Sunday, 24 November 2013

LG admits that its ‘Smart TVs’ have been watching users – and transmitting data without consent

Some LG ‘Smart TVs’ watch their owners – logging their viewing habits without their permission – and transmitting the information back to the company, LG has admitted. The TVs do this even if the user has specifically selected an option not to share data.
The behavior was first noted by a UK-based developer, Jason Huntley, as reported by The Register this week.
The television company advertised this data collection in a video for advertisers, according to Huntley’s blog, saying, “LG Smart Ad analyses users favourite programs, online behavior, search keywords and other information to offer relevant ads to target audiences. For example, LG Smart Ad can feature sharp suits to men, or alluring cosmetics and fragrances to women.”
However, Huntley said that even if you switched off the option for ‘collection of watching info’, the information was still transmitted to LG, including file names of users’ private videos.
Every time users changed channel, this information was transmitted, Huntley said, adding, “I made an even more disturbing find within the packet data dumps.  I noticed filenames were being posted to LG’s servers and that these filenames were ones stored on my external USB hard drive.  To demonstrate this, I created a mock avi file and copied it to a USB stick.”
The electronics giant has now admitted that some of its Smart TVs do collect information without consent. In a statement released by LG and reported by security expert Graham Cluley, the company said, “Recently, it has been brought to our attention that there is an issue related to viewing information allegedly being gathered without consent. A firmware update is being prepared for immediate rollout that will correct this problem on all affected LG Smart TVs so when this feature is disabled, no data will be transmitted.”
Cluley comments on his blog, “Glad to hear that it’s being removed with the firmware update, but how on earth do features that have only been partially implemented manage to ship in hundreds of thousands (maybe millions) of TVs that end up in consumers’ front rooms?” Cluley also noted that the company did not apologize.
“What does this say for LG’s quality control if surplus code, which hasn’t been properly tested, that sends details of what should be confidential filenames in *plaintext* across the internet, doesn’t get picked up before the product is bought?”
Earlier this year, a U.S. Senator has called on the manufacturers of Smart TVs to make their devices safer – after a demonstration of an attack which showed off how hackers could “spy” on users through a television’s built-in webcam, as reported by We Live Security here.
“You expect to watch TV, but you don’t want the TV watching you,” said Senator Charles E Schumer. “Many of these smart televisions are vulnerable to hackers who can spy on you while you’re watching tv in your living room. Manufacturers should do everything possible to create a standard of security in their internet-connected products.”
His comments came in the wake of a demonstration at the Black Hat security conference in Las Vegas, where a researcher showed off how to remotely activate the microphones and cameras in a Samsung Smart TV.

Tech Support Scammers: Talking to a Real Support Team

It so happens that I live over 5,000 miles from the ESET North America office in San Diego, and so tend not to have water cooler conversations with the people located there. Of course, researchers working for and with ESET around the world maintain contact through the wonders of electronic messaging, but there are lots of other highly capable people working at ESET that I don’t have much to do with. Like the support team at ESET North America who, like the other ESET support teams, dedicate their working days to sorting out malware problems for the company’s customers, but whom I rarely get to talk to, even on my occasional visits to California.
Strangely enough, although I’ve written an awful lot of blogs (and not a few papers and presentations) about support scams, I spend a lot less time tracking them than you might expect. Not only because I’m thoroughly bored with having the scammers themselves ring me to tell me that there is a non-existent problem with PC that they can fix for me for a few hundred pounds (dollars, yen, zlotys…), but because I don’t have that direct contact with their victims. But it turns out that while ESET support teams are mostly focused on real malware problems, they also get to talk to customers who believe that they’ve been getting support from ESET or its partners, but turn out to have been tricked by scammers.
An old friend now working with the support team at ESET recently mentioned a support call he received from a customer who believed he’d received a call from an ESET 3rd-party tech support rep who told him that his system had been corrupted and that it could be fixed for a not-so-small fee.  Sound familiar? Of course it does, though hopefully it’s not a sales technique you expect from the real ESET. Yet this is almost where I came in, back in 2010 when I first came across support scams. On that occasion the report mentioned a scammer “claiming to be from Microsoft, and informing him that notification had been received concerning a virus infection on his PC, and offering to help him to install antivirus software. When asked what antivirus software was being offered, the caller claimed that it was ESET’s.” (On that occasion, we think the scammer was installing a cracked version of ESET’s software.)
There is something different here, though: while it’s common for scammers to claim to be representing (or being affiliated with) Microsoft, as well as slightly less obvious companies such as Dell, or Cisco, or even BT, it seems they may now be claiming to represent ‘your’ anti-malware vendor.
In real life, of course, the scammer is no more able to tell what security software you can use than he is to determine anything else about your system. His aim is to convince you that he knows more than he really does – for instance, by convincing you that a standard CLSID identifier which is exactly for the same for countless Windows PCs is really a unique identifier for your system – so that you’ll give him access to your system and your credit card. However, since these scams are generally only successful with people who haven’t been reading my blogs become aware that such scams exist, it may be that saying something fluffy like “I’m calling on behalf of your AV vendor” is enough to convince them. ESET’s support team believe that this approach may be expanded to a dialogue something like this:
Scammer: Hello, we are calling you because we see your computer has a lot of infections and is approaching a system crash.  If you let me remote in I can assist with removing the infections to save your computer for only $300.00
User: Well that’s odd, I typically use <Insert Antivirus Name Here> and their support for issue like this.
Scammer: We are 3rd party support for <Insert Antivirus Name Here>, so we can support you.
User: “Oh that’s great!” or “Let me call <Insert Antivirus Name Here> first.”
Well, that’s a mild example of the sort of social engineering we associate with fake psychics or the Mentalist, where seemingly miraculous insights are actually developed from cues from the victim’s body language or a throwaway remark. In the present instance, the victim may not even realize that he was the first to mention the vendor’s name.
However, being cold-called by a scammer probably isn’t the only way in which people fall into the support scam trap. Martijn Grooten, Steve Burn and I wrote on this blog some time ago about a company with a very suspicious Facebook page, stuffed with testimonials with curious similarities in tone, phrasing and even misspelling, and apparently used to bolster a cold-calling campaign. (That FB page is still there, but almost all of its content has been removed.) We wrote at the time:
This line of investigation set us off looking at other support sites still under investigation where the content may be more original, but the quality of the advice leads to the suspicion that the idea is less to provide a proven step-through process than to create difficulties that will persuade the victim to follow the copious links to “computer technical support providers” or “Dell technical support” or “Linksys support”, all of which lead to the same support site.
…What is clear is that there are a lot of companies and sites out there offering support, and even if they aren’t the same people making scam cold-calls – which in some cases seems pretty unlikely – they are basing their appeal to visitors to their web sites on bona fides that are pretty difficult to verify…
Unfortunately, it also seems likely that we’re increasingly going to find Facebook pages and blog pages with scraped or even frankly deceptive content similarly used to add credibility to web sites whose authenticity doesn’t stand up to scrutiny.
In my discussions with the ESET support team and Aryeh Goretsky, it’s become clear that the situation has indeed deteriorated. Using Google and other search engines using search terms like ‘ESET support’ the team found tens of thousands of search hits and sponsored ads of one sort or another. Not all of these are malicious, or fake ESET sites, of course: some actually are ESET resources and some that aren’t may actually offer good advice, albeit at a price. Some undoubtedly are suspicious at best.
I’m not sure, though, why customers wouldn’t seek advice from the support resources provided by the vendor whose product they’ve bought rather than risk the random links (of very variable reliability) that a search engine is likely to bring up, even if it means not getting an instant response because your query arises out of hours. (And, of course, seeing what other avenues there are for contacting ESET support.) It’s fair to say, though, that it’s easier to get support for some products than for others. A few years ago, when I contributed answers to a site that encouraged security-related questions from the public, one of the most common group of questions related to getting support for an anti-virus product distributed through a well-known chain of supermarkets, for which contact details were very hard to find. However, most mainstream AV products will have a [Contact] link on their homepage.
Here’s how to contact ESET if you’re a customer with malware-related problems:
  • If you’ve received specific information about support from your local distributor when you bought the product, that’s the first place to look.
  • Go to  and check out the resources on the Support tab. This tab will offer a number of options, including a search facility, access to the ESET Knowledgebase, a form that enables you to contact Customer Care to submit a specific case, and a link to contact pages for ESET’s offices around the world.
  • You can also get there via the help and support facility in the product itself.
Aryeh points out that you can always receive support from your local ESET distributor or office, use the support form to contact support directly, or post a message on the ESET Security Forum (to which ESET staff contribute as well as other users of ESET’s products).  If you are in North America, you can also call the North America office toll-free at +1 (866) 343-3738 for assistance, or contact a US reseller.
Perhaps I should make it clear that different vendors handle support in many different ways: for example, support packages for enterprises may be very different to consumer packages, and there may be ‘premium rate’ packages that offer an enhanced service for consumers.
At the other end of the scale, vendors who have a product version that is completely free for non-commercial use (as opposed to a time-restricted trial version) generally don’t offer one-to-one support for the free version, though they may well have a forum for discussion with other users of the product, which may also be monitored by company employees. Free versions represent a problem for companies that offer them because there is no direct income to underwrite customer support for those products, and support services are expensive to provide.
One company did, for a while, offer support for its free product through a support centre in India that was able to underwrite its own costs by offering value-added for-fee services. The arrangement fell apart when the call-centre was believed to be expanding its operations far beyond that brief, in ways that were indistinguishable from the gambits used by support scammers, and quite rightly, the security company pulled the plug.

Berners-Lee: Government snooping threatens democracy

A close-up of Sir Tim Berners-Lee
Sir Tim Berners-Lee has warned that a "growing tide of surveillance and censorship" is threatening the future of democracy in the wake of the PRISM spying scandal that has rocked the tech industry this year.
The comments from the World Wide Web founder came ahead of the launch of the second annual Web Index report from the World Wide Web Foundation, which measures the web's contribution to development and human rights across the world. The report found that 94 percent of the countries studied did not meet "best-practice standards" when it came to keeping tabs on government snooping on electronic communications.
It also said that social media appeared to be a source for good and social change, with 80 percent of countries seeing social media playing a part in mobilising public action for various causes.
Berners-Lee said: "One of the most encouraging findings of this year's web index is how the web and social media are increasingly spurring people to organise, take action and try to expose wrongdoing in every region of the world."
"But some governments are threatened by this, and a growing tide of surveillance and censorship now threatens the future of democracy," he said. "Bold steps are needed now to protect our fundamental rights to privacy and freedom of opinion and association online."
Despite grave concerns over surveillance tactics from the GCHQ and the NSA, the UK and the US ranked third and fourth respectively in the Web Index rankings due to high levels of access and content that empowers and educates web users. Sweden and Norway took the first two spots on the list, with New Zealand in fifth.
Emerging economies such as Brazil, South Africa, India and China were all further down the list, with internet access for the masses still an issue. China ranked at number 57, mainly due to its strict censorship and surveillance.
Issues such as gender equality and education remain an issue for the World Wide Web Foundation, which criticised world leaders for not taking more action.
Anne Jellema, chief executive of the World Wide Web Foundation, said: "Ten years after world leaders committed to harnessing technology to build an inclusive information society, parents in 48 percent of countries can't use the web to compare school performance and budgets, women in over 60 percent of countries can't use the web to help them make informed choices about their bodies, and over half the population in developing countries can't use the web at all.
"Countries should accelerate action to make the web affordable, accessible and relevant to all groups in society, as they promised at the World Summit on the Information Society in 2003."
Berners-Lee will be joined today in London by Wikipedia founder Jimmy Wales to discuss the report's findings.

Phishers and firms both proving adept at online stalking

Security padlock image 
SAN FRANCISCO: For the past few years now we've had a steady influx of reports from the security community, warning us that cyber criminals are learning and emulating legitimate companies' strategies.
In the past this has been limited to actual businesses models, with criminal groups setting up cyber black markets and advertising networks that, apart from the illegal wares they sell, operate the same way as entirely legitimate ones.
However, having spent the week in San Francisco covering Salesforce's Dreamforce 2013 event, we've noticed a number of other interesting similarities between the two groups' attitudes towards customer data.
It's no secret; web user data is the new oil. Every drop of it is potentially worth a lot of money, especially if it comes from a business account. This is why every year we hear stories about criminal groups targeting executives in specific companies with sophisticated spy campaigns. These campaigns see the criminal find a soft target within a business they're interested in and then expertly stalk them online. The campaigns see the criminal follow the victim's activity on social media sites and the like, to get a better idea of what makes them tick.
This research is potentially usable in a variety of ways, though its most common application is in phishing scams. This is because the data can be used to alter the hook of a phishing message and make it look more legitimate. For example, if you see on Twitter the CTO of the company you want to hack is currently attending Dreamforce, include a sentence in the phishing message saying "great to meet you at the conference" or if you see he's just ordered a set of golf clubs, send a fake delivery notification. The strategy is fairly simple.
What's interesting is – having spoken to a number of Salesforce customers – we've found most marketing and sales departments follow exactly the same strategy when creating pitches. Speaking to Carlos Zamora, the vice president of BT Conferencing in North America, this phenomenon was drilled home to us when he explained the company's research process leading up to a pitch.
"As we look at how an opportunity is being progressed, we have a number of teams [to] work through a process. This begins with questions like 'Can we win?' 'Is it the type we want?' 'Is our solution the best?' and 'What extras would we need to provide?' Then we map it from the point of contact and find who the decision makers are," he said.
"When you identify your relationship map and plot the influencers, sponsors and contractors involved, you then have to find the best way to engage with those individuals. Nowadays this is done in a variety of ways including social media – what they like, what they do, how they think."
Sounds familiar, right?
To me, this isn't that scary, just good sense. After all, getting information on somebody you're trying to influence is, at the end of the day, common sense. It is, however, a stark reminder of quite how much of our privacy we give away using services such as Facebook and Twitter and the ever-important truth; free services aren't really free and shared information can be used against us.
Let's just hope criminals don't get quite so good at collecting and using it as Salesforce, which just posted its first $1bn quarter.

Workday plans analytics push as PRISM fails to stop cloud use

The chief technology officer (CTO) of HR cloud provider Workday has said many IT chiefs appear unconcerned by government snooping and still see the cloud as vital to their enterprise software needs.
Speaking to V3, Annrai O’Toole said that while the PRISM revelations have certainly put data security and privacy back in the spotlight, it has not changed the market for most IT chiefs – a sentiment echoed by Salesforce CEO Marc Benioff earlier this week.
“I don’t get the sense that CIOs are concerned about governments snooping on their data,” he said. “I think people are more concerned with making sure that they do things to make it very difficult for people, whoever they are, to look at their data.”
On this point, O’Toole said the global nature of data security and protection means many firms still see a dedicated cloud provider as a better means of keeping data secure.
“It doesn’t change what you need to worry about. If you have all your information on premise but it can be accessed across the world, then you’re into all sorts of data-protection regulations and making sure you apply the right policies,” he said.
“I think more and more people are realising they have these issues and vendors like Workday can do a good job as we put a lot of investment into being up to date with these regulations.”
As part of the ongoing push around its products and providing benefits to customers, the IT chief said pushing more analytical capabilities into Workday is high on the agenda for the next year.
"I think a big part of the whole cloud story is analytics. For me cloud itself isn’t so important, it’s the outcomes that it engenders. These are driven by analytics, which is allied to cloud computing, but it’s much bigger,’ he said.
The future for Workday, having beefed up its own offering in 2013, is to improve this to focus on integration with other data sets, O'Toole explained.
“We think we offer great analytics on Workday data, but we want to extend that so we can [bring] in more non-Workday data from other enterprise systems and social media," he said.
“The ability to more easily combine financial data with HR data in a single system and to understand the financial implications of people’s behaviour’s is very complicated to do today.”
O'Toole did not provide any firm timelines for future updates of this nature, but said plans were on the roadmap for 2014 around its product portfolio.
The demand for better data insights and analytics is affecting many industries at present, with F1 teams just some of those looking to use big data to help beat the competition.

NSA compromised more than 50000 networks with malware

A new report based on documents leaked by Snowden revealed that the NSA placed malicious software on more than 50000 networks around the world.

The NSA infected more than 50000 networks worldwide with malicious software designed to steal sensitive information. The large-scale cyber espionage operation was revealed once again by documents provided by former NSA consultant Edward Snowden according to Dutch media outlet NRC.
“The NSA declined to comment and referred to the US Government. A government spokesperson states that any disclosure of classified material is harmful to our national security.” reported NRC.
The news is not surprising but once again raises the debate on the effrontery US surveillance program that created a complex and efficient global spying machine.
The documents include a presentation dated 2012 that details how the NSA operates worldwide to steal information exploiting Computer Network Exploitation (CNE) in more than 50000 networks.
nsa compromised 50000 networks
Computer Network Exploitation is a secret system malware based used to compromise the computers within targeted networks and steal sensitive data. Security experts believe that the telecoms were the most likely targets for the malware, they are confident that the CNE was used in September 2013 to hack the Belgium telecom provider Belgacom. The GCHQ (British Government Communications Headquarters) used fake LinkedIn and Slashdot to hack Belgacom, OPEC & others GRX providers, the cyber espionage operation was conducted to install malware in the Belgacom network in order to tap their customers’ communications and data traffic.
NSA’s Computer Network Operations program describes Computer Network Exploitation as a key part of the program’s mission that “includes enabling actions and intelligence collection via computer networks that exploit data gathered from target or enemy information systems or networks.”
The slides recently published report on top and bottom a stripe reads, “REL TO USA, AUS, CAN, GBR, NZL”, known as five eyes nations that include the U.S., U.K., Canada, Australia, and New Zealand. Those countries work together conducting intelligence operations and sharing the same orientation on surveillance matter, they recently were opposed to the United Nations’ anti-surveillance, right-to-privacy draft resolution called “The Right to Privacy in the Digital Age“.
The US hacking campaigns are performed by a special department of US cyber units known as called TAO (Tailored Access Operations) that I also mentioned when I described the FOXACID architecture. TAO employs more than a thousand high profile hackers, in August the Washington Post reported that the NSA installed an estimated 20,000 ‘implants’ as early as 2008, by mid-2012 this number had more than doubled to 50,000.
The malware used for cyber espionage are software agents that could remain undetected for a long time, the NSA-presentation shows their CNE-operations in countries such as Venezuela and Brazil.
Since now the NSA declined to comment and referred to the US Government, the NRC concludes its article remarking that the Dutch government’s intelligence service has also its own hacking unit, but that it’s prohibited by law the hack on foreign networks to conduct similar cyber operations.

Web Malware: Out of the Shadows and Hiding in Plain Sight

There is an all-too common misconception that in order to become infected with web-propagated malware, you must visit sketchy parts of the Internet’s underbelly or a website within that broad class of which is “not safe for work.” Thus, when you admit to your buddies that your computer is beset by malware, one of them invariably makes some sort of joke about how you’ve been spending too much time on this or that pornographic website.
In reality though, the old days of becoming infected with malware by visiting adult websites are largely over. Those websites, unlike most, probably make money. Therefore, it behooves them to ensure that they are not infected with malware.
In my experience, most malware infected websites are the ones that no one expects to be infected with malware.
With any malware infection, there are really two primary philosophies, trawling and spear-phishing. On the one hand, you can cast as wide a net as possible in order to catch as many fish as possible; the strategy for botnet operators and the progenitors of banking trojans. On the other hand, you pick a fish, go to where it lives, set your hook with the kind of bait you know it likes to eat, and catch it. Likewise, you can find a vulnerability in a popular site and infect it with malware in order to draw in as many infections as possible. Or you can find a vulnerability in a site that you think your intended target will visit. This second method has a name. Its name is a watering hole attack, which derives from wilderness reality that ambush predators hide near water sources, where they know their prey will eventually have go to drink. These predators merely wait until their prey’s head is down to drink, and they attack. Similarly, an attacker will estimate which sites his target is likely to visit and look for vulnerabilities in them.
The broad-style of attack manifested itself last week when the popular humor website cracked[dot]com was infected with malware. Researchers from Barracuda Labs expressed concerns that the number of infections arising from this attack could be quite high considering that the site ranks 289 in the U.S. and 654 globally, according to the Web information firm, Alexa. Similarly, the web-developer resource site PHP[dot]net was recently infected according to Spiderlabs research, as were a small handful of Russian banking sites (you may need to brush up on your Russian to read this).
The more refined or targeted style of attack is perhaps best demonstrated by the rash of watering hole attacks targeting the Department of Labor websites earlier this year. In this case, the targets were likely individuals with access to sensitive government networks. More recently, researchers from the security firm FireEye reported a watering hole attack against an unnamed U.S.-based non-governmental organization (NGO) website hosting domestic and international policy guidance.
In general, the point is this: who would think that the Department of Labor’s website would be serving malware? But that’s the point exactly: to infect an unlikely site where visitors have their guards down.
There is no such thing as perfect security. You never know where an attacker may be hiding malware. They use automated tools to determine which websites contain exploitable vulnerabilities. Therefore, you’re dually relying on the website administrators install updates that will have to have been built by the various software vendors. If admins are anything like normal Internet user’s then they probably aren’t very good about implementing patches. For sure, vendors are much better than they used to be about building patches, but there are still an alarming number of companies in this space with no patch schedule whatsoever.
Because of all of this, the easiest way to protect yourself from websites containing malware is to run an antivirus program, pay attention to browser warnings, and read security news, whether you are surfing on your PC, Mac, tablet or phone.

i2Ninja – A new financial malware being sold on Russian underground

Trusteer researchers have uncovered a sneaky piece of financial malware, known as i2Ninja, being sold on a Russian cyber crime forum.

A new financial malware dubbed i2Ninja menaces banking, despite it has yet to be discovered in the wild, researchers at the IBM company Trusteer have found a sneaky piece of the malicious code on the underground.
i2Ninja is being sold on a Russian cybercrime forum, the  underground provides at the ideal marketplace for buying and selling malicious code or to request their customization exploiting the sale model known as  malware-as-a-service. In the past financial malware such as Zeus, Spyeye,Carberp, Citadel and many others financial malware were proposed on black market forums allowing the authors to remain low profile.
i2Ninja is a peer-to-peer trojan that can be used by cyber criminals to steal credit card and other financial information, it presents the same features of the most popular financial malware. The i2Ninja malware takes its name from I2P, an anonymizing network similar to Tor.
"According to a post on the Russian cybercrime forum, i2Ninja offers a similar set of capabilities to the ones offered by other major financial malware: HTML injection and form grabbing for all major browsers (Internet Explorer, Firefox and Chrome), FTP grabber and a soon to be released VNC (Virtual Network Connection) module. In addition, the malware also provides a PokerGrabber module targeting major online poker sites and an email grabber."
The infection process is the classic drive-by infection schema proposing to the victims fake advertisements and bogus links, but the malware could be used to infect specific targets through spear phishing campaign.
i2Ninja has different HTML injection capabilities and will soon provide a virtual network computing (VNC) module for remote control like other popular malware families.
“Once a VNC capable malware infects a device, the attacker's options are almost limitless.” said Etay Maor, fraud prevention solutions manager at Trusteer.
Another interesting capability of i2Ninja is that It could be used also to target users of gaming websites like poker sites and grabbing email.
Maor sustains that the use of I2P is a winning choice, I2P is the “true Darknet” that offers better protection than Tor and makes more difficult to research and understand the malware's infrastructure and capabilities, but the researcher also added that it is only a matter of time before the I2P encryption is broken like happened for Tor in the case of the exploiting of a Firefox vulnerability.
"Using the I2P network, i2Ninja can maintain secure communications between the infected devices and command and control server. Everything from delivering configuration updates to receiving stolen data and sending commands is done via the encrypted I2P channels. The i2Ninja malware also offers buyers a proxy for anonymous Internet browsing, promising complete online anonymity. "
It is not easy to predict the impact of i2Ninja on the banking but the malware seems to be in high demand.
“The cyber criminal offering the malware in the underground indicated he has enough business due to the malware's underground publicity and indicated he cannot handle more requests to buy the malware,” “The cyber criminal who posted the information regarding i2Ninja is a known and credible forum member.” Maor said.
Below is a translation from Russian post of the ad for i2Ninja:
Last observation on the malware is related to the customer service offered by the authors,  i2Ninja provides an integrated help desk via a ticketing system within the malware’s command and control. A potential buyer can interact with support team always in an anonymous way via I2P.
"While some malware offerings have offered an interface with a support team in the past (Citadel and Neosploit to name two), i2Ninja’s 24/7 secure help desk channel is a first."
Cybercriminal activities are growing at an alarming rate, the release of various malware source code and the sale of new malicious agents are evidence of the fertility of the underground.

Hacking Google Gmail accounts exploiting password reset system flaw

Security researcher Oren Hafif demonstrated how to hack a Google Gmail account exploiting a serious flaw in the password reset process.

A serious vulnerability in the password reset process of Google account allows an attacker to hijack any account, this is the sensational discovery made by security researchers Oren Hafif.
that password recovery is often in the center of attention for attackers – and for security professionals.” reported Oren.
Oren demonstrated the feasibility of a common spear-phishing attack relying on a number of flaws including Cross-site request forgery (CSRF) and cross-site scripting (XSS). An attacker sends to the targeted account a fake “Confirm account ownership” email, claiming to come from Google.
Following the canonic scheme of attack the link embedded in the fake e-mail asks the recipient to confirm for the ownership of the account and requests victim to change the password.
The link in the email points to an HTTPS URL, but exploiting a CSRF attack with a customized email address it leads the victim to a website controlled by attackers.
” The link should actually refer to an attacker’s site (and it does):” The attacker’s site performs a CSRF with the customized email address, and once completed – launches the XSS exploit. The code might look like this:” said Oren.
Google mail attack code
the code above, reads a Hash parameter (“Email”) for the victim’s email. It creates an invisible image and puts an “initialize password recovery” link as its source.After the request is processed, an Error event is thrown (since this is not really an image).”
The Google HTTPS page will ask the victim to confirm the ownership by entering his last password and then will ask to reset his password.
Hacking Google Gmail account
Hacking Google Gmail account 2
Hacking Gmail account email link
At this point the hacker has grabbed victim new password and cookie information with an XSS attack.
“The onError handler now redirects to the XSS’d URL, The user clicks “Reset Password”… and from here the sky is the limit.”
Google Gmail xss attack
The researcher published a proof of concept video to demonstrate the attack:
Hafif reported the flaw to the Google Security department and Google has promptly fixed the issues assigning a reward of $5,100 under their Bug Bounty Program.

Facebook vulnerability allows to view hidden Facebook Friend List

Researcher Irene Abezgauz  from the Quotium Seeker Research Center discovered a Facebook flaw that allows anyone to see a profile’s private friend list.

Facebook is the privileged target for hackers and cybercriminals, the popular social network is a mine of data that could be used to acquire information on a specific target or to conduct criminal activities involving a large audience (e.g. Serve a malware, conduct a phishing campaign, arrange cyber fraud).Through the analysis of mutual relationship between users an attacker could elaborate the proper strategy to hit a victim, or a group of individuals. There are numerous tools that could be exploited to automatize the reconnaissance process through , and numerous are the functionality that could be used for useful researched.Recently I’ve published a post to describe the work of experts Werrett and Lee that demonstrated how to conduct a powerful analysis using FBStalker, a tool created to find a comprehensive amount of data on any Facebook user.
FBStalker reverse-engineers the Facebook Graph to find information on every user, the tool does not require a direct friendship with targeted profiles, it just needs to access to parts of victim’s posts marked as public.Through the use of Graph Search data mining activities has become very easy, Graph Search mines Facebook’s vast user data returning personalized results from natural-language queries. Using it is possible to discover what individuals like, where people have visited and if they share those same preferences with their friends.”
The study of friend list is another powerful practice to profile a target, but it is known that through privacy setting Facebook users can make the friend list public or private, if friend list is made private it will be not visible on publicly viewable profile.
The security researcher Irene Abezgauz  from the Quotium Seeker Research Center has discovered a Facebook flaw that allows anyone to see a users’ friend list, even when it is made private.
Facebook friend list

The researcher demonstrated how to access to the friend list abusing the Facebook feature “People You May Know” implemented by the social networks to suggests new friends to its users.
The feature analyzes Facebook mutual connections, related level, and many other criteria to suggests friends.
The first step is the creation of a fake Facebook profile used to send a friend request to the target account.
Even if the targeted user never accepted the request, the attacker could see that person’s friend list via the “People You May Know” feature. Clicking on the ‘see all’ button the attacker can expand the list to view hundreds of suggestions of users who are friends with the victim.
“As part of the research for this vulnerability we wanted to verify the exact conditions under which this was possible. The friends chosen for the victim were users who also had their friends list set to private. In addition, no interactions took place between the users except for the sending of friend requests. This is data which is not publicly available to any user who is not a friend of the victim.” states the post.
FB replied that:
”If you don’t have friends on Facebook and send a friend request to someone who’s chosen to hide their complete friend list from their timeline, you may see some friend suggestions that are also friends of theirs. But you have no way of knowing if the suggestions you see represent someone’s complete friend list.”
This Facebook hasn’t recognized Irene Abezgauz’s discovery, but maybe it’s better to evaluate it again in fact most of the friend list members is available to the attacker and even if it represents a partial friend list is a violation of user-chosen privacy controls.

(FVEY) Five Eyes spying alliance will survive Edward Snowden

Britain needed US intelligence to help thwart a major terror attack. New Zealand relied on it to send troops to Afghanistan. And Australia used it to help convict a would-be bomber. All feats were the result of a spying alliance known as Five Eyes that groups together five English-speaking democracies, and they point to a vital lesson: American information is so valuable, experts say, that no amount of global outrage over secret US surveillance powers would cause Britain, Canada, Australia and New Zealand to ditch the Five Eyes relationship. The broader message is that the revelations from NSA leaker Edward Snowden are unlikely to stop or even slow the global growth of secret-hunting - an increasingly critical factor in the security and prosperity of nations. "Information is like gold," said Bruce Ferguson, the former head of New Zealand's foreign spy agency, the Government Communications Security Bureau. "If you don't have it, you don't survive."
The Five Eyes arrangement underscores the value of this information - as well as the limitations of the information sharing. The collaboration began during World War II when the allies were trying to crack German and Japanese naval codes and has endured for more than 70 years. The alliance helps avoid duplication in some instances and allows for greater penetration in others. The five nations have agreed not to spy on each other, and in many outposts around the world, Five Eyes agencies work side by side, allowing for information to be shared quickly. But Richard Aldrich, who spent a decade researching a book on British surveillance, said some Five Eyes nations have spied on each other, violating their own rules. The five countries "generally know what's in each other's underwear drawers so you don't need to spy, but occasionally there will be issues when they don't agree" - and when that happens they snoop, Aldrich said.
In Five Eyes, the US boasts the most advanced technical abilities and the biggest budget. Britain is a leader in traditional spying, thanks in part to its reach into countries that were once part of the British Empire. Australia has excelled in gathering regional signals and intelligence, providing a window into the growing might of Asia. Canadians, Australians and New Zealanders can sometimes prove useful spies because they don't come under the same scrutiny as their British and American counterparts. "The United States doesn't share information," said Bob Ayers, a former CIA officer, "without an expectation of getting something in return."
Britain is home to one of the world's largest eavesdropping centres, located about 300 kilometres north-west of London at Menwith Hill. It's run by the NSA but hundreds of British employees work there, including analysts from Britain's eavesdropping agency, the Government Communications Headquarters - or GCHQ.
Australia is home to Pine Gap, a sprawling satellite tracking station located in the remote centre of the country, where NSA officials work side-by-side with scores of locals. The US also posts three or four analysts at a time in New Zealand, home to the small Waihopai and Tangimoana spy stations.

Twitter Toughening Its Security to Thwart Government Snoops

A year ago, hardly anyone, save for cryptographers, had heard of Perfect Forward Secrecy. Now, some customers are demanding it, and technology companies are adding it, one by one, in large part to make government eavesdropping more difficult.
On Friday, Twitter will announce that it has added Perfect Forward Secrecy, after similar announcements by Google, Mozilla and Facebook. The technology adds an extra layer of security to Web encryption to thwart eavesdropping, or at least make the National Security Agency’s job much, much harder. (Update: Twitter has announced the security change on its blog.)
Until Edward J. Snowden began leaking classified documents last summer, billions of people relied on a more common type of security called Transport Layer Security or Secure Sockets Layer (S.S.L.) technology to protect the transmission of sensitive data like passwords, financial details, intellectual property and personal information. That technology is familiar to many Web users through the “https” and padlock symbol at the beginning of Web addresses that are encrypted.
But leaked N.S.A. documents make clear that the agency is recording high volumes of encrypted Internet traffic and retaining it for later cryptanalysis. And it’s hardly the only one: Iran, North Korea, and China all store vast amounts of Internet traffic. More recently, Saudi Arabia has been actively trying to intercept mobile data for Twitter and other communication tools.
The reason governments go to great lengths to store scrambled data is that if they later get the private S.S.L. keys to decrypt that data — via court order, hacking into a company’s servers where they are stored or through cryptanalysis — they can go back and decrypt past communications for millions of users.
Perfect Forward Secrecy ensures that even if an organization recording web traffic gets access to a company’s private keys, it cannot go back and unscramble past communications all at once. Perfect Forward Secrecy encrypts each web session with an ephemeral key that is discarded once the session is over. A determined adversary could still decrypt past communications, but with Perfect Forward Secrecy the keys for each individual session would have to be cracked to read the sessions’ contents.
Perfect Forward Secrecy was invented more than 20 years ago, and Paul Kocher, a leading cryptographer, put support for Perfect Forward Secrecy into the S.S.L .protocol. But companies have been reluctant to use it because it slows website and browser performance, uses resources and because — until Snowden — most consumers did not even know it existed. Unlike S.S.L. technology, there is no indication to a user that Perfect Forward Secrecy is enabled.
This tougher security is quickly becoming a must-have for Internet companies.
Earlier this week, Marissa Mayer, the chief executive of Yahoo, announced that Yahoo would introduce new security features in 2014. But, on Twitter, some consumers were quick to point out that Perfect Forward Secrecy was conspicuously absent from her blog post.
“With security, there are always the things you know you ought to do,” Mr. Kocher said in an interview. “But it’s not until you have a clear adversary that it’s much easier to justify the resources to go fix the problem.”
At Twitter, Jacob Hoffman-Andrews, a security engineer, had been pushing the company to adopt forward secrecy for some time, but did not get much support for the project until the Snowden leaks.
That showed “there really were organizations out there in the world that were scooping up encrypted data just so they could try to attack it at a large scale,” said Jeff Hodges, another Twitter software engineer. “We were like, oh, we need to actually spend some more time and really do this right.”
Actually installing and turning on the technology took only a few months, once Twitter decided to do it, both men said in an interview. That was in part because Google, an early pioneer in the technology, had worked out many of the kinks in Perfect Forward Secrecy and shared its knowledge with the security community.
Perfect Forward Secrecy does add a slight delay to a user’s initial connection to Twitter — about 150 milliseconds in the United States and up to a second in countries like Brazil that are farther away from Twitter’s servers. But the company said the extra protection was worth the delay.
Twitter said it turned on Perfect Forward Secrecy on Oct. 21, although it refrained from publicizing the change immediately to make sure there were no problems.
Twitter said it hoped that its example would prompt other companies to adopt the technology.
“A lot of services that don’t think they need it actually do,” Mr. Hodges said.