Posts in News

Android Spyware Targeting Middle East

June 26, 2019 Posted by News

Amid the news that Chinese hackers have gained a foothold on the global telecommunications network comes news that is familiar to many Android users: Android apps hiding spyware are being used to target individuals, this time in Israel. This espionage campaign was first reported by Bitdefender in August 2018. The researchers dubbed the spyware Triout. Following their investigation, they discovered that the spyware is capable of recording every phone call, logging every SMS message, capturing pictures and videos taken, and gathering GPS location data. All of that information is routed to a command and control server. The only problem that the researchers faced was in homing in on the means of disseminating the malware.

That issue is addressed, albeit partially, in a report that Kaspersky released today. In their detailed analysis, the security company calls the hackers’ operation ViceLeaker (we’ll stick with Kaspersky’s apropos title). Kaspersky’s researchers expanded on Bitdefender’s overview of ViceLeaker by revealing that the attackers can upload, download, and delete files. They can also actively record audio, take pictures, make calls, and send text messages.

More importantly, the report reveals that attackers were able to backdoor some legitimate apps by disassembling them with Baksmali, injecting them with malicious code, and reassembling them with Smali. As a result of this finding, the researchers narrow the infection vector to “the spread of Trojanized applications directly to victims via Telegram and WhatsApp messengers.”

 

credit: Kaspersky

Speaking of messengers, the researchers discovered that code used to parse C&C server commands in the malware conveniently resembled code found in Conversations, an open source XMPP/Jabber client. The app itself is legitimate; it’s the modified version of the app that bears the fingerprints of the attackers. In order to backdoor the application, the attackers did things the old-fashioned way: they simply copied the code into an IDE, added their code, and hit compile. That said, the researchers found nothing malicious in the app, leading them to believe that it was being used for internal communication. “All the detections of this backdoored app were geolocated in Iran,” the researchers added. It’s an interesting footnote, one that dangles implications, but the researchers don’t seem to know where the attack originates.

The report also doesn’t elaborate on the number or type of victims that this malware targets. Still, if you compare this operation to Operation Soft Cell, you can assume that the targets are of significant value. It is worth noting that there is more information in Kaspersky’s private report to its clients. At the moment, Kaspersky’s researchers are continuing their investigation.

The researchers’ findings highlight the importance of guarding against downloading apps from untrustworthy sources or third-party applications.


Hackers Have Been Stealing Call Records for Years

June 26, 2019 Posted by News

Malicious hackers have been infiltrating our telecommunications for years, and, thanks to a group of researchers, we’ve just now begun to uncover the potential damage. Recently, Cybereason Nocturnus, a security research group, has linked menuPass, a China-based hacker collective that often targets critical industries like healthcare and government sectors, to an “advanced, persistent attack targeting global telecommunications providers.” Lior Div, co-founder of Cybereason, calls the attack “massive-scale espionage.”

Cybereason dubs this persistent attack Operation Soft Cell and claims that it’s been in operation since 2012. The security researchers also claim that the operation’s goal was to obtain the call detail records (CDRs) of a large mobile carrier. This type of activity suggested to researchers that the attack originates from a nation state; the operation seems to be concerned only with specific targets. There is no real monetary value in infiltrating CDRs, assuming that you’re dealing with a rational actor.
Law enforcement usually leverages CDRs to gain information about a specific target. The metadata provided makes for a handy espionage tool, so there’s no reason to think that a malicious nation state wouldn’t employ this same tactic to track the source, destination and duration of calls.

In order to gain such fine-grained control over their targets, the hackers implemented a multi-stage attack that began with taking advantage of a publicly facing server to perform reconnaissance attacks to judge the security of a network, steal credentials, and deploy tools that would facilitate lateral movement across the networks of over a dozen mobile carriers. Then came the credential dumping phase, which is akin to trying to steal specific armament from a fort in the dark. Once the attackers gained the credentials and mapped out the network, it was time for D-Day; the attackers laterally stormed the network and were able to fully take over a Domain Controller. What makes attacks like these really insidious is the fact that the stolen credentials are then used to escalate privileges so that in the event of a patch, the attackers can remain in the network.

The attackers have escalated their privilege with these mobile carriers to such a degree that, according to Amit Serper, head of security research at Cybereason, “They can do whatever they want. Since they have such access, they could shut down the network tomorrow if they wanted to.”

An attack of this magnitude is what many security researchers feared following the discovery of Stuxnet. It opened up Pandora’s box, a box riddled with state-sponsored malware that can, for example, shut down power grids, infiltrate dams, and disrupt telecommunications. For now, it appears that APT10 (a specific description of menuPass that pertains to the tactics, techniques, and procedures used to infiltrate systems) is only concerned with espionage. But just as a persistent attack comes in phases, an act of warfare also comes in stages. Only time will tell if the hacker group leverages their power before the mobile carriers find a solution to the problem.

It’s sobering to think that you can be tracked without ever becoming aware of it. The security report cites that 30% of mobile carriers reported sensitive data stolen as a result of an attack in 2018 alone. Nation states that are committed to tracking dissidents theoretically have the power to do so without arousing suspicion for quite a while. We certainly live in a brave new world.

 

 


NASA’s Jet Propulsion Laboratory Compromised Due to Poor Security Practices

June 24, 2019 Posted by News

NASA’s Jet Propulsion Laboratory was hacked as recently as April 2018, according to a report from the U.S. Office of Inspector General. The attacker stole 500MB of data from a major mission system. This attack was only the latest in a decade-long string of breaches; according to NASA’s security audit, “in 2011 cyber intruders gained full access to 18 servers supporting key JPL missions and stole 87 gigabytes of data.” Two years prior, the same China-based hackers stole 22 gigabytes of data. More attacks against JPL occurred in 2014, 2016, and 2017.

So, NASA’s JPL system administrators and engineers have become accustomed to data breaches, as have other admins and devs who work with critical systems. However, according to the audit, there is a litany of missteps that have negatively impacted JPL’s ability to “prevent, detect, and mitigate attacks targeting its systems and networks.”

Many of the “security control weaknesses” documented in the audit are due to human error, while some others smack of negligence. In terms of human error, JPL’s Information Technology Security Database (ITSDB) did not contain a complete inventory of all of the devices connected to its network, including the type, location, and value of components. The most alarming point was that the ITSDB wasn’t always updated to account for new devices added to the network. So, the most recent JPL hacker was able to hijack a Raspberry Pi that was never vetted, made possible by the fact that the device wasn’t registered in the database. The hacker was then able to freely travel through various systems despite the level of permission required to access them. Why was that? Well, JPL failed to segment their network gateway.

Added to the glaring technical issues is the fact that when potential vulnerabilities were spotted, they “were not resolved for extended periods of time—sometimes longer than 180 days.” Since waivers weren’t reviewed annually, tickets would pile up, creating a backlog of outdated issues that expose JPL to attacks.

The above issues, and many others that the audit exposes, are the reason why data has been siphoned from JPL over the last decade. To combat these security issues, the Office of Inspector General provided an actionable list of procedures to NASA management. NASA then responded positively to 9 out of the 10 recommendations, saying that threat-hunting is not the responsibility of Caltech, their contractor.


SSH Adds Protection for Private Keys in DRAM

June 24, 2019 Posted by News

To protect users from having private keys that they’ve stored in RAM stolen by attackers, SSH now provides protection from side-channel attacks. These attacks become feasible when RAM encryption isn’t prioritized. Even if systems include RAM encryption, a null default setting undermines any benefit this important feature can serve. One reason for the lack of emphasis on RAM encryption may be the assumption that attacking volatile memory isn’t worth the effort. Ironically, it’s this thinking that often leads to major security gaffes, like not segmenting memory into increasingly difficult to decrypt chunks.

The growing number of side-channel attacks really undermines the impracticability argument. In the OpenBSD Journal, Paul de Weerd quotes Damien Miller’s commit message, which says, “Add protection for private keys at rest in RAM against speculation and memory side-channel attacks like Spectre, Meltdown, Rowhammer and Rambleed.”

Just to get a taste of the type of attack the new SSH commit seeks to address, let’s examine RAMBleed, an add-on to Rowhammer that researchers essentially created, though the researchers aren’t completely sure if RAMBleed was ever used. Where the Rowhammer attack remotely mutates data in DRAM, RAMBleed leverages Rowhammer to actually read data stored in the computer’s physical memory. In the case of Rowhammer, technically speaking, an attacker can flip bits by manipulating surrounding bits to create a polarizing charge, like hot-wiring a car. The researchers took this concept to another level, saying “we developed novel memory massaging techniques to carefully place the victim’s secret data in the rows above and below the attacker’s memory row. This causes the bit flips in the attacker’s rows to depend on the values of the victim’s secret data. The attacker can then use Rowhammer to induce bit flips in her own memory, thereby leaking the victim’s secret data.”

Using this method, the researchers were able to leak a 2048-bit RSA key. That’s an event that Damien Miller is seeking to avoid with this new commit. Miller says that the update “encrypts private keys when they are not in use with a symmetric key that is derived from a relatively large “prekey” consisting of random data.” An attacker has to recover the entire prekey from memory before they can even begin to think about decrypting the protected private key. Miller asserts that it’s unlikely that an attacker will even be able to acquire an accurate representation of a prekey due to the inevitable accumulation of bit errors.
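The prekey idea Miller describes, sketched as an added example (this is not OpenSSH's code). The 16 KiB prekey size, the SHA-512 derivation and the hash-based stream cipher standing in for a real cipher are assumptions of this sketch; it shows why a single wrong bit in a recovered prekey leaves the shielded key undecryptable.

```python
import hashlib
import secrets

# Assumption for this sketch: the article only says the prekey is
# "relatively large"; 16 KiB is chosen here for illustration.
PREKEY_LEN = 16 * 1024


def derive_key(prekey):
    """Hash the whole prekey down to a short symmetric key."""
    return hashlib.sha512(prekey).digest()


def _keystream(key, length):
    """Stand-in stream cipher (SHA-512 in counter mode), used only so the
    sketch runs without a third-party crypto library."""
    blocks = []
    for counter in range((length + 63) // 64):
        blocks.append(hashlib.sha512(key + counter.to_bytes(8, "big")).digest())
    return b"".join(blocks)[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def shield(private_key, prekey=None):
    """Encrypt a key for storage in RAM. Returns (prekey, ciphertext); the
    caller keeps both and discards the plaintext and the derived key."""
    if prekey is None:
        prekey = secrets.token_bytes(PREKEY_LEN)
    key = derive_key(prekey)
    return prekey, _xor(private_key, _keystream(key, len(private_key)))


def unshield(prekey, ciphertext):
    """Re-derive the symmetric key from the prekey and decrypt."""
    key = derive_key(prekey)
    return _xor(ciphertext, _keystream(key, len(ciphertext)))


def flip_bit(data, bit_index):
    """Model one read error in memory recovered through a side channel."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def differing_bits(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def demo():
    # Constructed sample secret, not a real key.
    secret = b"-----BEGIN CONSTRUCTED SAMPLE KEY-----" + bytes(range(64))
    prekey, blob = shield(secret)
    noisy = flip_bit(prekey, 70_001)  # one wrong bit out of 131,072
    return {
        "roundtrip_ok": unshield(prekey, blob) == secret,
        "noisy_recovers_key": unshield(noisy, blob) == secret,
        "key_bits_changed": differing_bits(derive_key(prekey), derive_key(noisy)),
    }


if __name__ == "__main__":
    print(demo())
```

Because the symmetric key is a hash of every prekey bit, roughly half of the 512 derived key bits change after one flipped prekey bit, so a nearly correct prekey is no better than a random guess.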

The new commit is a timely improvement since RAMBleed is currently undetectable. RAMBleed’s researchers will unveil their findings at the 41st IEEE Symposium on Security and Privacy in May, 2020. Hopefully, SSH’s new feature will be heavily used by that date.

 

 


Atlanta Tapped to Host Global Smart City Expo

June 20, 2019 Posted by News

Smart technology has infiltrated our lives. Our watches are smart, our thermometers are smart, and now our cities are becoming smart. That’s where the Smart City Expo World Congress comes in; the organization invites corporate leaders, public representatives, entrepreneurs, and academics to discuss how to build better cities in the context of the recent smart technology boom.

This year, Atlanta’s officials, in an attempt to come to terms with what the social responsibility of a smart city entails, will be hosting the annual Smart City Expo in the Georgia World Congress Center. The expo will be dubbed Smart City Expo Atlanta or SCATL. According to SCATL’s press release, “more than 2,500 attendees, 200 speakers and 50 exhibitors” are expected to be at the expo.

The goal of this event is to come away with what it means to be a “smart city.” The solutions that these thought leaders can conjure up will have drastic implications on our future. That’s because one of the biggest issues affecting some of the leading smart cities is social isolation. Take Songdo, South Korea’s smartest city and, arguably, the smartest city in the world. According to a City Lab article, the city features pneumatic tubes that send your garbage to waste facilities so that you never have to hear the sound of a garbage truck, street sensors that monitor energy use and traffic, and smartphone-enabled adjustable heating and lighting in apartments.

For all of its modernity, the problem with the city is its lack of face-to-face social cohesion. Lindy Wenselaers, an expat Belgian woman interviewed in City Lab’s article, claimed that most of her social interactions with fellow residents came from Facebook groups. Of course, culture plays a role in Songdo’s emptiness. But there’s also a lesson to be learned about expecting people to interact in smart cities the same way they interact in other cities. The costs of these cities may exclude a large segment of the population from renting homes in the area, forcing them to live on the fringes.

Problems like social exclusion are what the Smart City Expo was founded to resolve. Atlanta’s mayor, Keisha Lance Bottoms, sees the expo’s mission as a way to boost Atlanta’s image, saying, “The focus on cutting-edge technologies, smart city innovation, and equity and inclusion directly align with our One Atlanta vision of affordability, resiliency, and fairness. We look forward to hosting cross-sector leaders from around the globe to this internationally-recognized summit.”

Ricard Zapatero, the International Director of Fira de Barcelona, in many ways agrees with Mayor Bottoms when he says, “Atlanta is on an accelerated path to becoming a model for Smart Cities across the country.”

Atlanta will host the expo from September 11 to September 13.


Some Mozilla Users Potentially Vulnerable to RCE and UXSS Attacks

June 19, 2019 Posted by News

Mozilla has released version 67.0.3 of Firefox and version 60.7.1 of Firefox ESR to patch a critical vulnerability that, if exploited, allows malicious attackers to enslave a computer. That’s because attackers can gain remote access through the vulnerability. The likely outcome of the attack could be a botnet. However, we should note that actual details about any active exploit are not available. At the moment, Mozilla has warned Firefox users that the zero-day is currently being exploited, but hasn’t offered up further details.

The bug was discovered by Coinbase Security and Samuel Groß. In a Twitter post, Groß mentioned that he’d reported the bug to Mozilla two months ago. For ethical reasons, bug reports are delayed until engineers can develop a patch. As for the potential exploit, Groß says, “the bug can be exploited for RCE but would then need a separate sandbox escape. However, most likely it can also be exploited for UXSS which might be enough depending on the attacker’s goals. Looking forward to more details from and .”

Groß downplays the potential for remote execution, but a UXSS attack may be a worse alternative for users since cross site scripting attacks allow hackers to potentially intercept sensitive information. A UXSS attack can come in the form of formjacking, a technique that according to Symantec’s 2019 report is on the rise. Attackers embed malicious JavaScript code into a payment form so that when users submit a form, their credentials are sent to the attacker’s server. Symantec reported that 4,818 different websites were compromised by formjacking in 2018 alone. According to Symantec’s researchers, “just 10 credit cards stolen from compromised websites could result in a yield of up to $2.2 million for cyber criminals each month.” So, there’s an obvious financial motive for a UXSS attack if Groß’s suspicion is proven true.

Interestingly enough, Mozilla diagnosed the bug as a “type confusion vulnerability.” The vulnerability is caused when manipulating objects with JavaScript’s Array.pop. The report highlights the “issues” with the JavaScript method as the main cause of the vulnerability. So for some reason, a TypeError isn’t issued in certain cases, which can then allow a savvy hacker to feed malicious code to a location in memory without causing suspicion.

All that said, updating your Firefox is not a bad idea.

 


Mirai Variant Targets Multiple IoT Devices with 8 new Exploits

June 10, 2019 Posted by News

The Mirai malware made news in 2016 when it brought the internet to its knees after attacking Dyn, a domain service provider. Ever since then, the malware has proliferated into several variants, and those variants have then branched into more variants. Now, Palo Alto Networks Unit 42, which has been tracking the botnet since 2016, has found a new variant equipped with 8 exploits.

The new variant targets IoT devices that are gaining in popularity, like SD-WANs, wireless presentation systems, and smart home controllers. The researchers explain that the number of exploits allows a single botnet to compromise a range of devices, thereby increasing the effectiveness of the botnet. Many of these exploits are being farmed from public databases, most notably exploit-db, according to the researchers.

Below is a list of the exploits that the new variant employs.

 

A security researcher noticed command injection vulnerabilities in WePresent devices. Those vulnerabilities were then haphazardly patched. The problem is that a majority of WePresent devices run on older software versions that have not been patched. These devices are used in over a hundred universities in North America, and this exploit targets every single version out there.

This bug allows an attacker to gain remote access to affected servers.

VMWare contains a web UI component that, if enabled, is vulnerable to remote command injection.

The U.motion Builder software that contains this remote code execution vulnerability has recently been retired. Now, it’s up to devices that use the software to move on.

Asustor’s ADM firmware 3.1.0 does not sanitize user input when making a call to a local shell script. According to the doc, “exploitation of this vulnerability allows an attacker execution of arbitrary commands on the host operating system, as the root user, remotely and unauthenticated.”

  • Dell KACE Remote Code Execution

This vulnerability was discovered by Julien Ahrens in 2018’s H1-3120 event. Dell quietly patched the vulnerability, but since vulnerabilities don’t often patch themselves on older versions, there may be machines that are still at risk.

This exploit turns Geutebruck security cameras into a potential botnet. Hackers can exploit “an arbitrary command execution vulnerability. The vulnerability exists in the /uapi-cgi/viewer/testaction.cgi page and allows anonymous user to execute arbitrary commands with root privileges.”

This exploit takes advantage of a vulnerability in a HooToo wireless travel router (which sounds like a bad idea from the get-go security-wise). The malicious code “tries to open a door in the device by exploiting the RemoteCodeExecution by creating a backdoor inside the device.”

 

Unit 42 concludes that the trend towards a multiplicity of exploits within a single variant will increase the strength of DDoS attacks.


Python is Now Easy to Install on Windows 10

June 10, 2019 Posted by News

2019 has been an excellent year for developers who’ve been bold enough to code on a Windows machine. The announcement of a new Windows terminal and advancements in Visual Studio 2019 have already been welcome additions to the developer toolkit. Amidst the flurry of Windows announcements was one that didn’t make a huge splash: Python is now easier to install on Windows. That might not sound like a big deal, but if you’ve ever tried to install something like PostgreSQL on Windows, you know about the potential difficulties one can face in making sure files are properly installed and configured.

Personally, I’ve never got my Python installation to work on my Windows machine; though I could’ve troubleshot the problem, I thought it wasn’t worth the trouble. How many beginners and hobbyists who consider using Python on a Windows machine for experimentation may decide to forgo the language entirely? For many devs, this complaint is met with I-told-you-so’s and Virtual Machine/Linux/Mac recommendations. While those suggestions are worthwhile, PCs and Windows are still a fact of life for many beginners and hobbyists.

So, when Windows’ Python team say that they’ve made Python easier to install, it’s a pretty big deal. Steve Dower, the Python engineer who wrote the announcement post, mentioned that even professional Python devs find that Windows does little to help Python developers, saying, “Python developers on Windows find themselves facing more friction than on other platforms.”

Again, this problem is due to Windows’ history as a platform that catered to corporate professionals and students. The idea that Windows users would ever need a Python interpreter seemed asinine, so why create another security hole by including something that won’t be maintained properly?

It’s due to this reasoning that many Windows users who decided to give Python a go pre-update might have been greeted with this warning screen:

Dower also echoed my point about beginners and hobbyists encountering the above warning of death when he said, “It’s much more likely that someone will hit this problem the first time they are trying to use Python. Many of the teachers we spoke to confirmed this hypothesis – students encounter this far more often than experienced developers.”

So Microsoft fixed this issue by allowing the Python community to release new versions to the Microsoft Store. For example, python3 and python3.7 would be readily available for download. What’s even better is that a python command won’t give the inane warning you would have gotten prior to the May update. Instead, you’ll be directed to the Python store page.

I finally might give Python a try one of these days.

 


Hacker Gained Nine Month Access to Flipboard’s Database

May 29, 2019 Posted by News

Flipboard, the news aggregation app visited by 150 million users per month, stated in a security notice that hackers breached its database “between June 2, 2018 and March 23, 2019 and April 21 – 22, 2019.” During this nine month long probe, the hackers were able to access user account information such as names, usernames, email addresses, and encrypted passwords.

The saving grace here is that Flipboard uses salted hashing, which theoretically means that users would be protected… if the exploit had taken place in 2000. The problem is that if users never changed their passwords after March 14, 2012, their passwords would’ve still been salted and hashed with SHA-1, according to Flipboard. SHA-1 has been vulnerable since 2005, according to security experts. Not too long ago (2017), researchers were able to successfully create a collision against the SHA-1 function, creating two files with identical SHA-1 signatures. That means that a hacker with nefarious intent can reproduce the same result. Admittedly, they would have to be willing to brute force myriad passwords. Still, the motivation can be worthwhile due to the fact that many people use the same password for multiple applications. A dedicated hacker could then breach a bank account if they were to obtain a password from an irresponsible individual. Even so, the costs would be tremendous. Large nation state collectives found in China, North Korea, and Russia would be the potential customers if the data was ever sold on the black market.

All that said, the hacker would probably not have been able to do much with the information at hand besides acquiring emails for potential phishing attacks. Additionally, Flipboard mentions that they do not acquire sensitive information from users, which does contain the potential damage of the breach quite a bit. To counteract the obvious SHA-1 vulnerability, Flipboard now requires current users to create a new password, which will then be hashed with bcrypt.
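The remediation described above (accounts still on salted SHA-1 must set a new password, which is then stored with a slow hash), as an added example that is not Flipboard's code. The record layout, the `sha1(salt + password)` construction and the use of PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

# Stand-in work factor for the slow hash; Flipboard's notice names bcrypt,
# PBKDF2 is used here only because it ships with Python.
PBKDF2_ROUNDS = 600_000


def legacy_sha1_record(password, salt=None):
    """Build a record the old way: one salted SHA-1 pass (layout assumed)."""
    salt = salt or secrets.token_hex(8)
    digest = hashlib.sha1((salt + password).encode()).hexdigest()
    return f"sha1${salt}${digest}"


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt.encode(), PBKDF2_ROUNDS
    ).hex()


def slow_record(password, salt=None):
    """Build a record with the slow, salted hash used for new passwords."""
    salt = salt or secrets.token_hex(16)
    return f"pbkdf2${salt}${_pbkdf2(password, salt)}"


def verify(password, record):
    """Check a password against either record type in constant time."""
    scheme, salt, expected = record.split("$")
    if scheme == "sha1":
        actual = hashlib.sha1((salt + password).encode()).hexdigest()
    elif scheme == "pbkdf2":
        actual = _pbkdf2(password, salt)
    else:
        return False
    return hmac.compare_digest(actual, expected)


def needs_reset(record):
    """Anything not already on the slow hash must be replaced."""
    return not record.startswith("pbkdf2$")


def login(users, name, password):
    """Return 'ok', 'reset_required' or 'denied'."""
    record = users.get(name)
    if record is None or not verify(password, record):
        return "denied"
    return "reset_required" if needs_reset(record) else "ok"


def reset_password(users, name, new_password):
    """Store the new password with the slow hash, dropping the SHA-1 record."""
    users[name] = slow_record(new_password)


def audit(users):
    """List accounts whose stored hash is still the legacy scheme."""
    return sorted(name for name, rec in users.items() if needs_reset(rec))


if __name__ == "__main__":
    # Constructed sample accounts.
    users = {
        "alice": legacy_sha1_record("hunter2"),
        "bob": slow_record("correct horse"),
    }
    print(audit(users))                        # accounts still on SHA-1
    print(login(users, "alice", "hunter2"))    # reset_required
    reset_password(users, "alice", "a new, longer passphrase")
    print(login(users, "alice", "a new, longer passphrase"))
```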

Many might be wondering why the hacker went undetected for such a long period of time. Besides expressing their apologies for the security breach, Flipboard doesn’t offer an explanation. They really don’t need to. Breach detection is a problem in the security field. According to a 2017 Cost of a Data Breach study, it takes 206 days on average for a company to detect a breach. That’s assuming the hacker knows what he’s doing. And that’s the crux of the problem. The point of an exploit is to remain undetected for as long as possible. Unless there are systems in place to detect a signature before it occurs, these numbers won’t drastically decrease. It’s a bit like trying to develop a vaccine for a pathogen that you know nothing about. So, it becomes a game of cat and mouse.

Donald E. Hester, a cyber security blogger, mentions the dangers of such a prolonged access to data:

The hackers’ access to the system for such a longer period means they can gain more and more control of systems and find all the data of worth and exfiltrate it without being noticed. It is like having a warehouse with no lighting and no one watching to see thieves emptying the warehouse.

In the case of Flipboard, the breach was only detected after the hacker infiltrated the system not once, but twice. They’re currently investigating the number of accounts that were affected. In the meantime, they’ve contacted law enforcement and beefed up their security.


Wheels Rolls Out To Atlanta With $37M

May 24, 2019 Posted by News

Atlanta is known for many things, and one of them is the overabundance of scooters lining sidewalks. There may come a time when Bird, Jump, Lime, and Lyft become common phrases learned in elementary school when referring to transportation. This new micro-mobility phase has come with macro-sized problems for people who like to walk through a clean-looking city. The problem has gotten so bad that Atlanta’s government website has an entire page showing riders how and how not to park their electric scooters.

source: atlanta.gov

Understanding Atlanta’s seemingly unquenchable thirst for scooters and bikes, Wag founders Jonathan and Joshua Viner have rolled out their electric bikes in the ATL. Their product is Wheels-Wheels, a dockless bike that boasts a comfortable foam seat, swappable parts, built-in Bluetooth speakers, and a charging port for your phone.

The bike follows the same “clean up” model as many other micro-transit solutions, whereby you earn cash by docking the bike for upkeep and battery swaps.

The flexibility and lower price are what Josh Viner dubs micro mobility 2.0. Added to the modularity and affordability is safety, which may set the company apart from its competitors. The bike’s 14-inch wheels and low seating are supposed to provide stability as you ride. The company is also coming out with a smart helmet that can be unlocked with an app and returned.

The rollout to Atlanta comes on the heels of a $37 million funding round that included investors like Tenaya Capital, Bullpen Capital, Crosscut Capital, 3L Capital, and Naval Ravikant.

With that money, the demographic that Wheels is targeting isn’t the young, hip kids, but the older generation, who can’t imagine why scooters have become so popular.

“There’s a huge market of over-35s that’s not being addressed by the scooters,” said Joshua Viner. “There’s a lot of people, a lot of my friends, parents, who are just a little bit nervous to get on the scooter. We’re able to get a much broader market with this product because people know how to ride a bike.”

It appears that the founders hope to counteract the scooter market by providing a safer, street-friendly product for those who love dockless transportation. Still, they face stiff competition from companies that are valued in the billions. Wheels arrives in a war of mobility that has bloodied the streets of Atlanta with dockless vehicles. However, the brothers seem undaunted.

“When we evaluated this market,” said Jonathan Viner, “we identified a major opportunity to better serve cities with a sustainability-first approach to dockless electric mobility. We’ve spent countless research and development hours on new manufacturing and servicing models…”

So, next time you’re driving through Atlanta and you see the Wheels bike, know that you’re not dreaming–someone actually dared to make another micro transit vehicle and place it in the mecca of transit vehicles.
