
EU Regulators Raise Concerns over Yahoo and WhatsApp

European data protection regulators have written to both WhatsApp and Yahoo. With Yahoo, concerns center on the breach and theft of 500 million user accounts, and on sharing content with the US government. The WhatsApp concern is over sharing EU personal data with US-based Facebook. In both cases the issues will be discussed in November.

In 2014 hackers stole details on 'at least 500 million user accounts' from Yahoo. Yahoo claimed that it was the victim of a state-sponsored attack.

In October 2016 Reuters reported that Yahoo had previously "complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI." Yahoo immediately denied that it had conducted mass email surveillance. The issue of the US government scanning European emails should not be considered lightly -- it was fundamental to the European Court's decision to strike down the original Safe Harbor agreement.

For both Yahoo issues the European Article 29 Working Party (the body comprising all EU national data protection regulators) has asked Yahoo for clarification. Concerning the breach the regulators have asked that all affected users be notified of any 'adverse effects', and that the company should "cooperate with all 'upcoming national data protection authorities' enquiries and/or investigations'." (Reuters) Over any email scanning Yahoo is asked to explain the legal basis and compatibility with EU law.

The regulators' concerns over WhatsApp focus on the recent privacy policy changes -- the first that have happened since the company was bought by Facebook. A WhatsApp spokesperson said that it was working with the regulators, had done so even before the changes, and that it is "committed to respecting applicable law."

The relevant change is that WhatsApp now shares its customer data with the US-based Facebook parent, despite initially claiming that it would not do so. In September 2016, the German regulators acted alone and announced they had blocked Facebook from collecting WhatsApp subscriber data. WhatsApp said it would appeal the decision.

The upcoming November discussions by the Article 29 Working Party are likely to center around the 'informed consent' issue. In particular, does an opt-out option comply with regulations? WhatsApp includes an option for its users to opt out of sharing data with Facebook. However, this may not be sufficiently explicit to satisfy the regulators.



A WhatsApp screen display includes "Read our Terms and Privacy Policy and learn more about the choices you have. Please agree to the Terms and Privacy Policy to continue using WhatsApp. If you don't wish to Agree, you'll need to discontinue using WhatsApp. AGREE." There is no explicit mention here that users can both opt out of sharing data with Facebook and still continue using WhatsApp -- in fact, the implication is the opposite.

If the user decides to delve deeper 'to learn about the choices', there is another screen explaining the option to 'opt-out' of sharing. This is accompanied by a pre-selected opt-in tick box.

The November discussions are likely to consider whether this arrangement satisfies the principle of informed consent -- and a possible outcome will be a strongly worded request, backed by the threat of sanctions from individual national regulators, for WhatsApp to be more explicit. An active opt-in option would solve the problem and keep WhatsApp unambiguously in conformance with EU data protection law.

Teen Arrested for Cyberattack on 911 Emergency System

An 18-year-old teen from Arizona was arrested this week after one of his iOS exploits caused serious disruption to 911 emergency systems.

According to the Maricopa County Sheriff's Office, Meetkumar Hiteshbhai Desai was booked on three counts of Computer Tampering, which in this case is a Class 2 felony, considered an extremely serious crime in Arizona and other states, due to the fact that it involved critical infrastructure.

The Maricopa County Sheriff's Office Cyber Crimes Unit launched an investigation after being notified of disruption to the 911 service in the Phoenix metro area and possibly in other states.

Desai apparently learned of an iOS bug that can be exploited to manipulate devices, including triggering pop-ups, opening email, and abusing phone features. The teen created several exploits and published one of them on a website, linking to it from his Twitter account in an effort to prank his followers.

While Desai claimed he wanted to publish a link to an exploit that only displayed pop-ups and caused devices to reboot, he mistakenly tweeted a link to an exploit that caused iPhones and iPads to continually dial 911 and hang up.

According to police, the link pointing to the exploit was shared with more than 12,000 followers and clicked over 1,800 times. The Maricopa County Sheriff's Office ultimately managed to shut down the website hosting the exploit.

The police department in Surprise, Arizona, received more than 100 hang-up calls to its 911 service within minutes, which could have caused their switches to lose service. Agencies in California and Texas, the Peoria Police Department, and the Maricopa County Sheriff's Office also received calls triggered by Desai's exploit.

Desai claimed he was trying to find iOS vulnerabilities that he could report to Apple for monetary rewards and recognition. He said he did not mean to publish the exploit designed to call 911 as he knew it was illegal.

Researchers revealed last month that 911 emergency services in a U.S. state can be disrupted by a botnet powered by only 6,000 smartphones.

Security professionals sometimes get into a quarrel with the companies whose products and services they are analyzing. However, there are cases where experts have been charged and even convicted over their research.

One of the most well-known cases involves Andrew Auernheimer, who in 2013 was sentenced to 41 months in prison after he hacked into AT&T servers. A more recent case involves David Levin, owner of Vanguard Cybersecurity, who was arrested and later sentenced to 20 days in jail after exploiting a vulnerability he found on a Florida elections website.

U.S. Indicts 61 in Indian Call Center Scam

The Department of Justice this week brought charges against a total of 61 individuals and entities for their presumed involvement in a call center scam targeting tens of thousands of individuals in the United States.

Law enforcement arrested 20 individuals in the US related to the fraudulent scheme. An additional 32 individuals and five call centers in India were charged for their alleged involvement. Moreover, a U.S.-based defendant is currently in the custody of immigration authorities, DOJ announced.

On Oct. 19, 2016, a grand jury in the U.S. District Court for the Southern District of Texas returned the indictment. Charges include conspiracy to commit identity theft, false personation of an officer of the United States, wire fraud and money laundering, DOJ says. One of the defendants was separately charged with passport fraud, the announcement says.

The defendants were allegedly involved in a sophisticated fraud scheme, and investigators believe that conspirators in India, including a network of call centers in Ahmedabad, India, were behind it. Based on information gathered from data brokers and other sources, operators allegedly called potential victims and impersonated officials from the Internal Revenue Service (IRS) or U.S. Citizenship and Immigration Services.

The indictment claims that the call center operators threatened potential victims with arrest, imprisonment, fines or deportation if they did not pay taxes or penalties. When the victim agreed to pay, the call centers would use a network of U.S.-based co-conspirators to liquidate and launder the extorted funds as quickly as possible.

The perpetrators did the laundering by purchasing prepaid debit cards or through wire transfers, and were often registering the prepaid debit cards using misappropriated personal identifying information (PII) of thousands of identity theft victims, DOJ says. Fake names and fraudulent identifications were used to direct the wire transfers.

Hawalas were allegedly used to transfer money internationally outside of the formal banking system, to direct the extorted funds to the accounts of U.S.-based individuals. While these individuals did expect the hawala transfers, they weren't aware of the illicit nature of the funds, the indictment reveals. Apparently, the co-conspirators kept a percentage of the proceeds for themselves.

According to the indictment, one of the call centers extorted $12,300 from an 85-year-old victim from San Diego, California, after threatening her with arrest if she did not pay fictitious tax violations. On the same day that she was extorted, one of the U.S.-based defendants allegedly used a reloadable debit card funded with the victim's money to purchase money orders in Frisco, Texas, the DOJ notes.

The defendants are also believed to have extorted $136,000 from a victim in Hayward, California. They called the victim multiple times over a 20-day period, claiming to be IRS agents and demanding payment for alleged tax violations. They instructed the victim to purchase 276 stored value cards, which they transferred to reloadable debit cards; some of the cards were activated using stolen PII from US-based victims.

Alternative fraudulent schemes were also used, where operators would offer small short-term loans to their victims, or advise them that they were eligible for grants. Next, the conspirators would request a good-faith deposit that would prove the victim's ability to pay back the loan, or demand that a fee to process the grant be paid, but the victim would never receive any money after making the requested payment.

The DOJ has created a website to provide additional information about the case.

"This multi-agency, three year investigation illustrates the ability of federal, state and local agencies to successfully leverage resources, communicate and work together to achieve justice," said Inspector General John Roth of the U.S. Department of Homeland Security Office of Inspector General (DHS OIG). "We commend the victims for overcoming any possible embarrassment or fear and coming forward and report this to the authorities."

LDAP Attack Vector Makes Terabit-Scale DDoS Attacks Possible

A new zero-day distributed denial of service (DDoS) attack vector could open the floodgates for terabit-scale DDoS events, researchers at Corero Network Security warn.

The new zero-day attack vector has already been observed in a live incident and relies on the Lightweight Directory Access Protocol (LDAP), which is used for accessing username and password information in databases like Active Directory. By leveraging amplification, cybercriminals can inflict significant damage on their targets, the security researchers say.

According to Corero, the technique offers an amplification factor of 46x, which could peak at 55x. The security company also explains that an attacker could send a simple query to a vulnerable reflector supporting the Connectionless LDAP service (CLDAP). The use of address spoofing would result in the query appearing to originate from the intended victim.

Because the CLDAP service would respond to the spoofed address, unwanted network traffic would be immediately sent to the attacker's intended target. What's more, the use of amplification techniques would allow actors to intensify the size of attacks, because the LDAP servers generate responses much larger than the attacker's queries.
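The reflection pattern described above leaves two signatures in flow data that a defender can check for: directory servers of their own that answer UDP/389 queries from outside addresses, and large UDP/389 responses arriving at hosts that never sent a query. The following is an added example, not code from the article or from Corero; the flow tuple format, the 10.0.0.0/8 internal range and every record in `FLOWS` are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

CLDAP_PORT = 389                      # CLDAP is LDAP carried over UDP port 389
INTERNAL = ip_network("10.0.0.0/8")   # assumption: the address space being defended

# Constructed flow records: (src, sport, dst, dport, proto, bytes).
# External addresses come from the documentation ranges.
FLOWS = [
    ("203.0.113.9", 51000, "10.0.0.5", 389, "udp", 62),     # outside "client" queries our server
    ("10.0.0.5", 389, "203.0.113.9", 51000, "udp", 2852),   # our server's much larger answer
    ("10.0.1.20", 49152, "10.0.0.5", 389, "udp", 62),       # internal lookup (expected traffic)
    ("10.0.0.5", 389, "10.0.1.20", 49152, "udp", 2852),
    ("10.0.1.20", 49153, "192.0.2.50", 389, "udp", 62),     # outbound query we really sent
    ("192.0.2.50", 389, "10.0.1.20", 49153, "udp", 2000),   # its solicited response
    ("192.0.2.44", 389, "10.0.2.8", 80, "udp", 3000),       # responses nobody asked for
    ("192.0.2.45", 389, "10.0.2.8", 80, "udp", 3100),
]


def is_internal(addr):
    return ip_address(addr) in INTERNAL


def reflector_exposure(flows):
    """Internal servers answering UDP/389 for outside addresses.

    Returns {server: response_bytes / query_bytes}. UDP source addresses are
    not verified, so the outside "client" may be a spoofed victim address.
    """
    bytes_in, bytes_out = defaultdict(int), defaultdict(int)
    for src, sport, dst, dport, proto, size in flows:
        if proto != "udp":
            continue
        if dport == CLDAP_PORT and is_internal(dst) and not is_internal(src):
            bytes_in[dst] += size
        elif sport == CLDAP_PORT and is_internal(src) and not is_internal(dst):
            bytes_out[src] += size
    return {
        server: round(bytes_out[server] / bytes_in[server], 1)
        for server in bytes_out
        if bytes_in[server]
    }


def unsolicited_responses(flows):
    """Bytes received from outside UDP/389 by hosts that never sent the query."""
    asked = {
        (src, sport, dst)
        for src, sport, dst, dport, proto, _ in flows
        if proto == "udp" and dport == CLDAP_PORT
    }
    hits = defaultdict(int)
    for src, sport, dst, dport, proto, size in flows:
        if (proto == "udp" and sport == CLDAP_PORT
                and is_internal(dst) and not is_internal(src)
                and (dst, dport, src) not in asked):
            hits[dst] += size
    return dict(hits)


if __name__ == "__main__":
    print("servers usable as reflectors:", reflector_exposure(FLOWS))
    print("hosts receiving reflected traffic:", unsolicited_responses(FLOWS))
```

A non-empty result from `reflector_exposure` means a directory server is reachable over UDP/389 from outside the defended range; the ratio shows how much each byte of query traffic is multiplied on the way out.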

"In this case, the LDAP service responses are capable of reaching very high bandwidth and we have seen an average amplification factor of 46x and a peak of 55x," the security company says. The CLDAP zero-day vulnerability was observed in short but powerful attacks last week, and is expected to influence the landscape in a way that would make recent large-scale incidents seem small.

The use of this technique in live attacks could result in incidents that peak at tens of terabits per second in size, the security researchers say. Such attacks would be possible if this zero-day DDoS attack vector is combined with the power of Internet of Things botnets such as Mirai, which was recently used in a 655 Gbps attack against Brian Krebs's website.

With the Mirai source code released online and hundreds of thousands of Internet of Things (IoT) devices found vulnerable to it, the number of attacks leveraging the botnet has increased and the DDoS landscape could become even more volatile in the foreseeable future, researchers say. In fact, Mirai has been already used in an attack against DNS provider Dyn.

"When combined with other methods, particularly IoT botnets, we could soon see attacks reaching previously unimaginable scale, with far-reaching impact. Terabit scale attacks could soon become a common reality and could significantly impact the availability of the Internet, at least degrading it in certain regions," Dave Larson, CTO/COO at Corero Network Security, explains.

Because today's DDoS attacks are increasingly automated, attackers can switch vectors faster than any human can respond, Larson also said. Thus, automated mitigation techniques are required to effectively protect networks against this type of DDoS attack vector. The short duration and high volume attacks will make it impossible for legacy solutions to identify and properly mitigate such incidents, he added.

GE Machine Monitoring System Plagued by Serious Flaw

A serious vulnerability found in one of GE's Bently Nevada condition and vibration monitoring products can be exploited by remote attackers to gain unauthorized access to affected devices, ICS-CERT warned on Thursday.

The vulnerability, tracked as CVE-2016-5788 and assigned a CVSS v3 score of 10, affects the serial and USB versions of GE Bently Nevada 3500/22M, a machine monitoring system used around the world in the energy and chemical sectors.

The security hole is caused by the existence of several open ports on the affected device. The open ports allow a remote attacker to gain unauthorized access to the system with elevated privileges.

While there is no evidence that the vulnerability has been exploited for malicious purposes, ICS-CERT warned that even an attacker with low skill can exploit it.

GE has addressed the vulnerability in the USB variant of Bently Nevada 3500/22M with the release of firmware version 5.0, but the issue remains unpatched in the serial variant of the product.

The vendor has advised concerned users to segment networks and implement demilitarized zones (DMZs), leverage system hardening techniques described in the affected product's documentation, and implement bump-in-the-wire solutions to secure communications.

This is the second time this year that ICS-CERT has warned GE customers of a critical vulnerability in one of the company's products. In early June, the agency released an advisory describing a major security hole in GE's MultiLink managed ethernet switches.

Users were informed at the time that several ML switches had hardcoded credentials that allowed remote attackers to gain administrator access to the web-based interface.

A less severe issue was disclosed in July, when ICS-CERT warned of a flaw that could allow a local hacker to edit the configuration of the Proficy HMI/SCADA CIMPLICITY service.

iOS 10's Safari Doesn't Keep Private Browsing Private

The Safari browser in iOS 10 no longer offers the same level of privacy as before when it comes to Private Browsing, a researcher has discovered.

Unlike in previous operating system versions, Safari now saves the URLs accessed while in Private Browsing in a database, meaning that they are retrievable even after the session has been closed, explains Stacey Jury, a digital forensic analyst at IntaForensics. Commercially available tools can be used to retrieve the accessed pages even after they have been deleted, she says.

It all comes down to the ability to recover Suspend State from iOS 10 devices, in both private and normal browsing. Suspend State was designed to create a list within the web browser to allow easy switching back and forward between the recently accessed pages in the currently opened tabs. The feature would make web browsing much faster when the user decides to go backwards or forwards to recently accessed pages.

Previously, Suspend State was stored in a manner that would prevent information recovery, but iOS 10 changes that, making it possible to recover deleted records. Until now, Safari would store the information in a PList, meaning that the web page entry would be removed from the PList as soon as the tab was closed, which prevented the recovery of closed or deleted tabs.

In iOS 10, Suspend State is stored in a database, thus allowing for the recovery of deleted records, the researcher explains. Jury carried out an experiment on an iPhone 5S running iOS 10.0.1, where she successfully managed to extract web pages from a private browsing session, using a commercially available tool.

Then, she tried to extract web pages that were accessed in Private Mode and then closed, and which were no longer present in the BrowserState.db database on the phone. The attempt was successful, proving that the new approach for storing Suspend State no longer keeps users' browsing private.

"So what could Apple do to ensure that the data is more private? There is a setting called Pragma Secure Delete within the database which overwrites any deleted content with zeros. If Apple enabled this setting on the database, the deleted data would be irretrievable," Jury explains.

However, she also notes that some would argue that this feature could make Safari slower than before, thus hurting the browsing experience. "So I guess Apple chose user experience over user privacy," she notes.
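The difference the secure-delete setting makes can be reproduced with any SQLite database file. The following is an added example, not code from the article, the researcher or Apple; the `tabs` table and the URLs are constructed stand-ins and do not reflect the real BrowserState.db schema.

```python
import os
import re
import sqlite3
import tempfile

# Constructed sample data; the table layout is hypothetical.
LIVE_URLS = ["https://example.com/news", "https://example.org/weather"]
PRIVATE_URL = "https://private.example.net/closed-tab"

URL_RE = re.compile(rb"https://[A-Za-z0-9./_-]+")


def carve_urls(db_path):
    """Scan the raw file for URL-shaped byte strings, whether or not the
    database still references them (a crude form of record carving)."""
    with open(db_path, "rb") as fh:
        return {m.decode() for m in URL_RE.findall(fh.read())}


def live_urls(db_path):
    """URLs that SQLite itself still returns through SQL."""
    conn = sqlite3.connect(db_path)
    try:
        return {row[0] for row in conn.execute("SELECT url FROM tabs")}
    finally:
        conn.close()


def residue_after_delete(secure_delete):
    """Insert three rows, delete the private one, and return the URLs that
    are gone from the table but still present in the file's bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        db_path = os.path.join(tmp, "state.db")
        conn = sqlite3.connect(db_path, isolation_level=None)  # autocommit
        # Set the pragma explicitly: some SQLite builds default it to ON.
        conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
        conn.execute("CREATE TABLE tabs (id INTEGER PRIMARY KEY, url TEXT)")
        conn.executemany(
            "INSERT INTO tabs (url) VALUES (?)",
            [(LIVE_URLS[0],), (PRIVATE_URL,), (LIVE_URLS[1],)],
        )
        conn.execute("DELETE FROM tabs WHERE url = ?", (PRIVATE_URL,))
        conn.close()
        return carve_urls(db_path) - live_urls(db_path)


if __name__ == "__main__":
    print("secure_delete=OFF leaves behind:", residue_after_delete(False))
    print("secure_delete=ON  leaves behind:", residue_after_delete(True))
```

With the setting off, SQLite only unlinks the deleted row from the page and leaves its text in the freed space; with it on, the freed bytes are overwritten with zeros at delete time.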

Over the past few weeks, researchers have discovered other issues that lower the overall security offered by iOS 10 when compared to previous releases. Local backups on a PC or Mac made with the help of iTunes are easier to brute-force than before, allowing an attacker to try a total of 6,000,000 passwords per second compared to only 2,400 passwords per second for iOS 9 backups.

Last week, Apple's iMessage service was revealed to send home information on who a user messages with or attempts to message, along with date and time and their IP, and Apple confirmed that it sometimes shares such information with law enforcement agencies when required. Earlier this week, the URL preview feature in iMessage was found to leak information about the user to the linked website.

VMware Patches Directory Traversal Flaw in Horizon View

VMware has released updates for the Windows versions of its Horizon View product to address an important vulnerability that could lead to information disclosure.

Security researcher Mike Arnold, known online as Bruk0ut, discovered that the desktop virtualization product is plagued by a flaw that could allow a directory traversal on the Horizon View Connection Server. A remote attacker can exploit this weakness to gain access to some potentially sensitive information.

The flaw, tracked as CVE-2016-7087, was reported by Arnold via Trend Micro's Zero-Day Initiative (ZDI). ZDI has yet to make its advisory public, despite the fact that 160 days have passed since the initial report. The company typically discloses vulnerabilities after 120 days, but it is possible that VMware requested an extension of that deadline.

The security hole affects VMware Horizon View versions 5.x, 6.x and 7.x for Windows. The issue has been addressed with the release of versions 7.0.1, 6.2.3 and 5.3.7.

VMware has rated the vulnerability important, while ZDI has assigned it a CVSS score of 5.8, which puts it in the medium severity category.

VMware has released this year over a dozen rounds of security patches, including for vulnerabilities in ESXi, Fusion, Player, Workstation, vCenter, vRealize, NSX, vCNS and Identity Manager. However, this is the first security update released by the company in 2016 for the Horizon View product.

Carbon Black, IBM Partner on Attack Remediation

Endpoint security firm Carbon Black announced a new partnership with IBM Security that will allow Carbon Black endpoint threat data to feed into IBM's BigFix for instant attack remediation.

Announced today, the partnership addresses a major problem for the enterprise: vulnerability management. According to Gartner, "Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year." Rapid patching can help this problem; but enterprises have so many endpoints with so many vulnerabilities that prioritizing patches is difficult if not impossible.

The Carbon Black / BigFix approach is to focus vulnerability management onto the most pressing need -- the endpoint vulnerabilities that are actually being exploited right now. With Carbon Black detecting the attack, BigFix is able to prioritize patch remediation to all endpoints that contain the vulnerability, and all can be patched automatically. This process responds to the most pressing need while dramatically reducing the attack surface for the entire enterprise.

The process is conceptually simple. "We have an agent on every endpoint," explained Tom Barsi, Carbon Black's SVP business development. "That agent collects all relevant data from every endpoint and sends it to a central server. It's like a video recorder of events. We record all file modifications, registry modifications, executed binaries and more -- but we're looking at executables so we don't collect any personal information."

At the central server, Carbon Black's threat detection algorithms, driven by machine learning, can detect malicious activity in real time. "Once we detect that something has been hit," he continued, "we send that data directly through the new automated integration with BigFix; and BigFix immediately patches all of the endpoints with the same application and therefore the same vulnerability -- so it gives the user the ability to prioritize patching across the enterprise and reduce the attack surface."

Carbon Black claims to be the market leader in endpoint threat detection. Although it is next-gen technology, it was founded 14 years ago (as Bit9) in 2002. Bit9 acquired Carbon Black in 2014, and changed its own name to Carbon Black earlier this year. It has more than 2,000 customers including 30 of the Fortune 100, and has more than 7 million endpoints under management. With such a solid foundation in large enterprises, it makes sense to integrate its own threat detection with the vulnerability remediation available from IBM. IBM acquired BigFix in 2010.

The potential weakness in machine learning-based threat detection is that although it is good at detecting new and unknown threats, it does not itself include automatic threat removal capabilities. Traditional anti-virus, which built its reputation on detecting known threats, could also remove those threats because they were known. It is less easy to develop threat removal for unknown threats. For this reason, Barsi suggested two additional approaches. The first is that he does not believe that next-gen endpoint security should be seen as a replacement for traditional anti-virus.

"You still need a solution, such as traditional anti-virus, for known bad attacks. AV can detect, stop, and clean known bads. That need doesn't go away. So now you need the ability to address known bads (AV), and the ability to address the new unknown bads (next-gen machine learning)." The solution to the latter problem, he suggests, is the Carbon Black integration with IBM's QRadar SIEM, which can isolate compromised endpoints for investigation and cleaning.

"We've also integrated with the QRadar SIEM platform," he said, "and customized the ability to ingest our data into that SIEM. On top of QRadar," he added, "we've built a new app that allows the user to take action on Carbon Black data directly from the QRadar console. QRadar has analytics and orchestration capabilities backed by IBM's Watson technology, so while it is collecting data from Carbon Black, QRadar can apply Watson capabilities -- and the user can take action directly on the endpoint from the QRadar console. The Carbon Black app on QRadar has the ability to quarantine suspect endpoints automatically, depending on the enterprise's security policy and posture."

The key feature of this new announcement from Carbon Black is that the IBM partnership allows speedy and targeted threat remediation and vulnerability management to precisely where it is needed, in almost real time. Part of the agreement is that IBM customers will be able to purchase Carbon Black directly from IBM.

X.Org Library Flaws Allow Privilege Escalation, DoS Attacks

X.Org developers released patches and updates to address over a dozen vulnerabilities found in several client libraries. The flaws can be exploited by local or remote attackers to cause a denial-of-service (DoS) condition or escalate privileges.

X.Org is a popular open source implementation of the X Windows System (also known as X11, X or X-Windows), the graphical windowing system used by Unix and Linux operating systems. The X.Org (Xorg) libraries provide the routines used within X-Windows applications.

Tobias Stoeckmann of the OpenBSD Project discovered that many of these client libraries don't sufficiently validate the responses they receive from servers, which introduces vulnerabilities that could be exploited by local or remote attackers.

Here is a short description of the vulnerabilities, their CVE identifiers and the libraries they affect:

    libX11 version 1.6.3 and earlier: out-of-bounds memory read or write error (CVE-2016-7942, CVE-2016-7943);
    libXfixes version 5.0.2 and earlier: integer overflow on 32-bit systems (CVE-2016-7944);
    libXi version 1.7.6 and earlier: DoS condition via out-of-bounds memory access error or endless loop (CVE-2016-7945, CVE-2016-7946);
    libXrandr version 1.5.0 and earlier: out-of-bounds memory write (CVE-2016-7947, CVE-2016-7948);
    libXrender version 0.9.9 and earlier: out-of-bounds memory write (CVE-2016-7949, CVE-2016-7950);
    XRecord version 1.2.2 and earlier: DoS condition via out of boundary memory access or endless loops (CVE-2016-7951, CVE-2016-7952);
    libXv version 1.0.10 and earlier: memory corruption (CVE-2016-5407);
    libXvMC version 1.0.9 and earlier: buffer read underflow (CVE-2016-7953).

In an advisory published this week, the X.Org Foundation explained that most of the flaws are caused by the fact that the client libraries trust the server to send correct protocol data, not taking into consideration that the values could cause an overflow or other damage.

"Most of the time X clients & servers are run by the same user, with the server more privileged than the clients, so this is not a problem, but there are scenarios in which a privileged client can be connected to an unprivileged server, for instance, connecting a setuid X client (such as a screen lock program) to a virtual X server (such as Xvfb or Xephyr) which the user has modified to return invalid data, potentially allowing the user to escalate their privileges," said X.Org developer Matthieu Herrb.

Cerber Ransomware Can Now Kill Database Processes

Cerber, one of the most prevalent ransomware families this year, is now using random extensions for encrypted files and is now able to kill the processes of various database servers, researchers reveal.

The Cerber ransomware, which was accounting for a quarter of ransomware detections three months ago, adopted improved key generation in early August, and was estimated to have generated $2.3 million in annual revenue. Historically, the threat has been distributed through exploit kits and spam emails, but also by other malware.

At the beginning of September, Cerber was seen being distributed by Betabot, and the latest major variant of the malware emerged soon after. Dubbed Cerber 3.0, it was using a brand new extension for the encrypted files (.cerber3) as well as a modified ransom note and reduced ransom amount. The malware continued to use an audio file to speak to its victims.

BleepingComputer now says that Cerber has switched to a four-character extension which is generated randomly. The name of the encrypted file is also scrambled, making it more difficult for users to recover their data. Additionally, the new malware variant drops a new ransom note, called README.hta.

The most important change in Cerber, however, is the threat's ability to kill many database processes with the use of a close_process directive in the configuration file. These processes are terminated before the encryption process starts, so that the processes' data files can be encrypted (the data files wouldn't be accessible for encryption if the processes were still running).

The list of targeted processes includes: msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, mydesktopqos.exe, agntsvc.exeisqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exeagntsvc.exe, agntsvc.exeencsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, and sqbcoreservice.exe.

Just as the previous Cerber variants, the new ransomware iteration sends UDP packets to the range for statistical purposes, researchers say.

Russian Hackers May Have Manipulated Leaked WADA Data

In a statement published Wednesday, October 5, the World Anti-Doping Agency (WADA) provided an update on investigations into the August Fancy Bear hack and data leak in September. FireEye/Mandiant has been employed to do the forensic investigation. As of Oct. 5, the investigation is 90% complete and has found no evidence of any additional compromise.

The statement also suggests that some of the leaked data may have been manipulated by the hackers before public release. "It should also be noted," says WADA, "that in the course of its investigation, WADA has determined that not all data released by Fancy Bear (in its PDF documents) accurately reflects ADAMS data. However, we are continuing to examine the extent of this as a priority and we would encourage any affected parties to contact WADA should they become aware of any inaccuracies in the data that has been released." ADAMS is WADA's Anti-Doping Administration and Management System.

Fancy Bear is a technically advanced Russia-linked hacking group. Although the Russian government consistently denies any association with the group, it is generally considered that the WADA hack was a propaganda attack in retaliation for the exclusion of 111 Russian athletes from the 2016 Summer Olympics in Rio. In a reversal of usual practice, Russian athletes had to prove themselves clean before being accepted. Usually, athletes are accepted automatically, and tested during the Games.

In a series of six separate leaks, the hackers published data from dozens of different athletes, including some of the world's best known and most successful athletes. Since these athletes had been allowed to use some otherwise banned substances for medical purposes, the attempt was to smear the impartiality of WADA by suggesting that Russian athletes had been unfairly stigmatized. It now seems likely that the hackers altered the data prior to release to magnify that perception.

Although WADA's announcement does not provide any specific indication of the data manipulation, it highlights a particular attack vector that gets little discussion: that is, not the mass exfiltration and publication of stolen PI, but the surgical alteration of company data.

"Business leaders need to realize they are no longer just at risk from data simply being stolen," says Jason Hart, the CTO of data protection at Gemalto. "As well as exposing gaps in a company's security, the next frontier for cyber-crime will be data manipulation. Data is the new oil and the thing most valuable to hackers. Businesses can make vital decisions based on incorrect or exaggerated information, or data that has been stolen can be altered to change public sentiment regarding a business or individual, which hackers can exploit for personal or financial gain. Furthermore, it can be months or even years before this is detected and by then it's too late."

The danger he sees highlighted by the Fancy Bear data manipulation is that advanced hacking groups are capable of stealing data, changing it and publishing it for propaganda purposes (as seems likely with this incident); or simply modifying corporate data in situ and leaving without being seen. For many years, information security has concentrated on maintaining the confidentiality of corporate data by building bigger and better defenses. Fancy Bear may be showing that we need to start thinking about protecting the integrity of data with as much concern.

"There have been incidents in the past," Hart told SecurityWeek, "where a hacker has simply allowed the information that a business can be breached to be distributed, in turn affecting stock prices or investor trust." It may be that in the future, corporate data could be slightly altered on site. "If an organization then makes a business decision based on that false data, depending on what it is, it could have huge ramifications down the line."

The solution, he suggests, is that "businesses need to begin protecting the integrity of the data through security protocols including encryption, utilizing two-factor authentication, and adopting key management strategies. The world of cyber-crime is changing and data manipulation is its future. Businesses need to wise up and protect the integrity of their data to ensure the vital decisions they are making are based on accurate information."

Suspected Lizard Squad Hackers Arrested in US, Netherlands

Two teenagers suspected of being members of the Lizard Squad and PoodleCorp hacking groups were arrested last month by law enforcement authorities in the United States and the Netherlands.

Zachary Buchta, of Fallston, Maryland, and Bradley Jan Willem van Rooy, of Leiden, the Netherlands, have been charged with conspiracy to cause damage to protected computers, which carries a maximum sentence of ten years in prison.

The suspects, both aged 19, have been accused by U.S. authorities of operating a service that allowed users to launch distributed denial-of-service (DDoS) attacks. They are also suspected of trafficking payment card information stolen from thousands of individuals.

The Lizard Squad and PoodleCorp are best known for massive DDoS attacks that disrupted the servers of several gaming companies, including the PlayStation Network, Xbox Live, EA and Blizzard. The Lizard Squad is also known for hacking the websites of companies such as Lenovo, Malaysia Airlines and Cox.

According to the Department of Justice, Buchta used the online monikers @fbiarelosers, pein, xotehpoodle and lizard, while van Rooy used the nicknames Uchiha, @UchihaLS, dragon and fox.

The FBI's complaint also mentions two other individuals associated with Lizard Squad and PoodleCorp. They have not been named, but they use the online monikers Chippyshell and AppleJ4ck.

The complaint also shows that Buchta was linked by investigators to the @fbiarelosers account, which had discussed the DDoS attacks in private conversations with other members of Lizard Squad, based on messages sent via Twitter. Records obtained by investigators from Twitter, AT&T and Sprint linked the Twitter account to a phone number associated with Buchta's residence.

Records from Comcast showed that his IP often connected to an overseas VPN service that had been used to access the @fbiarelosers account and the websites operated by Lizard Squad and PoodleCorp. The FBI determined that Buchta's Comcast account had accessed the @fbiarelosers account at the exact time when it had been used to discuss DDoS attacks.

Van Rooy, who is currently in custody in the Netherlands, did not even bother to hide his real IP address, which he used to access @UchihaLS and other Twitter accounts associated with the Lizard Squad. Subscriber records allowed law enforcement to link the IP to a residence in Leiden.

In private conversations with other Twitter users, @UchihaLS said he lived above a police station and claimed that even if they could trace him, they would simply think it was a hoax. These messages and a photograph shared by @UchihaLS linked van Rooy to the account.

Last year, police in the UK questioned at least two individuals suspected of being involved with the Lizard Squad, but so far there is no news of a conviction. A teen in Finland, also suspected of being a member of the group, was convicted last year on fraud and harassment charges, but he only received a suspended sentence.

Authorities in the UK also arrested six individuals accused of using the Lizard Squad's LizardStresser DDoS service.

Mirai IoT Botnet Wasn't Alone in Massive DDoS Attack: Akamai

Akamai this week shared additional details on the massive 665 gigabit per second (Gbps) distributed denial of service (DDoS) attack that targeted Brian Krebs' website.

While Akamai confirmed that the Mirai botnet was part of the attack, the company also said that Mirai was only a major participant in the attack and that at least one other botnet might have been involved, though they couldn't confirm that the attacks were coordinated. The company also said that the 620+ Gbps DDoS attack registered on Sept. 20 was nearly double that of the previous peak attack on its platform.

Following the attack and a subsequent incident reported by hosting provider OVH, Mirai came to the spotlight, along with the issue of insecure Internet of Things (IoT) devices. Easy-to-guess default credentials and other vulnerabilities have made it easy for cybercriminals to create such IoT botnets. Furthermore, Mirai's source code was released online several days ago.

Akamai says that the attack was indeed powered by an army of IoT devices, mainly security cameras and DVRs that have been used in Small Office/Home Office setups. "We've confirmed that many of these devices use either easily guessable (admin, password, 1234) usernames and passwords or the default passwords originally configured on the devices," Daniel Shugrue, Director of Product Marketing at Akamai, explains.

He also reveals that the attack included a substantial amount of traffic connecting directly from the botnet to the target. Basically, the attackers didn't rely on reflection and amplification to increase the amount of traffic to the target, although other DDoS attacks employ such techniques.

Akamai, he says, has been tracking the Mirai malware, which they refer to as Kaiten, for a few months, and published a Threat Advisory to customers on August 8. The advisory detailed how the threat was using brute-force attacks to enslave devices that existed on a public IP and had open ports for listening services such as Telnet, SSH, HTTP, SMTP, and more.

The company observed that around 100,000 total login attempts were made on a vulnerable device from more than 1,800 IPs within 12 days, with China (64%), Colombia (13%), South Korea (6%), and Vietnam (6%) being the main sources of attack. SSH (57%) and Telnet (42%) were the most attacked protocols, while the top used usernames were root (75%), admin (10%), shell (6%), and sh (6%).

Similar attacks were recently observed targeting a vulnerable DVR and have been previously associated with various IoT malware families. Weak credentials or default root or admin accounts on IoT devices open the door for botnets such as Mirai or BASHLITE.
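The login-attempt breakdown Akamai describes can be reproduced on a single exposed device from its own authentication log. The following is an added example, not code from Akamai or the article: it assumes OpenSSH-style syslog lines, uses constructed sample data with documentation-range addresses, and the threshold of three failures is an arbitrary choice for the sample.

```python
import re
from collections import Counter

# Constructed sample in OpenSSH syslog format; addresses are documentation ranges.
SAMPLE_LOG = """\
Oct  1 03:12:01 dvr sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Oct  1 03:12:03 dvr sshd[811]: Failed password for root from 203.0.113.7 port 40113 ssh2
Oct  1 03:12:04 dvr sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Oct  1 03:12:09 dvr sshd[815]: Failed password for invalid user shell from 198.51.100.23 port 51000 ssh2
Oct  1 03:12:11 dvr sshd[816]: Failed password for root from 198.51.100.23 port 51002 ssh2
Oct  1 03:13:40 dvr sshd[820]: Accepted password for operator from 192.0.2.10 port 50222 ssh2
Oct  1 03:14:02 dvr sshd[822]: Failed password for invalid user sh from 203.0.113.7 port 40150 ssh2
Oct  1 03:15:30 dvr sshd[830]: Failed password for operator from 192.0.2.10 port 50230 ssh2
Oct  1 03:16:00 dvr sshd[833]: Accepted password for root from 203.0.113.7 port 40188 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")

# Usernames the article lists as the most frequently tried.
DEFAULT_USERS = {"root", "admin", "shell", "sh"}


def summarize(log_text, min_failures=3):
    """Summarize password guessing and flag logins accepted after a guessing run."""
    users = Counter()          # failed attempts per username
    default_fails = Counter()  # failed attempts on default usernames, per source IP
    sources = set()            # every IP with at least one failed attempt
    suspected = []             # (ip, user) accepted after >= min_failures guesses

    for line in log_text.splitlines():
        match = FAILED.search(line)
        if match:
            user, ip = match.groups()
            users[user] += 1
            sources.add(ip)
            if user in DEFAULT_USERS:
                default_fails[ip] += 1
            continue
        match = ACCEPTED.search(line)
        if match:
            user, ip = match.groups()
            # A success from an IP that was just guessing default accounts
            # is the event that turns a device into a bot.
            if default_fails[ip] >= min_failures:
                suspected.append((ip, user))

    total = sum(users.values())
    share = {u: round(100 * n / total, 1) for u, n in users.most_common()} if total else {}
    return {
        "total_failed": total,
        "distinct_sources": len(sources),
        "username_share": share,
        "brute_forcers": sorted(ip for ip, n in default_fails.items() if n >= min_failures),
        "suspected_compromise": suspected,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A non-empty suspected_compromise list is the case that needs a response: the credential should be changed and the device checked, since a guessed password is all such a botnet needs.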

According to Akamai, 47% of the DDoS traffic observed during the attack on Sept. 20 came from the EMEA region, 31% from North America, and 22% from Asia-Pacific. The company analyzed two other attacks performed on Sept. 22, and says that EMEA was once again the region generating the largest amount of traffic.

The company also reveals that attacks that match the Mirai/Kaiten malware-generated traffic were observed several months ago, and that one attack mitigated in June reached almost 250 Gbps at its peak. In their Threat Advisory, Akamai stresses that botnets compromise vulnerable systems through large-scale scanning and brute forcing default usernames and passwords.

Some of these systems are easily compromised with publicly available exploits and knowledge. They can also be weaponized using publicly available attack toolkits and malware. These trends and tactics are unlikely to go away and the relative ease of building and renting these botnets will continue to lower the bar even further for attackers, Akamai also says.

WildFire Ransomware Revived as "Hades Locker"

The actor behind WildFire, a piece of ransomware that emerged earlier this year, has decided to rebrand the malware after security researchers created a decryption tool for it.

WildFire was detailed in late August, when security researchers managed to seize control of its command and control (C&C) servers and gain access to many decryption keys. Previously, many users did pay the ransom, which was estimated to have generated around $80,000 in payments for its operators in just a month.

Although the ransomware's C&C servers were compromised, the actors behind it haven't been caught, and it appears that they managed to bring their creation back to life under the name of Hades Locker (Hades was the ancient Greek chthonic god of the underworld). What's more, the new malware variant comes with improved encryption.

Once executed on a victim's computer, the ransomware connects to http://ip-api(dot)com/xml for the victim's IP address and geographic location. Next, the malware sends a unique victim ID, a tracking ID, computer name, user name, country, and the victim's IP address to one of the configured C&C servers, which in return replies with the password for the encryption process.

The victim ID is stored in the Registry, along with status information (on whether the encryption process has been completed or not). The ransomware searches mapped drives for specific file extensions and encrypts the files using AES encryption. It appends a specific extension to these files: the .~HL string, followed by the first 5 letters of the encryption password.

Hades Locker targets a vast variety of file types, but it skips those that contain the following strings in their file path: windows, program files, program files (x86), system volume information, and $recycle.bin. The ransomware also deletes the Shadow Volume Copies to prevent its victims from restoring their files in this manner.

The ransom note dropped on the victim's computer includes links to the n7457xrhg5kibr2c.onion, http://pfmydcsjib(dot)ru, and http://jdybchotfn(dot)ru sites, which the victim is encouraged to access for information on the ransom amount and on how to make the payment.

When the victim connects to the payment site, they are provided with information on the amount to be paid and on the Bitcoin address the payment should be sent to, as well as with information on how to get Bitcoins. The website supposedly belongs to a company called Hades Enterprises and includes multiple pages, such as Frequently Asked Questions, test decryption, Help Desk, and Decryption Tutorial.

Card Data Stolen From eCommerce Sites Using Web Malware

Researchers have been monitoring a campaign in which cybercriminals compromised many ecommerce websites in an effort to steal payment card and other sensitive information provided by their customers.

The campaign, dubbed Magecart by cloud-based security solutions provider RiskIQ, dates back to at least March 2016 and is still active today.

Some of the attacks aimed at Magento sites were detailed in June by Sucuri, but RiskIQ determined that the attackers have been targeting other platforms as well, including Powerfront CMS and OpenCart. As for the targeted payment processing services, the list includes Braintree and VeriSign.

RiskIQ has identified more than 100 online shops from around the world hacked as part of the Magecart campaign, including ones belonging to well-known book publishers, fashion companies, and sporting equipment manufacturers. The cybercrooks even attacked the gift shop of a UK-based cancer research organization.

JavaScript code injected by the hackers into these websites captures information entered by users into purchase forms by acting as a man-in-the-middle (MitM) between the victim and the checkout page. In some cases, the malware adds bogus form fields to the page in an effort to trick victims into handing over even more information. The harvested data is exfiltrated over HTTPS to a server controlled by the attacker.

By loading the keylogger from an external source instead of injecting it directly into the compromised website, attackers can easily update the malware without the need to re-infect the site.
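Because the formgrabber is pulled in from an external host, a merchant can audit which scripts a checkout page actually loads. The following is an added example, not code from RiskIQ or the article: the page URL, HTML and host allowlist are constructed, and the Subresource Integrity check is an extra control the article does not mention, included because a pinned hash stops a remotely hosted script from being silently swapped.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed checkout page; every host name here is a placeholder.
PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """\
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://js.payments.example/v3/sdk.js"
        integrity="sha384-CONSTRUCTED-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.widgets.example/chat.js"></script>
<script async src="//static.unknown-cdn.example/js/lib.min.js"></script>
</head><body><form id="payment"></form></body></html>
"""
# Third-party hosts the merchant has deliberately approved (assumed list).
ALLOWED_HOSTS = {"js.payments.example", "cdn.widgets.example"}


class ScriptCollector(HTMLParser):
    """Collects the src and integrity attributes of every <script src=...> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attributes = dict(attrs)  # valueless attributes such as async map to None
        if attributes.get("src"):
            self.scripts.append(
                {"src": attributes["src"], "integrity": attributes.get("integrity")})


def audit_scripts(page_url, html, allowed_hosts):
    """Return (absolute_url, finding) for each externally hosted script of concern."""
    page_host = urlsplit(page_url).hostname
    collector = ScriptCollector()
    collector.feed(html)

    findings = []
    for script in collector.scripts:
        # Resolve relative and protocol-relative (//host/...) references.
        absolute = urljoin(page_url, script["src"].strip())
        host = urlsplit(absolute).hostname
        if host == page_host:
            continue  # first-party file; covered by file integrity monitoring
        if host not in allowed_hosts:
            findings.append((absolute, "host not on allowlist"))
        elif not script["integrity"]:
            # Approved host, but its content can change without the shop noticing.
            findings.append((absolute, "approved host, no integrity attribute"))
    return findings


if __name__ == "__main__":
    for url, finding in audit_scripts(PAGE_URL, SAMPLE_HTML, ALLOWED_HOSTS):
        print(f"{finding}: {url}")
```

This only inspects the served HTML; scripts added at run time by other scripts are better limited with a Content-Security-Policy script-src directive.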

According to RiskIQ, the campaign peaked in June, when the cybercriminals started using an Eastern European bulletproof hosting company to store the domains that serve the malware. In the most recent attacks, experts noticed additional obfuscated script injections.

RiskIQ's report on the Magecart campaign includes the domains used by the attacker to serve the formgrabber code, the attacker's IP addresses, URLs injected into websites, affected sites, and advice on how merchants and administrators can prevent such incidents.

FastPOS Malware Adopts Modular Design

FastPOS, a piece of point-of-sale (PoS) malware that emerged in early summer, has recently received a series of updates designed to make it more efficient just in time for the holiday season.

When first detailed in June, the malware stood out because of its ability to quickly exfiltrate all of the stolen credit card data. The threat was found to include a custom RAM scraping algorithm for data collection and a keylogger, to send data via HTTP GET requests, and to target only cards that could be used internationally and which don't require a PIN.

New samples observed last month revealed that the malware has been used against small-medium businesses, only one month after the command and control (C&C) domain was registered. The malware now uses a modular design with separate components for 32-bit and 64-bit systems, which makes it more difficult to detect, Trend Micro researchers say.

The threat, however, continues to use the previously observed format and keywords (cdosys and comdlg64), as well as HTTP GET requests and a simple HTTP User-Agent string (Firefox), for data exfiltration. While the initial FastPOS variant had one file but spawned a different process for each functionality, the new version uses different components that are hidden within its resources.

These components include Serv32.exe (which creates and monitors a mailslot and sends its contents to the C&C server), Kl32.exe and Kl64.exe (the 32-bit and 64-bit keylogger components), and Proc32.exe and Proc64.exe (the 32-bit and 64-bit RAM scrapers). The malware would copy only the appropriate component, depending on the targeted system's architecture, researchers say.

The FastPOS main file extracts all components and passes control to the main service, which creates and monitors a central communication medium and also sends all information to the C&C server. Both the keylogger components and the RAM scraper modules send the gathered information to the main service.

The malware stores gathered information in mailslots, a mechanism that allows applications to store and retrieve messages. By using this method, FastPOS can evade malware detection, but it isn't the first to employ the technique: LogPOS, which emerged last year, used it as well. Mailslots are memory-residing temporary files and attackers can save information about the system without leaving traces of a physical file.

Trend Micro researchers explain that the modular design could hinder detection because one component can be set to not work without another. In the case of FastPOS, however, components aren't dependent on other components and can be self-executed, provided that the arguments for them are known. However, discovering one component doesn't guarantee that others are also found, researchers say.

For instance, FastPOS's main service and RAM scraper can be seen running as a service, making them easier to remove. However, the keylogger component can be harder to notice as its code is injected into explorer.exe's process memory, Trend Micro explains.

The use of mailslots is yet another necessary improvement, because the malware can no longer simply keep the data logs in memory, because there isn't a single process running. The newly adopted modular design requires a central repository to store all logged data from each component and the use of mailslots allows the malware to do so while avoiding the use of a physical file.

FastPOS's update shows that its developer is active and isn't shying away from trying new tactics, from switching memory to mailslots for data storage to using different versions of the same platform to create the malware. The deployment is also quite suspect, as the malware's development cycle seems to keep pace with the retail sale season, the Trend Micro researchers say.

Mac Malware Can Abuse Legitimate Apps to Spy on Users

Mac malware could silently spy on users by piggybacking on webcam sessions initiated by legitimate applications such as FaceTime, Skype and Google Hangouts, a researcher has warned.

There are several OS X malware families capable of recording sound and video, including Crisis, Eleanor and Mokes (DropboxCache). However, if such threats attempt to record video via the built-in webcam, the victim is alerted by the camera's LED.

Researchers demonstrated in 2013 that the interlock between the camera and the indicator LED can be bypassed without admin privileges or physical access on some older iMacs and MacBooks (e.g. from 2008), but similar attacks have not been demonstrated in more recent years and they are believed to be very difficult to carry out.

Patrick Wardle, director of research at Synack, pointed out that while OS X malware can have trouble recording video through the webcam without alerting the victim, threats could piggyback on legitimate applications to silently spy on users.

When an application such as FaceTime or Skype enables the built-in webcam, users expect the LED indicator to be on. A piece of malware that can monitor the infected system for legitimate user-initiated video sessions can surreptitiously piggyback on this session and secretly record the victim.

Wardle has developed proof-of-concept (PoC) malware that can detect the installed camera and monitor its status in an effort to determine when a video session is initiated and when it ends. If it detects a session, the malware begins recording audio and video data, and it stops when the process that started the session exits.

It's worth noting that the malware does not actually need to inject code into the targeted process. Instead, it uses the existing session and the enabled LED indicator to record data from the webcam without being detected.

There are several advantages to this type of malware, including that it does not require root privileges (i.e. the attack can be performed by any non-sandboxed code or app), and it leverages legitimate features of the operating system, which makes it more difficult to prevent.

Wardle told SecurityWeek that he is not aware of any OS X malware family that has been leveraging this technique in the wild, but he believes such threats would not be difficult to create.

The researcher said he had an informal chat with Apple regarding the attack method, but it's unlikely that the company will attempt to address the issue anytime soon.

"I'll be the first to caveat it's not a vulnerability, nor exploit," Wardle said via email. "Sure, I'd like to know whenever somebody uses the webcam or mic (especially if a session is already active) - would be nice if the OS told you that. But from a usability point of view, it makes sense that the webcam is a shared resource (like you can FaceTime and take images with PhotoBooth at the same time). I doubt Apple will do anything about this - and honestly I'm not sure they should."

Concerned users can install a new tool developed by Wardle specifically for these types of attacks. The application, named OverSight, runs in the background and monitors the computer's microphone and webcam via user-mode APIs, alerting the user when these components become active.

In the case of the microphone, OverSight only notifies the user that it has become active, but webcam notifications include the name of the process that wants to access the camera and allow users to permit or block the action.

This is not the first OS X security tool developed by Wardle. Earlier this year, he released RansomWhere?, an application designed to generically detect ransomware attacks by continually monitoring the system for the creation of encrypted files by suspicious processes.

NSA Contractor Arrested for Theft of Classified Material

The Department of Justice announced on Wednesday that a government contractor resident in Maryland with a top secret national security clearance was arrested in late August. According to the complaint unsealed today, a search of his home and car found "property of the United States." More specifically, this included "six classified documents obtained from sensitive intelligence and produced by a government agency in 2014."

The accused, Harold T. Martin III, worked for Booz Allen Hamilton for the NSA -- similar to the relationship between Edward Snowden and the NSA. However, the DoJ mentions neither the government agency concerned nor the contractor's place of work.

Martin's former employer, however, did comment on the announcement of the arrest.

"When Booz Allen learned of the arrest of one of its employees by the FBI, we immediately reached out to the authorities to offer our total cooperation in their investigation, and we fired the employee," the consulting firm said in a statement.

"We continue to cooperate fully with the government on its investigation into this serious matter. Booz Allen is a 102-year-old company, and the alleged conduct does not reflect our core values. Our employees continue to support critical client missions with dedication and excellence each day. Their professionalism, values and ethics are what define our firm," the statement added.

However, while Snowden stole a large quantity of classified documents, Martin appears to be suspected (according to The New York Times) "of taking the highly classified computer code developed by the agency to break into computer systems of adversaries like Russia, China, Iran and North Korea. Two officials said that some of the information the contractor is suspected of taking was dated."

One of the officials also said that Martin may have taken the material before Snowden's documents were made public. That would mean that the material has been in his possession for at least three years, even though the 'six classified documents' were only produced in 2014. Either the theft from the agency continued over a long period of time, or there is some discrepancy between the NYT report and the DoJ announcement.

The DoJ announcement makes no mention of computer code, but seems to imply the theft of documents. "These documents were produced through sensitive government sources, methods, and capabilities, which are critical to a wide variety of national security issues. The disclosure of the documents would reveal those sensitive sources, methods, and capabilities." That would make the theft similar to Snowden.

The Times, however, writes "the official said that investigators think Mr. Martin is not politically motivated - 'not like a Snowden or someone who believes that what we were doing was illegal and wanted to publicize that'." The NYT also says that it is unknown whether the stolen code is the same as that leaked by the Shadow Brokers in August, less than a fortnight before Martin was arrested.

The DoJ announcement states that Martin has been charged with "theft of government property and unauthorized removal and retention of classified materials by a government employee or contractor." It adds that if convicted, "Martin faces a maximum sentence of one year in prison for the unauthorized removal and retention of classified materials, and ten years in prison for theft of government property." So far there is no indication of the seriousness that has sometimes applied through the Espionage Act for similar information thefts -- but that could be added later.

John Carlin, Assistant Attorney General for National Security at the Department of Justice, commented briefly on the news today at the Cambridge Cyber Summit, hosted by The Aspen Institute, CNBC and MIT. When asked about the arrest by CNBC's Andrew Ross Sorkin, he said, "We have made an arrest of an individual who's involved in taking classified information. And what I think it points out for the private sector and others more generally is this problem of insider threat."

He would not be drawn on the specifics of this arrest, but returned to the insider threat. "Is there a problem with those who would exploit people with inside access to try to obtain information? That problem has been with us as long as the creation of these agencies." What's different now, he continued, is that while it used to be necessary to use a fleet of trucks to take away the data, now you can just use a thumb drive to "take a much vaster quantity of information than you could before."

Martin was arrested on August 27, 2016, and made an initial appearance in court on August 29, 2016. He remains detained.

Iran-Linked Attackers Target Government Organizations

An Iran-linked group previously observed attacking organizations in Saudi Arabia has been improving its malware tools and expanding its target list to include other countries.

In May, Palo Alto Networks researchers reported seeing attacks launched by a threat actor against financial institutions and technology companies in Saudi Arabia. The same group also carried out attacks on the Saudi defense industry in the fall of 2015.

The campaign, dubbed by the security firm OilRig, has involved weaponized Microsoft Excel spreadsheets tracked as Clayslide and a backdoor dubbed Helminth. The attacks aimed at banks were also documented by FireEye in May.

Palo Alto Networks has been monitoring the group's activities and discovered that it has also targeted a company in Qatar and government organizations in the United States, Israel and Turkey.

The threat actor behind OilRig uses spear-phishing emails and malicious macro-enabled Excel documents to deliver Helminth. In the case of a Turkish government organization, the Excel file was designed to mimic a login portal for an airline.

Four variants of the Helminth malware have been identified by experts, including one that uses FireEye's name. The threat, capable of communicating with its command and control (C&C) server over both HTTP and DNS, can collect information about the infected device and download additional files from a remote server.

There are two types of Helminth: one that relies on VBScript and PowerShell scripts, and one that is distributed as an executable file. The executable version is delivered by a Trojan dubbed HerHer and it is also capable of logging keystrokes.

Researchers have found several clues that point to an Iran-based actor, although they admit that the data can be easily forged. This includes the use of the Persian language in the malware samples and information associated with the C&C domains.

Palo Alto Networks also discovered an IP address mentioned by Symantec last year in a report describing the activities of two Iran-based threat groups that appear to be linked.

Palo Alto Networks has analyzed the activities of several threat groups believed to be operating out of Iran, including one that relies on a piece of malware dubbed Infy. This summer, the security firm reported that it had managed to disrupt a cyberespionage campaign involving Infy.

Amid Privacy Outcry, Yahoo Denies Surveillance Allegations

Yahoo on Wednesday denied conducting mass email surveillance after a report alleging it built a special scanning program at the behest of US intelligence which sparked an outcry from privacy activists.

The report, which said the US internet giant had secretly scanned millions of emails to help American intelligence, was "misleading," Yahoo said in a statement.

"We narrowly interpret every government request for user data to minimize disclosure," the company said in a statement to AFP. "The mail scanning described in the article does not exist on our systems."

The report Tuesday by Reuters news agency, citing former employees of the internet firm as sources, said Yahoo had built a custom program in 2015 which scanned all its emails to help US intelligence and the FBI.

According to the Reuters account, Yahoo's top security officer, who had been unaware of the program, quit after learning that the company had complied with the request.

Yahoo initially issued a brief statement which neither confirmed nor denied the claims.

"Yahoo is a law abiding company, and complies with the laws of the United States," the statement on Tuesday said.

The NSA and FBI declined to comment to AFP on the report.

The report was described by some activists as a "bombshell" which could, if proven true, reveal a new level of surveillance by the National Security Agency, which was roiled by disclosures in 2013 by former contractor Edward Snowden.

"There's still much that we don't know at this point, but if the report is accurate, it represents a new -- and dangerous -- expansion of the government's mass surveillance techniques," the Electronic Frontier Foundation said in a statement.

Bruce Schneier, a cryptographer and fellow at the Berkman Klein Center for Internet & Society who has clashed with the NSA over surveillance, said he was not surprised by the latest claims.

"The NSA is spying on the internet, they use different techniques," Schneier told AFP.

The report nonetheless would be at odds with Yahoo's transparency report which claimed it received a relatively small number of US government requests in 2015.

Yahoo also backed Apple's effort to challenge a US government effort to force the iPhone maker to build a program to help decrypt a handset used by one of the shooters in a California shooting spree.

'Not comforting'

Julian Sanchez, a fellow at the Cato Institute and critic of NSA surveillance, said he was not persuaded by Yahoo's statement.

"Yahoo's meticulously worded statement not terribly comforting," Sanchez said on Twitter.

"'Does not exist on our systems' sounds a hell of a lot like 'currently under this program.' DID it exist? Does it exist somewhere else?"

The Reuters report also suggested that other US tech companies may have received similar requests, but it was not immediately clear how these firms may have responded.

Facebook, in a statement to AFP, said it "has never received a request like the one described in these news reports from any government, and if we did we would fight it."

Microsoft said in a statement, "We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo."

Twitter also denied receiving any such request. "We've never received a request like this, and were we to receive it we'd challenge it in a court," a Twitter spokesman said.

Twitter also noted it was suing the US Justice Department "for the ability to disclose more information about government requests."

Google Patches DoS Vulnerability in Android

One of the 78 vulnerabilities patched by the October 2016 Android Security Bulletin, released this week, was a flaw in the GPS component that could be exploited remotely to cause denial of service on vulnerable devices.

The issue would be exploited by a Man-in-the-Middle (MitM) attacker capable of manipulating assisted GPS/GNSS data provided by Qualcomm, which could result in the device crashing or rebooting. The bug is said to affect the open source code in AOSP, as well as proprietary code in a Java XTRA downloader provided by Qualcomm.

Nightwatch Cybersecurity researchers, who discovered the vulnerability, explain that the October 2016 Android bulletin resolves the bug and that Qualcomm issued additional patches to the proprietary client last month. However, they also note that other platforms that use Qualcomm GPS chipsets might also be impacted by the security flaw.

Devices with Qualcomm GPS chipsets periodically connect to the OEM's servers to download gpsOneXtra assistance files that include current satellite location data and estimated locations for the next 7 days, researchers say. Qualcomm developed the gpsOneXtra system in 2007 and devices using it are set to request the assistance files almost every time they connect to a WiFi network.

The domains these devices connect to, namely gpsonextra(dot)net and izatcloud(dot)net, are owned by Qualcomm and are being hosted and served from Amazon's Cloudfront CDN service (except for one subdomain). The assistance file is requested by an OS-level Java process (, which passes the data to a C++ JNI class (com_android_server_location_GnssLocationProvider.cpp), which then injects the files into the Qualcomm modem or firmware.

The vulnerability resides in the Java and the C++ code not performing checks to determine the size of the data file, which results in the device soft rebooting if the file is larger than the memory available on the device. By exhausting memory and crashing the device, an attacker is theoretically also capable of executing code remotely in either the Qualcomm modem or in the Android OS, but the security researchers weren't able to achieve that.

To attack, an MITM attacker located anywhere on the network between the phone being attacked and Qualcomm's servers can initiate this attack by intercepting the legitimate requests from the phone, and substituting their own, larger files. Because the default Chrome browser on Android reveals the model and build of the phone (as we have written about earlier), it would be possible to derive the maximum memory size from that information and deliver the appropriately sized attack file, the researchers say.

A malicious actor could perform such an attack by leveraging hostile hotspots, hacked routers, or other resources. The attack is somewhat mitigated by the fact that the actor would have to use a file as large as the available memory on the phone.

Devices running under Android with the 2016-10-01 security patch level are protected from this type of attack. According to the security researchers, GPS-capable devices manufactured by Apple (iPad, iPhone, etc.) and Microsoft (Microsoft Surface and Windows Phone devices) are not affected by this vulnerability.
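The missing size check described above, shown as an added C++ example; it is not code from AOSP, Qualcomm or the researchers. The cap value, the function names and the constructed in-memory input are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <istream>
#include <sstream>
#include <string>
#include <utility>
#include <vector>

// Assumed cap, for illustration only. A real limit would be derived from the
// largest legitimate assistance file, not taken from this example.
constexpr std::size_t kMaxAssistanceBytes = 1000000;
constexpr long long kLengthUnknown = -1;  // no length header was supplied

enum class ReadStatus { Ok, Empty, DeclaredTooLarge, BodyTooLarge, IoError };

struct ReadResult {
    ReadStatus status;
    std::vector<std::uint8_t> data;  // populated only when status == Ok
};

// Before: read until EOF with no limit, so whoever supplies the stream decides
// how much memory the process allocates. This is the pattern the article
// describes as leading to memory exhaustion.
std::vector<std::uint8_t> read_unbounded(std::istream& in) {
    std::vector<std::uint8_t> out;
    char chunk[4096];
    while (in.read(chunk, sizeof chunk) || in.gcount() > 0) {
        out.insert(out.end(), chunk, chunk + in.gcount());
    }
    return out;
}

// After: two independent checks.
//  1. Reject an oversized declared length before reading anything.
//  2. Enforce the cap while reading, because a declared length comes from the
//     same untrusted peer and may understate the body.
ReadResult read_bounded(std::istream& in, long long declared_len,
                        std::size_t max_bytes = kMaxAssistanceBytes) {
    if (declared_len != kLengthUnknown &&
        (declared_len < 0 ||
         static_cast<unsigned long long>(declared_len) > max_bytes)) {
        return {ReadStatus::DeclaredTooLarge, {}};
    }

    std::vector<std::uint8_t> out;
    char chunk[4096];
    for (;;) {
        in.read(chunk, sizeof chunk);
        const std::size_t got = static_cast<std::size_t>(in.gcount());
        if (got == 0) break;  // EOF or error; told apart below
        if (got > max_bytes - out.size()) {
            // Stop at the first chunk that would cross the cap, so at most
            // max_bytes are ever buffered.
            return {ReadStatus::BodyTooLarge, {}};
        }
        out.insert(out.end(), chunk, chunk + got);
    }
    if (in.bad()) return {ReadStatus::IoError, {}};
    if (out.empty()) return {ReadStatus::Empty, {}};
    return {ReadStatus::Ok, std::move(out)};
}

// Constructed sample input: an in-memory body of body_len bytes stands in for
// the downloaded file, and declared_len for the length the server announced.
ReadResult fetch_constructed(std::size_t body_len, long long declared_len) {
    std::istringstream body{std::string(body_len, 'x')};
    return read_bounded(body, declared_len);
}

int main() {
    const struct { std::size_t body; long long declared; const char* label; }
    cases[] = {
        {1000, 1000, "normal file"},
        {kMaxAssistanceBytes + 1, kLengthUnknown, "oversized, no length"},
        {kMaxAssistanceBytes + 1, 1000, "oversized, understated length"},
        {10, 5000000, "oversized declared length"},
    };
    for (const auto& c : cases) {
        const ReadResult r = fetch_constructed(c.body, c.declared);
        std::cout << c.label << ": status=" << static_cast<int>(r.status)
                  << " bytes=" << r.data.size() << "\n";
    }
    return 0;
}
```

A size cap only bounds memory use; it does not authenticate the file, so integrity checks on the downloaded data remain a separate control.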

TalkTalk Handed Record Fine for Data Breach

The Information Commissioner's Office (ICO) in the U.K. has handed a record fine to telecoms company TalkTalk for the data breach suffered in October 2015.

The ICO, whose investigation focused on TalkTalk's compliance with the United Kingdom's Data Protection Act, decided to issue a £400,000 ($510,000) fine after concluding that the company failed to properly protect customers' personal data. The agency believes the attack could have been prevented had TalkTalk implemented basic security measures.

TalkTalk can appeal the decision within 28 days. However, if it decides to pay the fine in full by November 1, the ICO said the penalty will be reduced by 20 percent to £320,000 ($408,000). It's worth noting that the ICO can issue a maximum fine of £500,000 ($637,000).

The telecoms firm reported in February that it had lost over 100,000 customers and spent £60 million ($76 million) due to the cyberattack. While initially the company said the attackers accessed the details of more than 1 million users, it later determined that only 156,959 customers, representing four percent of the total, were affected.

The attackers obtained names, addresses, dates of birth, email addresses and phone numbers, but in roughly 15,000 cases they also accessed financial information.

The data came from a database that TalkTalk obtained in 2009 after acquiring the UK operations of Italian telecommunications company Tiscali. The hackers exploited known SQL injection vulnerabilities to access the information.

"In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting," said Information Commissioner Elizabeth Denham. "Today's record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers."

Several UK-based individuals suspected of hacking or blackmailing TalkTalk were arrested following the incident, but no one has been convicted so far.

iMessage URL Preview Exposes User Data

Apple's iMessage service can leak data such as location, device type, and operating system, when the user receives a URL in a message, a researcher has discovered.

The issue, researcher Ross McKillop explains, resides in a new feature in iMessage, which allows the service to extract some metadata from the URL and display it as a clickable link. The feature is available on both MacOS and iOS and behaves in a similar manner.

The feature, McKillop reveals, was supposed to work in a manner similar to that used by services such as Facebook or Slack, but it doesn't. Although it does provide meaningful content for a link, the iMessage implementation sends requests from the device itself, and not from the service, as it happens with Facebook and Slack.

Thus, when iMessage requests the data from the website, it shares information such as the receiver's IP address, device type, and OS version. With the service available on multiple Apple devices, including iPad, iPhone, Mac, both MacOS and iOS users are impacted by the vulnerability, the researcher says.

What's more, he says, the request is sent from each of the devices the receiver has, meaning that an attacker sending a URL can determine if the potential victim is at home (based on the IP addresses the victim's Mac and iPhone send back), or the victim's physical location (if the IP of a foreign mobile network appears in the request).

The issue could have deeper implications, McKillop suggests: "As this request is clearly being made, and parsed, by Safari from the User-Agent string it's reasonable to believe that there is potential that an exploit found in Safari could be triggered without the target even browsing to the site, simply by sending them an iMessage containing that URL."

Another issue is that the user cannot switch off the automatic request behavior, though Apple might consider a remedy for the bug in an upcoming update. One solution, McKillop says, is to extract the metadata on the sending device (they obviously trust the URL) and encapsulate that as metadata within the message.

Recently, Apple's iMessage service was found to send information about a user's contacts to Apple servers. Although the service's end-to-end encryption would make conversations private, Apple's servers received details on who a user might have contacted over iMessage, along with their date and time, and IP address. Apple admitted that it was sharing this information with law enforcement agencies when required to.

Clinton Foundation Denies Being Hacked

The hacker calling himself Guccifer 2.0 leaked hundreds of megabytes of files allegedly stolen from the Clinton Foundation, but the organization's representatives said there was no evidence of a data breach.

Guccifer 2.0 has taken credit for hacking the Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee (DCCC), from which he leaked numerous files. However, researchers believe Guccifer 2.0, who has claimed to be Romanian, is actually a persona used by Russia-backed threat actors.

In a post published on Tuesday on his WordPress blog, Guccifer 2.0 said he hacked a Clinton Foundation server and downloaded hundreds of thousands of documents from it. The more than 800 Mb of files store various types of information, including what appear to be donor lists.

"Hillary Clinton and her staff don't even bother about the information security. It was just a matter of time to gain access to the Clinton Foundation server," the hacker said.

However, Clinton Foundation President Donna E. Shalala said on Twitter that there is no evidence of a hack.

No evidence of a #Guccifer hack at @ClintonFdn, no notification by law enforcement, and none of the files or folders shown are ours.

Donna E. Shalala (@DonnaShalala), October 4, 2016

While some of the leaked information could come from a Clinton Foundation server, many of the files appear to originate from earlier hacks for which Guccifer 2.0 took credit. For instance, one of the sample files published by the hacker was created by someone named Kevin McKeon. Until 2014, McKeon occupied various leadership roles at the DCCC.

Evidence uncovered by Ars Technica and others also suggests that many of the files come from the DCCC and not the Clinton Foundation.

This is not the first report of a breach at the Clinton Foundation. Bloomberg learned in June that the organization's systems had been targeted by Russian hackers, but officials said they were not aware of a breach.

Security researchers believe the attacks on the U.S. Democratic Party were actually carried out by cyber espionage groups sponsored by the Russian government. One of these groups is known as Fancy Bear, APT28, Pawn Storm, Strontium, Sofacy, Sednit and Tsar Team.

Fancy Bear is believed to be responsible for, among others, the attacks on the World Anti-Doping Agency (WADA) and organizations investigating the Malaysia Airlines flight MH17 crash in Ukraine.

Endpoint Security Wars: Is Peace Breaking Out?

In May 2016 VirusTotal (VT) changed its rules. Any vendor wishing to receive antivirus results via the VT API would in future be required to integrate its own detection scanner into the public VT interface. Furthermore, such vendors would need to be certified by The Anti-Malware Testing Standards Organization (AMTSO).

At the time it looked like a coup engineered by the first-generation anti-malware industry, AMTSO and VT itself to exclude next-generation (next-gen) endpoint security products from gaining benefit from VT. Since that time, however, at least four next-gen companies have joined AMTSO and agreed to abide by the VT rules. More are likely to follow and it's beginning to seem that what appeared to be a declaration of war was actually an invitation to peace.

VirusTotal is commonly seen as a service that simply allows users to test a suspicious file against more than 50 anti-malware scanning engines. This is a valuable service but the real value of VT is in sharing malicious files with the wider endpoint security industry. This allows any vendor receiving those files to ensure that its own product can detect the malware concerned.

VirusTotal is categorically not a viable method of comparing different endpoint security products. The scanning engines used by the VT public interface do not represent the endpoint product in its entirety. If VT says a particular product does not recognise a malware sample, it does not mean that the fully installed product will not detect it.

At the beginning of this year, VT comprised first-gen vendors alone. However, a new generation of endpoint security products is emerging, largely but not entirely categorized by the use of machine learning technologies to help detect malware. These vendors are young and often aggressive in their search for market share. Some have abused the VT service by subscribing to the malware sample service without supplying VT with their own samples; and by using the VT public interface to unfairly and possibly inaccurately claim that first-gen vendors do not detect known malware that they themselves do detect.

The first-gen vendors have felt increasingly aggrieved, and it is that grievance that made the new VT rules appear to be a coup aimed against the next-gen vendors. That's not quite what happened.

The Coup that Never Was
VirusTotal, owned by Google, became increasingly concerned that the first-gen vendors would withdraw. Without those vendors, there would be no VirusTotal.

VT's solution was effectively to pass the buck to AMTSO, and the first AMTSO knew was a VT blog saying that it would only allow vendors that an AMTSO member-tester had certified.

"That took us by surprise," said AMTSO's General Manager, Dennis Batchelder. "But it gave us a good opportunity to try to solve this problem: how do you fairly join a multi scanner system and get all the benefits of being able to get the crowdsource malware samples coming in; and how do you do that in a fair way that doesn't chase away the first-gen or the second-gen, and doesn't create a fight?"

It was, he added, a classic multi-stakeholder problem ideally suited to an AMTSO solution. AMTSO developed a set of proposals: Recommendations when including detection technologies in multi-scanner services. They were designed to be inclusive rather than exclusive: a roadmap for all endpoint security companies to play fair and benefit from the services of VirusTotal for the good of all customers.

There are four key points: vendors cannot use VT to market or highlight detection efficacy or deficiencies; all vendors participate in balanced two-way sample sharing with others in the industry, preferably with an industry-accessible repository; all vendors play fair in tests; and that these rules apply equally to all vendors regardless of being first-gen or second-gen vendors.

It is these AMTSO recommendations that form the basis of VT's new rules. And they seem to be working. At the time of writing, in little more than three months, four next-gen vendors have taken steps to conform: Crowdstrike, Invincea, Carbon Black and Palo Alto Networks. More are expected. Some will hold out, but as more vendors sign up to AMTSO and VT, the outsiders will find it increasingly difficult to justify their stance.

Rather than being a declaration of war between the generations, VT's new rules might well prove to be an olive branch.

First-gen Versus Next-gen: The Technologies
A big problem for the endpoint security market is that there is no uniform definition of what each term means. In practice it comes down to little more than the old anti-malware vendors and the new endpoint security vendors. This is a misleading characterization, since both sets use very similar technology, and both sets seek the same end: the detection, prevention and elimination of malware.

Even then there are some companies that still fall outside of this generalization. Bromium, for example, is a genuinely different next-generation technology. Simon Crosby, CTO and co-founder of Bromium, says, "Bromium uses micro-virtualization, which relies only on endpoint CPU virtualization, to hardware isolate each task on the endpoint so that if malware executes, it cannot persist, steal data or credentials, or access high value networks or sites." He has little confidence in any of the detect to protect technologies, claiming these services simply cannot keep up with malware that changes by the minute.

Cylance is another next-gen company that does not believe it can be compared to first-gen vendors. "Cylance has introduced a paradigm shift in the security industry," said Chad Skipper, VP of Product Testing and Certification, "utilizing machine learning to prevent advanced and commodity malware from executing on the endpoint."

This statement is true and false. Machine learning can be significantly different to signature-based detection; but there is probably no single first-gen company that relies solely on signature detection; and the suggestion that they do is misleading. The majority of first-gen companies have included machine learning for the last ten years. Andy Patel, security advisor at first-gen vendor F-Secure, comments, "Our first machine learning system was taken into production use back in 2006, and it took almost 10 years for second generation vendors to figure out what we were doing."

The obvious question is: if both generations of endpoint security vendors are using machine learning to teach their engines how to detect malware, why have first-gen vendors made little use of the term? Patel suggests, "We were silent about machine learning and other AI techniques, because they were so useful that we did not want our competitors to know about them and start their own research on the topic. And any other security company who figured out the usefulness of AI did pretty much the same."

But while first-gen companies have grown into machine learning, next-gen companies have started with machine learning and as newcomers they have needed something to differentiate themselves from the existing vendors. Their battlecry, that new machine learning second-gen vendors are automatically superior to old signature-based engines, is more marketing than reality.

It would be more realistic to stop talking about first-gen and next-gen, and simply call all of them endpoint-security products.

Can First-Gen and Next-Gen Vendors Come Together and Live Harmoniously as Endpoint Security Providers?
Both AMTSO and VirusTotal are indicators that competing vendors can collaborate for the overall benefit of their customers and security at large. AMTSO's leadership team currently comprises members from ESET, Avira, Symantec, AVG and Panda (it would benefit from the rapid inclusion of at least one next-gen vendor).

These are all first-gen vendors, an industry that has been central to the security industry for many decades. You could say that it has matured. Andy Patel, again: "First gen security vendors have never been all that worried about new competition arriving on the scene. New companies have popped up over the last three decades, and many of them have carved off a piece of the pie for themselves. New security vendors always bring a fresh take on the subject, with new ideas and new technologies. Cooperation between industry players in things like VirusTotal and independent testing benefits everyone who uses these technologies, and makes the Internet safer."

Luis Corrons, technical director at first-gen PandaLabs, takes a similar view, suggesting all anti-malware companies will co-exist. "At the end of the day what will happen is that all of them will evolve into something similar, where we won't be able to distinguish them. A good number of the so called first-gens have been using the same kind of technologies as the next gens for years."

These are fairly typical views from the first-gen vendors. Not all next-gens agree. "This all depends upon the first-gen vendors. Cylance can stand on its own accord and our customers continue to replace first generation anti-virus with Cylance." Cylance told SecurityWeek that it is not opposed to joining AMTSO in the future, and is currently exploring that possibility.

So far, just four next-gen companies have joined AMTSO since VirusTotal's ultimatum: Crowdstrike, Invincea, Carbon Black and Palo Alto. All take a user and community-centric view to threat detection. "We want to work with the community to contribute to community standards," said CrowdStrike's chief scientist Dr. Sven Krasser.

Carbon Black and Palo Alto did not specifically respond to a direct approach for this article; but Invincea did.

"Our hope," said Invincea CEO and founder Anup Ghosh, "is that the industry of the next-gen players is maturing. If all you are doing is marketing how great you are but not doing either third-party testing or listing yourself on Virus Total then you are doing a disservice to the user. It's really saying you're not willing to stand by your product."

He goes further, to explicitly agree with the concerns that have been voiced by first-gen vendors. "You have these next-gen companies leeching off the IP of VirusTotal to make their products better but at the same time throwing [first-gen vendors] under the bus. I agree it's patently unfair; it is a community and Invincea benefits from that community." Ghosh recognizes the value of being able to train his machine learning against the huge VirusTotal resource of malware samples, and the fairness of contributing back to that shared resource.

First-gen's two primary grievances
In general, first-gen vendors have two primary concerns over next-gen marketing methods, both of which would be satisfied by joining AMTSO, and by listing on VirusTotal and abiding by its rules. These are a continued attempt to define first-gen vendors as solely signature-based technology purveyors; and a disinclination to submit to independent third-party comparative testing.

For this article, Cylance's Skipper said that Cylance is a significantly different technology than that of commodity signature based anti-virus or first-gen. Cylance would be better served by demonstrating how its technology is significantly different to that of first-gen vendors (who also use machine learning and behavioral analysis) rather than implying that they are simply signature-based technologies.

SentinelOne's Gainey said, "In the case of SentinelOne we use machine learning based analysis to detect malware embedded in binary images with extreme precision, which is the next evolution beyond the role that signatures have played for decades." Again, the implication is that first-gen vendors are solely reliant on signatures where in reality they have employed machine learning for a lot longer than SentinelOne has existed.

Having said this, not all first-gen vendors consider next-gen vendors to be overly aggressive in their marketing. "I don't see the approach of many new companies in the endpoint space that are focused on the modern threats as being particularly aggressive, per se," commented Justin Dolly, CISO & CIO at Malwarebytes.

Third-party testing
Some, but not all, of the next-gen vendors simply claim that next-gen products cannot be fairly tested by third parties. With this argument, they decline to be tested. A recent blog from SentinelOne examines a malware sample that SentinelOne sometimes fails to detect. Its conclusion is that under some test conditions, the malware simply doesn't activate; and without that activation, next-gen products will not detect it. "It's easy to stuff a test set with malware samples which are either not valid executables or don't behave maliciously and many tests are performed on freshly minted VM images with no user activity history, and running in the cloud which can be detected by interrogating IP address information."

The implication is that it would be easy to create a test set that would drastically favor signature-based detection over next-gen behavioral detection. A fair test must necessarily include current and functional samples executed in a realistic environment.

But few people deny this final statement. The primary purpose of AMTSO is to develop testing standards that are fair to everyone. "The tester's job," Dennis Batchelder told SecurityWeek, "is to simulate as close to the real world as possible, and if a tester can do that he can measure how a customer would benefit from one product versus another product."

Simon Edwards, director of independent test organization SELabs, accepts that this is his task; but doesn't ultimately see a problem. Indeed, he doesn't necessarily accept that first-gen and next-gen products cannot be directly compared.

"It makes sense," Edwards told SecurityWeek, "for anti-malware users to be able to read useful test reports that investigate how effective all of the available products really are. I think that some of the newer companies have started to notice this demand and, now that their products are perhaps more mature, are feeling more inclined to enter tests willingly. I don't think they will appear in separate 'next gen' reports. They claim to prevent malware and so it's logical to include their results alongside those for other anti-malware products."

The Way Forward
There is no easy, nor yet unsurmountable, solution to the arguments between first- and next-gen endpoint security vendors. Marketing is one area. First-gen vendors were so successful with the epithet anti-virus that the name and technology (signature-based detection) stuck even though their technology has become much more. Next-gen vendors have latched onto this marketing weakness with such ferocity that first-gens are as likely to develop new products that are based centrally around machine learning as they are to remarket their existing products. This occurred recently with both Symantec and Sophos, although the latter avoids machine learning and just pitches itself as next-generation.

It would be naïve to expect all next-gen vendors to relax their marketing methods; not all are in it for the long haul. It is likely that some were conceived with a profitable exit already in mind. That would most likely be acquisition by a large company (possibly even an existing first-gen vendor). For this to happen they need rapid visibility and market share; and this is best gained in the short term by aggressive marketing.

Not all next-gen companies are like this. "Do testing companies know how to evaluate these next gen approaches? I think they are learning. It's clear that the traditional way of testing is not optimal for the next gen companies but on the other hand it's a poor excuse for next gen companies not to get tested," said Invincea's Ghosh. His solution to the difficulties in testing next-gen products is not to reject testing, but to join AMTSO and influence the test standards. Now he's helping to draft the standards around how you test next-gen products and technologies; there is a science to this and it shouldn't be done without regard to scientific methods.

So far only four next-gen companies have taken a similar route. But it's a beginning. It may not yet be the beginning of the end of the endpoint wars; but it is the end of the beginning. Simon Edwards comments, "I would be surprised if there will be many well-known, credible anti-malware vendors not somehow involved with AMTSO or VirusTotal by next year."

Ukraine Power Grid Attacks Part of a 2-Year Campaign

The December 2015 cyberattacks on Ukraine's power grid were part of a long, multi-pronged campaign that targeted several of the country's sectors, according to a new report from Booz Allen Hamilton.

Attackers believed to be operating out of Russia used a combination of social engineering and malware to breach SCADA systems and disrupt power for roughly 230,000 Ukrainians.

The two main pieces of malware used in this attack were the remote access Trojan known as BlackEnergy and KillDisk, a plugin designed to destroy files and make systems inoperable. However, researchers believe the attackers cut off the power supply by directly interacting with the system; KillDisk's role was to make recovery more difficult.

Researchers believe the attack on Ukraine's energy sector started in May 2014 as part of a long-running campaign that involved several types of tools and at least 11 attacks aimed at the electricity, railway, media, mining and government sectors. The attacks against mining and railway systems were brought to light in February by security firm Trend Micro.

According to Booz Allen Hamilton, the campaign started with spear-phishing emails sent in May 2014 to employees of the Prykarpattya electric utility, which was successfully targeted in the December 2015 attack. The attackers attempted to deliver weaponized Microsoft Word documents designed to deploy a piece of malware. In the same month, similar attacks were launched against all six of Ukraine's state railway operators.

In August 2014, phishing emails carrying PowerPoint files designed to exploit a zero-day vulnerability in order to deliver BlackEnergy malware were sent to five Ukrainian regional governments and the state archive of Chernivtsi, another one of the regions targeted in the December 2015 power grid attack.

Several attacks whose goal was also to deliver BlackEnergy malware were carried out in March 2015. These operations, leveraging weaponized Excel and PowerPoint files, were aimed at Ukrainian television broadcasters, electricity operators in western Ukraine, and state archives.

Several TV broadcasters were also targeted in October 2015, just as local elections were being held in Ukraine. The attackers had access to the targeted networks since May 2015. They leveraged BlackEnergy and KillDisk malware to take control of systems and destroy video data and server hardware.

In November and December 2015, BlackEnergy and KillDisk were also used to target Ukrainian railway and mining companies. Experts have not been able to determine the initial access method leveraged by the hackers in these attacks.

The attacks targeting Ukraine's energy sector continued even after December 2015. In mid-January, roughly 100 organizations, including many energy firms, received emails set up to deliver a Trojan dubbed GCat.

While there is no hard evidence connecting these attacks to Russia, circumstantial evidence suggests that they were likely carried out by an actor with significant resources and whose goals aligned with Russian political interests. While BlackEnergy malware has been leveraged by multiple groups, including criminal organizations, experts believe this could be a strategy meant to deflect blame from a state-sponsored actor.

There are several possible reasons for carrying out these attacks, but Booz Allen Hamilton researchers believe the most likely scenario is that the attacker wanted to send a message to the Ukrainian government.

Experts pointed out that while the attacks were exceptionally well organized and executed, the tools needed to mitigate such threats are not difficult to implement.

Researchers Leverage RKP Module to Bypass Samsung KNOX

Security researchers from Viral Security Group Ltd. have managed to bypass the Samsung KNOX security features by exploiting vulnerabilities that render unpatched devices susceptible to compromise.

To successfully bypass Samsung's security, the researchers focused on a module called TIMA RKP (Real-time Kernel Protection), which is responsible for defending against kernel exploits. A standard root exploit can subvert the kernel and code can be executed in the system user context, researchers say.

According to a paper detailing the experiment, a malicious actor with access to the system account could replace legitimate apps with rogue software that has access to all available permissions, all without the user noticing. Furthermore, the RKP module can be abused to achieve root privileges, and the security researchers even managed to load a kernel module to remount the /system partition as writable.

To subvert the RKP module, the researchers abused the CVE-2015-1805 write-what-where kernel vulnerability, using the open-source exploit implementation dubbed iovyroot. A generic Linux exploit, iovyroot has been devised to leverage said flaw on recent Samsung devices, including Galaxy S6 and Galaxy Note 5, researchers say.

The RKP module, researchers say, has two layers, one interwoven with the Linux kernel, and another residing in the ARM TrustZone as a hypervisor. The RKP was meant to mask and protect certain areas of kernel memory, as it can perform its own checks and validations, hidden and independent of the kernel.

The issue with the RKP was found to be a special function, rkp_override_creds, which replaces the regular kernel function override_creds and can be used to temporarily override the current process credentials. By leveraging this bug, researchers tried to achieve root by having the RKP override the credentials with root values, but failed, because the hypervisor side does not take kindly to attempts to override process credentials with root values. However, it does accept system values, researchers say.

While still attempting to achieve root, the researchers discovered a file called vmm.elf, which turned out to be the RKP module itself, and were able to find in it the function that would allow them to achieve root. However, they discovered that the available permissions were limited, and that running a kernel module would provide privilege escalation, an achievable operation, especially since Samsung's Galaxy S6 allows for the insertion of kernel modules.

The modules, however, need to be signed, and the verification is performed by the Mobicore micro-kernel residing in ARM's TrustZone. Nonetheless, because the verification was triggered only when the lkmauth_bootmode variable was set to BOOTMODE_RECOVERY, the security researchers used a kernel writing vulnerability to overwrite the value and disable the signature verification.

"At this point, we could easily load any kernel module we desired," the researchers note. The 3 vulnerabilities that allowed for the successful exploitation of Samsung KNOX were named KNOXout. Tracked as CVE-2016-6584, the flaws are privilege escalation issues and have been already disclosed to the vendor.

Some of the remediation solutions proposed by the security researchers include treating system permissions similar to root; performing a PID check later in the permission-granting process, because RKP grants processes with PID 0 root privileges (and the researchers leveraged that); and placing the lkmauth_bootmode variable and the security_ops structure in an RKP-protected, read-only page.

Hackers Could Harm Diabetics via Insulin Pump Attacks

OneTouch Ping insulin pumps manufactured by Johnson & Johnson-owned Animas are plagued by several vulnerabilities that can be exploited by remote hackers to compromise devices and potentially harm the diabetic patients who use them. While the security holes are serious, the risk is considered relatively low and the vendor does not plan on releasing a firmware update.

Rapid7 researcher Jay Radcliffe, who has been a Type I diabetic for 17 years, analyzed Animas OneTouch Ping insulin pumps. The product has two main components: the actual insulin pump and a remote that controls the pump's functions from up to 10 feet away.

The four major vulnerabilities found by Radcliffe in the OneTouch Ping product have been detailed in a Rapid7 blog post and an advisory published by the Department of Homeland Security's CERT Coordination Center.

The researcher discovered that the remote and the pump communicate over an unencrypted channel (CVE-2016-5084), allowing a man-in-the-middle (MitM) attacker to intercept patient treatment and device data. The vendor pointed out that while some data is exposed, it does not include any personally identifiable information.

Another vulnerability identified by Radcliffe is related to the setup process where the pump is paired with the remote; pairing is needed to prevent the pump from accidentally accepting commands from other remotes. The key used by the devices when they exchange information is based on serial numbers and some header information, and it is transmitted without any form of encryption.

This weak pairing (CVE-2016-5085) allows an attacker to spoof the remote and issue commands to arbitrarily dispense insulin, which could lead to the patient having a hypoglycemic reaction.

The researcher also noticed that OneTouch Ping pumps lack protection against replay (CVE-2016-5086) and spoofing (CVE-2016-5686) attacks. These vulnerabilities can be exploited to capture packets and replay them at a later time, or send spoofed packets with arbitrary commands to the pump. In both cases, the attacker can instruct the device to dispense insulin and potentially harm the user.
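The two protections the article says the pump lacks can be shown in a few lines. The following is an added example, not code from Rapid7, the CERT advisory or the vendor: a receiver that rejects spoofed frames (message authentication with a random secret rather than a key built from serial numbers) and replayed frames (a strictly increasing counter). The frame layout, the 16-byte tag, the STATUS command and all names are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 16  # truncated HMAC-SHA256 tag; length is an assumption of this sketch

def make_frame(key: bytes, counter: int, command: bytes) -> bytes:
    """Remote side: 8-byte counter || command || authentication tag."""
    body = struct.pack(">Q", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class Receiver:
    """Pump side: accept a frame only if its tag verifies and its counter is fresh."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0

    def accept(self, frame: bytes):
        if len(frame) < 8 + TAG_LEN:
            return None                      # too short to be a valid frame
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                      # spoofed or modified in transit
        counter = struct.unpack(">Q", body[:8])[0]
        if counter <= self._last_counter:
            return None                      # captured earlier and replayed
        self._last_counter = counter         # only advance on a valid frame
        return body[8:]

def demo() -> dict:
    key = os.urandom(32)                     # random secret, never sent over the air
    rx = Receiver(key)
    frame = make_frame(key, 1, b"STATUS")
    guessed = b"serial-derived-guess".ljust(32, b"\0")  # constructed wrong key
    tampered = bytearray(make_frame(key, 2, b"STATUS"))
    tampered[8] ^= 0x01                      # flip one bit of the command
    return {
        "fresh": rx.accept(frame),
        "replayed": rx.accept(frame),
        "forged": rx.accept(make_frame(guessed, 2, b"STATUS")),
        "tampered": rx.accept(bytes(tampered)),
        "next": rx.accept(make_frame(key, 2, b"STATUS")),
    }
```

Rejected frames leave the counter untouched, so a burst of forged traffic cannot push the legitimate remote out of sync.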

The OneTouch Ping pump and its remote are not connected to the Internet so these attacks cannot be carried out over very long distances. However, special radio transmission equipment could allow attacks to be conducted from hundreds of feet and possibly even up to one mile, researchers warned.

While these are serious vulnerabilities, Radcliffe said the risk is relatively low and the goal of the research is to raise awareness, allow users to make informed decisions, and get manufacturers to focus more on security when designing their products.

"Removing an insulin pump from a diabetic over this risk is similar to never taking an airplane because it might crash," the expert noted.

Johnson & Johnson, which notified patients and healthcare professionals of Rapid7's findings via physical mail, said it does not plan on releasing a firmware update to address the vulnerabilities. However, the company has provided instructions on how attacks can be mitigated using various features available in the OneTouch Ping product.

Rapid7's approach contrasts with the path taken in August by medical device security firm MedSec, which decided to disclose vulnerabilities found in St. Jude Medical products without notifying the vendor. MedSec decided to team up with an investment research company that used the findings as part of an investment strategy, which led to St. Jude filing a lawsuit.

Weak Credentials Fuel IoT Botnets

Botnets powered by Internet of Things (IoT) devices have recently made headlines after powering massive distributed denial of service (DDoS) attacks. The underlying issues with IoT devices, however, are by no means new. IoT botnets are possible mainly because enslaved devices often have security flaws, many of which have been discussed numerous times before.

The rise of DDoS botnets leveraging IoT devices for their dirty work once again brought to the spotlight how easily such products can be hacked to install backdoors. A slew of IoT devices reuse cryptographic keys and/or use easy-to-guess, hardcoded default login credentials, making them susceptible to brute-force and other types of attacks, especially since many users don't or can't change those credentials.

Mirai, a Linux backdoor initially detailed in early September, was observed relying on this weakness to find and ensnare IoT devices into a botnet. The botnet's source code was released online several days ago and is said to have been used to launch DDoS attacks against Brian Krebs' website and hosting provider OVH, and to be powered by more than 150,000 IoT devices, including cameras and digital video recorders (DVRs).

To find and ensnare devices into the botnet, the malware scans the Telnet service on DVRs and WebIP Cameras on Busybox, as well as on other Linux-based IoT boxes with Busybox, and on unattended Linux servers, then attempts to log in using hardcoded usernames and passwords to brute-force discovered devices. BASHLITE, a botnet that supposedly abuses over 1 million IoT devices, uses the same attack method.

This modus operandi, however, might not be exclusive to these two malware families alone, considering the large number of attacks that a single DVR device is hit with: "The IP address is hit by telnet attempts pretty much every minute. Instead of having to wait for a long time to see an attack, my problem was that the DVR was often overwhelmed by the attacks, and the telnet server stopped responding," Johannes B. Ullrich, Ph.D., CTO SANS Internet Storm Center, reveals.

Ullrich was attempting to test how bad it would be to expose a DVR to an Internet connection, and he didn't have to wait long to discover. The attacks tried a variety of passwords, but only one of them was set up on the honeypot, so only some attacks were successful.

Those attacks that came through, however, followed a similar pattern, starting with the attacker making sure that they didn't connect to a router or a honeypot by using specific commands. Next, the attacker would fingerprint the device and test whether a binary file could be created on it. Then, the attacker would attempt to download a tool on the exposed device, or to create a binary directly on it.
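The pattern Ullrich describes, many guessed logins from one source with an occasional success, is easy to detect in login logs. The following is an added example, not Ullrich's or SANS ISC's tooling: it classifies sources in a Telnet authentication log as brute-forcing, or as compromised when a successful login follows a burst of failures. The log format, the addresses, the timestamps and the thresholds are all constructed for this sketch.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (assumed format): time, source IP, username, result
SAMPLE_LOG = """\
2016-10-05T10:00:01 198.51.100.7 root FAIL
2016-10-05T10:00:02 198.51.100.7 admin FAIL
2016-10-05T10:00:03 198.51.100.7 support FAIL
2016-10-05T10:00:05 198.51.100.7 root OK
2016-10-05T10:03:00 203.0.113.9 operator FAIL
2016-10-05T11:30:00 203.0.113.9 operator OK
2016-10-05T10:10:00 192.0.2.44 guest FAIL
2016-10-05T10:10:01 192.0.2.44 user FAIL
2016-10-05T10:10:02 192.0.2.44 admin FAIL
"""

def parse(log):
    """Yield (timestamp, ip, user, result) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        yield datetime.fromisoformat(ts), ip, user, result

def classify(log, threshold=3, window=timedelta(seconds=60)):
    """Return {ip: verdict} for sources with >= threshold failures in `window`.

    'bruteforce'  : burst of failed logins only
    'compromised' : a successful login arrived while the burst was still recent
    """
    fails = defaultdict(list)
    verdict = {}
    for ts, ip, _user, result in sorted(parse(log)):
        recent = [t for t in fails[ip] if ts - t <= window]
        if result == "FAIL":
            recent.append(ts)
            fails[ip] = recent
            if len(recent) >= threshold:
                verdict.setdefault(ip, "bruteforce")
        elif result == "OK" and len(recent) >= threshold:
            verdict[ip] = "compromised"
    return verdict
```

A lone failure followed much later by a success, as from 203.0.113.9 in the sample, is left unflagged so that an owner mistyping a password does not raise an alert.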

The purpose of the attack, however, was to download and install malware onto the exposed DVR, and to leverage it to scan for more vulnerable hosts at the high rate of over 100 connections per second, Ullrich explains. The security researcher reveals that the device was attacked several times an hour and that none of the attackers attempted to reset the default password, meaning that the DVR remained exposed to other attacks.

The issue, however, is that this DVR isn't the only insecure device exposed to the Internet, but that there are a great deal of other devices that also lack proper security right from the start. Mirai's source code contains 68 username and password pairs, and many of those are generic and used by dozens of products, including routers, security cameras, printers and digital video recorders (DVRs), Brian Krebs reveals.

Ullrich's experiment revealed an attack pattern previously associated with both Mirai and BASHLITE, which might have been adopted by other botnets as well. Over the past several months, a botnet known as LizardStresser was also observed launching massive DDoS attacks powered by IoT devices, including a 540 Gigabits per second (Gbps) attack against public-facing properties and organizations affiliated with the Olympics.

With tens of thousands of compromised CCTV devices located all around the world also abused in DDoS attacks, and numerous Trojans targeting IoT designed specifically for this type of attack, Symantec researchers have concluded that the primary purpose of IoT malware is the launch of DDoS attacks.

Ukrainian Group Claims Hack of Putin Advisor's Email

A hacker group calling itself Cyber Hunta leaked over 2,000 emails allegedly stolen from the account of Vladislav Yuryevich Surkov, adviser to Russian President Vladimir Putin. Kremlin representatives said the leaked emails cannot belong to Surkov as he did not use email. However, the Atlantic Council's Digital Forensic Research Lab analyzed the files and determined that the breached inbox was apparently managed by Surkov's assistants.

The Ukrainian security service SBU said the leaked emails were genuine, but cautioned that they may have been tampered with. The agency is known for making accusations against Russia; it blamed Moscow for the December 2015 attacks targeting Ukraine's energy sector and a major cyber espionage campaign aimed at the Ukrainian government.

Stronger evidence that the hack is legitimate is provided by the 1 Gb Outlook data file (.pst) made available by the hackers. The 2,337 messages included in the leak have legitimate-looking headers and they include boring day-to-day emails. Experts believe it's unlikely that someone went to the trouble of faking all the information. The Associated Press also analyzed the leak and confirmed with some Russian journalists and businessmen, whose emails show up in the dump, that the messages are legitimate.

While most of the leaked emails are uninteresting, there are some documents related to the war in Donbass, including a list of casualties, and government expense reports. The emails also appear to show connections between the Russian government and pro-Russia separatists in eastern Ukraine, and plans to destabilize the Ukrainian government.

Cyber Hunta describes itself as a community of Ukrainian hackers and analysts whose goal is to fight foreign aggression and internal enemies. The group claims to have access to the internal networks of the Russian presidential administration and the parliament.

Experts believe many countries have been conducting silent cyber espionage operations, but public threats of cyberwar have also increased over the past period. After formally accusing the Russian government of trying to interfere with this year's elections, U.S. officials said the CIA was preparing a retaliatory attack meant to harass and embarrass the Kremlin leadership. Moscow slammed Washington over the threats and vowed to respond.


