Archive for May 2014

New attack methods can 'brick' systems, defeat Secure Boot, researchers say

The Secure Boot security mechanism of the Unified Extensible Firmware Interface (UEFI) can be bypassed on around half of computers that have the feature enabled in order to install bootkits, according to a security researcher.
At the Hack in the Box 2014 security conference in Amsterdam, Corey Kallenberg, a security researcher from nonprofit research organization Mitre, also showed Thursday that it's possible to render some systems unusable by modifying a specific UEFI variable directly from the OS, an issue that could easily be exploited in cybersabotage attacks.
UEFI was designed as a replacement for the traditional BIOS (Basic Input/Output System) and is meant to standardize modern computer firmware through a reference specification that OEMs and BIOS vendors can use. However, in reality there can be significant differences in how UEFI is implemented, not only across different computer manufacturers, but even across different products from the same vendor, Kallenberg said.
Last year, researchers from Intel and Mitre co-discovered an issue in UEFI implementations from American Megatrends, a BIOS vendor used by many OEMs, Kallenberg said. In particular, the researchers found that a UEFI variable called Setup was not properly protected and could be modified from the OS by a process running with administrative permissions.
Modifying the Setup variable in a particular way allowed the bypassing of Secure Boot, a UEFI security feature designed to prevent the installation of bootkits, which are rootkits that hide in the system's bootloader and start before the actual OS. Secure Boot works by checking if the bootloader is digitally signed and on a pre-approved whitelist before executing it.
Bootkits have been a serious threat for years. In 2011, security researchers from Kaspersky Lab said TDL version 4, a malware program that infects the computer's master boot record (MBR), had infected over 4.5 million computers and called it the most sophisticated threat in the world. McAfee reported in 2013 that the number of malware threats that infect the MBR had reached a record high.
Aside from bypassing Secure Boot, the unprotected Setup variable can also be used to "brick" systems if the attacker sets its value to 0, Kallenberg revealed Thursday for the first time. If this happens, the affected computer will not be able to start again.
Recovering from such an attack would be hard and time consuming because it involves reprogramming the BIOS chip, which requires manual intervention and specialized equipment, the researcher said.
The attack could be launched from the OS by malware running with administrative privileges and could potentially be used to sabotage an organization's computers. It wouldn't be the first time such destructive attacks have occurred.
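The weakness described above comes down to a firmware variable that the operating system is allowed to rewrite, persistently, without any authentication on the write. The following audit script is an added example (not code from the article or from Mitre's research): on Linux it reads the variables exposed through efivarfs, decodes each one's attribute word and reports the ones that are non-volatile, runtime-accessible and carry no authenticated-write bit. It assumes the documented efivarfs layout (a 4-byte little-endian attribute word followed by the data); the Setup variable's GUID is vendor-specific, so the constructed sample uses a zero placeholder GUID for it.

```python
"""Audit UEFI variables exposed through Linux efivarfs and flag the ones the
running OS may rewrite persistently without authentication.

Added example; not from the article or from Mitre's research. Assumes the
documented efivarfs layout: each file under /sys/firmware/efi/efivars/ is
named NAME-GUID and begins with a 4-byte little-endian attribute word,
followed by the variable's data.
"""
import os
import struct

EFIVARS_DIR = "/sys/firmware/efi/efivars"

# Variable attribute bits as defined by the UEFI specification.
EFI_VARIABLE_NON_VOLATILE = 0x01
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x02
EFI_VARIABLE_RUNTIME_ACCESS = 0x04
EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS = 0x10
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20

ATTR_NAMES = (
    (EFI_VARIABLE_NON_VOLATILE, "NV"),
    (EFI_VARIABLE_BOOTSERVICE_ACCESS, "BS"),
    (EFI_VARIABLE_RUNTIME_ACCESS, "RT"),
    (EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS, "AUTH"),
    (EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS, "TIME_AUTH"),
)
AUTH_BITS = (EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS
             | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)


def parse_efivar(raw):
    """Split one efivarfs file into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivarfs entry is shorter than its attribute word")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def describe_attrs(attrs):
    """Human-readable attribute string such as 'NV+BS+RT'."""
    return "+".join(name for bit, name in ATTR_NAMES if attrs & bit) or "none"


def is_persistent_os_writable(attrs):
    """True when the variable survives reboots (NV), is reachable from the OS
    at runtime (RT) and the firmware requires no signed write (no AUTH bit).
    That is the necessary condition for the Setup-variable problem; the
    attributes alone cannot show whether the firmware additionally refuses
    the write inside its own SetVariable implementation."""
    return bool(attrs & EFI_VARIABLE_NON_VOLATILE
                and attrs & EFI_VARIABLE_RUNTIME_ACCESS
                and not attrs & AUTH_BITS)


def audit(variables):
    """variables: mapping 'Name-GUID' -> raw efivarfs bytes.
    Returns [(name, attribute string, data length)] for every variable the
    OS may rewrite persistently without authentication, sorted by name."""
    findings = []
    for name in sorted(variables):
        attrs, data = parse_efivar(variables[name])
        if is_persistent_os_writable(attrs):
            findings.append((name, describe_attrs(attrs), len(data)))
    return findings


def load_efivarfs(path=EFIVARS_DIR):
    """Read every variable from a live efivarfs mount; {} when unavailable."""
    variables = {}
    if not os.path.isdir(path):
        return variables
    for name in os.listdir(path):
        try:
            with open(os.path.join(path, name), "rb") as fh:
                variables[name] = fh.read()
        except OSError:  # some entries cannot be read from the OS side
            continue
    return variables


# Constructed sample resembling what efivarfs shows on a typical system. The
# SecureBoot and PK entries use the real EFI_GLOBAL_VARIABLE GUID; the Setup
# variable's GUID is vendor-specific, so a zero placeholder GUID stands in.
SAMPLE = {
    "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c":
        struct.pack("<I", 0x06) + b"\x01",          # BS+RT, volatile
    "PK-8be4df61-93ca-11d2-aa0d-00e098032b8c":
        struct.pack("<I", 0x27) + b"\x00" * 16,     # NV+BS+RT+TIME_AUTH
    "Setup-00000000-0000-0000-0000-000000000000":
        struct.pack("<I", 0x07) + b"\x01\x00",      # NV+BS+RT, unsigned writes
}

if __name__ == "__main__":
    live = load_efivarfs()
    for name, attrs, size in audit(live or SAMPLE):
        print(f"{name}: {attrs}, {size} data bytes, OS-writable without authentication")
```

On a machine without efivarfs the script falls back to the constructed sample and reports only the placeholder Setup entry; PK is skipped because its time-based authenticated-write bit means the firmware will only accept signed updates, and SecureBoot is skipped because it is volatile. A hit from this script is a lead to investigate with the vendor, not proof that the firmware actually honours the write.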

Saturday, May 31, 2014
Posted by Unknown

Cryptocat offers End-to End Encryption For Facebook Messenger

Posted by Unknown

Hacking Cable TV Networks to Broadcast Your Own Video Channel

I was watching my favorite show on the television and it was just half over when I saw something which was definitely not a part of the show I was watching. My television screen went blank for a couple of seconds, and then what I saw was totally unbelievable to my eyes.

It was my friend 'Rahul Sasi' on the television, and I was still wondering how he had interrupted a television show, like in Sci-Fi movies where someone hijacks a television or computer to deliver some kind of message or warning. Also like in some horror movies, in which ghostly images sometimes interrupt the television broadcast and suddenly come out of it. Oh my god!

But nothing like that happened in my case; my friend didn't come out. Just a few minutes later I was redirected back to the same show I was watching. I missed only a part of it, but never mind, I'll watch it on YouTube later.

I think you might be thinking I am kidding, but it's true. My friend Rahul Sasi is a well-known Indian security researcher and founder of the Garage4Hackers Forum. This was a surprise demonstration he gave me last weekend of "Hacking Your Cable TV Networks," which he is going to present next week at the Hack In The Box (HITB) Security Conference in Amsterdam.

A year back, a similar attack was noticed by television viewers in Great Falls, Montana, when a hacker interrupted a television show with a message warning the viewers that "dead bodies are rising from their graves and attacking the living".

But this is going to be the first time someone gives a live demonstration of hacking cable television networks. For the last eight to nine months, Rahul has been working with a local cable TV network provider, where he discovered insecure implementations and weak architecture in cable TV networks that could be abused by any potential hacker to carry out large-scale attacks.

Unlike the Internet, television is a one-way medium: if someone hijacks a cable TV service provider and displays an emergency alert, or streams a video stating that a riot has started in a nearby city, it may be only a hoax perpetrated by as-yet unknown hackers, but it can cause enough panic among the people.

In the presentation, Sasi will demonstrate how a potential attacker can leverage the weaknesses in cable TV networks to attack the various standards used for broadcast transmission, including analogue cable TV, DVB-C and IPTV.
The technical details will be revealed at the HITB conference next week. Philip R. Zimmermann, the creator of Pretty Good Privacy, will also join HITB this year as a Highlight Speaker.

The event is also hosting a three-day free Haxpo, an IT security exhibition at Beurs van Berlage, Amsterdam on May 28th, 29th and 30th, 2014.
"We're excited to be celebrating our 5th year anniversary event in The Netherlands with not only an all-women keynote line but also with our brand new HITB Haxpo - an interactive event for not only hackers but makers and builders which we think will be unlike anything that's been done before. A true celebration of all things 'hacker' and a reminder of the original meaning of the word - exploring the limits of what is possible, in a spirit of playful cleverness." Dhillon Andrew Kannabhiran, Founder/Chief Executive Officer of Hack In The Box, told The Hacker News.
Some other interesting technical presentations which will also be part of the conference are listed below:
  • Dr. Marco Balduzzi will present some new vulnerabilities and attacks on AIS, Automatic Identification System.
  • Anthony Hariton, a Computer Science Undergraduate student will show you how one can hack Boarding passes to get through all the Airport security checks.
  • Michael Ossmann, a wireless security researcher and hardware hacker, will demonstrate how you can build your own NSA Playset out of open source components.
Friday, May 30, 2014
Posted by Unknown

Spotify Hacked, Urges Android Users to Upgrade app and Change Password

Today, the popular music streaming service Spotify said it has suffered a data breach and warned users of its Android app to upgrade it in the wake of a potential breach of its servers.

Spotify is a commercial music streaming service launched in October 2008 by Swedish start-up Spotify AB. It is freely available for Android and iOS devices as well as for desktop computers and has more than 40 million active users, of which about 10 million are paid subscribers. Offline listening and ad-free playback are also available to Premium subscribers of the service.

The company announced that a hacker had allegedly broken into its systems and gained unauthorized access to the internal company data. So far only one of its users’ accounts has been accessed in the data breach, but the company believes that there is no harm to the financial information, payment details or password of the affected user.
"Our evidence shows that only one Spotify user's data has been accessed and this did not include any password, financial, or payment information," Spotify chief technology officer Oskar Stål said in a blog post on Tuesday. "We have contacted this one individual. Based on our findings, we are not aware of any increased risk to users as a result of this incident."
The company launched an investigation immediately, but does not believe users are at any increased risk following the breach.

However, Stål said the company takes such matters very seriously, and as "general precautions," Spotify will sign out some users of its desktop, iOS, Android and Windows Phone apps in the coming days and ask them to log in again by re-entering their username and password, as an extra step to ensure its customers' private data stays safe.

Spotify will release the updates this week and will also guide its Android users to upgrade the Android app. "Please note that offline playlists will have to be re-downloaded in the new version," Stål said. "We apologize for any inconvenience this causes, but hope you understand that this is a necessary precaution to safeguard the quality of our service and protect our users."

In its statements, Spotify has not given any details of how the attackers were able to compromise the database, but the Android app recommendation hints that users of the Android app are at greater risk, as the breach may have been caused by a vulnerability in the Android app. Spotify said there is 'no action recommended for iOS and Windows Phone users' at this time.

The news comes after the latest eBay massive data breach that affected 145 million registered users across the world after the company’s database was compromised by the hackers.

Thursday, May 29, 2014
Posted by Unknown

New banking Trojan 'Zberp' offers the worst of Zeus and Carberp

A new computer Trojan that targets users of 450 financial institutions from around the world appears to borrow functionality and features directly from the notorious Zeus and Carberp malware programs.
The new threat, dubbed Zberp by security researchers from IBM subsidiary Trusteer, has a wide range of features. It can gather information about infected computers including their IP addresses and names; take screen shots and upload them to a remote server; steal FTP and POP3 credentials, SSL certificates and information entered into Web forms; hijack browsing sessions and insert rogue content into opened websites; and initiate rogue remote desktop connections using the VNC and RDP protocols.
The Trusteer researchers consider Zberp a variant of ZeusVM, a recent modification of the widely used Zeus Trojan program whose source code was leaked on underground forums in 2011. ZeusVM was discovered in February and stands out from other Zeus-based malware through its authors' use of steganography to hide configuration data inside images.
The Zberp authors use the same technique, which is meant to evade detection by anti-malware programs, to send configuration updates embedded in an image that depicts the Apple logo. However, the new threat also uses hooking techniques to control the browser that seem to have been borrowed from Carberp, another Trojan program designed for online banking fraud whose source was leaked last year.
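One cheap, defender-side check that follows from the paragraph above is to look for image files that carry data after the point where the image format ends. The script below is an added example; it is not Trusteer's detection logic, and the article does not say how ZeusVM or Zberp actually encode the configuration. It assumes the common trick of appending the payload after a JPEG EOI marker or a PNG IEND chunk, which a mail gateway or web proxy can test without decoding pixels; an encoder that hides data in the pixel values themselves would pass this check. The image bytes are constructed minimal containers, not real pictures.

```python
"""Flag image files that carry extra bytes after the format's end-of-image
marker. Added example; not Trusteer's detection code. Assumes the payload
is appended after JPEG EOI or PNG IEND, which the article does not confirm
for Zberp specifically."""
import struct

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"


def png_end_offset(data):
    """Offset just past the IEND chunk's CRC, or None if not a parseable PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        pos += 8 + length + 4            # chunk header + data + CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None


def jpeg_end_offset(data):
    """Offset just past the EOI marker. Walks the segment structure so that an
    EOI inside an embedded EXIF thumbnail is not mistaken for the real end."""
    if not data.startswith(JPEG_SOI):
        return None
    n, pos = len(data), 2
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return None                  # lost sync: malformed file
        marker = data[pos + 1]
        if marker == 0xFF:               # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:               # EOI
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers
            pos += 2
            continue
        if pos + 4 > n:
            return None
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + seg_len
        if marker == 0xDA:               # SOS: skip entropy-coded data
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                # a real marker, not stuffing or RSTn
                pos += 1
    return None


def trailing_bytes(data):
    """Bytes after the image proper: b'' for a clean image, None if the data
    is not a parseable PNG or JPEG."""
    end = png_end_offset(data) if data.startswith(PNG_SIG) else jpeg_end_offset(data)
    return None if end is None else data[end:]


def scan_images(images, min_trailer=16):
    """images: mapping name -> bytes. Returns [(name, trailer length)] for
    files whose trailer is at least min_trailer bytes; a few bytes of padding
    after EOI are common in benign files and are ignored."""
    flagged = []
    for name, data in images.items():
        trailer = trailing_bytes(data)
        if trailer is not None and len(trailer) >= min_trailer:
            flagged.append((name, len(trailer)))
    return flagged


# Constructed minimal images: valid container framing only, no real picture.
CLEAN_PNG = (PNG_SIG
             + b"\x00\x00\x00\x0dIHDR" + b"\x00\x00\x00\x01\x00\x00\x00\x01\x08\x00\x00\x00\x00"
             + b"\x00\x00\x00\x00"                                   # IHDR with dummy CRC
             + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82")              # IEND with its real CRC
CLEAN_JPEG = (JPEG_SOI
              + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"   # APP0
              + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                        # SOS
              + b"\x12\xff\x00\x34\xff\xd0\x56"                                    # data with stuffing and RST0
              + b"\xff\xd9")                                                       # EOI
FAKE_CONFIG = b"<constructed stand-in for an appended configuration blob>"
SAMPLE_IMAGES = {
    "logo.png": CLEAN_PNG,
    "logo_with_trailer.png": CLEAN_PNG + FAKE_CONFIG,
    "photo.jpg": CLEAN_JPEG,
    "photo_with_trailer.jpg": CLEAN_JPEG + FAKE_CONFIG,
}

if __name__ == "__main__":
    for name, size in scan_images(SAMPLE_IMAGES):
        print(f"{name}: {size} bytes after end of image")
```

Run on the sample set, only the two files with the appended blob are reported. The threshold exists because a handful of padding bytes after EOI is common in legitimate files; the size and entropy of a large trailer, not its mere presence, is what makes a file worth pulling for analysis.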
"Since the source code of the Carberp Trojan was leaked to the public, we had a theory that it won't take cybercriminals too long to combine the Carberp source code with the Zeus code and create an evil monster," Trusteer researchers Martin Korman and Tal Darsan said last week in a blog post. "It was only a theory, but a few weeks ago we found samples of the 'Andromeda' botnet that were downloading the hybrid beast."
Zberp also uses some other techniques borrowed from ZeusVM to achieve persistence and evade detection, the researchers said. The malware program deletes its start-up registry key when running and adds it back when it detects a system shutdown.
"According to a Virus-Total scan, the Zberp Trojan was able to evade most anti-virus solutions when it was first detected," the Trusteer researchers said.


Wednesday, May 28, 2014
Posted by Unknown

Microsoft Outlook App for Android Devices Stores Emails Unencrypted on the File System

If you have an account with Microsoft's popular free email service Outlook.com and use the Outlook app for Android, then there is bad news for you.

Microsoft's Android app for Outlook.com, which lets users access their Outlook emails on their Android devices, fails to provide security and encryption.

LOOPHOLES DISCOVERED
Researchers from the firm Include Security claim to have found multiple vulnerabilities in Microsoft's Outlook app for Android that leave users' email data vulnerable to hackers and other malicious third-party apps.
  • By default, Email attachments are stored into easily accessible folders on the Android filesystem
  • Email Database (Body, Subject) is stored locally in an unencrypted manner
  • App's 'Pin Code' feature doesn't protect or encrypt email data.
EMAIL ATTACHMENTS ARE ACCESSIBLE TO ANY OTHER APPS
Today almost every application available on the Google Play Store asks for the READ_EXTERNAL_STORAGE permission, which allows it to read data from the device storage, even if the phone is not rooted.
"READ_EXTERNAL_STORAGE and INTERNET are some of the most common permissions granted by users to applications upon installation," Erik Cabetas, managing director of Include Security, said.
Include Security found that the Outlook app for Android automatically downloads email attachments to the '/sdcard/attachments' folder on the file system, which can be accessed by any malicious application or by a person with physical access to the user's device. "Phones nowadays come with preinstalled apps on them that could grab those emails," he added.

UNENCRYPTED EMAIL DATABASE
The Outlook app keeps a local copy of your emails in a database on the device file system under "/data/data/com.outlook.Z7/". On a rooted device this directory can be read directly; on non-rooted Android devices, the Android Debug Bridge (adb) tool can extract it.
"We've found that many messaging applications (stored email or IM/chat apps) store their messages in a way that make it easy for rogue apps or 3rd parties with physical access to the mobile device to obtain access to the messages," he said.
In this folder the app stores a database file called 'email.db', which keeps a copy of every one of your emails in unencrypted form, i.e. once an attacker is able to grab this file, he can read all of your emails and sensitive data in plain text using the sqlite3 utility.
As the screenshots in the original post show, the researchers were able to pull the email.db file, open the unencrypted database and read the email content from it.

Earlier we reported that Windows malware is now capable of compromising Android devices connected to it and can extract any file from the Android file system, even if the device is not rooted.

PINCODE CAN'T PROTECT YOU
Microsoft implemented a unique protection mechanism in its Outlook app that nobody else provides: its PINCODE feature (application lock), which is intended to add extra protection in case your device gets into the wrong hands.

But unfortunately this feature also fails to protect users' data from the two flaws listed above, because it only locks the graphical user interface of the app and does nothing to ensure the confidentiality of messages and attachments, which are themselves stored on the filesystem of the mobile device.
"If a device is stolen or compromised, a 3rd party may try to obtain access to locally cached messages (in this case emails and attachments)," said Erik Cabetas, managing director of Include Security, in the blog post.
MICROSOFT REFUSES TO PATCH IT
The one thing Microsoft's app lacks is encryption. The researchers contacted Microsoft's Security Response Center in December 2013 about the security weakness in the Outlook app, but Microsoft refused to patch the vulnerabilities, replying: "...users should not assume data is encrypted by default in any application or operating system unless an explicit promise to that effect has been made."

Erik from Include Security suggests that Outlook for Android could use SQLCipher to encrypt the SQLite database, which would be especially useful on older devices that do not support full disk encryption.

SURVEILLANCE COMPATIBLE
At a time when, in response to the mass surveillance conducted by the US National Security Agency (NSA), every service is moving towards deploying encryption across the Internet, one of the Internet's big giants, Microsoft, has failed to do so.

Today we feel the need for highly secured networks and encrypted devices to safeguard our privacy from cyber criminals and from our own government as well. So encryption is more important today than at any other time in our history: encryption of our online messages, our emails, our voice calls, and all of our personal data and communication.

Android users are highly recommended to use full disk encryption for the Android and SD card file systems, and to turn off USB debugging mode in the Developer Options settings.

Yesterday, in a separate news we reported about a critical zero-day vulnerability (CVE-2014-1770) in 'Internet Explorer 8' that Microsoft had kept hidden from all of us, since October 2013.

UPDATE
"Microsoft is committed to protecting the security of your personal information. We use a variety of security technologies and procedures to help protect your personal information from unauthorized access, use, or disclosure. For people using the Outlook.com app for Android, applications run in sandboxes where the operating system protects customers’ data. Additionally, customers who wish to encrypt their email can go through their phone settings and encrypt the SD card data. Please see Microsoft’s online privacy policy for more information." Microsoft said in a statement to The Hacker News.


Friday, May 23, 2014
Posted by Unknown

Researchers find a global botnet of infected PoS systems

Security researchers uncovered a global cybercriminal operation that infected with malware almost 1,500 point-of-sale (POS) terminals, accounting systems and other retail back-office platforms from businesses in 36 countries.
The infected systems were joined together in a botnet that researchers from cybercrime intelligence firm IntelCrawler dubbed Nemanja. The researchers believe the attackers behind the operation might be from Serbia.
The size of the botnet and the worldwide distribution of infected systems brings into perspective the security problems faced by retailers from around the world, problems that were also highlighted by the recent PoS breaches at several large U.S. retailers.
Past incidents suggest an increased attention from cybercriminals toward retailers and small businesses that use PoS terminals, the IntelCrawler researchers said Thursday in a blog post. "We predict an increasing number of new data breaches in both sectors in the next few years, as well as the appearance of new types of specific malicious code targeted at retailers' backoffice systems and cash registers."
According to IntelCrawler, the Nemanja botnet included 1,478 infected systems in countries on most continents including the U.S., the U.K., Canada, Australia, China, Russia, Brazil and Mexico.
An analysis of the Nemanja botnet revealed that the compromised systems were running a wide variety of PoS, grocery store management and accounting software that is popular in different countries. The IntelCrawler researchers identified at least 25 different such software programs used on those systems.
This doesn't mean that the identified applications are particularly vulnerable or insecure for further use, but it shows that the Nemanja PoS malware was designed to work with different software. Besides the ability to collect credit card data, the malware also had keylogging functionality to intercept credentials that could provide access to other systems and databases containing payment or personally identifiable information.
IntelCrawler predicts that very soon modern PoS malware will be incorporated as modules into malicious remote access tools (RATs) or other Trojan programs and will be used along other components, like those for keylogging or network traffic sniffing.
Security firm Trustwave recently said in a report that one in three data breaches the company investigated last year involved compromised PoS terminals. A separate report from Verizon released in April and based on a larger data breach caseload revealed that PoS intrusions were a factor in 14 percent of confirmed data breaches.
The other countries where the Nemanja botnet was detected were Argentina, Austria, Bangladesh, Belgium, Chile, Czech Republic, Denmark, Estonia, France, Germany, Hong Kong, India, Indonesia, Israel, Italy, Japan, Netherlands, New Zealand, Poland, Portugal, South Africa, Spain, Switzerland, Taiwan, Turkey, Uruguay, Venezuela and Zambia.

Wednesday, May 21, 2014
Posted by Unknown

Hackers put security tool that finds payment card data into their arsenal

Like a crowbar, security software tools can be used for good and evil.
Bootleg versions of a powerful tool called "Card Recon" from Ground Labs, which searches for payment card data stored in the nooks and crannies of networks, have been appropriated by cybercriminals.
This month, the security companies Trend Micro and Arbor Networks published research into point-of-sale malware, which has been blamed for data breaches at retailers such as Target and Neiman Marcus, sparking concerns over the security of consumer data.
Both companies found that unauthorized copies of Card Recon had been incorporated into a malware program and a toolkit designed for finding and attacking POS terminals.
"Card Recon looks to be a useful tool when wielded by an auditor or security staff, but it is clearly dangerous in the wrong hands," Arbor Networks wrote in its report.
Card Recon is intended for organizations seeking to comply with the Payment Card Industry's Data Security Standard (PCI-DSS), a set of recommendations to safeguard payment card data.
The software tool scans all parts of a network to see where payment card data is stored. Often, companies find card details stashed in unlikely and unknown places. Card Recon compiles a thorough report, and companies can then move to secure the data.
The software requires license authorization before it will run, which prevents direct illegitimate use, said Stephen Cavey, Ground Labs' co-founder and director of corporate development, via email. But it's impossible to restrict access to Card Recon's software executable after a genuine customer has obtained it.
More than 300 security auditors worldwide and thousands of merchant companies use Card Recon, he said.
"This is the unfortunate reality for all software vendors: It is common for criminals to acquire a copy of commercial software via unauthorized means and then reverse engineer that software to circumvent the licensing mechanisms that are designed to prevent its unauthorized use," Cavey said.
Numaan Huq, a senior threat researcher for Trend Micro, wrote on Wednesday that a version of Card Recon dating from three years ago was being used to validate payment card details in a type of POS malware.
When Card Recon is scanning, it has to be able to separate 16-digit numbers and other random data it finds from valid 16-digit credit card numbers. Credit card numbers can be validated by using a checksum formula called the Luhn algorithm.
The malware Huq studied used Card Recon to validate and identify cards by brands such as Discover, Visa and MasterCard. Using Card Recon was faster than other validation methods, especially for large volumes of card data, he wrote.
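The two paragraphs above describe the core of what a card-data discovery tool does: pull 13- to 19-digit candidates out of arbitrary text, reject the ones that fail the Luhn checksum, and tag the survivors by issuer prefix. The script below is an added example written from the auditor's side (it is not code from Card Recon, Ground Labs, Trend Micro or Arbor Networks). The Luhn check is the standard algorithm; the brand prefix table (Visa 4, MasterCard 51-55, Discover 6011/65/644-649) is a simplified assumption, not Ground Labs' rules. The sample text is constructed and the card numbers in it are well-known test numbers, not real accounts; findings are masked to first-six/last-four before they are returned, so the scanner's own report does not become a new copy of the data.

```python
"""Find, Luhn-validate and brand-tag candidate payment card numbers in text.
Added example for the article above; not Card Recon's code. The brand prefix
table is a simplified assumption."""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run (which would be an order or serial number).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(pan):
    """Luhn checksum: from the right, double every second digit, subtract 9
    from doubled values above 9, and require the total to be a multiple of 10."""
    if not pan.isdigit() or len(pan) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand(pan):
    """Simplified issuer tagging by prefix and length (assumption, see above)."""
    n = len(pan)
    if pan[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if "51" <= pan[:2] <= "55" and n == 16:
        return "MasterCard"
    if n == 16 and (pan.startswith("6011") or pan.startswith("65")
                    or "644" <= pan[:3] <= "649"):
        return "Discover"
    return None


def mask(pan):
    """Keep the first six and last four digits, the usual display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_data(text):
    """Return [(brand, masked PAN)] for every Luhn-valid, brand-matching
    candidate in the text, in order of appearance."""
    findings = []
    for m in CANDIDATE_RE.finditer(text):
        pan = re.sub(r"[ -]", "", m.group())
        if luhn_valid(pan):
            b = brand(pan)
            if b is not None:
                findings.append((b, mask(pan)))
    return findings


# Constructed sample of the kind of text a scanner sees on a file share. The
# card numbers are well-known test numbers; the order and ref numbers are
# 16-digit values that fail Luhn and must not be reported.
SAMPLE_TEXT = """
invoice.txt: paid with Visa 4111 1111 1111 1111 on 2014-05-02
crm-export.csv: 5555-5555-5555-4444, MasterCard, exp 09/16
notes.log: customer read out 6011111111111117 over the phone
orders.db: order 9876543210123456 shipped; ref 1234567812345678
"""

if __name__ == "__main__":
    for issuer, masked in find_card_data(SAMPLE_TEXT):
        print(f"{issuer}: {masked}")
```

The Luhn test alone is not enough: about one in ten random 16-digit strings passes it, which is why the brand prefix and length filter is applied afterwards, and why a real scanner also weights hits by context (file type, neighbouring expiry dates). The regex deliberately refuses digit runs longer than 19, since the most common false positives are order numbers and device serials that happen to contain a Luhn-valid substring.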
Arbor Networks wrote in its report that the attack toolkit it observed contained two cracked copies of Card Recon. In that instance, it appears Card Recon was being used for its intended purpose -- to find card numbers -- but for cybercriminals.
If anything, the abuse of Card Recon strengthens a case for its legitimate use. Ground Labs' Cavey said the best defense is to remove sensitive data.
"They can't steal what is no longer there," he said.

Saturday, May 3, 2014
Posted by Unknown

- Copyright © Technology for World -Metrominimalist- Powered by Blogger - Designed by Johanes Djogan -