Stealthy Google Play apps recorded calls and stole e-mails and texts

(credit: portal gda)

Google has expelled 20 Android apps from its Play marketplace after finding they contained code for monitoring and extracting users’ e-mail, text messages, locations, voice calls, and other sensitive data.

The apps, which made their way onto about 100 phones, exploited known vulnerabilities to “root” devices running older versions of Android. Root status allowed the apps to bypass the security protections built into the mobile operating system, including the per-app isolation that normally keeps one app from reading another app’s private data. As a result, the apps were capable of surreptitiously accessing sensitive data stored, sent, or received by at least a dozen other apps, including Gmail, Hangouts, LinkedIn, and Messenger. The now-ejected apps also collected messages sent and received by WhatsApp, Telegram, and Viber, which all encrypt messages to make interception in transit harder; that encryption offers no protection once an app with root can read the messages on the device itself, after they have been decrypted.

The apps also contained functions allowing for:


Microsoft expands bug bounty program to cover any Windows flaw

Some bugs aren’t worth very much cash. (credit: Daniel Novta)

Microsoft today announced a new bug bounty scheme that would see anyone finding a security flaw in Windows eligible for a payout of up to $15,000.

The company has been running bug bounty schemes, wherein security researchers are financially rewarded for discovering and reporting exploitable flaws, since 2013. Back then, it was paying up to $11,000 for bugs in Internet Explorer 11. In the years since then, Microsoft’s bounty schemes have expanded with specific programs offering rewards for those finding flaws in the Hyper-V hypervisor, Windows’ wide range of exploit mitigation systems such as DEP and ASLR, and the Edge browser.

Many of these bounty programs were time limited, covering software during its beta/development period but ending once it was released. This structure is an attempt to attract greater scrutiny before exploits are distributed to regular end-users. Last month, the


Mac malware that went undetected for years, spied on everyday users

(credit: Tim Malabuyo)

A mysterious piece of malware that gives attackers surreptitious control over webcams, keyboards, and other sensitive resources has been infecting Macs for at least five years. The infections—known to number nearly 400 and possibly much higher—remained undetected until recently and may have been active for almost a decade.

Patrick Wardle, a researcher with security firm Synack, said the malware is a variant of a malicious program that came to light in January after circulating for at least two years. Dubbed Fruitfly by some, both malware samples capture screenshots, keystrokes, webcam images, and information about each infected Mac. Both generations of Fruitfly also collect information about devices connected to the same network. After researchers from security firm Malwarebytes discovered the earlier Fruitfly variant infecting four Macs, Apple updated macOS to automatically detect the malware.

The variant found by Wardle, by contrast, has infected a much larger


Microsoft targets Fancy Bear’s domains in trademark lawsuit

(credit: Harald Deischinger)

On Friday, representatives of the notorious hacking entity known as Fancy Bear failed to appear in a federal court in Virginia to defend themselves against a civil lawsuit brought by Microsoft.

As the Daily Beast first reported on Friday, Microsoft has been waging a quiet battle in court against the threat group, believed to be affiliated with the GRU, Russia’s military intelligence agency. For now, the company has managed to seize control of 70 domain names, but it’s going after many more.

The idea of the lawsuit, which was filed in August 2016, is to use various federal laws including the Computer Fraud and Abuse Act (CFAA), the Electronic Communications Privacy Act (ECPA), and American trademark law as a way to seize command-and-control domain names used by the group, which goes by various monikers including APT28 and Strontium. Many of the domain names used by Fancy


Google drops the boom on WoSign, StartCom certs for good

(credit: Michael Rosenstein)

Last August, after being alerted by GitHub’s security team that the certificate authority WoSign had errantly issued a certificate for a GitHub domain to someone other than GitHub, Google began an investigation in collaboration with the Mozilla Foundation and a group of security professionals into the company’s certificate issuance practices. The investigation uncovered a pattern of bad practices at WoSign and its subsidiary StartCom dating back to the spring of 2015. As a result, Google moved last October to begin distrusting new certificates issued by the two companies, stating “Google has determined that two CAs, WoSign and StartCom, have not maintained the high standards expected of CAs and will no longer be trusted by Google Chrome.”

WoSign (based in Shenzhen, China) and StartCom (based in Eilat, Israel) are among the few low-cost certificate providers who’ve offered wildcard certificates. StartCom’s StartSSL offers free Class 1


FCC has no documentation of DDoS attack that hit net neutrality comments

John Oliver takes on FCC Chairman Ajit Pai in net neutrality segment. (credit: HBO Last Week Tonight)

The US Federal Communications Commission says it has no written analysis of DDoS attacks that hit the commission’s net neutrality comment system in May.

In its response to a Freedom of Information Act (FoIA) request filed by Gizmodo, the FCC said its analysis of DDoS attacks “stemmed from real time observation and feedback by Commission IT staff and did not result in written documentation.” Gizmodo had asked for a copy of any records related to the FCC analysis that concluded DDoS attacks had taken place. Because there was no “written documentation,” the FCC provided no documents in response to this portion of the Gizmodo FoIA request.

The FCC also declined to release 209 pages of records, citing several exemptions to the FoIA law. For example, publication of documents related to “staffing


Russian man who helped create notorious malware sentenced to 5 years

Mark Vartanyan, seen here in 2014. (credit: Mark Vartanyan / Instagram)

A Russian man who helped create and spread the notorious Citadel malware back in 2011 was sentenced Wednesday to five years in prison by a federal judge in Atlanta.

According to the Associated Press, Mark Vartanyan will receive two years’ credit for time already served in Norway, where he had been living previously. He was extradited to the United States in December 2016 and was arraigned and pleaded guilty to hacking charges in March 2017. Vartanyan had apparently been helping prosecutors with their investigation “from the start.”

In September 2015, another Russian man, Dimitry Belorossov, was sentenced to 4.5 years on similar charges. In 2014, Ars reported how the malware was being used to target password managers and financial data.


Security experts from Google, Facebook, Crowdstrike want to save US elections

Eric Rosenbach, who served as the chief of staff to the secretary of defense from 2015 until 2017, seen here in 2014. (credit: Center for Strategic & International Studies)

A new group at Harvard University, staffed by the former campaign managers of the Hillary Clinton and Mitt Romney campaigns along with other top security experts, has banded together to help mitigate various types of online attacks that threaten American democracy.

The initiative, dubbed “Defending Digital Democracy,” will be run by former chief of staff for the secretary of defense, Eric Rosenbach.

“Americans across the political spectrum agree that political contests should be decided by the power of ideas, not the skill of foreign hackers,” Rosenbach said in a Tuesday statement. “Cyber deterrence starts with strong cyber defense—and this project brings together key partners in politics, national security, and technology to generate innovative ideas to safeguard our key


Samba puts out new security update to address exploit that fueled WannaCry

(credit: kelly sweeney)

On Wednesday, the Samba Team released new security updates to fix a vulnerability in “all versions of Samba from 4.0.0 onward using embedded Heimdal Kerberos,” according to an announcement from the United States Computer Emergency Readiness Team (US-CERT).

The upgrade comes in response to a self-propagating worm that spread the ransomware known as “WannaCry,” “WCry,” or “WannaCrypt.” As Ars reported in May 2017, within hours of the attack, computer systems around the world were crippled, prompting hospitals to turn away patients while telecoms, banks, and companies such as FedEx were forced to turn off computers for the weekend.

Because of WannaCry, Microsoft took the rare step of issuing patches for three discontinued versions of Windows that hadn’t been updated in years. In a blog post released at the time, Microsoft said the ransomware spread by exploiting a vulnerability in the SMB protocol.



Miscreants have been pillaging credit cards from Trump Hotels’ booking system

Trump Chicago was one of the hotels targeted. (credit: Don Sniegowski)

If you stayed at one of 14 Trump hotel properties between July 2016 and March 2017, there’s a chance your credit card data and other personal information may have been pilfered. (We have posted the full list of new hacks here.)

According to a Tuesday statement posted on the Trump Hotels website, a booking service called Sabre notified the Trump Organization that “an unauthorized party gained access to account credentials that permitted access to payment card data and certain reservation information for some of our hotel reservations…”

In short, they got hacked.


Kaspersky under scrutiny after Bloomberg story claims close links to FSB

Kaspersky Lab CEO and Chairman Eugene Kaspersky speaks at a conference in Russia on July 10, 2017. (credit: Anton Novoderezhkin/TASS via Getty Images)

Shortly after Bloomberg Businessweek published an explosive story under the headline: “Kaspersky Lab Has Been Working With Russian Intelligence,” the security firm released a lengthy statement noting that the company does not have “inappropriate ties with any government.”

The article, which was published in the early morning hours on Tuesday, says that the Moscow-based firm “has maintained a much closer working relationship with Russia’s main intelligence agency, the FSB, than it has publicly admitted. It has developed security technology at the spy agency’s behest and worked on joint projects the CEO knew would be embarrassing if made public.” Media organization McClatchy made seemingly similar claims in a July 3 report.

In the same statement, Kaspersky responded further: “It’s important to be clear:


How I learned to stop worrying (mostly) and love my threat model

We are not Batman. But you get the idea. (credit: Tiffany Liu, MIT)

I have a healthy level of paranoia given the territory I inhabit. When you write things about hackers and government agencies and all that, you simply have a higher level of skepticism and caution about what lands in your e-mail inbox or pops up in your Twitter direct messages. But my paranoia is also based on a rational evaluation of what I might encounter in my day-to-day: it’s based on my threat model.

In the most basic sense, threat models are a way of looking at risks in order to identify the most likely threats to your security. And the art of threat modeling today is widespread. Whether you’re a person, an organization, an application, or a network, you likely go through some kind of analytical process to evaluate risk.

Threat modeling is a key part of the practice people in


FBI-DHS “amber” alert warns energy industry of attacks on nuke plant operators

(credit: Nuclear Regulatory Commission)

The Department of Homeland Security and FBI have issued a joint report providing details of malware attacks targeting employees of companies that operate nuclear power plants in the US, including the Wolf Creek Nuclear Operating Corporation, the New York Times reports. The attacks, detailed in the report federal officials sent out to industry last week, have been taking place since May.

The “amber” alert to industry—the second highest level of severity for these types of reports from the FBI and DHS—noted that the attacks had been focused on employees’ personal computers but had not managed to jump to control systems. Administrative computers and reactor control systems in most cases are operated separately, and the control networks are generally “air-gapped”—kept disconnected from networks that attach to the Internet.

There is no evidence that information on plant operations was exposed. FBI and DHS analysts


Heavily armed police raid company that seeded last week’s NotPetya outbreak

(credit: National Police of Ukraine)

The third-party software updater used to seed last week’s NotPetya worm that shut down computers around the world was compromised more than a month before the outbreak. This is yet another sign the attack was carefully planned and executed.

Researchers from antivirus provider Eset, in a blog post published Tuesday, said the malware was spread through a legitimate update module of M.E.Doc, a tax-accounting application that’s widely used in Ukraine. The report echoed findings reported earlier by Microsoft, Kaspersky Lab, Cisco Systems, and Bitdefender. Eset said a “stealthy and cunning backdoor” used to spread the worm probably required access to the M.E.Doc source code. What’s more, Eset said the underlying backdoored ZvitPublishedObjects.dll file was first pushed to M.E.Doc users on May 15, six weeks before the NotPetya outbreak.

“As our analysis shows, this


HTTPS Certificate Revocation is broken, and it’s time for some new tools

Damn computer hackers, always trying to steal all my stuff. (credit: Getty Images / C.J. Burton)

This article was originally published on Scott Helme’s blog and is reprinted here with his permission.

We have a little problem on the web right now and I can only see it becoming a larger concern as time goes by: more and more sites are obtaining certificates, vitally important documents needed to deploy HTTPS, but we have no way of protecting ourselves when things go wrong.

Certificates

We’re currently seeing a bit of a gold rush for certificates on the Web as more and more sites deploy HTTPS. Beyond the obvious security and privacy benefits of HTTPS, there are quite a few reasons you might want to consider moving to a secure connection that I outline in my article Still think you don’t need HTTPS?. Commonly referred to as “SSL certificates”

Percentage of top one million sites on HTTPS.
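As an added example (not part of Scott Helme’s article), the following Python builds a throwaway CA, two leaf certificates and a CRL in memory with the `cryptography` library and then runs the revocation decision a client has to make. The CA name, hostnames, serial numbers and the OCSP and CRL URLs are all constructed for the demo. The `hard_fail` switch is the part worth noticing: when the CRL cannot be fetched, a soft-failing client accepts the certificate, so an attacker who can block the revocation URL gets the same result as a certificate that was never revoked.

```python
"""Revocation check against a CRL, built entirely offline (added example)."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtensionOID, NameOID

# Constructed values for the demo; no real CA, responder or hostname is involved.
NOW = datetime.datetime(2017, 7, 1, tzinfo=datetime.timezone.utc)
OCSP_URL = "http://ocsp.example.test/"
CRL_URL = "http://crl.example.test/ca.crl"


def make_ca(name="Example Test CA"):
    """Self-signed CA certificate plus its EC private key."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject).issuer_name(subject).public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - datetime.timedelta(days=1))
        .not_valid_after(NOW + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_leaf(ca_key, ca_cert, hostname):
    """End-entity certificate that points clients at an OCSP responder and a CRL."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
        .issuer_name(ca_cert.subject).public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - datetime.timedelta(days=1))
        .not_valid_after(NOW + datetime.timedelta(days=90))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
            AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(OCSP_URL))]),
            critical=False)
        .add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
            full_name=[x509.UniformResourceIdentifier(CRL_URL)],
            relative_name=None, reasons=None, crl_issuer=None)]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )


def make_crl(ca_key, ca_cert, revoked_certs):
    """CRL listing the serial numbers of revoked_certs, signed with ca_key."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(NOW).next_update(NOW + datetime.timedelta(days=7))
    )
    for cert in revoked_certs:
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(cert.serial_number).revocation_date(NOW)
            .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False)
            .build()
        )
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def revocation_endpoints(cert):
    """(OCSP URLs, CRL URLs) a client must reach to learn whether cert was revoked."""
    aia = cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
    ocsp = [d.access_location.value for d in aia
            if d.access_method == AuthorityInformationAccessOID.OCSP]
    cdp = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS).value
    return ocsp, [n.value for dp in cdp for n in (dp.full_name or [])]


def revocation_status(cert, ca_cert, crl, hard_fail=False):
    """Return 'revoked', 'good' or 'unknown' for cert.

    crl is None when the fetch failed (timeout, captive portal, or an attacker
    blocking the CRL URL). A soft-failing client treats that as 'good', so
    blocking the revocation channel defeats the check; hard_fail=True reports
    'unknown' so the caller can refuse the connection instead.
    """
    if crl is None:
        return "unknown" if hard_fail else "good"
    # Only accept a CRL that the certificate's own issuer signed.
    if crl.issuer != cert.issuer or not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL is not a valid CRL from this certificate's issuer")
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    leaf = make_leaf(ca_key, ca_cert, "compromised.example.test")
    crl = make_crl(ca_key, ca_cert, [leaf])
    print(revocation_endpoints(leaf), revocation_status(leaf, ca_cert, crl),
          revocation_status(leaf, ca_cert, None), revocation_status(leaf, ca_cert, None, True))
```

Running the module prints the two URLs the client would have to fetch, then `revoked` for the listed certificate, `good` for the same certificate when the CRL is unreachable and the client soft-fails, and `unknown` when it hard-fails. A real client also has to check the CRL’s validity window and fetch the CRL over a channel the attacker cannot simply block, which is exactly the gap the article is about.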


NotPetya developers may have obtained NSA exploits weeks before their public leak

A computer screen displaying EternalRomance, one of the hacking tools dumped Friday by Shadow Brokers. (credit: Matthew Hickey)

Update: This post was revised throughout to reflect changes F-Secure made to Thursday’s blog post. The company now says that the NotPetya component completed in February didn’t have any definitive bearing on when the NSA exploits were obtained. F-Secure Security Advisor Sean Sullivan tells Ars that the component weaves in the NSA exploits so well that it’s likely the developers had access to the NSA code. “It strongly hints at this possibility,” he said. “We feel strongly that this is the best theory to debunk.” This post is being revised to make clear the early access is currently an unproven theory.

The people behind Tuesday’s massive malware outbreak might have had access to two National Security Agency-developed exploits several weeks before they were published on the Internet, according


Tuesday’s massive ransomware outbreak was, in fact, something much worse

Code in Tuesday’s attack, shown on the left, was altered to permanently destroy hard drives. (credit: Matt Suiche)

Tuesday’s massive outbreak of malware that shut down computers around the world has been almost universally blamed on ransomware, which by definition seeks to make money by unlocking data held hostage only if victims pay a hefty fee. Now, some researchers are drawing an even bleaker assessment—that the malware was a wiper with the objective of permanently destroying hard drives.

Initially, researchers said the malware was a new version of the Petya ransomware that first struck in early 2016. Later, researchers said it was a new, never-before-seen ransomware package that mimicked some of Petya’s behaviors. With more time to analyze the malware, researchers on Wednesday are highlighting some curious behavior for a piece of malware that was nearly perfect in almost all other respects: its code is so aggressive


Microsoft bringing EMET back as a built-in part of Windows 10

The new security analytics dashboard. (credit: Microsoft)

The Windows 10 Fall Creators Update will include EMET-like capabilities managed through a new feature called Windows Defender Exploit Guard.

Microsoft’s EMET, the Enhanced Mitigation Experience Toolkit, was a useful tool for hardening Windows systems. It used a range of techniques—some built in to Windows, some part of EMET itself—to make exploitable security flaws harder to reliably exploit. The idea being that, even if coding bugs should occur, turning those bugs into actual security issues should be made as difficult as possible.

With Windows 10, however, EMET’s development was essentially cancelled. Although Microsoft made sure the program ran on Windows 10, the company said that EMET was superfluous on its latest operating system. Some protections formerly provided by EMET had been built into the core operating system itself, and Windows 10 offered additional protections far beyond the scope of what


Ohio Gov. Kasich’s website, dozens of others defaced using year-old exploit


The official website of Ohio Governor John Kasich and the site of Ohio First Lady Karen Kasich were defaced on June 25 by a group calling itself Team System DZ. The group is a known pro-Islamic State “hacktivist” group that has repeatedly had its social media accounts suspended for posting IS propaganda videos and other activity. Kasich’s site was but one of a number of state and local government websites that were hijacked by Team System DZ early this week, all of which had one thing in common: they were running on an outdated version of the DotNetNuke (DNN) content management platform.

DNN Platform is a popular content management system (particularly with state and local governments) based on Windows Server and the ASP.NET framework for Microsoft Internet Information Services (IIS). DNN Platform is open source and available for free—making it attractive to government agencies looking for something low cost


Check Point says Fireball malware hit 250 million; Microsoft says no

(credit: Corinne Kuhlmann)

Microsoft sparked a curious squabble over malware discovery and infection rates. At the start of the month security firm Check Point reported on a browser hijacker and malware downloader called Fireball. The firm claimed that it had recently discovered the Chinese malware and that it had infected some 250 million systems.

Today, Microsoft said no. Redmond claimed that actually, far from being a recent discovery, it had been tracking Fireball since 2015 and that the number of infected systems was far lower (though still substantial) at perhaps 40 million.

The two companies do agree on some details. They say that the Fireball hijacker/downloader is spread through being bundled with programs that users are installing deliberately. Microsoft further adds that these installations are often media and apps of “dubious origin” such as pirated software and keygens. Check Point says that the software was developed by a Chinese
