Thursday, August 18, 2011

News - Security


New Android bug renders device silent, unresponsive
Denial-of-service flaw affects more than half of all current users.
New Android bug renders device silent, unresponsive
A newly-discovered vulnerability in the Android operating system would allow attackers to place a target device in a vegetative state, rendering it unusable, security researchers have found.


Modular Android malware dev kit to be released
By Darren Pauli on Aug 3, 2012 10:13 AM
"An open source framework has emerged that allows Android malware to be built from modules that enable data to be stolen, phone calls to be eavesdropped and root exploits to be run.
The modules slashed the time and difficulty to build malware and allowed users to select from some 20 prebuilt features such as the ability to siphon contacts, emails and SD card data off phones, and force victims to dial premium calls.
Malware authors could currently select from eight pre-designed templates and insert a custom IP addresses to which siphoned obfuscated data would be delivered.
It could even pack the malware into legitimate-looking signed applications like file system explorers and games so they were ready to be uploaded to Android app stores...."


AVG issues smartphone malware warning
By Ken Presti, on Aug 3, 2012 8:04 AM
"Cybercriminals are increasing their focus on Android-based smartphones given the relative openness of the platform, especially when combined with effective social engineering tactics.
That's according to security vendor, AVG, which recently released its Threat Report for the second quarter of 2012.
The Android platform represents approximately 59 percent of the global market and has been heavily targeted by malware authors, particularly from China and neighboring markets, according to the report.
The second quarter of this year witnessed the introduction of the first Android bootkit, "DKFbootkit," which masquerades as a fake version of a legitimate application and damages the smartphone’s Linux kernel code by replacing it with malicious code......."



Malware disguised as updates pushed over hotel wi-fi
By Dan Kaplan on May 10, 2012 10:40 AM

Feds warn update before travel.
Now  travelers to be on the lookout for malware on their hotel's wireless connection.
According to the alert, attackers are using the hotel's Wi-Fi hotspot to distribute malware to guests under the guise of a security update.
The alert was issued by the Internet Crime Complaint Center (IC3), a partnership between the Federal Bureau of Investigation and the National White Collar Crime Center, and funded by the Bureau of Justice Assistance.
"In these instances, the traveler was attempting to set up the hotel room Internet connection and was presented with a pop-up window notifying the user to update a widely-used software product," the alert said.
"If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available."



Hackers break into 55,000 Twitter accounts, leaving passwords bare
8th May 2012 by Alex Wilhelm

"In a massive leak, some 55,000 Twitter accounts have been compromised, leaving them open for abuse. According to AirDemon, accounts belonging to celebrities were attacked in the process.
The leak is large enough that 5 PasteBin pages were required to host the list. I’m going to link to them, only so that you can see if you are among the hacked: one, two, three, four, five. The pages have racked up thousands of views, implying that the accounts could have already been compromised. If you see any funny tweets in your stream, this might be why."


First drive-by Android malware detected
By Marcos Colon on May 4, 2012 9:12 AM

"   Malware writers "even lazier than before".
Now The first mobile malware infection via drive-by-download has been detected.
The Android trojan was detected by Symantec researchers delivered through a fake security update hosted on malicious websites.
Drive-by-download transmitted malware to a victim's computer when victims visited infected web pages, but users still had to accept permission prior to installing.
“This is more of a social engineering attack,”  Symantec Security Response Center operations director Liam O Murchu said. “At the end of the day, the user still needs to see a message and decide if it's something that they want to install or not.”   "




Why malware authors don't need to try
By Michael Lee, ZDNet.com.au on April 18th, 2012
"We often assumehttp://www.scmagazine.com.au/News/299371,first-drive-by-android-malware-detected.aspx
First drive-by Android malware detected
By Marcos Colon on May 4, 2012 9:12 AM

"   Malware writers "even lazier than before".
Now The first mobile malware infection via drive-by-download has been detected.
The Android trojan was detected by Symantec researchers delivered through a fake security update hosted on malicious websites.
Drive-by-download transmitted malware to a victim's computer when victims visited infected web pages, but users still had to accept permission prior to installing.
“This is more of a social engineering attack,”  Symantec Security Response Center operations director Liam O Murchu said. “At the end of the day, the user still needs to see a message and decide if it's something that they want to install or not.”   "

 that malware writers are the sort of evil geniuses who work tirelessly to exploit unheard-of or secretly hidden backdoors in order to make a quick dollar or use your computer's resources for their own means. But recently, it feels like they haven't even been trying that hard.
On the back of Flashback, we saw another piece of malware, SabPab, that exploited the same Java vulnerability. Then, it wasn't long before a variant of SabPab was released, and Intego noted that SabPab's authors had begun to use Word documents to deliver their payloads. Strangely, the Word vulnerability that it used to spread itself was patched in 2009.
Although Kaspersky considers SabPab to be an advanced persistent threat, which usually indicates a high-level über hacker, I'm more inclined to see it as the work of someone who is relying on their victims being clueless about security. Why? Well, other than the ability to humiliate your victims for falling for such an old vulnerability, why would you pick one that is expected to have been patched?
I think the answer is that the authors are banking on users not bothering to patch, even though it's expected of them."
http://www.flashbackcheck.com/ - Kaspersky free detection website and removal tool
http://www.f-secure.com/weblog/archives/00002336.html - F-Secure how to detect and remove Flashback manually
http://support.apple.com/kb/HT5242 - Apple official patches and tools




Android concept app siphons sensitive data
By Darren Pauli on Apr 11, 2012 11:12 AM
Application bypasses permissions to steal SD and app data.

"A security researcher has developed an application that demonstrates how sensitive data can be stolen from Android phones without user permission.
The application can access contents of a phone's SD card, tap into app data and upload sensitive data without requiring permissions.
The No Permissions app
Permissions were a security system on Android phones that require applications to ask users for access rights to phone contents like contacts, data and the ability to access communications."



Wicked exploit found in Linux WiFi
By Darren Pauli on Apr 12, 2012 3:13 AM
Anonymous student hacker finds holes in WICD tool.

"A zero day exploit has been discovered in popular wireless Linux manager WICD that allows an attacker to spawn a root shell on a target machine.
The privileged escalation exploit affects the latest versions of WICD (pronounced wicked) and was successfully tested on a handful of Linux distributions including the latest release of the penetration testing operating system BackTrack.
It was not yet tested for remote exploitation vectors."




Five million machines potentially vulnerable to RDP exploit
By Darren Pauli on Mar 20, 2012 5:21 PM
Scan shows not just 'stupid users' are vulnerable.
"Up to 5 million computers have Remote Desktop Protocol (RDP) activated meaning many were potentially exploitable via the MS12-020 bug.
The results derived from an ongoing TCP port scan to locate machines runing RDP services. It was preformed by security researcher Dan Kaminsky and was about 20 per cent complete.
It found 415,000 of 300 million machines (0.4 per cent or extrapolated to about 8.3 per cent of total internet users) had RDP activated.
The RDP vulnerability provided attackers with remote access to networks that have RDP enabled and was predicted to cause mayhem for organisations this year with small businesses most notably at risk."
Other RDP news



Open source Android bug seeker launched
By Dan Raywood on Mar 17, 2012 10:25 AM
"MWR InfoSecurity is to launch an Android security testing framework this afternoon at the Blackhat EU conference.
An open source Android security testing framework had been launched that analyses vulnerabilities in the mobile platform. The technology dubbed 'Mercury'  was launched at BlackHat EU on the back of media coverage of security issues on Android phones, and in light of the fact that researching vulnerabilities in mobile phones is time-consuming. The tool was designed to allow testing of applications before, during and after development, MWR InfoSecurity managing director Ian Shaw told SC Magazine.
“This comes with the Android platform that OEM vendors have taken and added to links to reduce security vulnerabilities in the development process," he said."




Bank tokens swiped from Android phones
By Marcos Colon on Mar 20, 2012 9:16 AM
"Intercepts one time tokens through SMS.
The banking credentials of Android device users are being threatened by a new, self-updating trojan that poses as a one-time password application (OTP).
Once users downloaded the token-generator application from a third-party forum -- the official Android Market is not affected -- attackers could siphon data from phones, according to McAfee Labs security researcher Carlos Castillo.
The malware mostly targeted users of Spanish banks like Santander and Banesto and appeared credible because it disguised itself with the logo and color of the bank in the application."



Allphones hacked, staff passwords exposed
By Darren Pauli on Mar 6, 2012 10:55 AM
Hacker claims 703 accounts listed.
"Telecommunications retailer Allphones has had hundreds of staff usernames, passwords and company administrator logins exposed following a hacking attack.
The breach occurred when the company's web administration interface was accessed through a SQL injection attack that targeted the Allphones website.
SC Magazine Australia informed the Allphones website designer of the breach including the vulnerable link and a captured HTML page of the admin console."



DIY mobile phone tracking using open source
By Darren Pauli on Feb 21, 2012 1:35 PM
Researchers locate target without help from phone carriers.
"US researchers have developed a cheap and simple method for tracking the location of GSM mobile phones.
Mobile carriers typically transmit unencrypted signals between GSM towers and phones to determine location. This is required for phone services to be provisioned.
But the new research has revealed that anyone running the open source Osmocom GSM software could use the same functionality to determine whether or not a mobile phone is in an area of between one and 100 square kilometers."



Trojan leverages patched Microsoft Office flaw
By Dan Kaplan on Feb 12, 2012 8:22 PM
"The exploit arrives as an email.
Researchers at Symantec said they have spotted a trojan taking advantage of a previously patched Microsoft Office vulnerability.
The exploit, which is being used in targeted attacks, arrives as an email that contains a Microsoft Word file and a separate DLL file, a rare combination considering DLL files are not typically sent over email."



Crims make $3 million a year off Android botnet
By Dan Kaplan on Feb 12, 2012 10:03 PM
Uni researcher finds world's biggest Android botnet.
"Researchers claim to have found the world's largest and most lucrative mobile botnets.
Saxon Jiang, a researcher from North Carolina State University, found a botnet containing hundreds of thousands of infected nodes.
Symantec confirmed the botnet. Security response engineer Cathal Mullaney said the malware used to grow the bot was contained in almost 30 rogue applications on Chinese app stores."


Bug means iPhone thieves get iMessages, too
By Darren Pauli on Feb 6, 2012 12:18 PM
iMessages relayed to strangers' iPhones.

"A bug in Apple iPhones was discovered that could relay iMessages to strangers’ phones.
The flaw meant that stolen iPhones would continue to receive iMessages that were sent by and delivered to victims who used iMessages on a replacement device.
iMessages was an Apple proprietary system for iOS 5 and an alternative to SMSes that allowed iPhones to send text and multimedia for free over a data network."


Google employs Bouncer to cleanse Android malware
By Dan Kaplan on Feb 5, 2012 9:41 AM
Claims malware app downloads had dropped 40 per cent.

""Google has developed an in-house anti-virus service to remove malware on its marketplace.
The Bouncer service emulates the operating of application on Google's cloud and searches for anomalies that may be indicative of malware.
"We also analyse new developer accounts to help prevent malicious and repeat-offending developers from coming back," Android engineering vice president Hiroshi Lockheimer said.
Lockheimer credited Bouncer with lowering the number of "potentially" malicious downloads in the Android Market by 40 per cent, between the first and second half of last year.""


HTC phones reveal Wi-Fi logins
By Dan Kaplan on Feb 5, 2012 9:41 AM
Apps could swipe SSIDs, passwords.

""A software bug was found in some HTC Android phones that could allow attackers to steal Wi-Fi credentials and SSID.
The US Computer Emergecy Response Team (US-CERT) said the flaw could be exploited by  users who installed applications on affected phones that contained specific permissions.
"There is an issue in certain HTC builds of Android that can expose the user's 802.1X password to any program with the 'android.permission.ACCESS_WIFI_STATE' permission," US-CERTresearcher Bret Jordan said in a vulnerability note.
"When paired with the 'android.permission.INTERNET' permission, an app could easily send usernames and passwords to a remote server for collection."   ""



Build Up Your Phone’s Defenses Against Hackers
By KATE MURPHY
January 25, 2012
"Chuck Bokath would be terrifying if he were not such a nice guy. A jovial senior engineer at the Georgia Tech Research Institute in Atlanta, Mr. Bokath can hack into your cellphone just by dialing the number. He can remotely listen to your calls, read your text messages, snap pictures with your phone’s camera and track your movements around town — not to mention access the password to your online bank account."

PcAnywhere code stolen, Symantec warns of exploits
By Dan Kaplan on Jan 26, 2012 12:08 PM
"Company recommends to stop using its product pending fixes.
Symantec is advising users of its pcAnywhere remote access product to disable the software if they don't absolutely need it.
Warnings come amid confirmation by the security giant that hackers stole a portion of the company's source code dating back to 2006.
The code related to the 2006 versions of Norton Antivirus Corporate Edition, Norton Internet Security, Norton SystemWorks and pcAnywhere."


Symantec finds huge Android malware infection
Antone Gonsalves on Jan 30, 2012
"Up to 5 million smartphone users at risk.
Symantec has found a massive Android malware infection in which several million smartphone users downloaded from the Android Market a Trojan capable of stealing information and displaying advertising.
The security vendor discovered the malware, called Android Counterclank, in 13 apps with titles such as "Counter Ground Force," "Heart Live Wallpaper" and "Sexy Girls Puzzle." The malware has the ability to receive commands from a remote server and to steal information, Symantec reported Friday."


Cyber criminals launch underground search engine
Brian Krebs  January 24, 2012 - 7:58AM
"Australian stolen credit card details in search results.
A new service aims to be the Google search of underground websites, connecting scammers to a vast sea of web forums that offer an array of dodgy goods and services, from stolen credit card numbers to identity information and anonymity tools."




Hacking Google for Fun and Profit
Posted by Andrew Cantino Dec 14th, 2011
In my opinion, this is the most subtle, but also the most disturbing, of the three bugs. As with the other bugs that I found, this was an example of Cross Site Request Forgery- the practice of convincing a user’s browser to make a request on their behalf to a remote server. This type of attack generally only works when the user is logged in to the remote service. In this case, if a user is already logged into Gmail (and they usually are), a malicious website could make a series of requests for Gmail profile images and, based on the return codes, determine whether or not the visitor had communicated with another Gmail user. This worked because Gmail, as a well-intentioned privacy measure, would only show profile images to a viewer if they had had mutual contact. Here is some example code that worked at the time:




Malicious apps discovered in Android Market
By Angela Moscaritolo on Dec 13, 2011 8:31 AM Malicious devs lose registration but still turn a profit.
Large numbers of malware-laden popular apps such as Angry Birds have hit Google's official Android Market.
A rogue developer with the handle “Lagostrod” uploaded infected versions of at least a dozen popular games, including Cut the Rope, Need for Speed: Shift, and Assassin's Creed: Revelations, F-Secure researcher Sean Sullivan said.
After being notified of the issue, Google removed the apps and suspended the developers' accounts.

Phone porting used to unlock net banking codes
By Brett Winterford on Dec 6, 2011
The scam is sophisticated, as one recent example illustrates.
George Craig*, a small business owner from Sydney’s Northern Beaches, received a call on his home phone from the Commonwealth Bank in mid-July.
He was told that his mortgage account had been accessed by fraudsters, who had funnelled out some $45,000. And his mobile phone – which hadn’t rang off the hook as it usually did during business hours – was used as a tool in the attack.
Craig cannot be 100 percent sure how his online bank account was compromised. He blames himself for conducting online banking sessions on a company laptop without adequate security software.



Four eBay scams to avoid
By Darren Pauli on Nov 28, 2011 10:00 AM

It should be no surprise that auction site eBay is a target of fraudsters.

With an arsenal of virtual credit cards, identity theft and social engineering, fraudsters with the will and persistence have long battled the security teams working to protect eBay's millions of buyers and sellers.

But where other forms of online fraud have been dominated by Russian criminals, it is fraudsters operating from Romania that have caused the biggest headaches for the online auction mega site.



You say 'rootkit,' I say 'diagnostic tool'

by Elinor Mills  November 17, 2011 3:15 PM PST

"Android developer Trevor Eckhart recently noticed something odd on several EVO HTC devices: hidden software that phoned home to the carrier with details about how the phone was being used and where it was.
The software, Carrier IQ, tracked the location of the phone, what keys were pressed, which Web pages were visited, when calls were placed, and other information on how the device is used and when."



Certificate phishing sucks bank customers into Blackhole
By Dan Raywood on Sep 19, 2011 12:50 PM
Bank business customers warned of invalid certificates.

"Spammers are telling bank business customers that their SSL certificates had expired in efforts to exploit the blacklisting of certificate authority DigiNotar.
DigitNotar was blacklisted by major browsers after it was hacked and issued fraudulent certificates.
Barracuda Networks security researchers Dave Michmerhuizen and Luis Chapetti said the spam carried a dangerous message.
"The spammers try to create a sense of urgency with the hope that you will click one of the links to see what happens; which in this case is a particularly bad idea because the second link in the message directs the browser to a server hosting an exploit kit," they said."


By Greg Masters on Sep 15, 2011 7:47 AM
Anti-virus won't detect it.
A variant of the SpyEye trojan dubbed SpitMo can steal bank account details and redirect transaction validation SMSes from Android phones.
SpitMo, or SpyEye for mobile, imposed templated fields on targeted banks' web pages requesting that customers fill in a mobile phone number and the international mobile equipment identity (IMEI) number of the device, a unique signature for a specific phone.
It meant criminals no longer needed to generate a certificate and issue an updated installer to snag the IMEI number, saving them up to three days.






Hackers steal SSL certificates for CIA, MI6, Mossad
http://www.computerworld.com/s/article/9219727/Hackers_steal_SSL_certificates_for_CIA_MI6_Mossad
By Gregg Keizer
September 4, 2011 05:35 PM ET15
"The Dutch government has since audited DigiNotar's performance and rescinded this assessment," Nightingale said. "This is not a temporary suspension, it is a complete removal from our trusted root program."
On Saturday, Piet Hein Donner, the Netherlands's Minister of the Interior, said the government could not guarantee the security of its websites because of the DigiNotar hack, and told citizens not to log into its sites until new certificates had been obtained from other sources.



Hackers acquire Google certificate, could hijack Gmail accounts
http://www.computerworld.com/s/article/9219569/Hackers_acquire_Google_certificate_could_hijack_Gmail_accounts
Repeat of Comodo affair last March; foreign government may be behind theft, says researcher
By Gregg Keizer, August 29, 2011 05:26 PM ET

Hackers have obtained a digital certificate good for any Google website from a Dutch certificate provider, a security researcher said today.
Criminals could use the certificate to conduct "man-in-the-middle" attacks targeting users of Gmail, Google's search engine or any other service operated by the Mountain View, Calif. company.
"This is a wildcard for any of the Google domains," said Roel Schouwenberg, senior malware researcher with Kaspersky Lab, in an email interview Monday.
"[Attackers] could poison DNS, present their site with the fake cert and bingo, they have the user's credentials," said Andrew Storms, director of security operations at nCircle Security.



Android tops mobile hacking charts
http://www.scmagazine.com.au/News/267861,android-tops-mobile-hacking-charts.aspx
By Tom Brewster on Aug 24, 2011 12:52 PM
Filed under Applications
But malware hasn't reached a tipping point.

Android officially became the most attacked mobile operating system by far in the second quarter (Q2), indicating it is emerging as the Windows of the mobile hacking world.
....
The information grabbed includes: user identifier, SIM card number, telephone number, IMEI number, IMSI number, screen resolution and local time… If the root exploit is successful, the system partition is remounted as writable and various additional utilities installed, supposedly to make removal more difficult and allow for additional functionality.




Top ASX-listed companies vulnerable to Apache DoS exploit
http://www.scmagazine.com.au/News/267894,top-asx-listed-companies-vulnerable-to-apache-dos-exploit.aspx
By Darren Pauli on Aug 24, 2011 12:17 PM
Attack launched over 3G

Twenty six of the top 200 ASX-listed companies are vulnerable to an Apache web server denial of service exploit according to a penetration testing company.
The exploit issues partial content requests to Apache httpd which causes the daemon to swap memory to the file system, eventually triggering a denial of service attack



Think Twice Before Installing Any Chrome Extension

http://blog.arpitnext.com/2011/08/chrome-extension-awesome-screenshot.html
Google Needs to Moderate Chrome Extension Gallery
If you are a Google Chrome user and have installed extensions from the Chrome Web Store, you need to know one important thing. The extensions available in official gallery are not as safe as you think. These extensions are not checked by Google for possible malicious behaviour. This means that these Chrome extensions may track your browsing habits, send data to a remote server, manipulate contents of a web page etc. without your consent.
The most unfortunate thing is that the Chrome team has no intention to implement an approval process for the items available at Web Store. I raised this issue earlier, but then the Chrome team said, “We’ve purposely avoided having a pre-review process for the extensions gallery / Chrome Web Store.”.


Jailbroken idevices pwned by charging stations
http://www.scmagazine.com.au/News/267479,jailbroken-idevices-pwned-by-charging-stations.aspx
By Darren Pauli on Aug 19, 2011 4:04 PM
USB mode silently comes to life.
Data can be stolen from Windows, Android and Apple devices by unassuming power charging towers.
In an attack demonstrated at the Defcon hacking conference, mobile phone charging units were rigged to pull data from phones plugged into them.
They were laced with different power charging adaptors to make them more appealing.
Some stock phones were safe since they deactivated USB mode when they were powered off, but others were not so lucky.
Many jailbroken and modified devices activated USB functions when  they were plugged in, or simply rebooted.
That gave security researchers Brian Markus, Joseph Mlodzianowski and Robert Rowley the access they needed to pull data, though they instead served victims with a warning.
“If the phone died due to lack of power, in most cases the phone would boot up upon
plugging it in, then expose the data,” Marcus said.

Droid spyware answers phone calls
http://www.crn.com.au/News/267333,droid-spyware-answers-phone-calls.aspx
By Angela Moscaritolo on Aug 18, 2011 4:10 PM (9 hours ago)
"A malicious Android app that disguises itself as Google's new social networking platform, Google+, is capable of stealing data, and answering and recording incoming phone calls, researchers said this week.
The spyware app disguises itself as Google+ by installing itself with the name “Google ++,” Jamz Yaneza, threat research manager at Trend Micro.
The malware contained in the app shares the same code structure as previously discovered Android spyware that also can steal information and record phone calls made from infected devices."

Written on April 1, 2011 by Uri Rivner
"The first thing actors like those behind the APT do is seek publicly available information about specific employees – social media sites are always a favorite.  With that in hand they then send that user a Spear Phishing email. Often the email uses target-relevant content; for instance, if you’re in the finance department, it may talk about some advice on regulatory controls.
The attacker in this case sent two different phishing emails over a two-day period. The two emails were sent to two small groups of employees; you wouldn’t consider these users particularly high profile or high value targets. The email subject line read “2011 Recruitment Plan.”............


Keywords: 

No comments: