Cyber Security

Secret chips in replacement parts can completely hijack your phone’s security

(credit: Omer Shwartz et al.)

People with cracked touch screens or similar smartphone maladies have a new headache to consider: the possibility the replacement parts installed by repair shops contain secret hardware that completely hijacks the security of the device.

The concern arises from research that shows how replacement screens—one put into a Huawei Nexus 6P and the other into an LG G Pad 7.0—can be used to surreptitiously log keyboard input and patterns, install malicious apps, and take pictures and e-mail them to the attacker. The booby-trapped screens also exploited operating system vulnerabilities that bypassed key security protections built into the phones. The malicious parts cost less than $10 and could easily be mass-produced. Most chilling of all, to most people, the booby-trapped parts could be indistinguishable from legitimate ones, a trait that could leave many service technicians unaware of the maliciousness. There would be no sign of tampering unless someone with a background in hardware disassembled the repaired phone and inspected it.

The research, in a paper presented this week at the 2017 Usenix Workshop on Offensive Technologies, highlights an often overlooked disparity in smartphone security. The software drivers included in both the iOS and Android operating systems are closely guarded by the device manufacturers, and therefore exist within a “trust boundary.” The factory-installed hardware that communicates with the drivers is similarly assumed to be trustworthy, as long as the manufacturer safeguards its supply chain. The security model breaks down as soon as a phone is serviced in a third-party repair shop, where there’s no reliable way to certify replacement parts haven’t been modified.


No comments
Jeremy Webb: Secret chips in replacement parts can completely hijack your phone’s security
read more

Building America’s Trust Act would amp up privacy concerns at the border

A U.S. Customs and Border Protection officer checks identifications as people cross into the United States from Mexico on September 23, 2016 in San Ysidro, California. (credit: John Moore / Getty Images News)

If a new Senate Republican border security bill is passed as currently drafted, it would dramatically increase the amount of surveillance technologies used against immigrants and, in some cases, American citizens traveling to and from the United States.

The bill, known as the “Building America’s Trust Act,” is authored by Sen. John Cornyn (R-Tex.). It aims for a “long-term border security and interior enforcement strategy,” according to its summary. However, the senators have yet to formally introduce the text of the bill.

So Ars is going to do it for them: we received an advance copy of the bill’s text from an anonymous source, and we are publishing it here before it has been formally introduced in the Senate. Ars repeatedly contacted the offices of all six senators who are listed as co-sponsors for comment—none made anyone available.



Changing the Standard of Phishing: Attack Trends, Tips and Tricks

As Old as the Hills

Phishing attacks are well known and remain the most popular and most successful type of attack used by cyber criminals. The design remains simple, as this attack is aimed at the most vulnerable component of information systems: the users. Startups launching Initial Coin Offerings are experiencing an increasing number of phishing attacks, and as a result we have seen multiple reports in recent days of invested funds being lost.

Until recently, most of these attacks were delivered through spam messages, with the majority halted at the user’s inbox. In some cases the messages are ignored because the signs of phishing are very obvious. Other times, the messages are forwarded to IT support with the question “Is it safe to enter a password on this page?”. Of course, some users will be successfully phished, but their number is quite small compared to the amount of spam sent. In a recent incident in which the Coindash website was hacked, the attack involved tricking users into sending funds to an address that the company has identified as belonging to the hacker. There are also new attacks against cryptocurrency users through the Slack platform. We’ve seen recent spearphishing attacks that contain no links or exploits in the message body; instead there is only a title/subject, and googling this title leads to an exploit site. All of these show how fast new phishing attacks are emerging among malicious actors.

At Cisco Umbrella, one way that we’ve been monitoring emerging attacks and new trends is by using NLP Rank. In this blog post, we’re sharing some of the latest detected threats.

An Old Dog Learns New Tricks

Punycode encoding

One trend is the use of punycode to encode internationalized domain names that impersonate well-known domain names. We had seen this technique in the past, before it gained its recent wide adoption by malicious actors. An additional OCR-based filter has helped us recognize suspicious domain names once a suggested block appears as a result of NLP-based analysis of the domain name and its content.

Free domain names

Most of these abused domains are from TLDs that offer domains free of charge. In this scenario it is not the price that matters, but the opportunity to get a domain name without leaving any trace in the form of payment information. All you need is an email address that can later be discarded. Similarly, bulletproof hosting or abused large providers have been used.

In the example below, trying to register a spoofing domain for one of the Ethereum wallet providers, we can see that the domain name myetherwallet[.]cf is already taken.
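As an added illustration (not code from the Cisco Umbrella post), the following Python snippet shows the two checks discussed in the punycode and free-domain sections together: it decodes xn-- labels back to Unicode, flags labels that mix scripts, maps a few known lookalike characters back to the Latin letters they imitate, and matches the registrable label against a brand watchlist regardless of TLD, so that a name like myetherwallet under .cf is caught as well as its homograph. The watchlist, the confusable map and the sample domains are assumptions constructed for this example; a production filter would use the full Unicode confusables data and a much larger watchlist.

```python
import unicodedata

# Hand-picked confusable map (constructed for this example; the full Unicode
# confusables table is far larger). Maps lookalike characters to the Latin
# letter they visually imitate.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s",
    "\u0456": "i", "\u03bf": "o", "\u03b1": "a",
}

# Constructed watchlist of brand domains worth protecting.
PROTECTED = {"myetherwallet.com", "company.com"}


def decode_labels(domain: str) -> str:
    """Turn each xn-- (A-label) back into Unicode so lookalikes become visible."""
    labels = []
    for label in domain.lower().strip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # undecodable label: keep the raw form
        labels.append(label)
    return ".".join(labels)


def scripts_in(label: str) -> set:
    """Unicode scripts used by the letters of one label (digits and '-' ignored)."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ", 1)[0] if name else "UNKNOWN")
    return scripts


def skeleton(domain: str) -> str:
    """Replace known confusables with the Latin letters they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)


def analyze(domain: str, protected=PROTECTED) -> dict:
    """Report the decoded name, whether any label mixes scripts, and which
    protected brand (if any) the registrable label imitates."""
    decoded = decode_labels(domain)
    labels = decoded.split(".")
    mixed = any(len(scripts_in(label)) > 1 for label in labels)
    skel = skeleton(decoded)
    impersonates = None
    if skel not in protected:
        # Compare the label left of the TLD, so myetherwallet.cf is matched
        # against myetherwallet.com.
        sld = skel.split(".")[-2] if len(labels) >= 2 else skel
        for brand in sorted(protected):
            if brand.split(".")[0] == sld:
                impersonates = brand
                break
    return {"decoded": decoded, "mixed_script": mixed, "impersonates": impersonates}


def sample_spoof() -> str:
    """Constructed sample: 'myetherwallet' with the Latin 'e' swapped for
    Cyrillic U+0435, under the free .cf TLD, in its xn-- (A-label) form."""
    return "my\u0435therwallet.cf".encode("idna").decode("ascii")


if __name__ == "__main__":
    for d in (sample_spoof(), "myetherwallet.cf", "myetherwallet.com", "example.org"):
        print(d, analyze(d))
```

The script-mixing check catches homographs that no watchlist would list, while the skeleton comparison catches single-script lookalikes and plain typosquats under throwaway TLDs; both signals are cheap enough to run on every newly seen domain before any content analysis.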


Compromised and Obfuscated Emails Used for Registering

Since setting up multiple emails for domain registration can be difficult, we often see compromised email addresses used for registering domains. Another trick is to use one email for registering multiple domains and to replace or “guard” that address with different WHOIS anonymity services. In these cases, the WHOIS provider will return a message similar to: “Due to restrictions in the Privacy Statement, personal information about the user of the domain name can not be released.” Services that allow users to register completely anonymously, such as Protonmail, are being abused for this technique.

SSL certificates and free hosting

In general, people still think that the combination of HTTPS and SSL means the domain is trustworthy. In reality, this only means that your connection is private and that the traffic is protected while in transit. Another false belief is that it is impossible to get a web server with a valid SSL certificate from a CA and leave no traces. As it turns out, this is not true. In many cases, the attackers take advantage of free SSL provided by hosting providers. A brief analysis of the available functions of a free package from SSL service providers reveals a storehouse of opportunities that can be abused by phishing actors:

  • Completely anonymous registration. Any valid email address is more than enough. Theoretically, an identity could be found from analysis of the IP address used for registration, but sophisticated attackers are more than capable of hiding their true IP address.
  • Abused free certificates from CAs. Some are not only free but are also issued within a few minutes of registering, without any additional verification being performed.
  • The real IP address of the web server is hidden. All traffic goes through CDN-like infrastructure.
  • SSL offloading. A malicious web server can be configured to work with plain HTTP, but with a service like Cloudflare all of the traffic will go over SSL. This is important because free hosting with HTTP is easy to get, whereas hosting with HTTPS and SSL would have to be paid for, and payments can be traced.
  • With rare exceptions, CAs do not sign certificates for domains under .ga, .cf, .tk, etc. Once again, Cloudflare-like services solve this problem for the attacker, given the ease with which the certificate is issued.

Ads Poisoning

While AdWords phishing is not a new threat, it is one of the most used against cryptocurrency users, as well as customers of other financial institutions. Google and Bing are aware of the malicious use of their advertising platforms, but recent campaigns have proven that these attacks are frequently able to evade detection. We observed the campaign below over the past 6-9 months. The targeted companies rotate over the campaign’s duration, but the rest of the scheme has stayed the same. This type of campaign has been covered in detail in our previous publications. The latest iteration of this campaign targets users of MyEtherWallet.

Malicious ad

Spoofing malicious domain

Unvalidated Redirects

Phishing emails are getting better and using far more targeted social engineering tactics. We have analyzed links within phishing emails that at first would not seem malicious or an attempt at phishing. However, the link leads to a compromised website that makes use of an “Unvalidated Redirects” vulnerability. Exploiting this vulnerability helps to defeat many, if not all, of the commonly used anti-spam filters. In an email the link would appear similar to:

hxxps://company.com/unvalidated_redirect.php?url=http://login.company.cf/

The user sees the link directing to the original trusted site (company.com) and does not realize the redirection that could take place.
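To make the redirect weakness concrete, here is an added Python example (not from the post, and not the PHP endpoint it mentions) contrasting an open redirect handler with a hardened version that only follows same-site relative paths or absolute http(s) URLs whose host is on an allowlist. The allowlist and the sample inputs are constructed for this example; the first sample is the attacker-controlled value shown in the post.

```python
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"company.com", "www.company.com"}  # constructed allowlist
SAFE_DEFAULT = "/"


def vulnerable_redirect_target(url: str) -> str:
    """Behaviour of an unvalidated redirect endpoint: the 'url' parameter is
    sent back as the Location header unchecked, so company.com becomes a
    trusted-looking hop to wherever the email author wants."""
    return url


def safe_redirect_target(url: str, trusted_hosts=TRUSTED_HOSTS) -> str:
    """Return url only if it is a same-site relative path or an absolute
    http(s) URL whose host is allowlisted; otherwise fall back to SAFE_DEFAULT."""
    if not url or any(c in url for c in "\\\r\n\x00"):
        # Browsers treat backslashes as slashes ("/\evil" acts like "//evil");
        # CR, LF and NUL could split or truncate the Location header.
        return SAFE_DEFAULT
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        # Relative target: exactly one leading slash, never "//host".
        return url if url.startswith("/") and not url.startswith("//") else SAFE_DEFAULT
    if parts.scheme not in ("http", "https"):
        return SAFE_DEFAULT  # javascript:, data:, scheme-relative "//host", etc.
    host = (parts.hostname or "").lower()  # hostname drops userinfo and port
    return url if host in trusted_hosts else SAFE_DEFAULT


# Constructed inputs: the first is the value from the post, the rest are the
# bypass shapes a reviewer would test an allowlist against.
SAMPLES = [
    "http://login.company.cf/",
    "//login.company.cf/",
    "http://company.com@login.company.cf/",
    "http://company.com.login.cf/",
    "/\\login.company.cf",
    "javascript:alert(1)",
    "https://company.com/account",
    "/account/settings",
]


def compare(samples=SAMPLES) -> dict:
    """Map each input to (vulnerable handler result, hardened handler result)."""
    return {u: (vulnerable_redirect_target(u), safe_redirect_target(u)) for u in samples}


if __name__ == "__main__":
    for u, (bad, good) in compare().items():
        print(f"{u!r:45} vulnerable -> {bad!r:45} hardened -> {good!r}")
```

An allowlist of exact hostnames is deliberately used instead of a prefix or substring check: a check like `url.startswith("http://company.com")` would accept `http://company.com.login.cf/` and `http://company.com@login.company.cf/`, both of which the hardened function sends to the safe default.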

Abuse of URL shorteners

In recent mass spam campaigns, we have seen a surge in the use of shortened URL links in the e-mail body to drive traffic to spoofed domains. Once again this technique helps to defeat a significant number of standard defenses and creates problems for typical users. Many people believe the responsibility rests on the URL shortener’s shoulders to guarantee the safety of a shortened link. While many URL shorteners are working to decrease malicious links in their systems, totally eliminating such abuse is a very challenging problem. These schemes typically aim not only to harvest account credentials but also to deliver malware.

Defeat the Phish

How do we take down malicious domains? It is the goal of many security researchers in our industry, but a unified solution does not yet exist. Conviction and punishment of the suspected phishing actor seems to be a hard goal to achieve. Given the complexity of the malicious infrastructure behind these attacks, a researcher would need to work in close collaboration with the registrar, cloud service provider, and email service provider being abused to find the actor behind such attacks. However, this approach could still leave you with only an IP address as an indicator. How would it be possible to “identify” a criminal by only their assumed IP address? I would say impossible.

Visualization of malicious spoofing domains

Conclusion

Given the research being done to identify the scale of the problem behind simple typosquatting domains, we can see there are many users exposed to this threat. The number of phishing attacks is growing and the criminals’ methods are constantly evolving. Cisco Umbrella is able to detect and block such domains using our high-frequency classifiers like NLPRank. Additionally, users and companies themselves are strongly encouraged to enable two-factor authentication when possible and to implement layered security controls.

IOCs

This blog is a result of collaboration between Artsiom Holub of Cisco Umbrella research team and Jeremiah O’Connor of Cisco country digitization team.


The post Changing the Standard of Phishing: Attack Trends, Tips and Tricks appeared first on OpenDNS Umbrella Blog.


When It Comes to Startup Security, Strategize Like A Chess Master

Protecting your startup from malicious hackers can be similar to protecting your king from the enemy’s attacks in a game of chess. The similarity can begin with the way a chess grandmaster moves nimbly on the board with intent. He or she employs tactics (“short-term calculations to accomplish goals”) and a strategy (a long-term plan) not only to protect the pieces but also to capture the enemy.

If you are a novice founder, include cybersecurity in the list of things you need to establish in your first year. There is no reason to delay dealing with this issue. Avoid making the mistake of ignoring the challenges surrounding it. And make sure you tackle it with the mindset of a top chess player.

Here are 5 ways to help you get started:

Think ahead and plan

A cyberattack can halt your operations not only for days but for good. According to the US National Cyber Security Alliance, 60% of small companies closed within 6 months of a cyber attack.

The demise of Code Spaces, a source code hosting provider, now serves as a classic example. Hackers were able to gain access to its Amazon EC2 control panel and started to ask for a large sum in exchange for recovery.

When Code Spaces did not comply, the attackers deleted most of its data and other resources. The then seven-year-old startup was forced to shut down its services.

So think again. Shopping and setting up the best tools to improve your company’s security do not seem to be as high a priority as UX and product design. But you cannot risk losing your whole business because of a security crisis. Besides, clients today worry about online security as much as they fuss over system lags.

Master the opening, mid, and endgame strategies

Similar to the first, this point is about having a long-term plan regarding your startup security. It is not enough to say, “Okay, let’s try this service and see how it works.” Then you just replace it when it fails. For instance, two computer engineers identified vulnerabilities in 17 Indian startups collectively worth more than $10 billion. They concluded that “almost every startup here has security bugs.” It does not matter if you are one or 6 years old.

So how do you go about this as you are approaching 5, 10, or more years? Even Facebook has established a Bug Bounty Program. Planning to launch a mobile app soon? Set up security parameters early on. Or you will only make yourself more vulnerable than you think.

Be on the offensive and the defensive

In chess as in business, it is important to know who your enemies are. When it comes to cybersecurity, gone are the days when potential enemies would be disorganized and lack sophisticated tools to launch a devastating attack. From the get-go, you should concern yourself with protecting your organization from this kind of threat.

By playing the offensive, you are attempting to understand the plays and approaches of the attackers. You are also setting out to find your own vulnerabilities. Only after being on the offensive will you be able to develop barriers and fight off these malicious hackers.

Concentrate your efforts as an executive

Cybersecurity is a growing area of focus not only for businesses but also for governments. Even international organizations are treating it as a prominent issue. As a startup founder, it is not enough to leave it to the CIO. Take the time to look at online security, its nuances, and the changes surrounding it. Be a driving force, not just a signature on the budget approval form. Give your full support to the tech team members as they constitute an important aspect of your business.

Learn and outgrow yourself

Speaking of support, allocate resources for training your tech team. Encourage your employees to update their knowledge and skills by attending industry conferences and taking crash courses. Your security department should remain solid as hackers also make advances in their attacks. You depend on them as much as you do on the system they are in charge of protecting.

Aside from human resources, invest in infrastructure. Make sure you have the latest tools that will help you beat potential offenders.

Continuity is key in securing your online assets and services.


After phishing attacks, Chrome extensions push adware to millions

One of the ads displayed by a fraudulently updated version of the Web Developer extension for Chrome. (credit: dviate)

Twice in five days, developers of Chrome browser extensions have lost control of their code after unidentified attackers compromised the Google Chrome Web Store accounts used to issue updates.

The most recent case happened Wednesday to Chris Pederick, creator of the Web Developer extension. Last Friday, developers of Copy Fish, a browser extension that performs optical character recognition, also had their account hijacked.

In both cases, the attackers used the unauthorized access to publish fraudulent updates that by default are automatically pushed to all Chrome users who have the extensions installed. The tainted extensions were also available for download in Google’s official Chrome Web Store. Both Pederick and the Copyfish developers said the fraudulent updates did nothing more than inject ads into the sites users visited. The Copyfish developers provided an account that included a side-by-side comparison of the legitimate and altered code. Pederick has so far not provided documentation of the changes that were pushed out to the more than one million browsers that have downloaded the Web Developer extension.



Stealthy Google Play apps recorded calls and stole e-mails and texts

(credit: portal gda)

Google has expelled 20 Android apps from its Play marketplace after finding they contained code for monitoring and extracting users’ e-mail, text messages, locations, voice calls, and other sensitive data.

The apps, which made their way onto about 100 phones, exploited known vulnerabilities to “root” devices running older versions of Android. Root status allowed the apps to bypass security protections built into the mobile operating system. As a result, the apps were capable of surreptitiously accessing sensitive data stored, sent, or received by at least a dozen other apps, including Gmail, Hangouts, LinkedIn, and Messenger. The now-ejected apps also collected messages sent and received by WhatsApp, Telegram, and Viber, which all encrypt data in an attempt to make it harder for attackers to intercept messages while in transit.

The apps also contained functions allowing for:



Microsoft expands bug bounty program to cover any Windows flaw

Some bugs aren’t worth very much cash. (credit: Daniel Novta)

Microsoft today announced a new bug bounty scheme that would see anyone finding a security flaw in Windows eligible for a payout of up to $15,000.

The company has been running bug bounty schemes, wherein security researchers are financially rewarded for discovering and reporting exploitable flaws, since 2013. Back then, it was paying up to $11,000 for bugs in Internet Explorer 11. In the years since then, Microsoft’s bounty schemes have expanded with specific programs offering rewards for those finding flaws in the Hyper-V hypervisor, Windows’ wide range of exploit mitigation systems such as DEP and ASLR, and the Edge browser.

Many of these bounty programs were time limited, covering software during its beta/development period but ending once it was released. This structure is an attempt to attract greater scrutiny before exploits are distributed to regular end-users. Last month, the Edge bounty program was made an on-going, continuous scheme no longer tied to any particular timeframe.



Mac malware that went undetected for years spied on everyday users

(credit: Tim Malabuyo)

A mysterious piece of malware that gives attackers surreptitious control over webcams, keyboards, and other sensitive resources has been infecting Macs for at least five years. The infections—known to number nearly 400 and possibly much higher—remained undetected until recently and may have been active for almost a decade.

Patrick Wardle, a researcher with security firm Synack, said the malware is a variant of a malicious program that came to light in January after circulating for at least two years. Dubbed Fruitfly by some, both malware samples capture screenshots, keystrokes, webcam images, and information about each infected Mac. Both generations of Fruitfly also collect information about devices connected to the same network. After researchers from security firm Malwarebytes discovered the earlier Fruitfly variant infecting four Macs, Apple updated macOS to automatically detect the malware.

The variant found by Wardle, by contrast, has infected a much larger number of Macs and remained undetected by both macOS and commercial antivirus products. After analyzing the new variant, Wardle was able to decrypt several backup domains that were hardcoded into the malware. To his surprise, the domains remained available. Within two days of registering one of the addresses, close to 400 infected Macs connected to the server, mostly from homes located in the United States. Although Wardle did nothing more than observe the IP address and user names of Macs that connected to his server, he had the ability to use the malware to spy on the users who were unwittingly infected.



Microsoft’s secret weapon in ongoing struggle against Fancy Bear? Trademark law

(credit: Harald Deischinger)

On Friday, representatives of the notorious hacking entity known as Fancy Bear failed to appear in a federal court in Virginia to defend themselves against a civil lawsuit brought by Microsoft.

As the Daily Beast first reported on Friday, Microsoft has been waging a quiet battle in court against the threat group, which is believed to be affiliated with the GRU, Russia’s foreign intelligence agency. For now, the company has managed to seize control of 70 domain names, but it’s going after many more.

The idea of the lawsuit, which was filed in August 2016, is to use various federal laws—including the Computer Fraud and Abuse Act (CFAA), the Electronic Communications Privacy Act (ECPA), and American trademark law—as a way to seize command-and-control domain names used by the group, which goes by various monikers, including APT28 and Strontium. Many of the domain names used by Fancy Bear contain Microsoft trademarks, like microsoftinfo365.com and hundreds of others.

