Old August 31st, 2015, 08:13 PM   #11
Rick Danger
Vintage Member
 
Join Date: Apr 2008
Location: In the Chill lounge.....
Posts: 1,725
Thanks: 6,794
Thanked 30,933 Times in 1,714 Posts

Quote:
Originally Posted by Pigulici
Do you know any website where are list of all win update that we should not install?
I don't know. This might be a tough question to answer for you. I will look into it. The problem is the availability of details on what's in each update, and of course the classification.

One thing I just realized: if Microsoft puts out an update related to a vulnerability listed using the standardized Common Vulnerabilities and Exposures (CVE) vulnerability naming standard it would certainly be an update that should be applied.
The Following 8 Users Say Thank You to Rick Danger For This Useful Post:
Old September 3rd, 2015, 02:25 AM   #12
Rick Danger
Ars Technica.com: Mac OS X vulnerability

Hacktivism
Attacks accessing Mac keychain without permission date back to 2011
Technique lets rogue apps ask for keychain access, then click OK.

by Dan Goodin - Sep 2, 2015 9:41 pm UTC

On Tuesday, Ars chronicled an OS X technique that's being actively used by an underhanded piece of adware to access people's Mac keychain without permission. Now there's evidence the underlying weakness has been exploited for four years.

As documented by Twitter user @noarfromspace, the keychain-penetrating technique was carried out in 2011 by a piece of malware known as DevilRobber. The then new threat caught the attention of security researchers because it commandeered a Mac's graphics card and CPU to perform the mathematical calculations necessary to mine Bitcoins, something that was novel at the time. Less obvious was the DevilRobber's use of the AppleScript programming language to locate a window requesting permission to access the Keychain and then simulate a mouse click over the OK button.

Thomas Reed, who is director of Mac offerings at security firm Malwarebytes, said he tested the AppleScript on the current version of Apple's OS X and found it worked, as long as a user had already allowed the app running the script to control the Mac. On Monday, Reed disclosed the same technique was being used by the Genieo adware installer to gain access to a Safari extensions list that's protected inside the Mac Keychain. Coincidentally, researchers located in Beirut independently reported the technique on Tuesday, the same day Ars chronicled the Malwarebytes' findings involving Genieo.

Mac users should remember that the technique works only when invoked by an application already installed on their systems. There is no evidence the technique can be carried out through drive-by exploits or attacks that don't require social engineering and end-user interaction. Still, the weakness is unsettling, because it allows the same app requesting access to the keychain to unilaterally approve it and to do so quickly enough for many users to have no idea what has happened. And by default, OS X will grant the access without requiring the user to enter a password. The Mac keychain is the protected place storing account passwords and cryptographic keys.

"I think that Apple needs to isolate that particular window," Reed told Ars on Wednesday. "They need to pull that particular window out of the window list ... in a way that an app can't tell it's on the screen and get its location."


Dan Goodin / Dan is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications.
@dangoodin001 on Twitter


source: http://arstechnica.com/security/2015...-back-to-2011/
The Following 6 Users Say Thank You to Rick Danger For This Useful Post:
Old September 3rd, 2015, 02:41 AM   #13
Rick Danger
Consumer alert: Smartphones delivered with malware !

DarkReading.com News

Malware Pre-Installed On Over Two-Dozen Android Smartphone Brands
Threat affects several smartphones shipping from Asia including some popular ones such as Lenovo, Huawei, and Xiaomi, says G Data.

By Jai Vijayan 9/1/2015 @ 03:20 PM

Security researchers at G Data have discovered pre-installed malware on over two-dozen models of Android smartphones shipping from Asia.

The phones infected with malware out-of-the-box include some well-known brands such as Lenovo, Huawei, and Xiaomi.

In total, Germany-based G Data says it discovered over 26 models infected with malware capable of stealing personal information, recording calls, transmitting location data and serving up ads and spyware without the user’s knowledge or consent. Most of the models are sold within the Asian region.

In each case, the smartphone manufacturers themselves do not appear to be involved in pre-installing the malware on brand new Android phones, says Andy Hayter, security evangelist for G Data.

Instead, the tampering appears to be happening somewhere in the distribution chain, after the manufacturer ships the devices but before the devices get into the hands of consumers. “Someone is unlocking these phones, installing the malware on them and locking them up again,” Hayter says. He added that the level of sophistication required to pull off the operation without being noticed would be fairly significant. “It takes a certain amount of risk to do this,” he says.

In most of the cases that G Data reviewed, the malware is typically hidden in a legitimate looking application like Facebook, Hayter said. The malware is concealed inside the usual functions of the legitimate application and few notice it because a majority of the malicious processes run in the background, he said.

The add-on functions that are being secretly added to Facebook and other pre-installed apps are designed to perform a wide range of malicious actions. They include surreptitiously accessing the Internet, reading and sending SMS messages, accessing contact lists, altering call data and listening to and recording phone conversations.

G Data made the news last year when its researchers discovered the Star N9500 Galaxy S4 clone, sold through online stores like Amazon and eBay, to be pre-installed extensively with spyware tools. This year’s research shows the problem has gotten significantly worse, Hayter said.

Based on the research so far, it is hard to determine if the pre-installed malware is the handiwork of one group or multiple groups. But it is very likely that multiple groups are involved considering the sheer geographic spread of the problem and the number of impacted brands.

“From the variety of phones we see, the idea [to pre-install malware] is spreading,” Hayter said. Besides Lenovo, Huawei and Xiaomi, some of the other, lesser-known, Android brands impacted by the problem include several models of Alps, the ConCorde SmartPhone6500, DJC Touchtalk, ITouch and Sesonn.

G Data’s findings on pre-installed malware on Android smartphones shipping from Asia are part of a broader report on the state of Android malware for the second quarter of 2015.

As with previous quarters, security researchers at G Data discovered a sharp increase in the number of Android malware samples in the wild.

According to G Data, its researchers analyzed some 6,100 new malware samples every day during the second quarter compared to the 4,900 malware apps per day analyzed in the previous quarter. In total, G Data researchers discovered over one million new Android malware strains in the first six months of the year, a new record for Android malware, according to Hayter.

In addition to the surging numbers, the researchers discovered that Android malware is also becoming increasingly sophisticated.

Fortunately for Android users, the malware presents a threat mostly to people who purchase their devices through less-than-reliable online sources, or those who install apps outside of Google’s Play store and other legitimate application stores. Despite the surging malware count, users who buy through legitimate sources and stick with official application stores for the most part remain relatively protected.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

source: http://www.darkreading.com/mobile/ma...d/d-id/1322009
The Following 6 Users Say Thank You to Rick Danger For This Useful Post:
Old September 3rd, 2015, 03:35 AM   #14
Rick Danger
Ars Technica.com: Ransomware comes to Android smartphones

Hacktivism

Android ransomware uses XMPP chat to call home, claims it’s from NSA
Improved Simplocker lurks disguised as legitimate Flash or video player app.

by Sean Gallagher - Sep 2, 2015 8:38 pm UTC



A new variant of mobile ransomware that encrypts the content of Android smartphones is putting a new spin on both how it communicates with its masters and how it spurs its victims into action. The updated version of Simplocker masquerades on app stores and download pages as a legitimate application, and uses an open instant messaging protocol to connect to command and control servers.

The malware requests administrative permissions to sink its hooks deep into Android. Once it's installed, it announces itself to some victims by telling them it was planted by the NSA—and to get their files back, they'll have to pay a "fine."

Ofer Caspi of Check Point's malware research team wrote in a report posted this week that the team has "evidence that users have already paid hundreds of thousands of dollars to get their files "unencrypted" by this new variant. He estimates that the number of infected devices so far is in the tens of thousands, but may be much higher. Because the software can't easily be removed once it is installed, and because the files it encrypts can't be recovered without it, victims have no choice but to either pay $500 to get their files decrypted or to wipe the device and start from scratch.

While posing as a legal or governmental authority to intimidate the victim into paying up is not new, the use of Extensible Messaging and Presence Protocol (XMPP), the instant messaging protocol used by Jabber and previously by GTalk, is a shift in tactics to evade detection by anti-malware tools. XMPP communication makes it more difficult for security and anti-malware tools to catch the ransomware before it can communicate with its command and control network because it conceals the communication in a form that looks like normal instant message communications.

Most previous ransomware packages have communicated with a website over HTTPS to obtain encryption keys; those websites can generally be identified by their URLs, IP addresses, or the signature of their Web requests and then blocked. An application making a secure HTTP request to a suspicious destination would be a good sign that something bad was afoot. But the XMPP communications channel used by the new Simplocker variant uses an external Android library to communicate with the command and control network through a legitimate messaging relay server. And these messages can be encrypted using Transport Layer Security (TLS). The messages were pulled from the command and control network by the operators of the scheme via Tor.

By reverse-engineering a sample of the malware, Check Point researchers were able to tap into its XMPP communications channel.

"During our investigation, we successfully obtained hundreds of thousands of XMPP messages sent between the C&C servers and the infected mobile devices," Caspi wrote. "After breaking the obfuscation scheme implemented in these messages, we were able to read most of the message contents. This led us to obtain evidence that suggests that there are tens of thousands of devices infected with this malware. We also observed that ~10% of the users paid between $200 and $500 in ransom to decrypt their files. This means that for every 10k infections, the malware authors raked in $200k-$500k. While these numbers are stunning, this might just be the tip of the iceberg, as our dataset is incomplete and the actual infection rate is probably much higher."

The XMPP channel allows a number of other commands to be launched remotely by the malware operators, including sending SMS messages and placing phone calls, as well as re-setting the configuration of the malware's communications (and the Bitcoin account to be used to submit victims' payments). The malware also had localized versions of its ransom demands for Saudi Arabia, the United Arab Emirates, and Iran, each using appropriately themed faked warnings from those countries' governments to victims.

Check Point has informed the operators of the XMPP relay servers being used by the ransomware, providing details that will allow those service providers to block traffic that provides the malware with the encryption keys needed to launch an attack. However, new versions of the malware "are still appearing almost every day," Caspi warned.


Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland. @thepacketrat on Twitter

source: http://arstechnica.com/security/2015...-its-from-nsa/
The Following 6 Users Say Thank You to Rick Danger For This Useful Post:
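
Added example (not part of the post above, the Ars Technica article, or Check Point's report): because the relay server in the article is a legitimate one, blocking by destination does not help, so this sketch asks instead which app on the device is speaking XMPP. The log format, package names and allowlist are hypothetical and the sample records are constructed; ports 5222/5223 and the `jabber:client` stream header are standard XMPP.

```python
import re
from dataclasses import dataclass

# Standard XMPP client-to-server ports: 5222 (cleartext, then STARTTLS) and
# 5223 (legacy direct TLS).
XMPP_PORTS = {5222, 5223}

# An XMPP client opens its stream in cleartext before any STARTTLS upgrade.
STREAM_OPEN = re.compile(rb"<stream:stream\b[^>]*\bxmlns=['\"]jabber:client['\"]")

# Hypothetical allowlist of packages expected to speak XMPP on managed devices.
ALLOWED_XMPP_APPS = {"org.example.chat"}


@dataclass(frozen=True)
class Flow:
    ts: str
    package: str
    dst_ip: str
    dst_port: int
    first_bytes: bytes


def parse_flow(line):
    """Parse 'timestamp package dst_ip dst_port first_payload_hex' (assumed format)."""
    ts, package, dst_ip, port, payload_hex = line.split()
    first = b"" if payload_hex == "-" else bytes.fromhex(payload_hex)
    return Flow(ts, package, dst_ip, int(port), first)


def xmpp_evidence(flow):
    """Return the reasons a flow looks like XMPP, independent of who the peer is."""
    evidence = []
    if flow.dst_port in XMPP_PORTS:
        evidence.append("xmpp-port")
    if STREAM_OPEN.search(flow.first_bytes):
        evidence.append("stream-header")
    return evidence


def find_unexpected_xmpp(lines):
    """Flag XMPP-looking flows from apps that have no business running a chat client."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        evidence = xmpp_evidence(flow)
        if evidence and flow.package not in ALLOWED_XMPP_APPS:
            findings.append((flow.package, f"{flow.dst_ip}:{flow.dst_port}", evidence))
    return findings


def make_line(ts, package, dst_ip, port, payload):
    """Build one constructed log line, hex-encoding the first payload bytes."""
    return f"{ts} {package} {dst_ip} {port} {payload.hex() or '-'}"


# Constructed sample data: documentation IP ranges, made-up package names.
XMPP_HELLO = (b"<?xml version='1.0'?><stream:stream to='relay.example.net' "
              b"xmlns='jabber:client' "
              b"xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>")
TLS_HELLO = b"\x16\x03\x01\x02\x00\x01"  # start of a TLS ClientHello record

SAMPLE_LINES = [
    make_line("2015-09-02T20:38:01Z", "org.example.chat", "198.51.100.7", 5222, XMPP_HELLO),
    make_line("2015-09-02T20:38:09Z", "com.example.videoplayer", "198.51.100.7", 5222, XMPP_HELLO),
    make_line("2015-09-02T20:39:44Z", "com.example.videoplayer", "198.51.100.7", 443, XMPP_HELLO),
    make_line("2015-09-02T20:40:02Z", "com.example.browser", "203.0.113.20", 443, TLS_HELLO),
    make_line("2015-09-02T20:41:17Z", "com.example.flashupdate", "203.0.113.20", 5223, TLS_HELLO),
]

if __name__ == "__main__":
    for package, dst, evidence in find_unexpected_xmpp(SAMPLE_LINES):
        print(f"{package} -> {dst}: {', '.join(evidence)}")
```

A hit on port 5223 alone is weaker evidence, since direct TLS hides the stream header; the header match works on any port but only before the connection is upgraded to TLS.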
Old September 3rd, 2015, 03:41 AM   #15
Rick Danger
Malware via Microsoft Word documents - The perfect attack?

DarkReading.com - Attacks/Breaches

Malware Author Stamped Code 'For Targeted Attacks Only'
When the Microsoft Word Intruder Office malware creation kit got too high-profile, the developer changed terms of service, Sophos report says.

News by Sara Peters 9/2/2015 @ 03:50 PM

The author and operator of the "most influential Office malware creation kit today," according to researchers at SophosLabs, has decided to market his wares only to targeted attackers, rather than spammers or others launching broad campaigns. Russian developer "Objekt" has even written it into the terms of service for his Microsoft Word Intruder (MWI) -- an Office malware creation kit used by at least a dozen different cybercrime groups to deliver payloads via malicious documents, often attached to emails.

MWI generates rich text documents that can exploit a variety of vulnerabilities in Word. It delivers payloads through either a dropper -- which embeds executables directly -- or a downloader -- which uses shellcode to download the payload. It uses a polymorphic decryptor and has a module called MWISTAT that keeps track of attack campaigns and infection rates.

Objekt wasn't always choosy about the kinds of attacks MWI was used for. MWI first appeared in May 2013, and Sophos now believes MWI was in wide use by early 2014, when Sophos released a report stating that financially motivated cybercriminals had begun to routinely use malicious documents to deliver malware, a tactic previously popular only with nation-state actors. "Interestingly," states the report, "MWI’s dominance had faded away by the end of 2014, apparently by design."

As security teams' efforts to thwart MWI increased, Objekt's efforts to evade them necessarily increased, until he'd had enough and simply changed his terms and conditions to make sure that his customers only used MWI for small attacks that might more likely go undetected. As the report quotes:

1. Exploit DESIGNED EXCLUSIVELY FOR POINT (“Targeted”, “TARGET”) attacks. INDICATIVE PRICE FOR BUILDER: 140$

2. Exploit THIS DOES NOT QUALIFY FOR SPAM AND MASSIVE ATTACK! FOR THIS WE HAVE A SEPARATE DECISION.

The change did not keep MWI out of the spotlight altogether, though. In April, it was used in the elegant attack that used CareerBuilder as an innocent middle-man. Attackers browsed job listings on CareerBuilder, submitted "resumes" that were actually malicious documents infected with MWI droppers or downloaders. CareerBuilder would then send a notification email to the employer with that malicious document attached, and employers were highly likely to open it because it was coming from a source they trusted and contained content they had asked to receive.

Sophos found MWI distributing payloads from over 40 different malware families, including info-stealers, banking Trojans, and remote access Trojans. The most common were Zeus/Zbot (25%) and Carberp (18%), a Trojan backdoor that was popular with Carbanak, the infamous billion-dollar international cybercrime ring.


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other topics.

source: http://www.darkreading.com/attacks-b...d/d-id/1322033
The Following 7 Users Say Thank You to Rick Danger For This Useful Post:
Old September 3rd, 2015, 04:28 AM   #16
a435843
I got myself banned
 
Join Date: Feb 2011
Posts: 582
Thanks: 2,249
Thanked 5,433 Times in 566 Posts

Quote:
Originally Posted by pigulici View Post
Do you know any website where are list of all win update that we should not install?
Why, yes. Right here on VEF:

http://vintage-erotica-forum.com/sho...&postcount=329
Old September 4th, 2015, 05:13 PM   #17
Rick Danger
AV-Test software rankings

The most basic security measures you can take are:
(1) Make sure your device is current in terms of security updates for your operating system and applications.

(2) Having a good, up-to-date security application that includes malware protection as well as malicious website protection.

(3) Avoid installing software or apps from untrusted sources.

(4) Avoid opening unsolicited emails that include attachments. As we saw in the article concerning the Microsoft Word Intruder (MWI), even a Word document can be a vehicle for malware. Image files are also popular vehicles.

Unlike PCMag.com and some other sites that post rankings of security software products, the independent testing site AV-Test.org performs testing and publishes its findings every three months or so.

https://www.av-test.org/en/antivirus/

AV-Test.org ranks BitDefender, Kaspersky, Trend Micro, McAfee, and Norton as the top-rated products for Windows 8.x.

For Mac OS X they rate Avast, Avira, Bitdefender, Kaspersky, and Norton as the highest. It's interesting to note that Avast and Avira are free products.

For Android there are a number of products that garnered AV-Test's top ranking.

Protection, performance, and usability were considered in determining the rankings.

Cost can be a factor. One good thing about the products from the well known sources (Norton, McAfee, Kaspersky, BitDefender) is that licensing now applies to multiple devices across various platforms. So if you have a Windows laptop, an iPad, and an Android smartphone you might save money by subscribing to a product that runs on all three platforms. If you are shopping for a single user/single device license check for online coupon offers. I was able to get an upgrade to Bitdefender 2015 for only $20 as part of a renewal offer. If you are hard up for cash check with your ISP to see if they provide security software as part of your service plan. For example Comcast makes Norton Security available to its subscribers. Since my wife was using Norton on her laptop I took the Comcast offer rather than paying to renew her license.

While some free products can actually provide excellent protection, AV-Test and I are in agreement that you should not be relying on Microsoft's Windows Defender, which scored a dismal 0.5 out of 6.0 points in protection. If your condom has a hole in it, you aren't having safe sex !

Speaking of free products, I use Malwarebytes Anti-Malware (MBAM) as an adjunct to Bitdefender. I started using MBAM years ago on my Windows XP machines, and I recommend it. While I would not normally recommend installing two security products on the same machine, I have never experienced conflicts or performance degradation using MBAM along with my primary security software.

https://www.malwarebytes.org/
The Following 7 Users Say Thank You to Rick Danger For This Useful Post:
Old September 5th, 2015, 05:32 AM   #18
DTravel
Lean Mean Screencap Machine
 
Join Date: Apr 2008
Location: Better you don't know.
Posts: 23,804
Thanks: 10,480
Thanked 207,300 Times in 23,713 Posts

Quote:
Originally Posted by Rick Danger View Post
DarkReading.com - Attacks/Breaches

Malware Author Stamped Code 'For Targeted Attacks Only'
When the Microsoft Word Intruder Office malware creation kit got too high-profile, the developer changed terms of service, Sophos report says.
There is something truly bizarre about just the idea of a hacker even having a "Terms of Service" for his illegal software, let alone trying to tell his criminal customers "No, you can only use it against a few select victims, not to scam as much money as possible from as many people as possible."
__________________

I rage and weep for my country.
I can reup screencaps, other material might have been lost.
The Following 6 Users Say Thank You to DTravel For This Useful Post:
Old September 5th, 2015, 08:25 PM   #19
a435843

Quote:
Originally Posted by DTravel View Post
There is something truly bizarre about just the idea of a hacker even having a "Terms of Service" for his illegal software, let alone trying to tell his criminal customers "No, you can only use it against a few select victims, not to scam as much money as possible from as many people as possible."
Yes, but these sold zero-days are for the unknowledgeable amateur, who might have something to fear from the hacker from whom he is buying the code, if he does violate the "wishes" of the highly-knowledgeable seller. Anonymous, which contains certainly above average hackers, and well above my abilities, are types I wouldn't want to mess with. They generally target their attacks against certain individuals with whom they have a beef. So, this story is plausibly legitimate.
Old September 5th, 2015, 10:22 PM   #20
DTravel

Quote:
Originally Posted by a435843 View Post
Yes, but these sold zero-days are for the unknowledgeable amateur, who might have something to fear from the hacker from whom he is buying the code, if he does violate the "wishes" of the highly-knowledgeable seller. Anonymous, which contains certainly above average hackers, and well above my abilities, are types I wouldn't want to mess with. They generally target their attacks against certain individuals with whom they have a beef. So, this story is plausibly legitimate.
I'm not questioning the legitimacy of the story. It just sounds like one criminal selling a gun to another while saying, "Now, I'm only selling this to you if you promise to only kill one or two people with it."
__________________

I rage and weep for my country.
I can reup screencaps, other material might have been lost.
The Following 6 Users Say Thank You to DTravel For This Useful Post:
All times are GMT.