As if Bitcoin malware and Bitcoin mining malware weren’t enough to worry about, there was more trouble for the users of the digital crypto-currency last week as 96,000 Bitcoins disappeared from the Sheep Marketplace exchange.
Bitcoin’s value has surged in recent weeks, peaking at an astonishing $1,203 per coin last week before dropping back nearly $200 in value over the weekend. The Bitcoin exchange rate is climbing again and currently rests at $1,102 per coin, meaning that the value of the heist is currently $105,792,000.
To put that in a historical perspective – as far as popular heists go – the New York Times estimated in 2008 that cross-dressing thieves made off with roughly $105 million in the famous robbery of the Harry Winston jewelry store in Paris. According to a Wired article from 2009, Leonardo Notarbartolo made off with $100 million worth of loose diamonds, jewelry, and gold after robbing the Antwerp Diamond Center in Antwerp, Belgium in the early 2000s.
Certain reports without sources claim that the attackers managed to spoof user-interfaces so that member-accounts seemed to contain their correct balances. While it is not clear at the moment if this is true, user-interface spoofing is a common tactic among online bank account theft.
According to Tom Gorup, a security operation center (SOC) analyst at Rook Consulting, there are a number of factors that may have helped the attackers cover their tracks during and immediately following the attack.
For one, based on a description of the attack from the forum Bitcointalk.org, Gorup said it’s likely that the attackers hijacked the Sheep Marketplace’s domain name system (DNS) servers and routed incoming traffic through a set of servers under their control. Thus, the attackers could have displayed whichever content they liked to anyone attempting to access their account. Gorup said it’s probable that the thieves are operating a botnet, because as the robbery was ongoing, the service was experiencing a distributed denial of service attack. The DDoS attack would have the effect of knocking the Sheep Marketplace offline, making it impossible for the users to access and monitor their accounts.
Gorup told Threatpost that the most challenging aspect of the attack would have been finding an exploitable vulnerability in the vendor’s software. Once the attacker gained proper privileges via exploit, the process of actually stealing the Bitcoins, he said, is trivial.
Once an attacker has the money in hand, so to speak, another challenge presents itself: how do you use it without all your victims realizing? It would seem simple enough, given that Bitcoin is pseudo-anonymous, but, like all functional currencies, Bitcoin cannot be truly anonymous because there must be safeguards against double-spending.
This is where Bitcoin’s public ledger, the BlockChain, comes into play. Every public transaction is recorded on the BlockChain. Therefore, the instant someone tries to move a massive sum of money, like 96,000 Bitcoins, from one wallet to another, the BlockChain records that movement. Moreover, each Bitcoin is uniquely identifiable, creating another avenue for tracking the stolen digital crypto-currency.
It’s well known that Bitcoins are widely used to launder traditional currencies, but there are, of course, services for “cleaning” stolen Bitcoins as well. These services are called “tumblers.” Essentially, tumblers, like any money laundering service, take stolen Bitcoins or fractions of Bitcoins and re-distribute them as completely different fractions of completely different Bitcoins. Gorup notes that one downside to tumbler services, from a criminal’s standpoint, is that many tumblers replace stolen Bitcoins with other stolen Bitcoins.
Both Gorup and a Reddit-thread dedicated to tracking the thief or thieves responsible for the theft indicate that it is still possible – albeit difficult – to use the BlockChain to track money going through tumblers.
Gorup noted that the vast scope of this theft is going to make it considerably more difficult for the attackers to tumble their newly acquired Bitcoins. However, he believes their botnet – if they do indeed have one – could make the process slightly easier.
“It can be safe to say that the attacker could have created a number of wallets distributed throughout his/her botnet in preparation for this attack and automated the exchange to distribute throughout these wallets,” Gorup told Threatpost. “Then potentially, if they felt it wasn’t clean enough already, utilize multiple tumbler services to further clean these coins. It would be complicated, but with proper preparation, like any decent attacker should do, this is probably close to how it was done.”
Initially, a New Statesman report indicates that the Sheep Marketplace’s administrators believed that an error by a third party vendor had caused a much smaller sum of money to go missing. It quickly became apparent that the amount lost was far greater.
Gorup claims that the drop in Bitcoin value over the weekend is not related to the theft:
“I think the drop wasn’t due to theft as the Sheep Marketplace theft took place five days prior to Bitcoins reaching an all-time high. I think it was a natural drop after a huge peak, just as this happens from time to time in the stock exchange when everyone wants to capitalize on their investment. I wouldn’t be surprised to see one or two more surges like this before Bitcoin settles to a normal rate like any other traded material like gold or silver.”
Straight-up Bitcoin theft along with infections from Bitcoin mining malware and Bitcoin stealing malware are becoming daily occurrences. Recently published research suggested there are frailties within the underpinnings of the Bitcoin economy itself. Trouble isn’t likely to abate any time soon for digital crypto-currency, given that it is completely unregulated. That reality presents a number of very real problems, not the least of which is, how do you recover stolen coins? Users certainly won’t be repaid in civil or criminal suits. Not yet at least.
The skies may soon be full of drones–some run by law enforcement agencies, others run by intelligence agencies and still others delivering novels and cases of diapers from Amazon. But a new project by a well-known hacker Samy Kamkar may give control of those drones to anyone with $400 and an hour of free time.
Small drones, like the ones that Amazon is planning to use to deliver small packages in short timeframes in a few years, are quite inexpensive and easy to use. They can be controlled from an iPhone, tablet or Android device and can be modified fairly easily, as well. Kamkar, a veteran security researcher and hacker, has taken advantage of these properties and put together his own drone platform, called Skyjack. The drone has the ability to forcibly disconnect another drone from its controller and then force the target to accept commands from the Skyjack drone. All of this is done wirelessly and doesn’t require the use of any exploit or security vulnerability.
The drone platform that Kamkar built uses readily available components such as a Raspberry Pi and open-source software he developed. He said that, using the detailed instructions he’s published, anyone with a familiarity with Linux could build a Skyjack drone of his own in under an hour. With that and a controller, the builder is then ready to hijack his neighbor’s drone-delivered Christmas presents. The Parrot drones are available for less than $300 and the other components are relatively inexpensive, as well.
“My instructions are pretty detailed, I’ve made the code entirely free and open source, and fortunately all the technology is so low-cost and easy to acquire (< $400 for all of it, including your very own drone) that to put it all together from my instructions would take someone under an hour if they were familiar with Linux,” Kamkar said via email.
“I may also release an ISO that users can simply drop onto a Raspberry Pi without performing any configuration at all, and in that case it would potentially just take minutes without any setup required besides plugging components in!”
The method that Kamkar’s code uses to take over a target drone is deceptively simple. The Skyjack drone detects the wireless signal sent out by a target drone, injects WiFi packets into the target’s connection, de-authenticates it from its real controller and then authenticates it to the Skyjack drone. Kamkar then has the ability to send any commands he wants to the hijacked drone. This can all be done from the ground, as well, he said, using a normal Linux box and his code.
Kamkar uses Aircrack-ng, a wireless key cracking application, to find target drones and then the Skyjack software deactivates the clients and then connects to them. He finds the drones by looking for MAC addresses owned by Parrot, the company that makes the small drones he used for his project. The target range of the Skyjack drones is limited by the range of the WiFi card, but Kamkar said he uses a very powerful WiFi adapter called the Alfa AWUS036H, which produces 1000mW of power.
“The only security on the Parrot drones is that when the owner is connected to it, no one else is able to control it. This is why I need to use a wifi chipset that allows me to inject packets as I need to exploit wifi and deauthenticate the true owner who is controlling it,” Kamkar said.
“Once deauth’d, I can then take over control without ever actually exploiting the Parrot itself since it creates its own open, wireless network.”
Amazon’s Jeff Bezos said the company’s Prime Air drone delivery program is several years away yet, and it’s unclear which drone platform it will use if it’s ever deployed. Kamkar’s Skyjack code is available free on Github.
The soundest security advice managers of critical computing systems have been given is to air gap those machines. Don’t network them and don’t expose them to the Internet, and there’s no way hackers can reach them from the Web and no way a direct infection can replicate.
Recently, there’s been reason for pause in that thinking, starting with the speculation and skepticism over badBIOS, malware that allegedly can not only cross platforms, but can infect air-gapped machines using sound waves.
Now comes another attack using high-frequency sound waves to infect machines, bypassing the good old-fashioned ways of phishing emails and infected USB drives. Researchers at the Fraunhofer Institute for Communication, Information Processing and Ergonomics in Germany had a paper published last week in the scientific journal, Journal of Communications of San Jose, in which they describe how to use a communication system designed for underwater use to deliver or intercept short bits of code, such as passwords, over hops of air-gapped computers. The computers act as a mesh network where each node can send or receive code—in this case an audio emanation—and acts as a router sending data to the next hop in the chain before it’s received by the attacker.
Michael Hanspach, one of the researchers, along with colleague Michael Goetz, told Threatpost that there is no connection between their paper “On Covert Acoustical Mesh Networks in Air” and badBIOS. Hanspach said their attack is practical today because the utilized techniques are well documented.
“If we were able to come up with this research with very few people, time and budget (and with good intentions), so would be larger groups (maybe with a different intention),” Hanspach said via email. “Therefore, anyone working in a security critical context should be thinking about protection measures.”
The two scientists built their system on the Generic Underwater Application Language (GUWAL), an underwater communication protocol designed for low-bandwidth networks, and used it to exchange data between unconnected systems using only the built-in microphones and speakers that accompany today’s computers. They used a Lenovo T400 laptop running the Debian operating system. Devices such as microphones and speakers are not generally considered when network and security policies are developed, the scientists said, making them the perfect pawns for this kind of covert communication.
“The concept of a covert acoustical mesh network renders many conventional security concepts useless, as acoustical communications are usually not considered,” the scientists wrote in their paper.
The scientists were able to use ultrasonic frequencies, inaudible to humans, to transmit data almost 65 feet between laptops at a slow rate of 20 bits per second with a latency of 6 seconds per hop. Adding hops overcomes the distance problem but, in this particular scenario, limits the sophistication of the code that can be sent.
“Of course, you could only transfer small-sized information over this network,” Hanspach told Threatpost. “But, the limit of 20 bit/s is just what we could reasonably achieve in the presented setup and is not necessarily a general limit.”
The research paper presents several scenarios in which such an attack would work. Starting with a computer compromised with a keylogger called logkeys, for example, keystrokes are written to a named pipe that is read by the acoustic transmitter, the paper said, which sends the data through the covert network until it reaches the attacker. Hanspach said the keylogger has been successfully tested in this setup.
Hanspach and Goetz also said that this type of covert network could be used to break two-factor authentication by listening for and transmitting the authentication feedback of a hardware dongle or smartcard. They also speculate it could be used to send data such as private encryption keys or text files of stolen data.
As for countermeasures, it may not always be possible to turn off audio devices because they would be needed for VoIP or video conferencing, so the scientists recommend the use of audio-filtering guards or a host-based audio intrusion detection guard, both of which analyze audio input and output looking for anomalous signals or hidden messages.
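The host-based audio guard the researchers recommend can be sketched as a frame-by-frame check for unexpected energy in the near-ultrasonic band; this is an added illustration, not the Fraunhofer authors’ code. The 48 kHz capture rate, the 18–22 kHz watch band, the thresholds and the synthesized test frames are all assumptions made here; the carrier frequency and data rate of the real system are not reproduced.

```python
import math
import random
from typing import List, Sequence, Tuple

SAMPLE_RATE = 48_000        # Hz; assumed capture rate (Nyquist 24 kHz covers the band)
FRAME = 4_800               # 100 ms frames, so each Goertzel bin is 10 Hz wide
ULTRA_BAND = (18_000.0, 22_000.0)   # assumed watch band: above most hearing, below Nyquist
SPEECH_BAND = (250.0, 4_000.0)      # reference band where VoIP/conferencing audio lives
BIN_STEP = 250.0
ABS_FLOOR = 1e-4            # assumed: minimum band power worth alerting on
REL_RATIO = 0.02            # assumed: alert when ultrasonic power > 2% of speech power


def goertzel_power(samples: Sequence[float], freq: float, rate: int = SAMPLE_RATE) -> float:
    """Power of `samples` at one frequency via the Goertzel recursion, scaled by 1/N^2.

    For a sinusoid of amplitude A centred on the bin this returns A^2/4.
    """
    n = len(samples)
    if not 0 < freq < rate / 2:
        raise ValueError("frequency must lie below Nyquist")
    k = int(0.5 + n * freq / rate)          # nearest DFT bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    power = s_prev2 * s_prev2 + s_prev * s_prev - coeff * s_prev * s_prev2
    return power / (n * n)


def band_power(samples: Sequence[float], band: Tuple[float, float],
               rate: int = SAMPLE_RATE) -> float:
    """Sum of Goertzel power over bins spaced BIN_STEP apart across `band`."""
    lo, hi = band
    total, f = 0.0, lo
    while f <= hi:
        total += goertzel_power(samples, f, rate)
        f += BIN_STEP
    return total


def is_covert_audio(samples: Sequence[float], rate: int = SAMPLE_RATE) -> bool:
    """Flag a frame whose near-ultrasonic energy is both non-trivial and large
    relative to its speech-band energy; silence and ordinary speech pass."""
    ultra = band_power(samples, ULTRA_BAND, rate)
    speech = band_power(samples, SPEECH_BAND, rate)
    return ultra > ABS_FLOOR and ultra > REL_RATIO * speech


def make_frame(tones: List[Tuple[float, float]], noise: float = 0.0,
               n: int = FRAME, rate: int = SAMPLE_RATE, seed: int = 1) -> List[float]:
    """Synthesise a test frame (constructed, not a recording): a sum of (freq, amp)
    sinusoids plus uniform noise of amplitude `noise`."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        t = i / rate
        v = sum(a * math.sin(2.0 * math.pi * f * t) for f, a in tones)
        out.append(v + rng.uniform(-noise, noise))
    return out


def classify_frames() -> List[bool]:
    """Three constructed frames: ordinary speech-band audio, the same audio with a
    19 kHz carrier riding on it, and near-silence. Only the second should alert."""
    speech = make_frame([(1_000.0, 0.5)], noise=0.01)
    covert = make_frame([(1_000.0, 0.5), (19_000.0, 0.1)], noise=0.01)
    quiet = make_frame([], noise=0.01)
    return [is_covert_audio(speech), is_covert_audio(covert), is_covert_audio(quiet)]


if __name__ == "__main__":
    for name, flagged in zip(("speech", "speech+carrier", "quiet"), classify_frames()):
        print(f"{name}: {'ALERT' if flagged else 'ok'}")
```

A real guard would run this on both the microphone input and the speaker output, as the paper suggests, and would need the thresholds tuned against the machine’s normal acoustic environment.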
While the possibilities presented in this paper and by badBIOS might seem outlandish, they are new areas of research that defenders have not considered in policies or preventative technology.
“We have shown that the establishment of covert acoustical mesh networks in air is feasible in setups with commonly available business laptops,” the paper said. “Acoustical networking as a covert communication technology is a considerable threat to computer security and might even break the security goals of high assurance computing systems based on formally verified micro kernels that did not consider acoustical networking in their security concept.”
The researchers who discovered a serious vulnerability in Android 4.3 Jelly Bean that enables a malicious app to disable the security locks on a vulnerable device have published a proof-of-concept app that exploits the bug, as well as source code for the app.
The vulnerability in question lies in the way that Jelly Bean handles the flow of requests when a user attempts to change one of the many security locks in the operating system. If a user goes in to change, for example, the gesture lock, Android will ask the user to confirm her PIN code or another security mechanism. The vulnerability enables a malicious app to disable this check and all of the security locks in the OS. Researchers at Curesec in Germany discovered the bug in October and reported it to Google, which included a fix in Android 4.4 Kit Kat.
However, Android 4.3 Jelly Bean is by far the most widely deployed version of the mobile OS and it has become obvious in the last couple of years that few carriers bother to push security updates to their users, preferring to have them buy new handsets with newer software instead. This means that there are millions of Android devices potentially vulnerable to this attack. The researchers at Curesec on Tuesday published an app that demonstrates the attack and also released the source code for the app, giving other researchers the ability to reproduce the exploit.
Marco Lux, a researcher at Curesec, said that he doesn’t know of any workarounds for the vulnerability, and there’s no patch available for Jelly Bean at this point.
“I am not aware of any workaround. By my current knowledge it can be only done by a malicious app,” Lux said via email.
Unlike Apple, which pushes updates directly to users via the software update mechanism in iOS, Android updates are the responsibility of the various carriers who sell Android devices. The ACLU has asked the Federal Trade Commission to investigate the carriers’ failure to send security updates to users and security and privacy researchers have been critical of the carriers for this oversight, as well.
In order to exploit the vulnerability discovered by Curesec, an attacker would need to entice a target user to download a malicious app to her device, something that has proven to be rather easy to do in recent years. Malicious apps, as well as legitimate ones laden with hidden malware, have shown up regularly in Google Play and third-party app stores.
The United Nations has joined the growing chorus of people, organizations and activists denouncing government mass surveillance of citizens without cause and says that such programs are a violation of basic human rights.
The Social, Humanitarian, and Cultural – Third Committee of the United Nations General Assembly has adopted a draft resolution affirming that arbitrary surveillance and collection of personal information violate the universal human right to privacy and expression.
While the UN document does not call out any specific nations by name, it seems clear that the resolution is a direct response to the United States’ and United Kingdom’s increasingly public spying operations.
The resolution is derived from and implements the recommendations of a separate report by Frank LaRue, UN Special Rapporteur on Free Expression, made public earlier this year. LaRue’s report stated the following:
“Undue interference with individuals’ privacy can both directly and indirectly limit the free development and exchange of ideas…. An infringement upon one right can be both the cause and consequence of an infringement upon the other.”
The purpose of the resolution is essentially to reaffirm the human right to privacy despite the fact that emerging technologies make pervasive and boundless spying easier to undertake than ever before.
It also stresses “the importance of the full respect for the freedom to seek, receive and impart information, including the fundamental importance of access to information and democratic participation” while noting that the need to ensure national security is not justification for nations to scoff at international human rights laws.
Jillian York and Katitza Rodriguez, the directors for international freedom of expression and international rights, respectively, at the Electronic Frontier Foundation boiled the resolution down to the five following points:
- To respect and protect the right to privacy, including in the context of digital communication.
- To take measures to put an end to violations of those rights and to create the conditions to prevent such violations.
- To review their procedures, practices and legislation regarding the surveillance of communications, their interception and collection of personal data, including mass surveillance, interception and collection … by ensuring the full and effective implementation of all their obligations under international human rights law.
- To establish independent national oversight mechanisms capable of maintaining transparency and accountability for state surveillance of communications.
- Requests the United Nations High Commissioner for Human Rights to submit a report to the General Assembly on the protection of the right to privacy, including in the context of domestic and extraterritorial surveillance and/or interception of digital communications and collection of personal data, including on a mass scale.
“While we see this as a small victory for privacy, we must note that the resolution was weakened by the United States and its allies who stripped out a sentence that explicitly defined mass surveillance as a violation of human rights,” wrote York and Rodriguez. “The US also tried (and failed) to remove any suggestion that privacy protestations apply extraterritorially. The final text of the draft resolution noted that states have only ‘deep concerns’ with the ‘negative impacts’ of surveillance and collection of personal data, at home and abroad, when carried out on a mass scale.”
The digital advocacy group went on to call the draft important for restating the already accepted international legal precedent that any state conducting surveillance outside its own borders remains bound to upholding the right to privacy for everyone.
Google is reportedly looking into a problem with the latest versions of Nexus smartphones that could force the devices to restart, lock or fail to connect to the Internet.
All Galaxy Nexus, Nexus 4 and Nexus 5 devices that run Android 4.0 contain a flaw that can render the phones vulnerable to a denial-of-service attack when a large number of Flash SMS messages are sent to them.
According to a description on the programming site Stack Overflow, Flash SMS messages, also known as Class 0 SMS, are messages that show up – or flash – on screens immediately and dim the screen around the text. The messages are part of the GSM messaging infrastructure and are often used for sending emergency messages. Since the messages are not saved in phones’ inboxes by default and simply appear, users can elect to read or dismiss them. If messages arrive on top of one another, however, they can stack up quickly.
If a phone receives a certain number of these messages, around 30 in this case, the phone will restart itself. In some cases if a PIN is required to unlock the SIM card, the device will not connect to the Internet after the reboot. On “rare occasions” the phone can also lose connection to the mobile network and the messaging app can crash.
Bogdan Alecu, a Romanian independent security researcher who also works as a system administrator at the Dutch IT firm Levi9, discovered the issue and discussed it in a panel (.PDF) on Friday at DefCamp, a security conference in Bucharest, Romania.
Alecu told PC World last week that while he found the problem more than a year ago (the video above was first published five months ago) and has tested it on a handful of Nexus phones since then, Google has largely ignored his research. A fix in Android 4.3 was promised to Alecu by a member of Google’s Security Team in July but never surfaced when 4.3 (Jellybean) was released later that month.
Now Google claims it’s looking into the vulnerability.
“We thank him [Alecu] for bringing the possible issue to our attention and we are investigating,” a Google representative told PC Magazine via email.
In the meantime Alecu has developed and published a proof of concept firewall application for Android that should prevent most Nexus devices from being exploited by the Flash SMS attack vector.
Class0Firewall, posted today on Google’s Play marketplace, lets Nexus users determine how many Flash SMS messages they can receive from a certain number before blocking them entirely. The app can also be set to block Flash SMS messages for a set amount of time.
Alecu warns that while his app isn’t foolproof, he hopes to release an update for it soon that addresses a few remaining issues.
For example Alecu aims to include a fix in a future version that will let users know if a Flash SMS attacker is spoofing their own number, thus preventing messages from being blocked. Alecu also hopes to find a workaround for an SMS API change in Android 4.4 (KitKat) that still puts Nexus users running that build of Android in danger.
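The filtering policy the article attributes to Class0Firewall (a per-sender threshold plus a timed block) can be modelled as a sliding-window rate limiter; the code below is an added example written for this page, not Alecu’s app. The thresholds, the window lengths and the sender numbers are assumptions, and the global cap goes beyond the text as one way to cope with the spoofed-sender limitation the article mentions.

```python
from collections import deque
from typing import Deque, Dict, List, Tuple


class Class0Filter:
    """Rate limiter for Class 0 (Flash) SMS, modelled on the page's description
    of Class0Firewall: a per-sender threshold plus a timed block.

    Assumed policy (the real app's numbers are not on the page):
      * at most `per_sender` flash messages from one number inside `window`
        seconds; the next one from that number is dropped and the number is
        blocked for `block_for` seconds;
      * at most `total` flash messages overall inside `window`, whatever the
        sender, because the sender number can be spoofed (the limitation the
        page notes) and the page reports a reboot after roughly 30 messages.
    """

    def __init__(self, per_sender: int = 5, total: int = 20,
                 window: float = 60.0, block_for: float = 300.0) -> None:
        self.per_sender = per_sender
        self.total = total
        self.window = window
        self.block_for = block_for
        self._per_sender: Dict[str, Deque[float]] = {}
        self._all: Deque[float] = deque()
        self._blocked_until: Dict[str, float] = {}

    def _prune(self, q: Deque[float], now: float) -> None:
        # Drop timestamps that have fallen out of the sliding window.
        while q and now - q[0] > self.window:
            q.popleft()

    def accept(self, sender: str, now: float, is_class0: bool = True) -> bool:
        """Return True if the message may be shown, False if it is dropped."""
        if not is_class0:
            return True  # ordinary SMS are never touched by this filter
        if self._blocked_until.get(sender, 0.0) > now:
            return False
        self._prune(self._all, now)
        if len(self._all) >= self.total:
            return False
        q = self._per_sender.setdefault(sender, deque())
        self._prune(q, now)
        if len(q) >= self.per_sender:
            self._blocked_until[sender] = now + self.block_for
            return False
        q.append(now)
        self._all.append(now)
        return True


def replay(f: Class0Filter, events: List[Tuple[float, str]]) -> List[bool]:
    """Feed (time, sender) flash-message events through the filter in order."""
    return [f.accept(sender, t) for t, sender in events]


def flood_from_one_number(n: int = 40) -> Tuple[int, int]:
    """A single (made-up) number sends `n` flash messages one second apart;
    returns (shown, dropped)."""
    shown = replay(Class0Filter(), [(float(t), "+15550100") for t in range(n)])
    return shown.count(True), shown.count(False)


def flood_with_spoofed_numbers(n: int = 40) -> Tuple[int, int]:
    """Each message spoofs a fresh sender, so only the global cap can stop it."""
    events = [(float(t), f"+1555010{t:04d}") for t in range(n)]
    shown = replay(Class0Filter(), events)
    return shown.count(True), shown.count(False)


if __name__ == "__main__":
    print("one sender, 40 messages (shown, dropped):", flood_from_one_number())
    print("40 spoofed senders (shown, dropped):", flood_with_spoofed_numbers())
```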
D-Link has patched a backdoor present in a number of its routers that was publicized almost two months ago and could allow an attacker to remotely access the administrative panel on the hardware, run code and make any number of changes.
The Thanksgiving patch parade addressed the issue in a number of affected routers, most of them older versions that are still in circulation and largely untouched by consumers in particular.
Customer premise equipment such as wireless routers, modems and other set-top devices pose a real security issue because patches require firmware updates that are often ignored. There’s plenty of research too that examines the risks posed not only by buggy routers, but by other home and small business networking equipment.
Using available tools and online search engines such as Shodan, attackers can easily find Internet-facing equipment that’s vulnerable, and target those boxes with any number of exploits or scripts focusing on weak or default credentials, giving someone remote access to the gear.
The D-Link issue is much more serious given the access it could afford a remote attacker. Researcher Craig Heffner reported finding the vulnerability in October; he said that an attacker using a certain string “xmlset_roodkcableoj28840ybtide” could access the Web interface of a number of different D-Link routers without credentials.
D-Link routers DIR-100, DIR-120, DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+ and TM-G5240, along with Planex routers BRL-04R, BRL-04UR and BRL-04CW also use the same firmware, Heffner said. The firmware revisions issued last Thursday are for DI-524, DI-524UP, DIR 100 and DIR-120 routers, D-Link said in its advisory.
“Various D-Link routers allow administrative web actions if the HTTP request contains a specific User-Agent string,” the company’s original advisory said. “This backdoor allows an attacker to bypass password authentication and access the router’s administrative web interface.”
Backdoors in hardware such as networking gear are generally for remote administration purposes. Researcher Travis Goodspeed told Heffner that this backdoor is used by a particular binary in the firmware, which sends this particular string so that it can reconfigure the device’s settings automatically.
“My guess is that the developers realized that some programs/services needed to be able to change the device’s settings automatically; realizing that the web server already had all the code to change these settings, they decided to just send requests to the web server whenever they needed to change something,” Heffner wrote. “The only problem was that the web server required a username and password, which the end user could change.”
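Because the backdoor is keyed on a single fixed header value, requests that use it are easy to spot in HTTP logs from a proxy, IDS sensor or packet capture in front of the router (the router’s own web server does not write such logs). The script below is an added example for this page, not D-Link’s or Heffner’s code; the log lines, client addresses and paths are constructed.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# The User-Agent value Heffner reported as unlocking the administrative web
# interface on the affected firmware (quoted on the page). Read backwards it
# spells "editby04882joelbackdoor", which is why it was recognised as deliberate.
BACKDOOR_USER_AGENT = "xmlset_roodkcableoj28840ybtide"

# Apache/nginx "combined" log format; the User-Agent is the final quoted field.
_COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = _COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def is_backdoor_user_agent(ua: str) -> bool:
    """True when the header carries the backdoor token anywhere in it.

    The firmware compares the whole header, but an alert should also fire on
    padded or mixed-case variants, so this is a case-insensitive substring test.
    """
    return BACKDOOR_USER_AGENT in ua.lower()


def find_backdoor_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """All parsed requests whose User-Agent carries the backdoor token."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec and is_backdoor_user_agent(rec["ua"]):
            hits.append(rec)
    return hits


def offenders(lines: Iterable[str]) -> Dict[str, int]:
    """Count of backdoor requests per client address, for an alert summary."""
    return dict(Counter(rec["client"] for rec in find_backdoor_requests(lines)))


# Constructed sample log (not real traffic, paths made up): ordinary browsing
# from one host, two requests carrying the backdoor token from another, and a
# failed login from a third.
SAMPLE_LOG = """\
192.0.2.10 - - [28/Nov/2013:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1)"
192.0.2.10 - - [28/Nov/2013:10:01:03 +0000] "GET /logo.gif HTTP/1.1" 200 1024 "http://192.0.2.1/index.html" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.7 - - [28/Nov/2013:10:02:15 +0000] "GET /admin.htm HTTP/1.1" 200 2048 "-" "xmlset_roodkcableoj28840ybtide"
198.51.100.7 - - [28/Nov/2013:10:02:16 +0000] "POST /apply.cgi HTTP/1.1" 200 128 "-" "XMLSET_roodkcableoj28840ybtide (probe)"
203.0.113.5 - - [28/Nov/2013:10:03:00 +0000] "GET /login.html HTTP/1.1" 401 300 "-" "curl/7.30.0"
"""

if __name__ == "__main__":
    for client, n in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT backdoor User-Agent from {client}: {n} request(s)")
```

Any hit is worth acting on regardless of the response status, since the point of the string is to make the administrative interface answer without credentials; the fix itself is the firmware update.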
After opening a malicious attachment in a phishing email, an employee at University of Washington Medicine in Seattle may have exposed the personal information of more than 90,000 Harborview Medical Center and University of Washington Medical Center patients.
The breach took place in October. According to a press release on the UW Medicine website, upon opening the malware-laden attachment, the unnamed piece of malicious software then “took control of the computer.” The infected computer contained patient data and the malware went unnoticed for one day before staff members “took measures to prevent any further malicious activity.”
UW Medicine says that it conducted an internal investigation and does not believe that patient data was sought or targeted in the attack. Despite this belief, the malware is said to have accessed the personal information of more than 90,000 current and former patients. The potentially exposed data include names, medical record numbers, “other demographics (which may include address, phone number),” dates of service, charge amounts for services received, dates of birth, and Social Security Numbers or Health Insurance Claim (Medicare) numbers.
The press release also announces that UW Medicine has implemented a review and is conducting employee training and other outreach efforts in response to the incident.
UW Medicine apologized for the breach, saying it will attempt to contact each individual affected via email. As is the industry standard, the company has also hired a firm specializing in data breach prevention and response to manage a call center on behalf of UW Medicine.
Threatpost attempted to contact UW Medicine for comment and clarification, but the company’s spokesperson was not available at the time of publication.
If your organization needed more incentive to move off Windows XP, a new zero-day vulnerability made public recently may be it.
The bug, which is being exploited in the wild, allows local privilege escalation and kernel access. But in the bigger picture, it’s another indicator that attackers might be readying a cache of attacks for the impending April 8, 2014 end-of-support deadline for the aged operating system.
Microsoft began an overt campaign with the release of its latest Security Intelligence Report explaining the dangers of keeping endpoints and servers on the OS, which is now a dozen years old.
“From a security perspective, this is a really important milestone,” Microsoft spokesperson Holly Stewart said. “Attackers will start to have a greater advantage over defenders. There were 30 security bulletins for XP this year, which means there would have been 30 zero-day vulnerabilities on XP [without support].”
In the October SIR, Microsoft said computers running XP Service Pack 3 are six times more vulnerable to malware infection than a computer running Windows 8; Microsoft said data from its Malicious Software Removal Tool indicates that MSRT disinfects 9.1 XP computers for every 1.6 Windows 8 machines.
“The real story is that this zero day is just the tip of the iceberg. Malware authors today are sitting on their XP zero day vulnerabilities and attacks, because they know that after the last set of hotfixes for XP is released in April 2014 that their exploits will work forever against hundreds of thousands (millions?) of XP workstations,” wrote Rob VandenBrink on the SANS Internet Storm Center website. “If you are still running Windows XP, there is no project on your list that is more important than migrating to Windows 7 or 8. The ‘never do what you can put off until tomorrow’ project management approach on this is on a ticking clock, if you leave it until April comes you’ll be migrating during active hostilities.”
Microsoft released an advisory late Wednesday on the latest zero-day after an earlier report from security company FireEye identified the vulnerability. FireEye researchers said they found an exploit in the wild being used alongside a PDF-based exploit against a patched Adobe Reader vulnerability. Reader versions 9.5.4, 10.1.6, 11.0.02 and earlier on XP SP3 are affected; later versions are not, FireEye said, adding that this exploit gives a local user the ability to execute code in the kernel, such as installing new software, manipulating data, or creating new accounts. The exploit cannot be used remotely.
Microsoft said it is working on a patch and urged XP users to delete NDProxy.sys and reroute to null.sys in the system registry. NDProxy.sys is a driver that aids in the management of Microsoft Telephony API (TAPI). The mitigation will of course impact TAPI operations.
“For environments with non-default, limited user privileges, Microsoft has verified that the following workaround effectively blocks the attacks that have been observed in the wild,” said Dustin Childs, group manager in Microsoft’s Trustworthy Computing group.
There is a vulnerability in Android 4.3 Jelly Bean that enables a malicious app to disable all of the security locks on a given device, leaving it open to further attacks. Jelly Bean is the most widely deployed version of Android right now.
The vulnerability in Android exists in the way that the operating system handles the flow of events when a user wants to change one of the security locks on a device. There are several different kinds of security locks on Android devices, including PIN codes, facial recognition and gesture locks. When a user wants to change one of these locks, he is asked to enter one of the other ones in order to confirm his control of the device. The vulnerability in Jelly Bean, discovered by researchers at Curesec in Germany, allows a malicious app to skip this step and disable the other security locks.
“The bug exists on the ‘com.android.settings.ChooseLockGeneric class’. This class is used to allow the user to modify the type of lock mechanism the device should have. Android implements several locks, like pin, password, gesture and even face recognition to lock and unlock a device. Before a user can change these settings, the device asks the user for confirmation of the previous lock (e.x. If a user wants to change the pin or remove it it has to first enter the previous pin),” the advisory from Curesec says.
If a malicious app is installed on a vulnerable device, it could control the code flow that determines whether Android enables the mechanism that requires a security code in order to change one of the other security locks. A Google representative said the problem was fixed in Android Kit Kat 4.4.
“We can control the flow to reach the updatePreferencesOrFinish() method and see that IF we provide a Password Type the flow continues to updateUnlockMethodAndFinish(). Above we can see that IF the password is of type PASSWORD_QUALITY_UNSPECIFIED the code that gets executed and effectively unblocks the device. As a result any [rogue] app can at any time remove all existing locks,” the advisory says.
The researchers at Curesec said that they reported the vulnerability to the Android security team at Google on Oct. 11, received a reply the next day and then didn’t get any further feedback from Google after that. The advisory includes a short bit of proof-of-concept code which the researchers say could be used by an installed malicious app. In the comments of their blog post on the bug, the researchers explained that the permissions model in Android can be bypassed with this bug.
“The commandline shown is just a simple PoC so the problem is understood by anyone without needing to write his own application to test it. For executing actions in Android your application needs the exact permission to do this.
For instance, if an app wants to read SMS or use the Internet, there is a permission for that. However, due to the bug you do not need any permission to remove all device locks,” the researchers said.
If CryptoLocker is teaching enterprise IT and security people anything, it’s that backup is king.
The ransomware is unforgiving; it will find and encrypt documents on local and shared drives and it will not give them back. Experts don’t advise victims to pay the ransom, which means infected computers must be wiped, and lost files must be recovered from backup.
However, one Boston-area forensics specialist and malware analyst working for a large enterprise may have found a way to identify which files CryptoLocker encrypted, which could mean the difference between restoring terabytes of backup data and restoring a few gigabytes.
The infection at this particular enterprise happened in October. A user fell victim to a phishing email and followed a link to a site where CryptoLocker awaited. The malware was detected within a couple of hours by the firm’s antivirus, but not before it had encrypted thousands of files on the local drive and drives mapped to the user’s laptop, and presented the user with the now-familiar bitmap image explaining the attacker’s demand for ransom.
The laptop was pulled from the network, wiped and analyzed. That’s when the analyst, who goes by the Twitter handle @Bug_Bear and asked not to be otherwise identified, noticed that the NTFS Master File Table creation and file modified dates on the encrypted files were unchanged. He then compared those results to the Master File Table from the Windows file server as well, using a pair of tools, analyzeMFT and MFTParser, to go through close to 10GB of Master File Table data.
“Identifying some known encrypted files by the $FN file name, I noted the only date in the MFT record that coincided with the infection was the MFT Entry Date or date the MFT record itself was modified,” he wrote on his Security Braindump blog. “Using this, I filtered out all records that had $SI or $FN time stamps that preceded this.”
Through this method, he was able to identify more than 4,000 files that had been encrypted by CryptoLocker and recover those files from backup.
He told Threatpost that he believes the malware uses a technique called File System Tunneling to avoid detection, and that’s what led him to find the encrypted files.
“In NTFS, if you delete a file and then recreate it with the same name in the same folder within 15 seconds, it takes on the attributes of the original files; all the file dates would match up,” he said. “I think that’s what we’re seeing. The only date that won’t change is the NTFS Master File Table date which is the date it was created in the database for NTFS itself. That will change and that’s what I’m seeing and that’s what I used to find these files.”
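The filter Bug_Bear describes can be reduced to one rule per MFT record: the MFT entry-modified time falls inside the infection window, while every $SI and $FN timestamp predates it (because NTFS tunneling carried the original dates over to the rewritten file). The following Ruby script is an added example, not the analyst's own tooling and not analyzeMFT or MFTParser output; it runs the rule over a constructed CSV export whose column names are an assumption, not either tool's real headers. The infection window is taken from the antivirus detection time, and genuinely new files created during the window (such as a ransom note) are excluded because their $SI/$FN dates fall inside it rather than before it.

```ruby
require 'csv'
require 'time'

# Constructed sample MFT export (column names are assumed, not a real tool's headers).
# $SI = $STANDARD_INFORMATION dates, $FN = $FILE_NAME dates, mft_entry_modified =
# the time the MFT record itself was last written.
SAMPLE_MFT_CSV = <<~MFT
  record,filename,si_created,si_modified,fn_created,fn_modified,mft_entry_modified
  41,Q3-budget.xlsx,2013-03-12T09:14:00Z,2013-09-30T16:02:00Z,2013-03-12T09:14:00Z,2013-03-12T09:14:00Z,2013-10-15T14:07:12Z
  42,proposal.docx,2012-11-02T08:00:00Z,2013-08-21T11:30:00Z,2012-11-02T08:00:00Z,2012-11-02T08:00:00Z,2013-10-15T14:07:13Z
  43,notes.txt,2013-10-15T14:09:00Z,2013-10-15T14:09:00Z,2013-10-15T14:09:00Z,2013-10-15T14:09:00Z,2013-10-15T14:09:00Z
  44,photo.jpg,2011-05-05T10:00:00Z,2011-05-05T10:00:00Z,2011-05-05T10:00:00Z,2011-05-05T10:00:00Z,2011-05-05T10:00:00Z
  45,old-report.pdf,2010-01-01T00:00:00Z,2010-01-01T00:00:00Z,2010-01-01T00:00:00Z,2010-01-01T00:00:00Z,2013-10-15T17:00:00Z
MFT

# The four file-date columns that tunneling preserves when a file is recreated.
FILE_DATE_COLUMNS = %w[si_created si_modified fn_created fn_modified].freeze

# Parse the CSV into hashes with Time objects for every timestamp column.
def parse_records(csv_text)
  CSV.parse(csv_text, headers: true).map do |row|
    rec = { 'record' => row['record'].to_i, 'filename' => row['filename'] }
    (FILE_DATE_COLUMNS + ['mft_entry_modified']).each { |col| rec[col] = Time.iso8601(row[col]) }
    rec
  end
end

# Keep records whose MFT entry-modified time lies inside the infection window
# while all $SI/$FN dates predate the window: content was replaced, dates were not.
def suspect_encrypted_files(csv_text, window_start, window_end)
  parse_records(csv_text).each_with_object([]) do |rec, hits|
    entry = rec['mft_entry_modified']
    next unless entry.between?(window_start, window_end)
    next unless FILE_DATE_COLUMNS.all? { |col| rec[col] < window_start }
    hits << rec['filename']
  end
end

# Stand-alone run against the constructed sample; the window comes from the AV alert.
if __FILE__ == $PROGRAM_NAME
  window = [Time.iso8601('2013-10-15T14:00:00Z'), Time.iso8601('2013-10-15T15:00:00Z')]
  suspect_encrypted_files(SAMPLE_MFT_CSV, *window).each { |name| puts "restore from backup: #{name}" }
end
```

On the sample, records 41 and 42 match (old file dates, record rewritten during the window), 43 is a file genuinely created during the window, 44 was never touched, and 45 was rewritten after the window closed. Widening the window to cover the whole time the laptop stayed on the network is the conservative choice, at the cost of a few more restores.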
CryptoLocker, unlike other ransomware, encrypts files and then demands a ransom for the decryption key. It is spreading primarily through phishing campaigns heralding phony Federal Express or UPS tracking notifications. Victims are told they must make payments via MoneyPak or Bitcoin before a 72-hour payment deadline expires and the files are lost forever.
Bug_Bear called the attack straightforward, efficient and effective. He also said backup is a company’s best defense, along with a solid incident response plan.
“The only way I know of to find these files is what I used,” he said. “I’m thankful for other people out there writing these tools because if I didn’t have these tools, [parsing] 10GB of hexadecimal would be quite the chore.”
The European Commission is urging the United States government to make some changes to the way it handles surveillance to help restore the trust in the relationship between the EU and the U.S. The commission is asking for the U.S. to promote privacy rights internationally, adopt the EU’s data protection reforms and respond to the commission’s problems with the U.S.’s surveillance reform process.
Since the public exposures of the NSA’s widespread surveillance programs and collection methods began in June, there have been a number of pronouncements from politicians in various European countries about the privacy and economic effects the programs might have. The volume has increased in recent months after news broke that the agency, and others it is allied with, may have been conducting surveillance on European leaders’ mobile phones. But this represents one of the first public statements from a European government body on the subject.
“Large-scale US intelligence collection programmes, such as PRISM affect the fundamental rights of Europeans and, specifically, their right to privacy and to the protection of personal data. These programmes also point to a connection between Government surveillance and the processing of data by private companies, notably by US internet companies. As a result, they may therefore have an economic impact. If citizens are concerned about the large-scale processing of their personal data by private companies or by the surveillance of their data by intelligence agencies when using Internet services, this may affect their trust in the digital economy, with potential negative consequences on growth. These developments expose EU-US data flows to new challenges,” the communication from the EC says.
The communication is the result of a joint working group of U.S. and EU members that looked at ways the two parties could restore trust in the flow of data that is vital to the economic health of both the EU and America. The group found that there are a number of things that should be done to fix the problem:
- A swift adoption of the EU’s data protection reform
- Making Safe Harbour safe
- Strengthening data protection safeguards in the law enforcement area
- Using the existing Mutual Legal Assistance and Sectoral agreements to obtain data
- Addressing European concerns in the on-going U.S. reform process
- Promoting privacy standards internationally
The working group noted that one of the main issues is that there are different standards and protections applied to U.S. citizens and Europeans, which leads to problems for EU citizens.
“There is a lower level of safeguards which apply to EU citizens, as well as a lower threshold for the collection of their personal data. In addition, whereas there are procedures regarding the targeting and minimisation of data collection for U.S. citizens, these procedures do not apply to EU citizens, even when they have no connection with terrorism, crime or any other unlawful or dangerous activity. While U.S. citizens benefit from constitutional protections (respectively, First and Fourth Amendments) these do not apply to EU citizens not residing in the U.S.,” the working group’s statement says.
The statements from the EC come a day after the EFF and other digital and human rights groups formed a new coalition to urge politicians to reform the mass surveillance programs run by the NSA. And while much has been made of the privacy and civil rights effects of the surveillance, it’s just recently that more of the attention has been focused on the economic effects of what’s been going on.
“Massive spying on our citizens, companies and leaders is unacceptable. Citizens on both sides of the Atlantic need to be reassured that their data is protected and companies need to know existing agreements are respected and enforced. Today, the European Commission is setting out actions that would help to restore trust and strengthen data protection in transatlantic relations,” said Vice-President Viviane Reding, the EU’s Justice Commissioner. “There is now a window of opportunity to rebuild trust which we expect our American partners to use, notably by working with determination towards a swift conclusion of the negotiations on an EU-U.S. data protection ‘umbrella’ agreement. Such an agreement has to give European citizens concrete and enforceable rights, notably the right to judicial redress in the U.S. whenever their personal data are being processed in the U.S.”
Image from Flickr photos of Thomas Quine.
A large group of privacy and digital rights organizations has put together a new effort to urge politicians to curtail the mass surveillance operations that have been exposed in the last few months. The new coalition has developed a set of 13 principles for governments to follow in their intelligence gathering efforts and started a petition that it plans to deliver to the United Nations and governments around the world.
Known as Necessary and Proportionate, the anti-surveillance group includes the EFF, Privacy International, Access, the Chaos Computer Club and many others. The petition that the group has started has been signed by a slew of other organizations and privacy and security experts from around the world, including the Citizen Lab, Digital Courage, the Internet Governance Project, Bruce Schneier, Morgan Marquis-Boire and Jennifer Granick.
“Surveillance can and does threaten human rights, ” EFF International Rights Director Katitza Rodriguez said in a statement. “Even laws intended to protect national security or combat crime will inevitably lead to abuse if left unchecked and kept secret. The Necessary and Proportionate Principles set the groundwork for applying human rights values to digital surveillance techniques through transparency, rigorous oversight and privacy protections that transcend borders.”
The Necessary and Proportionate effort is just the latest response to the revelations of the surveillance methods employed by the National Security Agency, GCHQ in the U.K. and other intelligence agencies. There have been other petitions started, including one to demand the resignation of NSA Director Keith Alexander. The Necessary and Proportionate coalition has put together a list of 13 principles that the groups involved say should be used to guide the “determination of whether the State may conduct communications surveillance that interferes with protected information”.
The principles include legality, legitimate aim, necessity, adequacy and proportionality. The latter principle is at the center of what the coalition is trying to achieve.
“Communications surveillance should be regarded as a highly intrusive act that interferes with the rights to privacy and freedom of opinion and expression, threatening the foundations of a democratic society. Decisions about communications surveillance must be made by weighing the benefit sought to be achieved against the harm that would be caused to the individual’s rights and to other competing interests, and should involve a consideration of the sensitivity of the information and the severity of the infringement on the right to privacy,” the principle’s text says.
Once the petition is finished, the group plans to deliver copies to the U.N. and government leaders around the world to ask for their support.
“In 2013, we learned digital surveillance by world governments knows no bounds. Their national intelligence and other investigative agencies can capture our phone calls, track our location, peer into our address books, and read our emails. They do this often in secret, without adequate public oversight, and in violation of our human rights. We won’t stand for this anymore,” Rodriguez wrote in a blog post.
Image from Flickr photos of Frederic Bisson.
A lingering security issue in Ruby on Rails that stems from a setting in the framework’s cookie-based storage mechanism is still present in almost 2,000 websites.
Sites using an old version of Ruby on Rails that relies on CookieStore, the framework’s default cookie storage mechanism, are at risk. CookieStore saves each user’s session hash in the cookie on the client side, something that keeps each cookie valid for life. This makes it possible for an attacker to glean a user’s log-in information – either via cross-site scripting or session sidejacking – and log in as them at a later date.
Security researcher G.S. McNamara, who detailed the initial vulnerability on his MaverickBlogging site in September, recently spent four days scouring 90,000 sites, running specialized scripts and analyzing data from each domain. When all was said and done, he found 1,897 sites that use old versions of Ruby on Rails (version 2.0 to version 4.0) that do not encrypt their users’ cookie values.
Some of the sites even fail to use SSL after their log-in pages, meaning they are communicating each user’s permanent session cookie without encryption for anyone to sniff and steal.
Most of the websites McNamara found belong to small startup companies but some, such as crowdsourcing site Kickstarter.com, restaurant review site Urbanspoon.com, and the site that belongs to the motion picture studio Warner Brothers (WarnerBros.com) are affected by the vulnerability.
McNamara has reached out to a handful of the sites but with more than 1500 affected, it’s a lengthy list to go through. Kickstarter for example – one of the sites that doesn’t use SSL the entire time a user is logged in – is aware of the issue. Meanwhile sites such as Urbanspoon.com and 500px.com, an online photo community with more than 10 million monthly users, still have not responded to the researcher.
In addition to the sites, McNamara also found a handful of online tools and utilities, applications such as Redmine, Zendesk and Spiceworks that also store user session hashes on the client side. While the last two use SSL as an added layer of security, on Redmine, it’s up to the user to properly configure the software’s security.
While Ruby on Rails moved to encrypt cookies by default in version 4.0, it doesn’t change the fact that users’ information is still at risk. Just because users’ cookies are encrypted and therefore unreadable doesn’t make the cookies useless to an attacker.
“Version 4.0 and beyond still have this problem,” McNamara told Threatpost in an email. “The attacker could save the encrypted cookie and send it to the server to log in as the victim without having to read the contents of the cookie.”
“The encryption does not protect against reusing the cookie after logout,” McNamara warned, comparing an encrypted cookie to a black box that a hacker simply needs to plug into the correct hole to work.
The technical classification for this problem is defined by the Web Application Security Consortium as an Insufficient Session Expiration weakness, basically stating that on sites “the log-out function should… disallow reuse of the session token,” something these sites clearly don’t do.
McNamara points out that anyone looking to see if the Ruby on Rails site they’re visiting is using CookieStore just needs to look for the string “BAh7” at the beginning of the value of the cookies. He adds that a cursory search on SHODAN, the search engine that gained notoriety a few years ago for sniffing out unprotected SCADA devices, reveals 60,000+ vulnerable sites.
McNamara’s list isn’t exhaustive. In this case it’s limited to Rails sites, not sites run on Django, another web framework in which the D.C.-based researcher has also found cookie-related vulnerabilities of late.
To fix the issue, McNamara has previously advocated that Rails developers switch to a different session storage mechanism, one that keeps session information on the server side (in a database) and sends the client only a reference to it, instead of storing the session itself in the cookie.
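The weakness McNamara describes (an encrypted or signed cookie that still works after logout) and the fix he recommends (server-side session state) can both be shown in a few dozen lines. The Ruby below is an added example and not McNamara's scripts or Rails' own code: it mimics the pre-4.0 CookieStore wire format (Base64 of a Marshal-dumped hash, then "--" and an HMAC-SHA1 digest) with a constructed secret, shows the Marshal fingerprint he mentions (the Base64 prefix is "BAh7" because a dumped Hash starts with the bytes 04 08 7b), and then contrasts a cookie-only session with a server-backed one by replaying a captured cookie after logout. Class and method names are this example's own.

```ruby
require 'base64'
require 'openssl'
require 'securerandom'

# Constructed demo secret; a real app uses its configured secret token.
SECRET = 'constructed-demo-secret-not-a-real-key'.freeze

# Mimic the pre-4.0 CookieStore wire format: Base64(Marshal.dump(hash)) "--" HMAC-SHA1 hex digest.
def sign_session(session_hash)
  data = Base64.strict_encode64(Marshal.dump(session_hash))
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', SECRET, data)}"
end

# Constant-time comparison so the signature check does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify the signature, then deserialize. Marshal.load must never run on
# unverified input, so the HMAC check comes first; returns nil if tampered.
def load_session(cookie)
  data, digest = cookie.split('--', 2)
  return nil unless data && digest
  return nil unless secure_compare(digest, OpenSSL::HMAC.hexdigest('SHA1', SECRET, data))
  Marshal.load(Base64.strict_decode64(data))
end

# The fingerprint from the article: a Marshal-dumped Hash begins with the bytes
# 04 08 7b, which Base64 encodes as "BAh7".
def cookie_store_marshal?(cookie)
  cookie.start_with?('BAh7')
end

# Weak design: all session state lives in the cookie, so the server has nothing
# to revoke at logout and a captured cookie keeps working.
class CookieOnlySessions
  def login(user_id)
    sign_session('user_id' => user_id)
  end

  def logout(_cookie)
    # The browser is told to drop the cookie; nothing changes server-side.
  end

  def current_user(cookie)
    session = load_session(cookie)
    session && session['user_id']
  end
end

# Hardened design: the cookie carries only an opaque session id, and a
# server-side registry (a database table in a real app) decides validity.
class ServerBackedSessions
  def initialize
    @active = {} # session_id => user_id
  end

  def login(user_id)
    sid = SecureRandom.hex(16)
    @active[sid] = user_id
    sign_session('session_id' => sid)
  end

  def logout(cookie)
    session = load_session(cookie)
    @active.delete(session['session_id']) if session
  end

  def current_user(cookie)
    session = load_session(cookie)
    session && @active[session['session_id']]
  end
end

# Replay a cookie captured during a session after the user has logged out;
# returns the user id the server still accepts, or nil if the replay is rejected.
def replay_after_logout(sessions)
  cookie = sessions.login(42)
  captured = cookie.dup # what an XSS payload or sidejacked connection would have seen
  sessions.logout(cookie)
  sessions.current_user(captured)
end

if __FILE__ == $PROGRAM_NAME
  puts "cookie-only replay after logout   => #{replay_after_logout(CookieOnlySessions.new).inspect}"
  puts "server-backed replay after logout => #{replay_after_logout(ServerBackedSessions.new).inspect}"
end
```

Encrypting the cookie body, as Rails 4.0 does by default, changes nothing in this picture: the server-backed variant rejects the replay because logout deleted the id from the registry, not because the client could or could not read the cookie. The same registry is also where an idle timeout or an absolute session lifetime belongs.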
Researchers at FireEye have been reporting on intrusive ad clients for more than a month, shedding some light on the potential risks with these programs that come packaged with mobile applications in order to simplify the display of mobile advertisements. The clients may not be malicious, but they do expose apps, devices and users to unnecessary risk, the company said.
“They are aggressive at collecting sensitive data, embedding functionalities and capabilities to perform dangerous operations such as downloading and running new code on demand, and they are also plagued with various classes of vulnerabilities that enable attackers to turn their aggressive behaviors against users,” researchers, Yulong Zhang, Hui Xue, Tao Wei and Dawn Song wrote today on the company’s blog. The researchers also point out that the 2,000 Google Play apps have been downloaded more than 100,000 times each, putting 2.56 billion total downloads at risk. FireEye said it has informed Google and InMobi.
“InMobi builds a sidedoor in host apps with these aggressive features to endow content in WebViews with these capabilities,” the FireEye researchers wrote.
InMobi responded with a new SDK, version 4.0.4, which changed its methods for making phone calls, now requiring user permission, and added a downloads folder for storing files grabbed from the Internet, FireEye said. FireEye said the changes are a step in the right direction, but still leave users vulnerable to social engineering attacks.
“We understand that library vendors like InMobi have the incentive to add rich functionality, however, it is important for the vendors to advise app developers about such features and functionality that cause sensitive security and privacy risks, so that app developers can make informed decisions,” the FireEye researchers wrote.
Banking malware with a particular liking for Fidelity Investments has infected several thousand victims worldwide, and has the capacity for much greater harm, in particular during the upcoming holidays, according to researchers at Kaspersky Lab.
A report released today describes the threat posed by a Trojan called Neverquest, which is self-replicating malware programmed to activate when a victim visits any of more than 100 banks and financial institutions. The malware sends credentials and other personal information back to the attackers, who then via a VNC connection established by the Trojan, are able to conduct transactions on the victim’s behalf and wipe accounts clean.
“This threat is relatively new, and cybercriminals still aren’t using it to its full capacity,” wrote researcher Sergey Golovanov. “In light of Neverquest’s self-replication capabilities, the number of users attacked could increase considerably over a short period of time.”
The threat was spotted in July on an underground forum where the attackers had posted the Trojan for sale, boasting that it could be used to attack 100 banks by plugging in code onto websites viewed with Internet Explorer or Firefox.
“When a user on an infected machine visits one of the sites on the list, the malware controls the browser’s connection with the server. Malicious users can obtain usernames and passwords entered by the user, and modify webpage content,” Golovanov wrote. “All of the data entered by the user will be entered onto the modified webpage and transmitted to malicious users.”
Illicit transactions are conducted over a SOCKS server that is remotely connected to the infected computer via VNC, Golovanov wrote. Stolen funds are either wired directly to the attackers, or to other stolen accounts.
After gaining access to a user’s account with an online banking system, cybercriminals use a SOCKS server and connect remotely to the infected computer via a VNC server, then conduct transactions and wire money from the user to their own accounts, or — in order to keep the trail from leading directly to them — to the accounts of other victims.
The list of targeted banks can be expanded, Golovanov said. The configuration file also contains a list of keywords related to banking activity, such as “available balance,” “checking account,” and “account summary”; if any of them appear in a webpage, the malware sends the page back to the attackers. The attackers may then use that page to develop attacks specific to the bank in question if it is not already on the list, and the new target is added to the configuration file for future infection attempts. Most of the attacks so far, Golovanov wrote, have been against Fidelity customers.
As for Neverquest’s replication capabilities, it moves about similarly to Bredolab, a botnet blamed for millions of infections worldwide via a three-pronged approach. Neverquest uses any of dozens of programs to access FTP servers in order to steal credentials that are used to distribute the malware via the Neutrino Exploit Kit. Also, it can harvest data from victims’ email clients during SMTP/POP sessions, including credentials, which are then used to spam out the Neverquest dropper. It is also designed to harvest credentials from social networks, including Facebook, Live.com, Twitter, Amazon Web Services and many others to spread links via social networks to infected online resources.
“As early as November, Kaspersky Lab noted instances where posts were made in hacker forums about buying and selling databases to access bank accounts and other documents used to open and manage the accounts to which stolen funds are sent,” Golovanov wrote. “We can expect to see mass Neverquest attacks towards the end of the year, which could ultimately lead to more users becoming the victims of online cash theft.”
When authorities in Russia arrested Paunch, the alleged creator of the Blackhole exploit kit, last month, security researchers and watchers of the malware underground predicted that taking him off the board would put a dent in the use of Blackhole and force its customers onto other platforms. Six weeks later, it now appears that Blackhole is almost gone and the Cool exploit kit, another alleged creation of Paunch, has essentially disappeared, as well.
The Cool exploit kit isn’t as well-known as Blackhole, but it is just as dangerous and was being sold at a much higher price during its heyday. Blackhole is one of the more venerable exploit kits for sale on the underground markets and it has been very popular with a variety of attackers and malware gangs over the years. It’s often used in drive-by download scenarios to compromise users’ machines through the use of browser exploits or exploits for plug-ins such as Java or Flash. Blackhole customers could buy a yearly license for about $1,500 or even just rent it for a day for $50. Cool could rent for as much as $10,000 a month.
A malware researcher who uses the name Kafeine and closely follows the sale and use of exploit kits has looked at the major groups that have been using Cool and Blackhole in recent years and found that Cool is virtually gone from the exploit kit landscape. The only crew still using Cool is the Reveton gang, which Kafeine said was the first major customer for the exploit kit, and has been using it for more than a year to push their ransomware. Reveton has taken many forms in its lifetime, showing up as fake FBI or Justice Department warnings about illegal content on a user’s machine.
The Reveton gang is still using Cool, but it’s not the main version of the kit. Like many of the other exploit kits, there are so-called private versions of Cool available for sale to premium customers at premium prices. They often will include private zero day vulnerabilities not available to other users and extra features. Kafeine said via email that the Reveton crew is using its own version of Cool these days.
“Cool has disappeared with Paunch. Main user (reveton Team) is now on a ‘private’ EK that we decided to name Angler EK,” Kafeine said.
The Angler exploit kit was the first to add the Microsoft Silverlight vulnerability CVE-2013-0074. As for Blackhole, there are still a handful of attack groups using it, but Kafeine said that he has seen about a 98 percent drop in the usage of that exploit kit since the arrest of Paunch.
“[Blackhole] is almost dead,” he said.
The one main group that’s using Blackhole is known as /closest/ and has been pushing out LinkedIn spam with malicious links to pages that deliver the exploits. The crew is using Blackhole for a variety of purposes, including pushing the Cutwail bot, some pay-per-click malware and other threats.
Image from Flickr photos of NASA Goddard Space Flight Center.