017 thehackernews Hacking
Last week, WordPress patched three security flaws, but just yesterday the company disclosed about a nasty then-secret zero-day vulnerability that let remote unauthorized hackers modify the content of any post or page within a WordPress site.
The nasty bug resides in Wordpress REST API that would lead to the creation of two new vulnerabilities: Remote privilege escalation and Content injection bugs.
Wordpress is the world's most popular content management system (CMS) used on millions of websites. The CMS recently added and enabled REST API by default on WordPress 4.7.0.
Flaw lets Unauthorised Hacker Redirect Visitors to Malicious Exploits
The vulnerability is easy to exploit and affects versions 4.7 and 4.7.1 of the Wordpress content management system (CMS), allowing an unauthenticated attacker to modify all pages on unpatched sites and redirect visitors to malicious exploits and a large number of attacks.
The vulnerability was discovered and reported by Marc-Alexandre Montpas from Sucuri to the WordPress security team who handled the matter very well by releasing a patch, but not disclosing details about the flaw in an effort to keep hackers away from exploiting the bug before millions of websites implement the patch.
"This privilege escalation vulnerability affects the WordPress REST API," Montpas writes in a blog post. "One of these REST endpoints allows access (via the API) to view, edit, delete and create posts. Within this particular endpoint, a subtle bug allows visitors to edit any post on the site."
Why WordPress Delayed the Vulnerability Disclosure
The issue was discovered on January 22nd, patched on January 26th and the fix was made available in release 4.7.2 to websites using the popular CMS.
Sucuri security providers and hosts worked closely with Wordpress security team for over a week to install the patch, ensuring that the issue was dealt with in short order before it became public.
The company also tipped off security companies including SiteLock, Cloudflare, and Incapsula over 9 days between disclosure and patch.
Here's what the Wordpress core contributor Aaron Campbell says about the delay in the vulnerability disclosure:
"We believe transparency is in the public's best interest...[and]... in this case, we intentionally delayed disclosing the issue by one week to ensure the safety of millions of additional WordPress sites."
"Data from all four WAFs and WordPress hosts showed no indication that the vulnerability had been exploited in the wild. As a result, we made the decision to delay disclosure of this particular issue to give time for automatic updates to run and ensure as many users as possible were protected before the issue was made public."
Patch your CMS Now!
The flaw has been rated critical, although the fix has automatically been deployed on millions of WordPress installations in the few hours after the patch was issued.
For a more technical explanation about the vulnerability, you can head on the Sucuri's official blog post.
WordPress admins who have not yet implemented the patch against the nasty vulnerability are strongly advised to update their CMS to Wordpress version 4.7.2.

WhatsApp may let you Recall Sent Messages and Track Friends Location in Realtime
2.2.2017 thehackernews Privacy
Are you the victim of sending awkward WhatsApp messages to your friends, families, and colleagues while you're drunk?
No need to panic now, as you'll soon be able to recall your drunk or mistakenly sent text messages on WhatsApp – a much-demanded feature.
Recall Unread Messages Sent Mistakenly
The most popular instant messaging service is reportedly testing the ability to edit or completely recall messages that have already been sent, allowing you to edit or delete a message from your friend's phone if it is yet to be read.
This new feature, first spotted by Twitter account @WABetaInfo, may be included in a new beta version of WhatsApp's next update before making it into a full consumer release.
If so, the update will add "Revoke" and "Edit" options for messages with gray tick marks that have not yet been viewed by the recipient. Blue ticks on WhatsApp represents that the recipient has seen your sent messages.
If the sender clicks on the Revoke option, the message from the recipient inbox will be replaced with "Sender revoked the message," as shown in the screenshots, telling the recipient that the sender is keeping something away from them.
However, the Facebook-owned messaging service has not officially announced the edit and recall feature, so it is unclear if or when these features will make its way to the popular messaging app's stable release.
Track Your Friends Location In Realtime
Besides giving its users more control over their sent messages, WhatsApp is also testing a new feature called "Live Location" in group chats to make it a lot easier for users to track the location of the group members while coordinating a group meeting.
WhatsApp's Live Location Tracking feature will allow users to enable other members in a group to track their location in real time. The feature will be built on WhatsApp's send your location feature, and users can opt in the feature to share their moving position for one, two or five minutes or indefinitely.
Other upcoming features being tested in the beta version of WhatsApp include the ability to reply to status messages, as well as shaking your smartphone within a conversation to contact WhatsApp and report spam.

Zero-day Content Injection Vulnerability found in WordPress
2.2.2017 securityaffeirs  Vulnerebility
A new dangerous Zero-day Content Injection vulnerability has been discovered in the WordPress CMS, it affects the WordPress REST API.
A new dangerous vulnerability has been discovered in the WordPress CMS, it is a zero-day content injection flaw in the WordPress REST API.

The vulnerability discovered by a security researcher at firm Sucuri could be exploited by an unauthenticated attacker to inject malicious content as well as for privilege escalation.

The attacker could exploit the zero-day content injection vulnerability to modify posts, pages, as well any other content.

“This privilege escalation vulnerability affects the WordPress REST API that was recently put into widespread use across WordPress sites with the introduction of official API endpoints in version 4.7.” states a blog post published by Sucuri. “One of these endpoints allows access (via the API) to view, edit, delete and create posts. Within this particular endpoint, a subtle bug allows visitors to edit any post on the site.

The REST API is enabled by default on all sites using WordPress 4.7 or 4.7.1. If your website is on these versions of WordPress then it is currently vulnerable to this bug.”

The impact of the flaw is severe, at least 18 million websites run the popular WordPress CMS, roughly 26% of the top 10,000 websites are running WordPress.

Experts from Sucuri have worked with the WordPress development team that fixed the zero-day content injection vulnerability in the last release 4.7.2.

Experts at Sucuri did not provide technical details about the flaw to prevent that crooks can exploit the vulnerability in attacks in the wild.

“This is a serious vulnerability that can be misused in different ways to compromise a vulnerable site. We are hiding some technical details to make it harder for the bad guys, but depending on the plugins installed on a site, it can lead to a RCE (remote command execution). Also, even though the content is passed through wp_kses, there are ways to inject Javascript and HTML through it. Update now!” continues the post.

Administrators that have not enabled automatic updates on their website need to update it as soon as possible.

Spanish police claim has arrested Phineas Fisher, the hacked denied it
2.2.2017 securityaffeirs  Crime

The Spanish law enforcement claims to have arrested the popular hacker Phineas Fisher, but someone using his email account denied it.
Spanish law enforcement has arrested the notorious hacked Phineas Fisher (@GammaGroupPR), the cyber security expert that breached the surveillance firms Hacking Team and Gamma International.

In May 2016, Phineas Fisher stole $10,000 from a bank and donated the equivalent in Bitcoin to Kurdish anticapitalists in Rojava.

Phineas Fisher hack bank

The Spanish police arrested the popular hacker as a result of an investigation on an attack against the Catalan police union, the Sindicat de Mossos, that occurred on May 2016. The Spanish authorities have arrested three men, including a man that is suspected to be Phineas Fisher.

“The Police on Tuesday arrested a person suspected of hacking the Sindicat dels Mossos d’Esquadra (SME) in May last year. The man, 31, who was arrested in Barcelona with his partner, 35, is accused of having illegally entered the EMS system and get data from 5,500 agents, according to sources of the case.” reported the El Pais. “At the same time, in Salamanca, the police detained a third person, 33, for disseminating this data.”

According to local media, the Spanish police arrested a couple in Barcelona and a 33-year-old man in Salamanca.

At the time I was writing, the identity of the men was not disclosed by the Spanish police.

Is the suspect Phineas Fisher?

A few hours after the arrest, someone using Phineas Fisher’s email address sent the following message:

“I think the Mossos just arrested some people that retweeted the link to their personal info, or maybe just arrested some activisty/anarchisty people to pretend they are doing something,” Phineas Fisher, or someone who is in control of his email account said, in an email shared by a source of Motherboard who asked to remain anonymous.

How to succeed in online investigations and digital forensics
2.2.2017 Kaspersky Forensics

Maltego, the tool best known for deep data mining and link analysis, has helped law enforcement and intelligence agencies, banking organizations, financial institutions and others in security-related work since it was released in 2008.

To benefit from using Maltego, come to SAS 2017 for intensive Digital Intelligence Gathering training from the experts who created the tool from scratch: there won’t be any questions that they can’t answer. The course runs for two days, from April 1st and 2nd 2017 on St. Maarten. Book a seat now — the class is limited to 15 people maximum!

Down with the Excel worksheets

Maltego brings power to any online investigation, processing publicly available information that is hard to see with the naked eye. But it’s not just about mining — it’s also about analyzing and visualizing relationships between people and groups of people, companies, organizations, web sites, Internet infrastructure (domains, DNS names, netblocks, IP addresses) and affiliations (documents and files). The tool grabs information from DNS and whois records, search engines, social networks, online APIs and metadata. The results are provided in different graphical orders for better clustering, which brings into view hidden connections even if they are three or four degrees of separation, and even attempts makes attribution attainable.

Why do you need the training before you start using Maltego

During the two-day course participants will discover the entire Maltego ecosystem and learn how to use the tool properly to get most out of it. The trainers guarantee that you will go out with an understanding of how to apply the tool in your organizations and how to accurately interpret this kind of node based graph:


Source: www.paterva.com

All practical exercises will involve real world data.


Roelof Temmingh, Managing Director and founder of Paterva, the South African company that introduced Maltego to the world in 2008, and Andrew MacPherson, the operations manager at Paterva and lead Maltego server developer.

Roelof and Andrew invite pen-testers, LEAs, intelligence agencies and security experts from any industry dealing with digital data gathering.

Technical skills

Applicants should meet the following prerequisites. They should have knowledge of common Internet services (HTTP, DNS), search engines (Google hacking), basic IT security principles (such as port scanning), scripting or programming experience (Python, PERL). You’ll need a PC or Mac with an external mouse and at least 2GB of RAM, a decent resolution display and some space to install the latest version of Maltego.

Researchers Dissect Potent "Locky Bart" Ransomware

1.2.2017 securityweek Virus
A closer look at the inner workings of the Locky Bart ransomware and its backend have provided security researchers with a better understanding of its features compared to those of its predecessors.

According to security researchers at Malwarebytes Labs, Locky Bart is the third variant of a threat that saw two very successful ransomware campaigns called “Locky” and “Locky v2”. The latest threat iteration can encrypt files without being connected to the command and control (C&C) server and features a much faster encryption mechanism, while its backend infrastructure appears maintained by a different actor.

Previous variants placed every file in a password protected ZIP archive and used an older protection algorithm that allowed researchers come up with a decryption tool. Locky Bart, however, creates a key for encryption, enumerates targeted files, encrypts them, encrypts the used key with a master key that becomes the victim’s UID, and then creates a ransom note on the desktop with a link to a payment page and the UID. The malware also wipes System Restore Points with VSSadmin.

Locky Bart gathers information on the victim’s machine to generate the encryption key, uses it for encryption, then leverages a one-way encryption mechanism - using the public key of a public / private key pair method - to encrypt the key. The private key for this second encryption process is stored on the attackers’ server and never accessible to the victim, Malwarebytes Labs researchers explain.

However, the ransomware generates a URL on the victim’s machine, with the link to a TOR cloaked .onion address (the malicious backend website is hosted there) and the user ID included within it (the UID is the original decryption key, in encrypted form). When the user accesses the website, the malicious server harvests the encrypted UID, meaning that the user in fact unknowingly sends their decryption key to the criminals.

Without the private key hosted on the server, the UID is actually useless to the victim. The server, on the other hand, uses the UID to identify the victim and also deciphers it into their victim’s key upon payment of the ransom. This also means that only the ransomware creators can decrypt victim’s files, but that the malware doesn’t need access to the malicious server to encrypt them.

The Bart Locky binary uses a software protection technique known as code virtualization, implemented using the “WPProtect” software. The protection is meant to make reversing the binary significantly more difficult and is usually used to prevent piracy. The anti-tampering mechanism is free, open source, and provides many features, which explains why Locky Bart’s author used it.

The Locky Bart server provides the victims with a payment mechanism and is also used to receive the Bitcoins from the payments, transfer the money to other wallets, generate and provide a decryption EXE for the victims, and accrue additional information on the victims. The Bart Locky backend, which runs on the yii high-performance PHP framework, contains a great deal of information about the inner workings of the ransomware, Malwarebytes Labs security researchers say.

Through access to the control panel, the researchers were able to make an idea of the configuration setting for all the software running on the server, such as PHP, Bootstrap, Javascript, Apache (if used), Nginx (if used), ZIP, and more. The backend also revealed details on every request made to it, including request information, header information, body, timestamp, and where it originated from.

Moreover, the server contained logs for every error, trace, and debug item, as well as the available automated email functions, and MySQL Monitoring that showed every statement made and its return, the security researchers say. Locky Bart was found to store information in a MySQL database: the victim’s UID, the encryption key, Bitcoin Address, Paid Status, and Timestamps.

A second database that contains further information on the victims of the ransomware was also found on the server, along with a “BTCwrapper.php” file that eventually exposed information on two Bitcoin addresses used by the malware authors to redirect victims’ payments to.

According to Malwarebytes Labs, the server part of the ransomware was designed to function very similar to a legitimate business, as users are even provided with a support section, where they can contact the ransomware authors with any questions they might have. The server checks every minute if payment was made and, after confirming the payment, automatically marks the victim as Paid in the database.

For victims marked as Paid, the server generates a Decryption Tool EXE, writes the user’s Encryption Key in the binary of that exe, and then provides the victim with a link to download the file. The victim can find the link on their payment page, can download the decryption tool, and then regain access to their files.

“This research into Locky Bart ransomware gives a great view of the side of a ransomware operation that we typically do not get to see, the backend. The criminals who run these operations do so on an extremely professional level, and users should always take an extra step in protecting themselves from these types of attacks,” the security researchers note.

Critical Flaws Patched in MailStore Server

1.2.2017 securityweek Vulnerebility
An update released earlier this month for MailStore Server patches a couple of cross-site scripting (XSS) and open redirect vulnerabilities found by a researcher from Germany-based security firm Secuvera.

MailStore Server is one of the most widely used solutions for email archiving, management and compliance. According to MailStore, the product is used by thousands of organizations around the world, including private companies and government agencies.

The security holes, classified by MailStore as “critical,” affect Web Access, the component that allows users to access their mail archive through a web browser.

Secuvera’s Tobias Glemser discovered that MailStore Server’s Web Access component did not properly filter user input, allowing malicious actors to launch both XSS and open redirect attacks.

The reflected XSS flaw, which affects the search function in Web Access, can allow an attacker to gain access to an organization’s email archive by getting an authenticated user to click on a specially crafted link.

The open redirect vulnerability, which affects the dereferrer component, can be exploited by an attacker to lure users to a potentially malicious website by tricking them into clicking on a specially crafted link that appears to point to a trusted domain. The user does not need to be authenticated for the attack to work.

The XSS vulnerability affects MailStore Server 9.2 and newer, while the open redirect issue affects version 9.0 and newer. The flaws were reported to the vendor on January 9 and they were patched on January 18 with the release of version 10.0.2. MailStore has advised users to update their installations as soon as possible.

Only a few MailStore Server vulnerabilities have been disclosed in the past years, including one in 2016 and two in 2014.

A new CryptoShield Ransomware being distributed via EITest campaign
1.2.2017 securityaffeirs Virus

Security researcher Kafeine discovered a new ransomware dubbed CryptoShield that is being distributed via EITest campaign through the RIG exploit kit.
The ProofPoint security researcher Kafeine discovered a new CryptoMix, CrypMix, variant called CryptoShield 1.0 Ransowmare. Crooks are distributing it via EITest campaign that leverages RIG exploit kit.

“As a note, in this article I will be calling this ransomware CryptoShield as that will most likely be how the victim’s refer to it. It is important to remember, though, that this ransomware is not a brand new infection, but rather a variant of the CryptoMix ransomware family.” reads the article published by Bleepingcomputer.com.

Cyber criminals use to hack websites to distribute the CryptoShield ransomware. EITest is a JavaScript malware that is injected into sites, the malicious code will be executed when victims visit the site.
It downloads the exploit kit from another web site to deliver the CryptoShield ransomware in victim’s computer.

Rig Exploit Kit Traffic – Kafeine credits

When the ransomware is downloaded and executed, it will generate a unique ID for each victim and along with an encryption key. The unique ID and encryption key will be uploaded in the C&C server, then the ransomware encrypts all files with target extensions.

“When CryptoShield encounters a targeted file it will encrypt it using AES-256 encryption, encrypt the filename using ROT-13, and then append the .CRYPTOSHIELD extension to the encrypted file. For example, a file called test.jpg would be encrypted and renamed as grfg.wct.CRYPTOSHIELD In each folder that CryptoShield encrypts a file, it will also create ransom notes named # RESTORING FILES #.HTML and # RESTORING FILES #.TXT.”

Furthermore, the ransomware disables the Windows startup recovery and to clear the Windows Shadow Volume Copies. So, it’s impossible to recover backup files.

“CryptoShield will then display a fake alert stating that there was an application error in Explorer.exe. At first, I was not sure if this was an error produced by the ransomware or just a crashing explorer.exe. As you read the alert closely, though, you can see spelling mistakes such as “momory” and an odd request that you should click on the Yes button in the next Window “for restore work explorer.exe“. The broken English really should have been the giveaway for me.”

Fake Explorer.exe Alert

“Once you press OK on the above prompt, you will be presented with a User Account Control prompt, which asks if you wish to allow the command “C:\Windows\SysWOW64\wbem\WMIC.exe” process call create “C:\Users\User\SmartScreen.exe” to execute. This explains why the previous alert was being shown; to convince a victim that they should click on the Yes button in the below UAC prompt.”

It is important to keep up to date every program and the OS, exploit kit triggers vulnerabilities in installed software to infect your computer.

The hash for this varian of the ransomware is:

sha256: bb65f0bf3d827958ae447c80ba824e214601094d4dc860b9decc08caae7dd89c

Hackeři při útoku na Černínský palác stáhli přes sedm tisíc záznamů

1.2.2017 Novinky/Bezpečnost BigBrother
Neznámí hackeři získali podle zjištění Práva v rámci dlouhodobého útoku na e-mailový systém ministerstva zahraničních věcí mimo jiné i citlivý zápis z jednání řídícího výboru Auditu národní bezpečnosti z června loňského roku. Ten přitom z podnětu vlády pod patronací vnitra připravoval strategii, jak se má stát bránit proti hackerským útokům.
Podle informací Práva útočníci stáhli z resortních serverů také některé z pohledu státu strategické informace, stejně jako data týkající se vnitřních rozhodovacích procesů na ministerstvu zahraničních věcí.

Vyplývá to z analýzy specializovaného Národního centra kybernetické bezpečnosti spadajícího pod Národní bezpečnostní úřad z 25. ledna letošního roku.

Od 8. ledna loňského roku do 18. ledna letošního roku hackeři stáhli ze serverů ministerstva zahraničních věcí 7119 souborů, a to od 168 uživatelů. Ze schránky ministra Lubomíra Zaorálka (ČSSD) bylo takto staženo 48 dokumentů.

Hackeři napadli ministerstvo zahraničí. Útok přišel z Ruska, naznačil Zaorálek
Experti na kybernetickou bezpečnosti v tomto dokumentu podle informací Práva z bezpečnostní komunity označili prolomení e-mailových účtů ministerstva za mimořádný bezpečnostní incident.

„Podle analýzy stáhli hackeři i strategické informace, které mohou Českou republiku významně oslabit při dvoustranných a mnohostranných jednáních,“ řekl Právu k podrobnostem o útoku zdroj z bezpečnostní komunity.

Útoky vždy brzy ráno
Ministerstvo zahraničních věcí odhalení útoku oznámilo Národnímu bezpečnostnímu úřadu (NBÚ) podle analýzy 19. ledna. Vyznačoval se tím, že se hackeři nemuseli spoléhat na „slepé“ odhadování hesel do jednotlivých schránek, ale podařilo se jim získat přímo heslo administrátora celého systému.

Představitelé resortu v této souvislosti už dříve konstatovali, že mezi ukradenými daty nebyly žádné utajované informace.

Mezi ukradenými soubory jsou podle zdroje mimo jiné i zápisy z několika našich zastupitelských úřadů - například z Tokia, Bagdádu či Bruselu.

Úřady už v úterý naznačily, že útok byl vedený ze zahraničí a že nese shodné znaky jako útoky hackerů na e-mailové účty americké Demokratické strany před tamními loňskými prezidentskými volbami. Právu se nyní podařilo zjistit, že podobnost tkví v IP adresách, ze kterých hackeři útočili.

Některé z nich, konkrétně adresy z Ruska a také Německa, totiž figurují jako podezřelé i v případě útoků na americké demokraty. Server Neovlivní.cz ve středu informoval, že další „útočící“ adresy směřují také do Velké Británie, ale i České republiky.

Analýza specializovaného kybernetického centra v této souvislosti podle informací Práva konstatuje, že k útokům na účty českého ministerstva zahraničních věcí docházelo vždy mezi šestou a sedmou hodinou ranní.

Zpráva pro vládu v režimu utajení
Podrobnou zprávu o útoku probere na svém příštím zasedání vláda. U příležitosti uvedení někdejšího dlouholetého šéfa tuzemské kontrarozvědky Jiřího Langa do nové funkce ředitele NBÚ to ve středu novinářům na tiskové konferenci oznámil premiér Bohuslav Sobotka (ČSSD).

„To, co se stalo, v žádném případě nebereme na lehkou váhu. Vláda se tím bude zabývat,“ konstatoval k tomu Sobotka. Jakékoliv další informace ale s odkazem na probíhající šetření uvést odmítl.

Doplnil pouze, že jednání kabinetu se účastní právě i Lang, stejně jako jeho předchůdce ve funkci a od středy nový vládní zmocněnec pro kybernetickou bezpečnost Dušan Navrátil. Na vládní zasedání pak podle premiéra bude přizván i současný šéf kontrarozvědky - tedy Bezpečnostní informační služby - Michal Koudelka.

Lang po převzetí funkce šéfa NBÚ uvedl, že materiál pro vládu bude v režimu utajení a kromě zhodnocení celé situace bude obsahovat i některá doporučení úřadům, jak se podobných útoků v budoucnu vyvarovat.

Sobotka novinářům také sdělil, že oblast kybernetické bezpečnosti považuje za jednu z priorit dosluhujícího kabinetu. „Je třeba si uvědomit, že proti nám stojí organizované týmy hackerů, ať už jsou to hackeři na nevládní úrovni, nebo jsou to hackeři, kteří jsou přímo organizovaní nebo sponzorovaní některými státy,“ řekl premiér v souvislosti s potřebou posílení kybernetické bezpečnosti České republiky.

Student objevil obrovskou botnet síť na Twitteru, tvoří ji statisíce falešných účtů Star Wars

1.2.2017 Novinky/Bezpečnost BotNet
Náhodný objev rozsáhlé botnet sítě, kterou tvoří 350 tisíc falešných účtů sociální sítě Twitter, oznámil student britské University College London Juan Echeverria.
Síť mohla být využita k šíření nevyžádané pošty, malwaru nebo manipulaci s veřejným míněním. Juan Echeverria na ni narazil při analýze náhodně vybraného vzorku jednoho procenta anglicky píšících uživatelů Twitteru v rámci svého studentského projektu.

Při bližším monitoringu zjistil, že velké množství účtů funguje automatizovaně a jsou ovládány buď jedním uživatelem anebo skupinou lidí. Síť pojmenoval Star Wars botnet, protože řada těchto falešných účtů tweetovala náhodné citace ze slavné filmové ságy.

Botnet funguje od roku 2013
Znepokojivý je fakt, že tato botnet síť funguje skrytě již od roku 2013, protože jednotlivé účty byly schválně navrženy a spravovány tak, aby se vyhnuly běžným filtrům pro odhalování automatizovaně spravovaných identit na Twitteru. Tvůrci sítě u všech účtů přidávali klasické profilové obrázky a vytvářeli na první pohled „normální“ uživatelském profily.

Vyhýbali se používání URL v tweetech, oslovovali jen malý počet uživatelů a tweetovali jen zřídka. Zveřejňované zprávy představovaly většinou jen náhodné citace z filmů Star Wars, které se na Twitteru objevují běžně, a tudíž nejsou zachytitelné ochrannými filtry proti botnetu.

Síť je možné využít k šíření spamu nebo názorové manipulaci
Juan Echeverria, student University College London
Student, který rozsáhlou botnet síť na Twitteru objevil, tvrdí, že neexistují žádné důkazy o zneužití těchto účtů k botnet útokům, ale nelze to podle něj vyloučit. „Je velmi pravděpodobné, že provozovatel těchto účtů je stále schopen aktivovat všech 350 tisíc účtů, které tvoří Star Wars botnet a zneužít je k čemukoli,“ uvedl Juan Echeverria.

„Síť je možné využít k šíření spamu, falešných témat, názorové manipulaci, falešnému vyvolávání dojmu pozitivní spontánní reakce uživatelů Twitteru a šíření různých druhů malware. Fakt, že tuto síť tvoří tolik účtů, výrazně navyšuje její potenciální nebezpečnost. Možná jde o nejvážnější hrozbu na Twitteru, s níž jsme se dosud setkali.“

Pozor na neznámé osoby
Podle technického ředitele společnosti ESET Miroslava Dvořáka na Twitteru i ostatních sociálních sítích platí jednoduché pravidlo, že by uživatelé neměli důvěřovat žádnému obsahu, který se k nim dostane z neznámého a neověřeného účtu.

„Základní pravidlo zní, nepouštět si mezi přátele nebo sledované účty ty, které osobně neznáme nebo nemáme potvrzeno, že jde o oficiální prezentace. A když už to z nějakého důvodu uděláte, rozhodně neberte příspěvky z těchto účtů 100% vážně. Rovněž klikat na odkazy, které se v nich mohou objevit, není rozhodně dobrý nápad,“ varuje Dvořák.

V Rusku obvinili ze zrady tři lidi z oblasti kyberbezpečnosti

1.2.2017 Novinky/Bezpečnost BigBrother
Ruské úřady obvinily ze zrady v zájmu Spojených států dva bývalé pracovníky Federální bezpečnostní služby (FSB) a zaměstnance ruské softwarové společnosti Kaspersky Lab. Informovaly o tom ve středu ruské agentury s odvoláním na sdělení obhájce jednoho ze tří obviněných Ivana Pavlova.
Advokát podle agentury TASS uvedl, že obvinění se týká vedoucího jednoho z oddělení centra informační bezpečnosti FSB Sergeje Michajlova, jeho podřízeného Dmitrije Dokučajeva a o manažera firmy Kaspersky Lab Ruslana Stojanova.

„Všem osobám tohoto případu bylo sděleno obvinění ze zrady. To je jediný bod kauzy, jiná obvinění nejsou,“ citoval TASS Pavlova.

Právník přitom popřel, že by šlo o spolupráci obviněných s americkou Ústřední zpravodajskou službou (CIA). „Žádná CIA v případu nefiguruje. Řeč je o Americe, ne o CIA,“ poznamenal.

Bílý dům potvrdil, že chce detailně analyzovat návštěvníky USA. Touží po jejich Facebooku
1.2.2017 Živě.cz BigBrother
Americké ministerstvo vnitra (Department of Homeland Security) ústy svého šéfa Johna Kellyho potvrdilo, že plány na detailní analýzu sociálních sítí a historie surfování těch, kteří chtějí navštívit USA, míní Trumpova administrativa vážně a ministerstvo již připravuje kroky, jak toho docílit.

„Nevíme, co je to za lidi, s jakým motivem k nám cestují, co tu chtějí dělat a jaké je jejich pozadí.“
Žadatelé o americké vízum mohli poslední měsíce dobrovolně v žádosti sdělit, pod jakými profily vystupují na sociálních sítích, podle tiskové konference by se z toho nicméně mohla stát i povinnost. Ministerstvo pro vnitřní bezpečnost zajímá Facebook, Instagram, Google+, Linkedin a YouTube a stejně tak údaje o tom, s kým si žadatel o vstup do USA telefonuje a obecně komunikuje skrze mobilní telefon.
Poradci v Bílém domě: Chcete do USA? Ukažte nám historii v prohlížeči, Facebook i kontakty v mobilu
Kelly nicméně zdůraznil, že jeho úřad na novém systému teprve pracuje, takže není vůbec jasné, koho by se přísnější kontrola opravdu týkala. Jestli pouze cestovatelů z pochybných zemí, žadatelů o vízum, anebo i těch v bezvízovém styku, kam patří i turisté z ČR, kteří jen vyplňují formulář ESTA a zaplatí drobný poplatek.
Trumpova administrativa nicméně zvažuje i revizi systému pracovních víz, čehož se obávají někteří zahraniční pracovníci. Týká se to ostatně i Silicon Valley, kde pracují tisíce inženýrů z Evropy a Asie.

Routery Netgear mají závažnou chybu. Pokud takový máte, aktualizujte si firmware
1.2.2017 Živě.cz Zranitelnosti

Routery Netgear obsahují závažnou bezpečnostní chybu, která umožní získat přístup ke správě zařízení. Chyba není až tak vážná, jako prosincový případ, protože se vyskytuje jen v případě, že na routeru máte povolen vzdálený management. Ten ve výchozím stavu není povolen, a proto se ohrožení dotkne jen menší části uživatelů, upozornil CSIRT.
Do Česka dorazila další vlna útoků na domácí routery. Obrana je přitom triviální
Netgear rychle zareagoval a vydal pro svá zařízení aktualizace firmwaru. Přestože přímý dopad nově objevené zranitelnosti není velký, je vhodné, aby si firmware aktualizoval každý. Nikdy nevíte, kdy se vám vzdálený management bude hodit a při jeho povolení už si na chybu nevzpomenete.

Chyba spočívá v možnosti získat heslo k administraci routeru pomocí webového skriptu. Poté už útočník získá kontrolu nad routerem a může ho zneužít.
Pětice extrémních routerů, které jsou dražší než obyčejný počítač
Chyba se týká konkrétně těchto modelů:


Dávejte si pozor na falešné SMS od České pošty. Snaží se uživatelům vnutit malware
1.2.2017 Živě.cz Viry
Pokud v těchto dnech obdržíte podezřelou SMS od České pošty, rozhodně neklikejte na obsažené odkazy. Ty směřují na stažení nebezpečné aplikace pro Android, která se má tvářit jako oficiální aplikace České pošty pro sledování zásilky.

Klepněte pro větší obrázek
SMS dorazí v tomto formátu. Odkazy vedou na stažení podvodné aplikace (foto: @TerezaChlubna)

V textu zprávy najdete informaci o tom, že zásilka byla převezena na svozové depo z důvodu nezastihnutí adresáta. Vyzývá ke kontaktování pošty nebo stažení aplikace prostřednictvím odkazu.

Ten využívá doménu ceskaposta.online a vede na instalační balíček APK s názvem PostaOnlineTracking.apk. Pokud jej uživatel nainstaluje, najde sice na ploše ikonu pošty, nicméně s názvem Flash Player 10 Update. Jde tedy o variaci malwaru, který má s největší pravděpodobností odcizit platební údaje uživatele. Aplikace si zároveň vyžádá kompletní přístup k telefonu či tabletu s Androidem.

Klepněte pro větší obrázek
Aplikace s ikonou České pošty pod názvem Flash Player 10 Update by měla varovat i méně zkušené uživatele

Pokud jste aplikaci nainstalovali, minimálně ji ze zařízení odstraňte v nastavení. V případě, že jste zadali platební údaje do podezřelého formuláře, obraťte se na svoji banku.

Schneider Data Center Monitoring Product Leaks Passwords

1.2.2017 securityweek Krypto
Schneider Electric has released an update for its StruxureWare Data Center Expert software suite to address a high severity vulnerability related to how the product stores passwords.

StruxureWare Data Center Expert is a DCIM (Data Center Infrastructure Management) solution designed for monitoring physical infrastructure, including security, power and the environment. The product has been used by financial institutions, media companies, insurers, and healthcare organizations.

Researchers at Positive Technologies discovered that the software stores passwords in cleartext in the random access memory (RAM), allowing a remote attacker to obtain the valuable information.

“A hacker could use this flaw to penetrate the internal network at a data center, obtain confidential information, or even cause physical harm,” explained Ilya Karpov, head of the ICS Research and Audit Unit at Positive Technologies. “Data Center Infrastructure Management (DCIM) platforms have the 'keys to the kingdom' at a data center, since they are connected to all installed systems.”

“A vulnerability such as this threatens the functioning of critical systems on which data centers depend: video surveillance, fire suppression, backup generators and generator control units, switches, pumps, UPS systems, and precision cooling,” Karpov added.

SAVE THE DATE: ICS Cyber Security Conference | Singapore - April 25-27, 2017

The flaw affects StruxureWare Data Center Expert 7.3.1 and prior, and it has been addressed with the release of version 7.4.0.

While ICS-CERT has not released an advisory for this weakness, the organization did disclose other Schneider Electric vulnerabilities in the past two weeks.

Users have been warned of a medium severity cross-site scripting (XSS) vulnerability in the homeLYnk logic controller for home automation, and a high severity credentials management issue (i.e. default passwords) affecting Wonderware Historian.

Schneider rolled out a firmware update to patch the XSS flaw in the homeLYnk controller, and provided mitigation advice for the Wonderware Historian security hole.

Insider Recruitment Growing on Dark Web: Report

1.2.2017 securityweek Crime
Cybercriminals are increasingly using dark web forums to recruit employees and contractors willing to help them achieve their goals, according to a report published on Tuesday by security firms IntSights and RedOwl.

The anonymity provided by the dark web has attracted many people offering their services as insiders. IntSights has monitored hundreds of dark web forums and tens of black markets in the past few years and determined that discussions about insiders nearly doubled from 2015 to 2016.

Over the course of two years, researchers identified roughly 1,000 references to insiders – each reference represents a unique forum post, including cases where insiders are not the main topic of a thread.

While insiders were mentioned only a few times in the beginning of 2015, the number increased considerably in the second half of 2016.

Insider threat references

Experts have identified three main types of activities: insider trading, retail insiders, and what they refer to as “weaponized insiders.”

In the case of insider trading, while there is some activity on general forums, researchers found that the most profitable schemes are discussed in smaller, closed groups. Only people who can prove their capabilities can become members of these exclusive groups.

One such forum, named “KickAss marketplace,” specializes in various types of insider trading. The website’s operators try to maintain high standards and a 1 BTC ($980) membership fee must be paid by users who want to join.

According to researchers, there are roughly five posts per week on the KickAss forum and transactions total 40 BTC (roughly $39,000). The site’s administrators claim some members make over $5,000 per month using the leaked information.

The most common types of insiders offering their services on dark web forums are low-level employees (e.g. cashiers) who can help with carding activities. These retail insiders can provide credit card data or they can help fraudsters purchase items using stolen cards.

In one such scheme, a fraudster was trying to recruit a retail insider who could help them buy iPhone 6 phones from a known retailer. The recruiter offered the insider £100 ($126) for each successful purchase.

Sophisticated threat actors are seeking to recruit insiders they can arm with the tools and knowledge necessary to help them steal data, commit fraud and cover their tracks.

In one example provided by IntSights and RedOwl, a cybercriminal was looking to recruit someone who could plant malware on a bank’s systems, particularly devices that access accounts and conduct wire transfers, and they were prepared to pay seven-figure amounts per week for ongoing access.

“The higher employees rank in a given organization, the less common they will be in the black market, and the higher their damage-potential becomes,” researchers told SecurityWeek.

The complete report, which also includes recommendations for enterprises looking to build an insider threat program, is available for download in PDF format.

Weaponizing of the insider in the Dark Web, a dangerous phenomenon

1.2.2017 securityaffairs Security

A study revealed how hackers in the dark web are arming insiders with the tools and knowledge necessary to help steal corporate secrets.
The dark web is the right place where to buy and sell corporate secrets, experts at the risk management firm RedOwl and Israeli threat intelligence firm IntSights made an interesting research titled “Monetizing the Insider: The Growing Symbiosis of Insiders and the Dark Web.”

The research is disconcerting, hackers are operating services in the dark web to arm insiders with the tools and knowledge necessary to help steal corporate secrets, commit fraud, and conduct other illegal activities without leaving any tracks.

The researchers accessed the hidden service Kick Ass Marketplace (http://kickassugvgoftuk.onion/) and collected evidence of staff offering for sale internal corporate secrets to hackers, in some the unfaithful staff offered its support to attackers to compromise the network of their company.

Dark Web

The research revealed that at least in one case, someone at an unnamed bank was helping crooks to remain hidden in the corporate networks by using a malicious code.

The subscription for the service is of up to one bitcoin a month for access to corporate information offered in various threads.

The administrator of the service who goes with online moniker “h3x,” claimed that Kick Ass Marketplace has seven administrators, three hackers and two trading analysts that check the integrity of stolen data.

Months ago, the administrator claimed that its service boasted 15 investment firm members and 25 subscribers.

According to the researchers, the Kick Ass Marketplace is posting about five high confidence insider trading reports a week that allows the hidden service to pulls roughly US$35,800 a week. The analysis of the associated bitcoin wallet confirmed a total of 184 bitcoins that accounts for US$179,814.

The researchers also analyzed another hidden service dubbed The Stock Insiders (http://b34xhb2kjf3nbuyk.onion.to/) that allows its clients to recruit retail staff as mules to help cash out stolen credit cards for reliably-resellable goods like Apple iPhones.

” Another forum (see Figure 3), called “The Stock Insiders,” is also dedicated solely to insider trading. The forum was opened in April 2016. Its objective was to “…create a long-term and well-selected community of gentlemen who confidently exchange insider information about publicly traded companies.”

The report is very interesting, it includes posts used by crooks to recruits money mule in charge of cashing out the stolen card data buy goods.

Below key findings of the report:

“By studying dark web forums focused on recruiting and collaborating with insiders, we found:

The recruitment of insiders within the dark web is active and growing. We saw forum discussions and insider outreach nearly double from 2015 to 2016.
The dark web has created a market for employees to easily monetize insider access. Currently, the dark web serves as a vehicle insiders use to “cash out” on their services through insider trading and payment for stolen credit cards.

Sophisticated threat actors use the dark web to find and engage insiders to help place malware behind an organization’s perimeter security. As a result, any insider with access to the internal network, regardless of technical capability or seniority, presents a risk.”

Insider illegal activities are devastating for the victims, they can fully compromise entire organizations due to the disclosure of company secrets, the weaponizing of the insider is a criminal phenomenon that must carefully monitor.

Gaza Cybergang is back and is targeting Governments under DustySky campaign
1.2.2017 securityaffairs Virus

Security experts at PaloAlto Networks have observed a new campaign that has been launched by a cyber espionage group known as Gaza Cybergang.
Security experts at Palo Alto Networks have uncovered a new cyber espionage campaign conducted by the Gaza Cybergang hacker group, also known as “Gaza Hackers Team” and “Molerats.”

On September 2015, security experts at Kaspersky Lab observed an increase in the activity of the group that targeted IT and Incident Response Team in the Mena (Middle East North Africa) area. The Gaza cybergang appears to be politically motivated and has been active since at least 2012, but it has intensified its activity in the Q2 2015.

Security experts speculate the group composed of Palestinian militant of Hamas, it also targeted organizations in Europe and the United States.

In the recent attacks, dubbed DustySky campaign, Gaza Cybergang targeted government organizations with two strains of malware: a downloader called Downeks and a remote access tool (RAT) named QuasarRAT.

“Palo Alto Networks Traps Advanced Endpoint Protection recently prevented recent attacks that we believe are part of a campaign linked to DustySky. DustySky is a campaign which others have attributed to the Gaza Cybergang group, a group that targets government interests in the region.” states the analysis published by PaloAlto Networks.

Researchers noticed many similarities in the TTPs of a recent campaign and the DustySky attacks that were linked to the Gaza Cybergang.

The experts noticed that the attacks were launched and the malware samples were built on days that coincide with the workweek in the Middle East.

Gaza Cybergang

Quasar is a free and open source RAT that was developed starting from the xRAT malware, the researchers believe that the members of the Gaza Cybergang have customized their own version starting from the source code available on GitHub.

Quasar could be used by attackers to gather information of the target, exfiltrate data and gain the complete control over the machine.

While the researchers were analyzing the C&C server used by QuasarRAT discovered it was affected by remote code execution vulnerabilities that could be exploited by a second attacker to take control of the infected machine.

“With further analysis of the Quasar RAT C2 Server, we uncovered vulnerabilities in the server code, which would allow remote code execution. This might allow a second attacker to install code of their choice – for example, their own Quasar RAT – on the original attacker’s server. We refer to this (somewhat ironic) technique as a “Double Edged Sword Attack”. We did not apply this to any live C2 servers – we only tested this with our own servers in our lab.”

“In the lab, we changed our Quasar RAT source code to use the known encryption key, and to send fake victim IP address, City, Country code, Flag, and Username. The Quasar server does not verify the RAT data, and displays this data in the RAT Server GUI when the RAT is executed and connects to the server. We found this could be used to supply compelling “victim data” to convince the attacker to connect to this “victim” via the GUI.”

As for Downeks, experts discovered that attackers used new versions of the malware written in .NET while the earlier samples had been written in native code. The malware is used to deliver other threats on the infected machine and also for reconnaissance activities (i.e. Check the infected system for the presence of security solutions)

The samples analyzed by the experts were used to hit Hebrew-speaking targets.

I suggest you read the report published by PaloAlto Network that is full of details on the reading the report published by PaloAlto Network that is full of details on the DustySky attacks and other information on the Gaza Cybergang.

An IndyCar archive left unprotected online, details on 200k racing fans exposed
1.2.2017 securityaffairs Hacking

A notorious security expert has discovered online an open Rsync server hosting the personal details for at least 200,000 IndyCar racing fans.
The notorious expert Chris Vickery has discovered an open Rsync server hosting the personal details for at least 200,000 racing fans.

Further analysis revealed that data belongs to the archive of a defunct racing forum called DownForce that was a component of a platform used by IndyCar.

Accessing the DownForce was costing a $28.99 fee, but racing fans could get access to a number of other services, including a private message board for “the INDY DownForce community” by paying a $13.99 supplemental fee.

According to Vickery, the archive included data related to the daily operations of the users of the forum, including employee login credentials.

IndyCar racing fans data leak

Vickery has found open on the Internet the entire DownForce backup that contains details of hundreds of thousand users’ details, including first and last name, date of birth, gender, mailing address, password hash, security questions, and answers.

“The online security of over 200,000 Indycar racing fans was put in jeopardy recently. Earlier this month I discovered a large collection of publicly exposed MySQL database backup files at an IP resolving to ims-mysql.indycar.com.” reads a blog post published by the expert.

“It’s important to point out that the IndyCar bulletin board these accounts come from has since been retired. So, there is no need to change your IndyCar forum login password,”

Why users’ data were left unprotected online?

“That’s nothing but liability. They are putting customers at risk for no gain,” said Vickery.

“I can only assume the attorneys and risk-management folks working for IndyCar were unaware that defunct forum logins were being stored.”

According to Salted Hash, the person who is managing the IndyCar account told Vickery the company was handling the issue.

Chris Vickery discovered many other clamorous cases of open database exposed on the Internet. In December 2015 the security expert discovered 191 million records belonging to US voters online, in April 2016 he also discovered a 132 GB MongoDB database open online and containing 93.4 million Mexican voter records.

In March 2016, Chris Vickery has discovered online the database of the Kinoptic iOS app, which was abandoned by developers, with details of over 198,000 users.

Islamic Jihad master hacker pleads guilty to hacking IDF drones in Gaza
1.2.2017 securityaffairs Cyber

An Islamic Jihad master hacker resident in the Gaza strip pleads guilty to hacking into drones belonging to the Israeli Defense Force, faces up to nine years in jail.
A resident in the Gaza strip pleads guilty for hacking into drones belonging to the Israeli Defense Force.

An Israeli court accepted a guilty plea from Islamic Jihad master hacker Maagad Ben Juwad Oydeh for the alleged hack of Israeli drones while the UAVs were involved in reconnaissance activities over Gaza.

The guilty plea was accepted by the Beersheba District Court based on charges filed in a March 2016 indictment.

“An indictment filed by the Southern District Attorney’s Office in March 2016 also charged Oydeh with hacking into the IDF, the police and the transportation authority’s video cameras, enabling the terrorist group to study the location of civilians and IDF personnel in real-time, at a time during conflicts when it was firing rockets.” states The Jerusalem Post.

Oydeh is a computer and electronics engineer and master hacker who joined Islamic Jihad in 2011. When the hacker joined the group worked as an engineer and a presenter for the group’s radio station, later he demonstrated his abilities in hacking into Israel’s transportation authority cameras.

He first successfully hacked into the IDF drones as early as 2012.

“Up until his arrest in 2016, Oydeh continued to repair and upgrade the organizations’ computers, video cameras and technology. He was also charged with spying, conspiracy, contact with enemy agents and membership in an illegal organization.” continues The Jerusalem Post.

According to the indictment, Oydeh hacking activities allowed to monitor airport traffic at the Ben-Gurion Airport, the hackers tracked flights, passengers, and other info.

Islamic Jihad drones hacking

Hacking IDF drones, the Islamic Jihad militants were able to obtain the UAV’s video feed in realtime, while they were flying over Gaza.

The hacked Maagad Ben Juwad Oydeh faces up to nine years in jail.

Hacking printers exploiting Cross-site printing (XSP) attacks
1.2.2017 securityaffairs Hacking

A group of researchers from the University Alliance Ruhr has found a cross-site printing bug in the old PostScript language.
Popular printer models manufactured by Dell, Brother, Konica, Samsung, HP, and Lexmark are affected by security vulnerabilities that could be exploited by hackers to steal passwords, steal information from the print jobs, and shut down the devices.

The discovery was made by researchers at the University Alliance Ruhr who published a series of advisories and a wiki regarding their research.

20 printer models are affected by flaws related to common printing languages, PostScript and PJL, used in most laser printers. The flaws are not a novelty, according to the experts they have existed for decades.

“In the scope of academic research on printer security, various vulnerabilities in network printers and MFPs have been discovered.” reads the advisory 2 of 6 of the `Hacking Printers’ series. “This post is about accessing a printers file system through ordinary PostScript or PJL based print jobs — since decades a documented feature of both languages. The attack can be performed by anyone who can print, for example through USB or network. It can even be carried out by a malicious website, using advanced cross-site printing techniques in combination with a novel technique we call `CORS spoofing’ (see http://hacking-printers.net/wiki/index.php/Cross-site_printing)”

The researchers published a Python based proof of concept application entitled Printer Exploitation Toolkit (PRET) that could be used to simplify PostScript and PJL based file system access on printers.

The tool connects to a printer via network or USB and exploits could be used to exploit the security flaw discovered by the researchers in the printer’s PostScript or PJL language. “This (tool) allows stuff like capturing or manipulating print jobs, accessing the printer’s file system and memory or even causing physical damage to the device,”

“This (tool) allows stuff like capturing or manipulating print jobs, accessing the printer’s file system and memory or even causing physical damage to the device,” states a PRET description published on GitHub.

The researchers published six distinct advisories reporting multiple issues, including buffer overflow, password disclosure, and print job captures vulnerabilities.

Among the attacks, there is a technique that could allow attackers to access a printer’s file system. The method exploits the Cross-Origin Resource Sharing (CORS) mechanism that allows a third-party domain to read web page data such as fonts when printing.

The combination of the CORS spoofing and Cross-Site Printing (XPS) can be exploited by attackers to access a printer via a web-based attack using “a hidden Iframe to send HTTP POST requests to port 9100/tcp of a printer within the victim’s internal network.”

“Cross-site printing (XSP) attacks empower a web attacker to access the printer device as demonstrated by who use a hidden Iframe to send HTTP POST requests to port 9100/tcp of a printer within the victim’s internal network. The HTTP header is either printed as plain text or discarded based on the printer’s settings. The POST data however can contain arbitrary print jobs like PostScript or PJL commands to be interpreted.” reads the Wiki.

cross-site printing

According to the researchers, it is possible to send data back to the browser from the printer by manipulating the PostScript output commands.

“By using PostScript output commands we can simply emulate an HTTP server running on port 9100/tcp and define our own HTTP header to be responded – including arbitrary CORS Access-Control-Allow-Origin fields which instruct the web browser to allow JavaScript access to this resource and therefore punch a hole into the same-origin policy.” continues the Wiki.

cross-site printing 2

The experts reported the issued to all the vendors.

Spam Rises Amid Lower Exploit Kit Activity in 2016: Cisco

1.2.2017 securityweek Spam
Spam messages accounted for 65% of overall email in 2016, with 8-10% of spam considered malicious, a recent report from Cisco reveals.

According to the Cisco 2017 Annual Cybersecurity Report (PDF), activity of the Necurs botnet, which has been distributing the Locky ransomware and Dridex banking Trojan, is driving spam volume up. In fact, data from the Composite Blocking List (CBL), a DNS-based “blackhole list” of suspected spam-sending computer infections, shows that spam volume is close to the record-high levels seen in 2010.

Citing data from the SpamCop Block List (SCBL), Cisco explained that Necurs’ activity has generated spikes in the number of IP addresses associated with spam. Because the botnet’s operators use an address for only 2-3 days in a row but then stop using it for weeks, researchers have a hard time responding to spam attacks.

In October, 75% of spam had malicious attachments, with Necurs responsible for most of it. As attackers are experimenting with various attachment types to ensure they can avoid detection, .docm, JavaScript, .wsf, and .hta files emerged as popular among spammers. In July, .wsf accounted for 22% of malicious attachments, while .docm accounted for 8% of them. Last week, Google decided to block JavaScript attachments in Gmail.

Attackers are also using different types of spam attacks to circumvent defenses, with "hailstorm" and "snowshoe" attack emerging as a popular methodd last year. A hailstorm spam attack usually involves the sending of a massive amount of spam from a single IP address in a short period of time, so that defenders don’t have enough time to react, while snowshoe attacks rely on keeping spam volumes low enough to fly under radar.

In addition to malicious spam, adware that packs nefarious behavior represents yet another risk organizations are facing. Legitimate adware is meant to download or display advertisements through redirections, pop-ups, and ad injections, but cybercriminals are using adware to facilitate other malware campaigns, such as DNSChanger malware, in addition to injecting ads.

According to a Cisco investigation that took place between November 2015 and November 2016, 75% of a set of 130 organizations across verticals faced adware infections. These included ad injectors (usually residing in the browser), browser-settings hijackers, utilities (web applications that supposedly offer a useful service to users, such as PC optimization, but which turn to be scams in many cases), and downloaders (adware that can deliver toolbars or other software).

Adware that evolved into Potentially Unwanted Programs has been already said to be putting enterprise data at risk, but Cisco believes that all adware can place users and organizations at risk for malicious activity. “Security teams must recognize the threat that adware infections pose and make sure that users in the organization are fully aware of the risks,” Cisco notes.

Malvertising was yet another issue for both users and companies, as malvertising activity jumped132% last year, a recent report from RiskIQ reveals. According to Cisco, attackers recently started using brokers (also known as gates) to ensure they can switch quickly from one malicious server to another without changing the initial redirection. Malvertising is one of the primary means for redirecting users to exploit kits (in addition to compromised websites) with one long-standing malvertising campaign being ShadowGate, which emerged in 2015.

“Even though ShadowGate saw a high volume of web traffic, only a tiny fraction of interactions led to a user being directed to an exploit kit. The malicious ads were mostly impressions—ads that render on the page and require no user interaction. This online advertising model allowed the actors responsible for ShadowGate to operate their campaign more cost-effectively,” Cisco notes.

Initially, ShadowGate was redirecting to the Angler exploit kit (EK) only, but it switched to Neutrino after the toolkit disappeared in the summer of 2016. Angler’s disappearance was tied to the Lurk gang arrests and resulted in a 96% decrease in EK activity. The second largest EK a year ago, Nuclear, had disappeared a month before Angler, while Neutrino abruptly ceased operations in September.

These changes resulted in a massive overall decrease in exploit kit landing page blocks, from 7407 in March to 1051 in November (the number dropped below 1000 in September). Flash vulnerabilities remained the most popular in EKs in 2016, with Internet Explorer and Silverlight bugs also targeted by attackers.

However, with Flash being used less and less on websites and with major browsers turning it off by default, EKs and other types of threats are seeing a decrease in the available viable options. Java and PDF Internet traffic experienced notable declines in 2016, while Silverlight traffic is so low that “is not worthwhile for threat researchers to track regularly,” Cisco notes.

However, adversaries have a large array of tools to take advantage of when conducting their attacks, including social engineering, malware injections in legitimate ads, lapses in patching and updating, middleware vulnerabilities, malicious spam, and more. Internet traffic is growing, largely driven by faster mobile speeds and the proliferation of online devices, and attackers are taking advantage of this, because it expands their attack surface.

“Reducing—and ideally, eliminating—the unconstrained operational space of adversaries, and making attackers’ presence known, must be top priorities for defenders. The reality is that no one can stop all attacks, or protect everything that can and should be protected. But if you focus on closing the operational space that cybercriminals must have for their campaigns to be effective and profitable, you can prevent them from reaching critical systems and data without entirely evading detection,” Cisco says.

The State of Malware: 1 Billion Samples Under the Microscope

1.2.2017 securityweek Virus
2016 was not a good year for information security. The inexorable rise of ransomware, major breach reports, the emergence of massive IoT-based DDoS attacks, the rise of the Kovter malware family, and the arrival of alleged international political interference all combined to make 2016 an exceptional year. Now a new state of malware analysis puts figures behind the malware element of 2016 threats.

Anti-virus firm Malwarebytes examined almost 1 billion malware instances from June to November 2016. Data was drawn from nearly 100 million Windows and Android devices in more than 200 countries, together with additional data from its own honeypots. The ensuing report (PDF) looked at six threat categories: ransomware, ad fraud malware, Android malware, botnets, banking trojans, and adware.

The two standout malware categories are ransomware and ad fraud. Malwarebytes suggests this indicates a growing trend among cybercriminals -- the desire to realize monetary return as quickly and easily as possible. "Kovter [the most prevalent of the ad fraud malware]," notes Malwarebytes, "and ransomware both provide a source of direct profit for the attackers. Rather than selling password dumps, credit card information, and social media accounts to other criminals, these attacks demand payment from victims directly to retrieve their important files or use the victims to defraud the advertising industry, resulting in more profit for less effort."

"The use of ransomware and ad fraud, specifically Kovter," explains Adam Kujawa, Malwarebytes director of malware intelligence, "have taken off because they provide a source of direct profit for attackers. This is the future of cybercrime, and it is imperative that we continue to study how these methods evolve over time."

In both ransomware and ad fraud, the United States is the most attacked country. Ransomware attackers, suggests the report, "target Americans not only because of the populace's wide accessibility to technology, but also their means to pay the ransom and, possibly, their ideological views." Russia does not figure highly in either category. While this may be unsurprising for ad fraud, Malwarebytes suggests that fewer ransomware incidents may be "an indicator that Russian ransomware developers might shy away from targeting their own."

Noticeably, while 81% of ransomware detected in corporate environments occurred in North America, 51% of home/consumer detections occurred in Europe.

The three most prevalent ransomware families in 2016 were TeslaCrypt, Locky and Cerber. In May, the TeslaCrypt authors shut down and released their encryption master key. TeslaCrypt disappeared from radar, but the void it left was rapidly filled by Cerber and Locky; with Cerber being the dominant family by the end of the year.

Kovter dominates the ad fraud detections. Although the malware first appeared in 2015, in 2016 it started to concentrate on ad fraud. Kovter now hijacks the victim computer and uses it to add fraudulent clicks to ad campaigns run either by the criminals behind the malware or their clients. This offers huge potential. In January 2016, the Association of National Advertisers estimated that $7.2 billion would be lost globally because of non-human traffic.

Kovter is sophisticated and evolving malware. It has "the ability to infect systems without dropping a file but instead creating a special registry key, making it difficult for many antivirus products to detect. In addition, Kovter employs rootkit capabilities to further hide its presence, and will actively identify and disable security solutions." Malwarebytes also noticed that the drive-by exploit method of distribution was augmented in 2016 by "a massive surge in malicious phishing emails".

"One of the biggest changes in distribution in 2016 was the use of attached scripts to phishing emails," reports Malwarebytes. Email delivered malware also saw the return of malicious macros embedded within Office documents. The documents are often contained within protected Zip files that attempt to bypass anti-malware defenses. Social engineering in the email body then seeks to persuade the target to open the attachment and allow the macro to run. The attachment password is contained within the email. "This gives an increased sense of legitimacy to the attack as well as being an effective method of defeating automatic analysis of the attack e-mail by malware research tools, including honeypots and sandboxes."

The rise of email-borne malware coincides with the decline of the Angler exploit kit. Like TeslaCrypt, Angler shut its doors early in 2016. Since then, however, the RIG EK has grown in popularity and is likely to increase doing so in 2017. But one of the biggest threats going forwards will be the growing likelihood of massive and disruptive denial of service campaigns.

IoT-based denial of service attacks came to prominence with the Mirai botnet. In September 2016, it was used to bring down several individual websites, including KrebsOnSecurity. A month later it was used against DNS service provider, Dyn. Mirai infects susceptible internet-connected devices. It scans the internet looking for such devices, and uses an internal database of default usernames and passwords to gain access. Since many users never change these defaults, it is a rich source. The botmaster is then able to direct the entire botnet against any target of choice.

The process has since been adopted by other botnets. For example, the Kelihos botnet grew 785 percent in July and 960 percent in October, while IRCBot grew 667 percent in August and Qbot grew 261 percent in November.

"Our findings," says Marcin Kleczynski, Malwarebytes CEO, "demonstrate that the frequency and variety of new cyberattacks has crashed into people and businesses at an alarming rate. The last year involved an onslaught of ransomware, a surge of pernicious ad fraud and new, dangerous uses for botnets. These threats have the potential to erode many of the gains that computing is providing global society. Both consumers and businesses need to better understand how these new attack methodologies may impact them."

Exabeam Challenges Traditional SIEMs With New Security Intelligence Platform

1.2.2017 securityweek Safety
Exabeam Leverages UEBA Experience to Launch New Next-Generation Security Intelligence Platform

SIEMs, although still a must-have for most enterprises, are considered to be past their sell-by date; and are being supplanted by the rising star of user and entity behavior analytics (UEBA). Now one UEBA leading light claims that it was just the beginning -- UEBA was part of a route map on the path to a complete next generation security management platform.

"We started," Nir Polak, Exabeam's CEO and founder, told SecurityWeek, "as a SIEM-helper." The intention was always to be more, but the route to a complete platform was designed to be in steps. SIEMs, he suggested are broken, difficult to use and no longer fit for today's needs; and a SIEM-helper was the obvious starting point. "SIEMs were born some 20 years ago, before the age of big data and before the skills gap became as severe as it is today. So, we used machine language and analytics to help find the threats for the SIEMs."

Now, he added, "we're moving to the next phase, ready to take on the incumbents -- Splunk, ArcSight and QRadar -- head on." He announced Tuesday the arrival of the Exabeam Security Intelligence Platform, with the two most important additions being a log manager and an incident responder.

The UEBA side works by building a user fingerprint for all employees. This is compiled automatically from logs. Whenever user behavior deviates from that fingerprint it can be indicative of an intrusion. False positives are minimized, explained Polak, by marrying data science with security experience. In science, a sudden change of logon IP address would be a big anomaly; but it could signify nothing more than a change of home ISP. Security experience will say that it only becomes an issue if combined with other anomalies. "If the user IP address changes and uncommon credentials are used or perhaps access is attempted from a strange location, then it becomes a security concern."

Analytics work best on big data, and the bigger the better. This is the reasoning behind the launch of the new Exabeam Log Manager product. While many products have, or are, log managers, they are priced by the byte collected. "This can rapidly become expensive," explained Polak; "so customers reduce their bills by reducing the number of logs they try to collect."

But threat detection through analyzing big data works better with bigger data -- the analytics improve their accuracy with more data to analyze. "We have built," said Polak, "a log management system based on open source big data technology, and we're changing the market by eliminating cost-per-byte charges. Our system is priced not by byte but by the number of employees in the organization. Customers can put in as much data as they want and the cost will change relatively little."

He illustrated the effect by saying that one beta customer who used the system for a month "has already put 30x the amount of data into the Exabeam log manager as he had previously put into Splunk."

The new Exabeam Incident Responder is designed to improve the efficiency and speed of response. Detecting an anomaly is only the first step -- it needs response. Not all companies have senior analysts to cover all eventualities, and junior staff might have neither the knowledge or experience to respond efficiently. "To address chronic security hiring shortfalls," explains Exabeam, "Incident Responder provides automated playbook creation and execution, so that detected attacks are shut down quickly and completely."

It includes out-of-the-box playbooks for most common attacks, such as phishing attacks, malware, stolen passwords, and data theft. "We've developed playbooks for different events so that the customer knows exactly how to respond to any particular situation," said Polak. He expanded on phishing as an example. "A large organization may get hundreds or thousands of suspected phishing emails per day. The playbook knows how to respond to a suspected phishing email; examine, check links, sandbox and detonate, etc." Done automatically, they can all be examined in a fraction of the time it would take without the automated playbook.

"Threat detection is one side of the picture; effective incident response is the other," said Ryan Makamson, senior infosec analyst for Washington State University. "Exabeam Incident Responder helps even new analysts respond consistently and efficiently to internal and external threats."

Both the new Log Manager and Incident Responder will be on show at the RSA Security Conference, February 13-17, in San Francisco.

PayPal Users Targeted in Sophisticated Phishing Attack

1.2.2017 securityweek Phishing
A recently observed phishing campaign is targeting PayPal users with fake pages that are well designed and difficult to distinguish from the real ones, ESET researchers warn.

The attack was observed only a couple of weeks after Gmail users were targeted in a phishing campaign that used legitimate-looking URLs capable of tricking even tech-savvy people. The attackers were even able to bypass two-factor authentication protection by accessing the compromised email accounts immediately.

The attack against PayPal users, ESET reveals, uses a very convincing bait as well, with fake websites and email messages meant to trick users into revealing their login credentials and other personal information.

The phishing emails include logos and wording that seems legitimate, yet users paying attention can immediately spot grammar and syntax errors that suggest the author isn’t a native English speaker, which is a clue that something is not right.

The email urges the user to log into their account and includes what looks like a “Log In” button, which in fact takes the victims to a landing page that presents them with a fake login screen. Because it uses an SSL certificate, the page attempts to fool users into believing it is authentic.

The domain, however, has nothing to do with PayPal sites, and are clearly scam URLs. After the user enters their information, another message with fake information is presented to them, asking for more personal details. Thus, the security researchers suggest that the attackers aren’t looking only for the victims’ money, but also after their identities.

To give a sense of urgency, the page claims that the user won’t be able to access the PayPal account until the requested information is provided. The page, however, contains more clues that something isn’t right, as it even asks for the user’s Social Security Number, which applies to US citizens only, but also asks which country the victim is from.

“If you’re concerned about PayPal security, you should log directly into PayPal.com itself and update your security settings, and if you know someone who has fallen victim, the first step should be to change their PayPal password before more damage occurs,” ESET notes.

Users should keep in mind that attackers spend a lot of time and effort to make their phishing pages look exactly like those of real vendors. Users of well-known online services such as Gmail, PayPal, and many more are more likely to be targeted in such attacks.

To stay protected, users should avoid opening attachments or clicking on links included in unsolicited emails. When an alert appears while browsing the Internet, users should immediately check the URL in the address bar, to make sure they are on the expected website (it should be http://www․paypal․com/ or https://www․paypal․com/ when PayPal is involved).

“Since phishing becomes more of a problem when the same password is utilized across multiple sites and services, consider deploying two-factor authentication (2FA). By requiring a one-time password generated by a user’s smartphone as a second form of authentication, 2FA helps block unauthorized access,” ESET also notes.

Popular PlayStation and Xbox Gaming Forums Hacked; 2.5 Million Users' Data Leaked
1.2.2017 thehackernews Hacking
Do you own an account on one of the two hugely popular PlayStation and Xbox gaming forums?
Your details may have been exposed, as it has been revealed that the two popular video gaming forums, "XBOX360 ISO" and "PSP ISO," has been hacked, exposing email addresses, account passwords and IP addresses of 2.5 Million gamers globally.
The attackers hacked and breached both "XBOX360 ISO" and "PSP ISO" forums in September 2015, but the details of this massive hack just emerge, reports The Sun.
Mostly gamers who look for free versions of popular games are members of these two gaming forums, which provide download links for gaming ISO files – digital copies of online video games lifted from physical game disks – to the owners of Microsoft's Xbox 360 and Sony's Playstation Portable.
Visiting such forum websites and downloading games through the provided links often involve an illegal breach of copyright.
So, if you are one of those gamers using both forum or one of these forums, you are being advised to review your account and change the password for all of your accounts immediately.
Although the hackers behind the attacks are still unknown, it is believed that they dumped the stolen data once they've made enough money by selling the leaked information within private dark web trading sites.
Here's What Gamers Can Do:
Like I always advise, change your passwords for your forum accounts as well as other online accounts immediately, especially if you use the same password for multiple websites.
The reason behind the data breach took so long to emerged is 'Password Reuse.' Your habit of reusing your same email/password combination across multiple services gives hackers opportunity to use the same credentials gathered from one breach to break into your other accounts.
So stop reusing passwords across multiple sites. If it's difficult for you to remember and create complex passwords for different services, you can make use of a good password manager.
We have listed some best password managers that could help you understand the importance of password manager and choose one according to your requirement.

Police Arrested Suspected Hacker Who Hacked the 'Hacking Team'
1.2.2017 thehackernews Crime
Remember the Hacker who hacked Hacking Team?
In 2015, a hacker named Phineas Fisher hacked Hacking Team – the Italy-based spyware company that sells spying software to law enforcement agencies worldwide – and exposed some 500 gigabytes of internal data for anyone to download.
Now, the Spanish authorities believe that they have arrested Phineas Fisher, who was not just behind the embarrassing hack of Hacking Team, but also hacked the UK-based Gamma International, another highly secretive company which sells the popular spyware called "FinFisher."
During an investigation of a cyber attack against Sindicat De Mossos d'Esquadra (SME), Spain's Catalan police union, police in Spain have arrested three people, one of which detained in the city of Salamanca is suspected of being Fisher, according to local newspaper ARA.
The cyber attack was carried out in May last year when Fisher announced via his own Twitter account that he had hacked the SME and also published the personal information of over 5,500 police officers online.
The incident attracted worldwide attention after Fisher posted a detailed tutorial video on how he hacked SME and how he stole the data.
On Tuesday evening, Spain's National Police Corps detained a couple in Barcelona, suspected of being behind the SME attack, and one person in Salamanca, suspected as Phineas Fisher who exposed the data stolen from SME.
However, hours after the news of the arrests and raids went public, someone using Phineas Fisher's email address said the police have got it all wrong.
"I think the Mossos just arrested some people that retweeted the link to their personal info, or maybe just arrested some activisty/anarchisty people to pretend they are doing something," someone claiming to be Phineas Fisher said in an email shared by an anonymous intermediary with Motherboard.
The hacker also said he wanted the media to report that he was not in prison or under custody "so there does not start a bunch of theories around [his] disappearance."
Well, it's difficult to say, at this moment, if Phineas Fisher is arrested or someone just trying to mislead the investigation.
What do you guys think? Let us know in the comments below.

VMware Patches Vulnerabilities in AirWatch Android Apps

31.1.2017 securityweek Vulnerebility
VMware has released updates for some of its AirWatch Android applications to address a couple of important vulnerabilities related to local data encryption and rooted device detection.

In the first security advisory released in 2017, VMware informed customers that Finn Steglich from SySS GmbH discovered flaws in several components of the company’s AirWatch enterprise mobility management solution.

One of the security holes, tracked as CVE-2017-4895, affects AirWatch Agent for Android, which allows users to authenticate and enroll their devices in the system. During the enrollment process, the application checks if the smartphone has been rooted – AirWatch classifies rooted and jailbroken devices as “compromised.”

The AirWatch Agent vulnerability found by Steglich allows a device to bypass root detection during enrollment, which, according to VMware, could lead to the device having unrestricted access over local AirWatch security controls and data. The flaw was patched earlier this month with the release of version 7.0.

The second vulnerability patched by VMware affects the secure email client AirWatch Inbox and AirWatch Console on Android. This weakness allows a rooted device to decrypt the local data used by the app, which could result in disclosure of sensitive information.

Patches and workarounds have been made available to address the security hole tracked as CVE-2017-4896. VMware pointed out that Pin-Based Encryption (PBE), a feature introduced in AirWatch Console 9.0 FP1 and AirWatch Inbox 2.12, must be enabled in order to resolve the vulnerability.

VMware has only published one other security advisory for AirWatch products since it acquired AirWatch in early 2014. In December 2014, the company informed users of an AirWatch update that addressed information disclosure vulnerabilities which exposed sensitive IT-related organizational information.

Other flaws, including a root detection bypass issue, were discovered before VMware acquired AirWatch.

Malvertising Jumped 132% in 2016: Report

31.1.2017 securityweek Virus
Malvertising experienced a 132% growth rate over 2015 levels, with a total of 7,623,099 malicious ads detected throughout the year, a RiskIQ report reveals.

One of the factors fueling the increase, the security firm’s 2016 Malvertising Recap report reveals, was the rise of programmatic advertising, which provides sophisticated profiling capabilities that threat actors can abuse to target precise groups of users with their malicous ads.

The highly targeted nature of malvertising results in a big return on investment but also in a slowdown in the growth of digital advertising revenue, because more and more users try to protect themselves from malvertising by using ad blockers, the report says.

In 2017, 86.6 million Americans are expected to use an ad blocker, a 24% increase over the 69.8 million people who supposedly did so last year (2016 marked a 34.4% increase over 2015, RiskIQ says).

A report compiled by eMarketer has already revealed that the worldwide paid media market has recently hit more than half a trillion dollars. Because it is accelerating every year, the market is expected to reach $674 million by 2020, the report says.

“Malvertising as a digital threat is particularly effective as it’s difficult to detect and take down malicious ads because they are delivered through ad networks such as Google and Facebook and not resident on web pages. Threat actors use malvertising to propagate malware, ransomware, and scams (disingenuous advertising), as well as redirect victims to phishing pages and pages hosting exploit kits,” RiskIQ reveals.

Looking at the type of malvertisements recorded last year, RiskIQ reveals that redirects to phishing pages saw the largest increase compared to 2015: 828,402 incidents versus 39,848, for a 1,978.9% increase. Scams (disingenuous ads) also registered a massive growth, though of only 845.9% (4,619,794 in 2016 versus 488,416 in 2015).

Fake software ads rose 69.9%, scareware/browser lockers saw a 58.1% increase, malicious injects registered a 25.8% increase, and antivirus binary detections went up by 22%, while traffic distribution systems registered a 1.9% growth. Third party detections, on the other hand, went down 14% last year, the report reveals.

RiskIQ says it scans over 2 billion pages and nearly 20 million mobile apps per day for malicious ads, and each of the discovered ones is added to a blacklist that helps the company mitigate this risk for digital advertisers and publishers. The list also allows ad ops, brand managers, and security staff vet new demand sources and prevent malware within their ad infrastructure.

The blacklist, the company explains, is curated in such a way that all individual incidents associated with an ad are counted as a single instance of malvertising. For that, every incident is linked to an ad sequence and categorized. For the total number of malvertising incidents, the company pulled landing page submissions (a single ad markup submission) that resulted in any number of blacklist incidents.

“Malvertising is so nefarious because it’s a direct attack on the lifeblood of the internet as we know it. Digital media marketing is what funds the ‘free’ websites we all know and enjoy online. The success of the internet and all the people that rely on it is inextricably linked to online advertising success and safety. Publishers, ad platforms, and ad operations teams need active visibility, forensic information, and mitigation capability to enable them to effectively detect and respond to malicious ads in the wild,” James Pleger, threat researcher RiskIQ, said.

Facebook Proposes New Account Recovery Method

31.1.2017 securityweek Social
Facebook has proposed a new method for recovering accounts when users forget their passwords or their credentials are stolen by hackers, and it will be first tested by the members of GitHub.

The social media giant wants users to be able to recover their accounts via a method it calls “delegated recovery,” where an application delegates the capability to recover an account to a different account controlled by the same user at a third-party service provider.

GitHub users who want to test the method need to save a special recovery token in their Facebook account. If access to the GitHub account is lost, the user can re-authenticate to Facebook and the token is sent to GitHub with a time-stamped counter-signature to verify their identity.

The token is encrypted and Facebook will not share any personal information with GitHub. Furthermore, the data is transmitted over HTTPS to prevent it from being intercepted by a third-party.

This account recovery system will be covered by the Facebook and GitHub bug bounty programs. Based on feedback received from users, the social media company wants to improve the system and have it adopted by more services. Both Facebook and GitHub will release open source reference implementations in various programing languages.

“Usable security must cover all the ways we access our accounts, including when we need to recover them. We hope this solution will improve both the security and the experience when people forget a password or lose their phone and need to get back into their accounts,” said Brad Hill, a security engineer at Facebook.

Delegated recovery is promoted as an alternative to security questions, which are known to be risky, and email- and SMS-based methods, which do not offer the security guarantees many users expect today.

The announcement comes just days after Facebook announced support for Universal 2nd Factor (U2F) security keys.

Hackers Target Czech Foreign Ministry's Email System

31.1.2017 securityweek Cyber
Prague - The Czech foreign minister said Tuesday his office had fallen prey to hackers who worked their way into the email accounts of dozens of employees including himself.

"Since early January we have known one of the attacks was partly successful as the hackers managed to penetrate the email system of the ministry," Lubomir Zaoralek told reporters.

He added however that no classified information was compromised as hackers failed to get into the ministry's inner system.

"The data leak was considerable. The attack was very sophisticated," Zaoralek said.

"It must have been carried out from the outside, by another country. The way it was done bears a very strong resemblance to the attacks on the US Democratic Party's internet system," said the foreign minister, citing experts.

In July 2016, the Democratic National Committee faced a leak of e-mails that Hillary Clinton's campaign blamed on Russia.

In early January, US intelligence said Russian President Vladimir Putin had ordered a campaign of hacking and media manipulation aimed at undermining Clinton's presidential campaign and boosting Donald Trump.

Last October, Czech police arrested a Russian hacker in Prague in cooperation with the FBI and accused him of staging cyber attacks on the United States.

The hacker is in custody in the Czech Republic pending extradition to the United States or Russia as both countries have asked Prague to hand over the suspect.

In neighboring Poland, the Rzeczpospolita daily reported Monday that a group of Russian hackers called APT28 had tried to attack local foreign ministry servers in December through emails pretending to be sent by the NATO secretary general.

This group, also known as Pawn Storm, Sofacy and Fancy Bears, is believed to be behind other high-profile cyber attacks and to be linked to Russia's security services.

Ruské tajné služby stihl kyberskandál, důstojníka zatkli přímo během porady

31.1.2017 Novinky/Bezpečnost BigBrother
Ruskými tajnými službami cloumá nebývalý skandál spojený s místními hackery. V médiích a na sociálních sítích se objevily spekulace, podle nichž bylo několik vysokých důstojníků Federální bezpečnostní služby (FSB) zatčeno a čelí obvinění z vlastizrady. Spekuluje se o jejich možné účasti na údajném vměšování ruských hackerů do amerických prezidentských voleb.
Sídlo a znak ruské Federální bezpečnostní služby FSB
Sídlo a znak ruské Federální bezpečnostní služby FSB
Koncem prosince byl podle listu Novaja Gazeta zatčen vysoký důstojník FSB Sergej Michajlov, který řídil tamní Centrum informační bezpečnosti. S odvoláním na vlastní zdroje list napsal, že Michajlov byl zatčen přímo během zasedání kolegia FSB v budově tajné služby.

„Provázely to prvky divadelního představení: důstojníkovi FSB podezřelému z vlastizrady byl na hlavu navlečen neprůhledný pytel,“ popsala Novaja Gazeta okolnosti s tím, že podle informovaných zdrojů měl Michajlov pod svou správou v podstatě veškerý internetový byznys v Rusku.

Napojen na CIA?
Server tsargrad.ru, který provozuje Konstantin Malofejev označovaný za „pravoslavného oligarchu“, pak napsal, že Michajlov byl spojen se skupinou hackerů známou pod názvem „Shaltay Boltay“. Podle informace portálu za touto skupinou mohla stát americká CIA, a Michajlov tudíž mohl spolupracovat s tajnými službami USA.

Ruská média dále tvrdí, že důstojník měl řídit hackery, kteří pronikali na weby vysokých ruských státních činitelů včetně premiéra Dmitrije Medvěděva, vicepremiéra Arkadije Dvorkoviče, zaměstnanců prezidentské kanceláře či ministerstva obrany. Deník Kommersant zdůraznil, že zadržený není obviněn z korupce nebo zneužívání moci, ale přímo z vlastizrady, za což mu hrozí až 20 let žaláře. 

Podle Kommersantu byl v souvislosti se zatčením Michajlova zadržen také Ruslan Stojanov, vysoký manažer ruské společnosti Kaspersky Lab (Laboratoře Kasperského), která se specializuje na počítačovou bezpečnost. Vyšetřovatelé FSB prověřují informace, podle nichž měl obdržet úplatek „od jedné zahraniční organizace“. Firma potvrdila, že její zaměstnanec, který měl na starosti vyšetřování kybernetických trestných činů a v minulosti těsně spolupracoval s orgány činnými v trestním řízení, byl zadržen. Tvrdí ale, že s činností společnosti to nijak nesouvisí.

Kvůli americké stopě zadrženo už šest osob
Novaja Gazeta napsala, že stopa k Michajlovovi byla odhalena, když americké služby obvinily Rusa Vladimira Fomenka z kybernetických útoků na volební systémy v amerických státech.

Ruští detektivové při sledování jeho činnosti prý zjistili, že Michajlov měl americké rozvědce předávat informace spojené s činností ruských hackerů.

Zatčeni prý byli také dva další jeho spolupracovníci včetně kontrarozvědčíka Dmitrije Dokučajeva. Celkem je ve vazbě šest osob. Podle médií se však útok ruských hackerů na americké servery zatím prokázat nepodařilo.

Soud v moskevském Lefortovu podle listu potvrdil, že již loni na podzim byl zatčen zakladatel blogu Shaltay Boltay, kde byla v minulosti zveřejněna korespondence vysokých ruských státních úředníků. Jde o Vladimira Anikejeva, novináře z dagestánské Machačkaly, který byl známý pod přezdívkou Lewis.

Naboural prý mimo jiné elektronickou korespondenci poradce ruského prezidenta Vladislava Surkova, jejíž zveřejnění loni způsobilo velký rozruch na Ukrajině. Obsahovala totiž jakýsi plán nového Majdanu. Zatčení Michajlova ani žádného dalšího příslušníka FSB oficiální zdroje zatím nekomentují.

Osiris nadělá v počítači pěknou neplechu. Zašifruje data a chce výkupné

31.1.2017 Novinky/Bezpečnost Viry
Na pozoru by se měli mít v poslední době majitelé počítačů, tabletů či chytrých telefonů před Osirisem. Řeč není o egyptském bohu mrtvých, nýbrž o novém vyděračném viru, před kterým varovali v pondělí výzkumníci z bezpečnostní společnosti Acronis.
Podle bezpečnostních expertů se Osiris šíří především prostřednictvím nevyžádaných e-mailů a infikovaných on-line inzerátů.

Napadnout přitom může nejen počítače s Windows, ale také stroje postavené na platformě MacOS a Android. Tedy i tablety a chytré telefony. „Kromě toho přímo napadá také zálohovací systémy jako například Volume Shadow Copy Service (VSS). To zabraňuje uživatelům spustit obnovu systému z dat uložených na napadaném stroji,“ konstatovali výzkumníci ze společnosti Acronis.

Jdou po výkupném
Samotný útok probíhá u Osirise úplně stejně jako u dalších vyděračských virů z rodiny ransomware. Nejprve zašifruje všechna data uložená na pevném disku. Za jejich zpřístupnění pak útočníci požadují výkupné, a to klidně i několik tisíc korun.

Ani po zaplacení výkupného se ale uživatelé ke svým datům nemusí dostat. Místo placení výkupného je totiž nutné virus z počítače odinstalovat. Zpřístupnit nezálohovaná data je už ale ve většině případů nemožné.

O tom, jak nepříjemný může útok Osirise být, ví své například policie v texaském městě Crockrell Hill. Ta přišla o záznamy z posledních let poté, co jí tento nezvaný návštěvník zablokoval její počítač i záložní server.

Krade SMS zprávy a kontakty
Jak je z řádků výše patrné, vyděračné viry už dávno nepředstavují hrozbu pouze pro klasické počítače, ale například také pro chytré telefony a tablety. To platí například i o ransomwaru zvaném Charger, před kterým minulý týden varovali bezpečnostní analytici z antivirové společnosti Check Point. 

Charger se soustředí výhradně na chytré telefony s operačním systémem Android. Útočníkům se jej dokonce podařilo propašovat i do oficiálního obchodu Google Play, a to jako součást aplikace EnergyRescue.

„Infikovaná aplikace krade kontakty a SMS zprávy z uživatelského zařízení a snaží se získat administrátorská oprávnění. Pokud je uživatel udělí, ransomware uzamkne zařízení a zobrazí zprávu požadující platbu,“ vysvětlil David Řeháček, bezpečnostní odborník ze společnosti Check Point.

Útočníci se snažili zprávou uživatele jednoznačně vyděsit. „Budete nám muset zaplatit, jinak prodáme každých 30 minut na černém trhu část vašich osobních informací,“ stojí ve výzvě počítačových pirátů.

Hackeři úspěšně napadli e-maily ministerstva zahraničí. Dostali se i ke komunikaci samotného ministra
31.1.2017 Živě.cz Hacking
Začátkem letošního roku odhalily interní mechanismy Ministerstva zahraničních věcí hackerský útok na e-maily zaměstnanců MZV. Podle ministra zahraničních věcí, Lubomíra Zaorálka, došlo k úniku velkého množství komunikace včetně té z nejvyšších míst – náměstků a samotného ministra.

Zaorálek na tiskové konferenci ubezpečil, že se únik dat týká e-mailových schránek, a nikoliv klasifikovaných informací, pro jejichž správu využívá ministerstvo interní oddělený systém. Pro vyšetřování byla vytvořena pracovní skupina pod vedení Národního bezpečnostního úřadu, na které se podlí i úřad vlády, informační služby či Národní centrum kybernetické bezpečnosti.

Klepněte pro větší obrázek
Při útoku na e-mail Ministerstva zahraničních věcí útočníci získali komunikaci ministra i jeho náměstků

Ministr Zaorálek uvedl, že útok podle odborníků připomínal svým charakterem napadení e-mailů Demokratické strany ve Spojených státech a vyjádřil domněnku, že byl útok proveden cizím státem. Podle ministra je třeba posílit personální i finanční prostředky pro kyberochranu veřejných institucí.

O způsobu útoku můžeme zatím pouze spekulovat a počkat na závěry pracovní skupiny, která incident vyšetřuje. Vzhledem k rozsahu útoku se dá předpokládat proniknutí přímo k e-mailovému serveru nebo chabé zabezpečení e-mailových schránek bez šifrování, které by umožnilo odposlech komunikace. O úniku dat ještě před samotným prohlášením ministra zahraničí informoval web Neovlini.cz, který uvedl, že útok trval několik měsíců a vážnost situace dokládá fakt, že unikly i citlivé informace o spojencích.

Facebook Unveils 'Delegated Recovery' to Replace Traditional Password Recovery Methods

31.1.2017 thehackernews Social

How do you reset the password for your Facebook account if your primary email account also gets hacked?
Using SMS-based security code or maybe answering the security questions?
Well, it's 2017, and we are still forced to depend on insecure and unreliable password reset schemes like email-based or SMS code verification process.
But these traditional access recovery mechanisms aren't safe enough to protect our all other online accounts linked to an email account.
Yahoo Mail can be used as an excellent example.
Once hackers have access to your Yahoo account, they can also get into any of your other online accounts linked to the same email just by clicking the link that says, "Forgot your password?"
Fortunately, Facebook has a tool that aims to fix this process, helping you recover access to all your other online accounts securely.
At the Enigma Conference in Oakland, California on Monday, Facebook launched an account recovery feature for other websites called Delegated Recovery — a protocol that helps applications delegate account recovery permissions to third-party accounts controlled by the same user.
Starting today, Delegated Recovery is available to GitHub users for account recovery, allowing them to set up encrypted recovery tokens for their Github accounts in advance and save it with their Facebook accounts.
So in case they ever lose access to their Github account, they can re-authenticate to Facebook and request the stored token be sent from their Facebook account back to Github with a time-stamped signature, proving their identities and securely regaining access to their accounts.
This whole process takes place over encrypted HTTPS Web links and completes within a few seconds.
Since the stored token is encrypted, even Facebook can not read the personal data stored in that token.
The social network giant also assured that except its assertion that the person recovering the GitHub account is the same who saved the token, the company doesn't share any personal information about the user with GitHub.
According to the social networking giant, the Delegated Recovery service will be especially helpful for online users who have lost their smartphones, physical tokens or keys used as a second factor of authentication.
"We also want to offer the ability for people to use other accounts, such as a GitHub account, to help you recover your access to Facebook." said Brad Hill, Security Engineer at Facebook
Facebook has published the protocol behind the feature and the technical specifications on its GitHub page. You can also read more information about the feature on Facebook's official post.
Since no system is hacker-proof, Facebook has invited hackers and security community for reporting bugs, submit suggestions, and feedback.
Delegated Recovery is part of Facebook's bug bounty program, allowing security researchers and bug hunters to test and find out security vulnerabilities in it.
This tool is being released as open-source that would allow other third-party sites to implement it, but for now, the service is available only for GitHub.

Radware Acquires Threat Detection firm Seculert

31.1.2017 securityweek Attack
Radware (NASDAQ: RDWR), a company best known for its DDoS protection and application delivery solutions, announced on Tuesday that it has acquired Seculert, a provider of cloud-based threat detection solutions.

Founded in 2010, Seculert helps enterprises detect if they have been compromised, and provides information on the attacks carried against them. The company does this through a cloud-based service that leverages a crowdsourcing and Big Data analytics platform to identify and block attacks.

According to Radware, the acquisition enhances its attack mitigation system, which will allow for advanced threat analysis with a focus on enhancing data center security.

“The Seculert acquisition allows Radware to leverage machine learning technology and its data analytics platform in order to expand our core expertise beyond attack analysis to threat analysis, which provides a panoramic view of the data center’s posture,” said David Aviv, Radware’s Chief Technology Officer. “These capabilities expand Radware’s attack mitigation from real-time and near-time to include detection of stealth attack campaigns.”

Seculert, which has received more than $15 million in funding, including a $10 million Series B round in July 2013, has offices in the U.S., the U.K., and Israel.

The terms of the acquisition were not disclosed, but Radware says the acquisition is unlikely to be material to its 2017 revenues, slightly dilutive to its fully diluted 2017 Non-GAAP EPS, and accretive to its fully diluted 2018 Non-GAAP EPS.

As part of a security startup series, SecurityWeek interviewed Dudi Matot, Seculert co-founder and former CEO, back in June 2014.

Gaza Cybergang Uses QuasarRAT to Target Governments

31.1.2017 securityweek Virus
Researchers at Palo Alto Networks have spotted new attacks they believe have been launched by the cyber espionage group known as Gaza Cybergang, and discovered that one of the servers used by the threat actor is vulnerable to remote attacks.

Gaza Cybergang, also known as Gaza Hackers Team and Molerats, has been active since at least 2012. The actor, which some believe is run by the Palestinian militant group Hamas, has mainly targeted organizations in Middle Eastern countries, but victims have also been observed in Europe and the United States.

Palo Alto Networks recently spotted new attacks aimed at government organizations and determined that they are likely related to a Gaza Cybergang campaign dubbed DustySky.

In the recent attacks analyzed by the security firm, the threat group used two pieces of malware: a downloader called Downeks and a remote access tool (RAT) named QuasarRAT.

Researchers noticed similarities in the code, decoys, targets and the command and control (C&C) infrastructure of the recent campaign and DustySky. They pointed out that the attacks were launched and the malware samples were built on days that coincide with the workweek in the Middle East.

Quasar is a free and open source RAT that has evolved from xRAT. The sample spotted in the Gaza Cybergang attacks appears to be a customized version developed using source code available on GitHub.

Once it infects a system, the malware can steal files, collect system information, download and execute files, open the task manager, kill or start processes, open a remote desktop connection, remotely control the mouse and keyboard, capture passwords, log keystrokes, visit websites, and display a message box.

An analysis of the C&C server used by QuasarRAT revealed the existence of remote code execution vulnerabilities allowing a second attacker to take control of the machine. While they haven’t made tests on the live server, lab simulations conducted by Palo Alto Networks showed that an attacker can change the QuasarRAT code on the server and report fake victim data.

Since the server does not check the validity of the data it receives, an attacker can trick the Gaza Cybergang into connecting to a specially crafted “victim” system, which can be used to deliver arbitrary files.

“Quasar is a .NET Framework assembly, loading multiple DLLs upon launch, for example ‘dnsapi.dll’. Quasar server is vulnerable to a simple DLL hijacking attack, by using this technique to replace server DLLs,” Palo Alto Networks researchers explained. “When the attacker restarts the Quasar application, our uploaded ‘dnsapi.dll’ will instead be loaded. Through this vector, we could drop our own Quasar client on the attacker’s server and execute it. Our Quasar RAT will connect to our own (secured, of course) Quasar server, allowing us to control that attacker’s server with his own RAT.”

As for Downeks, experts noticed new versions of the threat written in .NET – unlike the earlier samples which had been written in native code. The new versions, used against Hebrew-speaking targets, provide basic backdoor capabilities.

While Downeks’ primary role is to download other malware, it can also capture screenshots and check the infected system for the presence of security products.

Hrozí odposlechy na internetu? Novela zákona tomu prý nasvědčuje

31.1.2017 SecurityWorld BigBrother
Zástupci tří významných profesních internetových organizací poslali předsedovi vlády České republiky otevřený dopis, v němž ho upozorňují na nedostatky, které přináší novela zákona o Vojenském zpravodajství. Ta se včera projednávala na půdě poslanecké sněmovny.

V otevřeném dopise, pod nímž jsou podepsáni Ondřej Filip, výkonný ředitel sdružení CZ.NIC, Zdeněk Zajíček z ICT Unie a Martin Semrád za neutrální propojovací uzel NIX.CZ se mimo jiné píše: "Je alarmující, že ačkoliv je deklarováno, že zařízení VOZ nebudou realizovat plošný odposlech, ze své podstaty přes ně bude nekontrolovaně procházet téměř veškerý internetový provoz.“

V dopise se dále uvádí, že ačkoliv to zákon vylučuje, bude technicky možné odposlechnout jakýkoliv provoz v síti (libovolného uživatele) pouze na základě rozhodnutí administrátora systému.

To podle autorů dopisu generuje vysoká bezpečnostní rizika v případě selhání konkrétního jedince nebo například v situaci, kdy nějaký hacker prolomí systém VOZ a využije tuto infrastrukturu ke svým cílům.

Hackeři napadli e-maily ministerstva zahraničí. A rovnou v nejvyšších patrech

31.1.2017 Novinky/Bezpečnost Hacking
E-mailové účty ministra zahraničí Lubomíra Zaorálka (ČSSD) a jeho náměstků napadly hackeři. V úterý o tom informoval server Neovlivní.cz.
„Jde o tisícovky dat, která byla postupně stažena ze schránek ministra a náměstků. Včetně tajných informací,” citoval server zdroj obeznámený s případem.

Mluvčí resortu Michaela Lagronová napadení účtů potvrdila. Uvedla však, že nemá informace o tom, že by došlo k vyzrazení utajovaných informací.

Hackeři loni ukradli 4 miliardy digitálních záznamů. Rekord překonali o miliardu
31.1.2017 Živě.cz Hacking
Kyberzločinci kradou data zneklidňujícím tempem. Během roku 2016 počet útoků a ukradených dat výrazně vzrostl na nový rekord. Informuje o tom bezpečnostní agentura Risk Based Security. Celkem 4,149 zaznamenaných útoků znehodnotilo 4,2 miliardy digitálních záznamů. Je to o miliardu více než byl předchozí rekord z roku 2013.

Na internet unikly nahrané hovory marketingové firmy, obsahují detaily o jménech, adresách i kreditních kartách
Hlavními cíli byly podniky. Celkem stály za 55 % všech případů. Hackeři ale také útočili na zdravotnická zařízení nebo vládní agentury. „Počet zaznamenaných případů překonal všechna očekávání. A nejhorší je, že skutečná čísla budou pravděpodobně mnohem vyšší,“ sdělila Inga Goddijn, viceprezidentka Risk Based Security.

Velký podíl na výši čísla mělo Yahoo a jeho stovky tisíc ukradených dat. Není však samo. V průměru se počet kradených dat pohyboval mezi 500 tisíc a 10 miliony. Nejvíce útoků bylo zaznamenáno v USA (1,971) a v Británii (204), ale také v Kanadě (119), Brazílii (71), Austrálii (59) a Rusku (49).
„Válku proti kyberzločincům opravdu nevyhráváme. Daří se jim lépe než kdy dříve,“ uvádí Goddijn na stránkách společnosti. Často jsou podle ní kradeny citlivé údaje, jejichž vlastnictvím můžou útočníci přijít ke značnému zisku.

Rozdílem oproti předchozím rokům bylo, že loni útočníci útočili více cíleně. Dříve bylo hodně útoků oportunistických, ale nyní hackeři cílí na konkrétní společnosti, které shromažďují konkrétní data. Nezisková organizace Online Trust Alliance proto varuje, že obětí útoků se můžou stát i malé společnosti. Situace navíc bude postupně horší než lepší, takže pokud ještě někdo nevzal digitální zabezpečení svého podniku vážně, je nejvyšší čas to udělat.

Na internet unikly nahrané hovory marketingové firmy, obsahují detaily o jménech, adresách i kreditních kartách
31.1.2017 Živě.cz Incidenty
Většina čtenářů jistě zná klasické začátky marketingových hovorů, které začínají obvyklým vyjádřením „Váš hovor bude nahráván“. Jak se ukazuje, jedná se o další nebezpečné ukládání osobních dat, kterého se mohou hackeři zmocnit.

Hackeři zamkli pokoje hotelovým hostům a odstavili rezervační systém, za odblokování požadovali výkupné
Dle informací MacKeeperu totiž na internet uniklo celkem 400 000 nahrávek hovorů, které prováděla telemarketingová společnost VICI Marketing LLC v USA jak s koncovými uživateli, tak i zaměstnanci firem.

Klepněte pro větší obrázek
Ukázka vybraných informací

Hovory přitom obsahovaly údaje jak o telefonních číslech, jménech a adresách, tak i o rodných čísel. Přibližně 17 tisíc hovorů pak zahrnoval i čísla kreditních karet a další finanční informace. Vzhledem k tomu, že databáze o velikosti 28 GB byla neznámou dobu veřejně dostupná přes internet, není jasné, kdo všechno se dat zmocnil.

Jak je vidět, nebezpečí úniku osobních dat se skrývá všude, takže si dávejte pozor při předávání osobních informací i při telefonních hovorech.

Check If Your Netgear Router is also Vulnerable to this Password Bypass Flaw
31.1.2017 thehackernews Vulnerebility
Again bad news for consumers with Netgear routers: Netgear routers hit by another serious security vulnerability, but this time more than two dozens router models are affected.
Security researchers from Trustwave are warning of a new authentication vulnerability in at least 31 models of Netgear models that potentially affects over one million Netgear customers.
The new vulnerability, discovered by Trustwave's SpiderLabs researcher Simon Kenin, can allow remote hackers to obtain the admin password for the Netgear router through a flaw in the password recovery process.
Kenin discovered the flaw (CVE-2017-5521) when he was trying to access the management page of his Netgear router but had forgotten its password.
Exploiting the Bug to Take Full Access on Affected Routers

So, the researcher started looking for ways to hack his own router and found a couple of exploits from 2014 that he leveraged to discover this flaw which allowed him to query routers and retrieve their login credentials easily, giving him full access to the device.
But Kenin said the newly discovered flaw could be remotely exploited only if the router's remote management option is enabled.
While the router vendor claims the remote management option is turned off on its routers by default, according to the researcher, there are "hundreds of thousands, if not over a million" routers left remotely accessible.
"The vulnerability can be used by a remote attacker if remote administration is set to be internet facing. By default this is not turned on," Kenin said. "However, anyone with physical access to a network with a vulnerable router can exploit it locally. This would include public Wi-Fi spaces like cafés and libraries using the vulnerable equipment."
If exploited by bad actors, the vulnerability that completely bypasses any password on a Netgear router could give hackers complete control of the affected router, including the ability to change its configuration, turn it into botnets or even upload entirely new firmware.
After trying out his flaw on a range of Netgear routers, Kenin was surprised to know that more than ten thousand vulnerable devices used the flawed firmware and can be accessed remotely.
He has also released an exploit code for testing purpose, written in Python.
List of Vulnerable NETGEAR Router Models
The SpiderLabs researcher stressed that the vulnerability is very serious as it affects a large number of Netgear router models. Here's a list of affected Netgear routers:
C6300 (firmware released to ISPs)
Update the Firmware of your NETGEAR Router Now!
Kenin notified Netgear of the flaw, and the company confirmed the issue affects a large number of its products.
Netgear has released firmware updates for all of its affected routers, and users are strongly advised to upgrade their devices.
This is the second time in around two months when researchers have discovered flaws in Netgear routers. Just last month, the US-CERT advised users to stop using Netgear's R7000 and R6400 routers due to a serious bug that permitted command injection.
However, in an effort to make its product safe, Netgear recently partnered up with Bugcrowd to launch a bug bounty program that can earn researchers cash rewards of up to $15,000 for finding and responsibly reporting flaws in its hardware, APIs, and the mobile apps.

Google Paid Out $9 Million in Bug Bounties Since 2010

31.1.2017 securityweek Security
Google has awarded researchers more than $9 million since the launch of its bug bounty program in 2010, including over $3 million paid out last year.

According to the company, more than 1,000 payments were made last year to roughly 350 researchers from 59 countries. The biggest single reward was $100,000 and over $130,000 were donated by the search giant to charity.

Google also said it had paid out nearly $1 million each for vulnerabilities affecting the Android operating system and the Chrome web browser. In June, one year after the launch of its Android bug bounty program, the company decided to increase rewards for Android flaws.

In 2016, the company opened its Chrome Fuzzer Program to the public. The program allows experts to run fuzzers at large scale and they receive rewards automatically.

Google also highlighted the stories of an expert who donated his rewards to a Special Olympics team in the U.S., and an Indian researcher who funds his startup with bug bounty rewards.

The “2016 year in review” report also shows a proof-of-concept (PoC) video submitted by Frans Rosén, in which the researcher’s actions are synchronized to the background music. The video demonstrates a cross-site scripting (XSS) vulnerability in the payments.google.com domain.

Google has been involved in third-party hacking competitions such as Pwn2Own and Pwnfest, but it also runs its own events. A contest that will run until March 14, named The Project Zero Prize, offers significant rewards to anyone who can achieve remote code execution on Nexus 6P and Nexus 5X smartphones by knowing only their email address and phone number.

Hundreds of thousands, if not over a million Netgear routers open to hack
31.1.2017 securityaffeirs Vulnerebility

Hundreds of thousands of Netgear routers are vulnerable to password bypass, the company issued updates only for a number models.
An impressive number of Netgear routers is affected by two flaws that can lead to password disclosure.

It has been estimated that hundreds of thousand devices, potentially more than one million Netgear routers, could be hacked, by both a local or a remote attacker.

Simon Kenin, a security researcher at Trustwave, discovered the flaw and confirmed the vulnerabilities can be remotely exploited when the remote management option of the Netgear routers is enabled.

While Netgear claims remote management is turned off on routers by default,

Kenin explained that despite Netgear claims remote management is turned off on routers by default, there are “hundreds of thousands, if not over a million” Netgear routers with the feature turned on.

Hacking the Netgear routers by exploiting this password bypass it is quite simple, attackers just need to send a simple request to the web management server running on the device.

In this way the expert is able to determine a number that corresponds to a password recovery token, then he could use it to call the passwordrecovered.cgi script.

Kenin discovered by the password bypass by leveraging two exploits disclosed in 2014 on some Netgear routers.

“After few trials and errors trying to reproduce the issue, I found that the very first call to passwordrecovered.cgi will give out the credentials no matter what the parameter you send. This is totally new bug that I haven’t seen anywhere else. When I tested both bugs on different NETGEAR models, I found that my second bug works on a much wider range of models.” Kenin wrote in a blog post.

“A full description of both of these findings as well as the python script used for testing can be found here. The vulnerabilities have been assigned CVE-2017-5521 and TWSL2017-003.”

Trustwave reported the vulnerability to Netgear in April 2016, but Netgear only in in July provided firmware updates for a fraction of the affected router models.

This week Netgear published detailed instructions on the affected models and the way to download and install firmware updates. According to the security advisory, there are 31 vulnerable models, but only 18 of them have been patched.

The owners of the unpatched devices have to manually enable password recovery and disable remote management on their Netgear routers in order to avoid problems.

“The potential for password exposure remains if you do not complete both steps. NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification,” the company writes.

Kenin points out the dangers caused by malware like the Mirai bot that once obtained a login credential for the routers could cause serious problems.

“With malware such as the Mirai botnet being out there, it is also possible that some of the vulnerable routers could be infected and ultimately used as bots as well. If running a bot is not possible, the DNS can be easily changed to a rogue one, as described by Proofpoint, to further infect machines on the network,” Kenin added.

Printer Vulnerabilities Expose Organizations to Attacks

30.1.2017 securityweek Vulnerebility
A team of researchers from Ruhr-Universität Bochum in Germany has analyzed 20 printers and multifunction printers (MFPs) from several vendors and discovered that each of them is affected by at least one vulnerability, including flaws that can be exploited to crash the device or obtain sensitive information that provides access to the organization’s network.

The experts conducted their tests on printers from HP, Brother, Lexmark, Dell, Samsung, Konica, OKI and Kyocera using a Python-based piece of software they named PRinter Exploitation Toolkit (PRET). The analysis revealed the existence of both old and new vulnerabilities and attack vectors that can be exploited locally or remotely.

Some of the attack methods detailed by the researchers involve what they call PostScript malware. PostScript, created more than 30 years ago by Adobe, is a computer language used to describe the appearance of text and graphics on a page. The language is supported by all major printer manufacturers.

According to researchers, an attacker can abuse PostScript to manipulate documents, such as in the attack where thousands of printers were hijacked and made to print anti-Semitic flyers, or to capture the content of documents that are printed.

Such attacks can be launched through USB, remotely over the local network, or from the Internet via a malicious website using cross-site printing (XSP) and cross-origin resource sharing (CORS) spoofing.

Experts also showed how PostScript and Printer Job Language (PJL) can be leveraged to access the entire file system on some printers, including passwords for the embedded web server. This vulnerability has been known for several years, but experts say it still hasn’t been completely fixed.

“OKI MC342dn allows an attacker to execute one level of path traversal, where a directory called ‘hidden/’ is located which contains stored fax numbers, email contacts and local users’ PINs as well as the SNMP community string,” researchers said in their paper. “More interesting, however, is the fact that this MFP can be integrated into a network using features like Email-to-Print or Scan-to-FTP. An attacker could find passwords for LDAP, POP3, SMTP, outbound HTTP proxy, FTP, SMB, and Webdav as well as the IPsec pre-shared keys. This is a good example how an attacker can escalate her way into a company’s network, using the printer device as a starting point.”

They also discovered that buffer overflow vulnerabilities in the Line Printer Daemon (LPD) and the PJL interpreter can be exploited for denial-of-service (DoS) attacks and possibly even arbitrary code execution. PJL commands can also be used to cause physical damage to the device’s non-volatile memory (NVRAM) and gain access to sensitive information stored in the NVRAM, such as web server passwords.

These security holes can also be exploited locally, or remotely using XSP and CORS spoofing.

Printer vulnerabilities

The experts have also analyzed Google Cloud Print, a service that allows users to print from anywhere, including their mobile device, to any printer. They showed that the Google service was also affected by some security issues, for which they earned a $3,133.7 reward from the search giant.

The researchers have also notified other affected vendors of their findings. However, they pointed out that the old vulnerabilities they had identified affected the latest versions of the firmware. In some cases, the vulnerabilities have been known for more than a decade, which they believe suggests that printer manufacturers don’t take security seriously, or they lack the proper security analysis tools.

Netflix Login Generator Distributes Ransomware

30.1.2017 securityweek Virus
A newly observed piece of ransomware is being distributed via a Netflix login generator, Trend Micro security researchers warn.

Netflix is certainly a high-profile target for cybercriminals, given its subscriber base of 93 million users in more than 190 countries, and stolen credentials can be abused in various ways. Attackers often attempt to monetize compromised accounts by selling them on the dark web or by exploiting server vulnerabilities, but also for the distribution of Trojans to steal users’ financial and personal information.

The newest manner in which miscreants are leveraging stolen Netflix credentials is ransomware distribution, and the attack method is pretty straightforward. Interested parties are lured with free Netflix accounts via a login generator that has been packed with malicious code.

Detected as RANSOM_ NETIX.A, the ransomware is targeting Windows 7 and Windows 10 computers and terminates itself if it runs on a different platform variant. The login generator is a tool typically used in software and account membership piracy, which can be usually found on websites for cracked applications, Trend Micro explains.

When the user executes the Netflix login generator, the executable drops another copy of itself (netprotocol.exe) and executes. The program’s main window provides users with a button to generate logins, which displays another prompt window when clicked on. This second window supposedly presents the user with the login information of a genuine Netflix account.

However, these are fake prompts and windows, and the ransomware uses them to distract the user while it has already started to encrypt files in the background. The malware, security researchers say, targets 39 file types that could be found under the C:\Users directory.

The ransomware uses AES-256 encryption and appends the .se extension to the affected files. After completing the encryption process, the malware displays ransom notes to the victim, demanding $100 worth of Bitcoin (0.18 BTC) from its victims.

The malware was also observed connecting to its command and control (C&C) servers to send and receive information (customizing the ID number, for instance) and to download the ransom notes. One of these notes is set as the wallpaper of the infected machine.

“Malefactors are diversifying the personal accounts they target. Phished Netflix accounts, for instance, are an attractive commodity because one can be used simultaneously by different IP addresses. In turn, the victim doesn’t immediately notice the fraud—as long as it’s not topping the device limit. This highlights the significance for end users to keep their subscription accounts safe from crooks,” Trend Micro notes.

This incident brings to the spotlight not only the importance of keeping good account security, to ensure one’s credentials don’t end up being used by malicious actors, but also the risks involved in pirating content. It’s not only the ransom amount that users should take into consideration when thinking about ransomware, but also the fact that there is a possibility that they might never get their files back, even if they pay.

“Bad guys need only hack a modicum of weakness for which no patch is available—the human psyche. Social engineering is a vital component in this scam, so users should be smarter: don’t download or click ads promising the impossible. If the deal sounds too good to be true, it usually is,” Trend Micro concludes.

Keylogger, Bitcoin Stealer Dropped via Fake Bank Transfer Emails

30.1.2017 securityweek Virus
A recently detected spam campaign uses phony bank transfer emails to distribute a piece of malware that can steal information stored in browsers, log keystrokes and steal Bitcoin from crypto-currency wallets.

Discovered by Cyren security researchers, the attack relies on fake bank transfer emails drop a versatile keylogger malware onto their computers. The fake emails supposedly inform the victims that they received a deposit or that they include information pertaining to other types of financial transactions.

The spam messages are sent from bots in the United States and Singapore, and use the branding of several different banks, including Emirates NDB and DBS, to hide their malicious intent. The financial transfer-related subjects used in the campaign include Online wire transfer payment notification, Payment update, and Swift copy, Cyren explains.

Each of the spam messages includes an attachment, featuring a name that includes variations of “Swift” (such as swift copy_pdf.ace, swift copy.zip, and swift_copy.pdf.gz. The attachment clearly makes reference to SWIFT codes, which are used to uniquely identify banks and financial institutions all around the world when transfers are made, and they attempt to provide a sense of legitimacy to the emails.

The attachment, however, is an executable that saves a file called filename.vbs onto the compromised machine in the Windows startup folder, to ensure that it runs every time the victim restarts or logs into their PC. The script is meant to run the malware that is saved in the AppData\Local\Temp\ subfolder as filename.exe. The attachment file also deletes itself after execution.

Once it has infected the victim’s computer, the malware starts scraping the registry for passwords and other sensitive information. The threat targets mainly software used to access FTP servers, as well as web browsers, and other types of applications that could store credential information.

“It gathers information from all the web browsers on the computer (stored passwords and usernames, history, cookies, cache etc.) and email clients as well. The malware also searches the computer for crypto-currency wallets to steal,” Cyren notes.

The crypto-currency stealer was found to target a couple of dozen wallets, including Anoncoin, BBQcoin, Bitcoin, Bytecoin, Craftcoin, Devcoin, Digitalcoin, Fastcoin, Feathercoin, Florincoin, Freicoin, I0coin, Infinitecoin, Ixcoin, Junkcoin, Litecoin, Luckycoin, Megacoin, Mincoin, Namecoin, Phoenixcoin, Primecoin, Quarkcoin, Tagcoin, Terracoin, Worldcoin, Yacoin, and Zetacoin.

What’s more, the malware functions as a keylogger as well, meaning that it creates hooks for both the keyboard and the mouse. The security researchers note that the threat calls the “GetAsyncKeyState” API, which clearly indicates that it attempts to log every keystroke.

Many NETGEAR Routers Leak Admin Passwords

30.1.2017 securityweek Vulnerebility

NETGEAR has released firmware updates for many of its routers after an expert discovered that they are affected by serious vulnerabilities that can be exploited to obtain the administrator password for the user interface.

Trustwave researcher Simon Kenin started analyzing NETGEAR routers nearly one year ago, when he was too lazy to get out of bed to perform a cold reboot of his router, and instead attempted to reboot it from its web interface. Since he had forgotten the password, he started looking for ways to remotely hack the device.

The researcher discovered a couple of exploits from 2014 that could be used to obtain a NETGEAR router’s login password via the unauth.cgi and passwordrecovered.cgi script files. Experts had previously demonstrated that a numeric password recovery token provided by unauth.cgi can be used in a request to passwordrecovered.cgi to obtain the device’s username and password in clear text.

Passwordrecovered.cgi is related to a password recovery feature present in NETGEAR routers. If the password recovery feature is disabled, which is the default setting, the current password can be obtained by sending a request to passwordrecovered.cgi with the correct recovery token.

Kenin noticed that the old exploits still worked, but he also discovered a new variant of this authentication bypass flaw. He determined that the token is not checked properly on the very first request after a reboot of the device, allowing an attacker to obtain the password by passing any data to passwordrecovered.cgi, not necessarily a correct token.

The vulnerabilities, tracked as CVE-2017-5521, can be exploited by an attacker with access to the local network or from the Internet if the remote administration feature, which is disabled by default, is enabled on the device.

NETGEAR was informed about the vulnerabilities in April 2016. The vendor released an initial advisory in June, but only workarounds were made available at the time.

The latest version of the advisory shows that NETGEAR has released security updates for 20 affected routers, but there are still a dozen models and firmware versions that remain unpatched. For devices that don’t have a firmware fix available, the manufacturer recommends manually enabling the password recovery feature – the exploits do not work if this feature is enabled – and disabling remote management.

Trustwave has identified more than 10,000 vulnerable devices that are remotely accessible. However, considering that NETGEAR is one of the top router manufacturers and has a significant market share, experts believe hundreds of thousands and possibly even more than one million routers could be affected.

“As many people reuse their password, having the admin password of the router gives us an initial foothold on the network. We can see all the devices connected to the network and try to access them with that same admin password,” Kenin said in a blog post. “With malware such as the Mirai botnet being out there, it is also possible that some of the vulnerable routers could be infected and ultimately used as bots as well.”

NETGEAR recently announced the launch of a bug bounty program, with rewards of up to $15,000 per vulnerability. The decision to launch the program came after several researchers complained about how the company handled vulnerability disclosures.

A sophisticated spear phishing campaign is targeting NATO Governments
30.1.2017 securityaffeirs Phishing

Researchers from Cisco’s Talos security intelligence and research group.discovered a sophisticated spear phishing campaign on NATO Governments.
Security experts at Cisco Talos are warning of a new sophisticated espionage campaign targeting NATO Governments with specially designed documents used to deliver Flash exploits. The campaign started during the Christmas and New Year holidays, the hackers used Word document titled “Statement by the NATO Secretary General following a meeting of the NATO-Russia Council” as bait.

The attacks aim to perform reconnaissance activity on infected systems and avoid sandboxes. The researchers dubbed the framework “Matryoshka Doll Reconnaissance Framework” due to its complexity.

NATO Matryoshka Doll Reconnaissance Framework attack

The content of the document has been copied from an official NATO statement published on its website and the RTF file does not contain any exploits, both circumstances make hard for the victims to detect the attack.

The malicious document contains a succession of embedded objects, including OLE and Adobe Flash objects, that are extracted in a specific order.

“The OLE object contains an Adobe Flash object. The purpose of the Adobe Flash is to extract a binary blob embedded in itself via ActionScript execution,” reads a blog post . “This blob is a second encoded and compressed Adobe Flash object. The encoded algorithm is based on XOR and zlib compression. This is the second Adobe Flash in the final payload located within the document.”

The analysis of the payload revealed its most relevant component is located in the ActionScript. The first action of the ActionScript is to contact a specific URL of the C&C.

In this way, the attacker gathers information about the target, including the OS version or the Adobe Flash version that are used to evaluate if attack the machine or not.

The collected data can allow the attacker to determine if the infected system is a sandbox or a virtual machine and stop the operations.

At this point, the malicious code performs two additional nested requests that use data obtained from the response to the previous request.

In the final phase of the attack, a Flash exploit is fetched, decoded and executed.

Talos observed a significant traffic on the C&C domain starting with January 16, it was mainly composed of requests coming from the security research community.

The attacker noticed the source of the request and decided to replace the malicious payload with junk data in order to interfere with an investigation conducted by the principal security firms.

“It’s important to note that the actor realized security researchers were poking around their infrastructure and then rigged the infrastructure to create resource issues for some security devices. These are the characteristics of reasonably advanced attackers who have designed an efficient minimalist framework that was able to adapt purposes on the fly.” states the analysis.

Over 70% of Washington DC's CCTV Were Hacked Before Trump Inauguration
30.1.0217 thehackernews Cyber

Just days before the inauguration of President Donald Trump, cyber criminals infected 70 percent of storage devices that record data from feds surveillance cameras in Washington D.C. in a cyber attack.
Any guess, What kind of virus could have hit the storage devices?
Once again, the culprit is Ransomware, which has become a noxious game of Hackers to get paid effortlessly.
Ransomware is an infamous piece of malware that has been known for locking up computer files and then demanding a ransom in Bitcoins in order to help victims unlock their files.
But over time, the threat has changed its way from computers and smartphones to Internet-of-Thing (IoT) devices.
Ransomware Infected 70% Surveillance Cameras in Washington D.C.
This time the hackers managed to plant ransomware in 123 of its 187 network video recorders, each controlling up to four CCTVs used in public spaces throughout Washington D.C, which eventually left them out from recording anything between 12 and 15 January.
Officials told the Washington Post that the incident forced them to take the storage devices offline, remove the infection and rebooted the systems across the city, but did not fulfill any ransom demands by the hackers.
While the storage devices were successfully put back to rights and the CCTV cameras were back to work, it is still unclear if any valuable data was lost or if the ransomware infection merely crippled the affected computer network devices.
Washington's chief technology officer Archana Vemulapalli said the officials are now investigating the source of hacking, assuring that the incident was limited to the storage devices tied to closed-circuit TV system and did not affect other D.C. government networks.
Rise in Ransomware: Both in Numbers and Sophistication
Ransomware is the hackers sure-shot way to get paid effortlessly. The threat has been around for a few years, but nowadays it has become one of the most used types of hacking methods.
Recently, hundreds of guests of a luxurious hotel in Austria were locked out of their rooms when ransomware malware hit the hotel's IT system, and the hotel paid the attackers to get back the control of their systems.
We saw an enormous rise in Ransomware threats, both in numbers and sophistication. You would be surprised to know about KillDisk data wiping ransomware that encrypts files and asks for an unusually large ransom of around $218,000 in Bitcoins, but did not provide decryption keeps even after the payment has made.
Another weird ransomware variant was Popcorn Time that was designed to give victims options to either pay a ransom to hackers or infect two more people and have them pay the ransom to get a free decryption key.
Prevention is the Best Practice
The only safe way of dealing with ransomware is prevention. The best defense against Ransomware malware is to create awareness within the organizations, as well as to maintain back-ups that are rotated regularly.
Most viruses and infections are introduced by opening infected attachments or clicking on malicious links usually served in spam emails. So, don't click on links provided in emails and attachments from unknown sources.
Besides this, always ensure that your systems and devices are running the latest version of Antivirus software with updated malware definitions.

IBM Patches XSS Flaws in InfoSphere BigInsights

30.1.0217 securityweek Vulnerebility

IBM has released patches for two cross-site scripting (XSS) vulnerabilities affecting the company’s InfoSphere BigInsights analytics platform.

Fortinet researcher Honggang Ren has identified a couple of stored XSS flaws in the web console of InfoSphere BigInsights, a software platform that allows organizations to discover, analyze and visualize data from disparate sources.

One of the flaws, tracked as CVE-2016-2924, affects the “name” field in the “Add Alert Type” window of the “User-Defined Alerts” feature in the InfoSphere BigInsights user interface. The second vulnerability, identified as CVE-2016-2992, affects the “SQL Editor” feature.

IBM BigInsights XSS

The vulnerabilities allow an attacker to use a guest account to inject malicious JavaScript code into the system. The code is executed when an administrator performs various operations on the pages containing the code. An attacker could leverage the flaws to obtain authentication data from the targeted admin.

“IBM Infosphere BigInsights is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked,” IBM and Fortinet said in their advisories.

The flaws affect IBM BigInsights 4.1 and 4.2. The vendor has classified them as “medium severity,” but their exploitability is “high.”

This was not the first time Ren identified XSS vulnerabilities in IBM products. In October, the expert reported finding a similar security hole in IBM Rational Collaborative Lifecycle Management (CLM).

IBM also informed customers last week of vulnerabilities introduced by various third-party components. For instance, cURL, NTP and Python flaws affect PowerKVM, and a vulnerability in GnuPG impacts IBM Security Network Protection.

Sophisticated Documents Used to Attack NATO Governments

30.1.0217 securityweek Attack
A threat actor has used sophisticated Word documents to deliver Flash exploits in attacks aimed at NATO governments, reported Cisco’s Talos security intelligence and research group.

According to researchers, attackers have used specially designed documents to perform reconnaissance on infected systems and avoid sandboxes. Talos has compared this reconnaissance framework to the Russian Matryoshka nesting doll due to its complex workflow.

The attacks observed by Cisco were launched during the Christmas and New Year holidays. The Word document used as bait was titled “Statement by the NATO Secretary General following a meeting of the NATO-Russia Council,” which has led experts to believe that the targets were likely NATO member countries.

The text in the document has been copied from the official NATO website and the file itself does not contain any actual exploits, making it more difficult to detect.

The document, an RTF file, contains several embedded objects, including OLE and Adobe Flash objects, that are extracted in succession.

“The OLE object contains an Adobe Flash object. The purpose of the Adobe Flash is to extract a binary blob embedded in itself via ActionScript execution,” Talos researchers explained in a blog post. “This blob is a second encoded and compressed Adobe Flash object. The encoded algorithm is based on XOR and zlib compression. This is the second Adobe Flash in the final payload located within the document.”

In the first phase, ActionScript is used to send an HTTP request containing information about the infected system to the command and control (C&C) server. This information can allow the attacker to determine if the infected system is a virtual machine or a sandbox.

Two additional requests are made, each using data obtained from the response to the previous request. In the final phase, a Flash exploit is fetched, and loaded and executed on the fly.

DNS data from Cisco’s Umbrella system showed that numerous requests were made to the C&C domain starting with January 16. These requests came from the security research community, which has triggered a response from the attackers.

They replaced the malicious payload with junk data in order to create resource issues for some security products and disrupt investigation efforts.

“[The] actor realized security researchers were poking around their infrastructure and then rigged the infrastructure to create resource issues for some security devices,” experts said. “These are the characteristics of reasonably advanced attackers who have designed an efficient minimalist framework that was able to adapt purposes on the fly.”

While Cisco has not shared any information on who might be behind the attacks, NATO governments have often been targeted by Russia-linked threat actors, including the cyber espionage group known as Pawn Storm (aka APT28, Fancy Bear and Sofacy). Comparison of the reconnaissance framework to a Matryoshka doll also suggests Russian involvement.

Anonymous promises war on Trump, and only line experts say how to hack his mobile
30.1.0217 securityAffeirs Hacking

Anonymous declared war to US President-elect Donald Trump, hackers are threatening to expose his alleged affairs with Russians.
Anonymous declared war to US President-elect Donald Trump, recently the collective threatened to expose his “financial and personal ties with Russian mobsters.”

The group is claiming to have inside information on some of Trump’s dirty affairs with Russians, but at the time I was writing nothing was disclosed. Trump is sure that someone is orchestrating a misinformation campaign against his administration, he referred the “Fake news” reported in the document written by the British spy Christopher Steele.

Anonymous hack Trump

“Fake news” refers to a report written by British spy Christopher Steele, which alleges that Trump paid prostitutes to urinate on his hotel bed in Moscow as a “dirty protest” against Barack Obama – who had previously stayed in the same hotel suite.” reported The Mirror.

Donald Trump published a direct message to outgoing CIA chief John Brennan saying, “Was this the leaker of fake news?”

Now Anonymous has published a simple guide on how to hack Donald Trump’s phone that according to the media is the same smartphone he owned before being elected.

Anonymous @YourAnonNews
Trump refuses to use another smartphone other than the Galaxy S3. How you could hack and get access to his phone:
2:25 PM - 27 Jan 2017
987 987 Retweets 1,189 1,189 likes
President trump could be easily hacked by tricking him into clicking on a malicious link, and this is possible with a social engineering attack or

“A Galaxy S3 does not meet the security requirements of a teenager, let alone the purported leader of the free world.” states the analysis on the President Trump’s Insecure Android.

“Without exaggerating, hacking a Galaxy S3 or S4 is the sort of project I would assign as homework for my advanced undergraduate classes.”

The analysis suggests it could be very easy by downloading a publicly available exploit depending on the specific OS version running on the target. The analysis cites the Stagefright exploit as a possible weapon against the President’s smartphone.

“Alternatively, one could advertise malware on Brietbart and just wait for Trump to visit,” the hacktivists added.

Chcete slevu 500 Kč? Podvodníci to zkoušejí přes SMS zprávy

30.1.2017 Novinky/Bezpečnost Mobilní
Vyzrát na důvěřivce se snaží v posledních dnech podvodníci prostřednictvím SMS zpráv. Vydávají se totiž za zaměstnance internetového obchodu Alza.cz a nabízejí lidem slevy. Ve skutečnosti se však snaží pouze do jejich chytrého telefonu propašovat škodlivý kód.
„Vyhráváte nákup v hodnotě 500 Kč. Pokud do 12 hodin provedete objednávku přes naši aplikaci, bude zcela zdarma,“ tvrdí podvodníci v SMS zprávách.

Součástí došlé zprávy je také přímo odkaz vedoucí a stažení aplikace Alza.cz, prostřednictvím které se má transakce uskutečnit. Pouze tak mohou lidé údajně vyhrát.

Ve skutečnosti však internetový obchod žádnou podobnou akci nemá. „Evidujeme podvodné SMS vydávající se za propagaci Alza.cz,“ varovali během víkendu zástupci obchodu na svém profilu na Facebooku.

Podvodná aplikace
Problém představuje právě aplikace, kterou podvodníci prostřednictvím SMS zprávy propagují. „Upozorňujeme, že odkaz v SMS nevede ke stažení naší aplikace, ale nejspíše viru,“ podotkli zástupci Alzy.

Podobný trik zkoušeli počítačoví piráti už v minulosti také na klienty bank. Například na Facebooku už od loňského roku vytvářejí falešné profily České spořitelny a lákali důvěřivce na novou verzi internetového bankovnictví. Pokud ji uživatelé vyzkoušejí, náleží jim údajně bonus ve výši 400 Kč. Nabídka je přitom psána česky a bez chyb, a nejeden uživatel se tak může nechat napálit.

Ve skutečnosti jde samozřejmě o podvod. „Upozorňujeme na podvodný profil na Facebooku, který se snaží vzbudit dojem, že patří České spořitelně. Podvodníci na tomto profilu nabízejí nové internetové bankovnictví SERVIS 24,“ varovali již dříve zástupci banky.

Nové internetové bankovnictví bylo ve skutečnosti podvodné, a když jej uživatelé použili, rovnou dali útočníkům své přihlašovací údaje k účtu, případně si mohli do svých počítačů z podvodných stránek stáhnout nějaký škodlivý kód.

Útoky na mobily na vzestupu
Prakticky stejnou neplechu může v chytrém telefonu nadělat také podvodná aplikace Alza.cz. „Pro nákup na Alza.cz vždy využívejte pouze aplikace z oficiálních ochodů Google Play a Apple AppStore,“ doporučili zástupci obchodu.

Na chytré telefony se zaměřují počítačoví piráti v posledních měsících stále častěji. Uživatelé na těchto přístrojích totiž velmi často podceňují bezpečnost. Vhodné je smartphone vybavit podobně jako stolní počítač antivirovým programem a pravidelně stahovat všechny důležité aktualizace nainstalovaných aplikací i samotného operačního systému.

Obětí viru se stalo přes deset miliónů mobilů a tabletů. Teď útočí znovu

30.1.2017 Novinky/Bezpečnost Viry
Doslova jako lavina se šířil v minulém roce internetem škodlivý kód HummingBad, který se zaměřoval na chytré telefony a tablety s operačním systémem Android. Tomu se podařilo infikovat více než deset miliónů mobilních zařízení. Nyní jej počítačoví piráti v inovované verzi nasazují znovu.
HummingBad byl jednou z nejobávanějších mobilních hrozeb loňského roku. V chytrém telefonu nebo počítačovém tabletu totiž dokázal tento nezvaný návštěvník nadělat pěknou neplechu. Virus totiž dovoluje počítačovému pirátovi převzít nad napadeným strojem absolutní kontrolu.

Škodlivý kód měl navíc schopnost se v napadeném zařízení velmi dobře maskovat. Odhalit jej tak nebylo vůbec jednoduché. I to byl jeden z důvodů, proč se tak masově šířil.

Virus obsahovaly desítky aplikací
S novým rokem jej zkoušejí počítačoví piráti nasadit znovu, jak varovali výzkumníci z bezpečnostní společnosti Check Point. Právě oni totiž v oficiálním obchodě Google Play, z něhož se stahují aplikace pro operační systém Android, objevili více než dvě desítky infikovaných programů obsahující škodlivý kód.

„Aplikace infikované v rámci této kampaně byly staženy milióny nic netušících uživatelů. O aplikacích jsme informovali bezpečnostní tým Google a aplikace byly následně z Google Play staženy,“ upozornil David Řeháček, bezpečnostní odborník ze společnosti Check Point.

Podle něj se nová varianta tohoto mobilního malwaru liší od původní verze. I proto dostala nové jméno – HummingWhale. „Využívá nové techniky, takže reklamní podvody jsou sofistikovanější než kdy dříve,“ podotkl Řeháček.

„HummingBad byl nejvýraznějším mobilním malwarem roku 2016. Obětí se stalo více než 10 miliónů uživatelů a škodlivý kód vydělával svým tvůrcům více než 300 000 dolarů (přes 7,5 miliónu korun) měsíčně, takže bylo jen otázkou času, kdy se objeví nějaká nová verze a najde si cestu na Google Play,“ doplnil bezpečnostní expert.

Antivirus by měl být samozřejmostí
Zajímavé je mimochodem také to, jak se nová verze škodlivého kódu zvaná HummingWhale na Google Play dostala. „Všechny nové podvodné aplikace byly publikovány pod falešnými jmény čínských vývojářů,“ vysvětlil Řeháček.

S ohledem na možná rizika by uživatelé neměli novou hrozbu rozhodně podceňovat. Jak bylo již zmiňováno několikrát – i na chytrém telefonu nebo počítačovém tabletu by měl být samozřejmostí antivirový program.

Ransomware shutdown 70% of Washington DC CCTV ahead of President’s inauguration
30.1.2017 securityaffairs Virus

A Ransomware attack compromised 70% of Washington DC CCTV ahead of inauguration of President Trump, technical staff wiped and rebooted the devices.
A ransomware infected 70 percent of storage devices used by the Washington DC CCTV systems just eight days before the inauguration of President Donald Trump.

The attack occurred between 12 and 15 January, the ransomware infected 123 of 187 network video recorders, each controlling up to four CCTVs. IT staff was forced to wipe the infected systems in order to restore the situation, fortunately, the ransomware did not affect other components of the Washington DC network.

“City officials said ransomware left police cameras unable to record between Jan. 12 and Jan. 15. The cyberattack affected 123 of 187 network video recorders in a closed-circuit TV system for public spaces across the city, the officials said late Friday.” states the Washington Post.

“Brian Ebert, a Secret Service official, said the safety of the public or protectees was never jeopardized. Archana Vemulapalli, the city’s Chief Technology Officer, said the city paid no ransom and resolved the problem by taking the devices offline, removing all software and restarting the system at each site.

An investigation into the source of the hack continues, said Vemulapalli, who said the intrusion was confined to the police CCTV cameras that monitor public areas and did not extend deeper into D.C. computer networks.”

Washington DC CCTV ransomware

The first infections were discovered by the Police on Jan. 12 D.C. when the authorities noticed four camera sites were not functioning properly. Experts at the city technology office detected two distinct ransomware in four recording devices, then they extended the analysis to the entire surveillance network and wiped all the infected equipment.

“There was no access from these devices into our environment,” Vemulapalli said.

Interim Police Chief Peter Newsham confirmed that the incident was contained in about 48 hours and there was “no significant impact” overall.

There are some points still no clear:

Did the local police receive a ransom request? For sure they did not pay it.
It is no clear if valuable data was lost in the attack or if the police were able to decrypt information for free, for example by using tools like the No More Ransom.
Who is behind the attack? Cyber criminals that acted to extort money or hacktivist that tried to shut down the CCTV cameras to avoid being recorded during the street protests.
City officials declined to comment.

Hong Kong brokers blackmailed by hackers with DDoS Attacks
30.1.2017 securityaffairs Attack

The Hong Kong Securities and Futures Commission revealed some brokerage websites have been hit by DDoS attacks and blackmailed by crooks.
The Hong Kong’s SFC (Securities and Futures Commission) confirmed several brokers in the city has suffered DDoS attacks and were blackmailed by hackers.

“We are alerted by the Police that some securities brokers have recently encountered distributed denial of service (“DDoS”) attacks targeting their websites and received blackmails from criminals.” reads a notice issued by the SFC. “The DDoS attacks have caused service disruption to the brokers for a short period. It is possible that similar cybersecurity incidents would be observed across the securities industry. “

The Hong Kong’s securities regulator also warned of possible further incidents across the industry.

The regulators in the country have spent a significant effort over the past year to fight cyber threats. According to a survey conducted in November 2016, the average number of cyber attacks detected by businesses in China and Hong Kong grew at 969 percent between 2014 and 2016.

“In a circular to licensed firms late on Thursday, the Securities and Futures Commission (SFC) said it had been informed by the Hong Kong police that brokers had encountered so-called “distributed denial of service” (DDoS) attacks targeting their websites and received blackmails from criminals.” reported the Reuters agency.

The SFC urged companies in the financial center to adopt protective measures, such as DDoS mitigation plans.

“Network architecture, computer servers and network devices should be properly designed and configured to mitigate the risk of advanced and persistent cybersecurity attacks,” SFC said.

SFC urged brokers should configure their servers to avoid ‘reflective amplification’ DDoS attacks.

“Licensed corporations are expected to take immediate actions (including seeking advice from external contracted vendors if they do not possess such expertise and/or resources in-house) to critically review and assess the effectiveness of their cybersecurity controls in place,” SFC added.

Uber pays $9,000 bug bounty payoff for partner firm’s vulnerability
30.1.2017 securityaffairs Vulnerebility

A security expert discovered a flaw in a ransomware protection service that opened Uber service, and many others, to cyber attacks.
The Russian penetration tester Vladimir Ivanov from the security firm Positive Technologies has discovered a vulnerability in anti-ransomware backup service Code42. The flaw could be exploited by attackers to steal data from the organizations using the services, including Uber, Adobe, and Lockheed Martin.

Uber flaw

Ivanov discovered the XML external entity vulnerability while it was searching for flaws in the Uber service that was covered by the bug bounty program of the company.

Ivanov reported the flaw to Uber that agreed to pay him US$9,000 considering that Code42 doesn’t have a bug bounty program.

“The only option to break the service and get a bounty for pwning the [Code42] application was to find a zero day,” Ivanov says.

“[The vulnerability] could give access to backups of all users in a given company. Uber security guys were excited with this vulnerability: they contacted vendor and confirmed that this vulnerability was a zero day.”

An XML External Entity issue occurs everytime an XML input containing a reference to an external entity is processed by a not properly configured XML parser, as a result, it can cause the disclosure of confidential data, denial of service conditions and trigger server-side request forgery attacks.

Ivanov reported the issue to Uber in May through its HackerOne bug bounty, then the company informed Code42 of the flaw that promptly fixed it.

“As a proof-of-concept for Uber, I retrieved the contents of /home/ directory of the server, which was a nice impact illustration to my report at Hackerone,” wrote Ivanov.

“I like to show impact of a given vulnerability, so you don’t have to ask me twice. Given permission to show further exploitation, I quickly found the folder, where backup logs were stored. ”

Uber flaw

Code42 asked Ivanov to wait all customers had applied the security updates to fix the flaw before publicly disclose it.

Ransomware infected systems at a luxury hotel locking guests in and out of the rooms
30.1.2017 securityaffairs Virus

The Romantik Seehotel Jäegerwirt 4-Star Superior Luxury Hotel was hit by a ransomware attack that locked guests in and out of the rooms.
Another singular incident involved a ransomware, the victims are hundreds of guests of a luxurious hotel in Austria, the Romantik Seehotel Jäegerwirt 4-Star Superior Hotel. The guests were locked in or out of their rooms. The malware infected the systems at the hotel and its administration opted to pay the ransom to restore a normal operation.

luxury hotel ransomware

The administration of the Romantik Seehotel Jäegerwirt 4-Star Superior Hotel has admitted having paid €1,500 in Bitcoin to restore the electronic key card system that was compromised by the ransomware.The luxury hotel uses the electronic key card system to manage key cards of the hotel doors.

This isn’t the first cyber attack suffered by the luxury hotel, the hotel management confirmed its systems have been hit multiple times, but this time crooks compromised the internal key management system.

According to the news agency, cyber criminals gained control over the general computer system paralyzing almost any activity at the luxury hotel, including the reservation system and the cash desk system.

“One of Europe’s top hotels has admitted they had to pay thousands in Bitcoin ransom to cybercriminals who managed to hack their electronic key system, locking hundreds of guests in or out of their rooms until the money was paid.” reported The Local website.

I always suggest avoiding the payment of the ransom because there is no certainty that the files are decrypted. Fortunately, in the specific case, after the hotel management paid the ransom the systems were completely restored.

But never trust a cyber criminal!

Even after the payment of the ransom, hackers left a backdoor to the hotel system and conduct further attacks later.

The IT staff at the hotel detected the backdoor and neutralized it, it also adopted further security measures to repel further attacks.

Hotel managers decided to publicly disclose the story to warn hotel about the dangers of cyber attack.

“The house was totally booked with 180 guests; we had no other choice. Neither police nor insurance helps you in this case.” explained the Managing Director Christoph Brandstaetter.

“The restoration of our system after the first attack in summer has cost us several thousand Euros. We did not get any money from the insurance so far because none of those to blame could be found. Every euro that is paid to blackmailers hurts us. We know that other colleagues have been attacked, who have done similarly.”

Last Dridex Trojan variant uses a new tactic to bypass Windows UAC
30.1.2017 securityaffairs Virus

A new variant of the Dridex Trojan recently observed is leveraging a new tactic to bypass the UAC (User Account Control).
Researchers at the security firm Flashpoint have discovered a new campaign leveraging on a new variant of the Dridex Trojan that uses a new tactic to bypass the UAC (User Account Control).

The Dridex Trojan was first spotted in 2014, it is considered one of the most pervasive banking trojan. It was most active between 2014 and 2015, and just smaller campaigns were observed throughout 2016.

Dridex Trojan

The last campaign observed by Flashpoint is targeting UK financial institutions, crooks are using “previously-unobserved” Dridex UAC bypass technique that leverages Windows default recovery disc executable recdisc.exe.

“On January 25, 2017, the criminal syndicate behind Dridex launched another small campaign targeting UK financial institutions.” reads the analysis published by the security firm.

“Flashpoint identified a previously-unobserved Dridex User Account Control (UAC) bypass method characterized by its use of recdisc[.]exe, a Windows default recovery disc executable, and its loading of malicious code via impersonated SPP[.]dll.”

This variant of the Dridex Trojan is using svchost and spoolsrv to communicate with peers and the first-layer of the Command & Control infrastructure.

Crooks are using spam emails as the attack vector, the malicious messages come with attached Word documents that embed macros that download and execute the Dridex Trojan.

Once infected the Windows machine, the malware moves itself from the current location to the %TEMP% folder.

“After malware infection, the Dridex token grabber and webinject modules allow the fraud operators to quickly request any additional information that is required to subvert authentication and authorization challenges imposed by anti-fraud systems at financial institutions. The fraud operators are able to create a custom dialog window and query the infected victims for additional information as if it was sent from the bank itself,” continues the analysis.

Dridex leverages the Windows default recovery disc executable recdisc.exe to load an impersonated SPP.dll with administrative privileges and bypass the UAC protection on Windows 7.

The mechanism leverage the Windows utility because it is white-listed for auto-elevation.

In order to bypass UAC, the malware creates a directory in Windows\System32\6886, then copies the legitimate binary from Windows\System32\recdisc.exe to Windows\System32\6886\.

Then Next, it copies itself to %APPDATA%\Local\Temp as a tmp file, and moves itself to Windows\System32\6886\SPP.dll. The Dridex Trojan then deletes wu*.exe and po*.dll from Windows\System32, after which it executes recdisc.exe and loads itself as impersonated SPP.dll with administrative privileges.

Ransomware Hijacks Hotel Smart Keys to Lock Guests In and Out of the Rooms

29.1.2017 thehackernews Virus

Ransomware Hijacks Hotel Smart Keys to Lock Guests In and Out of the Rooms
What's the worst that could happen when a Ransomware hits a Hotel?
Recently, hundreds of guests of a luxurious hotel in Austria were locked in or out of their rooms when ransomware hit the hotel's IT system, and the hotel had no choice left except paying the attackers.
Today, we are living in a digital age that is creating a digital headache for people and organizations around the world with cyber attacks and data breaches on the rise.
Ransomware is one of them.
The threat has been around for a few years, but during 2016, it has turned into a noxious game of Hackers to get paid effortlessly by targeting hospitals, Universities, private businesses and even police departments and making hundreds of millions of dollars.
Now, the Romantik Seehotel Jäegerwirt 4-Star Superior Hotel has admitted it paid €1,500 (£1,275/$1,600) in Bitcoin ransom to cybercriminals who managed to break into their network and hack their electronic key card system that prevented its guests from entering or leaving their rooms.
The luxury hotel with a beautiful lakeside setting on the Alpine Turracher Hoehe Pass in Austria, like several other hotels in the industry, has a modern IT system that includes key cards for its hotel doors, which could not be programmed.
Also Read: This Tool Detects Never-Seen-Before Ransomware Before It Encrypts Your Data
According to the hotel management, the hotel has been hit multiple times by hackers, but this time they managed to take down the entire key system, preventing its guests to getting in or going out of their rooms, reported The Local.
Besides gaining control of the electronic key system, the hackers even gained control over the general computer system, shutting down all hotel computers, including the reservation system and the cash desk system.
Once the hotel made the payment, the system was completely restored that allowed the hotel staff to gain access to the network and hotel guests to enter and exit their rooms.
What's interesting? Even after the hotel fulfilled the hackers demand, the hackers left a backdoor to the hotel system in an attempt to conduct another cyber attack later.
Fortunately, the security standards of the hotel had been improved by its IT department, and critical networks had been separated to thwart the attack, giving attackers no chance to harm the hotel again.
Furious hotel managers decided to go public with the incident to warn others about the dangers of cyber attack, with Managing Director Christoph Brandstaetter said:
"The house was totally booked with 180 guests; we had no other choice. Neither police nor insurance helps you in this case.
The restoration of our system after the first attack in summer has cost us several thousand Euros. We did not get any money from the insurance so far because none of those to blame could be found.
Every euro that is paid to blackmailers hurts us. We know that other colleagues have been attacked, who have done similarly."
The Ransomware had stolen the nights of many businesses and organizations, as they would often be blamed to fight up to this nasty threat.
Ransomware criminals often demand the ransom in Bitcoin (BTC) for the surety of not getting caught, as Bitcoin transactions are non-trackable due to its decentralized nature.
The frequent payment to Ransomware encourages criminals to stash the cash and develop a more enticing framework for the next target. So, instead of paying or encouraging this scheme, keep your software and systems updated and avoid clicking suspicious links.

Fears Grow over Jihadist Cyber Threat

29.1.2017 securityweek Cyber
Lille, France - Jihadists have yet to shut down a power grid, paralyze a transport network or banking system or take over a key industrial site from afar, but experts say the threat of such a cyber attack should be taken seriously.

Analysts fear that while extremist groups may not have the necessary skills themselves, they could hire someone else to wreak havoc.

"Digital attacks with major impacts are unlikely in the short term," said Guillaume Poupard, head of France's digital security service ANSSI, speaking to AFP at an international cyber security conference in Lille, France.

"However, that could change very fast. Our real fear, and we may already be there, is that they will use mercenaries, people who will do anything for money," Poupard said.

The Islamic State group, Al-Qaeda and other jihadist groups are so far using the internet mainly for propaganda and recruitment purposes.

"The skills are complex, though not at the level of a nuclear weapon," Poupard said.

"With a few dozen people, a little money, but not that much, you can be effective."

Earlier this month, Europol director Rob Wainwright also warned of the use of digital mercenaries by jihadist groups at the World Economic Forum in Davos, Switzerland.

"Even if they don't have access to the capabilities, they can simply buy it on the darknet (a hidden internet realm of encrypted websites), where there is an enormous trade in cyber criminal technology," Wainwright said at a panel discussion on "Terrorism in the Digital Age".

"That said, attacking the critical national infrastructures at least of most countries is... not easily done, and it's something that is not as immediate and showy as firing automatic weapons in a theatre or in public," he added.

Data pirates and cyber criminals from several countries, often linked to organized crime, offer their services on the darknet.

Given the anonymity of the sites, some may help jihadists without realizing it.

"In fact, that's our fear," Poupard said. "It's no so much that IS can quickly develop cyberattacks but that they will be able to go through intermediaries."

- Asymmetrical warfare -

Speaking in Davos, retired Pakistani general Raheel Sharif said cyber terrorism is "a real threat".

"As technology improves, the possibility exists that someone can hack into a very sophisticated system and control that resource in such a way as to do maximum damage somewhere."

Most developed countries are steadily boosting their defenses against the cyber threat, be it terrorism, crime or espionage.

"Terrorist groups that currently use the internet for planning, propaganda and recruitment purposes could become full players in the cyber arena," French Defense Minister Jean-Yves Le Drian said last month as he unveiled his country's policy on military cyber security.

"Since asymmetrical operations are naturally etched into their DNA, cyber space gives them an obvious field of action, where major damage can be inflicted with limited means," he said.

Disturbing precursors of more insidious actions ahead are internet interlopers that do not steal or destroy data but appear to map websites, preparing offensive weapons for later use.

"This kind of attack has even begun in some countries," Poupard said. "We are closely following what's happening in Ukraine where strange breakdowns are becoming frequent that are caused by extremely sophisticated actions."

Google Launches Its Own Root Certificate Authority

29.1.2017 securityweek Security
Google announced on Thursday the expansion of its certificate authority (CA) efforts with the launch of a root CA that will allow the company to independently handle its certificate needs.

The company has been on the frontline of efforts to make the Internet safer by getting all web services to use HTTPS, including by boosting secure pages in search results and by tracking the use of HTTPS on the world’s top 100 websites.

Google has been operating the subordinate certificate authority GIAG2, signed by the GeoTrust Global CA, and the next step is to gain the ability to issue root certificates for products on its own. The new entity responsible for operating the CAs on behalf of Google and Alphabet is Google Trust Services.

Google Trust Services

In an effort to start issuing certificates as soon as possible, Google has decided to acquire two existing root CAs, namely GlobalSign R2 and R4. The company will also continue to use its GIAG2 certificate authority as it transitions to an independent infrastructure.

“If you are building products that intend to connect to a Google property moving forward you need to at minimum include the above Root Certificates. With that said even though we now operate our own roots, we may still choose to operate subordinate CAs under third-party operated roots,” Ryan Hurst, security and privacy engineer at Google, said in a blog post. “For this reason if you are developing code intended to connect to a Google property, we still recommend you include a wide set of trustworthy roots.”

Commenting on Hacker News, some applauded Google’s decision, while others pointed out that the search giant is gaining more and more control over the Internet.

Over the past years, Google has identified several CAs that had issued unauthorized certificates for its domains. The list includes the China Internet Network Information Center (CNNIC), India's National Informatics Center (NIC), Turkish firm TURKTRUST, and Symantec.

Last year, the company announced the introduction of a new Certificate Transparency (CT) log for CAs that have been removed from trusted root programs.

Dridex Trojan Uses New Tactic to Bypass User Account Control

29.1.2017 securityweek Virus
A recently observed Dridex distribution campaign is leveraging a new UAC (User Account Control) bypass method, Flashpoint security researchers warn.

Initially discovered in 2014, Dridex is considered the successor of the GameOver ZeuS (GoZ) malware, as it uses an improved version of GoZ’s peer-to-peer architecture to protect its command and control (C&C) server. Dridex has emerged as one of the most prevalent banking Trojan families out there, yet its recent activity has subsided compared to levels seen in 2014 and 2015.

A recently observed small distribution campaign targeting UK financial institutions was characterized by the use of a “previously-unobserved” Dridex UAC bypass that leverages recdisc.exe, a Windows default recovery disc executable. The malware was also observed loading malicious code via impersonated SPP.dll, and using svchost and spoolsrv to communicate to peers and first-layer C&C servers.

As usual, Dridex is being distributed through spam emails with attached Word documents that feature malicious macros designed to download and execute the malware. The initially dropped module was designed to download the main Dridex payload. After infection, the Trojan moves itself from the current location to the %TEMP% folder.

“After malware infection, the Dridex token grabber and webinject modules allow the fraud operators to quickly request any additional information that is required to subvert authentication and authorization challenges imposed by anti-fraud systems at financial institutions. The fraud operators are able to create a custom dialog window and query the infected victims for additional information as if it was sent from the bank itself,” Flashpoint Senior Intelligence Analyst Vitali Kremez explains.

On the infected machine, Dridex leverages the Windows default recovery disc executable recdisc.exe to load an impersonated SPP.dll and bypass the UAC protection on Windows 7. It does so because the platform automatically elevates the program, along with other applications white-listed for auto-elevation. Dridex leverages this feature to execute two commands on the computer.

To bypass UAC, Dridex creates a directory in Windows\System32\6886, then copies the legitimate binary from Windows\System32\recdisc.exe to Windows\System32\6886\. Next, it copies itself to %APPDATA%\Local\Temp as a tmp file, and moves itself to Windows\System32\6886\SPP.dll. The malware then deletes wu*.exe and po*.dll from Windows\System32, after which it executes recdisc.exe and loads itself as impersonated SPP.dll with administrative privileges.

The security researchers also discovered that the banking Trojan also communicates to peers on ports 4431-4433. In this specific campaign, the peers are other machines that Dridex has already enslaved, Flashpoint’s Kremez notes.

CVE-2017-3792 – Cisco TelePresence MCU affected by a Remote Code Execution issue
29.1.2017 securityAffeirs Vulnerebility

A critical flaw tracked as CVE-2017-3792 affects three different models of the CISCO TelePresence MCU platform, MCU 5300 Series, MSE 8510
and MCU 4500.
A critical vulnerability tracked as CVE-2017-3792 affects three different models of the CISCO TelePresence MCU platform.

Cisco TelePresence MCU platform is a high-definition multimedia conferencing bridge that is widely adopted due to its ability to work with endpoint systems of the many vendors.

The flaw could be exploited by attackers to remotely execute code on the affected systems or to trigger a denial-of-service (DoS) condition. The flaw was discovered during the resolution of a support case.

The vulnerability affects a proprietary device driver in the kernel of the Cisco TelePresence Multipoint Control Unit (MCU) Software running on platform models 4500, MSE 8510 and 5300 Series.

An attacker could exploit the flaw to trigger a buffer overflow and execute an arbitrary code or cause a DoS condition on the vulnerable system.

“A vulnerability in a proprietary device driver in the kernel of Cisco TelePresence Multipoint Control Unit (MCU) Software could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition.” reads the Cisco security bulletin.

“The vulnerability is due to improper size validation when reassembling fragmented IPv4 or IPv6 packets. An attacker could exploit this vulnerability by sending crafted IPv4 or IPv6 fragments to a port receiving content in Passthrough content mode. An exploit could allow the attacker to overflow a buffer. If successful, the attacker could execute arbitrary code or cause a DoS condition on the affected system.”

Systems running software version 4.3(1.68) or later configured for “Passthrough” content mode are affected by the flaw.

Cisco issued two security updates for MSE 8510 and 5300 Series users, the Cisco TelePresence MCU 4500 platform will not be fixed because it has reached the end-of-software on July 9, 2016.

Cisco confirmed that there are no workarounds to fix the flaw. In order to prevent exploitation of this vulnerability, the company suggests configuring the CISCO TelePresence MCU Software to use Transcoded content mode instead of Passthrough content mode.

WordPress 4.7.2 release addresses XSS, SQL Injection vulnerabilities
29.1.2017 securityAffeirs Vulnerebility

According to the release notes the latest version of WordPress 4.7.2 addresses three security, including XSS, SQL Injection flaws.
The WordPress development team has pushed the WordPress 4.7.2 version that fixed three security issues, including a cross-site scripting and a SQL injection vulnerability.

The new update comes just two weeks after WordPress released its previous version. Two weeks ago WordPress released the WordPress 4.7.1, a security release for all previous versions that according to the release notes addressed eight security flaws and other 62 bugs.

“WordPress 4.7.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.” reads the official announcement published on the WordPress’ blog.

WordPress 4.7.2

The SQL injection affected the WordPress’ WP_Query class that is used to access variables, checks, and functions coded into the WordPress core. The expert Mohammad Jangda discovered the class is vulnerable when passing unsafe data. The flaw didn’t affect the core of the WordPress CMS, but there was the risk that plugins and themes would cause further vulnerabilities.

“WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Mo Jangda (batmoo).” states the announcement published by WordPress.

The cross-site scripting vulnerability fixed with this last update affected the class that manages the posts list table. The flaw was discovered by the member of WordPress’ Security Team Ian Dunn.

The third flaw resided the Press This function that allows WordPress users to publish blog posts with a web browser bookmarklet.

“The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it. Reported by David Herrera of Alley Interactive.” states WordPress advisory.

According to the WordPress team, the previous WordPress 4.7 release has been downloaded over 10 million times since its release on December 6, 2016.

Police Arrest 5 Cyber Thieves Who Stole 3.2 Million From ATMs Using Malware
28.1.2017 thehackernews Virus
Law enforcement authorities from Europe and Russia have arrested five members of an international cyber criminal gang for stealing $3.2 million cash from ATMs using malware.
Three of the suspects, Andrejs Peregudovs (41), of Latvia, Niklae Penkov (34) of Moldova, and Mihail Colibaba (30) of Romania, were arrested in Taiwan by the Taiwanese Criminal Investigation Bureau last summer, have already been sentenced to 5 years in prison for their role in a massive ATM heist operation, involving 22 individuals from 6 countries.
The European-based cyber criminal gang used a variety of different hacking techniques to infect ATMs with malware and force them to dispense cash.
According to Europol that began its investigation in early 2016, the gang used spear-phishing emails containing malicious attachments to target bank employees and penetrate the bank's internal networks.
From there, the cyber crooks then located and hacked into the network of ATMs from the inside, and used a malicious software program to delete almost all traces of their activities.
However, three suspects have already been arrested convicted, one has been arrested by the Romanian National Police, and one arrest has been made by the Belarusian Central Office of the Investigative Committee.
Europol estimates the five arrested suspects caused damages to banks of around $3.2 Million, although in some cases,the stolen money was partially recovered from the criminals after the cashing-out.
The ruling three of them will be deported back to their home countries, when their jail terms will end.
Here's the statement by Steven WILSON, Head of Europol's European CyberCrime Centre (EC3):
"The majority of cyber crimes have an international dimension, taking into account the origins of suspects and places where crimes are committed. Only through a coordinated approach at the global level between law enforcement agencies can we successfully track down the criminal networks behind such large-scale frauds and bring them to justice."
Europol did not provide names of any of the five criminals arrested, but has credited the success of its investigation to international cooperation by police across the world.
Europol's European CyberCrime Centre (EC3) assisted the investigation by organizing operational meetings in Europe and Asia, providing analytical support, as well as analyzing the seized data and equipment.

Facebook Adds FIDO U2F Security Keys Feature For Secure Logins
28.1.2017 thehackernews Social
Facebook Adds FIDO U2F Security Keys Feature For Secure Logins
Hacking password for a Facebook account is not easy, but also not impossible.
We have always been advising you to enable two-factor authentication — or 2FA — to secure your online accounts, a process that requires users to manually enter, typically a six-digit secret code generated by an authenticator app or received via SMS or email.
So even if somehow hackers steal your login credentials, they would not be able to access your account without one-time password sent to you.
But, Are SMS-based one-time passwords Secure?
US National Institute of Standards and Technology (NIST) is also no longer recommending SMS-based two-factor authentication systems, and it’s not a reliable solution mainly because of two reasons:
Users outside the network coverage can face issues
Growing number of sophisticated attacks against OTP schemes
So, to beef up the security of your account, Facebook now support Fido-compliant Universal 2nd Factor Authentication (U2F), allows users to log into their Facebook account using a physical security key, such as the YubiKey, instead of relying on a one-time passcode sent via text message or email.
Compared with the traditional authentication protocols, Universal 2nd Factor Authentication (U2F) is a hardware-based authentication aims to simplify, fasten and secure two-factor authentication process.
U2F standard as a security feature has already been implemented by major companies including Google, Dropbox, GitHub, Salesforce and supported by Chrome and Opera web browsers.
Facebook Adds FIDO U2F Security Keys Feature For Secure Logins
The best thing about this standard is that one tiny little device can be used to authenticate with any number of online services and no mobile connection or batteries are required.
These hardware-based security keys are easy to use and deploy. You just need to simply plug-in the inexpensive USB device (which starts at about $10) into your computer's USB port to get into your Facebook account from any computer anywhere.
Ready to activate your security key for your Facebook account?
Go to Security settings of your Facebook account.
Open Login Approval and Click "Add Key" shown in front of 'Security Key.'
'Add Key ' and Facebook will ask you to "Insert your security key into a USB port."
Note: Hardware-based Security Key will only work if you're using the Chrome or Opera browser.
For more detailed instructions on setting up a security key, you can head on to this page.

How to Authenticate to your Account using the Fido-compliant U2F device? Simple, whenever next time you log into your Facebook account you'll be asked to plug your security key into the USB slot.
Once you plug in, the tiny device generates an encrypted, one-time security passcode for use in two-factor authentication (2FA) systems and logs you into your Facebook account.
These hardware-based security keys are thought to be more efficient at preventing phishing, man-in-the-middle (MITM) and other types of account-takeover attacks than 2FA via SMS, as even if your credentials are compromised, account login is impossible without that physical key.
"By adding FIDO authentication to its security portfolio, Facebook gives their users the option to enable unphishable strong authentication that is no longer vulnerable to social engineering and replay attacks using stolen 'shared secrets' like passwords and one-time-passcodes," said Brett McDowell, executive director of the FIDO Alliance.
At this moment, security key logins for the mobile Facebook app is not supported, but users with NFC-capable Android device and the latest version of Chrome and Google Authenticator installed can use a security key to log in from their mobile website.

Google becomes its own Root Certificate Authority
28.1.2017 thehackernews Security
Google Root Certificate Authority
In an effort to expand its certificate authority capabilities and build the "foundation of a more secure web," Google has finally launched its root certificate authority.
In past few years, we have seen Google taking many steps to show its strong support for sites using HTTPS, like:
Giving more preference to HTTPS websites in its search rankings than others.
Warning users that all HTTP pages are not secure.
Starting an industry-wide initiative, Certificate Transparency − an open framework to log, audit, and monitor certificates that CAs have issued.
However, Google has been relying on an intermediate Certificate Authority (Google Internet Authority G2 - GIAG2) issued by a third party, with the latest suppliers being GlobalSign and GeoTrust, which manages and deploys certificates to Google's products and services.
Google announced Thursday the creation of its own certified, and independent Root Certificate Authority called Google Trust Services, allowing the company to issue its own TLS/SSL certificates for securing its web traffic via HTTPS, instead of relying on third party certs.
"As we look forward to the evolution of both the web and our own products it is clear HTTPS will continue to be a foundational technology," writes Ryan Hurst, product manager at Google, in a blog post. "This is why we have made the decision to expand our current Certificate Authority efforts to include the operation of our own Root Certificate Authority."
The newly established Google Trust Services (GTS) will issue certificates on behalf of Google and parent company Alphabet.
Like others, Google Trust Services can now be used to sign other subordinate certificates to authenticate the identity of other websites.
However, the process of embedding root CAs into products can take time, so Google acquired two existing Root Certificate Authorities from GlobalSign: R2 and R4.
The acquisitions will allow independent certificate issuance from the company "sooner rather than later."
Developers, who will have to include the new Root Certificates into their services, can head to the Google's official announcement for more details about the newly established Google Trust Services (GTS).

Business Driven Security: The Case of Building an Advanced Security Operations Centre
28.1.2017 SecurityAffeirs Security

In the journey towards business-driven security one of the niche weapon is the roadmap to Advanced Security Operations Centre (ASOC).
Now that we have gotten over from new year’s greetings– let’s get to the basics to refresh as what is required in terms of achieving maturity within your organisations. There is no doubt that this year will bring more sophisticated & coordinated attacks aimed specifically towards the supply chain. Organisations must integrate the concept of business-driven security where security is seen as business enabler rather than operational hindrance. The investment from preventive measures need to move swiftly towards pre-empted and intelligence driven response.

In the journey towards business-driven security one of the niche weapon (if we are allowed to say this) is the roadmap to Advanced Security Operations Centre (ASOC).

Most large organisations nowadays have some level of security monitoring for their networks; even SME’s have security staff although, they tend to be IT Operations staff wearing two hats. If you are managing a Security Operations Centre or are a board member considering their security organisation, there are a few fundamental questions that you must ask yourself.

What have we done to Detect and Respond to advanced integrated attacks?
Do I know how we address Processes and Procedures relating to Incident Management?
Actually do we have any Processes and Procedures???
What do we do if we are breached?
What do we need to do to reduce the Breach Exposure Time?
Is our security program aligned against the threats we face?
Do we have a plan in place for the security of our data over the next few years?
These are the sort of questions which will generate some of the answers you are looking to drive the Advanced Security Operations Centre program.

So just what is an ASOC? Is it just a marketing term to get organisations to buy more equipment or is it more of a shift in the way we do our day to day business and Incident Response? I guess for us it is one’s understanding of the difference between a SOC and an ASOC.

A SOC is designed to detect and respond to threats against a network. Put a couple of IDS boxes and Logging/SIEM in place with staff to monitor it and you have a SOC. An Advanced Security Operations Centre is more of a program where every piece of the defence of the organisations networks is reviewed, understood and proactive appropriate controls, procedures, training (hunting capability) and management are put in place to protect an organisation. In fact it is a whole operational security life cycle for an organisation.

Another term which has been labeled against an ‘ASOC’ is that of an Intelligence Driven SOC. This is mainly because of the interpretation of Intelligence Analysts and use of the information gained to assist with their SOC program. Another popular interpretation is that all their Security Infrastructure is integrated and the SOC is taking a proactive approach to their security. These statements are partially correct, but they don’t form the whole picture. This blog aims to pull all of the pieces together into one (hopefully) holistic view (bed time story book for the new year )

So let’s take a look at an ASOC program which will give us our new build.

The key to an ASOC is understanding both the Business Requirements (which include regulatory considerations), and the Business Risk. These two elements drive everything else within an ASOC program. Once the Business issues have been identified, the Mission for the ASOC can be drafted which will frame all of the other activities which will drive the program.

Next we have to identify the assets we are looking to protect. Whilst a portion of this will have been identified in the Business Risk assessment we are now looking at exactly where we have to place our detection capability. In most cases this is going to involve some level of IDS/IPS or Full Packet Capture (FPC) at the network Gateway(s) (preferably on the inside of the network – although an additional feed from the outside is desirable to identify what threats are “knocking on the door”) and at pinch points within our Enterprise network. We should also identify the log sources and Netflow required for detection Use Cases.

Having identified the technical detection capabilities which are required to initialise a monitoring capability the next step is putting the “Advanced” into the Advanced Security Operations Centre. This is done by taking our Business Risk and Requirements and using them to define a Threat Centric approach to our Business Security Monitoring. To do so we must:

Identify attack vectors and TTP’s (Tools, Techniques and Procedures) to build out Attack Scenarios
Use these Attack Scenarios to enable us to create individual Use Cases and ultimately build a Use Case Library
Whilst we covered off Use Cases in an earlier blog post (which gave the individual requirements to build your Use Case) we will focus here on the Library itself.

Building Use Case Library enables us to identify the required data sources. This may sound trivial and be viewed as a typical requirement for building any SOC however, in taking a view of the entire library we are building, it enables us to identify where we have weaknesses in our detection capability (and as such where we should invest in new equipment or controls). In the example below we can see that Use Case 4 is capable of being deployed with all required data sources available, however to deploy Use Case 3 we require DHCP and VPN logs neither of which is available to the Security Operations Centre at this time. Use Cases 1 and 2 also have a requirement for DHCP and VPN logs but have additional detection capabilities and whilst not ideal can be deployed without DHCP and VPN Logs. Mapping out all of the Use Cases in this way will identify to Management just where our detection capability is compromised and what must be implemented/purchased to resolve these issues.

Advanced Security Operations Centre

Having built the Library and now having alerts flow into the ASOC we must turn to our staffing and this is by far the most important differentiator between a SOC and an ASOC. Typically SOC’s are reactive in their posture whereas ASOC’s are actively looking to develop their detection and hunting capability at all times. To do this a number of traditional SOC roles are utilised but with an addition set of staff and hunters:

L1 & L2 Analysts
Platforms Engineers
SOC Management
Advanced Security Operations Centre Requirement
L3 Analysts
Malware Analyst
Forensic Analyst
Content (Use Cases, Signatures & Rules) Engineer
Threat Intelligence Analysts
Data Scientist
Whilst all of these roles do not have to be deployed to give us a greater increase in our detection and response capability, the more that are, the better the Advanced Security Operations Centre service will be. For instance Malware and Forensic Analysis could be outsourced whilst keeping the Content Engineers and Threat Intelligence analysts as an internal resource (focused on the specific threats to our organisation). As to when to hire these individuals that would be established in the Target Operating Model (TOM).

The TOM acts as a visual representation of an organisations ASOC and its continuing design decisions. The focus of the TOM is upon the day to day structure of the Advanced Security Operations Centre, how it is managed and governed. It acts as a roadmap for the development of the services as it is gapped at (typically) 6 months, 12 months, 18 months and 24 months with key development aims mapped out over the months and years. Portions of the TOM include:

SOC Structure and Roles
Shift Cycles
Resource Skills
Performance Management
Incident Response Plan
Technology is a defining factor in any Security Operations Centre but to take this all together and deliver an Advanced package we must look at working smarter, and by that delivering all our tools into “One Single Pane of Glass”. To do so we would use an Incident Management tool which will pull all of our Alert and Incident Information into one centralised location (allowing a global view of the ASOC program (depending on the User Access rights)). Using a centralised tool also allows us to create Incident Response Procedures aligned against the detection rules (as part of our defined Use Cases) which will automatically be added to a new Incident for our analysts to follow. The other advantages of a centralised IM tool are:

Ease of Incident Escalation
Metrics for the entire ASOC Program
Secure Information store of Incident Information (No more e-mails!)
Enrichment of Incident data from external sources such as CMDB
Automated Integration with other ticketing systems for teams external to ASOC i.e. IT Ops
Bespoke Dashboards per User Roll
A word of warning though; No IM is disastrous, but a badly managed IM is even worse! Make sure that when planning your Use Cases that you identify just how many “typical” Incidents are expected. Implementing an IM which replicates every single alert you have is a recipe for failure (and an expensive one at that). Plan your ASOC and hire new staff as is required for your Use Cases and TOM.

However no single tool is ever going to be our “Silver Bullet” and even if it was we still have to make sure that our staff will utilise it in the manner that we as managers are expecting. Which brings us onto our Policies and Procedures. Now just asking one of your technical staff to write a procedure will make their face go ashen “ OH Paperwork!!!!”. To enable our ASOC to work in a standard and repeatable fashion we must lay out our Standard Operating Procedures which cover everything from turning on the lights in the morning to procedures for Malware Analysis and Forensics. Having these documents pre-produced will allow the ASOC staff to function more effectively and in a targeted fashion to the perceived threats to the organisation. This will also allow smooth on-boarding of new team members and harmonisation among staff with different skillsets and experience. The requirement date for production of these documents can also be aligned in the TOM.

Next we have to look into constantly improving our ASOC and the results that are being given to the company. Metrics play a large part in an ASOC (which any manager or C Level executive will be glad to hear!). Peter Drucker once wrote “What’s measured improves” and this is entirely true of an ASOC. In an age where the one metric everyone wants to know “Have my systems been compromised? Yes/No” you can bet that there are going to be a lot more requests for data if the answer is yes! And rest assured that the answer is always yes!

Just before we get into the sort of things we would look to add to any ASOC Metrics program lets have a look at why we need good metrics:

Situation Overview
Analyse where the attacks are coming from
Regional Trends
Where our organisation is most vulnerable
Increased visibility of the Security Program (which is a GOOD thing)
Identifies which security devices are giving us our best value for detection
Identifies analysts which are struggling and require additional training
Measures the effectiveness of our Controls
Improvements in Patch Management
Decrease in Threat Landscape
Identifies the Business Units being targeted the most and which reacts better to attacks.
Resource Allocation
Allow staff planning in line with attack patterns
Identify new rolls for recruitments
Identify which security devices are no longer adequate for a given throughput of traffic.
Target the correct detection capabilities for future purchases.
And the best bit about all of this……. When you require investment for future enhancements in your Security Program you have all of your historical evidence to back it up.

Below are the main subsections for a Metrics program you would require with a few of the typical metric types included:

Incidents Metrics
Source of Incidents Created
Incident % False Positive
Incident % Escalated from L1 to L2
Incidents Created & Closed
Incident Count by Monitored Company/Organisation
Heat Maps

Categorization and Classification Metrics
Actors: Origin
Actors: Motive
Actions: Vector
Actions: Malware.Variety

Performance Metrics
Incidents Remediated Count by Analyst ID
Longest Open Tasks

Information from Logs and Packets
EPS Rates
Top 10 Source Addresses of Alerts
Top 10 Alerts
Top 20 Denied Inbound by Address
Tool Efficacy
Number of Incidents detected with # Tool
Number of Incidents missed with # Tool

The above are just a little introduction to what Metrics would be required as part of an ASOC program (we will delve further into this in a later blog post).

And that is your basic introduction to an ASOC (or at least what we can fit into a Blog post!). We will dig into this subject in greater depth over our forthcoming book. https://www.amazon.co.uk/d/Books/Advanced-Cyber-Security-Intelligence-Corporate/1118997646 ( Dave Gray is the contributing author around threat intelligence and use cases framework). Please remember that Planning out your ASOC build is crucial. To quote an old RAF phrase “Prior Planning Prevents P*ss Poor Performance”.

Law Enforcement Raid Blamed For LeakedSource Shutdown

27.1.2017 SecurityWeek Incindent
The controversial data breach notification service LeakedSource has been down for nearly 24 hours and it is rumored that the website has gone offline following a law enforcement raid.

LeakedSource is the service that disclosed many of the mega breaches that came to light in 2016, including the ones affecting FriendFinder Networks, VerticalScope, Last.fm, LinkedIn, DailyMotion and Rambler. These leaks have led to 2016 being a record year for data breaches, with a total of more than 4.2 billion records exposed.

The operators of LeakedSource have not been active on Twitter since January 10 and users have complained on several occasions about the website being down. The service is now once again offline, but this time some people believe it will not be returning.

A message (cached) posted on Thursday by a user on a hacking forum claimed “LeakedSource is down forever and won’t be coming back.”

“Owner raided early this morning. Wasn't arrested, but all SSD's got taken, and Leakedsource servers got subpoena'd and placed under federal investigation. If somehow he recovers from this and launches LS again, then I'll be wrong. But I am not wrong,” the user said.

While this statement has led some to believe that the owner of LeakedSource has been targeted by law enforcement in the United States, the company claimed in the past that it was based outside the U.S.

Users have complained on several hacker forums that they had just purchased a subscription on LeakedSource. Others have already started advertising alternative services.

SecurityWeek has reached out to LeakedSource representatives and will update this article if they respond.

Some members of the industry said they would not be surprised if the reports of a raid turn out to be true. Troy Hunt, the Australian security expert who runs the breach notification service Have I Been Pwned, pointed out that, unlike the website he operates, LeakedSource has often been used for malicious purposes.

LeakedSource stored a lot of sensitive information – its databases allegedly held 3.1 billion accounts – and users who paid for a subscription were given access to data such as usernames, passwords (hashed and clear text), email addresses, and IP addresses.

Hunt noted that while LeakedSource had been operating from behind CloudFlare, its real IP address could have been easily obtained by law enforcement using freely available services such as CrimeFlare.

“By late 2016, it was becoming apparent that their actions were erring very much on the black side of grey. There was a constant flow of data that wasn't appearing anywhere else in the usual trading circles before first coming to air via their service,” Hunt said in a blog post.

“Speculation was rife that there was incentivisation occurring not just to provide data that had already been obtained, but to actively seek out new targets that could subsequently be added to the feed of data then monetised by selling the personal information of the victims to whomever was willing to pay for it. This was always rumoured amongst those ‘in the scene’, but it's not yet clear whether this contributed to the take down or if it was solely due to the services directly provided on the site,” he added.

Nasty VirLocker Ransomware Returns

27.1.2017 SecurityWeek Virus
VirLocker, a nasty piece of ransomware that has been making the rounds for a few years, has recommenced its nefarious activity, Malwarebytes Labs researchers warn.

The one feature that sets this piece of polymorphic ransomware apart from other threats in the category is its ability to propagate through all the files it has touched. Specifically, VirLocker copies itself into the infected files, making it very easy for victims to accidentally leak it to their friends or to copy it to removable storage.

“Backups become infected, and even applications and EXE’s are not safe. Basically, when getting infected by VirLocker, you can no longer trust a single file that is on the affected machine,” Malwarebytes Labs’ Nathan Scott explains.

The main issue is to clean up the machine, because even the tools that the victim attempts to use for this process might be infected. What’s more, the malware attempts to infect newly downloaded files even before they are opened, so grabbing a disinfection tool from the web might not help either, the security researcher says.

VirLocker’s polymorphic abilities are the root cause of everyone’s headache, mainly because the malware can change a file differently every time it infects it: it can add fake code in certain sections to modify the file differently, can choose between multiple API’s in the main loader to avoid section fingerprinting, can use different XOR and ROL seeds to make the encrypted content of the exe entirely different, and more.

This makes the malware very difficult to detect, because infected files can’t be used in this regard, considering that any infected file is “practically different in many ways than any other version of itself:” the malware always seeds the encrypted code differently, and the stub can be different each creation.

“When the infection is executed, the FUD packer (which can be in some ways polymorphic itself) unpacks the first decryption function which is a mixture of Base64 and XOR and is always differently seeded. This new decryption function then decrypts another new decryption function that is a mixture of XOR/ROL and is always differently seeded. This decryption function then finally gets to the malicious code intended to run on the machine,” the security researcher notes.

The malware checks whether it has already infected the machine and if it was paid. If it has been paid, it switches to decrypting and extracting the original file that it had embedded inside of itself, then closes. If the user hasn’t paid, the ransomware opens the screen locker, if it’s not already open.

If the computer hasn’t been infected before, VirLocker opens the file embedded inside itself to trick the user into believing there’s no issue at all. In the background, however, the malware continues to infect the machine. Thus, the ransomware can spread without its author’s intervention: if a user sends an infected photo to a friend who opens it on their computer, the second machine is automatically infected.

“If anyone ever infected by VirLocker happened to send out any files after they were infected, thinking it was just a screen locker, those files will infect more people. This continuous loop of infection can cause VirLocker to spread like wildfire,” Scott notes.

Because extensions are turned off, users might not even see that the files on their machine have the .exe extension appended to it. What’s more, VirLocker adds itself to virtually every file on the computer, including media files and applications, and opening any of these files causes the malware to run again.

When trying to clean their machines, users are advised to first trick the malware into believing that the ransom has been paid, to avoid being infected once again. For that, when VirLock displays a screen lock, which usually impersonates some type of legal authority, users should enter a 64-length string in the “Transfer ID” text-box, and the ransomware will accept it as a real payment. This means that even typing in 64 zeros would do the trick.

After that, users should click on the “Pay Fine” button, to remove the ransom Lock Screen and to trick the malware into believing the ransom was paid. Next, users can start double-clicking on their infected files, as the malware will automatically extract the original files inside of them.

The security researchers recommend that users recover files that are important to them and save them on an external drive, while making sure that they avoid copying .exe files as well. Next, users should format the computer’s hard drive and re-install the operating system, for a fresh, clean start. “A complete reformat should be done, since nothing on the machine should be trusted after this infection,” Malwarebytes Labs says.

A few years back, ESET released a standalone cleaner for VirLock-infected files, available here.

Does Trump Executive Order Threaten EU/US Business? Probably Not.

27.1.2017 SecurityWeek Security
U.S. President Donald Trump's executive order titled 'Enhancing Public Safety in the Interior of the United States' appears to threaten the future of the EU/US Privacy Shield, but that may not be the case.

Privacy Shield is the agreement that allows US organizations to store personal data of EU citizens on servers in the US. Without it, US companies trading with Europe will almost certainly and automatically be in breach of the General Data Protection Regulation (GDPR).

Sec 14 of the executive order states "Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information."

Privacy Shield does not directly rely on the US Privacy Act, but rather on the Judicial Redress Act which extends benefits of the Privacy Act to Europeans and gives them access to US courts. The executive order phrase, 'to the extent consistent with applicable law', consequently provides some wiggle room but remains ambiguous. If 'applicable law' implies that European PII is still protected, then all might still be well.

The European Commission seems to be optimistic. In a statement, it says, "The US Privacy Act has never offered data protection rights to Europeans... [We] are following closely any changes in the U.S. that might have an effect on European's data protection rights."

But other European politicians are more concerned. Sophie in ‘t Veld Veld, an MEP, has written to the Commission saying, "It is therefore urgent that the Commission provides clear answers with regards to the exemptions to the US Privacy Act and their impact on the legality of transatlantic transfer of personal data."

Jan Philipp Albrecht, the European Parliament's rapporteur for the GDPR, is more forthright, tweeting, "If this is true @EU_Commission has to immediately suspend #PrivacyShield & sanction the US for breaking EU-US umbrella agreement."

The stakes are high. If Privacy Shield is revoked, then any US organization using it to allow the removal of European PII to the US will immediately be contravening European law. In the most extreme interpretation, this would mean that Facebook, Google, Microsoft and a host of commercial enterprises, around 1500, would have to cease European operations or risk GDPR fines.

"The Privacy Shield agreement," wrote the WSJ this morning, "which replaced the Safe Harbor data-sharing pact that was struck down in October 2015 by Europe's top court, may no longer apply since the executive order was signed on Monday."

"Moreover," writes Michael Geist, "the order will raise major concerns in the European Union, creating the possibility of restrictions on data transfers as it seemingly kills the Privacy Shield compromise."

It is more than possible, however, many that people are making a rapid emotional judgment on the executive order rather than a considered legal judgment.

Dr. Brian Bandey, a Doctor of Law specializing in Computer Law and the International application of Intellectual Property Law, suggests that Section 14 needs to be considered in the context of the full executive order. Executive orders are specifically designed to aid the management of existing legislation. The first paragraph of this order specifies that it is designed "to ensure that our Nation's immigration laws are faithfully executed."

Dr. Bandey also points out that Section 1 of the order specifies, "The purpose of this order is to direct executive departments and agencies (agencies) to employ all lawful means to enforce the immigration laws of the United States."

He also notes that Section 18 repeats 'applicable law' condition. Sec. 18 (b) states, "This order shall be implemented consistent with applicable law and subject to the availability of appropriations."

"I suspect strongly," Dr. Bandey told SecurityWeek, "that it can be argued that the Executive Order is a creature of Immigration Law and is directed to illegal (and other) aliens present in the US." If he is correct, and if it is interpreted within US law to be so, then Section 14 has nothing to do with European personal information stored within the US under Privacy Shield. But he added, "I also strongly suspect that nobody, right now, really knows one way or the other."

Cisco Starts Patching Critical WebEx Flaw

27.1.2017 SecurityWeek Vulnerebility
Cisco has released a proper fix for the critical remote code execution vulnerability affecting the WebEx browser extension, but the patch is currently only available for the Chrome version.

Google Project Zero researcher Tavis Ormandy reported a few days ago that Cisco’s WebEx extension for Chrome, which has roughly 20 million active installs, was affected by a serious flaw that could have been exploited to execute arbitrary code simply by getting a user to access a specially crafted website.

The expert disclosed the details of the flaw after Cisco claimed to have patched it, but it later turned out that the initial fix was incomplete. Ormandy warned that the security hole could still be exploited without any user interaction if an attacker could find a cross-site scripting (XSS) vulnerability on *.webex.com domains – which he did find.

Cisco on Thursday released version 1.0.7 of the WebEx extension for Chrome and Ormandy said he had not found a way to defeat the new patch.

According to Cisco, the vulnerability also affects Firefox and Internet Explorer on Windows, but patches have yet to be released for these web browsers.

Google has restored the WebEx extension in its Chrome Web Store, but Mozilla is still blocking it in Firefox. The networking giant said Mac OS X and Linux systems are not impacted.

The vulnerability, tracked as CVE-2017-3823, can be exploited through a “magic string” used to activate the WebEx extension inside the browser. In an advisory describing the security hole, Cisco said the flaw is caused by a design defect in an API response parser.

In addition to the patch for the Chrome extension, Cisco released Snort rules to help organizations detect potential attacks. Other security vendors have also provided information on how their products can block exploitation attempts. For the time being, there is no evidence that the vulnerability has been exploited in the wild.

WordPress 4.7.2 Patches Three Vulnerabilities

27.1.2017 SecurityWeek Vulnerebility
The developers of WordPress have released version 4.7.2 on Thursday to address three vulnerabilities affecting earlier versions of the content management system (CMS).

One of the flaws addressed by this security release is a SQL injection in WP_Query, a class that handles the intricacies of a post’s requests to a WordPress blog.

The vulnerability, reported by developer Mohammad Jangda, affects WP_Query when passing unsafe data. While the WordPress core is not affected, some improvements have been made to prevent themes and plugins from accidentally introducing a flaw.

Another weakness patched in WordPress 4.7.2 is a cross-site scripting (XSS) vulnerability found by Ian Dunn of the WordPress security team in the posts list table.

David Herrera of Alley Interactive discovered an access control issue. He found that the user interface for assigning taxonomy terms in “Press This” is shown to users who don’t have the necessary permissions.

While none of these vulnerabilities seem critical from the description provided by WordPress developers, an advisory published by US-CERT says a “remote attacker could exploit some of these vulnerabilities to take control of an affected website.”

WordPress 4.7.2 was released less than two weeks after version 4.7.1, which addressed 62 bugs and eight security holes, including remote code execution, information disclosure, cross-site request forgery (CSRF), XSS and crypto-related issues.

WordPress is still the most targeted CMS. According to web security firm Sucuri, of all the hacked websites monitored by the company last year, a majority ran WordPress.

A recent study conducted by RIPS Technologies has showed that over 8,800 of the plugins available in the official WordPress plugins directory are affected by at least one vulnerability.

A hacker confirmed that President Trump Twitter account is linked to a private account
27.1.2017 SecurityAffeirs Social

A security researcher has discovered that the President Trump’s Twitter account is exposed to the risk of hack due to security misconfigurations.
While the experts are warning the press about the fact that the American President Trump is still using his personal insecure Android smartphone, we have discovered that his Twitter is exposed to the risk of hack due to security misconfigurations.

The official @POTUS Twitter account was linked to a private Gmail account owned by President Trump.

The choice of using a private email and non-government email address put at serious risk the Trump account.

We don’t know if the @POTUS Twitter account is protected by a 2FA mechanism anyway in order to take over it hacked just need to access the Trump private email account.

Only Trump’s personal Twitter account seems to be protected by two-factor verification leveraging on a one-time passcode sent to the mobile device.

In the past, similar errors were made by Hillary Clinton and George W. Bush whom private email servers/accounts were breached by hackers.

The bad choice was discovered by the researcher who goes online with moniker @WauchulaGhost.

WauchulaGhost made headlines in June 2016 when he hacked Twitter accounts used by ISIS militant and replaced content with images of porn and gay pride messages.

On Monday night, WauchulaGhost shared the disconcerting news posting the following message on Twitter

“Change your emails & Fix Settings.”

WauchulaGhost @WauchulaGhost
Change your emails & Fix Settings. @FLOTUS
5:03 AM - 24 Jan 2017
247 247 Retweets 260 260 likes
WauchulaGhost also reported similar problems with the email accounts linked to the First Lady Melania Trump (@FLOTUS) and VP Mike Pence (@VP).

“According to WauchulaGhost, @POTUS, @FLOTUS and @VP are more vulnerable because they haven’t selected a basic security feature on Twitter that requires you to provide a phone number or email address to reset your password. The current security setting for these three accounts allows anyone to click on “forgot password” and type in @FLOTUS, @POTUS or @VP. The next screen says “we found the following information associated with your account” and gives a partially redacted email address to which it will send a password recovery link.” reported the CNN.

“WauchulaGhost says being able to fill in the missing letters and guess someone’s email address is the first step hackers take when trying to breach an account.”

“It’s not hard for us to go figure out that email,” he told CNNTech

WauchulaGhost don’t want to hack the @POTUS Twitter account or Twitter accounts of his staff, he just wants to warn them of a wrong security posture.

The hacker has found the alleged Melania Trump’s email address associated her Twitter account in twenty minutes. He added that the email associated with Vice President Mike Pence was easy to guess, seeing the redacted version: vi***************@gmail.com it is easy to imagine that it is vicepresident2017@gmail.com. The worst news is that the VP account isn’t protected by a second factor of authentication.

Once a hacker has discovered the email address for an account he can try to access the email to take over the Twitter account. This is possible by infecting the target machine with a malware or through a spear phishing attack.

“All I have to do is guess the email. Which I have been rather good at doing,” WauchulaGhost told CNNTech via Twitter DM. “Then verify the email exists. At that point take the email account, reset Twitter password, boom….I own the Pres. Not saying I’m going to..haha. But it’s rather easy for some.”

The situation is not so simple, a representative from Twitter confirmed that the White House Communications Agency manages security protocols for White House accounts that go beyond two-factor authentication.

“But according to former State Department Senior Advisor Chris Bronk, the absence of this security setting on White House accounts opens a potentially dangerous door.” states the CNN.

Dear President Trump, fix your security settings as soon as possible.

Hacker discovered security flaws in Amazon, Apple and Google epub services
27.1.2017 SecurityAffeirs Vulnerebility

A hacker discovered a XXE flaw in the EpubCheck library that affects major epub services causing information disclosure and denial of service conditions.
The security expert and bug hunter Craig Arendt (@craig_arendt) has discovered flaws in major eBook readers including the ones commercialized by Amazon, Apple, and Google.

The expert discovered different XML external entity (XXE) vulnerabilities in the online epub ebook services that use leverages the ‘EpubCheck’ library. The library is used for the operations of format conversions into the universal Epub book format.

“Applying a familiar XXE pattern to exploit services & readers that consume the ePUB format. Exploiting vulnerabilities in EpubCheck <= 4.0.1 (ePub Validation Java Library & tool), Adobe Digital Editions <= 4.5.2 (book reader), Amazon KDP (Kindle Publishing Online Service), Apple Transporter, and Google Play Book uploads, etc.”

“ePub is a standard format for open books maintained by IDPF (International Digital Publishing Forum). IDPF is a trade and standards association for the digital publishing industry, set up to establish a standard for ebook publishing. Their membership list: http://idpf.org/membership/members” reads a blog post published by Arendt.

The researcher focused its tests the tool/Java library called EpubCheck (provided by IDPF) used to validate books in the ePub format. Publishers perform a validation step using the library to verify that the format is valid and Arendt discovered the XML external entity (XXE) issue.

“The validator tool (EpubCheck) was vulnerable to XXE, so any application that relies on a vulnerable version to check the validity of a book would be susceptible to this type of attack.” continues the analysis.

epub services

Arendt explained that in the case of Amazon, the KDP Kindle file upload service used to help publishers upload their books was affected by an XXE flaw that could be exploited by attackers to steal books and data.

A similar flaw affected the Apple Transporter service that ships books to the App Store.

“Parsing maliciously crafted EPUB may lead to disclosure of user information

Description: An information disclosure issue existed in the parsing of EPUB. This issue was addressed through improved parsing. CVE-2016-7666: Craig Arendt of Stratum Security” state the advisory published by Apple.

Arendt confirmed that during the test he accidentally grabbed the shadow password file for one of the epub services using the vulnerable EpubCheck library.

The Google Play Books service was not affected by the XXE flaw, but the expert discovered the possibility to trigger an XML Entity expansion flaw that could be exploited to cause denial of service through an explosive growth of parsed data.

“The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.” states the advisory published by the Mitre.org.

“If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing a denial of service.”

Similar problems affect other services that permit Java and Flash, Arendt will disclose further attacks once the vendors have fixed the vulnerabilities he reported.

All the vendors above have already applied the necessary security patches to the vulnerable epub services.

Dávejte si pozor na falešné SMS od České pošty. Snaží se uživatelům vnutit malware
27.1.2017 Živě.cz Viry
Pokud v těchto dnech obdržíte podezřelou SMS od České pošty, rozhodně neklikejte na obsažené odkazy. Ty směřují na stažení nebezpečné aplikace pro Android, která se má tvářit jako oficiální aplikace České pošty pro sledování zásilky.

Klepněte pro větší obrázek
SMS dorazí v tomto formátu. Odkazy vedou na stažení podvodné aplikace (foto: @TerezaChlubna)

V textu zprávy najdete informaci o tom, že zásilka byla převezena na svozové depo z důvodu nezastihnutí adresáta. Vyzývá ke kontaktování pošty nebo stažení aplikace prostřednictvím odkazu.

Ten využívá doménu ceskaposta.online a vede na instalační balíček APK s názvem PostaOnlineTracking.apk. Pokud jej uživatel nainstaluje, najde sice na ploše ikonu pošty, nicméně s názvem Flash Player 10 Update. Jde tedy o variaci malwaru, který má s největší pravděpodobností odcizit platební údaje uživatele. Aplikace si zároveň vyžádá kompletní přístup k telefonu či tabletu s Androidem.

Klepněte pro větší obrázek
Aplikace s ikonou České pošty pod názvem Flash Player 10 Update by měla varovat i méně zkušené uživatele

Pokud jste aplikaci nainstalovali, minimálně ji ze zařízení odstraňte v nastavení. V případě, že jste zadali platební údaje do podezřelého formuláře, obraťte se na svoji banku.

Google začne v Gmailu blokovat JavaScript

27.1.2017 SecurityWorld Zabezpečení
Od poloviny února se přílohy s koncovkou .js ocitají v Gmailu na černé listině. Jsou totiž podle Googlu významným zdrojem potíží spojených s distribucí malwaru včetně ransomwaru.
Lidé tak už od 13. února nebudou moci ke svým zprávám elektronické pošty v Gmailu připojovat soubory .JS, -- bez ohledu na to, zda je připojí přímo, nebo prostřednictvím nějakých archivů, jako například.gz, .bz2, .zip nebo .tgz.

Pro případ, kdy je nezbytné takové soubory .js přes elektronickou poštu posílat, budou muset uživatelé využít cloudových úložných služeb – jako třeba Google Drive – a pak sdílet jejich adresu (link).

Soubory typu .js tak doplňují několik desítek „zajkázaných příloh, které už dříve Gmail oznámil. Jde třeba o soubory s přílohou .ade, .adp, .bat, .chm, .cmd, .com, .cpl, .exe, .hta, .ins, .isp, .jar, .jse, .lib, .lnk, .mde, .msc, .msp, .mst, .pif, .scr, .sct, .shb, .sys, .vb, .vbe, .vbs, .vxd, .wsc, .wsf nebo .wsh. Napřrostá většina z nich se rovněž používala pro distribuci malwaru mezi uživatele e-mailu.

Problém s .js se vystupňoval hlavně poté, co soubory JavaScriptu jde přímo spouštět v prostředí Windows prostřednictvím systémové komponenty Windows Script Host (WSH).

JavaScript si oblíbili i šiřitelé ransomwaru – například tvůrci TeslaCrypt nebo Locky hojně využívali pro distribuci tohoto malwaru právě JavaScript a například ransomwarový program RAA byl kompletně vytvořený v JavaScriptu.

Další skriptovací soubory, jako třeba .vbs (VBScript), .vbe (VBScript Encoded), .wsh (Windows Script Host Settings File) and .wsf (Windows Script File) už přitom Gmail už nějakou dobu blokuje.

Podvodné e-maily cílí na klienty ČSOB

27.1.2017 Novinky/Bezpečnost Phishing
Kyberzločinci si vzali na mušku klienty ČSOB, snaží se je v podvodných e-mailech přesvědčit, že jsou pracovníky banky. Ve skutečnosti se však pouze snaží vylákat přihlašovací informace do internetového bankovnictví.
Ukázka podvodné zprávy, která cílí na klienty ČSOB.
Ukázka podvodné zprávy, která cílí na klienty ČSOB.
„Upozorňujeme na podvodný e-mail označený jako ‚Message Alert‘ (Upozornění na novou zprávu) a podepsaný jménem naší společnosti,“ uvedli zástupci ČSOB.

Už podle zmiňovaného předmětu zprávy je zřejmé, že podvodná zpráva není psaná v češtině, ale i přesto by se mohli nechat méně ostražití uživatelé napálit. Není navíc vyloučeno, že podvodníci začnou šířit stejnou zprávu v dohledné době také v češtině.

„Tato e-mailová zpráva avizuje novou zprávu vystavenou ČSOB. Jedná se podvrh, který se prostřednictvím falešného prokliku do internetového bankovnictví snaží z klientů vylákat přihlašovací informace,“ stojí v prohlášení banky.

Před podobnými podvodnými e-maily by měli být lidé velmi ostražití. Rozhodně by neměli klikat na odkaz uvedený ve zprávě.

Kontrola adresních řádků je nezbytná
Pozornější uživatelé mohou poznat, že jde o podvod, také podle řádku s internetovou adresou. „V každé chvíli, kdy pracujete s internetovým bankovnictvím nebo se do něj přihlašujete, musí být v adresním řádku vašeho prohlížeče adresa https://ib24.csob.cz a vedle ní ikona zámku,“ uvedli zástupci ČSOB.

„V případě pochybností neváhejte kontaktovat Helpdesk elektronického bankovnictví na telefonním čísle 495 800 111,“ doplnili zástupci banky.

Podobně by měli uživatelé postupovat také v případě, že podobné snahy počítačových pirátů zaznamenají v případě jiných bank či finančních institucí. V minulosti se například kyberzločinci snažili několikrát napálit klienty České spořitelny, a to nejen prostřednictvím nevyžádaných zpráv, ale také skrze sociální sítě.

Ransomware je na vzestupu, vydírání si můžete objednat
27.1.2017 Root.cz Viry
Zašifrovat soubory a požadovat výkupné za dešifrování. To je ve zkratce princip ransomware. V minulém roce takto kyberzločinci „vydělali“ miliardu dolarů, mimo jiné díky rozmachu ransomware-as-a-service.
Ransomware je druh malwaru, který v posledních letechy rychle roste na popularitě. Jeho princip spočívá v tom, že uživateli zamezí v přístupu k jeho souborům Buď je to tak, že ransomware v systému postaví jednoduchou zeď, nebo tak, že rovnou zašifruje uživatelská data, takže k nim nelze přistupovat ani z jiného systému. Druhá varianta je vzhledem k dostupnosti šifrování častější a efektivnější.

Cílem je samozřejmě vylákat z oběti peníze. Žádné relevanatní statistiky sice nemáme, ale je pravděpodobné, že výnosnost ransomware oproti jiným typům malwaru bude podstatně vyšší. Zařazení počítače do botnetu útočníkovi přinese možná několik málo korun, ransomware v mnohých případech může vydělat i tisíce. Pokud uživatel nemá zálohy, tak jde o částku, kterou za obnovení dat mnohdy rád zaplatí.

Některé ransomware jsou navrženy velmi jednoduše, hlavně ze šifrovací stránky. Existují tak nástroje, které data dokážou rozšifrovat. Pokud je však šifrování implementováno správně a používají se silné šifrovací algoritmy, je skutečně nemožné se k datům bez šifrovacího klíče dostat. Ani nemluvě o tom, že některé ransomware ani s dešifrováním nepočítají a po zaplacení žádný klíč nedosanete.

Trendem posledních měsíců je ransomware-as-a-service (RaaS). V podstatě jde o to, že pokud se chcete stát internetovým kriminálníkem, můžete si od autorů malware koupit a často i personalizovat. Pokud byste čekali, že to bude stát tisíce dolarů, tak jste na omylu. Cena se typicky pohybuje v nižších stovkách dolarů. Autoři ransomware totiž nechtějí vydělávat na prodeji, ale na podílu ze zisku – zkrátka si určité procento ze získaných peněz (jak jinak než v bitcoinech) nechají. Jedinou starostí kupujícího je tak škodlivý software nějak rozšířit.

Dříve to bylo tak, že existovala možnost koupit si balíček kódu a na jeho základě ransomware postavit. Dnes už se ale dostáváme do bodu, kdy kupující nemusí umět téměř nic (doslova mu stačí proklikat se formulářem) a dostane personalizovaný ransomware za relativně nízkou cenu. Amatérskému kriminálníkovi tedy stačí vyrobit nějakou podvodnou stránku, ramsomware na ni umístit a poté jen sledovat, jak se mu na účtu objevují peníze nebohých obětí.

Přichází Satan – ransomware pro každého
Na novou úroveň celý byznys posouvá nedávno uvedený ransomware Satan. Zatímco většinu ransomware-as-a-service není až tak snadné najít, Satan se prezentuje naprosto otevřeně – i když samozřejmě v anonymizační síti Tor a na doméně .onion. Satan je průkopnický také v tom, že nevyžaduje ani žádný počáteční poplatek za zakoupení malware. Získat ho může zdarma každý, tvůrci vydělávají pouze na poplatcích, které jsou stanoveny na 30 % ze zaplaceného výkupného.

Po jednoduché registraci spočívající pouze v zadání přihlašovacího jména a hesla se kriminálník-začátečník dostane do administrátorského rozhraní pro svůj malware. Vytvoření vlastního ransomware je otázka chvíle. Stačí vyplnit výši výkupného a specifikovat systém, kterým se po uplynutí určitého období bude násobit. Docela vtipně potom působí poznámka nenahrávejte malware do VirusTotal nebo jiného on-line skeneru. Je vidět, že Satan skutečně cílí na v úvozovkách běžné uživatele. Součástí rozhraní je dokonce formulář, kde lze ransomware překládat do dalších jazyků.

Stejně tak Satan nezahrnuje klienta zbytečnými detaily. V ovládacím panelu lze sledovat v podstatě jen to, kolik systémů bylo infikovaných a za kolik z nich bylo zaplaceno výkupné. Výkupné přistává na bitcoinových adresách provozovatele, ale partner si ho může kdykoliv vybrat. Provozovatel dokonce slibuje, že svůj procentuální poplatek s rostoucím počtem zaplacení bude snižovat. Ve všech ohledech to zkrátka vypadá jako normální byznys. Až na to, že je samozřejmě velmi nelegální.

Ransomware je miliardový byznys
Jak ukazují různé statistiky, minulý rok byl pro ransomware opravdu úspěšný. Bezpečnostní společnost Trend Micro např. v roce 2015 identifikovala 29 rodin ransomware, minulý rok to bylo 145. A to jsou čísla pouze do září. Vyděrači jsou také mnohem troufalejší a dovolují si požadovat větší výkupné. Průměrný požadavek výkupného se zvýšil více než dvojnásobně na 679 dolarů z 294 dolarů na konci roku 2015, uvedla zase Orla Cox ze Symatecu. To však může být do určité míry dáno i volatilním kurzem Bitcoinu, ve kterém se výkupné vybírá.

V roce 2016 se škody způsobené ransomware odhadují na cca jednu miliardu dolarů, a to pokud počítáme pouze zaplacené výkupné. Škody samozřejmě budou ještě podstatně větší, vezmeme-li v potaz ztrátu dat. Nicméně takové škody se velmi obtížně vyčíslují. Pro srovnání, v roce 2015 se na výkupném vybraly jen nízké desítky miliónů dolarů. Podle Osterman Research se někdy obětí ransomware stala už polovina společností ve Spojených státech.

Nejúčinnější obranou je zdravý rozum
Jak se proti ransomware bránit? Žádná nová řešení neexistují, stále platí tradiční poučky: zálohovat a nestahovat a nespouštět software z podivných zdrojů, zvlášť s administrátorskými právy. Částečně pomůže detekce malware či škodlivých stránek v prohlížeči a také antivir, ale detekce nových rodin ransomware není okamžitá a antivirový software tedy určitě neposkytne stoprocentní ochranu.

Úplně imunní není ani Linux, pro který už se několik ransomware objevilo. Zřejmě prvním byl na podzim roku 2015 Linux.Encoder.1, který jsme na Rootu podrobně rozebrali. Důležité je si uvědomit, že ransomware málokdy zneužívá nějaké zranitelnosti systému a většinou spoléhá jen na to, že ho alespoň část uživatelů do systému dobrovolně pustí. A díky blbosti uživatelů a čím dál dostupnějším řešením RaaS se zdá, že ransomware bude bujet i nadále.

Co poradit, pokud už jsou data zablokována/zašifrována? Obecné doporučení samozřejmě zní vyděračům neplatit. Pro mnoho lidí jsou však data natolik důležitá, že se rozhodnou zaplatit i s vidinou nejistého výsledku. Nicméně po zašifrování ještě nemusí být všem dnům konec. Ideální je vypnout úložiště (vyndat ho z počítače) a vyčkávat, zda se časem neobjeví nějaký nástroj, který by data dokázal rozšifrovat. V několika málo případech se dokonce stalo, že autoři ramsomware z byznysu odešli a zveřejnili instrukce/klíče pro dešifrování.

Na Play Storu byla zázračná appka, která zvýší výdrž baterie. Nakonec se z ní vyklubal vyděračský ransomware
27.1.2017 Živě.cz Viry
Specialisté z Check Pointu zmapovali další zajímavý ransomare. Říkají mu Charger, cílil na telefony s Androidem a svůj skutečný účel skryl dostatečně kvalitně, aby pronikl i do oficiálního Play Storu, kde se vydával za aplikaci Energy Rescue, která zvýší výdrž telefonu na baterii.

Autoři malwaru si dali záležet, aby aplikace vypadala skutečně atraktivně, a tak se může pochlubit vkusnou ikonou i rozhraním, které na první pohled opravdu evokuje funkční program.

Klepněte pro větší obrázek
Mobilní ransomware pronikl na i Play Store

Jenže ouha, po spuštění se rozbalí samotný malware, který zašifruje data ve veřejné paměti (SD/sdílená paměť), SMS, kontakty, a pokud bude telefon rootnutý, požádá o administrátorská práva a případně zašifruje celý telefon.

Poté se už Charger chová jako každý jiný ransomware a po oběti bude požadovat výkupné ve výši 0,2 BTC (asi 4,5 tis. CZK). Zajímavá je nicméně i výhružka, podle které útočník v případě nezaplacení prodá zašifrovaná data na černém trhu.

Ještě zajímavější než samotná funkce ransomwaru je ale v tomto případě rozbor, jak je možné, že virus neodhalila předběžná automatická kontrola Googlu a malware se dostal do Play Storu. Google před publikací každý programu automaticky spustí ve virtuálním prostředí a audituje jeho chování.

Autoři mobilního malwaru se tomu ale začínají přizpůsobovat a kód svých aplikací upravují tak, aby se pokusily detekovat běh v emulovaném prostředí. V takovém případě se pak záškodnická část kódu neaktivuje.

Klepněte pro větší obrázek
Úryvek kódu, který nespustí záškodnickou aktivitu, pokud je lokalizace telefonu nastavení na ruštinu, ukrajinštinu a běloruštinu (RU, UA a BY)

Tento malware šel ve své vlastní ochraně ještě mnohem dál a třeba textové řetězce, ve kterých byly uložené sdělení o tom, že byl telefon zašifrován a oběť má zaplatit výkupné, dodatečně šifruje převedením do pole bajtů. Automat Googlu tedy nemůže provést analýzu vložených textů. Do třetice útočníci do samotných instrukcí malwaru vnášejí určitou formu soli (šumu), která má znepříjemnit analýzu jejich posloupnosti. Malwarové instrukce tedy střídají všemožné další nesmyslné instrukce, které mají odvádět pozornost případného auditu a skrýt skutečný význam programu.

Virus mají na svědomí nejspíše programátoři z východní Evropy, ransomware totiž neútočí na mobilech s ruskou, ukrajinskou nebo běloruskou lokalizací. Důvodem nejspíše není to, že by se snad jednalo o patrioty, ale chrání se tím před případnou trestně-právní zodpovědností. V zemi jejich původu se jednoduše řečeno nejedná o malware, protože nijak neútočí.

NCIIPC: It's Time to Step Forward And Protect Our Critical Infrastructures from Cyber Attacks

27.1.2017 thehackernews Cyber

The IT threat landscape has changed dramatically over the last three-four years.
With no shortage of threat actors, from hacktivists to nation-states, criminals to terrorists, all of them are now after something new.
It's no more just about stealing your money, credit cards and defacing websites, as now they are after the intellectual property, mass attacks and most importantly, our critical infrastructures.
We have long-discussed nightmare scenarios of cyber attacks against nation's critical infrastructure, but now these scenarios have come to the real world, and we have seen many such incidents in the past years.
The latest example is cyber attacks against Ukrainian power grid. Just two weeks back, Ukraine's national power company Ukrenergo confirmed that electricity outage on 17-18th December last year was caused by a cyber attack.
Such sophisticated cyber attacks have revealed the extent of vulnerabilities in the systems that are operating the most critical sectors in a country.
Around 13 years ago, the Indian government established the Computer Emergency Response Team (CERT-In), and just like CERTs in other nations; it is responsible for collecting and sharing reports on cyber attacks against non-critical systems.
Every minute, we see about half a million attack attempts that are happening in cyberspace.
But, we are living in a dramatically fast changing world and unfortunately, which now includes threats not only against people, places, and information but also against strategic sectors and critical infrastructure of a nation, for which most organizations were never prepared for.
In order to address cybersecurity of critical infrastructure and evolve related practices, policies, and procedures to protect our most critical properties, the government set up a special body in 2014, named NCIIPC.
NCIIPC — National Critical Information Infrastructure Protection Centre — works under the country's technical Intelligence Agency, NTRO and vowed to work with public and private sectors to identify the nation's most critical assets and systems, and help them to create a foolproof firewall around these networks and overall risk management strategies.
Just last week, NCIIPC organized an event to celebrate its third anniversary of its foundation day, and I got an opportunity to attend the event and represent The Hacker News, among others, including — cyber security experts, policymakers, industry leaders, Academia and Government representatives.

The event aimed to provide a platform for all stakeholders of the CII ecosystem to converge, deliberate and formalize action plans for optimizing and improving protection of the vast array of CII deployed across the nation.
Here's a brief of last week's main events, in case you've missed them:
The event was inaugurated with the welcome address from Mr. Alok Joshi, Chairman NTRO, who briefly said that the cybersecurity threats are becoming more severe over time.
Attacks are happening now… but not only this, it is constantly changing and, in the case of cyber, the threats are becoming ever more sophisticated and insidious.
And It’s true, everything is under attack… from highly critical infrastructures to medical devices.
Mr. Joshi’s talk was followed by Dr.Arvind Gupta, Deputy National Security Advisor (NSA), Chief guest for the event, who primarily focused his talk on critical issues originated due to a massive number of unreported cyber-attacks.
He also showed support for the need of developing capabilities to strengthen cybersecurity research and development (R&D) community, which must include researchers, industry experts, and academia.
The event also witnessed insightful keynotes including Dr.Gulshan Rai, India’s first National Cyber Security Coordinator and Dr. Sanjay Bahl, Director General CERT-In.
Both officials collaboratively said that NCIIPC is intended to promote collaboration and information sharing between government and industry to facilitate safe, secure and resilient Information Infrastructure for Critical Sectors of the Nation.
Moreover, delegates also discussed the security of Internet of Things -- the next generation critical Infrastructure.
Just as critical infrastructure is essential for everyday living, the rapidly growing "Internet of Things" is changing the way we use technology and helping people live more efficiently.
So, it has been concluded that to prevent our critical assets from sophisticated cyber attacks, we and organizations like NCIIPC, need to work together to identify the list of infrastructures that need special protection and know, who are after them.... waiting for opportunities to harm nation's economy and steal our secrets.

President Trump's @POTUS Twitter Linked To A Private Gmail Account

27.1.2017 thehackernews Social

It seems like the new American President's Twitter account could easily be hacked due to security blunders he made with the most powerful Twitter account in the world, experts warned.
Days after we got to know that the newly inaugurated President Donald Trump was still using his old, insecure Android smartphone, it has now been revealed that the official @POTUS Twitter account was linked to a private Gmail account.
Since we are already aware of the potential scandal with government officials using outside email systems following the hack of private e-mail servers of Hillary Clinton and George W. Bush, the choice of using private, non-government email address by Trump has raised serious concerns about the security of the White House's closely watched account.
To gain control of the official @POTUS Twitter account, which may or may not is secured with some form of two-factor authentication, all an attacker needs to do is hack the email address associated with the account, which controls the password reset process.
A hacker, @WauchulaGhost, who discovered this issue also reported similar weaknesses in the email linked to the First Lady Melania Trump (@FLOTUS) and VP Mike Pence (@VP), said CNN.
WauchulaGhost, who took down more than 500 ISIS Twitter accounts in the past, said he would not hack the @POTUS Twitter account or Twitter accounts of other White House officials; instead, he just wanted to issue a warning to upgrade the security of these accounts.
Fortunately, all those Twitter accounts were switched over to the White House-affiliated private email clients by just yesterday morning, but so far only Trump's personal Twitter account is apparently protected by two-factor verification, which requires users to enter a one-time passcode sent to their phone.
Also Read: Donald Trump's Email Servers are Horribly Insecure — Researcher Reveals
However, Trump's personal Twitter account still involves some substantial information security risks, since he is still using the insecure device to post messages from the White House, according to numerous reports quoting unnamed White House sources, which could allow malicious actors to gain access to the account through his phone itself.
Trump Press Secretary May Have Just Tweeted His Password, Twice!

Another example of security blunders came yesterday when Press Secretary Sean Spicer believed to have tweeted his own Twitter password — particular combination of letters and numbers (n9y25ah7) — by mistake.
And since the email address used for the Spicer's Twitter account (@PressSec) was already known, it would have taken just a few seconds to log into it.
Overall, it is not a good start for the nascent Trump administration as far as cyber security is concerned. And if this continues, the new president will be the next target for hackers.

Chrome 56 Patches 51 Vulnerabilities

27.1.2017 Securityweek Vulnerebility
Google this week released Chrome 56 in the stable channel, patching no less than 51 vulnerabilities in the popular browser.

Available for download for Windows, Mac and Linux as Chrome 56.0.2924.76, the new browser iteration patches 21 vulnerabilities reported by external researchers, 7 of which were assessed with a High severity rating, 8 as Medium risk, and 6 as Low severity. Google paid a total of more than $54,000 in bug bounties for these flaws.

Four of the High severity flaws, all Universal XSS issues in Blink (CVE-2017-5006, CVE-2017-5007, CVE-2017-5008, and CVE-2017-5010), were found by Mariusz Mlynski, who earned $32.337 in bug bounties for his discoveries.

The remaining flaws included an Unauthorised file access in Devtools (CVE-2017-5011), found by Khalil Zhani ($3000), an Out of bounds memory access in WebRTC (CVE-2017-5009), found by Sean Stanek and Chip Bradford ($3000), and a Heap overflow in V8 (CVE-2017-5012), found by Gergely Nagy ($5500).

The Medium severity flaws included two Address spoofing in Omnibox, discovered by Haosheng Wang and Armin Razmdjou, respectively ($2000 each), a Heap overflow in Skia, found by sweetchip ($2000), a Use after free in Renderer, credited to Wadih Matar ($2000), a UI spoofing in Blink, found by Haosheng Wang ($1000), an Uninitialised memory access in webm video, discovered by danberm ($500), and two Universal XSS issues in chrome://apps and chrome://downloads, both discovered by Rob Wu.

The Low severity vulnerabilities included a Use after free in Extensions, a Bypass of Content Security Policy in Blink, a Type confusion in metrics, two Heap overflows in FFmpeg, and an UI spoofing. Google has yet to detail the bounties paid for these flaws.

Last month, Google released Chrome 55 to resolve 36 vulnerabilities affecting the application, but also to turn off Flash in the browser. By blocking Flash content by default, Google was pushing for a safer browsing experience when using Chrome, given that Adobe’s plugin has been long considered one of the most vulnerable programs. Microsoft Edge and Mozilla’s Firefox also started blocking Flash content recently.

4.2 Billion Records Exposed in Data Breaches in 2016: Report

27.1.2017 Securityweek Incindent
2016 was a record year for data breaches, as the number of exposed records exceeded 4.2 billion, nearly four times than the previously set record.

The latest release of Risk Based Security’s annual Data Breach QuickView report shows that there were 4,149 data breaches reported during 2016, down from the 4,326 data breaches reported in 2015. The number of exposed records, however, reached an all-time high that might not be easily equaled: 4.281 billion. The previous record was established in 2013 at 1.106 billion.

Over half of the compromised records came from Myspace and Yahoo last year. The former confirmed in May that over 400 million accounts were compromised in a data breach that took place in 2013, while the latter revealed two different hacking incidents, a 2014 one, which resulted in 500 million compromised accounts, and a 2013 one, with over 1 billion compromised accounts.

However, these weren’t the only popular services to have suffered massive data breaches that were reported last year: Mail.Ru (25 million compromised records), LinkedIn (167 million), Tumblr (65 million), VK (170 million), VerticalScope (45 million), and Last.fm (43 million) are also on the list. In fact, the top 10 breaches in 2016 exposed a total of more than 3 billion records.

According to Risk Based Security’s report (PDF), no less than 94 breaches in 2016 had exposed one million or more records. However, 50.4% of the data breaches reported last year exposed only between one and 10,000 records, while 37.2% of them exposed less than 1,000 records.

Business (80.9% of the number of records exposed) and Government (5.6%) sectors were hit the most in last year’s incidents, with the Medical industry (0.3%) and Education (less than 0.1%) next on the list. A great amount of breaches hit “Unknown” industries (13.1% of the exposed records).

The report also notes that 53.3% of the breaches were the result of hacking operations, and that they accounted for 91.9% of the exposed records. Malware accounted for 4.5% of the data breaches, but only 0.4% of the compromised records were affected. Misconfigured databases and other inadvertent web based disclosures exposed over 253 million records in 2016, the report reveals.

Breaches involving U.S. entities accounted for 47.5% of the breaches last year, and for 68.2% of the exposed records, the firm notes. A report from CyberScout (formerly IDT911) and the Identity Theft Resource Center (ITRC) this week revealed that 1,093 breaches were disclosed by organizations in the United States last year, up 40% compared to 2015.

Only 18.3% of the incidents reported last year were the result of insider activity, including accidental, malicious and unknown intent. “56.3% of incidents originating from malicious insiders had no confirmed record count, while 39.3% of incidents originating from insider accidents had no confirmed count,” the report reads.

Email addresses were exposed in 42.6% of the data breaches, with emails and passwords considered the prize targets of these incidents. In fact, the number of impacted passwords skyrocketed last year, reaching 3.2 billion, although it was of only 151 million in 2015.

“With 102 countries reporting at least one data breach in 2016, Risk Based Security’s research suggests that no industry, organization size or geographic location, is immune to a data breach. The total number of reported breaches tracked by Risk Based Security has exceeded 23,700, exposing over 9.2 billion records,” the security firm notes.

The Application Security Testing Conundrum

27.1.2017 Securityweek Security
It is my humble opinion that we have allowed our daily rush into an increasingly digital world to negatively affect our ability to address challenges. We look at the world in the sharp, square and discreet lens of digital and ignore the smooth and contiguous thinking of analog.

This phenomenon can be readily seen in the world of software security, where there is a preponderance of binary sounding decisions that may have an analog solution. Static application security testing or dynamic application security testing? On premises or managed services? The answer may simply be “yes” with lots of shading based on each organization’s needs.

The funny thing about the rush to apply digital thinking to software security is that at its heart, software security is fighting a very analog pursuit. Yes, software is a digital manifestation, but identifying and exploiting flaws and bugs in software is a highly creative and largely human endeavor. In other words, it is a very analog exercise. Logic would say that to stop an analog exercise, analog thinking might be in order.

Code AnalysisLet me take the managed service versus on premises deployment question for example. My experience, validated by my discussions with industry analysts, is that organizations with a mature software security initiative (SSI) tend to use both methods. For high profile, high risk applications, they likely will do testing on premises with their own team and a set of tools. For the other applications in their portfolio, they use managed services to provide them full breadth of portfolio coverage without the need to invest in staff and additional products.

The analog answer in not just for mature organizations - An organization getting started with a testing program may have on premises as their goal. However, installing a new product, ramping up staff, establishing expertise, and building processes and procedures take time and push back the benefits of testing the software. The organization can use managed services to offload some of the initial testing while they ramp up the on premises testing machine, and slowly transition off managed services over time.

Back to the static versus dynamic question - It is well known that static and dynamic find very different vulnerabilities, and even when combined leave some vulnerabilities un-identified. Savvy organizations have learned how to use a mix of the two testing types to increase their coverage and lower their risk. They go even more analog by varying what test is applied to what application based on factors like risk.

How did we get to this digital thinking? As the software security market emerged and evolved, vendors appeared with solutions to the problem of testing applications, each taking a unique angle to the problem. Some were SAST, some DAST. Some on premises, some managed services. Then the marketing machines kicked in employing a derivation of Maslow’s Law of the Instrument - If your only tool is a hammer then every problem looks like a nail. The vendors set out to convince the market that their problem – the nail – could only be driven by a very specific hammer, which was of course their product or service. I often refer to the RSA Conference as a hammer salesperson convention.

In my previous article, “Make a New Year's Resolution to Get Serious About Software Security”, I threw out several challenges. One was to challenge your application security testing vendor portfolio to ensure you have not been lulled into a status quo. Look for partners that take a more smooth and contiguous approach that blends multiple products and services so you are not artificially locked into digital thinking.

I also warned against the Box Checker mentality, which can also breed a highly digital mindset. This is because many organizations limit themselves to running tests simply to satisfy a regulatory mandate or another compelling event and are happy just to check the box. Such an approach naturally puts you on the path of least resistance where you seek the easy button product that will get the box checked. It lulls you into digital thinking.

My challenge for those involved in software security is to step away from a digital mindset and embrace some analog thinking. Walk away from the sharp edges and embrace a more open minded approach. Blend multiple products, offerings and approaches to what best fits the needs of your organization. Use the flexibility of this mindset to enable agility so the organization can quickly adapt to market conditions, emerging threats, and the evolution of the business. Eschew a cookie cutter approach for the right stuff for the job outlook. Don’t be afraid to engage new technologies to see what value they can bring your organization.

Take it to the next level - Consider how to break out of the traditional testing cycles and push testing deeper into the development cycle. Or get really analog and build security into every application by starting with secure architecture and design. You may find that some smooth, contiguous thinking puts you and your organization in a much better place to reduce risk and eliminate many of the common bugs and flaws found in software.

Hiding in Plain Sight: Why Your Organization Can't Rely on Security by Obscurity

27.1.2017 Securityweek Security
Attackers Don't Examine Market Size When Deciding Whether or Not to Target an Organization or a Person

Recently, on a trip to visit potential customers in one of Europe’s smaller markets, I ran into a recurring theme. When I speak to any audience about security, including potential customers of course, I tend to focus on concepts and ideas, rather than specific products and services. Choosing the components of a solution is important, but can only be done once an approach is well understood. This comes much later in the discussion. Not surprisingly, most people prefer this approach, particularly when they are able to map between the concepts and ideas and the specific problems and challenges they face.

As you can imagine, one of the concepts I often discuss is the identification, prioritization, and mitigation of risk. As I’ve discussed previously, this is one of the most critical components of a mature and successful security program. This particular trip was no different from most others in that I broached this particular topic with nearly everyone I met with. What was different on this trip, however, was one response I received repeatedly: “We are in a small market. No one will attack us.” This surprised me quite a bit.

Cybercrime Indeed, I have heard this line of reasoning many times in the past. What surprised me was not that people would be inclined to think this way, but that they would be inclined to think this way in 2017. It is surprising given how interconnected the world is, how we’ve repeatedly seen that no target is too small or too remote for the motivated attacker, and how organizations that do not come to terms with this reality ultimately pay for it, sometimes dearly.

Sadly, market size isn’t the only way in which people lure themselves into a false sense of security. Let’s take a look at a few of the different ways in which people convince themselves that they do not need to understand the threat landscape they face and mitigate the risk it presents them with.

Organizational Size

Some people, organizations, and boards seem to think that if their organization is under a certain threshold (either employee-wise or revenue-wise), then the organization can simply fly under the attacker radar. This line of reasoning is reminiscent of the old “security by obscurity” way of thinking. As experienced security professionals know, this is a dangerous way of thinking that generally winds up producing disastrous results.

Attackers have shown time and time again that they care about one thing and one thing only: the location of the prize they are after. It doesn’t matter if that prize is money, information, disruption, or any of the other ends that motivate attackers. If an organization has what the attackers are after, they will go after it. It doesn’t matter if the organization has 10 employees or 10,000 employees.

Geographic Isolation

There is a somewhat natural tendency to feel safe and secure due to geographic isolation. If we look at the history of kinetic wars and the kinetic battlefield, it is easy to understand why this is the case. But this sense of security does not and should not translate to the virtual world.

Whereas to commit a physical crime in a given city, I generally need to be in that city, this is obviously not the case in the virtual world. I can sit on one side of the world and commit cybercrime on the other side of the world. Similarly, I can just as easily attack targets in places that may be geographically isolated as I can attack places that may be just around the corner from me. Unfortunately, there is really nowhere to hide in the virtual world.

Language Barriers

There are many languages that a relatively small number of people speak. In the countries that speak these languages, people may be inclined to think that they are not at risk. For example, people may think that because all intellectual property, customer data, employee data, or other sensitive data is written in a language that is not widely spoken, then no one will ever be able to target, navigate to, and exfiltrate that data. This is another type of “security by obscurity” that is a dangerous way of thinking. Unfortunately for those native speakers, this could not be farther from the truth. Attackers have shown tremendous creativity and resourcefulness when it comes to gaining access to the information they are after, regardless of the language it is written in and how many people speak that language.

Market Size

As I mentioned above, being in a smaller market does not protect an organization from attack. No matter how small the market, there will still be people, organizations, and information that attackers will want to target. To be quite frank, it doesn’t much matter where information resides nowadays. The fact that it exists in an interconnected world puts it at risk. Attackers do not examine market size when deciding whether or not to target an organization or a person that has a specific piece of information they are after. They simply go after it.

My purpose in this piece isn’t to cause panic or present a doom and gloom scenario. Rather, I’m hoping that the clever reader will see in this piece an opportunity to help educate management, executives, the board, and others of the need to approach security strategically, regardless of organization size, geographic location, spoken language, or market size. Any of the points I’ve raised above can be countered and mitigated by approaching security as a risk mitigation exercise complete with a robust security operations and incident response capability. No one should rely on security by obscurity and expect to fly under the radar of the modern attacker. It’s just too risky.

The Nuke HTTP bot Malware offered for sale on a Dark Web forum
27.1.2017 SecurityAffeirs BotNet

The security researchers at security firm Sixgill discovered a new malware dubbed Nuke HTTP bot offered for sale on a forum in the Dark Web.
Darknets are the right places where to find illegal product and services, it is quite easy to find malicious code and also botnets of any type.

On December 16th, a new malware dubbed Nuke HTTP bot was discovered by the security researchers at security firm Sixgill on a popular cybercrime forum in the dark web. The author of the malware, who goes by the moniker Gosya, claims the malicious code was developed from scratch. Nuke was offered for $4,000, a good price for such kind of commodity.

Researchers at Sixgill who analyzed the Nuke malware confirmed that the malware request a significant skill for its development. The authors of the malware implemented sophisticated features, including the ability to inject malicious code on Firefox and Chrome browsers.

Nuke is also able to get through User Account Control (UAC) and Windows Firewall executions, and it supports both 32-bit and 64-bit systems.

Nuke HTTP bot

Below the full list of featured implemented in the Nuke HTTP bot:

– SOCKS proxy module
– Formgrabber and Web-Injection module
– Remote EXE file launcher module
– Hidden VNC module for WinXP-Win10
– Rootkit for 32-Bit and 64-Bit machines
– Bot-killer – a mini anti-virus meant to remove all competing malware from the infected machine, if any are present.

The SOCKS proxy module allows the malware to retrieve data from the infected machine and send it back to the C&C server. Another interesting feature it the so-called “bot killer,” that indicated the capability of the malicious code of removing all other existing malware on the target machine.

The malicious code is very small in size, just 83kb when uncompressed.

“Nuke HTTP Bot boasts a fairly small file size of just 83kb uncompressed, and 54kb compressed. The detection rate at the moment of writing this article is extremely low as well. Gosya presented evidence supporting the fact the malware is currently undetected by mainstream AV engines.” reads the analysis published by Sixgill.

Researchers at Sixgill are monitoring the diffusion of the Nuke HTTP bot in the wild and are supporting law enforcement in the investigation.

“A test version was already found in the wild by Netscout’s Arbor Networks. The author went on and mentioned that he is aware of it. The analyzed variation was a test version of the malware. The current version, according to Gosya, has much of the inner workings changed since Arbor’s report was published.” states the report.

Data breach notification website LeakedSource raided by feds
27.1.2017 SecurityAffeirs Crime

LeakedSource is down! According to a message appeared in the OGF forum, the popular data breach notification website has apparently been raided by feds.
The Data breach notification website LeakedSource has apparently been raided by feds. The service is one of the most important available online, it reported some of the largest data breaches last year and now is facing a serious problem.

Among the data breaches reported by LeakedSource there are the ones that affected Last.fm, Rambler.ru, FriendFinder Networks, LinkedIn, and MySpace.

According to a post on the marketplace ogflip.com, the owner of LeakedSource was raided earlier this week, it is still unclear the reason for the raid.

At the time I was writing the service appears to have been shut down.

“Leakedsource is down forever and won’t be coming back. Owner raided early this morning. Wasn’t arrested, but all SSD’s got taken, and Leakedsource servers got subpoena’d and placed under federal investigation. If somehow he recovers from this and launches LS again, then I’ll be wrong. But I am not wrong. (sic)” reads the message from OGF.


The data breach notification service was offering access to the full archive with the payment of a membership fee.

LeakedSource indexed more than 3 billion records that were obtained through information sharing between a number of sources, including the hackers who broke in the compromise archives.

The U.S. Department of Justice did not comment the news of an alleged investigation related to the data breach notification service.

Zákeřný virus krade kontakty a SMS zprávy. A pak chce výkupné

26.1.2017 Novinky/Bezpečnost Viry
Bezpečnostní analytici antivirové společnosti Check Point objevili novou hrozbu zvanou Charger. Tento nezvaný návštěvník útočí výhradně na chytré telefony, ze kterých následně krade uložené kontakty a SMS zprávy. Pak útočníci požadují po uživateli výkupné.
Charger se soustředí výhradně na chytré telefony s operačním systémem Android. Útočníkům se jej dokonce podařilo propašovat i do oficiálního obchodu Google Play, a to jako součást aplikace EnergyRescue.

„Infikovaná aplikace krade kontakty a SMS zprávy z uživatelského zařízení a snaží se získat administrátorská oprávnění. Pokud je uživatel udělí, ransomware uzamkne zařízení a zobrazí zprávu požadující platbu,“ vysvětlil David Řeháček, bezpečnostní odborník ze společnosti Check Point.

Zaplaťte, vyzývají kyberzločinci
Útočníci se snažili zprávou uživatele jednoznačně vyděsit. „Budete nám muset zaplatit, jinak prodáme každých 30 minut na černém trhu část vašich osobních informací,“ stojí ve výzvě počítačových pirátů.

„Dáváme vám 100% záruku, že všechny soubory budou obnovené, jakmile obdržíme platbu. Odemkneme mobilní zařízení a smažeme všechna vaše data z našeho serveru! Vypnout telefon nepomůže, všechna vaše data jsou již uložena na našich serverech! Můžeme je prodat na spamování, podvody, bankovní zločiny a podobně. Shromažďujeme a stahujeme všechna vaše osobní data. Veškeré informace o vašich sociálních sítích, bankovních účtech, kreditních kartách. Shromažďujeme veškerá data o vašich přátelích a rodině,” vyhrožují dále kyberzločinci.

Výkupné chtějí zaplatit ve virtuální měně bitcoin, kterou prakticky není možné vystopovat. Konkrétně požadovali 0,2 bitcoinu, tedy v přepočtu více než 4,5 tisíce korun. I přes prohlášení počítačových pirátů ale samozřejmě uživatelé nemají žádnou jistotu, že se ke svým datům po zaplacení výkupného dostanou.

Zajímavá je i analýza tohoto škodlivého kódu. „Podobně jako u jiných malwarů z minulosti, také Charger kontroluje lokální nastavení a nespustí škodlivé aktivity, pokud je přístroj lokalizován na Ukrajině, v Rusku nebo Bělorusku. Pravděpodobně aby se vývojáři vyhnuli stíhání ve svých vlastních zemích nebo vydání mezi zeměmi,“ konstatoval Řeháček.

Riziko nepředstavuje pouze aplikace EnergyRescue. Škodlivý kód Charger se totiž může objevit klidně i v nějakém dalším programu, do kterého jej kyberzločinci implementují.

Android pod palbou kyberzločinců
Na Android se počítačoví piráti zaměřují stále častěji. Loni se například objevila podvodná aplikace vydávající se za aktualizaci klienta sociální sítě Facebook. Ta cílila opět na Android. 

Před tímto nezvaným návštěvníkem v chytrých telefonech varovali zástupci Air Banky: „Pokusy útočníků nás nepřestávají překvapovat. Nově to zkoušejí tak, že vám s pomocí viru zablokují mobilní aplikaci pro přístup na Facebook a nabídnou vám instalaci nové.“

„Pokud se vám něco takového stane, rozhodně nic neinstalujte. Jinak by útočníci mohli získat přístup k vašim ověřovacím SMS, které vám chodí pro potvrzování plateb. Místo toho raději rovnou celý telefon resetujte do továrního nastavení,“ stojí v doporučení banky.

Vhodné je tak používat i na chytrém telefonu nějaký antivirový program.

Nestahujte do telefonu aplikaci Pošta Online. Je to podvod, varuje Česká pošta

26.1.2017 Novinky/Bezpečnost
Uživatelé mobilních telefonů s operačním systémem Android by si v žádném případě neměli stahovat aplikaci „Pošta Online”. Jak uvedl mluvčí České pošty Matyáš Vitík, jedná se o podvod. Podvodné SMS vyzývají jménem České pošty ke stažení aplikace, za kterou se ukrývá nebezpečný trojský kůň.
Trojský kůň, který si uživatel nevědomky stáhne do mobilu, útočí na elektronické bankovnictví uživatelů. Pošta podle Vitíka zatím zaznamenala asi desítku případů.

„Česká pošta se od těchto zpráv a podvodných stránek distancuje a upozorňuje zákazníky a všechny občany, aby na případné SMS, které obsahují výzvu k instalaci a odkaz na aplikaci Pošta Online na internetu, nereagovali a raději ji smazali. Česká pošta neposílá zákazníkům odkazy na instalaci aplikací přes SMS,” dodal Vitík.

V minulých letech se jménem České pošty šířily podvodné e-maily, které se vydávaly za zprávy o sledování poštovní zásilky. Podvodné e-maily obsahovaly odkaz vedoucí na web, který do počítače stáhl škodlivý kód.

Expensive free apps
26.1.2017 Kaspersky Android

This post is the result of collaboration between Elevenpaths (Telefónica Cyber Security Unit) and Kaspersky Lab. Both companies have used their own expertise, researchers and tools, such as Tacyt (an innovative tool for the monitoring and analysis of mobile threats) and GReAT’s internal tools and resources.

Big Brother and Google Play

Fraudulent apps trying to send Premium SMS messages or trying to call to high rate phone numbers are not something new. Actually, it is easy to find them specially in Spain, Russia and some other european countries. Of course, it is much more interesting to talk about how certain groups bypass detection mechanisms such as those used by Google Play, since this has become difficult to achieve in the past few years.

Some years ago it was pretty easy to upload a dialer (or other similar fraudulent app) to Google Play [1] [2], but new detection mechanisms made attacker to focus on alternative markets, at least for a period of time.

Recently, we have found a Spanish group that successfully uploaded a non-official Big Brother (Gran Hermano) TV show app, which is one of the most popular TV shows in Spain even being on the air for 16 years now.


This was not a very sophisticated app, but they were able to upload it into Google Play using an old trick. First, they uploaded a clean an innocuous version that of course passed or the security controls from Google Play. Then, some days later, a new version was uploaded with a major features update, including subscription to paying services. This trick was extremely simple but successful, since the app was in the Google Play for around two months (from mid September to mid November 2015).


It seems this was not the first time this group tried to upload a Big Brother-like app. We have detected (via Tacyt [3]) at least another 4 similar applications that, regarding some particular logging messages we found in the code, could have the same origin:

com.granhermano.gh16_1; from 2015-09-15 to 2015-09-22;
com.granhermano162; from 2015-09-29 to 2015-11-14;
com.granhermanodieciseis; from 2015-09-29 to 2015-11-11
com.granh.gh16_3; from 2015-10-05 to 2015-10-15;
com.hisusdk; from 2015-09-16 to 2015-11-14 (the one analyzed).

As we said before, this group was found to be using a specific string “caca” as a logging tag, which is not something usual:


The word “caca” is a colloquial word in Spanish referring to an excrement (very similar to the word “poo” in English). We could find it in certain testing code, referring to lines of code that should be removed later, but it is unusual to find it in such similar applications and used in the same way. Because of that, it makes sense to think that those applications were developed by the same group. Other strings and function names used in the code make us conclude that those applications could be developer by native Spanish speakers.

This app is using several commercial third party services such as Parse.com for the first network communication. This first API call is used in order to get all the information necessary to run further actions (URLs, authentication, etc).

{“results”:[{“Funcionamiento”:” Ahora la única pestaña importante es la de VOT.”,”action1″:”http://tempuri.org/getPinCode”,”action2″:”http://tempuri.org/crearSubscripcion”,”activa”:”si”,”createdAt”:”2015-09-08T16:17:24.550Z”,”estado”:true,”id_categoria”:”2608″,”id_subscripcion”:”400″,”metodo1″:”getPinCode”,”metodo2″:”crearSubscripcion”,”namespace”:
”http://tempuri.org/”,”nombreApp”:”GH16 – españa”,”numero_corto”:”795059″,”numero_sms”:”+34911067088″,”objectId”:”tNREzkEocZ”,”password”:”15xw7v7u”,”updatedAt”:”2015-11-27T10:28:00.406Z”,”url”:”http://ws.alertas.aplicacionesmonsan.net/WebSubscription.asmx?WSDL”,”urlcode”:”http://spamea.me/getcode.php?code=”,”usuario”:”yourmob”,”vot”:true}]}

As we can see above, it references to different URLs:

spamea.me is service that no longer exists at the time of writing, but that used to be hosted on, which seems a hosting service shared with many other websites.


ws.alertas.aplicacionesmonsan.net is legitimate service focused on mobile monetization, including SMS premium and direct carrier billing. It is used from the app in order to subscribe the user to a service called “yourmob.com”.


Of course, using paying services is not malicious itself, since it is legitimate that companies could bill for their services, but user should be clearly noticed about service cost and conditions beforehand.


Despite we found a reference to “Terms and Conditions” (in Spanish) poiting to the website servimob.com , we could not verify that this information is shown to users and, anyway, users don’t have the opportunity to reject the agreement and don’t be subscribed.

Presence outside Google Play

It make sense that if a group have included this kind of app in Google Play, They were going to try something similar using other app sources (thanks to Facundo J. Sánchez that spotted this).

Analysis: 9b47070e65f81d253c2452edc5a0eb9cd17447f4


This app worked slightly different. It uses other 3rd party services and it sends Premium SMSs for monetization. They got from the server what number to use, for how many seconds and if the screen should be on or off.

We found that they used very similar words for comments and method names (most of them in Spanish, including “caca”), same topic (Big Brother), references to “yourmob” and much more, so definitely we can link it with the Spanish group mentioned before.


One of the webservices used by this application ( exposed a control panel showing information about people using this app:


As you probably know, groups developing this kind of apps usually reuse their servers and supporting infrastructure for multiple apps, for example this one:


It was using this vps as well http://vps237553.ovh.net. Some of the panels and services provided by the VPS were located here:



As we can see in their control panel, they have been quite successful in terms of spread, since there are registered phones from many different countries (Spain, Holland, Poland, etc).

In addition, an iterative search on terms such as IP addresses, unique paths, etc, has shown that other apps could be using the same supporting infrastructure that was shown above, including the following IP addresses and domain names: (vps237553.ovh.net)
In particular, was pointed by different domain names in the past months:

kongwholesaler.tk (2016-05-22)
acc-facebook.com (2016-04-11)
h-instagram.com (2016-04-11)
msg-vk.com (2016-04-11)
msg-google.ru (2016-04-10)
msg-mail.ru (2016-04-10)
iwantbitcoins.xyz (2015-11-04)
These domains have probably been used for fraudulent initiatives such as phishing attacks, since they are very similar to well-known and legitimate services.

Something that kept our attention was that “vps237553.ovh.net”, used from a sample and resolving to, was also used at some point (June 2016 regarding our passive DNS) by “servimob.com” domain (same domain referenced in the app from Google Play).


Back to Google Play

As you can imagine, they tried again to upload a new app to Google Play, following a similar philosophy and techniques that we have seen before.



These apps were available in Google Play for a few weeks in September 2016, using similar techniques, especially to those applications that we found outside Google Play.


This Spanish group has been quite successful on uploading this kind of apps in Google Play, using interesting topics such as the Big Brother TV show. Spain and Poland have been two countries traditionally targeted by SMS scams and similar malware. However, we have never seen in the past few years any group that was able to upload apps to legitimate markets in such an easy way. Perhaps the key point is that they try to be close enough to the border between a legitimate business and a malicious one.

Machine learning versus spam
26.1.2017 Kaspersky Spam
Machine learning methods are often presented by developers of security solutions as a silver bullet, or a magic catch-all technology that will protect users from a huge range of threats. But just how justified are these claims? Unless explanations are provided as to where and how exactly these technologies are used, these assertions appear to be little more than a marketing ploy.

For many years, machine learning technology has been a working component of Kaspersky Lab’s security products, and our firm belief is that they must not be seen as a super technology capable of combating all threats. Yes, they are a highly effective protection tool, but just one tool among many. My colleague Alexey Malanov even made the point of writing an article on the Myths about machine learning in cybersecurity.

At Kaspersky Lab, machine learning can be found in a number of different areas, especially when dealing with the interesting task of spam detection. This particular task is in fact much more challenging than it appears to be at first glance. A spam filter’s job is not only to detect and filter out all messages with undesired content but, more importantly, it has to ensure all legitimate messages are delivered to the recipient. In other words, type I errors, or so-called false positives, need to be kept to a minimum.

Another aspect that should not be forgotten is that the spam detection system needs to respond quickly. It must work pretty much instantaneously; otherwise, it will hinder the normal exchange of email traffic.

A graphic representation can be provided in a project management triangle, only in our case the three corners represent speed, absence of false positives, and the quality of spam detection; no compromise is possible on any of these three. If we were to go to extremes, for example, spam could be filtered manually – this would provide 100% effectiveness, but minimal speed. In another extreme case, very rigid rules could be imposed, so no email messages whatsoever would pass – the recipient would receive no spam and no legitimate messages. Yet another approach would be to filter out only known spam; in that case, some spam messages would still reach the recipient. To find the right balance inside the triangle, we use machine learning technologies, part of which is an algorithm enabling the classifier to pass prompt and error-free verdicts for every email message.

How is this algorithm built? Obviously, it requires data as input. However, before data is fed into the classifier, is must be cleansed of any ‘noise’, which is yet another problem that needs to be solved. The greatest challenge about spam filtration is that different people may have different criteria for deciding which messages are valid, and which are spam. One user may see sales promotion messages as outright spam, while another may consider them potentially useful. A message of this kind creates noise and thus complicates the process of building a quality machine learning algorithm. Using the language of statistics, there may be so-called outlier values in the dataset, i.e., values that are dramatically different from the rest of the data. To address this problem, we implemented automatic outlier filtration, based on the Isolation Forest algorithm customized for this purpose. Naturally, this removes only some of the noise data, but has already made life much easier for our algorithms.

After this, we obtain data that is practically ‘clean’. The next task is to convert the data into a format that the classifier can understand, i.e., into a set of identifiers, or features. Three of the main types of features used in our classifier are:

Text features – fragments of text that often occur in spam messages. After preprocessing, these can be used as fairly stable features.
Expert features – features based on expert knowledge accumulated over many years in our databases. They may be related to domains, the frequency of headers, etc.
Raw features. Perhaps the most difficult to understand. We use parts of the message in their raw form to identify features that we have not yet factored in. The message text is either transformed using word embedding or reduced to the Bag-of-Words model (i.e., formed into a multiset of words which does not account for grammar and word order), and then passed to the classifier, which autonomously identifies features.
All these features and their combinations will help us in the final stage – the launch of the classifier.

What we eventually want to see is a system that produces a minimum of false positives, works fast and achieves its principal aim – filtering out spam. To do this, we build a complex of classifiers, and it is unique for each set of features. For example, the best results for expert features were demonstrated by gradient boosting – the sequential building up of a composition of machine learning algorithms, in which each subsequent algorithm aims to compensate for the shortcomings of all previous algorithms. Unsurprisingly, boosting has demonstrated good results in solving a broad range of problems involving numerical and category features. As a result, the verdicts of all classifiers are integrated, and the system produces a final verdict.

Our technologies also take into account potential problems such as over-training, i.e., a situation when an algorithm works well with a training data sample, but is ineffective with a test sample. To preclude this sort of problem from occurring, the parameters of classification algorithms are selected automatically, with the help of a Random Search algorithm.

This is a general overview of how we use machine learning to combat spam. To see how effective this method is, it is best to view the results of independent testing.


OpenSSL Patches Four Vulnerabilities

26.1.2017 Securityweek Vulnerebility
The OpenSSL Project announced on Thursday the availability of OpenSSL versions 1.1.0d and 1.0.2k, which address a total of four low and moderate severity vulnerabilities.

One of the flaws, tracked as CVE-2017-3731, allows an attacker to trigger an out-of-bounds read using a truncated packet and crash an SSL/TLS server or client running on a 32-bit host.

The weakness, reported in mid-November by Google security researcher Robert Swiecki, affects both the 1.1.0 and 1.0.2 branches when certain ciphers are used, specifically the ChaCha20-Poly1305 for version 1.1.0 and RC4-MD5 for 1.0.2.

Both OpenSSL branches are also affected by a carry propagation bug in the x86_64 Montgomery squaring procedure (CVE-2017-3732). A successful attack relying on a carry propagation bug can allow an attacker to recover encryption keys.

However, in this case, the OpenSSL Project said elliptic curve (EC) algorithms are not affected and attacks against RSA and DSA are difficult to carry out.

“Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline,” the OpenSSL Project said in its advisory. “The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients.”

The flaw, reported earlier this month by Google’s OSS-Fuzz project, is very similar to CVE-2015-3193, which OpenSSL patched in December 2015.

The third vulnerability, identified as CVE-2017-3730, affects the 1.1.0 branch and it can be exploited in a denial-of-service (DoS) attack. A malicious server that supplies bad parameters for a DHE or ECDHE key exchange can cause the client to crash.

The flaw, reported recently by Guido Vranken, was fixed by OpenSSL developers before knowing that it had security implications.

OpenSSL 1.0.2k also addresses a low severity vulnerability that was patched in the 1.1.0 branch in November.

Currently, the only supported versions of OpenSSL are 1.0.2 and 1.1.0. Version 1.0.1 no longer receives security updates since January 1.

Cisco Patches Serious Flaws in Collaboration Products

26.1.2017 Securityweek Vulnerebility
Cisco has released software updates that patch critical and high severity vulnerabilities in its TelePresence and Expressway collaboration products.

The most severe of them is a critical remote code execution vulnerability affecting the device driver in the kernel of Cisco TelePresence Multipoint Control Unit (MCU). The flaw can be exploited by a remote, unauthenticated attacker to trigger a buffer overflow and execute arbitrary code or cause a denial-of-service (DoS) condition.

The security hole, tracked as CVE-2017-3792, affects TelePresence MCU 5300 Series, MCU MSE 8510 and MCU 4500 when running version 4.3(1.68) or later of the software – versions prior to 4.3(1.68) are not impacted. Affected users have been advised to update to version 4.5(1.89).

Cisco TelePresence, specifically the Video Communications Server (VCS) software, is also affected by a DoS vulnerability that can be exploited remotely without authentication. The same issue also affects the Expressway Series collaboration gateway.

The flaw exists in all versions of the Cisco Expressway Series and TelePresence VCS software prior to X8.8.2.

A separate advisory published by Cisco this week describes a high severity DoS vulnerability affecting the ASA CX Context-Aware Security module. An attacker can exploit the flaw to cause the module to no longer process traffic. Patches have yet to be released and there are no workarounds, but Cisco has provided some recommendations for limiting exposure.

These weaknesses have been found during the resolution of support cases and Cisco is not aware of any exploits in the wild.

Still no complete patch for critical WebEx flaw

A few days ago, Google Project Zero researcher Tavis Ormandy disclosed a critical remote code execution vulnerability affecting the Cisco WebEx browser extensions for Chrome, Firefox and Internet Explorer. The expert made the details of the flaw public after the networking giant informed him that the issue had been patched, but it later turned out that the fix was incomplete.

Cisco has confirmed that version 1.0.5 of the add-on does not fully address the problem found by Ormandy. The company is currently working on a proper patch.

The vulnerability allows an attacker to execute arbitrary code on WebEx users’ systems simply by getting them to access a specially crafted website. According to Cisco, the flaw is caused by a “design defect in an application programing interface (API) response parser within the plugin.”

Americans Distrustful After Hacking Epidemic: Survey

26.1.2017 Securityweek Hacking
Washington - Nearly two-thirds of Americans have experienced some kind of data theft or fraud, leaving many mistrustful of institutions charged with safeguarding their information, a poll showed Wednesday.

The Pew Research Center survey found 41 percent of Americans have encountered fraudulent charges on their credit cards, and 35 percent had sensitive information like an account number compromised.

Smaller percentages said their email or social media accounts had been compromised or that someone had impersonated them in order to file fraudulent tax returns.

Taken together, the survey found 64 percent said they had some form of personal data stolen or compromised.

Many Americans fail to follow cybersecurity best practices in their own digital livesFollowing the epidemic of data breaches and hacks, "many Americans lack faith in specific public and private institutions to protect their personal information from bad actors," the study authors wrote.

Those surveyed were concerned about telecom firms, credit card companies and others, but especially wary of the government and social media companies.

Only 12 percent said they had a high level of confidence in the government's ability to protect their data and nine percent said the same of social media sites.

Yet the survey also found most Americans fail to take a proactive role in their own security with steps such as password management and enhanced authentication.

While half of those surveyed said they have used two-factor authentication on their online accounts -- requiring a code sent to a phone or separate account -- many use similar passwords in multiple sites or share passwords with others, Pew found.

The vast majority -- 86 percent -- said they keep track of passwords by memory, and only 12 percent used password management software which is believed to be the most secure.

More than one in four respondents said they did not lock their smartphone screen, and some neglect to install important updates for their phones or applications.

The report is based on a survey conducted from March 30 to May 3, 2016, among 1,040 adults, with a margin of error for the full group estimated at 3.4 percentage points.

Android VPNs Introduce Security, Privacy Risks: Study

26.1.2017 Securityweek Android
Researchers have analyzed hundreds of virtual private network (VPN) applications for Android and determined that many of them introduce serious privacy and security risks.

A team of experts from the University of California, Berkeley, the Data 61 research unit at Australia’s Commonwealth Scientific and Industrial Organisation (CSIRO) and the University of New South Wales have analyzed 283 Google Play apps that request the BIND_VPN_SERVICE permission, which provides native support for VPN clients.

After running a series of passive and active tests, researchers determined that while 67% of the analyzed apps claim to enhance privacy and security, three-quarters of them include third-party tracking libraries and 82% of them request access to sensitive information, such as text messages and user accounts.

Experts discovered that more than one-third of these Android VPN apps, including ones that are highly popular, appear to include some malicious code when tested with Google’s VirusTotal service. Worryingly, only a small number of users have raised security or privacy concerns in the comments posted to Google Play when reviewing these applications.

Android VPN analysis

Another problem identified during the study is that 18% of the applications do not provide any information on the entity hosting the VPN server, and 16% of them forward traffic through the devices of other users, which can pose serious trust, privacy and security issues. Furthermore, a small percentage of the apps implemented local proxies designed to inspect user traffic, mainly for filtering and security purposes.

VPN applications are supposed to provide anonymity and security, but researchers found that 18% of the ones from Google Play implement tunneling protocols without encryption, and many of them don’t tunnel IPv6 and DNS traffic.

A small number of Android VPN apps have been found to intercept TLS traffic and even inject JavaScript code for advertising and tracking purposes.

Researchers have contacted the developers of problematic apps and while some of them confirmed the findings and provided arguments in support of their methods, others did not respond.

“The ability of the BIND_VPN_SERVICE permission to break Android’s sandboxing and the naive perception that most users have about third-party VPN apps suggest that it is urging to re-consider Android’s VPN permission model to increase the control over VPN clients,” researchers wrote in their paper. “Our analysis of the user reviews and the ratings for VPN apps suggested that the vast majority of users remain unaware of such practices even when considering relatively popular apps.”

The complete paper, titled “An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps,” is available for download in PDF format.

'Perfect Cyber Storm' Threatens Europe, Report Says

26.1.2017 Securityweek Cyber
Intensifying Threat Climate and Regulatory Changes are Fundamental Challenges Facing the European Union

A perfect storm is threatening, and 'cyber storm clouds are gathering over Europe on three fronts'. Those fronts are a dramatically intensifying threat landscape; a profoundly changing regulatory landscape; and the need for significantly more work from organizations to confront the combined challenge.

This is the conclusion that FireEye draws from its own insights combined with the results of a preparedness survey of 750 European clients by Marsh & McLennan. Published under the title 'Cyber Threats: A perfect storm about to hit Europe' (PDF), the findings formed the basis of a panel discussion at last week's World Economic Forum annual meeting in Davos, Switzerland. Panel members comprised Tony Cole (FireEye Global Government CTO); Peter Beshar (Marsh Executive VP and General Counsel); and Robert Wainwright (Europol director).

Europe Cyber Challenges

The first 'storm cloud front' in FireEye's perfect storm metaphor is the intensifying threat landscape.

"Hackers and purportedly nation states," says the report, "are increasingly targeting industrial control systems and networks — power grids, chemical plants, aviation systems, transportation networks, telecommunications systems, financial networks and even nuclear facilities," the report says. This is a reality facing most of the developed world that has such industries; it is not limited to Europe.

FireEye names government, financial services, manufacturing and telecommunications as the main targets for European cyber-attacks -- but again, this is little different to the rest of the developed world. The report does, however, make one Europe-specific point: from May 2018, there will be a dramatic increase in the number of reported European breaches.

This will follow the arrival of the new European General Protection Regulation (GDPR). Under existing European data protection laws there is little requirement for European organizations to make public breach notifications, and they tend not to. This will change with GDPR when notifications of personal data loss will be required. The US already has a variety of breach notification requirements; but in general, GDPR will be even more strict. The effect will be similar to this year's UK crime statistics that doubled over the previous year. There wasn't really such an increase in crime; it's just that cybercrime was included and therefore disclosed for the first time.

Under GDPR, companies "will soon be required to publicly disclose data breaches to national data protection authorities and," notes the report, "where the threat of harm is substantial, to affected individuals. Failure to do so could result in fines of as much as four percent of a company’s global turnover — a staggering sum."

This must be done within 72 hours of the organization becoming aware of the breach -- but it is not an absolute. Article 31(1) of the Regulation states that notifications must be made "unless the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals." This suggests that if stolen personal data is adequately encrypted, the breach need not be notified.

GDPR places far-reaching requirements on the storage and protection of European personal data that go beyond just security. One particular aspect, the data subject's right to erasure (also called the right to be forgotten), will require organizations to know the location and have rapid access to every single piece of personal data they store anywhere in the world. The right to erasure is again not an absolute. It can be refused under certain circumstances (such as legal obligations and in the interest of public health); but these exemptions are not sufficient to allow an organization to ignore the requirement in total.

GDPR is the second front in Europe's perfect storm described by FireEye. But GDPR doesn't just affect Europe -- it affects any organization anywhere in the world that does business in Europe and collects European personal data. FireEye itself quotes Jan Philipp Albrecht, Europe's GDPR rapporteur: "The GDPR will change not only the European Data protection laws but nothing less than the whole world as we know it." So, like the threat landscape front, this second front also applies to the greater part of the developed world.

FireEye's third front claims a general lack of preparedness against the first two. For this, the report draws on the research of Marsh. "The study found that while high-profile events, government initiatives, and legislation have pushed cybersecurity to the forefront, far more work needs to be done." Again, this statement could be applied to just about any region in the world.

"Marsh found that the percentage of companies indicating that they assessed "key suppliers" for cyber risk actually decreased from 23 percent in 2015 to 20 percent in 2016." Proof of the importance of securing the supply chain comes from the US. "As numerous attacks in the US and elsewhere have shown, hackers often gain access to larger organizations by initiating attacks against smaller vendors that provide services like air conditioning or takeout food." Empirically, then, poor preparedness in securing the supply chain can also be applied to 'the US and elsewhere'.

The goal of the paper, according to FireEye's Tony Cole, is to "make the EU community more aware of emerging cyber threat storm clouds and encourage organizations to prioritize cyber defense by partnering with experts in industry and government."

The Perfect Storm is an interesting metaphor. Its validity could be debated, but it is used to highlight that the combination of an intensifying threat landscape, an expanding regulatory framework, and a general lack of cyber security preparedness will present a major challenge to business in the coming years. While this may be true, it is a challenge that must be faced by the entire world. This Perfect Storm threatens all business and not just European business.

Possible Information warfare scenarios behind the Shamoon resurrection
26.1.2017 securityaffairs

The dreaded Shamoon has resurrected, which are possible political and technological scenarios behind the recent wave of attacks?
The dreaded Shamoon has resurrected, a new version called Shamoon 2 was spotted by the security experts at Palo Alto Networks. Saudi Arabia Computer Emergency Response Team (CERT)’s Abdulrahman al-Friah confirmed to Al Arabiya that at least 22 institutions were affected by the wave of Shamoon attacks.

Shamoon, also known as Disttrack, was first spotted in a wave of attacks that targeted companies in Saudi Arabia in 2012. Among the victims, there was the petrol giant Saudi Aramco and RasGas Co Ltd.

In the 2012 attacks, threat actors used images of a burning U.S. flag to overwrite the drives of victims.

The principal capability of Shamoon is a feature that allows it to wipe data from hard drives of the infected systems. The Sadara Chemical Co, a joint venture firm owned by Saudi Aramco and Dow Chemical, confirmed it had suffered a network disruption on Monday morning. The experts at the company are still working to resolve the problem.

Sadara | صدارة ✔ @Sadara
Sadara has experienced a network disruption this morning, and are working to resolve it. Our operations have not been affected.
3:49 PM - 23 Jan 2017
15 15 Retweets 9 9 likes
Who is behind the attack?

A first possible scenario sees Iranian state-sponsored hackers targeting Saudi Arabian infrastructure in retaliation for cyber attacks against Iranian petrochemical facilities.

Iranian facilities suffered a string of cyber attacks last year between July and September, a fire at the Bou Ali Sina Petrochemical Complex in Iran caused $67m in damage.

The first incident occurred on July 6, in the Bou Ali petrochemical plant on the Persian Gulf coast, a couple of days after the fire was put out, a liquefied gas pipeline exploded in the Marun Oil and Gas Production Company. On July 29 another fire occurred at the Bisotoon petrochemical plant.

The incidents were originally blamed on human error but after another explosion of a gas pipeline near Gonaveh the Iranian Petroleum Ministry started an investigation to understand the real cause of the anomalous string of incidents.

“The Iranian Petroleum Ministry, in charge of all of the affected sites denied the plants were sabotaged and the Iranian oil minister Bijan Namdar Zanganeh said the fires and explosions were due to technical faults and human error.” reported the Time.com “However when an explosion in a gas pipeline near Gonaveh, which killed a worker, and another fire in the Imam Khomeini petrochemical plant, occurred within hours of each other on Aug. 6, the ministry refused to comment until after investigations.“

Mr. Abolhassan Firouzabadi, the secretary of Iran’s Supreme National Cyberspace Council, confirmed that a team of investigators were working on the case trying to understand if the incidents are linked and if they were caused by a cyber attack.

fires cyber attacks Iran Shamoon
Source The Tehrantimes.com

“The viruses had contaminated petrochemical complexes,” Brig. Gen. Gholam Reza Jalali told the IRNA news agency. “Irregular commands by a virus may cause danger.”

In this scenario, we can imagine an ongoing cyber dispute between Iran and Saudi Arabia.

A second scenario, even more disconcerting, sees a third nation-state actor that could spread the Shamoon 2 variant in the wild to feed political tension in the Middle East. The attribution problem is difficult to solve and a foreign government could benefit from a crisis in the area.

180,000 members of an underground ‘Upskirt’ porn website have been leaked online
26.1.2017 securityaffairs Incindent

The personal details of 180,000 members of the underground ‘Upskirt’ porn website The Candid Board have been leaked online.
Some data breaches are more uncomfortable the others due to the nature of the affected services, porn and dating websites belong to these categories.

The personal details of roughly 180,000 members of the underground ‘Upskirt’ porn website The Candid Board have been leaked online due to a misconfigured database. The Candid Board is an ‘Upskirt’ porn website focused on the sharing of images, videos, and discussions about girls and women who appear to be unaware they are being spied.

The leaked data includes 178,201 unique email addresses, usernames, hashed passwords, dates of birth, IP addresses and other information such as ‘join date’, ‘last post date’ and ‘reputation’ point statistics.

The subscription fee is at $19.99 a month, but it seems that there were no financial data included in the data leak.

The IBTimes UK obtained the leaked data from a source who wished to remain anonymous and analyzed it.

“The details from the leaked database, which has now been secured, were reportedly obtained from September 2015. They were being managed by a US-based cloud hosting provider called Webair.”

“Rather than try to track down a forum administrator, who probably doesn’t want to be tracked down, I decided to contact the hosting company Webair,” our source said. “I made my way through an automated system and pushed the buttons for tech support.

“When I described the issue to the support on the other side, he immediately understood what the problem was. It was almost as if they were aware of the problems in their system. We didn’t talk for long. He said he would contact the client and then we hung up.”

Among the leaked details there were 70 military records and 19 government email addresses.

If you want to verify if your email has been exposed you can visit the data breach notification website HaveIBeenPwned that has uploaded the data to its service. In this specific case, the service will allow only verified owners to check for their email.

“It’s amazing how much personal data people will entrust sites of this nature with,” said the popular expert Troy Hunt. “Members provided accurate email addresses and birthdates which combined with their IP address now very clearly ties them back to a site of very questionable legal status.”

IBTimes UK tested a number of the IP numbers in the leaked data and verified that they match their corresponding email address.

“In one example, an IP search for the person using the email “wales.gsi.gov.uk” brought up the result: http://host246.welsh-ofce.gov.uk.”

The source also confirmed to be in possession of another large chunk of data from multiple boards operated by the same company, it seems he had access to another leaked database containing tens of thousands of records from a website called NonNudeGirls.

The recent incident is not an isolated case, in September records belonging to 800,000 users of Brazzers porn website were leaked online.

While the stolen data relates to login details for the Brazzers forum rather than the main site, it is thought that many users have duplicated their passwords across both.

Gmail will stop allowing JavaScript (.js) file attachments starting February 13, 2017
26.1.2017 securityaffairs Safety

Google announced Gmail will soon stop allowing users to attach JavaScript (.js) files to emails for obvious security reason.
Google announced Gmail will soon stop allowing users to attach JavaScript (.js) files to emails for obvious security reason. JavaScripts files, like many other file types (i,e, .exe, .jar, .sys, .scr, .bat, .com, .vbs and .cmd) could represent an insidious threat for the recipient, for this reason starting with February 13, 2017, .js files will no more be allowed.

“Gmail currently restricts certain file attachments (e.g. .exe, .msc, and .bat) for security reasons, and starting on February 13, 2017, we will not allow .js file attachments as well. Similar to other restricted file attachments, you will not be able to attach a .js file and an in-product warning will appear, explaining the reason why.” states Google.

It will be not possible to attach such kind of files, if users will try to attach a .js file the Google will display a warning message while blocking the potentially dangerous file.

Google suggests users share such kind of potentially harmful files through Google Drive, Cloud Storage or similar online storage services.

“If you still need to send .js files for legitimate reasons, you can use Google Drive, Google Cloud Storage, or other storage solutions to share or send your files.”

JavaScript Google

JavaScript files have been exploited in several malicious campaigns recently, crooks leveraged on this kind of file to spread download and install various malware such as the dreaded Locky Locky were embedding the Locky binary in JavaScript files attached to spam emails.

The analysis of the JavaScript revealed the existence of numerous variables that contain chunks of strings that are concatenated at runtime to compose the malicious code.ealed

“Loading the JavaScript into an editor shows the same familiar obfuscation found in the previous Locky downloader script variants.” continues the analysis.

“It also shows the use of numerous variables containing chunks of strings, which are concatenated at runtime to build needed strings like ActiveXObject names and methods.”

The encrypted Locky ransomware binary was stored in a set of large arrays, at runtime it was decrypted and saved to disk. When the ransomware binary is decrypted it is possible to notice a significant surge in CPU usage from wscript.exe.

In previous campaigns, the experts only noticed the use of scripts as a container for the downloader, instead of the malicious code itself.downloader, instead of the malicious code itself.downloader, instead of the malicious code itself.downloader, instead of the malicious code itself.

Recently security experts spotted a new ransomware, Ransom32, that is the first ransomware variant that has been developed in the JavaScript scripting language.

Do you need another proof to consider JavaScript attachments potentially dangerous?

adrotate banner=”9″]

Phishingové podvody číhají i na inzertních serverech

25.1.2017 Novinky/Bezpečnost Phishing
Počítačoví piráti neustále hledají nové cesty, jak vylákat z uživatelů na internetu důvěrné informace, které by mohli následně zneužít. Využívají k tomu velmi často nevyžádané e-maily, v poslední době to zkouší ale také přes nejrůznější inzertní servery.
Pojem phishing je možné přeložit do češtiny jako rybaření. Útočníci si totiž podobně jako rybáři skutečně počínají. Při této technice trpělivě vyčkávají na své oběti, aby je mohli nalákat na nějakou návnadu – například výhru či finanční hotovost.

V případě phishingových útoků na inzertních serverech to platí samozřejmě také. Útočníci například lákají na atraktivní koupi nemovitosti. Až podezřele výhodné nabídky se v minulosti objevily například na serverech Sreality.cz či Bezrealitky.cz.

Případně se kyberzločinci snaží využít nějakého slavného jména známé služby, ale ve skutečnosti důvěřivce vedou na podvodné webové stránky. Na celosvětové počítačové síti tak lidé mohou narazit například na falešné nabídky serveru airbnb.com.

Cílem je získat hesla nebo čísla karet
Ve všech případech je však cíl útoku stejný. Jde o získání hesel, čísel kreditních karet nebo jiných citlivých údajů. Uživatelé tak nevědomky pomáhají počítačovým pirátům ovládnout vlastní účet nebo klidně kvůli nepozornosti umožní i ukrást peníze přes internetové bankovnictví.

Zajímavé je sledovat, jak samotný útok probíhá. Kyberzločinci se totiž často ani nesnaží vytvářet smyšlené nabídky. Zaměřují se na subjekty, které se věnují inzerci – například realitní kanceláře či autobazary. Od nich získají reálné nabídky, na které pak mohou lákat své oběti.

Samozřejmostí je velmi kvalitní čeština a věrné kopírování konkrétního inzerenta.
Táňa Lálová, PR specialistka společnosti Seznam.cz
Nabídky pak mohou šířit opět prostřednictvím nevyžádaných e-mailů, případně pomocí podvodných stránek, které z tohoto důvodu vytvoří. I když poškození jsou samotní inzerenti, nakonec se útok obrátí na koncové uživatele.

„Samozřejmostí je velmi kvalitní čeština a věrné kopírování konkrétního inzerenta – například realitní kanceláře, které člověk na první pohled nemá důvod nevěřit,“ varovala Táňa Lálová, PR specialistka společnosti Seznam.cz.

Uživatel by tak měl v první řadě vždy kontrolovat internetovou adresu, na které je nabídka umístěna. Tak prakticky vyloučí šanci, že se nechá napálit nějakým falešným webem. Vhodné je také inzerující firmy kontaktovat osobně, například telefonicky či fyzickou prohlídkou nabízeného produktu – ať už nemovitosti, vozu či nějakého zboží.

Peníze dopředu neposílat
Vhodné je také ignorovat jakékoliv snahy o zaslání peněz předem. Podvodníci totiž často vyžadují zaslání zálohy na byt ještě před předchozí osobní návštěvou. Tato podmínka se typicky objevuje u extrémně výhodných nabídek. Nápovědou může být i špatná čeština a skladba slov v textu inzerátu.

Lidé by při procházení jednotlivých nabídek měli myslet také na základy bezpečného chování na webu. Například na to, že heslo je stejně cenné a snadno zneužitelné jako klíče od bytu. Právě proto by nemělo být jedno heslo stejné pro všechny služby, uživatel by jich měl aktivně používat několik.

Změna hesla by měla být samozřejmostí při jakémkoliv náznaku toho, že se uživatel stal obětí útoku. V takovém případě jej vhodné také neprodleně kontaktovat poskytovatele dané služby, tedy inzertní server. „Každá seriózní služba tuto možnost nabízí přímo z inzerátu. Těm je pak při kontrole věnována přednostní pozornost. Například na inzertních službách společnosti Seznam.cz každý den přibude několik tisíc nových inzerátů. Proto není v našich silách kontrolovat ručně každý,“ podotkla Lálová.

Pomoci může policie
„Ve chvíli, kdy je útok úspěšný a dojde k odcizení kontaktů či vylákání peněz, je vždy na místě kontaktovat policii. Pouze v součinnosti s ní je cesta, jak dalším útokům předejít a současným útočníkům v jejich chování zamezit. Pro doložení podvodu není třeba žádných složitých důkazů. Jednou z nejefektivnějších se ukázal být obyčejný otisk obrazovky,“ doplnila PR specialistka společnosti Seznam.cz.

Kontaktovat policii je v těchto případech možné prostřednictvím webu, konkrétně prostřednictvím odkazu „hlášení kyberkriminality“. Na uvedených stránkách se uživatelé zároveň dozví, jaké konkrétní informace by mělo hlášení obsahovat.

Heartbleed po třech letech ohrožuje stále zhruba 200 000 zařízení
25.1.2017 Root.cz
Jsou to téměř tři roky, co byla objevena a popsána vážná bezpečnostní chyba v OpenSSL, známá pod jménem Heartbleed. Po třech letech je stále na internetu přibližně 200 000 zařízení umožňující chybu zneužít.
Chyba s názvem Heartbleed (CVE-2014–0160) byla veřejnosti odhalena 7. dubna 2014. Jednalo se o chybu v knihovně OpenSSL od verze 1.0.1 až do verze 1.0.1f včetně. Chybná verze knihovny dovolovala vyčíst data z paměti aplikace. V té se může nacházet spousta citlivých informací včetně přihlašovacích údajů nebo třeba privátních klíčů. Podrobně jsme celý problém rozebrali v článku Heartbleed bug: vážná zranitelnost v OpenSSL.

Oprava byla vydána zároveň s oznámením a mnoho významných vývojářů bylo varováno předem. Některé firmy proto záplatovaly ještě o několik dní dříve než se o problému dozvěděla média a veřejnost. Většina velkých webů byla už dva dny po zveřejnění záplatována, některé své uživatele vyzvaly ke změně hesla.

Po více než měsíci bylo napadnutelných jen něco přes 12 tisíc stránek z žebříčku Alexa, ve kterém figuruje 800 000 nejnavštěvovanějších webů. To je asi 1,5 % webů z této statistiky. Přesto je zřejmé, že tyto weby sice tvoří většinu návštěvnosti, ale jde jen o zlomek z celkového počtu webových serverů vystavených do internetu.

Po třech letech
Jsou to přibližně tři roky a je tu nová statistika: stále je napadnutelných přibližně 200 000 zařízení. Informace vychází z měření služby Shodan, která skenuje internet a dokáže podat informaci o otevřených portech a použitých službách. Takto je možné zjistit, jaká verze knihovny OpenSSL na daném serveru běží.

Počet zranitelných serverů už přitom dlouho klesá jen velmi pomalu. Podobné měření totiž proběhlo už v květnu 2014, kdy bylo naměřeno přes 318 000 děravých instalací. Poté bylo v listopadu 2015 Shodanem změřeno 238 000 zranitelných serverů, v březnu 2016 pak číslo mírně kleslo na 237 539. Nyní ukazuje 199 594. V Česku máme 1284 serverů s nezáplatovaným OpenSSL.

John Matherly, šéf projektu Shodan, tvrdí, že mezi hříšníky figurují i takové firmy jako Amazon, Verizon Wireless, německý poskytovatel připojení Strato, OVH, 1&1 Internet a americký telekomunikační gigant Comcast. Poznámka: SK Broadband je jihokorejský poskytovatel připojení.

Mezi nejčastěji nezabezpečené služby patří web server Apache (hlavně verze 2.2.22 a 2.2.15), přičemž nejčastěji je využíván Linux s jádrem 3.x, následovaný verzí 2.6.x a Windows 7 a 8. Ohroženy jsou ale řady dalších aplikací, jako je web server Nginx, konfigurační rozhraní firewallů FortiGate, DD-WRT nebo služba Kerio Connect.

Dá se očekávat, že jde o služby, o které se nikdo pořádně nestará a neudržuje je záplatované. Ukazuje to i fakt, že velká část certifikátů na těchto službách již expirovala. Pokud správci nevadí ani tento fakt, pravděpodobně mu nevadí ani děravé OpenSSL nebo na server jednoduše zapomněl.

Bylo dokázáno, že chyba je zneužitelná a posloužila pravděpodobně k ukradení lékařských záznamů 4,5 milionů pacientů. Pokud provozujete nějaké služby vystavené do internetu, podívejte se, jestli tam nestraší tři roky stará knihovna, která byla dávno záplatována.

Může FBI nahlížet do evropských e-mailů na Outlook.com? Stále to nikdo neví jistě
25.1.2017 Živě.cz

V zámoří již roky probíhá nekonečný boj mezi tamním Ministerstvem spravedlnosti a Microsoftem o to, kde opravdu končí pravomoc amerických úřadů.

Vyšetřovatelé před lety požádali Microsoft, ať jim zpřístupní poštovní schránku na Outlooku v rámci jistého případu ohledně narkotik. Na tom by nebylo nic zvláštního, kdyby se ovšem ona schránka nenacházela na evropské půdě – v v irském datacentru redmondské korporace.

Klepněte pro větší obrázek
Američtí vyšetřovatelé chtějí nahlížet do schránek Outlooku. Microsoft nesouhlasí, pokud se nacházejí v evropských datacentrech mimo jurisdikci USA.

Americké úřady se cítily být v právu, poněvadž provozovatelem datacentra je americká společnost podléhající americkým zákonům, Microsoft to však odmítl udělat s tím, že datacentrum provozuje jeho evropská filiálka a platí tam tedy irské zákony.

Kauza měla obrovský přesah, pokud by totiž soudy uznaly nárok ministerstva, znamenalo by to, že se zahraniční úřady mohou dostat k údajům o milionech Evropanů. Evropa hrozila, že by se v takovém případě zachovala recipročně, nicméně amerických služeb je dnes na západním internetu nepoměrně více než těch evropských – ostatně kolik evropských twitterů, facebooků a googlů používáte, viďte?

Vítězství pro Microsoft. Společnost nemusí americké vládě poskytnout data z evropských serverů
Soudy daly loni zapravdu Microsoft, případ se však táhl dál a teprve v úterý Federální odvolací soud odmítl smést původní rozhodnutí ze stolu. Jenže je to složitější, soudci se totiž v názorech rovně rozdělili 4:4, takže vítězství Microsoftu není jednoznačné a soudci, kteří zastávali názor ministerstva, možná předloží případ k posouzení Kongresu a Nejvyššímu soudu.

Nový Acronis dokáže zálohovat také Facebook, zabrání i škodám ransomwaru

25.1.2017 SecurityWorld Zabezpečení
True Image 2017 New Generation, novou verzi softwaru pro osobní zálohování dat s ochranou proti ransomwaru, doplněnou o Notary (verifikace dat na základě technologie blockchain) a ASign (služba elektronického podpisu), uvedl na trh Acronis.

Nový Acronis doká&zcaron;e zálohovat také Facebook, zabrání i škodám ransomwaru

Podle výrobce je to první řešení na trhu, které obsahuje funkci aktivní ochrany k detekci a prevenci před ransomwarovými útoky v reálném čase, dále pak automatickou obnovu všech dat a ochranu vlastní zálohovací aplikace.

True Image nabízí kompletní ochranu dat pro osobní i rodinné použití s využitím šifrování AES 256 a úložišti na nejrůznějších lokalitách včetně externích disků, NAS zařízení, síťových sdíleních a zabezpečeném úložišti Acronis Cloud.

Novinky v True Image ve verzi 2017 podle výrobce:

Active Protection pro aktivní ochranu před ransomwarem v reálném čase. Identifikuje neobvyklou aktivitu na počítačích a zabraňuje škodlivým aplikacím poškozovat uživatelská data, zálohy a zálohovací software. Behaviorální heuristika detekuje nové i známé ransomwarové útoky a brání před nimi, přičemž integrované zálohovací funkčnosti umožňují obnovit neomezený počet souborů jakékoliv velikosti.
Notary pro autentizaci dat na bázi blockchain. Nabízí certifikaci obsahu jakéhokoliv souboru a verifikaci obsahových modifikací v porovnání s původní verzí. Jedinečný „otisk digitálního souboru“ je uložen a v distribuované, nezměnitelné databázi postavené na technologii blockchain, která umožňuje uživatelům kdykoliv verifikovat autentičnost informací. To je důležité zejména v případě cenných dokumentů, jako jsou smlouvy, mediální záznamy a finanční dokumenty.
ASign pro certifikaci dokumentů chráněných technologií blockchain. Dovoluje více stranám vytvářet a certifikovat dokumenty se zabezpečeným a veřejně auditovatelným podpisem. Uživatelé mohou chránit své zálohované dokumenty, které jsou verifikovány s pomocí Notary a elektronicky podepsány – vše v rámci jednoho spolehlivého zálohovacího řešení.

Kromě toho nabízí novinka také řadu vylepšení, jako je třeba přepracované uživatelské rozhraní s přehledným webovým prostředím pro vzdálený přístup a správu dat, podpora NAS pro zálohovací zdroje a úložiště, bezdrátové zálohování mobilních zařízení na počítače Mac, šifrování dat pomocí AES 256, prohlížení a obnova souborů, možnost prohledávání všech cloudových záloh z mobilního zařízení.

Novinkou je i zálohování a obnova účtů na Facebooku – je tak možné prohledávání a obnova dat facebookového účtu na existující či nové účty s daty zašifrovanými a uloženými v cloudu Acronisu.

Cena se pohybuje od 2 800 Kč/rok v případě jednouživatelské licence s 1 TB záložního prostoru v cloudu až po 4 480 Kč za 5uživatelskou licenci, ve všech případech s možností zálohování libovolného počtu mobilů.

Fake Netflix App Takes Control of Android Devices

25.1.2017 Securityweek Android
A recently spotted fake Netflix app is in fact installing a Remote Access Trojan (RAT) variant onto the victims’ devices, Zscaler security researchers have discovered.

Preying on the popularity of applications isn’t a new technique, with fake Super Mario Run games for Android recently used to distribute the Marcher and DroidJack Trojans. Now, it seems that the actors behind the SpyNote RAT have decided to use the same technique and leverage the enormous traction Netflix has among users looking to stream full movies and TV programs to their mobile devices.

Instead of a video streaming app, however, users end up with a RAT that can take advantage of their device in numerous ways, such as listening to live conversations by activating the microphone, executing arbitrary commands, sending files to a command and control (C&C) server, recording screen captures, viewing contacts, and reading SMS messages.

The fake Netflix app was supposedly created using an updated version of the SpyNote RAT builder, which leaked online last year, Zscaler reveals. Once installed, the app would display the icon that the legitimate Netflix app on Google Play has, but it should by no means be mistaken for it.

When the user clicks on the icon for the first time it disappears from the homescreen and nothing else seems to happen, a trick commonly used by mobile malware. In the background, however, the malware starts preparing its onslaught of attacks.

SpyNote RAT was found to use a free DNS service for C&C communication, as well as to leverage the Services, Broadcast Receivers, and Activities components of the Android platform to remain up and running on the infected device.

“Services can perform long-running operations in the background and does not need a user interface. Broadcast Receivers are Android components that can register themselves for particular events. Activities are key building blocks, central to an app’s navigation, for example,” Zscaler researchers note.

Additionally, the malware can uninstall apps from the infected device (such as antivirus protections), was designed to function only over Wi-Fi (to avoid raising suspicion), and can even click photos, the security researchers say. SpyNote RAT also collects the device’s location to identify the exact location of the victim, and packs various data exfiltration capabilities.

According to Zscaler, the SpyNote RAT builder was seen gaining popularity in the hacking community. It can be used to create various fake apps to masquerade the malware, such as WhatsApp, YouTube Video Downloader, Google Update, Instagram, Hack Wifi, AirDroid, WifiHacker, Facebook, Photoshop, SkyTV, Hotstar, Trump Dash, and Pokemon GO (the game was abused for malware distribution even before being launched on Android).

“Furthermore, we found that in just the first two weeks of 2017, there have been more than 120 such spyware variants already built using the same SpyNote Trojan builder as SpyNote RAT and roaming in the wild,” the security researchers say. A similar trend is usually observed after the source code of a piece of malware leaks online.

To stay protected, users should refrain from installing applications via third-party app stores or to side-load them, especially if they are games that haven’t yet been released on Android, such as Super Mario Run or Pokemon GO. “You should also avoid the temptation to play games from sources other than legitimate app stores; such games are not safe and may bring harm to your reputation and your bank account,” Zscaler concludes.

Dutch Man on Trial in 'Sextortion' Cyberbully Case

25.1.2017 Securityweek Crime
Amsterdam - A man accused of a worldwide cyberbullying racket that got young girls to pose naked before blackmailing them went on trial Wednesday in Amsterdam, saying he is innocent of the charges.

The defendant Aydin C. is suspected of forcing dozens of young women from as far as Britain, Canada, Norway and the United States into performing sex acts in front of their webcams.

"I deny all charges and will remain silent until my closing statement," a defiant Aydin C. -- identified only by his first name because of Dutch privacy rules -- told judges at a high-security courthouse.

The 38-year-old Dutchman faces 72 charges including computer sex crimes such as making and storing of child pornography, blackmail, fraud and hard drug possession, prosecutors said.

Aydin C. is also wanted for trial in Canada in the case of teen Amanda Todd who committed suicide in October 2012 after being tormented by an anonymous cyberbully.

Sexual acts

"He posed online as a young woman and established trust relationships with 34 young girls, eventually getting them to pose naked in front of a webcam," Dutch public prosecution service spokesman Lars Stempher told reporters outside the courtroom.

Once Aydin C. obtained the images, his tone changed and he would start to threaten the girls, telling them he would show the images to parents, relatives and school friends if they did not do as told.

"This included performing sexual acts and in the end the girls became trapped in his web," Stempher said.

Five gay men -- mainly in Australia -- were also lured in, when Aydin C. allegedly posed as a young boy and "eventually he threatened them that he would expose their sexuality, leading to blackmail."

In one case, an amount of 1,000 euros ($1,100) was then paid into an account, the court heard. Aydin C. used dozens of aliases like "Tyler Boo" and "Kelsy Rain" and employed different computer tricks, including a program to fool young girls into thinking they were chatting live to a girl of similar age. Investigators found some 204,000 images on hard disks belonging to the accused, but prosecutors did not say what the images depicted.

Aydin C., who leaned back in his chair during the hearing, his long greying hair slicked back behind his ears, did not respond to questions posed by the judge.

He was arrested after Facebook rang alarm bells in 2013, telling Dutch police a "sextortionist" -- somebody who uses sex to blackmail others -- was at work in The Netherlands.

Teen suicide

Canada has asked for Aydin C. to be extradited in the case of teen Amanda Todd who committed suicide in October 2012 after being tormented by an anonymous cyberbully.

"The notorious case, that of Amanda Todd regularly pops up in this case docket," Judge Karel Brunner said.

"That case is not before the court today. Obviously the Canadian authorities are planning to prosecute," the judge said.

A Dutch court in June last year ruled in favour of Aydin C.'s extradition to Canada to stand trial in connection with Todd's death. The extradition case is under appeal before the Dutch highest Supreme Court.

The 15-year-old's suicide sparked a worldwide debate about appropriate online behaviour, and prompted calls for cyberbullying to be criminalised.

In a YouTube video watched by millions worldwide, Todd said before her death that she suffered from anxiety, "major depression" and panic attacks after a photo of her breasts, flashed in an online video chat with a stranger, was distributed in her community.

If extradited, Aydin C. however will be sent to Canada only after the end of his trial in the Netherlands prosecutors said, meaning it could still take years.

Commenting on the Dutch case, Aydin C.'s lawyer Robert Malewicz told AFP outside the courtroom "we are disputing that there is a proper link between the evidence presented and my client."

"We will ask for an acquittal," he said.

Cisco Buys App Performance Tuning Startup for $3.7 Billion

25.1.2017 Securityweek IT
San Francisco - Cisco Systems on Tuesday announced a $3.7 billion deal to buy a startup specializing in improving the performance of applications, continuing to expand beyond computer networking hardware.

The acquisition of AppDynamics came as the San Francisco-based startup was on the cusp of going public with an initial offering of stock.

AppDynamics software enables businesses to monitor performance of applications and figure out ways to avoid problems and get them to run more smoothly.

"Applications have become the lifeblood of a company's success," Cisco internet of things and business group general manager Rowan Trollope said in a release.

"The combination of Cisco and AppDynamics will allow us to provide end to end visibility and intelligence from the network through to the application."

Consumers are increasingly using applications, typically on mobile devices, to interact with businesses.

"As companies across industries are expanding their digital infrastructure, IT departments are faced with vast amounts of complex, siloed data," Cisco corporate business development vice president Rob Salvagno said in a blog post.

"AppDynamics helps many of the world's largest enterprises translate this data into business insights."

The deal was expected to close by the end of September.

Cisco last year announced it was trimming its global workforce by seven percent as it shifts its focus from networking hardware to software and services.

The plan to eliminate 5,500 positions came as part of a corporate restructuring aimed at reducing expenses in "lower growth areas" and investing in Cisco priorities such as security, cloud computing, data centers, and the internet of things, executives said at the time.

Faced with a slowdown in its traditional products such as routers for telecom networks, Cisco has been trying for several years to reorient to fast growing sectors.

The company also seeks to increase revenue from ongoing subscriptions for services or software, as compared to sales of equipment.

Cisco built its fortune on hardware for private data centers, but businesses are increasingly turning to "super-clouds" such as Amazon Web Services and Microsoft Azure which rent processing muscle as needed.

Switches and routers remain a big chunk of Cisco's business.

Northern California-based Cisco has had waves of job cuts from 2011 through 2014, eliminating a total of more than 17,000 positions.

Western Digital Patches Vulnerabilities in "My Cloud" Products

25.1.2017 Securityweek Vulnerebility
The latest firmware update released by Western Digital for the My Cloud Mirror personal cloud storage product patches serious remote command execution and authentication bypass vulnerabilities.

ESET researcher Kacper Szurek recently discovered that WD My Cloud Mirror devices running firmware version 2.11.153, which had been the most recent version, were affected by several vulnerabilities caused by the lack of proper user input escaping.

The most serious of the flaws affects the index page of the product’s web interface and it allows an attacker to execute arbitrary commands via the “username” parameter. Commands can be executed using the following line as “username”: a" || your_command_to_execute || "

Szurek also discovered that an attacker can bypass authentication to the WD My Cloud Mirror interface. The problem, according to the expert, is that the function designed to check if the user has logged in can be easily bypassed as it only checks if the “username” and “isAdmin” cookies exist.

An attacker can bypass authentication by setting the values “username=1” and “isAdmin=1,” and then accessing one of the webpages (e.g. php/users.php).

The vulnerabilities were reported to WD in mid-November and they were patched on December 20 with the release of version 2.11.157 of the firmware. The vendor’s release notes describe these issues as a “security vulnerability related to remote access.”

Earlier this month, researcher Steven Campbell also reported finding a couple of flaws in WD’s My Cloud devices, including a command injection issue. The vendor patched the command injection vulnerability (CVE-2016-10108) in December with the release of firmware version 2.21.126. The second bug, tracked as CVE-2016-10107 and described as “variable checking for PHP pages for authenticated users,” will be addressed with an upcoming update.

This was not the first time researchers found security holes in WD’s personal cloud storage products. VerSprite identified a remote command injection vulnerability in My Cloud in September 2015.

Charger Android Ransomware Infects Apps on Google Play

25.1.2017 Securityweek Android
A newly discovered piece of Android ransomware embedded in apps available on Google Play threatens to sell a victim's personal data on the black market if they don’t pay, Check Point security researchers warn.

Dubbed Charger, the threat was found embedded in an application called EnergyRescue, and had the ability to steal contacts and SMS messages, while also asking for admin permissions on the device. If permissions are granted, the ransomware locks the device and displays a message demanding payment.

While threatening to sell victim’s personal information on the black market, the malware authors also claim that all of the victim’s data has been already saved on an attacker-controlled server. The miscreants say that the stolen information includes social network details, bank accounts, credit cards, as well as all data about the victim’s “friends and family.”

The demanded ransom is 0.2 Bitcoins (around $180), which “is a much higher ransom demand than has been seen in mobile ransomware so far,” Check Point notes. Previously spotted mobile ransomware such as DataLust only demanded a $15 ransom. Charger victims are asked to send the payments to a specific Bitcoin account.

With Android ransomware inflicting direct harm to users, it’s clear that Charger is yet another attempt by mobile malware developers to catch up with the PC ransomware, which has been wreaking havoc for the past couple of years. Recently, even the Tordow Android banking Trojan was seen packing data collection capabilities and ransomware-like behavior.

Charger was observed checking the infected device’s location to ensure it doesn’t run on those located in Ukraine, Russia, or Belarus, supposedly in an attempt to avoid being prosecuted in their own countries or being extradited between countries.

While other malware in Google Play uses a dropper to download the malicious payload, Charger uses a heavy packing approach, which makes it harder for it to stay hidden. However, the ransomware authors did boost its evasion capabilities to ensure it can stay hidden in Google Play: the malware encodes strings into binary arrays to make it hard to inspect them, loads code from encrypted resources dynamically, and checks whether it runs in an emulator before running its routine.

According to Check Point, most detection engines cannot penetrate and inspect dynamically-loaded code, and the authors added an extra layer of protection by flooding the code with meaningless commands to mask the actual commands passing through. The researchers also point out that more and more mobile malware is running checks to avoid running in emulators and virtual machines, just as it happens in the PC malware landscape.

"Ripper" Service Helps Cybercriminals Identify Fraudsters

25.1.2017 Securityweek Crime
Researchers at threat intelligence firm Digital Shadows have analyzed a relatively new service named Ripper that aims to expose fraudsters who target the users of cybercrime marketplaces.

The people behind Ripper.cc started discussing the idea in mid-2015, but the service was only launched in June 2016. Currently, it stores information on more than 1,200 monikers that have been used to commit fraud on cybercrime forums.

While some cybercriminals earn money by selling stolen information, others, known as “rippers,” make a profit by selling fake login credentials, invalid payment card data, or items they don’t actually possess.

Escrow systems and blacklists have been used to minimize the risks posed by fraudsters, but these methods can be inconvenient or inefficient. One service that has been trying to fight rippers since 2005 is Kidala, a Russian website that provides a database of users known to have committed fraud.

However, some believe Kidala is not always impartial and it allows rippers to remove their name by paying a fee.

Ripper is available in English and it provides some highly useful features. Users can install Chrome and Firefox extensions that automatically highlight the name of a ripper on a website. The service also provides a plugin for the Jabber client Psi Plus, which highlights fraudsters in the messaging app’s contact list.


The website allows users to create ripper profiles that track a user across multiple forums, and it also stores specific examples of scams conducted by rippers.

Digital Shadows has pointed out that the development of Ripper is similar to how legitimate tech startups create their products.

“The founders plainly acknowledge their intention to displace the previous main player – kidala.info – and try to win customers over by promising better features. They also have to prove their credentials – in this case by saying that a number of well-known forums support this project and their existing reputation on these forums,” Digital Shadows analysts explained.

The site’s operators have promised to make the code open source to show that the plugins don’t include any malicious functionality, and they plan on making a profit by displaying ads on the website. In the future, they might launch an escrow service of their own and a mobile application.

“Ripper[.]cc is another example of the industrialization of hacking and the growing professionalism of cybercrime. If such a service becomes successful, it enables cyber criminals to significantly reduce the risks associated with rippers and the overall cybercrime economy can become more profitable allowing for further growth,” analysts said.

New Trojan Turns Thousands Of Linux Devices Into Proxy Servers
25.1.2017 thehackernews

"Linux doesn't get viruses" — It's a Myth.
A new Trojan has been discovered in the wild that turns Linux-based devices into proxy servers, which attackers use to protect their identity while launching cyber attacks from the hijacked systems.
Dubbed Linux.Proxy.10, the Trojan was first spotted at the end of last year by the researchers from Russian security firm Doctor Web, who later identified thousand of compromised machines by the end of January this year and the campaign is still ongoing and hunting for more Linux machines.
According to researchers, the malware itself doesn't include any exploitation module to hack into Linux machines; instead, the attackers are using other Trojans and techniques to compromise devices at the first place and then create a new backdoor login account using the username as "mother" and password as "fucker."
Once backdoored and the attacker gets the list of all successfully compromised Linux machines, and then logs into them via SSH protocol and installs the SOCKS5 proxy server using Linux.Proxy.10 malware on it.
This Linux malware is not at all sophisticated since it uses a freeware source code of the Satanic Socks Server to setup a proxy.
According to the security firm, thousands of Linux-based devices have already been infected with this new Trojan.

Besides this, the same server — belonging to the cybercriminals who distribute the Linux.Proxy.10 malware — not only contained the list of compromised devices but also hosted the control panel of a Spy-Agent computer monitoring software and a Windows malware from a known family of Trojan spyware, called BackDoor.TeamViewer.
This is not the first time when such Linux malware has been discovered.
Over a year ago, ESET security researchers uncovered a similar malware, dubbed Moose, that also had the capability to turn Linux devices into proxy servers that were then used for launching armies of fake accounts on social media networks, including Instagram, and Twitter.
Linux users and administrators are recommended to tighten SSH security by limiting or disabling remote root access via SSH, and to know if your system has already been compromised, keep a regular watch on newly generated login users.

AlphaBay Dark Web Marketplace Hacked; Exposes Over 200,000 Private Messages
25.1.2017 thehackernews Hacking
AlphaBay, possibly the largest active dark web marketplace at the moment, has paid a hacker after he successfully exploited vulnerabilities in the internal mailing system of the website and hijacked over 200,000 private unencrypted messages from several users.
The hacker, using the pseudonym Cipher0007, disclosed two "high-risk bugs" two days ago on Reddit that allowed him to gain access to troves of private messages belonging to buyers and sellers on the dark website, AlphaBay admins announced on Tuesday.
It turns out that the messages were not encrypted by default, which gave the hacker ability to view all messages between vendors and buyers selling and purchasing everything from illicit drugs to exploits, malware, and stolen data.
Over 218,000 Private Messages of Anonymous Dealers Exposed

To prove he had successfully compromised the AlphaBay website, the hacker posted five screenshots of random user private conversations, showing that AlphaBay users had openly exchanged their names, personal addresses and tracking numbers without encryption.
"We have been made aware of the bug that allowed an outsider to view marketplace private messages, reads a statement from the AlphaBay administrators on Pastebin, and "we believe that the community has the right to be made aware of what information was obtained."
A first vulnerability allowed the hacker to obtain more than 218,000 personal messages sent between their users within the last 30 days, while the second bug allowed him to obtain a list of all usernames and their respective user IDs.
However, the AlphaBay admins assured that those users who did not receive any message in their inboxes in the last 30 days were not affected. They also claimed the bugs were only exploited by one single hacker.
AlphaBay Fixes the Bugs and Pays the Hacker
The admins also assured their users that AlphaBay forum messages, order data, and Bitcoin addresses of users are all safe, and the issue was fixed just within four hours after the Reddit user went public.
"The attacker was paid for his findings, and agreed to tell us the methods used to extract such information," AlphaBay admins said. "Our developers immediately closed the loophole in order to protect the security of our users."
Meanwhile, they advised AlphaBay users to make use of a PGP key and always encrypt their sensitive data, including delivery addresses, Bitcoin wallet IDs, tracking numbers, and others.
Since AlphaBay is a Dark Web marketplace, which is only accessible via the Tor Browser, the bug could have been exploited by law enforcement to unmask users real identities who deal in drugs and other illegal activities.
But, AlphaBay members using the PGP key and encrypting their account details would be on a safer side.
This is not the very first time when a hacker discovered a flaw in the AlphaBay dark website. AlphaBay faced a similar vulnerability in April last year when its users' private messages were left exposed due to a flaw in its newly-launched API, allowing an attacker to obtain 13,500 private messages.

Russia arrested Ruslan Stoyanov the head of the investigation unit at the Kaspersky in ‘Treason Probe’
25.1.2017 securityaffairs Congress

Russian authorities arrested Ruslan Stoyanov the head of the investigation unit at the Kaspersky Lab in ‘Treason Probe’.
A sad news is shocking the IT security industry, the Russian authorities arrested Ruslan Stoyanov, one of the most important cybercrime investigators working for the Kaspersky Lab.

Ruslan Stoyanov is the head of the investigation unit at the Kaspersky Lab, according to the security firm he is under investigation for a period predating his employment at Kaspersky Lab. Stoyanov was involved in every big anti-cybercrime operation in Russia in past years, including the one against the components of the Lurk cybercrime gang.

“This case is not related to Kaspersky Lab. Ruslan Stoyanov is under investigation for a period predating his employment at Kaspersky Lab,” reported Forbes citing a Kaspersky spokesperson’s statement. “We do not possess details of the investigation. The work of Kaspersky Lab’s Computer Incidents Investigation Team is unaffected by these developments.”

According to the “Kommersant” the arrest may be linked to the investigation on into Sergei Mikhailov, deputy head of the information security department of the FSB (The Russia national security service).

Stoyanov and Mikhailov were both arrested in December, according to the Kommersant the investigation was exploring the receipt of money from foreign companies by Stoyanov and his links to Mikhailov.

The case appears to be very important, according to a source quoted by FORBES the details of the investigation were likely to remain private.
“A Russia-based information security source told FORBES the details of the case were likely to remain private. The case has been filed under article 275 of Russia’s criminal code, the source said, meaning it should result in a secret military tribunal. Article 275 allows the government to prosecute when an individual provides assistance to a foreign state or organization regarding “hostile activities to the detriment of the external security of the Russian Federation” (translation from source). According to the source, this can be applied broadly. For instance, furnishing the FBI with information on a botnet may amount to treason.” reported FORBES.

Who is Stoyanov?

Before Stoyanov joined Kaspersky in 2012, he served six years as a major in the Ministry of Interior’s cybercrime unit between 2000 and 2006, then he moved into the private sector.

FORBES was also informed that while Ruslan Stoyanov was working for the Russian government, he was the lead investigator into a hacker crew that extorted $4 million to U.K. betting shops under the DDoS threat.

Three members of the cyber gang were identified and arrested by the investigators.

Stay tuned.

Symantec speculates Shamoon 2 attacks aided by Greenbug hackers
25.1.2017 securityaffairs

Security researchers at Symantec believed that Shamoon 2 attacks leveraged credentials stolen by hackers of the Greenbug group.
A few days ago security experts at Palo Alto Networks have spotted a new strain of the Shamoon 2 malware that was targeting virtualization products.

In December malware researchers from Palo Alto Networks and Symantec discovered a new variant of Shamoon, so-called Shamoon 2, that was used at least in a targeted attack against a single Saudi organization, the Saudi Arabia’s General Authority of Civil Aviation (GACA).

“Why Shamoon has suddenly returned again after four years is unknown. However, with its highly destructive payload, it is clear that the attackers want their targets to sit up and take notice,” reported Symantec.

“Last week, Unit 42 came across new Disttrack samples that appear to have been used in an updated attack campaign. The attack targeted at least one organization in Saudi Arabia, which aligns with the targeting of the initial Shamoon attacks. It appears the purpose of the new Disttrack samples were solely focused on destruction, as the samples were configured with a non-operational C2 server to report to and were set to begin wiping data exactly on 2016/11/17 20:45. In another similarity to Shamoon, this is the end of the work week in Saudi Arabia (their work week is from Sunday to Thursdays), so the malware had potentially the entire weekend to spread. The Shamoon attacks took place on Lailat al Qadr, the holiest night of the year for Muslims; another time the attackers could be reasonably certain employees would not be at work.” reads an analysis published by Palo Alto Networks.

shamoon 2

Shamoon, also known as Disttrack, was first spotted in a wave of attacks that targeted companies in Saudi Arabia in 2012. Among the victims, there was the petrol giant Saudi Aramco. The principal capability of Shamoon is a feature that allows it to wipe data from hard drives of the infected systems.

In the attack against Saudi Aramco Shamoon wipe data on over 30,000 computers and rewrite the hard drive MBR (Master Boot Record) with an image of a burning US flag.

The second variant of Shamoon 2 was spotted by Palo Alto Networks that had been configured to start wiping infected systems at 1:30 AM (Saudi Arabia time) on November 29, when the employees of the targeted organization’ were likely at home.

The first variant of Shamoon 2 analyzed by the experts presented a default configuration that allowed the execution of the disk-wiping component at 8:45pm local time on Thursday, November 17. Considering that in Saudi Arabia the working week runs from Sunday to Thursday, the attacker tried to exploit the pause in order to maximize the effects of the attack.

Both payloads were similar, but the analysis of the experts revealed some differences.

Threat actors used stolen credentials to deliver the malware on the target systems, according to researchers at Symantec they may have been provided by another cyber espionage group called Greenbug.

Greenbug hackers used the Ismdoor remote access Trojan (RAT) and other tools in attacks against organizations in the Middle East.

The Ismdoor establish a backdoor on the target machine and leverages PowerShell for command and control (C&C).

The group targeted organizations in multiple industries, including aviation, investment, government and education organizations in several countries (i.e. Saudi Arabia, Iran, Iraq, Bahrain, Qatar, Kuwait and Turkey, and a Saudi company in Australia).

“Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors. The group uses a custom information-stealing remote access Trojan (RAT) known as Trojan.Ismdoor as well as a selection of hacking tools to steal sensitive credentials from compromised organizations.” states the Symanted report on Greenbug.

“Although there is no definitive link between Greenbug and Shamoon, the group compromised at least one administrator computer within a Shamoon-targeted organization’s network prior to W32.Disttrack.B being deployed on November 17, 2016.”

The Greenbug launched spear phishing attacks against its victims in order to trick users into downloading the malicious code onto their systems. The email messages are fake business proposals that delivered a RAR archive that stored a clean PDF and a compiled HTML help file (.chm) that contained the Ismdoor Trojan.

The Greenbug hackers exploited the alternate data streams (ADS) to avoid detection.

“Windows Alternate Data Streams (ADS) is a feature of NTFS which is used to store details about a file. The information stored in ADS is hidden to the user, which makes it an attractive feature for attackers. ADS is sometimes abused by attackers to hide malware or other hacking tools on a compromised computer.” continues the analysis.

Researchers at Symantec speculate that Greenbug may have supplied credentials for the Shamoon 2 attacks. The experts detecting the Ismdoor malware on an administrator computer belonging to one of the organizations targeted with Shamoon 2.

It is important to highlight that there is no technical evidence that Greenbug and Shamoon 2 attackers are linked, but it is interesting to note that Greenbug seems to have vanished one day before the November 17 attacks.

“The presence of Greenbug within an organization prior to the destructive attack involving W32.Disttrack.B provides only a tentative connection to Shamoon. Greenbug’s choice of targets and the fact that Ismdoor and associated tools downloaded by the threat appear to have gone quiet a day prior to the November 17, 2016 Shamoon attack is, however, suspicious.” reads the report.

Saudi Arabia is warning organizations of a wave of Shamoon 2 attacks
25.1.2017 securityaffairs

Saudi Arabia is warning organizations in the country of a resurrection of the dreaded Shamoon malware.
A new strain of the Shamoon 2 malware was spotted by the security experts at Palo Alto Networks, this variant targets virtualization products.

Shamoon, also known as Disttrack, was first spotted in a wave of attacks that targeted companies in Saudi Arabia in 2012. Among the victims, there was the petrol giant Saudi Aramco and RasGas Co Ltd.

In the 2012 attacks, threat actors used images of a burning U.S. flag to overwrite the drives of victims.

The principal capability of Shamoon is a feature that allows it to wipe data from hard drives of the infected systems.

In the attack against Saudi Aramco Shamoon wipe data on over 30,000 computers and rewrite the hard drive MBR (Master Boot Record) with an image of a burning US flag.

The first team that discovered the malware was Kaspersky Lab that had analyzed some instances of the threat linked to the “wiper agent” due to the presence of a module of a string with a name that includes “wiper” as part of it.

On Monday, the Saudi Arabian labor ministry revealed it had been attacked and also a chemical firm reported a network disruption.


A state news agency confirmed the attack against the labor ministry, but excluded any impact on the data.

The Reuters agency also revealed that the telecoms authority is inviting all parties to be vigilant for the spreading of a new version of the malware, the Shamoon 2.

According to security experts, the threat actor behind the Shamoon attacks was likely working on behalf of the Iranian government in 2012.

“The Shamoon hackers were likely working on behalf of the Iranian government in the 2012 campaign and the more-recent attacks, said Adam Meyers, vice president with cyber security firm CrowdStrike. “It’s likely they will continue,” he said.” reported the Reuters.

The State-controlled Al Ekhbariya TV confirmed that multiple Saudi organizations had been targeted in recent string of cyber attacks.

The Sadara Chemical Co, a joint venture firm owned by Saudi Aramco and Dow Chemical, confirmed it had suffered a network disruption on Monday morning. The experts at the company are still working to resolve the problem.

Sadara | صدارة ✔ @Sadara
Sadara has experienced a network disruption this morning, and are working to resolve it. Our operations have not been affected.
3:49 PM - 23 Jan 2017
15 15 Retweets 9 9 likes
As part of the incident response, the company had stopped all services related to the network.

The Reuters said that other companies in petrochemicals Jubail hub also experienced network disruptions.

“Those companies sought to protect themselves from the virus by shutting down their networks, said the sources, who declined to identify specific firms.” states the Reuters.

Saudi Arabia Computer Emergency Response Team (CERT)’s Abdulrahman al-Friah confirmed to Al Arabiya that at least 22 institutions were affected by the wave of Shamoon attacks.

“We cannot definitely determine the financial costs of such breaches yet as it depends on each institutions platform. Websites which sell and buy will obviously be affected the most,” Fiah said.

Sage 2.0 Ransomware is spreading and demands a $2,000 Ransom
25.1.2017 securityaffairs

A newly observed spam campaign is spreading a ransomware variant known as Sage 2.0 that is demanding a $2,000 ransom for the decryption key.
Sage 2.0 is a new ransomware recently spotted by security experts, it was first observed in December and not now it is distributed via malicious spam. Sage is considered a variant of CryLocker ransomware, it is being distributed by the Sundown and RIG exploit kits. The current campaign also leverages steganography to exfiltrate information about the victim’s PC inside a PNG image.

sage 2.0

The malicious messages have a ZIP attachment that contains a Word document with malicious macros that once executed download and install the Sage ransomware. In some cases the experts also observed that the ZIP archive contains a .js file with the same functionality.

Duncan also explained that some of the malicious attachments are double-zipped and often the recipient’s name is part of the attachment’s file name.

“Emails from this particular campaign generally have no subject lines, and they always have no message text. The only content is a zip attachment containing a Word document with a malicious macro that downloads and installs ransomware. Sometimes, I’ll see a .js file instead of a Word document, but it does the same thing.” Duncan wrote in a report. “Often, the recipient’s name is part of the attachment’s file name. I replace those names with [recipient] before I share any info. A more interesting fact is the attachments are often double-zipped. They contain another zip archive before you get to the Word document or .js file.”

When the Sage 2.0 ransomware infects a Windows 7 machine it triggers the User Account Control (UAC) technology, this means that the user has to authorize its execution.

The ransom note includes instructions to pay an initial $2,000 ransom (or 2.22188 bitcoin). The ransomware uses a Tor-based domain with a decryptor screen.

In case of non-payment, the fee will increase over the time, but after a deadline reported on the Tor website the victim will be able possible to recover its files.

“The infected Windows host has an image of the decryption instructions as the desktop background. There’s also an HTML file with the same instructions dropped to the desktop. The same HTML file is also dropped to any directory with encrypted files. ‘.sage’ is the suffix for all encrypted files,” the security researcher explains.

The Sage ransomware maintains persistent on the infected machine by a scheduled task, and it’s stored as an executable in the user’s AppData\Roaming directory.

The Sage 2.0 ransomware generates post-infection traffic, like the CryLocker ransomware, in the form of HTTP POST requests. Sage traffic is different from CryLocker one because it is encrypted in some way.

“When the callback domains for Sage didn’t resolve in DNS, the infected host sent UDP packets sent to over 7,000 IP addresses. I think this could be UDP-based peer-to-peer (P2P) traffic, and it appears to be somehow encoded or encrypted,” added the security researcher.

“I’m not sure how widely-distributed Sage ransomware is. I’ve only seen it from this one malspam campaign, and I’ve only seen it one day so far. I’m also not sure how effective this particular campaign is. It seems these emails can easily be blocked, so few end users may have actually seen Sage 2.0. Still, Sage is another name in the wide variety of existing ransomware families. This illustrates how profitable ransomware remains for cyber criminals,” Duncan concludes.

TorWorld helps you to manage a Tor node, promising an upcoming Tor-as-a-Service
25.1.2017 securityaffairs Safety

The TorWorld initiative aims to build a community area for those people that desire to set up either a Tor Relay or a Tor Exit node.
We all recognize the importance of the Tor network, an important instrument to protect users’ anonymity and avoid censorship. Today I desire to present you an interesting initiative launched by Tor passionates, the TorWorld, belonging to the CryptoWorld Foundation.

The CryptoWorld Foundation groups several organizations that provide anonymity services. The TorWorld aims to build a community area for those people that desire to set up either a Tor Relay or a Tor Exit node.

According to Bleepingcomputer.com, the project born out of a real necessity:

“The idea for ‘TorWorld’ came about four months ago,” Beard, one of TorWorld’s founding members told Bleeping Computer.

“We originally ran a few Guard Relays for a little over a year privately,” Beard continued. “After we had an issue with our Guard nodes being removed by our ISP at the time because of a misunderstanding, we thought about possibly setting up a service dedicated to running Tor nodes, and educating people on Tor.”

“Eventually we started that [idea], and at first we looked for automation scripts to make it easier for us to deploy multiple Tor servers in a fast and dynamic way,” Beard said. “To our surprise, we couldn’t find a single script.”

The team at the TorWorld published scripts simplify the set up of a Tor node, including Bash scripts for quickly deploying Tor guard (entry) nodes, Tor relay (middle) servers, Tor bridges (unlisted relays), and Tor exit nodes.

The project is ambitious and we can only wish the team great success, representatives from the TorWorld confirmed that the intention of the team to become a hosting provider for Tor servers and they are thinking to a sort of Tor-as-a-Service (TaaS).

Beard explained that the final goal it to allow users to create a Tor nodes on top of TorWorld’s server infrastructure in a single click thanks to a set of open-sourced Bash scripts.

This is an important step, unfortunately, today the set up of a Tor node is not a simple operation for everyone despite it is very well documented on the official Tor Project website.

“We’ll be adding more dynamic customization options for the FastRelay, and FastExit scripts,” Beard added.

TorWorld will also offer a platform to manage abuse notices for Tor servers operated by its users. It will be a paid service because a TorWorld team will handle their abuse notifications.

We all know that darknets represent a facilitator and aggregator for cyber criminal communities and the Tor network is one of the most popular anonymizing netwotk in the criminal underground.

The TorWorld will not allow criminal uses of its infrastructure.

Currently, there is no certainty about when and how the TorWorld TaaS service will be ready, anyway I’ll monitor its progress with a great interest and admiration.

HummingWhale – HummingBad Android Malware returns even more dangerous than before
25.1.2017 securityaffairs Android

Last year, the HummingBad Android malware infected as many as 85 million devices, now it has returned under the new name of HummingWhale.
CERT-EU and other sources corroborated Check Point researchers’ findings which recently confirmed a new variant of the ad-fraud-big-money-making, HummingBad, is spreading rapidly on the Android marketplace Google Play. HummingBad was first seen and released almost a year ago in January/February 2016 by malware authors Yingmob, and racking upwards of approx. $300,000 USD per month for the better half of 2016. Approximately 10 million Android devices were infected in the firm part of the last year.

Now, dubbed by Check Point, “HummingWhale” is at large with better ad fraud capabilities and sophisticated techniques than HummingBad affecting several applications and has been downloaded several million times from the combined list of applications downloaded.

“Check Point researchers have found a new variant of the HummingBad malware hidden in more than 20 apps on Google Play. The infected apps in this campaign were downloaded several million times by unsuspecting users” reads the report published by CheckPoint security.


Check Point first came to know this when they uncovered something interesting with Trojan-riddled apps published under the “fake” names of developers of Chinese origin and the apps behavior at startup. In addition, the startup behavior, closing the application normally does not exit cleanly. Instead, it “minimizes” covertly and remains running in the virtual environment.

Moreover, the apps carried a payload of 1.3MB and disguised itself as an image called group.png however it is anything but. The payload contained is an executable apk file.

“This .apk operates as a dropper, used to download and execute additional apps, similar to the tactics employed by previous versions of HummingBad. However, this dropper went much further. It uses an Android plugin called DroidPlugin, originally developed by Qihoo 360, to upload fraudulent apps on a virtual machine.”, said Oren Koriat, Mobile Cyber Security Analyst @ Check Point

What makes HummingWhale unique from the original is that it runs the downloaded application without having to get root and or elevated privileges making the phone susceptible to further fraudulent applications or further deployment of remote access tools (RATs).

Further information is available in the report, including Indicators of Compromise (IoCs).

Apple Patches Dozens of Vulnerabilities Across Product Lines

24.1.2017 Securityweek Apple
Apple this week released a new set of important security updates for its products, to patch dozens of vulnerabilities in macOS, iOS, watchOS, tvOS, and Safari, as well as in the iCloud and iTunes for Windows applications.

The newly released macOS Sierra 10.12.3 resolves 11 vulnerabilities in components such as apache_mod_php, Bluetooth, Graphics Drivers, Help Viewer, IOAudioFamily, Kernel, libarchive, and Vim. Most of the plugged issues could allow applications to execute arbitrary code, while others could allow malicious archives or web content to execute code. One of the bugs could allow an application to determine kernel memory layout.

Released on Monday, iOS 10.2.1 resolves 18 vulnerabilities in multiple components, including Auto Unlock, Contacts, Kernel, libarchive, WebKit, and Wi-Fi. WebKit was the most affected component, with no less than 12 flaws resolved in it, most of which were discovered by Google Project Zero researches.

Affecting iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation and later, the patched security holes included one where Auto Unlock may unlock when Apple Watch is off the user's wrist, unexpected application termination when processing a maliciously crafted contact card, arbitrary code execution with kernel privileges, data exfiltration, popups being opened by malicious websites, and the possibility to manipulate an activation-locked device to briefly present the home screen.

A total of 33 vulnerabilities were addressed with the release of watchOS 3.1.3, affecting all Apple Watch models. The issues were found in components such as Accounts, Audio, Auto Unlock, CoreFoundation, CoreGraphics, CoreMedia Playback, CoreText, Disk Images, FontParser, ICU, ImageIO, IOHIDFamily, IOKit, Kernel, libarchive, Profiles, Security, syslog, and WebKit.

The resolved vulnerabilities could be exploited for arbitrary code execution, to gain root privileges, to automatically trust certificates, to cause a denial of service, to overwrite existing files, to cause an unexpected system termination, to read kernel memory, to leak memory remotely. There’s also the issue where Auto Unlock could unlock when Apple Watch is off the user's wrist.

The release of tvOS 10.1.1 was meant to resolve 12 vulnerabilities in Kernel, libarchive, and Webkit. Affecting Apple TV (4th generation). These could result in an application executing arbitrary code with kernel privileges, arbitrary code execution when unpacking a malicious archive, and data exfiltration and arbitrary code execution when processing maliciously crafted web content.

No less than 12 bugs were patched in Safari 10.0.3, which is now available for download for OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12.3. While one of these was an address bar spoofing, 11 were found in Webkit and could result in data exfiltration and arbitrary code execution.

Some of the Webkit issues were found to affect iCloud and iTunes for Windows too, and were addressed with the release of iCloud for Windows 6.1.1 and iTunes 12.5.5. The same four bugs affected both applications, resulting in arbitrary code execution.

Shamoon Attacks Possibly Aided by Greenbug Group

24.1.2017 Securityweek Virus
The stolen credentials used in the recent Shamoon attacks aimed at organizations in the Persian Gulf may have been supplied by a threat group tracked by Symantec as “Greenbug.”

Shamoon, aka Disttrack, is a disk-wiping malware that became widely known in 2012, when it damaged 35,000 computers belonging to petroleum and natural gas company Saudi Aramco. Shamoon 2, a more recent version of the threat, was recently used to target organizations in Saudi Arabia, including the country’s General Authority of Civil Aviation (GACA).

The first wave of Shamoon 2 attacks was launched on November 17 and a second wave on November 29. The attacks, which some have attributed to Iran, relied on the Disttrack malware to automatically start wiping infected systems at a specified time.

The malware was planted on targeted systems using stolen credentials, and security firm Symantec believes the information may have been obtained in a prior attack launched by a threat actor named Greenbug.

This cyber espionage group has used a remote access Trojan (RAT) called Ismdoor and various other tools in attacks aimed at organizations in the Middle East. The attackers targeted aviation, investment, government and education organizations in several countries, including Saudi Arabia, Iran, Iraq, Bahrain, Qatar, Kuwait and Turkey, and a Saudi company in Australia.

Greenbug has sent out fake business proposal emails to trick users into downloading malware onto their systems. The attackers delivered a RAR archive that stored a clean PDF and a compiled HTML help file (.chm) that contained the Ismdoor Trojan.

In order to avoid detection, the malware has been hidden in alternate data streams (ADS). Once executed, Ismdoor opens a backdoor and uses PowerShell for command and control (C&C) purposes. The Trojan is designed to install other pieces of malware, including ones capable of logging keystrokes and collecting browser, email and other sensitive data.

Symantec determined that Greenbug may have supplied credentials for the Shamoon attacks after detecting an Ismdoor infection on an administrator computer housed by one of the organizations targeted with Disttrack.

Researchers have not found any solid evidence linking the threat actors, but they pointed out that Ismdoor and other Greenbug tools became inactive just one day before the November 17 attacks.

Palo Alto Networks reported earlier this month that a variant of the Shamoon 2 malware is also designed to target virtualization products, likely in an effort to make recovery more difficult for attacked organizations.

Saudi Arabia has warned organizations to be on alert following a series of new attacks, Reuters reported on Monday. The country’s labor ministry, a chemicals firm and other companies have been allegedly hit.

Microsoft Unveils Windows Defender Security Center

24.1.2017 Securityweek Security
The upcoming Windows 10 Creators Update was designed to make available security protections easily accessible via a new experience called the Windows Defender Security Center, Microsoft says.

Last month, the tech giant shared some information on the security enhancements that the upcoming platform upgrade will bring. Microsoft is now providing more details on Windows Defender Security Center, a core feature of the operating system.

Since announcing Windows 10, Microsoft claimed that it was the most secure Windows version ever, but already proved that there was room for improvement with the release of Windows 10 Anniversary Update. One of the most important enhancements included mitigation techniques to stop the exploitation of new or undisclosed vulnerabilities.

The Windows Defender Security Center in Windows 10 Creators Update should make it easier for users to view and control the security protections the platform has to offer. The main functionality, Microsoft says, is to help users better understand and use the security features protecting them and their Windows 10 devices, even if they lack advanced knowledge on the matter.

As Rob Lefferts, Partner Director, Windows & Devices Group, Security & Enterprise, notes in a blog post, Windows Defender Security Center includes five “pillars” that users can take advantage of for controlling and keeping track of their device’s security, health and online safety experiences.

The first of these pillars is Virus & threat protection, where users can view information on their anti-virus protection, regardless of whether it is Windows Defender Antivirus or another application. For those who use Windows Defender Antivirus, scan results and threat history are available there. Those using a different anti-virus application will be able to launch it from there.

The second pillar is Device performance & health, where users can access a single view of Windows updates, drivers, battery life, and storage capacity. It also provides a Refresh Windows feature for those who want to get started with a clean install of Windows. The option maintains personal files and some Windows settings intact, but removes most apps for a fresh start that can offer performance improvements.

By going to Firewall & network protection, users can view information on the network connections and active Windows Firewall settings and can access links to network troubleshooting information. For those interested in adjusting SmartScreen settings for apps and browsers, App & browser control is the option to go to. It should prove useful to those looking to stay more informed and to remain safe online, as it warns them of potential malicious sites, downloads and unrecognized apps and files on the web.

Finally, there will be Family options, to link users to information about parental controls and to provide them with options for setting up good screen time habits and activity reports of kids’ online activity. It will also be useful for the management of controls for purchasing apps and games, as well as to view the health and safety of other family devices.

“Our goal with the new Windows Defender Security Center is to help you become more informed and make safety simple. It is equally important to us that you are protected by default and continuously protected – never giving the bad guys an opportunity to harm you. This new experience naturally supports customer choice in selecting an AV product,” Lefferts notes.

Since the upcoming experience is also meant to ensure that users are always protected, it will keep track of antivirus subscriptions and expiration dates and will automatically launch Windows Defender Antivirus when that happens. According to Lefferts, the new option should provide users with increased control over their PC, allowing them to choose the protection software and services that they like best.

“We believe the new Windows Defender Security Center lives up to these principles and we are committed to working with you, as well as security experts and organizations throughout the technology industry to create safer experiences for everyone with Windows 10,” Lefferts concluded.

Nasty Android Malware that Infected Millions Returns to Google Play Store
24.1.2017 thehackernews Android
HummingBad – an Android-based malware that infected over 10 million Android devices around the world last year and made its gang an estimated US$300,000 per month at its peak – has made a comeback.
Security researchers have discovered a new variant of the HummingBad malware hiding in more than 20 Android apps on Google Play Store.
The infected apps were already downloaded by over 12 Million unsuspecting users before the Google Security team removed them from the Play Store.
Dubbed HummingWhale by researchers at security firm Check Point, the new malware utilizes new, cutting-edge techniques that allow the nasty software to conduct Ad fraud better than ever before and generate revenue for its developers.
The Check Point researchers said the HummingWhale-infected apps had been published under the name of fake Chinese developers on the Play Store with common name structure, com.[name].camera, but with suspicious startup behaviors.
"It registered several events on boot, such as TIME_TICK, SCREEN_OFF and INSTALL_REFERRER which [were] dubious in that context," Check Point researchers said in a blog post published Monday.
HummingWhale Runs Malicious Apps in a Virtual Machine

The HummingWhale malware is tricky than HummingBad, as it uses a disguised Android application package (APK) file that acts as a dropper which downloads and runs further apps on the victim's smartphone.
If the victim notices and closes its process, the APK file then drops itself into a virtual machine in an effort to make it harder to detect.
The dropper makes use of an Android plugin created by the popular Chinese security vendor Qihoo 360 to upload malicious apps to the virtual machine, allowing HummingWhale to further install other apps without having to elevate permissions, and disguises its malicious activity to get onto Google Play.
"This .apk operates as a dropper, used to download and execute additional apps, similar to the tactics employed by previous versions of HummingBad," researchers said. "However, this dropper went much further. It uses an Android plugin called DroidPlugin, originally developed by Qihoo 360, to upload fraudulent apps on a virtual machine."
HummingWhale Runs Without having to Root the Android Device
Thanks to the virtual machine (VM), the HummingWhale malware no longer needs to root Android devices unlike HummingBad and can install any number of malicious or fraudulent apps on the victim's devices without overloading their smartphones.
Once the victim gets infected, the command and control (C&C) server send fake ads and malicious apps to the user, which runs in a VM, generating a fake referrer ID used to spoof unique users for ad fraud purposes and generate revenue.
Alike the original HummingBad, the purpose of HummingWhale is to make lots of money through ad fraud and fake app installations.
Besides all these malicious capabilities, the HummingWhale malware also tries to raise its reputation on Google Play Store using fraudulent ratings and comments, the tactic similar to the one utilized by the Gooligan malware.

A flaw in the Cisco WebEx Extension allows Remote Code Execution
24.1.2017 securityaffairs

Tavis Ormandy, a security expert at Google Project Zero, has discovered a critical remote code execution vulnerability in the Cisco WebEx browser extension.
Google Project Zero researcher Tavis Ormandy has discovered a critical remote code execution vulnerability in the Cisco WebEx browser extension. Cisco’s initial fix does not appear to be complete, which has led to Google and Mozilla temporarily removing the add-on from their stores.

Tavis Ormandy @taviso
There was a secret URL in WebEx that allowed any website to run arbitrary code. ¯\_(ツ)_/¯ https://bugs.chromium.org/p/project-zero/issues/detail?id=1096 …
10:23 PM - 23 Jan 2017
1,289 1,289 Retweets 937 937 likes
The popular Google Project Zero researcher Tavis Ormandy has discovered a critical code execution vulnerability in the Cisco WebEx browser extension. The flaw has a significant impact considering that the WebEx extension for Google Chrome has roughly 20 million active users.

The expert discovered that an attacker can trigger the vulnerability by using any URL that contains a “magic” pattern. The flaw could be exploited to remotely execute arbitrary code on the targeted WebEx user’s system by tricking victims into visiting a specially crafted website.

Cisco tried to fix the issue limiting the magic URL to https://*.webex.com and https://*.webex.com.cn domains but the Google researcher highlighted the it could still be exploited due to a potential cross-site scripting (XSS) flaw on webex.com.

“The extension works on any URL that contains the magic pattern “cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html”, which can be extracted from the extensions manifest. Note that the pattern can occur in an iframe, so there is not necessarily any user-visible indication of what is happening, visiting any website would be enough.” states the advisory published by Ormandy.

“The extension uses nativeMessaging, so this magic string is enough for any website to execute arbitrary code (!!).”

The expert discovered that even without the XSS an attacker can remotely execute arbitrary code on the target system if the victims click “OK” when they are prompted to allow a WebEx meeting to launch on the rogue website.

Ormandy published and PoC exploit and published a demo here for testing. A successful execution of the demo needs a working WebEx installation on the victim machine. Below the link to the PoC exploit:


CISCO WebEx flaw

Mozilla representatives also remarked that webex.com does not use HTTP Strict Transport Security (HSTS) and Content Security Policy (CSP).

“If I’m an adversary and I can find a single XSS on that domain, all I need to do at any point in the future is intercept an outgoing HTTP request from Chrome, insert a 302 redirect, and I have an instant RCE on who knows how many machines?” said April King, information security engineer at Mozilla.

Both Google and Mozilla have decided to remove the WebEx extension from their stores until Cisco releases will solve the issue.

A new loophole allowed an expert to delete any video on Facebook
24.1.2017 securityaffairs

Facebook has fixed a serious security bug that could have been exploited by hackers to delete any video shared by anyone on their wall.
A new bug was discovered in the Facebook platform by the security researcher Dan Melamed, the flaw could be exploited to delete any video shared by anyone on their wall.

Dan Melamed explained that a similar issue was discovered in June 2016 by the Indian security researcher Pranav Hivarekar who demonstrated that was able to delete any video by exploiting a security issue that exists in the recently introduced video comment feature.

The new but discovered by Melamed allowed him to delete any video on Facebook shared by anyone without having any permission or authentication. The expert also discovered that was possible to disable commenting on the video of your choice.

“Back in June of last year I discovered a critical vulnerability that allows me to remotely delete any video on Facebook. In addition, I also had the ability to disable commenting on any video. This allows a bad actor the ability to delete videos on Facebook without permission or authentication.” states the blog post published by Melamed.

The expert detailed the steps to exploit the vulnerability. He first created a public event on the Facebook page and uploaded a video on the Discussion part of the event.
The expert analyzed a POST request while uploading a video using the Fiddler debugging proxy and noticed the presence of a Video ID that could be manipulated. Melamed discovered that was possible to replace the Video ID value of the video he uploaded with Video ID value of any other video, in turn, the platform responded with a server error (i.e. “This content is no longer available,“).
Despite the error message the new video was successfully posted and displayed on the user’s wall.

Once posted the video, Melamed deleted the event post and eventually deleted the attached video, this operation triggered the removal of the video from Facebook and the wall of the victim.

“You will also notice in the drop down section that there is the option to “Turn off commenting.” This allows you to disable commenting on the video of your choice,” Melamed writes.

This simple sequence of action allowed the researcher to delete any video on Facebook, below a video PoC of the hack:

Melamed reported the vulnerability to Facebook which solved the problem in a couple of weeks earlier 2017. Facebook rewarded the bug hunter $10,000 under its bug bounty program.

Apple vydává balík oprav, chyby mají všechny operační systémy

24.1.2017 Novinky/Bezpečnost Zranitelnosti
Velký balík aktualizací vydala tento týden společnost Apple. Chyby obsahují prakticky všechny její operační systémy, tedy verze pro klasické počítače, chytré telefony, tablety, ale například i nositelnou elektroniku. Trhliny obsahuje také webový prohlížeč Safari, upozornil Národní bezpečnostní tým CSIRT.CZ.
„Dotčený je operační systém macOS, mobilní operační systém iOS, systém pohánějící chytré hodinky Apple Watch - watchOS, ale také internetový prohlížeč Safari a multimediální aplikace iTunes,“ podotkl Pavel Bašta, bezpečnostní analytik CSIRT.CZ, který je provozován sdružením CZ.NIC.

Jak je z řádků výše patrné, chyb byla opravena celá řada. S instalací aktualizací se přitom nevyplácí otálet, neboť některé trhliny se týkají také bezpečnosti. Jedna z vydaných oprav řeší chybu v iOS, při jejím zneužití je možné iPhone odemknout i pomocí neautorizovaných Apple Watch, nastínil Bašta.

Převezmou kontrolu nad zařízením
„Některé zranitelnosti byly označeny jako kritické a jejich zneužití by mohlo umožnit útočníkovi převzetí kontroly nad zařízením,“ varoval bezpečnostní analytik.

Jinými slovy tedy mohou prostřednictvím některých trhlin kyberzločinci propašovat do zařízení s logem nakousnutého jablka prakticky jakýkoli škodlivý kód. Z napadeného stroje také mohou odcizit prakticky libovolná data.

Sluší se podotknout, že v bezpečí nejsou ani uživatelé Windows, kteří používají softwarové řešení od Applu. Tedy pokud mají nainstalovanou multimediální aplikaci iTunes či webový prohlížeč Safari. Ani v těchto případech se nemusí vyplatit otálení s instalací aktualizace.

Stahovat updaty je možné prostřednictvím automatických aktualizací v samotných operačních systémech nebo dotčených aplikacích, či prostřednictvím webových stránek společnosti Apple.

Chyby mají Office, Edge i Java
Chybám v tomto měsíci neunikly ani aplikace od společnosti Microsoft. Kritické bezpečnostní trhliny byly objeveny v internetovém prohlížeči Edge a kancelářském balíku Office. Stahovat aktualizace je nicméně také možné. [celá zpráva]

Naprostým rekordmanem v počtu nalezených trhlin je však společnost Oracle, která nabízí desítky nejrůznějších softwarových nástrojů a utilit pro korporátní klientelu, ale také programy pro běžné uživatele – například Javu. V aplikacích tohoto podniku bylo v lednu nalezeno 270 trhlin.

Bojíte se odposlechů? Tohle vám může výrazně pomoci

24.1.2017 SecurityWorld Zabezpečení
Nový protokol DIME dokáže sofistikovaným způsobem ukrýt e-maily před cizími zraky.

Jeden z vývojářů stojící za e-mailovou schránkou Lavabit, kterou využíval kupříkladu i Edward Snowden, veřejně poskytl zdrojový kód nového end-to-end šifrovaného e-mailového standardu. Ten by měl nabídnout bezpečné konverzování přes elektronickou poštu bez obavy z externího špehování.

Kód nového standardu nazývaného DIME (Dark Internet Mail Environment) bude brzy dostupný na Githubu spolu s přidruženým e-mailovým serverovým programem, řekl minulý pátek vývojář standardu Ladar Levison.

DIME bude fungovat napříč různými poskytovateli e-mailových služeb a bude „dostatečně flexibilní na to, aby umožnil uživatelům nadále využívat své e-maily i bez nutnosti doktorátu v kryptografii“.

V souvislosti s uveřejněním standardu zároveň Levison oživuje původní Lavabit. E-mailový klient s pokročilým šifrováním skončil v roce 2013 po žádosti amerických federálních agentů, kteří po službě požadovali přístup k e-mailovým zprávám jeho 410 000 zákazníků, a to včetně privátních šifrovacích klíčů jednotlivých uživatelů.

Státní zpravodajské služby tehdy podrobně zkoumali kauzu kolem Snowdena a uniklých dokumentů NSA. Levison -- než aby pomohl vládě Spojených států porušit podmínky soukromí svých zákazníků -- službu raději ukončil, píše se v jeho pátečním příspěvku.

„Vybral jsem si svobodu,“ píše emotivně. „Mnoho se od mého rozhodnutí změnilo, ale mnoho bohužel ne ani v našem post-snowdenovském světě.“ Nyní službu znovu rozjíždí, jako důvod uvedl „nedávné šokující informace“ o tom, jak nezabezpečené e-maily ve skutečnosti jsou.

„Dnes začínáme novou cestu svobody a otevíráme dveře příští generaci e-mailového soukromí a zabezpečení,“ píše na stránkách Lavabitu.

Obnovený Lavabit rovněž staví na standardu DIME, který Levison vyvíjí díky službě komunitního financování projektů Kickstarter z roku 2014. Standard má šifrovat e-mail samotný i jeho přenos, včetně metadat typu titulek zprávy a adresa odesílatele nebo příjemce.

Lavabit nově představí tři různé úrovně šifrování, nazvané Trustful, Cautious a Paranoid – tedy důvěřivý, opatrný a paranoidní. Každá úroveň pracuje s šifrováním zprávy a ukládáním privátních klíčů rozdílně, největší rozdíl je v pohodlnosti užívání.

Nejvyšší úroveň Paranoid například znamená, že servery Lavabitu nebudou privátní klíče uživatelů ukládat vůbec. Zprvu bude Lavabit dostupný pouze existujícím uživatelům služby, a to pouze na úrovni Trustful. Noví uživatelé se musí předregistrovat a čekat na oficiální vydání Lavabitu.

Lavabit pracuje na základě předplatného. V pátek byla služba nabízena se slevou – za 15 dolarů ročně má uživatel přístup k 5 GB úložného prostoru, za 30 dolarů pak k 20 GB.

Velký čínský firewall je ještě účinnější, vláda postavila VPN mimo zákon
24.1.2017 Živě.cz

„Vyčistit národní internet od neautorizovaných služeb“ – to je účel nového nařízení, které během víkendu začalo platit v Číně. Primárně se přitom zaměřuje na prostředek, který Číňané využívají k obejití státního firewallu – VPN. Po dobu 14 měsíců mají přijít opatření, která využívání tohoto typu připojení maximálně ztíží a postaví mimo zákon.

Nově je VPN zařazeno do kategorie tzv. speciálního typu připojení, jež musí být povoleno státní institucí. Ministerstvo průmyslu a informačních technologií počítá, že bude nařízení platit minimálně do 31. března 2018.

Národní regulátoři se budou zaměřovat na poskytovatele VPN, kteří umožňují obcházení firewallu. Podle odborníků na čínský internet bude ze strany státu vyžádána spolupráce v podobě ukládání a sdílení kompletních logů, nebo bude poskytovatel výrazně sankcionován a činnost mu bude znemožněna.

Národní firewall se v Číně stará o blokování stovek tisíc webů, mezi nimiž se nachází i ty nejnavštěvovanější – Google, Youtube, Facebook nebo Twitter.

Čína zasáhne proti službám, které obcházejí cenzuru internetu

24.1.2017 Novinky/Bezpečnost BigBrother
Čína se chystá zpřísnit dohled nad internetem. Nová kampaň vlády je zaměřena na služby, které umožňují obcházet cenzuru internetu a dostávat se k blokovaným informacím ze zahraničí. Ministerstvo průmyslu a informačních technologií na konci minulého týdne uvedlo, že zakazuje používání virtuálních privátních sítí (VPN).
Sítě VPN fungují jako šifrovaný kanál mezi počítačem a vzdáleným serverem. Umožňují přístup k zahraničním webovým stránkám bez svolení vlády. Peking přísně cenzuruje internet a blokuje obsah, který by podle něj mohl ohrozit vládu komunistické strany či narušit v zemi stabilitu. Blokovány jsou on-line služby, které provozuje řada velkých zahraničních společností, jako je Google, Facebook nebo Twitter.

„Internet je obrovská síť spojující počítače po celém světě. Ve chvíli, kdy by někdo chtěl zablokovat vybrané internetové stránky nebo služby, musel by k tomu donutit největší centrální poskytovatele internetu,“ řekl Novinkám počítačový expert Václav Vaněček.

Poskytovatelé internetu v zemích jako Čína nebo Írán dostanou od státu nařízeno, na které stránky mají znemožnit lidem přístup. Ti musí do svých routerů – zařízení, která se starají o propojení jednotlivých částí internetu – zadat příkazy, jež lidem tento přístup znemožní.

Škodlivé viry trápily na konci roku statisíce lidí. Šly hlavně po penězích

24.1.2017 Novinky/Bezpečnost Viry
Škodlivým virům se na konci loňského roku opravdu dařilo, počet úspěšných útoků totiž stoupl meziročně o více než 22 procent. Kyberzločinci šířili především nezvané návštěvníky, kteří jsou schopni ukrást z účtu peníze nebo snadno zneužitelná data, jako jsou například čísla platebních karet.
Viry, které se snaží ukrást peníze, bylo podle statistik antivirové společnosti Kaspersky Lab napadeno ve čtvrtém kvartálu na 319 000 uživatelů z různých koutů světa. Markantní nárůst útoků byl zaznamenán především během dnů Black Friday a Cyber Monday, ale také ve vánočním období.

„Vánoční období je vrcholem celého roku nejen pro obchodníky očekávající vysokou poptávku a pro nakupující, kteří vyhledávají lákavé nabídky. Ale také pro kyberzločince, kteří nezahálejí a vynalézají nové možnosti, jak se dostat k penězům lidí, kteří v tuto dobu utrácejí více než jindy,“ podotkl Oleg Kupreev, bezpečnostní expert v Kaspersky Lab.

Počet útoků roste
Analýza antivirové společnosti pojednává o tom, jak se měnily snahy počítačových pirátů v posledních třech letech.

„Počet útoků na koncové uživatele detekovaných našimi bezpečnostními řešeními se během posledního loňského čtvrtletí oproti stejnému datovému rozhraní roku 2015 zvýšil o 22,49 %,“ konstatoval Kupreev.

„Oproti poklesu z roku 2014 se tak zdá, že kyberzločinci opět investují do vývoje malwaru schopného ukrást finanční data, jakými jsou informace o platebních kartách či údaje k online bankovnictví,“ doplnil bezpečnostní expert.

Útoky finančního malwaru jsou opět na vzestupu.
Oleg Kupreev, bezpečnostní expert v Kaspersky Lab
Dynamika útoků jasně naznačuje, že v podzimním období byl pro počítačové piráty nejatraktivnějším dnem Cyber Monday. Počet napadených uživatelů byl nadprůměrný prakticky během celého listopadu, nicméně 28. listopadu – v den označovaný za Cyber Monday – bylo napadeno dvakrát více uživatelů než předešlý den.

Kontrolovat výpisy z účtů
Chování kyberzločinců během vánočních svátků a Black Friday bylo trochu jiné. „Vrchol útoků nastal den nebo dva před daným svátkem. Odlišná strategie útoků může spočívat v rozdílné povaze těchto svátků. Oproti Black Friday a Vánocům jde v případě Cyber Monday výhradně o on-line prodeje, v nichž podvodníci vidí velkou příležitost, a proto své útoky cílí přímo na tento konkrétní den,“ uvedl Kupreev.

„Útoky finančního malwaru jsou opět na vzestupu. V návaznosti na útoky posledních tří měsíců bychom zákazníkům, kteří v této době použili své platební karty, doporučovali, aby v následujících měsících pravidelně kontrolovali své výpisy. Kyberzločinci totiž obvykle nezačnou vybírat peníze prostřednictvím ukradených dat hned po útoku. Většinou vyčkají několik týdnů či dokonce měsíců, během nichž se na samotnou finanční krádež připravují,“ uzavřel bezpečnostní expert.

China makes VPNs illegal to tighten its Great Firewall
24.1.2017 thehackernews Security
China is long known for its strict Internet censorship laws through the Great Firewall of China – China's Golden Shield project that employs a variety of tricks to censor Internet and block access to various foreign websites in the country by its government.
The Great Firewall has blocked some 171 out of the world's 1,000 top websites, including Google, Facebook, Twitter, Tumblr, Dropbox, and The Pirate Bay. Therefore, to thwart these restrictions and access these sites, hundreds of millions of Chinese citizens use virtual private networks (VPNs).
But now, the Chinese government has announced the mass shutdown of VPNs in the country, making it harder for internet users to bypass its Great Firewall, according to a report published by the South China Morning Post.
'Clean-Up' of China's Internet Connections
Calling it a "clean-up" of China's Internet connections, the Ministry of Industry and Information Technology said on Sunday that it had launched a 14-month-long crackdown on the use of unsupervised internet connections, including VPNs.
VPN services encrypt your Internet traffic and route that traffic through a distant connection so that web surfers in China can hide their location data and access websites that are usually restricted or censored by the country's so-called Great Firewall.
The new rules make it illegal to use or operate a local VPN service without government approval, and require all VPNs and leased cable lines operating in China have a license from the government.
According to the ministry, "all special cable and VPN services on the mainland needed to obtain prior government approval—a move making most VPN service providers in the country of 730 million Internet users illegal."
Moreover, every internet service provider (ISP), cloud services provider and VPN reseller are also required to carry out "self-inspections" for any illegal activity taking place on their servers.
VPN Ban will Remain until March 31, 2018
In a statement, the ministry said that the country's VPN and cloud computing market "has signs of disordered development that require urgent regulation and governance" and that the crackdown is designed to "strengthen cyberspace information security management."
The ban on VPNs and cable connections would begin immediately and will remain in place until March 31, 2018.
Besides the VPNs ban, China's IT ministry also said the government would be investigating ISPs, content delivery networks and internet data centers for failing to receive the right business permits and operating in areas that exceed their intended scope.
The move is the latest in a long series of attempts by the Chinese government to stop its citizens using VPNs and other filter-busting systems, which made them unable to have a tight grip on their people.

Cisco WebEx Extension Flaw Allows Code Execution

24.1.2017 Securityweek Vulnerebility
Google Project Zero researcher Tavis Ormandy has discovered a critical remote code execution vulnerability in the Cisco WebEx browser extension. Cisco’s initial fix does not appear to be complete, which has led to Google and Mozilla temporarily removing the add-on from their stores.

While analyzing the WebEx extension for Chrome, which has roughly 20 million active users, Ormandy noticed that it works on any URL that contains a “magic” pattern. This allows an attacker to execute arbitrary code on the targeted WebEx user’s system by getting them to access a specially crafted website.

Cisco has attempted to patch the security hole by limiting the magic URL to https://*.webex.com and https://*.webex.com.cn domains. Ormandy said the fix was acceptable, but pointed out that the vulnerability could still be exploited silently through a potential cross-site scripting (XSS) flaw on webex.com.

Furthermore, even without the XSS, an attacker can still execute arbitrary code as long as the victim clicks “OK” when they are prompted to allow a WebEx meeting to launch on the malicious website.

Mozilla representatives said they were unhappy with Cisco’s fix and pointed out that webex.com does not use HTTP Strict Transport Security (HSTS) and Content Security Policy (CSP).

“If I'm an adversary and I can find a single XSS on that domain, all I need to do at any point in the future is intercept an outgoing HTTP request from Chrome, insert a 302 redirect, and I have an instant RCE on who knows how many machines?” noted April King, information security engineer at Mozilla.

Others said they could still get Ormandy’s proof-of-concept (PoC) exploit to work even on the updated version.

As a result, both Google and Mozilla have decided to remove the WebEx extension from their stores until Cisco releases a proper fix.

“This is exactly the kind of ‘just visit this random website and now you have malware’ scenarios that we haven't seen in a while (on a large scale), and that we don't want to go back to,” said Filippo Valsorda, a researcher at CloudFlare.

Valsorda has published a blog post with advice on how to prevent these types of attacks in Chrome using browser profiles.

Researchers Link "de-identified" Browsing History to Social Media Accounts

24.1.2017 Securityweek Safety
Researchers Demonstrate How "de-identified" Web Browsing Histories Can be Linked to Social Media Accounts

While the use of cookies and other tracking mechanisms used to track computers is widespread and well understood, it is often believed that the data collected is effectively de-identified; that is, the cookies track the computer browser, not the person using the computer.

This is the message often promulgated by the advertising industry: tracking cookies allow targeted advertising without compromising personal privacy. Now new research from academics at Stanford and Princeton universities demonstrates that this need not be so.

In the new study 'De-anonymizing Web Browsing Data with Social Networks' (due to be presented at the 2017 World Wide Web Conference Perth, Australia, in April) the researchers show that de-identified web browsing histories can be linked to social media profiles using only publicly available data. Once the social media profile associated with a browsing pattern is known, the person is known.

The basic premise is that social media users are more likely to click on links posted by people they follow. This creates a distinctive pattern that persists in the browsing history. "An adversary can thus de-anonymize a given browsing history," states the report, "by finding the social media profile whose 'feed' shares the history's idiosyncratic characteristics."

The theory was tested against Twitter -- chosen because it is largely public, has an accessible API, and wraps its links in the t.co shortener. Assuming an 'adversary' has access to browsing histories, he can then easily deduce (through timing or referrer information) which links came from Twitter. The pattern of those referrals from Twitter can then be used to identify the user concerned by matching it with users' Twitter profile characteristics. The same approach could also be used against users with Facebook or Reddit accounts.

"Users may assume they are anonymous when they are browsing a news or a health website," comments says Arvind Narayanan, an assistant professor of computer science at Princeton and one of the authors of the research, "but our work adds to the list of ways in which tracking companies may be able to learn their identities."

The approach is not foolproof. Nevertheless, say the researchers, "given a history with 30 links originating from Twitter, we can deduce the corresponding Twitter profile more than 50 percent of the time." In fact, in a test involving 374 volunteers who submitted web browsing histories, the method was able to identify more than 70 percent of those users by comparing their web browsing data to hundreds of millions of public social media feeds.

"All the evidence we have seen piling up over the years showing the strong limits of data anonymization, including this study," comments Yves-Alexandre de Montjoye, an assistant professor at Imperial College London (not associated with the research), "really emphasizes the need to rethink our approach to privacy and data protection in the age of big data."

The problem goes beyond simple user privacy, since it could be used to target persons of interest. "The idea would be to look at something such as my Twitter account (as in who I'm following) and to determine what links I'm seeing," explains F-Secure security advisor Sean Sullivan. "And then, to find the 'User X' with the highest correlation between site visits and links seen. At which point, if I'm User X, I could be targeted by somebody who controls one of the sites visited."

At a purely 'commercial' level, this could be used to target individuals with high value goods. But it could also be used to find and target specific individuals prior to a network attack.

The researchers accept that their current methodology is not 100% accurate, but add an "adversary may fruitfully make use of other fingerprinting information available through URLs, such as UTM codes. Thus, the main lesson of our paper is qualitative: we present multiple lines of evidence that browsing histories may be linked to social media profiles, even at a scale of hundreds of millions of potential users."

Furthermore, it claims, "our attack has no universal mitigation outside of disabling public access to social media sites, an act that would undermine the value of these sites." It calls for "more research into privacy-preserving data mining of browsing histories."

China Cracks Down on Bids to Bypass Online Censorship

24.1.2017 Securityweek Safety
Beijing - China has announced a 14-month campaign to "clean up" internet service providers and crack down on devices such as virtual private networks (VPNs) used to evade strict censorship.

The ruling Communist party oversees a vast apparatus designed to censor online content deemed politically sensitive, while blocking some Western websites and the services of internet giants including Facebook, Twitter and Google.

It passed a controversial cybersecurity bill last November, tightening restrictions on online freedom of speech and imposing new rules on service providers.

But companies and individuals often use VPNs to access the unfettered internet beyond China's "Great Firewall".

Telecom and internet service providers will no longer be allowed to set up or rent special lines such as VPNs without official approval, the ministry of industry and information technology said Sunday.

Its "clean up" campaign would last through March 2018, it said in a statement on its website.

The announcement comes days after President Xi Jinping extolled globalisation and denounced protectionism in a keynote speech at the World Economic Forum in Davos, where he insisted that China was committed to "opening up".

China's internet access services market has grown rapidly, and the "first signs of disorderly development are also appearing, creating an urgent need for regulation", the statement said.

The new rules were needed to "strengthen internet information security management", it added.

IT expert Li Yi told the Global Times newspaper, which often takes a nationalistic tone, the new regulations were "extremely important".

While some multinationals such as Microsoft needed VPNs to communicate with overseas headquarters, other companies and individuals "browse overseas internet pages out of illegal motivations", Li said.

A 2015 report by US think tank Freedom House found that China had the most restrictive Internet policies of 65 countries it studied, ranking below Iran and Syria.

China is home to the world's largest number of internet users, which totaled 731 million as of December, the government-linked China Internet Network Information Center said Sunday.

Millions Download HummingBad Variant via Google Play

24.1.2017 Securityweek Android
A newly discovered variant of the HummingBad Android malware has been downloaded millions of times after infecting 20 applications in Google Play, Check Point security researchers warn.

Discovered in early 2016, HummingBad already proved one of the most prolific Android malware families out there, accounting for over 72% of attacks in the first half of the year.

In a report published last July, Check Point suggested that around 10 million Android devices might have been compromised by HummingBad and that its rootkit capabilities allowed attackers take full control over the infected devices. The researchers also said that Yingmob, the group behind the malware, might have compromised over 85 million devices.

Dubbed HummingWhale, the newly discovered variant is said to include cutting edge techniques that allow it to perform its nefarious activities (ad fraud) better than before.

While HummingBad was spreading mainly through third-party app stores, the HummingWhale variant made its way into Google Play and infected 20 apps, all of which have been already removed by Google. The main giveaway feature, the researchers say was a 1.3MB encrypted file called ‘assets/group.png’ also found in some later HummingBad samples that were masquerading as an app called “file-explorer.”

Offending apps were found to register several events on boot, such as TIME_TICK, SCREEN_OFF and INSTALL_REFERRER, as well as to feature a common name structure – com.XXXXXXX.camera (e.g. com.bird.sky.whale.camera, com.color.rainbow.camera, com.fishing.when.orangecamera). Apps outside of the camera family were also identified.

The HummingWhale samples were also observed registering to certain events and packing some identical strings in their code and certificates when compared to the previous HummingBad variants. HummingWhale was also observed being promoted by several new HummingBad samples, Check Point says.

The new malware variant, researchers say, is heavily packed and has its main payload in the ‘group.png’ file, which is actually an .apk that operates as a dropper. This executable file can download additional apps, a functionality observed in previous versions of HummingBad as well. The new dropper, however, uses the DroidPlugin Android plugin to upload fraudulent apps on a virtual machine.

“First, the Command and Control server (C&C) provides fake ads and apps to the installed malware, which presents them to the user. Once the user tries to close the ad, the app, which was already downloaded by the malware, is uploaded to the virtual machine and run as if it is a real device. This action generates the fake referrer id, which the malware uses to generate revenues for the perpetrators,” the security researchers explain.

By using this method, the cybercriminals ensure that the malware installs apps without gaining elevated permissions first, and that the malicious activity is disguised, thus allowing the malware to infiltrate Google Play. What’s more, the embedded rootkit in the previous HummingBad variant is no longer needed, since the same results are achieved without it. On top of that, the malware can now install an infinite number of fraudulent apps without overloading the device.

“HummingWhale also conducted further malicious activities, like displaying illegitimate ads on a device, and hiding the original app after installation, a trait which was noticed by several users. As can be seen in the image below, HummingWhale also tries to raise its reputation in Google Play using fraudulent ratings and comments, similar to the Gooligan and CallJam malware before it,” the security researchers say.

Lavabit Email Service Returns with New Encryption Platform

24.1.2017 Securityweek Safety
Lavabit, the secure email service that shut down in 2013 after the NSA requested access to Eduard Snowden's email account, is recommencing operations on a new secure end-to-end communications platform, Lavabit owner Ladar Levison announced on Friday.

In August 2013, the service was suspended after the NSA requested its Secure Sockets Layer (SSL) private keys to access the email account of its users. The NSA was reportedly interested in Snowden’s account at the time, but Lavabit suggested that, with the SSL key in its hands, the US government would have been able to access any account.

Lavabit’s closing at the time prompted other online services to take a similar route, including Silent Circle, which shut down its Silent Mail service “to prevent spying,” and Groklaw, a technology news site focused on legal issues. Several months later, Silent Circle and Lavabit formed the Dark Mail Alliance, focused on offering the “next-generation of private and secure email.”

The relaunch of Lavabit’s email service, Levison says, isn’t meant only to continue sustaining online freedom, justice, and liberty, but also to address some of the main issues that email services today face. He also points out that the reopening builds on the Dark Internet Mail Environment (DIME), open source secure end-to-end communications platform for asynchronous messaging across the Internet.

“Today, we start a new freedom journey and inaugurate the next-generation of email privacy and security,” Levison notes on the Lavabit website.

DIME was created with Kickstarter funding, which also helped Levison come up with Magma, an associated DIME-capable free and open source mail server. Released on Friday together with Magma, the end-to-end encrypted global standard was designed to offer multiple modes of security (Trustful, Cautious, and Paranoid), and to address security problems so far have neglected.

The platform was designed as an evolution of OpenPGP and S/MIME, which don’t provide automatic encryption and don’t protect metadata. DIME, on the other hand, encrypts all facets of an email transmission (body, metadata and transport layer), thus aiming to deliver the greatest protection possible without sacrificing functionality.

“DIME is the only automated, federated, encryption standard designed to work with different service providers while minimizing the leakage of metadata without a centralized authority. DIME is end-to-end secure, yet flexible enough to allow users to continue using their email without a Ph.D. in cryptology,” Levison says.

Users can rely on the server to handle all privacy issues, meaning they would have to “trust” the server (Trustful mode), can set it to only store and synchronize encrypted data, including encrypted copies of a user’s private keys and encrypted copies of messages (Cautious mode), or can place a minimum amount of trust in the server, denying it access to private keys (encrypted or decrypted), but losing functionality, as webmail access won’t be available (Paranoid mode).

The service is available for existing users to regain access to their accounts in “Trustful” mode and update their credentials to the new DIME standard, as well as for new users to pre-register for an account.

Lavabit also made the free, open source library, and the associated command line tools for creating and handling the new DIME standard available for everyone, and says that any domain admin can deploy Magma or implement their own encrypted DIME compatible server. Clients for Windows, Mac OS X/iOS, and Linux/Android are also expected to be released.

“Today, the democratic power we transfer to keep identities safe is our own. With your continued patronage, we will restore privacy and make end-to-end encryption an automatic, ubiquitous and open source reality,” Levison concluded.

In 2014, Snowden’s revelations about widespread online surveillance resulted in a push to encrypt email and keep messages free from the government, and the move regained momentum last year, after Apple decided not to provide the FBI with assistance to access San Bernardino’s iPhone, claiming that it was actually asking for a backdoor to all iPhones out there.

'Star Wars' Botnet Has 350,000 Twitter Bots

24.1.2017 Securityweek BotNet
A newly discovered Twitter botnet has been lying dormant for over three years, although it includes more than 350,000 bot accounts, researchers at the University College London have discovered.

Discovered by Juan Echeverria and Shi Zhou, the botnet stands out because all of the bots forming it present several specific characteristics, including the fact that all of them tweeted quotes from Star Wars. In a recently published paper (PDF) called The `Star Wars' botnet with >350k Twitter bots, the researchers also explain that all of the bots used Twitter for Windows Phone to post the messages.

Focused mainly on discussing the manner in which Twitter botnets can be discovered, the paper reveals other characteristics of these bots as well: they all used fake locations within a specific set of geographical coordinates (in Europe and North America), none had more than 11 tweets, more than 10 followers or more than 31 friends, none retweeted or mentioned another user, and all of their IDs were confined to a narrow range.

The researchers also discovered that the bots’ tweets included only the Star Wars quotations, along with either hashtags that are usually associated with earning followers, or the hash symbol # inserted in front of a randomly chosen word. After manually identifying 3,244 such bots, the researchers used machine learning to automatically detect all of the bots featuring the above characteristics (thus part of the Star Wars botnet).

For that, they looked into the content of the tweets created by these bots and a data set of 9,000 real users, and came up with a set of 80,000 words, including 30,000 most frequent words tweeted by the bots, and 50,000 words tweeted by the real users. By creating word count vectors and training the classifier (a machine learning technique) with the vectors, the researchers achieved over 99% precision in the detection of the bots.

The method revealed a total of 356,957 bots that were created between June 20 and July 14, 2013, all of which started tweeting immediately after creation, for a total of 150,000 tweets per day. However, all bots went silent on July 14, 2013, and the creation of new bots also stopped that day, suggesting that they were controlled by a botmaster, the researchers say.

Discussing the manner in which the botnet remained undetected for so long, the paper notes that “the Star Wars bots were deliberately designed to keep a low profile.” The bots tweeted a few times, did nothing special, only tweeted random quotations from novels to use real human's language, used normal profiles (some even had pictures), and included no URLs in their tweets (in addition to never replying or mentioning users and to following only a small number of friends).

The paper notes that the botnet was discovered because tweets were location-tagged, and the used locations created an anomaly that only a human eye could see. While the discovery of the Star Wars bots was “real luck,” the researchers say that it inspired them to look for other similar botnets, and that an even larger one, with over 500,000 bots, was spotted.

“However, the process of discovering these botnets is unique. It is unlikely that we can repeat our luck, because future botnets could easily be programmed to avoid the design `mistakes' of the Star Wars bots. For example bots do not need to tag their locations at all, because most users do not; and bots can quote from all sorts of sources, including other series of books, magazines, web pages, or even social media postings,” the paper reads.

Although the Star Wars bots stayed inactive for more than three years, they shouldn’t be considered harmless, because the botmaster likely still has control over them, the researchers say. Thus, these bots can be easily used for spam, promotion of fake topics, opinion manipulation, astroturfing attacks, fake followers and sample contamination.

What’s more, because these bots are so old and managed to avoid detection for so long, they are believed to be more valuable to cybercriminals. Pre-aged bots are likely to be sold at premium rates on black markets, and “the Star Wars bots are perfectly suited to be sold,” the researchers say. In fact, because 15,000 Star Wars bots have been following a small number of Twitter users outside the botnet, it’s possible they were already sold as fake followers.

“One of the major challenges of research on Twitter bots is the lack of ground truth data,” the security researchers note, calling for new detection methods to find other hidden bots, as well as future bots that are likely to look more and more like normal users. “We argue that more research is needed to fully understand the potential security risks that a large, hidden botnet can pose to the Twitter environment, and research in general,” the researchers say.

Sale of Core Yahoo Assets to Verizon Delayed

24.1.2017 Securityweek IT
Yahoo Sale to Verizon Delayed

San Francisco - Yahoo said Monday its $4.8 billion deal to sell its core internet assets to US telecom titan Verizon has been delayed several months.

The closing originally set for this quarter has been pushed into next quarter due to "work required to meet closing conditions," the California online pioneer said in a statement, adding that it was "working expeditiously to close the transaction as soon as practicable."

The news came in an earnings release showing Yahoo swung to a profit of $162 million in the final three months of last year.

The deal with Verizon, which would end Yahoo's run of more than 20 years as an independent company, has been thrown into doubt following disclosures of two huge data breaches.

Yahoo said Monday it is hustling to ramp up security as it grapples with the aftermath of epic hacks.

"Our top priority continues to be enhancing security for our users," Yahoo chief executive Marissa Mayer said.

She added that "approximately 90 percent of our daily active users have already taken or do not need to take remedial action to protect their accounts, and we're aggressively continuing to drive this number up."

Yahoo boasted having more than a billion users monthly in 2016, with more than 650 million of those people connecting from mobile devices.

Hack aftershocks

The US Securities and Exchange Commission has opened an investigation into whether Yahoo should have informed investors sooner about two major data breaches, the Wall Street Journal reported Sunday, citing people familiar with the matter.

US law requires companies that fall victim to such hacks disclose them as soon as they are deemed to affect stock prices.

Yahoo announced in September that hackers in 2014 stole personal data from more than 500 million of its user accounts. It admitted another cyber attack in December, this one dating from 2013, affecting over a billion users.

The SEC's investigation is focusing on why it took Yahoo several years to reveal the 2013 and 2014 attacks.

The data breaches have been a major embarrassment for a former internet star that has failed to keep up with Google, Facebook and other rising stars.

The cyber attacks, and how notifying users was handled, has also raised concerns by investors that Verizon may seek to pay a lower price for Yahoo or even back out of the deal.

The earnings report showed Yahoo swung to profit a year after a massive $4.4 billion loss in the same period a year earlier, resulting from a large writedown on the value of its holdings.

Revenue in the fourth quarter rose to $1.47 billion from $1.27 billion a year earlier.

Yahoo reported a loss of $214 million for the full year on revenue that inched up to $5.2 billion from $5 billion in 2015, according to the earnings report.

Mayer has been driving a shift to mobile, video, social, and native advertising offerings at Yahoo, and revenue in those areas - which she dubbed '"avens," continued to climb.

Mavens revenue for last year slightly topped $2 billion as compared to $1.7 billion in 2015.

"I'm very pleased with our Q4 results and incredibly proud of the team's execution on our 2016 strategic plan, particularly given the uniquely eventful past year for Yahoo," Mayer said.

Source Code for BankBot Android Trojan Leaks Online

24.1.2017 Securityweek Android
The source code of Android banking Trojan BankBot, along with instructions on how to use it, recently emerged on a hacker forum, Doctor Web security researchers have discovered.

The source code was published about a month ago, but Android malware based on the code was spotted last week. Once the malware gets admin privileges on an infected device, it removes its shortcut from the homescreen to hide itself and hinder removal. Next, it connects to a command and control (C&C) server to retrieve instructions.

The BankBot Trojan is distributed masquerading as benign applications. On the infected devices, it can request administrative privileges to display phishing pages to steal login credentials, intercept and send SMS messages, send USSD requests, retrieve contacts list, track the device, make calls, and receive an executable file containing a list of banking apps to attack.

Malicious programs that provide such capabilities are usually being sold as commercial products on underground forums. However, with the source code of this application leaked online, chances are that the number of attacks involving Android banking Trojans will register a significant increase soon, Dr.Web suggests.

The malware can track the launch of banking applications on the user’s device and overlay phishing dialogues to trick users into revealing their login information. The malware is targeting over three dozen such financial applications, including banking and payment system software.

The security researchers have discovered that the malware can also steal bank card information. For that, the Trojan tracks the launch of multiple popular applications on the device, including Facebook, Viber, Youtube, WhatsApp, Uber, Snapchat, WeChat, imo, Instagram, Twitter, and Play Store, to display a phishing dialog on top of them, tricking users into believing it is a Google Play purchase page.

“Information on found matches is sent to the C&C server. The Trojan receives a list of files to be monitored from execution. After one of them is launched, Android.BankBot.149.origin displays WebView on top of the attacked application with a fraudulent authentication form to access the user account. Then the entered information is sent to the server,” Dr.Web says.

BankBot was also designed to steal SMS messages. When an SMS arrives, the malware turns off sounds and vibrations and sends the content of the message to the cybercriminals, while also attempting to delete the original entry from the list of incoming SMS. This would result in users missing bank notifications about unplanned transactions that cybercriminals are performing.

Data stolen from the device, which includes information on the anti-virus applications installed on the infected device, is uploaded to the C&C server, making it accessible to the cybercriminals. What’s more, the security researchers say, an administration panel provides operators with control over the malicious app.

“In general, the possibilities of this Trojan are quite standard for modern Android bankers. However, as cybercriminals created it with publicly available information, one can anticipate that many Trojans similar to it will appear,” Doctor Web’s security researchers conclude.

“Dumping malware code is great way to allow others to contribute to the code and modify it to help evade detection. This tactic was very successful for distributing Zeus. When you have a larger group modifying the code, the number of variants increases rapidly, making it very hard for security products that rely on pattern matching to detect it,” Lamar Bailey, Senior Director of Security R&D for Tripwire, told SecurityWeek in an emailed comment.

Auto vás může šmírovat! FBI využívá bezpečnostní systémy aut pro sledování i odposlech
23.1.2017 Živě.cz
Bezpečnostní systémy automobilů umožňují získat polohu kradeného vozidla nebo dokonce vypnout motor
Ty stejné systémy ale lze použít ke sledování a odposlechu
FBI tyto možnost již několik let využívá

O tom, že operátoři ukládají metadata hovorů či SMS zpráv, aby je následně mohli zpřístupnit policii, víme všichni. S narůstajícím množstvím elektroniky, která komunikuje se vzdálenými servery, se však nabízí i další možnosti pro bezpečnostní orgány, jak sledovat podezřelé osoby. Jednou z nejdůležitějších kategorií jsou potom systémy v automobilech.

Za normálních okolností zvyšují bezpečnost pasažérů nebo chrání před krádeží, ovšem mohou posloužit i ke sledování či dokonce k odposlechu. Forbes se na toto téma zaměřil poté, co získal soudní spisy odkrývající rozsah využívání těchto prostředků.

Pod neustálým dohledem

Jeden z prvních případů, na které Forbes upozorňuje, pochází z roku 2014, kdy společnost Sirius XM obdržela požadavek na sledování podezřelého vozidla, jež bylo vybaveno právě trackovacím zařízením. To je primárně určeno pro nalezení automobilu v případě jeho krádeže a funguje stejně jako funkce Find My iPhone nebo alternativa pro telefony s Androidem. Pokud majitel nahlásí odcizení vozidla, operátor společnosti aktivuje tuto funkci a okamžitě tak získá polohu auta. Jeho následné nalezení tak není velkým problémem. Takto to funguje o Chevroletu:

Zároveň však jde o perfektní možnost, jak sledovat takto vybavené vozidlo v případě, že někdo potřebuje znát jeho polohu i za jiným účelem. A tím je v tomto případě vyšetřování federálního úřadu FBI. SiriusXM tedy v roce 2014 aktivovala funkci pro sledování vozidla Toyota 4runner a veškerá získaná data o poloze předávala bezpečnostním orgánům. Ty tak mohly podezřelého sledovat celých deset dnů a monitorovat každou jeho cestu. Nakonec došlo k jeho zatčení a obvinění ve spojitosti s hazardem. K tomu zásadní měrou pomohla i funkce Connected Vehicle původně určena k ochraně vozidla. Každoročně je potom prý k této spolupráci společnost vyzvána v asi pěti případech.

Chevrolet v plné výbavě, štěnice v ceně

Poté, co redaktoři Forbesu získali informace o případu sledované Toyoty začali pátrat také u dalších výrobců či poskytovatelů podobných služeb po četnosti spolupráce s FBI. Zaměřili se proto na General Motors, třetího největšího výrobce automobilů na světě.

Hackeři útočili na automobil. Přes web ovládli brzdy i motor
Prvním z případů, na který narazili, bylo sledování drogového dealera v automobilu Chevrolet Tahoe se zabudovaným systémem OnStar. Ten rovněž slouží pro ochranu a nalezení vozidla v případě krádeže. Zde však byl soudním příkazem využit ke sledování podezřelého, který byl zatčen po ujetí 540 km z texaského Houstonu do Ouchita Parish v Louisianě. Podobně dopadl další dealer, u kterého bylo nalezeno 43 gramů heroinu po sledování jeho vozidla GMC Envoy rovněž se systémem OnStar.

Nejzajímavějším případem byl však ten z roku 2007, který se stal osudný Garethu Wilsonovi. Ten ve svém Chevroletu Tahoe náhodou stisknul tlačítko pro rychlou pomoc, které kontaktuje operátora systému OnStar. A protože řidič nereagoval na jeho výzvy, aktivoval odposlech v automobilu, při němž vyslechnul rozhovor o obchodu s drogami. Následně jej zpřístupnil místnímu šerifovi, který kontaktoval další bezpečnostní složky a ty se postarali o zatčení.

Chevrolet Tahoe je těžké díky systému OnStar ukradnout, zároveň jej lze ale sledovat nebo odposlouchávat

Mluvčí GM dodává, že tyto prostředky využívá společnost pouze v nouzi, při požadavku zákazníka (krádež) anebo po soudním příkazu. Počet požadavků, které na GM a jeho systém OnStar vznáší vyšetřující orgány, společnost nezveřejnila. Podělila se pouze s číslem šesti stovek požadavků zákazníků na sledování kradeného vozidla každý měsíc.

Kde končí soukromí?

U žádného z popsaných případů obžalovaní neuspěli při obhajobě a za své činy, nejčastěji obchod s drogami, byli odsouzeni. Soudy trvají na tom, že při vyšetřování jde soukromí stranou a po zahájení trestné činnosti jej nelze očekávat.

Rozdílným případem byl Gereth Wilson, který obchod s drogami vyzradil nechtěně po stisknutí bezpečnostního tlačítka. Ani zde však s obhajobou neuspěl. Podle soudu plnil svoji povinnost jak operátor, jenž aktivoval odposlech v automobilu, tak zasahující šerif, který byl na pravděpodobné nezákonné jednání upozorněn.

Problémem jsou však potenciální případy sledování vozidel či dokonce odposlechů, jenž se nikdy k soudu nedostaly a mohly se týkat nevinných osob. Zda k takovým případům dochází a v jaké míře samozřejmě nelze zjistit, v každém případě by však šlo o vážné narušení soukromí.

Minimálně americké soudy a bezpečnostní orgány jsou v tomto případě neústupné. O tom se přesvědčila společnost ATX, která provozuje podobnou službu pro sledování vozidel a bylo požádána o zjišťování polohy podezřelého vozidla na dobu jednoho měsíce. Když ale FBI chtěla lhůtu sledování prodloužit o další měsíc, zástupci společnosti to odmítli, čímž ale tvrdě narazili. Soud společnosti pohrozil mařením vyšetřování a v případě neuposlechnutí hrozil výraznými sankcemi.

Tady si ale můžeme připomenout kauzu, která nejen americkými médii hýbala před necelým rokem – FBI vs. Apple. V té Apple odmítnul spolupracovat s vyšetřujícím úřadem, ačkoliv se jednalo o těžký zločin, při němž bylo usmrceno 14 lidí. FBI požadovala po Applu přístup do zamknutého telefonu, jenž patřil vrahovi a jehož zpřístupnění by vyšetřování usnadnilo. Apple si nakonec ale svoji pozici uhájil bez jakéhokoliv postihu nebo obvinění z maření vyšetřování. Z tohoto případu by se tedy mohl stát precedens, který by nemusel platit pouze v kategorii mobilních zařízení.

Bezpečí vs. soukromí

O tom, že podobných sledovacích funkcí bude přibývat, není sporu. Pomůže tomu rozšíření elektromobilů a později autonomních vozidel i všudypřítomné chytré elektronky. Její primární účel je jasný – zkvalitňovat lidem život. Zároveň s sebou ale přináší mnohá úskalí, mezi nimiž je i tenká etická linie mezi tím, co je (nejen) při vyšetřování nutnou praktikou a co narušením soukromí.

This Bug Could Allow Hackers to Delete Any Video On Facebook
23.1.2017 thehackernews
A security researcher has discovered a critical vulnerability in Facebook that could allow attackers to delete any video of the social networking site shared by anyone on their wall.
The flaw has been discovered by security researcher Dan Melamed in June 2016, allowing him not only to remotely delete any video on Facebook shared by anyone without having any permission or authentication but also to disable commenting on the video of your choice.
Here's how to exploit this flaw:
In order to exploit this vulnerability, Melamed first created a public event on the Facebook page and uploaded a video on the Discussion part of the event.
While uploading the video, the researcher tampered the POST request using Fiddler and then replace the Video ID value of his video with Video ID value of any other video on the social media platform.
Although Facebook responded to this issue with a server error, i.e. "This content is no longer available," but the new video was successfully got posted and displayed just fine.
Once this task was accomplished, Melamed deleted his event post, which eventually deleted the attached video.
And guess what? This in turned removed the video from the social networking site and the wall of the victim.
"You will also notice in the drop down section that there is the option to "Turn off commenting." This allows you to disable commenting on the video of your choice," Melamed writes.
Video Demonstration


For more step by step details about the vulnerability and how it works, you can watch the proof-of-concept video demonstration above which shows the Facebook video deletion attack in action.
Melamed responsibly reported the vulnerability to the Facebook security team, which patched the vulnerability within two weeks at the beginning of this year.
Shortly after patching the flaw, the social media giant rewarded him $10,000 bug bounty for his efforts.
This is not the very first time when such vulnerability has been disclosed in Facebook that could have allowed attackers to delete any video from Facebook. Bug bounty hunters continuously find and report such bugs to keep the social media platform safe and secure.

Heartbleed Still Affects 200,000 Devices: Shodan

23.1.2017 Securityweek Vulnerebility
While the number of services affected by the OpenSSL flaw known as Heartbleed has decreased, the Shodan search engine has still found nearly 200,000 vulnerable devices.

Heartbleed, tracked as CVE-2014-0160, is a critical vulnerability that allows attackers to steal information protected by SSL/TLS encryption. Some researchers believe the flaw was used in an attack where hackers managed to steal 4.5 million healthcare records.

A search for vulnerable devices conducted by Shodan in November 2015 returned 238,000 results and the number dropped by roughly 1,000 by late March 2016. A new search carried out on Sunday showed that 199,594 services are still vulnerable to Heartbleed attacks.

Many of the affected devices are located in the United States (42,000), followed by South Korea (15,000), China (14,000), Germany (14,000), France, (8,700), Russia (6,600), UK (6,500), India (5,800), Brazil (5,500) and Italy (4,800). HTTPS accounts for a large majority of impacted services.

Geographical distribution of devices affected by Heartbleed

South Korea occupied only the 8th place after previous scans, but it has now become the second most affected country, apparently due to devices operated by SK Broadband, Boranet and KT Corporation (formerly Korea Telecom).

The list of top affected organizations also includes Amazon, Verizon Wireless, German ISP Strato, OVH in France, German hosting firm 1&1 Internet, Comcast, and Taiwan-based HiNet.

Apache HTTP Server (httpd) is by far the most affected product, particularly versions 2.2.22 and 2.2.15, while the top operating system is Linux 3.x. Shodan also found that more than 70,000 of the affected services have expired SSL certificates.

Yahoo Faces SEC Probe into Breach Disclosures

23.1.2017 Securityweek IT
In November 2016 Yahoo announced that it was cooperating with federal, state and foreign agencies, including the US Securities and Exchange Commission (SEC), who were seeking information on the data breaches also announced during 2016. In December, the SEC issued requests for relevant documents from Yahoo, and Yahoo is now reported to be under investigation.

In September 2016 Yahoo announced that it had suffered a breach in 2014. It claimed that 'state-sponsored' attackers had stolen data from 500 million users. Two months later it disclosed that an earlier breach from August 2013 had led to the compromise of 1 billion user accounts. Yahoo has not said when it knew about these breaches.

Different agencies have different rules about the disclosure of data breaches. The SEC's own 2011 rules are considered to be vague, and have never been enforced. It investigated the Target breach, but concluded that its own rules were not broken. These require that incidents that could have a "material adverse effect on the business" should be disclosed, but they do not define what this would be. The sheer size of the two Yahoo breaches combined with the intended acquisition of the organization by Verizon could make this a new test case for the SEC rules.

Yahoo may consider that simply disclosing the breaches before the Verizon acquisition is completed (expected to be during Q1 2017) may be sufficient to comply with the SEC rules. The SEC's primary concern is to protect investors rather than users. Although it was thought that the breaches might cause Verizon to pull out of the acquisition, this is now thought to be unlikely. Yahoo can therefore argue that non-disclosure has not affected investors.

Verizon originally agreed to pay $4.8 billion for Yahoo, although the New York Post reported that it subsequently sought a $1 billion discount following the first disclosure. The report added, "At the same time, the Yahoo deal team is pushing back hard against any attempts to negotiate the price down, sources said."

The SEC is best known for its actions against fraud rather than data protection. In October 2016, it ordered one of the Big 4 global audit companies, Ernst & Young, to pay $11.8 million ($1 million fines and $10.8 million in audit fee give-backs plus interest) for missing a major accounting fraud at Weatherford International.

Other agencies are more concerned about the compromise of personal data. In Europe, current data protection laws are enforced by individual national authorities (such as the Information Commissioner in the UK). The Article 29 Working Group comprises representation from all of the national regulators. In October 2016 it wrote to Yahoo asking for breach details: "As Data Protection Authorities (DPAs) in charge of the protection of European individuals' data, we are deeply concerned by the report and the significant number of EU data subjects which may be affected."

Any subsequent action from European regulators would come from each individual country concerned. For example, the ICO fined TalkTalk $510,000 in October 2016. Such fines could, however, be dwarfed by those available under the upcoming General Data Protection Regulation. Here, the ICO warns, "A notifiable breach has to be reported to the relevant supervisory authority within 72 hours of the organization becoming aware of it... Failing to notify a breach when required to do so can result in a significant fine up to 10 million Euros or 2 per cent of your global turnover."

It seems almost certain that Yahoo did not make its breach notifications within 72 hours of discovery. The implication is that if the GDPR were already operational, Yahoo would have even more problems than it already has.

Francie se připravuje na kyberútoky během květnových prezidentských voleb

23.1.2017 Novinky/Bezpečnost Hacking
Nejen Německo se obává narušení voleb, o které se při loňském výběru nového prezidenta Spojených států pokusili hackeři z Ruska. V pohotovosti je i Francie.
Francouzská státní agentura Anssi, zaměřená na kybernetickou obranu, se pilně připravuje na nadcházející prezidentské volby, které proběhnou letos v květnu. Podle šéfa Anssi Guillauma Pouparda chce zabránit pokusům o ovlivňování veřejného mínění, kterého se měli dopouštět hackeři spojovaní s Kremlem při amerických prezidentských volbách.

Poupard v rozhovoru pro francouzskou zpravodajskou televizi France 24 uvedl, že samotné politické strany nejsou schopny čelit sofistikovaným hackerským útokům, které jsou navíc podporovány cizím státem.

„Je to dost vážná situace, protože na jedné straně stojí silní útočníci, zatímco na straně druhé jsou politické strany. Je třeba si uvědomit, že politické strany jsou v podobné situaci jako malé a střední podniky – nejsou vybaveny k tomu, aby se samy s touto situací dokázaly vypořádat,“ prohlásil Poupard.

„Nejde o útoky jednotlivců, kteří je provádějí jen proto, aby viděli, co se pak stane. Jde o řízenou strategii, která zahrnuje kybernetické útoky, narušování sítí a úniky informací,“ dodal.

Rizikové sčítání hlasů
Podle Pouparda je situace o to vážnější, že si francouzská agentura pro kybernetickou obranu nemůže být jista, zda mezi útočníky nejsou i ti, kteří „pravidelně chodí klepat na dveře ministrů“. Anssi je podle svého šéfa připravena okamžitě varovat veřejnost, pokud dojde k únikům citlivých politických informací před samotnými prezidentskými volbami.

Bezpečnostní experti ale nesdílejí obavy, že by mohlo dojít k reálnému ovlivnění výsledku voleb. Například podle Ilji Kolochenka, generálního ředitele bezpečnostní společnosti High-Tech Bridge, k takovému scénáři nemůže dojít v tak rozvinuté zemi, jakou je Francie.

Velkým rizikem je elektronické hlasování.
Miroslav Dvořák, technický ředitel společnosti ESET
Určitá obezřetnost je ale na místě, doplňuje Miroslav Dvořák, technický ředitel společnosti ESET. „Jedna věc je snaha o ovlivňování veřejného mínění, druhá samotné zajištění ochrany sčítání hlasů. Jakákoli elektronická komunikace je napadnutelná a v případě voleb musí být opravdu dobře zabezpečena,“ vysvětluje.

„Velkým rizikem je elektronické hlasování, ale i když tato forma není v některých zemích povolena, výsledky sčítání hlasů z jednotlivých volebních místností se poté odesílají elektronicky do centrály a to je určitá slabina, která je zneužitelná,“ uvedl Dvořák.

Francouzská média v souvislosti s prezidentskými kandidáty upozorňují, že populární šéfka krajně pravicové Národní fronty Marie Le Penová, jíž průzkumy přisuzují hladký postup do druhého kola voleb hlavy státu, získala k financování své kampaně úvěr od ruských bank. Nový prezident nahradí v Elysejském paláci dosluhujícího Françoise Hollanda, který kvůli mimořádné nepopularitě u voličů ani nezkouší obhájit mandát.

Lavabit, mail používaný Snowdenem, je zpět a bude bezpečnější
23.1.2017 Root.cz
Bezpečná e-mailová služba, kterou používal i Edward Snowden, opět otevřela své brány. Zatím jen dřívějším uživatelům, ale slibuje výrazné zvýšení zabezpečení, aby nebylo možné uživatele v budoucnu ohrozit.
Ladar Levison oznámil, že opět spouští bezpečnou e-mailovou službu Lavabit. Ta se stala nejpopulárnější na svém konci v roce 2013, protože se ukázalo, že ji používal i Edward Snowden. Spekulovalo se dokonce o tom, že právě informace z jeho účtu měly být za nátlakem na provozovatele, který raději službu vypnul, než aby přistoupil na spolupráci a vydání uživatelských dat.

Později se ukázalo, že je to pravda a že NSA chtěla přístup ke všem datům včetně TLS klíčů (dříve SSL). Levison se z této nepříjemné zkušenosti poučil a před několika dny nenápadně naznačil, že se chystá spuštění nového Lavabitu. K tomu nakonec došlo v pátek 20. ledna a na webu Lavabit.com se objevilo veřejné prohlášení.

Píše se v něm, že nová verze je založena na projektech Dark Internet Mail Environment (DIME) a Magma, které byly v roce 2014 úspěšně zafinancovány na Kickstarteru. DIME je nový standard pro bezpečnou komunikaci s podporou end-to-end šifrování a Magma je otevřený e-mailový server, který DIME implementuje.

Prozatím je Lavabit dostupný uživatelům, kteří na něm měli založené účty už dříve – těch existuje 410 000. Uživatelé sice nemají k dispozici svou starou poštu (měli možnost ji zálohovat na konci roku 2013), ale mohou začít novou službu okamžitě využívat. V zašifrované podobě prý existuje více než 50 milionů zpráv ze starého systému, ale není jasné, zda bude možné e-maily přenést do nového Lavabitu.

Časem bude možné se běžným způsobem registrovat, zatím to ale není možné a spuštěny jsou pouze předregistrace s výhodnější poloviční cenou.

Více šifrování, žádná metadata
Služba už nechce v budoucnu vystavit uživatele podobnému riziku jako před více než třemi lety, proto se rozhodla pro několik razantních změn. Aby nebylo možné získat TLS klíče, nemají ji k dispozici ani lidé Lavara Levisona. Soukromé klíče jsou prý uloženy v HSM (Hardware Security Module), který je nikomu nevydá, ale umožní jejich použití v infrastruktuře Lavabitu. Podobná zařízení používají například certifikační autority, ale i další společnosti, které chtějí zabránit odcizení privátních klíčů například při bezpečnostním průniku.

Klíče prý byly vygenerovány „naslepo“, takže je nikdo neviděl. Poté byly vloženy do HSM a původní kopie byla zničena. Jakmile jsou klíče uvnitř, už je nikdo nedokáže dostat ven, potvrdil jeden z vývojářů služby, který veřejně vystupuje jen pod jménem Sean. Je jedním z mnoha dobrovolníků, kteří se na vývoji systému podílejí, ale nechtějí prozradit svou identitu.

Ladar Levison, Lavabit
Autor: Albert Herring, podle licence: CC BY-SA 2.0
Ladar Levison, Lavabit
Klíče jsou zatím pro bezpečnost Lavabitu kritické, ale během následujících měsíců má být uvolněn nový systém end-to-end šifrování, který jejich důležitost sníží. Uživatelé totiž své zprávy zašifrují už na svém vlastním zařízení, včetně všech metadat. To má být jedna z klíčových vlastností nového Lavabitu, který neumožní vládním agenturám a jiným subjektům sbírat vůbec žádná data, tedy ani metadata.

Jde o veškerá transakční data z hlaviček, tedy kdo, komu a například předmět zprávy. V případě použití normálního e-mailu jsou tyto informace otevřené, i když je zbytek zprávy zašifrován. Různé subjekty mohou ale číst tyto servisní informace a v mnoha případech je i z nich možné vyčíst poměrně hodně. Lavabit slibuje, že zpráva bude zašifrovaná end-to-end jako celek, takže poslouchající agent se nedozví nic.

Model anonymizovaného zasílání zpráv je vypůjčen z principu fungování sítě Tor. Jakmile uživatel odesílá zašifrovanou zprávu, jen jeho poskytovatel připojení ví, že někomu píše. Nezná však cílovou adresu příjemce, jen jeho doménu. Plná adresa je zašifrována pro cílový server, který ji dokáže rozšifrovat, nezná ale zase plnou adresu odesílatele. Všechny informace znají jen uživatelé na obou stranách end-to-end šifrovaného kanálu.

Tři stupně bezpečnosti
Jakmile se Lavabit otevře veřejnosti, přijde se třemi režimy bezpečnosti: Trustful, Cautious a Paranoid. Česky bychom mohli říct: Důvěřivý, Obezřetný a Paranoidní.

První zmiňovaný bude určen uživatelům, kteří nepotřebují příliš mnoho skrývat a dají přednost pohodlnému používání. Tento způsob bude připomínat starý Lavabit – zprávy jsou šifrovány na serverech provozovatele. Znamená to ale, že uživatel musí věřit Ladaru Levisonovi a jeho týmu. Pro mnohé z nich je ale dostatečným důkazem fakt, že je ochoten službu raději zavřít než by ji otevřel někomu cizímu.

Zároveň je software Lavabitu otevřený, takže kdokoliv má možnost si jej zkontrolovat. To znamená, že pokud celé službě odmítáte věřit, můžete si vytvořit vlastní. Zdrojové kódy jsou na GitHubu: libdime a Magma. Jaká jiná služba pro posílání zašifrovaných zpráv vám dovolí stáhnout si její server a použít u sebe? ptá se řečnicky Levison.

Prostřední stupeň zabezpečení přesouvá šifrování ze serverů Lavabitu na uživatelská zařízení. Klíč je vygenerován přímo u uživatele, poté zašifrován zadanou frází a uložen na serveru. To umožňuje pohodlně službu používat napříč několika zařízeními, protože Lavabit nemá k dešifrované podobě klíče přístup a zároveň je možné tento klíč pohodlně získat při vybalení nového zařízení z krabice. Stačí se přihlásit.

Pokud bude uživatel chtít ještě víc, sáhne po třetím stupni. Ten zcela ruší ukládání klíčů na serveru a ponechává je jen v uživatelově zařízení. Správa klíčů je pak plně v rukou uživatele. Pokud bude chtít Lavabit používat třeba i v mobilu, bude muset klíče přenést ručně ze svého počítače. Samozřejmě zároveň platí, že v případě ztráty klíčů neexistuje způsob, jak je obnovit. Server je nezná a nedokáže pomoci. Data jsou v tu chvíli ztracena.

Má šanci, díky Snowdenovi
Právě zmíněná historie spojená s Edwardem Snowdenem dává Lavabitu šanci prorazit. Podobných služeb se za posledních několik let vyrojily tucty, ale známé jméno a zajímavá historie mohou na službu zapůsobit jako živá voda. Má však jen jednu šanci.

Sám Snowden říká, že tím nejcennějším, co může Lavabit nabídnout je ochota raději firmu zavřít než prodat uživatele. To je hodně velká věc. Jsou možná jediní na světě, kteří to mohou tvrdit, řekl v jednom z rozhovorů Snowden.

Over 199,500 Websites Are Still Vulnerable to Heartbleed OpenSSL Bug
23.1.2017 thehackernews

It's more than two and half years since the discovery of the critical OpenSSL Heartbleed vulnerability, but the flaw is still alive as it appears that many organizations did not remediate properly to the serious security glitch.
It was one of the biggest flaws in the Internet's history that affected the core security of as many as two-thirds of the world's servers i.e. half a million servers at the time of its discovery in April 2014.
However, the critical bug still affects more than 199,500 systems even after 2 years and 9 months have already passed, according to a new report published today on Shodan, a search engine that scans for vulnerable devices.
Over 199,500 Systems Still Vulnerable to Heartbleed
Heartbleed (CVE-2014-0160) was a serious bug in the OpenSSL's implementation of the TLS/DTLS heartbeat extension that allowed attackers to read portions of the affected server’s memory, potentially revealing users data that the server isn't intended to reveal.
According to Shodan CEO John Matherly, about 199,500 services remain exploitable by the Heartbleed vulnerability due to unpatched OpenSSL instances.
The countries most affected by Heartbleed still remain the United States, followed by Korea, China, Germany, France, Russian Federation, United Kingdom, India Brazil and Italy.
Matherly discovered 42,032 heartbleed-exploitable services in the United States, 15,380 in Korea, 14,116 in China, and 14,072 services in Germany.
With top organizations vulnerable to the OpenSSL bug is SK Broadband and Amazon.com, and about 75,000 of the vulnerable services use expired SSL certificates and run Linux 3.x.
Heartbleed is one of many flaws that often exist unpatched in the wild, and now that the bug has been more than two and half years old and known to everybody, anyone can simply use it to carry out attacks against the still affected systems.
Around 200,000 is really a troubling number, and one can imagine the danger and damages caused by the bug if exploited.
Software bugs may come and go, but this flaw is more critical and probably the biggest Internet flaw in recent history as it left the contents of a server's memory, where the most sensitive data is stored, exposed to the attackers.
What are the Steps to Protect your Systems against Heartbleed?
It takes roughly three steps to remediate the Heartbleed bug.
Patching: Update your software to the latest versions of OpenSSL; thankfully almost all organization have accomplished this step.
Creation of New Private Keys: Creating new private keys will prevent an attacker, who already exploited the flaw before patching, from being able to spy on your encrypted.
Reissuance of Security Certificates: This step will eliminate the ability of any attacker to spoof organizations and fool or phish their customers.

Expert Hacks Internal DoD Network via Army Website

23.1.2017 Securityweek Hacking

A security researcher who took part in the Hack the Army bug bounty program managed to gain access to an internal Department of Defense (DoD) network from a public-facing Army recruitment website.

Hack the Army ran via the HackerOne platform between November 30 and December 21, and the results of the program have now been made public. A total of 371 people registered, including 25 government employees, and they submitted 416 vulnerability reports – the first one came within five minutes of launch.

Roughly 118 of the reports have been classified as unique and actionable, and participants have been awarded a total of approximately $100,000. The final amount may be larger as bounties are still being paid out.

The most noteworthy submission came from a researcher who managed to chain multiple vulnerabilities in order to get from the goarmy.com Army careers website to an internal DoD network that can normally be accessed only by authorized users.

“They got there through an open proxy, meaning the routing wasn’t shut down the way it should have been, and the researcher, without even knowing it, was able to get to this internal network, because there was a vulnerability with the proxy, and with the actual system,” the Army said in a blog post on HackerOne.

The Army believes an automated testing system could not have known how to chain less serious flaws into a potentially dangerous exploit.

Hack the Army was announced in mid-November after the DoD awarded a combined $7 million contract to HackerOne and Synack for helping the organization’s components launch bug bounty programs similar to Hack the Pentagon.

Hack the Pentagon received 138 valid submissions and it cost the U.S. government $150,000, half of which went to participants. Thanks to the success of these programs, similar events will likely be launched in the future.

In the meantime, researchers who find flaws in the DoD’s *.defense.gov and *.mil websites are still encouraged to report them. The Pentagon recently published its vulnerability disclosure policy in an effort to provide guidance to white hat hackers on how to legally report their findings.

Symantec Revokes Wrongly Issued Certificates

23.1.2017 Securityweek Safety

Symantec has revoked numerous wrongly issued certificates, including for domains such as example.com and test.com. This is not the first time the security firm’s certificate issuance practices have come under scrutiny.

The misissued certificates were spotted via the Certificate Transparency (CT) system by Andrew Ayer, founder of SSLMate. The expert discovered several certificates for example.com, which he confirmed were not authorized by the domain’s owner. He also identified certificates for domains such as test.com, test1.com, test2.com, and others containing the string “test.”

Ayer found more than 100 wrongly issued certificates attributed to Symantec and its subsidiaries GeoTrust and Thawte. The problematic certificates have several entries with the value “test,” which suggests they have been issued for testing purposes.

19 Jan
Andrew Ayer @__agwa
This is a HUGE no-no. There are very specific rules certificate authorities must follow to verify that a certificate request is authorized.
Andrew Ayer @__agwa
Even if the certs were only for testing, if a system allows employees to bypass authorization, it will allow attackers to bypass it too.
10:50 PM - 19 Jan 2017
Retweets likes

Steven Medin, PKI policy manager at Symantec, said the certificates had been issued by one of the company’s WebTrust audited partners. Medin said this partner’s privileges have been reduced to restrict further issuance and the reported certificates have all been revoked.

Ayer has advised domain owners to monitor CT logs to determine if unauthorized certificates have been issued for their websites. Since this is not the first time Symantec has misissued certificates, the expert has also recommended excluding the company via CAA records, which allow users to specify which CA can issue certificates for their domain.

In October 2015, Google asked Symantec to improve its certificate issuance practices after Thawte was caught releasing certificates for google.com domains. The company claimed to have issued the certificates for testing purposes, but it ultimately decided to terminate some employees after completing its investigation.

Symantec’s certificate business also made the news in February 2016, when the company asked browser vendors to allow it to issue nine new SSL certificates signed with SHA-1 for Worldpay after the payment processor failed to upgrade some devices before the December 31, 2015, deadline.

Mozilla Internet Health Report calls for more security and privacy

23.1.2017 securityaffairs Security

The Mozilla foundation has published its first Internet Health Report to analyze the dangers of the Internet that we can consider as a global commodity.
The Mozilla foundation has published its first Internet Health Report to analyze the dangers of the Internet that we can consider as a global commodity.

The oligarchy of internet companies. internet monitoring, censorship and new threats posed by Internet of Things devices every day menace our privacy.

Mozilla aims to track the health of the Internet focusing on aspects such as the Open Innovation, Digital Inclusion, Decentralization, Privacy and Security and Web literacy.

“We want to work with people and organizations that care about a healthy internet to engage the general public in caring more deeply about ‘internet health,’ in the way that the environmental movement was able to grow mainstream using terms like ‘global warming’ that no one previously had heard of,” explained the editor Solana Larsen.

Positive news from the security and privacy perspective, communications over the Internet is more secure thanks to the efforts of organizations and private companies.

The Internet Health Report appreciates the adoption of end-to-end encryption by messaging apps and other web services and welcomes the upcoming new version of the Transport Layer Security (TLS 1.3) cryptographic protocol that will make the web more secure and fast.

“More messaging apps, including WhatsApp, now offer end-to-end encryption, meaning that conversations are protected from eavesdroppers, including the service provider.” states the report.

“Web traffic encryption is rising too. One factor is the launch of Let’s Encrypt, a new certificate authority that makes it easy and free to add HTTPS to any website. This helps protect the privacy of users, and offers some guarantee they are not looking at spoof pages. Also driving adoption, search engines and browsers are now subtly rewarding HTTPS websites.

Unknown to most, Internet communication will be more private, and possibly also faster, due to an upcoming new version of the cryptographic protocol called Transport Layer Security (TLS 1.3) that is used to secure all communications between Web browsers and servers.”

Unfortunately, snooping powers continues to grow, several states continues to spend a significant effort in surveillance activities threatening users’ privacy.

“There is more public scrutiny of surveillance laws than before, but it hasn’t stopped greater snooping powers from being proposed in Britain, Pakistan, France and several other countries,” states the report.

The report also warns of the risks related to a rapid and uncontrolled diffusion of unsecured IoT device. The lax of security is the root cause for the success of botnet like Mirai and open the door to surveillance and hacking activities.

“In November 2016, a malware program called Mirai mobilized 100,000 connected devices, including webcams and baby monitors, in a distributed denial-of-service attack (DDOS) that briefly took down parts of the internet,” states the report.

“The owners of those compromised devices may never know (or care) what happened, and cheap and insecure devices will continue to be manufactured, unless safety standards, rules and accountability measures take hold,” they said.

Mozilla Foundation is calling to action everyone to improve and ensure security and privacy.

“Above all, we should be more critical about what information we share voluntarily. Will the online dating profile you posted 6 years ago ever get deleted? How long do the online ads you view track you? Even if you’d like to know the privacy conditions of online platforms, they are usually not written in English,” closes the report.

Do web injections exist for Android?
23.1.2017 Kaspersky Android
Web injection attacks

There’s an entire class of attacks that targets browsers – so-called Man-in-the-Browser (MITB) attacks. These attacks can be implemented using various means, including malicious DLLs, rogue extensions, or more complicated malicious code injected into pages in the browser by spoofing proxy servers or other ways. The purpose of an MITB attack may vary from relatively innocuous ad spoofing on social networks or popular websites to stealing money from user accounts – the latter is what happened in the Lurk case.


A malicious app masquerades as a Kaspersky Lab product in an MITB attack

Web injection is used in most cases when an MITB-class attack targets online banking. This type of web injection attack involves malicious code being injected into an online banking service webpage to intercept the one-time SMS message, harvest information about the user, spoof banking details, etc. For example, our Brazilian colleagues have long reported about barcode spoofing attacks performed when users print out Boletos – popular banking documents issued by banks and all kind of businesses in Brazil.

Meanwhile, the prevalence of MITB attacks in Russia is decreasing – cybercriminals are opting for other methods and attack vectors to target banking clients. For the average cybercriminal, it is much easier to use readily available tools than develop and implement web injection tools.

Despite this, we’re often asked if there are any web injection attacks for Android devices. This is our attempt to investigate and give as full an answer as possible.

Web injection on Android

Despite the term ‘inject’ being used in connection with mobile banking Trojans (and sometimes used by cybercriminals to refer to their data-stealing technologies), Android malware is a whole different world. In order to achieve the same goals pursued by web injection tools on computers, the creators of mobile Trojans use two completely different technologies: overlaying other apps with a phishing window, and redirecting the user from a banking web page to a specially crafted phishing page.

Overlaying apps with phishing windows

This is the most popular technology with cybercriminals and is used in practically all banking Trojans. 2013 was when we first encountered a piece of malware overlaying other apps with its phishing window – that was Trojan-Banker.AndroidOS.Svpeng.

Today’s mobile banking Trojans most often overlay the Google Play Store app with their phishing window – this is done in order to steal the user’s bank card details.


The Marcher malware

Besides this, Trojans often overlay various social media and instant messaging apps and steal the passwords to them.

Do web injections exist for Android?


However, mobile banking Trojans typically target financial applications, mostly banking apps.

Three methods of MITB attacks for mobile OS can be singled out:

1. A special Trojan window, crafted beforehand by cybercriminals, is used to overlay another app’s window. This method was used, for example, by the Acecard family of mobile banking Trojans.


Acecard phishing windows

2. Apps are overlaid with a phishing web page located on a malicious server. This way, the cybercriminals can modify its contents any time they need to. This method is used by the Marcher family of banking Trojans.


Marcher phishing page

3. A template page is downloaded from a malicious server, to which the icon and the name of the attacked application is added. This is how one of the Trojan-Banker.AndroidOS.Faketoken modifications manages to attack over 2,000 financial apps.


FakeToken phishing page

It should be noted that starting from Android 6, for the above attack method to work, the FakeToken Trojan has to request the privilege of displaying its window on top of other app windows. It’s not alone though: as new versions of Android are gaining popularity, a growing number of mobile banking Trojans are beginning to request such privileges.

Redirecting the user from the bank’s page to a phishing page

We were only able to identify the use of this technology in the Trojan-Banker.AndroidOS.Marcher family. The earliest versions of the Trojan that redirected the user to a phishing page are dated late April 2016, and the latest are from the first half of November 2016.

Redirecting the user from a bank’s webpage to a phishing page works as follows. The Trojan subscribes to modify browser bookmarks, which includes changes in the current open page. This way the Trojan knows which webpage is currently open, and if it happens to be one of the targeted pages, the Trojan opens the corresponding phishing page in the same browser and redirects the user there. We were able to find over a hundred web pages belonging to financial organizations that were targeted by the Marcher family of Trojans.

However, two points need to be raised:

All new modifications of the Marcher Trojan that we were able to detect no longer use this technology.
Those modifications that used this technology also used a method of overlaying other apps with their phishing window.
Why then was the method of redirecting the user to a phishing page used by only one family of mobile banking Trojans, and why is this technology no longer used in newer modifications of the family? There are several reasons:

In Android 6 and later versions, this technology no longer works, meaning the number of potential victims is decreasing every day. For example, around 30% of those using Kaspersky Lab’s mobile security solutions now use Android 6 or a later version;
The technology only worked on a limited number of mobile browsers;
The user can easily spot that they are being redirected to a phishing site and they may also notice that the URL of the webpage has changed.
Attacks launched using root privileges

With superuser privileges, Trojans can perform any attack, including real malicious injections into browsers. Although we were unable to find a single case of this happening, the following should be noted:

Some modules of Backdoor.AndroidOS.Triada can substitute websites in certain browsers, using superuser privileges. All the attacks we found were launched with the purpose of making some money from advertising only, and did not result in the theft of banking information.
The banking Trojan Trojan-Banker.AndroidOS.Tordow, using superuser privileges, can steal passwords saved in browsers, which may include passwords to financial websites.

We can state that, despite all the available technical capabilities, cybercriminals that target banks do not make use of malicious web injections in mobile browsers or injections in mobile apps. Sometimes they use these technologies to spoof adverts, but even then that requires highly sophisticated malicious software.

So why do cybercriminals ignore the available opportunities? Most probably it is because of the diversity of mobile browsers and apps. Malware writers would have to adapt their creations to a long list of programs, which is rather costly, while simpler and more versatile attacks involving phishing windows do not require so much effort to target a larger number of users.

Nonetheless, the Triada and Tordow examples suggest that similar attacks may well take place in the future as malware creators gain more expertise.

Source Code for another Android Banking Malware Leaked
23.1.2017 thehackernews Android
Another bad news for Android users — Source code for another Android banking malware has been leaked online via an underground hacking forum.
This newly discovered banking Trojan is designed to steal money from bank accounts of Android devices' owners by gaining administrator privileges on their smartphones.
Apparently, it will attract the attention of many cyber criminals who can recompile the source code or can also use it to develop more customized and advanced variants of Android banking Trojans.
According to security researchers from Russian antivirus maker Dr. Web, the malware's source code was posted online, along with the information on how to use it, meaning Android devices are most likely to receive an increasing number of cyber attacks in upcoming days.
Leaked: Trojan Source Code + 'How to Use' Instructions
Dr. Web researchers said they have already discovered one banking trojan in the wild developed using this leaked source code, adding that the Trojan is distributed as popular apps either directly injected in APKs available online or in third-party app stores.
Dubbed BankBot, the trojan has the ability to get administrator privileges on infected devices. Once it gets full privileges, the malware trojan removes the app's icon from the phone's home screen in order to trick victims into believing it was removed.
However, the BankBot trojan remains active in the background, waiting for commands from attacker's command and control (C&C) server. It found targeting only users of Russian banks.
Also Read: GM Bot (Android Malware) Source Code Leaked Online
BankBot has the ability to perform a broad range of tasks, including send and intercept SMS messages, make calls, track devices, steal contacts, show phishing dialogs, and steal sensitive information, like banking and credit card details.
"Like many other Android bankers, [BankBot] steals confidential user information by tracking the launch of online banking apps and payment system software. One sample examined by Doctor Web's security researchers controls over three dozen such programs," the researchers explains.
"Once Android.BankBot.149.origin detects that any of the aforementioned applications have been launched, it loads the relevant phishing input form to access user bank account login and password information and displays it on top of the attacked application."
Why Should You Worry about BankBot?
The malware hides itself until the victim opens any mobile banking or social media app. Once the victim opens one such app, BankBot launches a phishing login overlays, tricking victims to re-authenticate or re-enter their payment card details.
The collected data is then sent back to online servers, where the attackers can access the stolen data.
BankBot can phish credentials for apps including Facebook, WhatsApp, Instagram, Twitter, Youtube, Snapchat, Viber, WeChat, imo, Uber, and the Google Play Store.
Besides this, the BankBot trojan can also intercept text messages, send them to the attackers, and then delete them from the victim's smartphone, which means bank notifications never reach the users.
How to Protect Yourself against such Attacks?
Now, this is just one piece of malware developed using the publicly available source code and discovered by researchers. There are chances that more such malware are out there targeting Android devices but not yet caught.
To prevent yourself against such attacks, as I previously recommended, you are advised to:
Always be super-careful when downloading APKs from third-party app stores. Go to Settings → Security and then Turn OFF "Allow installation of apps from sources other than the Play Store."
Never open attachments from unknown or suspicious sources.
Never click on links in SMS or MMS sent to your mobile phone. Even if the email looks legit, go directly to the website of origin and verify any possible updates.
Always keep your Anti-virus app up-to-date.
Keep your Wi-Fi turned OFF when not in use and Avoid unknown and unsecured Wi-Fi hotspots.

Number of U.S. Data Breaches Increased in 2016: Report

23.1.2017 Securityweek Crime
The number of data breaches disclosed by organizations in the United States has increased by 40 percent in 2016 compared to the previous year, according to a report released on Thursday by CyberScout (formerly IDT911) and the Identity Theft Resource Center (ITRC).

ITRC has counted 1,093 breaches and more than 36 million exposed records across sectors such as financial, business, education, government and military, and healthcare. While this is an all-time record high and a significant increase from the 780 breaches reported in 2015, experts believe this upwards trend is also due to more states disclosing incidents on their websites.

It’s also worth noting that while 36 million records might not seem much, ITRC has pointed out that half of the breach notifications did not disclose the number of exposed records.

Nearly half of the data breaches disclosed last year affected the business sector (494), followed by healthcare (377), education (98), government (72) and financial (52). Hacking, phishing and skimming attacks, including business email compromise (BEC) schemes, accounted for more than 55 percent of incidents.

Data breach trends

ITRC has determined that at least 52 percent of the breaches reported in 2016 involved social security numbers and 13 percent involved payment cards. While the number of incidents exposing credit and debit cards has decreased compared to 2015, exposure of SSNs increased by 8.2 percent.

“More than half of the breaches reported by the ITRC included the skeleton key to our lives: the Social Security number. This trend, which has accelerated since 2015— when just four breaches exposed over 120 million Social Security numbers to state-sponsored hackers and cyber criminals— represents the point of no return for millions of Americans,” said Adam Levin, Chairman and Founder of CyberScout. “While credit and debit card numbers can be changed, SSNs cannot. Therefore, monitoring and damage control become even more important than ever before.”

The complete list of breached organizations and information on each incident are available in ITRC’s 2016 Data Breach Report.

OurMine crew hacked the New York Times Twitter video account
23.1.2017 securityaffairs
The New York Times is investigating the hack of its Twitter video account (@nytvideo) that was used to post a fake news on Sunday morning.
@nytvideo is the newspaper is the New York Times video account and has more than 250,000 followers on the platform.
Yesterday around 9:40 a.m. ET the Twitter account shared a fake news about a missile attack from Russia against the United States. The message about the “missile attack” quoted a “leaked statement” from Russian President Vladimir Putin.

New York Times hacked

That fake news was quickly deleted, while other tweets were claiming the involvement of the dreaded OurMine hacker group. The group, who hacked the Netflix US Twitter account (@Netflix) in December to promote its website and hacking services, is known for its attacks against high-profile Twitter accounts. The list of victims is very long and includes Mark Zuckerberg, Twitter co-founder Evan Williams, David Guetta Daniel Ek, former Twitter CEO Dick Costolo, Twitter CEO Jack Dorsey, the CEO and founder of Spotify, Google CEO Sundar Pichai, and many others.

One of the messages shared by OurMine confirmed that the group is responsible for the hijacking of the Sony Music’s Twitter account occurred last month when the hackers tweet a hoax about Britney Spears’ death.

Below the messages shared by the group:

“Message from OurMine: We detected unusual activity on the account and we re-hacked it to make sure if the account is hacked or not,” read one tweet posted to the @nytvideo account Sunday.

New York Times hacked

All the messages were deleted by IT staff at The York Times, the account also posted a message to confirm that a series of tweets published from the account “without our authorization” were removed.

New York Times Video ✔ @nytvideo
We deleted a series of tweets published from this account earlier today without our authorization. We are investigating the situation.
4:17 PM - 22 Jan 2017
188 188 Retweets 146 146 likes
“We are investigating the situation,” that tweet read.

Western Union agreed to pay $586 Million to settle fraud charges
23.1.2017 securityaffairs Incindent

The money transfer leader company Western Union has agreed to forfeit $586 million to settle fraud charges and admitted it facilitated scammers.
Money transfer leader company Western Union has admitted to facilitating wire fraud and it has agreed to pay $586 million to settle fraud charges from the U.S. Federal Trade Commission (FTC) and the Department of Justice.

The services offered by the Western Union’s have often exploited by crooks and fraudsters because the company has failed to maintain a proper anti-fraud program.

The U.S. Federal Trade Commission (FTC) and the Department of Justice accused the company of not taking immediate action against cyber criminals that used its service to transfer money that is the result of illicit activities.

Since 2001, the US authorities have convicted 29 owners and employees of Western Union agents for their active participation in fraud schemes.

“As this case shows, wiring money can be the fastest way to send it – directly into the pockets of criminals and scam artists,” said Acting Assistant Attorney General David Bitkower. “Western Union is now paying the price for placing profits ahead of its own customers. Together with our colleagues, the Criminal Division will both hold to account those who facilitate fraud and abuse of vulnerable populations, and also work to recoup losses and compensate victims.”

“Our investigation uncovered hundreds of millions of dollars being sent to China in structured transactions designed to avoid the reporting requirements of the Bank Secrecy Act, and much of the money was sent to China by illegal immigrants to pay their human smugglers,” said U.S. Attorney Eileen M. Decker. “In a case being prosecuted by my office, a Western Union agent has pleaded guilty to federal charges of structuring transactions – illegal conduct the company knew about for at least five years. Western Union documents indicate that its employees fought to keep this agent – as well as several other high-volume independent agents in New York City – working for the Western Union because of the high volume of their activity. This action today will ensure that Western Union effectively controls its agents and prevents the use of its money transfer system for illegal purposes.”

Western Union has been charged with violating several laws, including the Bank Secrecy Act (BSA) and the FTC Act.

The FTC said Western Union had received, between January 1, 2004 and August 29, 2015, 550,928 complaints regarding fraudulent transfers.

Fraudulent money transfers are related to online dating, lottery, family emergency scams and other illegal activities. The total of the transfers totaled more than $632 million, but prosecutors believe it is just the tip of the iceberg. Many victims don’t file a complaint and fraud-reporting mechanisms are not available everywhere.

“Western Union maintains a database of complaints it receives about fraud-induced money transfers. Based on information in that database, between January 1, 2004 and August 29, 2015, Western Union received at least 550,928 complaints about fraud-induced money transfers, totaling at least $632,721,044. Over 80% of the complaints in the database were from U.S. consumers” reads the complaint.

Western Union

Western Union has agreed to forfeit $586 million, the money will be used to compensate the victims of the frauds.

“The Western Union Company (Western Union), a global money services business headquartered in Englewood, Colorado, has agreed to forfeit $586 million and enter into agreements with the Federal Trade Commission, the Justice Department, and the U.S. Attorneys’ Offices of the Middle District of Pennsylvania, the Central District of California, the Eastern District of Pennsylvania and the Southern District of Florida. In its agreement with the Justice Department, Western Union admits to criminal violations including willfully failing to maintain an effective anti-money laundering program and aiding and abetting wire fraud.” states the settlement.

The FTC has ordered Western Union to implement and maintain a comprehensive anti-fraud program, it prohibits the company from transmitting a money transfer that it knows or reasonably should know is fraud-induced, and requires it to:

block money transfers sent to any person who is the subject of a fraud report;
provide clear and conspicuous consumer fraud warnings on its paper and electronic money transfer forms;
increase the availability of websites and telephone numbers that enable consumers to file fraud complaints; and
refund a fraudulently induced money transfer if the company failed to comply with its anti-fraud procedures in connection with that transaction.
Western Union isn’t the unique money transfer company targeted by the FTC, MoneyGram agreed to pay $18 million in 2009 to settle charges.

Russian Hacker behind 'NeverQuest' Malware, Wanted by FBI, Is Arrested in Spain
22.1.2017 thehackernews Hacking
A Russian computer hacker wanted by the FBI on hacking allegations was arrested and jailed in Spain earlier this week, while a decision on his extradition to the United States has yet to be made.
The Guardia Civil, Spanish law enforcement agency officers, have detained 32-year-old Stanislav Lisov at Barcelona–El Prat Airport based on an international arrest warrant issued by Interpol at the request of the FBI.
Lisov is arrested on suspicion of creating and operating the NeverQuest Banking Trojan, a nasty malware that targeted financial institutions across the world and caused an estimated damage of $5 Million.
The arrest was made after U.S. intelligence agencies found that Russian hackers were behind the November 2016 election hacks that possibly influenced the presidential election in Donald Trump's favor.
However, Spanish police made an official statement, saying that the FBI had requested the arrest of Lisov after an investigation that started in 2014.
NeverQuest banking trojan provided fraudsters access to computers of people and financial institutions to steal banking data.
The Trojan, which spreads itself via social media, email and file transfer protocols, can modify content on banking websites and inject rogue forms into these sites, allowing attackers to steal login credentials from users.

NeverQuest can also allow malicious attackers to take control of a compromised computer through a Virtual Network Computing (VNC) server and then use those computers to log into the victim’s online bank and perform the theft.
"A thorough investigation of the servers operated by Lisov in France and Germany revealed databases with stolen lists of information from accounts of financial institutions, with data indicating, among other things, account balances," the Spanish Civil Guard said Friday.
"One of the servers leased by Lisov contained files with millions of login credentials, including usernames, passwords, and security questions and answers, for the bank and financial website accounts."
Lisov reportedly works as a systems administrator and website developer for a local company in Taganrog, Russia.
The Russian hacker is being held under observation by authorities in the north-eastern region of Catalonia before Spain's High Court decides whether to extradite him to the United States.

Cyber crimes spike in England and Wales, says ONS
22.1.2017 securityaffairs Hacking
For the first time the England the Office for National Statistics (ONS) includes data related hacking and fraud, and findings are shocking.
Cyber criminal activities in England and Wales have shown a spike in the last twelve months, Cyber frauds and computer misuse offences are most common crimes of this worrisome trend.

According to the report “Crime in England and Wales: year ending Sept 2016” published by the UK Office for National Statistics (ONS) there were 6.2 million reported incidents of crime in the 12 months to September 2016 in England and Wales.

The ONS crime report is an annual analysis of the criminal phenomena and has been produced every year for the past 35 years. Data belonging Scotland and Northern Ireland are not included because the two countries have separate judicial and policing regime.

“Headline figures from the Crime Survey for England and Wales (CSEW) produced on a consistent basis showed an estimated 6.2 million incidents of crime in the survey year ending September 2016; no statistically significant change compared with the previous year’s survey.” states the report.

“Following an extension of the coverage of the survey, Experimental Statistics showed there were 3.6 million fraud and 2.0 million computer misuse offences for the first full year in which such questions have been included in the CSEW.”

This overall figure is unchanged compared with the previous 12 months, except for the weight of the cyber criminal activities.

Experts noticed that adding 3.6 million cases of fraud and 2 million computer misuse offences to 6.2 million figure of crime, the number of reported incidents reached 11.8 million. This data represent a 90 per cent surge in criminal activities.


The most important consideration to do reading the report is the inclusion of computer crime and fraud, this means that the awareness of cyber threats is increasing.

Supercell, Clash of Clans authors, hacked. 1 Million accounts compromised
22.1.2017 securityaffairs Hacking
Reportedly, over a million accounts on the Supercell community forum have been compromised after a data breach occurred in 2016.
The firm Supercell, the authors of the notorious “The Clash of Clans” mobile game admitted that accounts on Supercell community forum have been hacked. Supercell is the creator of popular games such as Clash of Clans, Hay Day, Clash Royale, and Boom Beach.

According to an official statement issued by the company, hackers compromised more than 1 million accounts in a data breach occurred in September 2016.

LeakBase confirmed that the number of affected user account is 1 million.

The cyber attack affected the Supercell community forum said in an official statement that the breach happened in September 2016 and that the site’s forums were affected. According to the company, hackers exploited a vulnerability in the Vbulletin CMS used by Supercell for its forums.

The company confirmed that game accounts weren’t affected by the data breach.

“As we’ve said before, to provide our forum service we use software from vbulletin.com. We’re currently looking into report that a vulnerability allowed third-party hackers to gain illegal access to some forum user information, including a number of emails and encrypted passwords.” reads the official statement from the company. “Our preliminary investigation suggests that the breach happened in September 2016 and it has since been fixed. ”


Supercell urges users to change the password they are using on the affected forum as soon as possible. You can reset your password here:

Users can reset their password here: https://forum.supercell.com/login.php?do=lostpw

As usual, let me suggest users change the password in any other web service they are using with the same login credentials. As a general guideline, matching credentials should not be used on multiple sites.

“We take any such breaches very seriously and we follow very strict policies when it comes to security. Please note that this breach only affects our Forum service. Game accounts have not been affected.” the company added.

Ruští hackeři sestřelili web fotbalového mistrovství Afriky

22.1.2017 Novinky/Bezpečnost Hacking
Skupina ruských hackerů se v sobotu přihlásila k tomu, že vyřadila z provozu internetové stránky probíhajícího fotbalového mistrovství Afriky. Protestují tak proti tomu, že se turnaj koná v Gabonu, kde se po loňských volbách a následných nepokojích drží u moci prezident Ali Bongo.
Internetové stránky probíhajícího fotbalového mistrovství Afriky
Internetové stránky probíhajícího fotbalového mistrovství Afriky
Skupina, která se nazývá New World Hackers, kontaktovala agenturu AP s tím, že web CAFonline.com vyřadila z provozu. Stránky v sobotu večer skutečně nebyly v provozu.

Představitelé afrického fotbalu však zatím nepotvrdili, zda je to skutečně kvůli hackerskému útoku, uvádí AP.

Vše nicméně nasvědčuje tomu, že šlo o tzv. DDoS útok. Ten má vždy stejný scénář. Stovky tisíc počítačů začnou přistupovat v jeden okamžik na konkrétní server. Ten zpravidla nezvládne tak vysoké množství požadavků zpracovat a spadne. Pro běžné uživatele se pak takto napadená webová stránka tváří jako nedostupná.

"Udělali jsme to na protest proti Gabonu. Pořádají mistrovství Afriky v zemi, kde diktátor Ali Bongo zabíjí nevinné lidi," stálo v e-mailu doručeném AP. Srpnové volby v zemi loni zpochybnil opoziční kandidát Jean Ping a prohlásil se za jejich vítěze. Výsledky vyvolaly nepokoje se zhruba stovkou obětí. Gabonský ústavní soud v září potvrdil vítězství dosavadního prezidenta Bonga.

Bezpečnostních chyb jako máku. Oracle opravuje najednou 270 trhlin

22.1.2017 Novinky/Bezpečnost Zranitelnosti
Bez nadsázky obří balík záplat vydala společnost Oracle, obsahuje totiž opravy pro bezmála tři stovky chyb. Aktualizace se týká prakticky celého softwarového portfolia této společnosti. Nemalé množství trhlin bylo přitom označováno jako velmi kritické.
Oracle nabízí desítky nejrůznějších softwarových nástrojů a utilit. Běžní uživatelé se ale s nimi přímo setkají jen málokdy, zpravidla jde totiž o řešení určená pro nasazení v menších či větších firmách. Jde o různé databázové a vývojářské nástroje, stejně jako o nástroje určené k řízení podniků.

Právě proto je ale celá hrozba napadení ještě závažnější. Ve firmách totiž mohou napáchat počítačoví piráti daleko více škody než v domácnostech.

U více než stovky chyb je přitom možné vzdálené zneužití. To jinými slovy znamená, že je počítačoví piráti mohou zneužít k tomu, aby do konkrétních počítačů nebo podnikové sítě propašovali prakticky libovolný škodlivý kód. Stejně tak ale mohou přistupovat k nastavení napadeného stroje či uloženým datům na discích.

Problémy mohou mít i běžní uživatelé
Některé chyby se ale týkají i přímo běžných uživatelů. V portfoliu společnosti Oracle je totiž například Java, která je často využívána pro korektní chod některých webových stránek. V počítači ji tak mají nainstalovanou desítky miliónů lidí po celém světě.

A právě u zmiňované Javy bylo odhaleno 17 chyb, z toho 16 mohou vzdáleně zneužít kyberzločinci ke vzdáleným útokům. Kritické chyby obsahuje například také Virtual Box, který se mezi zběhlejšími uživateli těší poměrně velké popularitě.

Jak je z řádků výše patrné, obezřetnost je tedy na místě. Stahovat opravy je možné prostřednictvím automatických aktualizací v jednotlivých programech, případně prostřednictvím webových stránek společnosti Oracle.

Kyberzločinci mohou zaútočit dokonce už i na hřeben

22.1.2017 Novinky/Bezpečnost Hacking
Přibývá tzv. chytrých přístrojů, které sbírají nejrůznější, více či méně užitečná data. A roste také nebezpečí jejich zneužití. Teoreticky tak mohou kyberzločinci v dnešní době napadnout na dálku klidně i hřeben.
Chytrý může být v dnešní době už i hřeben. Na snímku je nový model od společnosti L’Oréal, který byl odhalen na veletrhu CES.
Chytrý může být v dnešní době už i hřeben. Na snímku je nový model od společnosti L’Oréal, který byl odhalen na veletrhu CES.
Tak například chytré sportovní hodinky – změří vám vzdálenost, kterou jste uběhli, a údaj odešlou do programu v telefonu. Tam už se můžete podívat, kolik jste uběhli včera, před měsícem nebo jakou vzdálenost zaběhl váš kamarád na druhém konci republiky.

Jenže výrobci se u těchto relativně užitečných věcí nehodlají zastavit. „Veletrh spotřební elektroniky (CES) v Las Vegas byl přehlídkou nápadů, jak připojit k internetu věci, u nichž by to mohlo být prospěšné,“ uvádějí stránky popsci.com.

Zmiňují hřeben od společnosti L’Oréal, jenž provede rozbor vašich vlasů, nebo polštář nahrávající zvuk vašeho chrápání či pohyby během spánku. Jakmile je takový výrobek připojen k internetu, může být teoreticky ovládnut někým cizím, hackerem.

Ten jej využije ve své armádě počítačů a s ní vyřadí z provozu třeba poskytovatele určité služby na internetu.

Armáda zotročených zařízení
Vojsko složené z chytrých polštářů, hřebenů či odpadkových košů může vypadat legračně, ovšem podobně se chytré fotoaparáty loni v říjnu zapojily do útoku, jenž způsobil problémy i společnostem jako Amazon či Twitter. 

S desítkami tisíc napadených zařízení, která je poslechnou na slovo, jsou schopni šířit nevyžádané e-maily nebo provádět DDoS útoky.

Na zařízení tzv. internetu věcí, tedy na chytré přístroje, které jsou schopny připojovat se na internet a komunikovat mezi sebou prostřednictvím této celosvětové počítačové sítě, se tak zaměřují kyberzločinci stále častěji. U nich totiž bezpečnost zatím nikdo nijak dramaticky neřeší, čehož se snaží kyberzločinci využít.

National Aids Research Institute NARI hacked by the Shad0w Security crew
21.1.2017 securityaffairs Hacking

The hacker @Sc0rp10nGh0s7 from the Shad0w Security group has broken in the server of the National Aids Research Institute NARI (India).
The hacker @Sc0rp10nGh0s7 from the Shad0w Security crew has broken in the server of the National Aids Research Institute NARI (India). The hacker accessed a more than 1 GB archive containing the results for dozens Hiv test.

The hacker just released a small portion of the compromised archive as proof of the data breach. They explained to me that they want to avoid problems with the patients, but this hack aims to demonstrate that the security staff at the Institute is not able to protect so sensitive information.

“this time we won’t leak everything, since our purpose is to hurt the gov not the people. The database file I have is more than 1Gb” told @Sc0rp10nGh0s7.

When I asked more technical details about the attack, the hacker told me that they prefer to keep secret the flaws.

I decided to avoid publishing the link to the data due to nature of the victim.

He also told me that the National Aids Research Institute NARI (India) has a good level of security despite the hack. The hacker breached an internal server of the organization and noticed the admin likes to put username & password in a text file.

“the way we choose the targets is random that helps us to not be expected, we will be in a place they least expect us to be” added the hacker.

The overall internal network was breached by the hackers.

In November 2016, the hacker Shad0wS3C hacked the Institute of the Registral Function of the State Mexico (FREM) and leaked the database online.

In August 2016, the group hacked the Paraguay’s Secretary of National Emergency (SNE) website and leaked online a dump from a PostgreSQL database.

Supercell, Clash of Clans authors, hacked. 1 Million accounts compromised
21.1.2017 securityaffairs Hacking

Reportedly, over a million accounts on the Supercell community forum have been compromised after a data breach occurred in 2016.
The firm Supercell, the authors of the notorious “The Clash of Clans” mobile game admitted that accounts on Supercell community forum have been hacked. Supercell is the creator of popular games such as Clash of Clans, Hay Day, Clash Royale, and Boom Beach.

According to an official statement issued by the company, hackers compromised more than 1 million accounts in a data breach occurred in September 2016.

LeakBase confirmed that the number of affected user account is 1 million.

The cyber attack affected the Supercell community forum said in an official statement that the breach happened in September 2016 and that the site’s forums were affected. According to the company, hackers exploited a vulnerability in the Vbulletin CMS used by Supercell for its forums.

The company confirmed that game accounts weren’t affected by the data breach.

“As we’ve said before, to provide our forum service we use software from vbulletin.com. We’re currently looking into report that a vulnerability allowed third-party hackers to gain illegal access to some forum user information, including a number of emails and encrypted passwords.” reads the official statement from the company. “Our preliminary investigation suggests that the breach happened in September 2016 and it has since been fixed. ”


Supercell urges users to change the password they are using on the affected forum as soon as possible. You can reset your password here:

Users can reset their password here: https://forum.supercell.com/login.php?do=lostpw

As usual, let me suggest users change the password in any other web service they are using with the same login credentials. As a general guideline, matching credentials should not be used on multiple sites.

“We take any such breaches very seriously and we follow very strict policies when it comes to security. Please note that this breach only affects our Forum service. Game accounts have not been affected.” the company added.

Necurs botnet is back and starts delivering the Locky ransomware
21.1.2017 securityaffairs

Cisco Security Team has noticed traces of traffic from the dormant Necurs botnet and they are warning of a possible new massive ransomware spam campaign.
Security researchers at Cisco Security Team have noticed traces of traffic from the dormant Necurs botnet and they are warning of a possible new massive ransomware spam campaign.

“The research from Talos shows that Locky spam activity has picked up again, but not nearly the volumes seen previously. “A couple of days ago we finally started seeing some spam campaigns start delivering Locky again,” the researchers wrote. “The key difference here is around volume. We typically would see hundreds of thousands ” reads a post published by Cisco.


At the time I was writing, experts just found fewer than a thousand Necurs spam messages, but the situation could rapidly degenerate. The Necurs Botnet, one of the world’s largest malicious architecture, was used to spread the Dridex banking malware and the dreaded Locky ransomware, it has vanished since June 1.

On October 2015, an international joint effort of law enforcement agencies, including the FBI and the NCA, destroyed the botnet, but it resurrected after and was used to mainly spread the Locky ransomware.


Now the Necrus botnet was being used by crooks to deliver the Locky ransomware, the overall number of attacks has quietly increased over the last week.

“Since late December we haven’t seen the typical volume of Locky, however, a couple of days ago we finally started seeing some spam campaigns start delivering Locky again,” Cisco’s researchers explained.

“The key difference here is around volume. We typically would see hundreds of thousands of Locky spam, [and now] we are currently seeing campaigns with less than a thousand messages.

“With both of these campaigns being relatively low volume these could be one offs or indicators of changes to come to the campaigns in the future.”

The researchers at the Talos team have observed two specific campaigns that are a little different than what they have seen before. One of the new campaigns delivers a malicious dropper inside a zip file that is delivered via spam email messages. Once opened, the JSE file is able to download two pieces of malware, the Locky ransomware and the Kovter Trojan.

A second campaign leverages on RAR files instead of the common zip archives. If the user extracts the archive they find a js file, doc_details.js.

“Crimeware is a lucrative endeavor with revenue rapidly approaching a billion dollars annually,” Cisco added. “This doesn’t come without significant risk and we may be entering a period where adversaries are increasingly cashing out from this activity early, to avoid severe penalties.”

Lavabit, the Snowden recommended encrypted email service, is back
21.1.2017 securityaffairs Security

Lavabit, the Snowden recommended encrypted email service, is back. Its CEO Ladar Levison announced new privacy-enhancing features.
Do you remember Lavabit? It was the US Encrypted Email Service used by the popular whistleblower Edward Snowden.
Lavabit was an encrypted webmail service founded in 2004 by Ladar Levison, it closed on August 8, 2013 after the US authorities ordered it to turn over its Secure Sockets Layer (SSL) private keys to order government surveillance activities. The US Government was interested in spying on the Edward Snowden‘s emails.
In March 2016, a redaction error in the court-ordered release of Lavabit case files confirmed that Edward Snowden was the target of the FBI that caused the termination of the secure email service.

Snowden was using the Lavabit encrypted email service and that FBI drove the company into closure because it refused to serve the US Government’s requests.

The US Government ordered to install a surveillance implant on the Lavabit servers and later to turn over Lavabit’s encryption keys allowing the Feds to access Snowden’s messages. The court order also revealed that the US Government ordered not to disclose the surveillance activity to third-party entities.

After a few weeks of legal dispute, Levison shuttered Lavabit refusing to become not become complicit in criminal surveillance operated by the US Government.

“After 38 days of legal fighting, a court appearance, subpoena, appeals and being found in contempt of court, Levison abruptly shuttered Lavabit citing government interference and stating that he would not become “complicit in crimes against the American people”.” reported the Guardian.

US authorities revealed the mysterious circumstances behind the Lavabit shut down by publishing a collection of case files that were not correctly redacted allowing to discover the target of the FBI activity, the email address Ed_Snowden@lavabit.com.

The document was integrally published by Cryptome, it is visible the Snowden’s email address was left unredacted.

Lavabit shuttered Edward Snowden email

The documents were publicly disclosed in the result of Levison’s battle against the US Government, he filed a motion in December 2015 that prompted the court to order the release of files related the Lavabit case.

Now, Levison has announced that he is reviving the Lavabit service fixing the SSL issue and implementing new privacy-enhancing features.
The Lavabit CEO is releasing the source code for an open-source end-to-end encrypted global email standard, dubbed Dark Internet Mail Environment (DIME). The code aims to avoid government surveillance and hides the metadata.

“Developed by Lavabit, DIME is an open source secure end-to-end communications platform for asynchronous messaging across the Internet. DIME follows in the footsteps of innovative email protocols, but takes advantage of the lessons learned during the 20-year history of PGP based encrypted communication. DIME is the technological evolution over current standards, OpenPGP and S/MIME, which are both difficult to deploy and only narrowly adopted. Recent revelations regarding surveillance have pushed OpenPGP and S/MIME to the forefront, but these standards simply can’t address the current privacy crisis because they don’t provide automatic encryption or protect metadata. By encrypting all facets of an email transmission (body, metadata and transport layer), DIME guarantees the security of users and the least amount of information leakage possible. A security first design, DIME solves problems that plague legacy standards and combines the best of current technologies into a complete system that gives users the greatest protection possible without sacrificing functionality.” states the description of the standard published by Lavabit.

Lavabit features

The Dark Internet Mail Environment (DIME) the standard will be available on Github along with a mail server application dubbed Magma that was designed to allow users with existing email clients to easily use Lavabit service.
“To learn more about DIME & Magma we invite you to join the Dark Mail Technical Alliance https://darkmail.info/ where you can find the latest code & specifications, provide feedback, and contribute to the development effort.”

DIME: https://darkmail.info/spec
DMAP: https://tools.ietf.org/id/draft-melnikov-dmap-00.txt
STACIE: https://tools.ietf.org/id/draft-ladar-stacie-00.txt
MAGMA: https://github.com/lavabit/magma
LIBDIME: https://github.com/lavabit/libdime
The DIME standard implements the ‘Trustful’ encryption mode that requires users to trust the server to manage the encryption and their keys.
“The server performs the encryption on your behalf, and as such, you must trust that the server will not be rewritten in such a way that it captures your password, or peeks at your messages during processing,” Levison said.

The DIME standard also implements a more strictly control over their encryption keys, it allows the users to choose the Cautious Mode and Paranoid Mode, for example, Paranoid means Lavabit will never store a user’s private keys on its server.

Lavabit service will only be accessible to existing customers in Trustful mode, others can pre-register and wait for it.

Lavabit — Encrypted Email Service Once Used by Snowden, Is Back
21.1.2017 thehackernews Safety
Texas-based Encrypted Email Service 'Lavabit,' that was forced to shut down in 2013 after not complying with a court order demanding access to SSL keys to snoop on Edward Snowden's emails, is relaunching on Friday.
Lavabit CEO Ladar Levison had custody of the service's SSL encryption key that could have helped the government obtain Snowden's password. Although the FBI insisted it was only after Snowden's account, that was the key to the kingdom that would have helped the FBI agents obtain other users’ credentials as well.
But rather than complying with the federal request that could compromise the communications of all of its customers, Levison preferred to shut down his encrypted email service, leaving its 410,000 users unable to access their email accounts.
Now, Levison has announced that he is reviving Lavabit with a new architecture that fixes the SSL problem — which according to him, was the biggest threat — and includes other privacy-enhancing features that will help its users send emails that he can't eavesdrop, even if ordered to do so.

Levison is releasing the source code for an open-source end-to-end encrypted global email standard that promises surveillance-proof messaging that even hides the metadata on emails to prevent agencies like the NSA or FBI from being able to find out with whom Lavabit users communicate.
Dubbed Dark Internet Mail Environment (DIME), the standard will be available on Github today, along with an associated mail server program called Magma, which is ready for use with the Dark Internet Mail Environment.
"DIME is the only automated, federated, encryption standard designed to work with different service providers while minimizing the leakage of metadata without a centralized authority," Levison said in a blog post.
"By encrypting all facets of an email transmission (body, metadata, and transport layer), DIME guarantees the security of users and the least amount of information leakage possible."
According to Levison, Magma server is designed to offer an easy-to-use application so that even non-technical users with existing email clients can use Lavabit encrypted email service with ease.

DIME standard includes a ‘Trustful’ encryption mode, which requires users to trust the server to manage the encryption and their keys.
"The server performs the encryption on your behalf, and as such, you must trust that the server will not be rewritten in such a way that it captures your password, or peeks at your messages during processing," Levison said.
Also, the DIME also offers Cautious Mode and Paranoid Mode for users who want absolute control over their encryption keys, so that their keys never transmits anywhere. Paranoid means Lavabit will never store a user’s private keys on its server.
Initially, the new Lavabit service will only be accessible to its existing customers and only in Trustful mode.
However, if you were not LAvabit customer in the past before the service shut down, you can pre-register and wait for the eventual rollout.

Carbanak Group Used Numerous Tools in Recent Attacks

20.1.2017 Securityweek Virus
The infamous Carbanak group of hackers has been using multiple tools in a series of attacks over the past several months, Trustwave security researchers reveal.

Starting in September 2016, the Carbanak hackers began targeting large companies in the hospitality sector in Europe and the United States, in a series of attacks that are now said to have employed different types of malicious software.

In a recent report (PDF), Trustwave researchers revealed details on the malware used, some of the executables were signed with digital certificates issued by Comodo, in an attempt to bypass security controls. Most likely, the certs were acquired using fake identities, all featuring Russian details (city, address etc.).

The Carbanak group, also known as Anunak, was exposed in 2015 after supposedly stealing upwards of $1 billion from more than 100 banks across 30 countries.

Called Grand Mars, after one of the fake company names used to purchase certificates from Comodo, these latest attacks were not aiming at financial gains alone.

“The motivation of this operation appears to be financial gain, total control of the infrastructure and collection of bots within the victim organizations. During the forensics investigation and analysis, we were given the impression that several activities have been performed by different persons or even different groups of people,” Trustwave notes.

Multiple cybercrime organizations might have cooperated in the Grand Mars operation to establish a complex system of network hosts, using numerous malicious files to attack multiple victims. During the campaign, they switched command and control (C&C) servers to ensure they remain undetected, with majority of IP addresses associated with C&Cs located in Europe (UK, France, Sweden, and Germany), but some located in the United States.

Just as with other attacks performed by Carbanak, malicious macros in Microsoft Word documents attached to emails were used as entry points. As soon as the attachment was opened and the included VisualBasic script executed, four files were dropped onto the system, in an attempt to gain some foothold to it.

The dropped files include Starter.vbs, which uses registry Autorun and Task Scheduler to achieve persistence, TransbaseOdbcDriver.js, meant to connect to Google services (Forcepoint described the process earlier this week) and Pastebin for victim ID, tracking, and command retrieval, LanCradDriver.vbs, reads and executes the commands written in a LanCradDriver.ini file, initially created empty but later populated by the previous script, and dttsg.txt.

The attackers used a variety of tools to achieve persistence as well, namely a PowerShell Script (downloaded from Google Docs), Registry Autorun (they create a key in the registry to ensure the payload runs immediately after reboot), and Task Scheduler (a scheduled task is triggered every 30 minutes indefinitely to run starter.vbs and launch the execution chain: Starter.vbs> TransbaseOdbcDriver.js> LanCradDriver.vbs> LanCradDriver.ini).

Other tools used in this campaign and deemed malicious include AdobeUpdateManagementTool.vbs (designed to connect to C&C and perform data exfiltration), UVZHDVlZ.exe (a variant of the Carbanak malware), Update.exe (Cobalt Strike’s post-exploitation tool beacon), and 322.exe (a TCP reverse shell). These files were primarily designed for persistence or data exfiltration.

“Using services such as Google Docs in order to keep track of victims and spreading malicious files becomes a very big challenge for defenders because this way is very difficult to distinguish between good and bad guys using these popular public cloud services,” the report reads.

For lateral movement in the compromised networks, the attackers used pass-the-hash, which allowed them to steal credentials of a domain level, high privileged user, the security researchers reveal. Using this technique, actors steal credential hashes from a compromised system and can expand their foothold in the network if local accounts share the same password within the infrastructure.

“Ultimately this allowed attackers to achieve domain or even enterprise admin access and gain network access by utilizing several resources as Command & Control points in Europe and US. Further investigation of the attacked infrastructure showed that the intruders deployed similar PowerShell scripts or embedded batch files in order to spread within the environment,” Trustwave’s report reads.

While some of the attacks associated with this campaign might have been performed by various malicious groups (sometimes different stages of the same attack might have been performed by different groups, with others carrying later attack stages), “the attack characteristics of this family of malware share several common traits with the, original, well understood Carbanak APT campaign, which has been positively attributed to the Russian underground financial cybercrime network,” Trustwave concludes.

Western Union Pays $586 Million to Settle Fraud Charges

20.1.2017 Securityweek Incindent
Global financial services company Western Union has admitted to facilitating wire fraud and it has agreed to forfeit $586 million as part of a settlement with the U.S. Federal Trade Commission (FTC) and the Department of Justice.

Western Union’s services have often been used by fraudsters and cybercriminals, and authorities in the United States have been displeased with the fact that the company has failed to maintain a proper anti-fraud program.

Furthermore, the company has been accused of not taking immediate action against agents that knowingly processed fraud payments in return for a cut of the illegal profits. Since 2001, the Department of Justice has convicted 29 owners and employees of Western Union agents for their role in fraud schemes.

According to authorities, Western Union has violated several laws, including the Bank Secrecy Act (BSA) and the FTC Act.

The FTC said Western Union had received, between January 2004 and August 2015, more than 550,000 complaints regarding fraudulent transfers involving advance-fee, online dating, lottery, and family emergency scams. These transfers totaled more than $632 million, but they are believed to represent only a fraction as not all complaints have been logged, not all victims filed a complaint, and fraud-reporting mechanisms are not available everywhere.

As part of its settlement with the FTC and the Justice Department, Western Union has agreed to forfeit $586 million, a sum that will be used to compensate fraud victims. The process through which the money will be distributed will be established at a later date.

The company will also implement and maintain a comprehensive anti-fraud program, thoroughly vet new and renewing agents, and suspend or terminate agents that don’t comply with its policies.

The FTC has ordered Western Union to stop processing fraud-induced and telemarketing-related money transfers, provide more fraud warnings, create additional channels for fraud complaints, and refund fraudulent transfers.

MoneyGram, Western Union’s main competitor, was also targeted by the FTC. The company agreed to pay $18 million in 2009 to settle charges.