Saturday, 7 December 2013

Majority of Mobile Apps Have Serious Security Flaws

Apps frequently have access to data they don't need, or permission to use hardware and services that have nothing to do with what they do. A recent study shows the problem is much more widespread than we thought.
HP researchers examined more than 2,000 iOS apps between October and November and found that nine out of ten had serious vulnerabilities, according to the study released last month. The issues included excessive permissions, unencrypted stored data, and insecure transmission of data. A game doesn't need access to your address book, and there is no reason for a weather app to have permission to send email. If an app doesn't protect the data it has access to, or doesn't properly secure how it uses core operating system components, the device becomes vulnerable to attack.
Mobile devices are "prime targets for attack, with vulnerable applications providing access to sensitive data," said Mike Armistead, vice president and general manager of the enterprise security products group at HP's Fortify.
In the study, researchers used HP Fortify on Demand, an automated binary and dynamic analysis engine, to test 2,107 applications drawn from 22 categories, including productivity and social networking. Although the study focused on custom enterprise applications, it is not a stretch to assume that similar security and privacy issues are present in the apps found on the Apple App Store or Google Play.
Not Protecting Data
Nearly all (97 percent) of the tested apps accessed at least one "private information source," such as the personal address book or social media pages, or made use of Bluetooth or Wi-Fi connectivity. What's worrying is that a staggering 86 percent of those applications did not have adequate security measures in place to protect that private data, the study found.
Approximately 75 percent of applications used encryption incorrectly when storing data on the device, the study found. Data left unprotected included passwords, personal information, session tokens, documents, chat logs and photographs.
It was reassuring to see that only 18 percent of the applications tested sent usernames and passwords over plain HTTP; the rest used SSL/HTTPS. However, nearly 20 percent of those using HTTPS implemented it incorrectly, which leaves the data exposed to interception by an attacker positioned on the network path.
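The study does not say which HTTPS implementation mistakes it counted, so the following is an added example (not code from HP, Fortify or the study) of the client-side checks whose omission is what turns "uses HTTPS" into "readable by a man-in-the-middle": trusting only a real chain, matching the host name against the certificate, and honouring the validity period. The certificate dict is constructed in the shape Python's ssl.getpeercert() returns; the host names and dates in it are invented.

```python
"""Checks an HTTPS client must not skip on the server certificate.

Added example for this article, not code from HP Fortify or the study.
SAMPLE_CERT and the dates below are constructed test data in the format
returned by ssl.SSLSocket.getpeercert().
"""
import socket
import ssl
from datetime import datetime, timezone


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Does the certificate name the host we dialled?

    Only DNS entries in subjectAltName are consulted (the Common Name is
    ignored, as modern verifiers do). A wildcard is honoured only as the
    whole left-most label: "*.example.com" matches "api.example.com" but
    not "example.com" or "a.b.example.com".
    """
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*.") and "*" not in pattern[2:]:
            suffix = pattern[1:]  # ".example.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


def cert_is_current(cert: dict, at: datetime) -> bool:
    """Is the instant `at` inside the notBefore..notAfter window?"""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= at.timestamp() <= not_after


def insecure_context() -> ssl.SSLContext:
    """The 'works with any server' configuration that breaks HTTPS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # accepts a self-signed MITM certificate
    return ctx


def hardened_context() -> ssl.SSLContext:
    """System trust store, hostname check, certificate required."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_verifies(ctx: ssl.SSLContext) -> bool:
    """True only if the context rejects an untrusted or mis-named peer."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def verify_peer(cert: dict, hostname: str, at: datetime) -> list:
    """Reasons to reject the certificate (empty list means accept).

    Chain trust is delegated to the SSLContext; these are the two checks
    that hand-rolled trust code most often drops.
    """
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append("hostname mismatch")
    if not cert_is_current(cert, at):
        problems.append("outside validity period")
    return problems


def open_tls(hostname: str, port: int = 443) -> ssl.SSLSocket:
    """Dial with the hardened context; a bad chain or name fails the
    handshake instead of silently proceeding. Not run here (needs network)."""
    raw = socket.create_connection((hostname, port), timeout=10)
    return hardened_context().wrap_socket(raw, server_hostname=hostname)


# Constructed certificate and probe times (not real data).
SAMPLE_CERT = {
    "subject": ((("commonName", "api.example.com"),),),
    "subjectAltName": (("DNS", "api.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Nov  1 00:00:00 2013 GMT",
    "notAfter": "Nov  1 00:00:00 2014 GMT",
}
DURING_VALIDITY = datetime(2013, 12, 7, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2015, 1, 1, tzinfo=timezone.utc)
```

The point of insecure_context() is that it handshakes successfully with any certificate an interceptor presents, so the traffic is encrypted only to the attacker; the hardened context fails closed, and verify_peer() shows what a custom delegate or trust manager has to reproduce if it insists on doing the work itself.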
Developers Need to Step Up
In general, mobile operating systems, Android and iOS alike, are getting better at explicitly describing which permissions an app requests, and there are stricter guidelines about what types of data apps may access. However, the burden is still on the user to read the list of permissions, understand the implications, and decide whether the requests are reasonable.
The better scenario would be if developers built security and privacy into the apps from the start. They need to think about how their apps interact with other apps and the operating system. They need to consider how their apps can securely access data.
Businesses need to switch from "fast to market," to "secure and fast to market," HP said.

How Morgan Freeman got confused for Nelson Mandela

Oh, the horrors of the internet: if you put the keywords "Nelson Mandela RIP" into Google search, you get a picture of Morgan Freeman's face captioned "RIP". The picture appears to have been uploaded to a website and picked up by the search engine.

So tell me, did you search and find Morgan Freeman?

1.5 million euros stolen and 13 people detained in the Russian Blackhole exploit kit case

The Investigation Department of the Russian Ministry of Internal Affairs has opened a criminal case under Parts 1 and 2 of Article 210 of the Criminal Code of the Russian Federation (creating, and participating in, a criminal association (criminal organization) for the purpose of jointly committing one or more serious or especially serious crimes).
According to investigators, since 2011 a criminal group operating on the territory of the Russian Federation specialised in the large-scale theft of funds from accounts that individuals and legal entities held at various credit institutions. The group spread malicious software ("banking Trojans") over the Internet and then used it to gain unauthorised access to legally protected computer information (logins, passwords, electronic keys and certificates).
The malware was loaded onto victims' computers through software vulnerabilities exploited by the "Blackhole" exploit kit.
Information about the infected computers was then sent to purpose-built command-and-control servers, combined into a network run by the group's partners, for subsequent remote access and copying of data. Using the stolen credentials, members of the group prepared fraudulent payment orders in the name of the account holders and sent them to the lenders, naming as recipients individuals and entities controlled by the group.
Investigators found that the group's activity affected customers of Russian banks in Moscow, Tyumen, Ulyanovsk, Krasnodar, Petrozavodsk and the Kursk region.
Police arrested and charged 13 people suspected of creating and participating in this interregional criminal group. Among those detained and charged is the alleged creator of the exploit kit.
The total damage from the suspects' actions amounted to about 70 million rubles.
The founders and members of the group have been remanded in custody.

eBay Founder Pierre Omidyar Calls for Leniency for Anonymous 'PayPal 14' hackers

The group, which has become known as the 'PayPal 14', was arrested in 2011 and charged with taking part in a distributed denial of service (DDoS) attack against PayPal on 8 December 2010.
They are due to appear before a Federal Court in the US this week, all facing two federal felony charges, which carry a combined maximum sentence of 15 years in jail and a $500,000 (£306,000, €369,000) fine.
It is unknown how many members of Anonymous took part in the attack, but only 14 people were ever arrested. It was reported that the vast majority of traffic was directed by two large botnets, controlled by hackers, who directed all infected computers towards the PayPal site.
The Anonymous-organised attack was a response to PayPal's decision to suspend WikiLeaks' account with the online payment service.
PayPal's website was down for an hour on 8 December and another brief period on 9 December. The company estimates the damage caused by the attack was $5.5 million and it provided the FBI with 1,000 IP addresses of its attackers.
Pierre Omidyar is the founder and chairman of eBay, PayPal's parent company, and in an article for the Huffington Post he has called on prosecutors to show leniency towards the PayPal 14.

Close to home

Omidyar says that as someone "deeply committed to government transparency, press freedoms and free expression, these issues hit close to home."
Omidyar has been  in the news recently for his new online publication called NewCo which will feature Glenn Greenwald as its star journalist and will have "the First Amendment at its core."
The eBay founder said that prior to the cyberattack on 8 December 2010 he had expressed concerns to company management about the decision to suspend WikiLeaks' account.
The attack on PayPal affected not only the company but also the people who rely on it to do business: "An attack on PayPal's servers hurts these vulnerable people far more than it hurts a multinational company."

Online protest

However, Omidyar recognises that members of Anonymous felt they were just taking part in an online protest:
"I can understand that the protesters were upset by PayPal's actions and felt that they were simply participating in an online demonstration of their frustration. That is their right, and I support freedom of expression, even when it's my own company that is the target."
The sentence handed down to the PayPal 14 will be based on the amount of damage prosecutors say was caused by the attack on PayPal's servers. However, the 14 defendants are likely to be held responsible for the total damage caused by everyone who took part in the attack, who could number in the thousands.


Prosecutors are also planning to tell the court that the damages figure should include the cost of upgrading PayPal's systems to protect them from such attacks in the future.
Omidyar believes this is unfair and that each individual should only be charged for the damage they caused and for "the pay and overtime pay required for employees to respond to the attack."
"Prosecutors should also look at the circumstances of each defendant, and examine whether or not they were aware of the excessive impact their actions might have. They may have believed they were participating in a legitimate online protest and not aware of the multiplicative effect of the tools they were installing."
The eBay founder believes the charges the PayPal 14 are facing are too serious for the crime committed: "In those cases, I believe justice requires leniency. In my view, they should be facing misdemeanor charges and the possibility of a fine, rather than felony charges and jail time."

10 times more throughput on optic fibers

EPFL scientists have shown how to achieve a dramatic increase in the capacity of optical fibers. Their simple, innovative solution reduces the amount of space required between the pulses of light that transport data.
Optical fibers carry data in the form of pulses of light over distances of thousands of miles at amazing speeds. They are one of the glories of modern telecommunications technology. However, their capacity is limited, because the pulses of light need to be lined up one after the other in the fiber with a minimum distance between them so the signals don't interfere with each other. This leaves unused empty space for data in the fiber.
EPFL's Camille Brès and Luc Thévenaz have come up with a method for fitting pulses together within the fibers, thereby reducing the space between pulses. Their approach, which has been published in Nature Communications, makes it possible to use all the capacity in an optical fiber. This opens the door to a ten-fold increase in throughput in our telecommunications systems.
Fiber optics at a crossroads
"Since it appeared in the 1970s, the data capacity of fiber optics has increased by a factor of ten every four years, driven by a constant stream of new technologies," says Camille Brès, of the Photonics Systems Laboratory (PHOSL). "But for the last few years we've reached a bottleneck, and scientists all over the world are trying to break through."
There have been several different approaches to the problem of supplying more throughput to respond to growing consumer demand, but they often require changes to the fibers themselves. That would entail pulling out and replacing the existing infrastructure. Here, the EPFL team took a different approach, looking at the fundamental issue of how to process the light itself, i.e., how best to generate the pulses that carry the digital data. This approach would not entail a need to replace the entire optical fiber network. Only the transmitters would need to be changed.
Traffic problems on the information superhighway
In modern telecommunications exchanges, for example when two cell-phones are communicating with each other, the data are transported between the two antennae on optical fibers, by means of a series of light pulses that form codes.
Simply put, an "on" pulse corresponds to the number 1, while an "off" pulse corresponds to 0. The messages are thus sets of ones and zeros. These codes are decoded by the receiver, providing the initial message. The problem with this system is that the volume of data transmitted at one time can't be increased. If the pulses get too close together, they no longer deliver the data reliably. "There needs to be a certain distance between each pulse, so they don't interfere with each other," says Luc Thévenaz, of EPFL's Fiber Optics Group (GFO). However, the EPFL team noticed that changes in the shape of the pulses could limit the interference.
Pulses that fit together like a jigsaw puzzle
Their breakthrough is based on a method that can produce what are known as "Nyquist sinc pulses" almost perfectly. "These pulses have a shape that's more pointed, making it possible to fit them together, a little bit like the pieces of a jigsaw puzzle lock together," says Camille Brès. "There is of course some interference, but not at the locations where we actually read the data."
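As an added illustration (not part of the EPFL article) of why the interference falls "not at the locations where we actually read the data", take the pulse the text names, the sinc pulse, with symbol period $T$:

$$p(t)=\operatorname{sinc}\!\left(\frac{t}{T}\right)=\frac{\sin(\pi t/T)}{\pi t/T},\qquad P(f)=\int_{-\infty}^{\infty} p(t)\,e^{-j2\pi f t}\,dt=T\operatorname{rect}(fT)=\begin{cases}T,&|f|<\dfrac{1}{2T}\\[4pt] 0,&|f|>\dfrac{1}{2T}\end{cases}$$

The rectangular spectrum is exactly the "all frequencies at the same intensity" condition described later in the article. In time, $p(0)=1$ and $p(kT)=0$ for every integer $k\neq 0$, so a train of pulses spaced $T$ apart,

$$y(t)=\sum_{n} a_n\,p(t-nT),\qquad y(kT)=\sum_{n} a_n\,p\big((k-n)T\big)=a_k,$$

overlaps everywhere except at the sampling instants $t=kT$, where each sample sees only its own symbol $a_k$. This is the zero-intersymbol-interference (Nyquist) condition: the symbol rate $1/T$ equals twice the lowpass bandwidth $1/(2T)$, the densest packing the channel bandwidth allows.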
The first to "solve" the puzzle
The idea of putting pulses together like a puzzle to boost optic fibers' throughput isn't new. However, the "puzzle" had never been "solved" before: despite attempts using sophisticated and costly infrastructures, nobody had managed to make it work accurately enough - until now. The EPFL team used a simple laser and modulator to generate a pulse that is more than 99% perfect.
Fine-tuning the system
Practically speaking, the shape of pulse is determined by its spectrum. In this case, in order to be able to generate the "jigsaw puzzle," the spectrum needs to be rectangular. This means that all the frequencies in the pulse need to be of the same intensity. Professors Brès and Thévenaz had this in mind when modulating their lasers.
Simple lasers are generally made up essentially of just one color - i.e., one optical frequency - with a very narrow spectrum. This is rather like a violin that has only one string. However, a laser can be subtly modulated (using a device called a modulator) so that it has other colors/frequencies. The result is a pulse composed of several different colors, with a larger spectrum. The problem is that the pulse's main color generally still tends to be more intense than the others. This means the spectrum won't have the rectangular shape needed. For that, each color in the pulse needs to be of the same intensity, rather like getting the strings of a violin to vibrate with the same force, but without making any other strings nearby vibrate.
The team thus made a series of subtle adjustments based on a concept known as a "frequency comb" and succeeded in generating pulses with almost perfectly rectangular spectrum. This constitutes a real breakthrough, since the team has succeeded in producing the long-sought-after "Nyquist sinc pulses." Professor Thévenaz recounts how it all started: "Camille and I were talking with a Visiting Professor at the University of Leipzig, and we realized that by teaming up we might be able to develop this new approach."
The technology is already mature
The new pulses could well generate interest among many telecommunications-industry market participants. The technology is already mature, as well as 100% optic and relatively cheap. In addition, it appears that it could fit on a simple chip. "It almost seems too good to be true," says Prof. Thévenaz.

Cyber warfare – Why we need to define a model of conflict?

Cyber warfare, or information warfare, is still a grey area of military doctrine; it is necessary to define a "model of conflict" and rules for the actors.
Cyber war and information warfare are two over-used terms for the current disputes within cyberspace. To explain the effect of acts of cyber war, security experts usually cite the 2007 cyber attack against Estonia's government networks, which took place during a period of intense political tension with Russia.
But recent years have been characterised by intense government activity in cyberspace, now considered the fifth domain of warfare: the mutual network intrusions of Korean cyber armies, and the disputes of the US and Israel with countries such as China, Iran and Syria.
Almost every government is investing to improve its cyber capabilities; New Zealand and Russia, for example, have recently started important initiatives, and defining and implementing an efficient cyber strategy is a must for everyone. We have often discussed the real-world repercussions of a cyber attack: Stuxnet is a good example of the potential effect of a cyber weapon, since malicious code can be used to harm an industrial process and cause loss of human life.
The absence of globally accepted rules in cyberspace (even the concept of a cyber weapon is ambiguous) is causing a fragmentation of power; information warfare is significantly influencing the defence strategies of every government and requires a review of decision-making processes.
It is essential to establish global interstate collaboration to prevent the escalation of cyber conflicts. The cyber warfare scenario is rapidly evolving, and governments must align their strategies and work towards a set of globally recognised and accepted cyber rules.
In early 2013 an International Group of Experts tried to define such a set of rules, formalising their effort in a handbook titled "The Tallinn Manual on the International Law Applicable to Cyber Warfare", a study of how existing norms of international law could be applied to cyber warfare.
The NATO Cooperative Cyber Defence Centre of Excellence sponsored the drafting of the document to clarify the rules governing states' conduct in cyberspace, defining jurisdiction, control and legal responsibility.
«A State bears international legal responsibility for a cyber operation attributable to it and which constitutes a breach of an international obligation.»
The experts also provided legal definitions for concepts such as cyber attack and cyber weapon; the following is an extract from the first draft:
«A cyber attack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.»
The NATO group is not the only one: the EastWest Institute has created the Cyber 40, with delegates from 40 digitally advanced countries, to involve government organisations, industry groups and think tanks in defining practical "humanitarian agreements" for cyber conflicts.
Among its principal goals is defining a duty of care in case of cyber attacks against a country, which must identify the targets that have to be protected because of the possible harm to the population. Dams, dykes and nuclear electrical generating stations cannot be primary targets for a cyber attack; another question is how to operate in a "context" that must protect children, journalists, and medical and religious personnel. In cyber warfare the context is fundamental to introducing the concept of cyber weapons, and experts have approached it by defining the "means" of cyber warfare, namely cyber weapons and their associated cyber systems.
"Cyber weapons are cyber means of warfare that are by design, use, or intended use, capable of causing either injury to, or death of, persons. The 'Methods' of cyber warfare are the cyber tactics, techniques and procedures, by which hostilities are conducted."
As many experts have pointed out, the principles of the Geneva and Hague conventions must be adapted to information warfare, taking into account the difficulties specific to the use of cyber tools.
What could be considered an act of cyber war? What are the rules of engagement? When is a cyber attack justified? What are the limits of an "offensive" approach to cyber security?
These are just a few of the questions to address; it is necessary to define a "model of cyber conflict" that assigns roles and responsibilities (e.g. attackers, targets).
Among the urgent needs is the ability to distinguish humanitarian interests in cyberspace so that a cyber attack does not impact them, but this is a hard task.
Another serious issue is the attribution of responsibility for acts of cyber war: in most cases it is nearly impossible to discover the origin of an attack and identify the attacker. Acceptance of a legal framework could help to create a shared awareness of what is considered "moral" and what is not accepted.
Information warfare is conducted through cyberspace, but we must keep in mind the possible consequences in the real world; the human component must always be preserved, even in a scenario in which the machine component is assuming a crucial role, for example with a new generation of tools and systems able to take decisions in real time in case of cyber attack.
Cyber offensives are instantaneous events, and in some cases decisions must be taken in real time to avoid the destruction of assets or the loss of human life.
Are we really able to replace human intervention in critical situations, evaluating every possible consequence in real time? Are we able to design systems that cannot be deceived and that will take the right decision in a timely way?
Until we have defined a model of cyber conflict and the rules for the actors involved, the answer is no!

Padvish Iranian indigenous antivirus unveiled

The first Iranian indigenous antivirus has been unveiled at Iran Elecomp 2013. Mehr News reported that its developer said it would be exported to other countries within three years. Called 'Padvish' (Persian for 'mouse trap'), it is the first antivirus designed and developed entirely with domestic expertise.
Abbas Hosseini told reporters at the unveiling ceremony that the product would be exported to other countries within three years. "No part of the product has been adopted from or inspired by foreign examples, and the major part of the design is indigenous," he added.
He also said that today antivirus enjoys a fame and prestige equal to that of operating systems, and "it should not be forgotten that an antivirus consists of tens of other technologies.
A unique feature of this antivirus is that it can function as an IT security police force, protecting the contents of computers, while other components such as firewalls sit outside the computers," he added.
The director of Amnpardaz Co., the developer company, said that "just as operating systems should be consistent so that other devices operate safely, an antivirus should provide security without slowing the system down, and, more importantly, it should come with after-sales service."
He cited support services and blocking viruses on flash drives as advantages over foreign antivirus products. "An up-to-date technology used in antivirus is cloud technology, which removes any malware and rapidly updates users, a technology also incorporated in Padvish," he added.
Hosseini described identifying users' needs as the first step in developing the antivirus. "Padvish is capable of competing with foreign antivirus products and it complies with copyright laws. Thus it can find applications in neighbouring countries and world markets," he said.
The Amnpardaz director also said that an advanced version of the antivirus had been unveiled. "Saa Iran, the Judiciary, and the petrochemical industry are potential customers of the antivirus," he added.

New Snowden leak reveals U.S. espionage in Rome and Milan

An article published Friday by one of Italy’s most prominent news magazines details the efforts of the United States to spy on Italian citizens and their government officials.
According to L’espresso, the Special Collection Service (SCS), a U.S. foreign intelligence unit, is engaged in espionage within the cities of Milan and Rome. The information was included in classified files handed over to the press by NSA whistleblower Edward Snowden.
The story was filed by Italian journalist Stefania Maurizi, in collaboration with Glenn Greenwald, the journalist primarily responsible for reporting on materials provided by Snowden.
The SCS was also the unit responsible for wiretapping the phone of German Chancellor Angela Merkel, the journalists reported. They are responsible for “monitoring the communications of the political, and likely economical, leaders of host nations,” according to L’espresso.
L’espresso reports that “the Special Collection Service is likely one of the most sensitive units in U.S. intelligence. The service deploys teams under diplomatic cover, operating in US embassies around the world to control friendly and enemy governments.” An NSA document refers to 80 active SCS sites as of 2010, only two of which are located in Italy.
It’s speculated that one SCS site in Germany is likely located on the rooftop of the U.S. embassy. “But what about Rome?” L’espresso asks.
A technical assessment requested by the magazine from journalist Duncan Campbell (of ECHELON fame) concluded it’s very likely the SCS has set up at the U.S. Embassy on Rome’s Via Veneto.
Campbell told L’espresso, “I have no doubt that the cubic white tent like structure marked by the arrows is a SIGINT concealment,” and described the uses of multiple antennas atop the embassy, likely used to monitor “government and police channels,” as well as for “targeted bugging” by the Central Intelligence Agency. Campbell said the spy equipment was “obvious” and noted that similar equipment can be seen on many embassies worldwide.
The NSA materials also provide insight into how the Italian embassy has been targeted in America. The U.S. engaged in two espionage operations, codenamed "Bruneau" and "Hemlock”, as described in a top secret Sept. 2010 report, which effectively extracted all data contained within the Italian embassy’s hard drives. In addition, “implants” were placed within the embassy, which may be a physical device (a bug), or exist in the form of uploaded surveillance software.
“NSA's mass spying activities did not target our leadership and diplomacy alone, but it possibly also targeted millions of Italian citizens.” L’espresso added.
A file, defining a top secret program called “Boundless Informant”, which specifies Italy as a target, revealed that between December and January the metadata of over 45 million telephone calls had been collected by the NSA. Whether Italian intelligence services were complicit in the extraction of this data is unknown, notes L’espresso.
Enrico Letta, Italy’s prime minister, has previously denied aiding the NSA in any intelligence gathering operations targeting Italian citizens. Of course, “Enrico Letta has ruled out NSA espionage against the Italian government, diplomacy and citizens,” in the past, L’espresso notes. Thanks to Snowden’s revelations, we now know he may have ruled it out too soon.
Finally, L’espresso poses an important question, one that demands a response from U.S. leadership: “What does espionage against a friendly country have to do with the fight against al-Qaeda fundamentalism?”

Snowden to make video appearance at EU parliament

Former US intelligence contractor Edward Snowden is set to make a pre-recorded video appearance at the European Parliament's civil liberties committee around 18 December.
"The meeting will be live-streamed but the statement will be recorded answers to our questions, which we will send in advance," said German Green MEP Jan Philipp Albrecht on Friday (6 December).
Albrecht noted that a live stream of Snowden himself would risk revealing his location.
The American is currently in Russia where he is said to be working at the country's version of Facebook, VKontakte.
The US charged him with espionage after he leaked top-secret documents to former Guardian reporter Glenn Greenwald in a Hong Kong hotel room in late May.
The revelations, first reported by the Washington Post and the Guardian in early June, caused a widespread backlash against US-led intelligence gathering regimes.
The documents allege US and UK intelligence agencies, with the help of other EU counterparts and major Internet companies, are sweeping up the personal details of almost everyone in the name of counter-terrorism.
US authorities have admitted that the extent of the spying by the Fort Meade-based National Security Agency (NSA) needs to be scaled back.
But senior US lawmakers in November refused to grant Snowden any clemency.
MEPs are in contact with Snowden via his lawyer, who had made an appearance at an earlier committee inquiry into the spying allegations.
“Our secretariat had contacted him via her,” said Albrecht.
Albrecht said Snowden has been following the parliament hearings “because it is one of the only places where a real debate is taking place, at the moment.”
The deputies are currently putting together their list of questions.
“That’s the plan at the moment and hopefully it will be possible,” said Albrecht.

NSA defends global cellphone tracking as legal

The National Security Agency on Friday said its tracking of cellphones overseas is legally authorized under a sweeping U.S. presidential order. The distinction means the extraordinary surveillance program is not overseen by a secretive U.S. intelligence court but is regulated by some U.S. lawmakers, Obama administration insiders and inspectors general.
Documents obtained from former NSA contractor Edward Snowden showed that the NSA gathers as many as 5 billion records every day about the location data for hundreds of millions of cellphones worldwide by tapping into cables that carry international cellphone traffic. The Washington Post said the collection inadvertently scoops up an unknown amount of U.S. data as well.
The NSA said Friday it was not tracking every foreign phone call and said it takes measures to limit how much U.S. data is collected. The NSA has declined to provide any estimates about the number of Americans whose cellphones it has tracked because they were traveling overseas or their data was irrevocably included in information about foreigners' cellphones.
"It is not ubiquitous," NSA spokeswoman Vanee Vines said in a statement. "NSA does not know and cannot track the location of every cell phone."
Vines said the collection of the global cellphone location data is carried out under the White House order that governs all U.S. espionage, known as Executive Order 12333. That means congressional committees and relevant inspectors general can oversee the program, but the secret court established under the Foreign Intelligence Surveillance Act would not.
A frequent justification for the NSA programs by President Barack Obama and top U.S. intelligence officials is that they are overseen by all three branches of government.
"The NSA claims its collection is incidental, but there is no question it's deliberately engaging in the mass collection of cell phone location data that it knows will inevitably sweep up information on a huge number of innocent Americans," said Catherine Crump, American Civil Liberties Union staff attorney, in a statement. "And, all of this is happening without any supervision by a court."
The NSA spokeswoman, Vines, said legal restrictions under the intelligence law still apply to the cellphone tracking. When NSA analysts realize they unintentionally collected an American's information, they would have to separate it when possible or wall it off from the other information, and limit who can access it and how long it is kept.
But an intelligence lawyer told the Post that when U.S. cellphone data are collected, the data are not covered by the Fourth Amendment, which protects Americans against unreasonable searches and seizures.
"FISA authorization would be required for the intentional collection of domestic metadata," Vines said. "This activity is centered on overseas locations." She said no domestic NSA program gathers such geolocation data.

PDF, Flash, and Java: the Most Dangerous File Types

A report just released by AV-Test should be a huge wake-up call for anybody who doesn't pay attention to software updates. After ten years of study, the researchers concluded that security holes in Adobe and Java are responsible for 66 percent of all vulnerabilities actively exploited in Windows.
Modern applications are complex enough that there will always be flaws, and in some cases the flaw can open up a PC to invasion by malware. The vendors patch these flaws as quickly as they can, but their hard work doesn't help if you don't stay up to date. When cybercrooks shoehorn malware onto your PC by taking advantage of such a hole, that's called an exploit.
Aiding and Abetting
The report notes that the browser is complicit in many exploits. A website can query the browser for all sorts of information, like the precise browser version, the operating system, and the version number of add-ins like Flash and Java. This mechanism exists so that sites can tailor the pages they deliver for the best user experience, but it can be misused by malicious sites that target their attacks based on the returned information.
Some exploits target browser vulnerabilities, but even more of them attack through flaws in the processing of specific file types. According to the report, the PDF format is "most frequently used as a malware transporter for vulnerabilities." Click on the image at the top of this article for a list of other dangerous file types.
I was somewhat surprised to find the ZIP format in line after Java and HTML. Then I remembered that the DOCX and XLSX formats used by Microsoft Office and Excel (which churn through plenty of vulnerabilities) are actually ZIP files. Peek at one using a binary editor and you'll see that the first two characters are PK (for Phil Katz), like any other ZIP file.
Protection Is Available
If you've got Norton Internet Security (2014), Bitdefender Total Security (2014), or another up-to-date security suite, you'll probably never get hit by an exploit, concludes the report. The suite has many opportunities to prevent the attack, starting with blocking the initial JavaScript that tries to get system information. It may also block the PDF, JAR, or other type of file that contains the exploit.
Remember, the exploit itself is just a way to deliver malware. If the suite doesn't block the exploit file, it's very likely to quarantine the delivered malware either immediately or when it tries to launch. And of course, keep all of your software up to date.
Possible Alternatives
PDF-based vulnerabilities are found within Adobe Reader, so using a different PDF viewer such as the free Foxit Reader 5.1 can help. (Note, though, that Foxit Reader has had to patch a few holes of its own).
As for Flash, sites do have to function without it, or flop on iOS devices. The report notes that Mozilla is supporting Shumway, an open-source project that aims to display Flash content using HTML5, with no Flash Player involved.
Java has been so much trouble this year that we've advised people to disable it, at least on a trial basis. The report differs, suggesting that "surfing the web without Java... is virtually impossible," and once again recommending a good security suite. If this topic piques your interest, you'll definitely want to read the full report on the AV-Test website.

Did you say “Advanced” Persistent Threats?

Once in a while we get to spend time analyzing malicious code that is not as widespread, or not as well-obfuscated as other threats we’ve encountered in the past. In this post we introduce our detailed analysis of one such threat, analyzed in further depth in a whitepaper: Did you say Advanced Persistent Threats?
Figure 1: Targeted entities were located in Vietnam and Taiwan
We decided to spend some time on this analysis because one of the components refers to Vietnam’s Central Post and Telecommunications Department. But before we delve into the topic, let's first highlight some of the findings:
  • Entities in Taiwan and in the Vietnamese government are targeted
  • We saw an attacker interact with an infected machine
  • Evidence of an unidentified APT actor
  • Social engineering vector (no exploit code) with very credible documents
  • Bad criminals: typos in configuration, naive cryptographic implementation, weak code practices
  • Sophistication variability: from no obfuscation to hidden position independent code, XOR encryption, XTEA encryption, stand-alone re-usable components
  • Tailored infections: one threat doesn’t persist, the other doesn’t do anything before a reboot
Figure 2: Analyzed threats covered in the white paper
You can see in the above figure all the malware samples that the whitepaper covers. The file received by the victim is always the dropper.

Good ol’ social engineering

As we noticed from our telemetry data, the malicious software reaches its target through spear-phishing campaigns. The targeted emails carry an executable which displays the icon of a Word document. It is one of the oldest tricks around.
Upon execution the dropper will decrypt its configuration parameters and extract files from inside itself into the filesystem.
The dropper first drops the main malicious binary and then a Word document into the user’s temporary folder. It executes the malicious payload and uses the copy of itself to clean up and open the Word document shown in figure 4.
Figure 3: Dropper operation
All this work is done to effectively simulate the result one would expect when double clicking on an innocuous Word document except that in this case malicious code was executed first.
Figure 4: Vietnam decoy document


This is a Visual C++ Trojan that communicates over HTTP with hard-coded Command and Control (C&C) servers. In the sample we analyzed, the three servers supported by the Trojan configuration were in fact pointing to the same domain name, but using different ports (80, 443 and 5050). An interesting fact about this threat is its lack of persistence, meaning that it will be executed only once and will not be relaunched if the system reboots.
In its attempt to contact the C&C the malware will send, in plaintext, several pieces of information about the host in a GET request and use a specific User-Agent string.
The hardcoded campaign string (CPT-NMC) sent by the client further confirms the targeted nature of the attack. CPT stands for Central Post and Telecommunications Department, a department of the Vietnamese government. We can also notice that the top-level domain used for C&C ( is strikingly similar to Vietnam’s which is Vietnam Posts and Telecommunications Group and was probably chosen as a means of camouflage within Intrusion Detection System (IDS) logs. Finally, the decoy document writes about telecoms and testing and carries some network diagrams, which all seems very credible to a potential victim. It looks like this campaign was aimed at Vietnam’s CPT, and we know Vietnam’s officials have been under targeted attack this year.
We saw an operator interact with a system we infected and monitored. They performed reconnaissance operations: netstat to view current network interactions, drive enumeration, set to view the current environment variables and then some file locations were explored. As you can see in the screenshot below, all this information is sent in plain text over the network.
The non-persistence of the attack strengthens the hypothesis that it is targeted, since the attackers leave little trace and little network activity if they don’t install an additional component through the trojan. A typical attack scenario with this tool would then be: figure out potential victims in an organization; send spear-phishing emails; wait; get connections from the trojan; and quickly and interactively investigate the computers for the sensitive data you are looking for. If the data isn’t there, pull the plug; if it is, install an additional component through the commands for file download (3004) and file execution (3011).

Terminator RAT (aka FAKEM RAT)

When we started analyzing this threat, our product detected it as Win32/Protux.NAR. When we reverse engineered the cryptographic protocol of the network communication with the C&C we found out that the threat was documented by and Trend Micro as Terminator RAT or FAKEM RAT, but that our sample diverged a lot from the one they analyzed, and carried an additional binary. Last month, FireEye released an analysis of a sample very similar to this one but the hashes are still different. In this article, we will focus on giving additional details of the threat and we encourage you to refer to these past articles for further background information.
We first found out that what we called Win32/Protux.NAR was in fact the Terminator RAT when we looked at the network encryption and stumbled on’s report titled APT1: technical backstage. Although their reference to the APT1 group is challenged by the community, we definitely have here a private Trojan that has been re-used on several campaigns by the same group.
This threat is more complex than the ones previously described. It uses a modified XTEA cipher for encryption, it has a fancy evasion maneuver (pictured below), it will not perform any network interaction before the system is rebooted and it extracts and runs position independent code that acts as its main payload from an internal resource. Additionally, a stand-alone component is bundled that allows the RAT to reach out to the C&C servers even if there is a mandatory proxy configured on the infected computer.
Figure 6: Terminator's evasion maneuver
Figure 7: Position independent code loading and execution
Here’s a table that highlights the differences between the various observed campaigns:

| | Trend Micro’s analysis | FireEye’s analysis | ESET’s analysis |
|---|---|---|---|
| Activity | Since 2009 | June 2013 | June 2013 |
| Campaign | undisclosed | zjz1020 | wet |
| Distribution | Word or Excel documents with exploit code | Word or Excel documents with exploit code | Social engineering |
| Installation | Registry Run entry | Modified Startup Folder | Modified Startup Folder |
| XTEA key | None used | 0x3c78… | 0x9ac9… |
| Network traffic | Fake header in first 32 bytes | Repeated pattern in first 32 bytes | Random bytes with padding intermixed in the first 32 bytes |
| Proxy tunnel | No mention of this component | Stand-alone component for exfiltration through corporate proxy | Stand-alone component for exfiltration through corporate proxy |
| Proxy filename | None | sss.exe | winlogon.ini then winnlogon.exe |
  • *
  • *
  • localhost port 8000
  • “[space]” port 9000 (broken)
  • port 9090
  • localhost port 8000
IPs Varied (same /24)
DDNS Provider DynDNS, DtDNS,

Summary of similarities

  • Same network encryption algorithm (“ARCHY”[::-1] xor/ror3)
  • Same 1024 byte network payload
  • Same commands (0x211, etc.)
  • Most C&C rely on dynamic DNS
  • Operated from the same /24 network owned by a Taiwanese ISP

There is no A in this APT

Indeed, none of these threats were packed to thwart reverse-engineering, no exploit code was used and there were several observations of poor software development and operational practices. This is not ‘advanced’. However, as long as these less sophisticated attacks are still successful they will continue, because they are obviously cheaper to perform than the more complex ones.
We can see two [A]PT strains at work here. One with no A, where low-complexity, low-cost attacks see manual operators thrown at several targeted campaigns, using simple malware modified just enough to avoid detection. Then, on the other hand, groups seem to exist that truly deserve the A epithet – A-teams, you might say. (Note that we avoided the cyberwar kind of APT.)
So, before issuing your press-release about getting popped by an APT group, at least make sure that you are not simply overly exposed to simplistic B-list attacks. User awareness training and locked-down group policies incorporating the filtering of executables in emails would have mitigated or prevented the threats described in this post. Is your company at least taking these steps?
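The PK observation in the file-types post and the executable-with-a-Word-icon dropper described above come down to the same defensive check a mail gateway can make: identify an attachment by its bytes, not by its name or icon. The Python below is an added example, not AV-Test's, ESET's or any product's code; the block/scan/allow policy, the extension table and the constructed sample attachments are assumptions.

```python
"""Classify e-mail attachments by their bytes, not their name or icon.
Added example for this page, not AV-Test's, ESET's or any product's code."""
import io
import os
import struct
import zipfile

# Fixed-offset signatures for the formats the page discusses.
_SIGNATURES = ((b"%PDF-", "pdf"), (b"FWS", "swf"), (b"CWS", "swf"),
               (b"ZWS", "swf"), (b"\xca\xfe\xba\xbe", "java-class"))

def _is_pe(data):
    """MZ stub whose e_lfanew (offset 0x3c) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3c)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def _classify_zip(data):
    """DOCX/XLSX and JAR files are ZIP archives ('PK'); members tell them apart."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "zip-corrupt"
    if "[Content_Types].xml" in names:
        return "ooxml"
    return "jar" if "META-INF/MANIFEST.MF" in names else "zip"

def sniff(data):
    """Content type from the bytes alone (the header must sit at offset 0)."""
    if _is_pe(data):
        return "pe"
    for magic, label in _SIGNATURES:
        if data.startswith(magic):
            return label
    return _classify_zip(data) if data[:2] == b"PK" else "unknown"

# Content types each extension legitimately carries (assumed policy table).
_EXPECTED = {".pdf": {"pdf"}, ".swf": {"swf"}, ".class": {"java-class"},
             ".zip": {"zip", "ooxml", "jar"}, ".docx": {"ooxml"},
             ".xlsx": {"ooxml"}, ".jar": {"jar"}, ".exe": {"pe"}, ".scr": {"pe"}}
_EXECUTABLE = {"pe", "jar", "java-class"}              # never delivered by mail
_SCAN = {"pdf", "swf", "ooxml", "zip", "zip-corrupt"}  # exploit carriers: hand to the suite

def check_attachment(filename, data):
    """Return (verdict, reason); verdict is 'block', 'scan' or 'allow'."""
    content = sniff(data)
    ext = os.path.splitext(filename)[1].lower()
    if content in _EXECUTABLE:
        # A Word icon or a document-like name changes nothing: the bytes run.
        return "block", f"executable content ({content}) in {filename!r}"
    expected = _EXPECTED.get(ext)
    if expected is not None and content not in expected:
        return "block", f"{ext} extension but {content} content"
    if content in _SCAN:
        return "scan", f"{content} is a common exploit carrier"
    return "allow", f"{content} content"

def _zip_bytes(members):
    """Small in-memory ZIP archive (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

def _pe_stub():
    """Constructed MZ/PE header only; not a runnable program."""
    header = bytearray(b"MZ" + b"\x00" * 0x3e)
    struct.pack_into("<I", header, 0x3c, 0x40)      # e_lfanew -> 0x40
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20

# Constructed attachments, including the dropper trick from the post above: an
# executable with a document-looking name (on disk it would also show a Word icon).
SAMPLES = {
    "report.docx": _zip_bytes({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w/>"}),
    "helper.jar": _zip_bytes({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"}),
    "invoice.pdf": b"%PDF-1.7\n% constructed sample\n",
    "network test plan.exe": _pe_stub(),
    "banner.swf": b"CWS\x0a" + b"\x00" * 8,
    "notes.txt": b"plain text, nothing to sniff",
}

def check_all(samples=SAMPLES):
    """Verdict per sample attachment, e.g. {'report.docx': 'scan', ...}."""
    return {name: check_attachment(name, data)[0] for name, data in samples.items()}
```

Only the first few bytes decide: a renamed executable is blocked whatever its extension, while a genuine DOCX (a ZIP whose members include [Content_Types].xml) is passed on for scanning rather than trusted on its name.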
Author: Olivier Bilodeau
Contributors: Mathieu Lavoie, Marc-Etienne M. Léveillé

Why “crypto” isn’t just for spies: A beginner’s guide to keeping secrets

 Encryption has always sounded like a James Bond technology – and it turns out, thanks to the recent NSA and GCHQ scandals, that Commander Bond – or at least his real-world equivalent – may well have been decrypting our emails for years.
But “ordinary” PC users can feel intimidated by it – for years, it’s been something that IT staff handled – and it’s also been highly complex to use, requiring Zen computer skills on Windows, or enterprise-level software.
Even IT people often worried about encryption in the past, says ESET Senior Research Fellow David Harley: “When I did user support, I was paranoid about ensuring that people didn’t encrypt until they’d sorted out their backup/recovery mechanisms. Sometimes the IT team can’t fix your lost passwords.”
But as more and more of us carry valuable information on handheld devices such as smartphones, encryption is something even ‘normal’ computer users can use – and should consider.
It’s now easy to do on devices such as Android phones and tablets – and offers peace of mind if you DO have to carry one very valuable piece of information on a handheld – although do bear in mind that the risk of physical theft is always present.
ESET’s Harley says that, for ordinary users, the concern is NOT governments – it’s criminals, “The recent concerns about government surveillance have started people thinking about protecting their data who never gave it a thought before, which isn’t a bad thing, but the main danger to the average individual isn’t surveillance by governments, but intrusion by out-and-out criminals.”
Don’t fear “crypto” – it’s easy to do, and often built into your device
Sadly, few of us live lives so exciting that our boss will hand over a disc, saying, “Guard this with your life”. But most of us have files we want to keep safe. Encryption used to be a ‘pro’ IT skill – requiring enterprise-level software. Now Windows 8 has a pretty good system built in. Right click a file, click advanced, then Encrypt. Back up your certificate for the file (otherwise you’re locked out), then double-lock by encrypting the disk – now standard in Windows 8. That should baffle all but the most determined cyber-crooks.
Don’t worry about spies, unless you, too, are a spy
ESET’s Harley says, “Governments and law-enforcement agencies are actually going to see the use of encryption as an indication of ‘something to hide’ and possibly deserving a closer look.
“On the other hand, paraphrasing Bruce Schneier, if a well-resourced intelligence agency or LEA wants to know your secrets ‘they’re in’, and some much-hyped encryption programs will offer very little resistance. Selecting the right security software of this sort and properly installing and maintaining it is not easy. If you want to do it properly – and safely! – it needs time and care.”
If you want to keep something safe, don’t leave it on your PC
Cybercrime relies on your valuables – whether they be confidential files, banking details or Bitcoin wallets – being within reach. If you disconnect from the internet, you are safe. Anything on your PC is at risk – even if that risk is minute, and you ‘play by the rules’ security-wise. If you’re connected, there is a risk, however small. To stay truly safe, keep data offline – an encrypted USB stick works well. Put that stick in a deposit box, and you’re even safer. A detailed guide by ESET experts to backing up data can be found here
Use good passwords, and if possible, lock those away too
Even IT experts use bad passwords some days – if you’re browsing a site you know you’ll never visit again, say. For precious data, though, use a unique password – a complex one that cracker software will find indigestible, although even that will only buy you time if the password IS stolen. Better still, use a secure password-generator like LastPass. That, combined with an encrypted disk, will make most cyber criminals give up in disgust.
Remember that Inboxes and Outboxes have long memories
When the New York Times front page was defaced by hackers this year, the password came from an email outbox. If you value something, or if it’s highly confidential, you should take extra precautions before emailing – it could just as easily sit in the recipient’s inbox, and be stolen from there. If it’s a confidential work file, ask advice from an expert – you could, for instance, email the file in encrypted form, and then send the decryption key by a different communication channel. If it’s really important, encrypt it, and deliver it physically.
Keep your PC clean
Most of us have a lot of precious digital possessions these days – so it’s not always practical to keep them on a removable hard drive with military encryption built in (cool though those things are). The most important rule is, as always, update Windows, your browser, Java and so on – and, invest in good AV, like ESET Smart Security 7 – this lessens the risk from spyware, keyloggers and other tools used by cyber-thieves.
Getting into this? Consider encryption software
If you’re frequently dealing with confidential documents, there are many software packages built to encrypt files – although many are still not particularly user-friendly, and that can be nerve-wracking when you are dealing with software where one password problem can mean your data is gone forever. Most are functional, though, and offer solid levels of protection – but it’s a matter of taste, and of your own level of computing skills, which you choose. Try out packages such as PGP, its open-source equivalents, or software such as Bitlocker. Try some – ideally with ‘test’ files first – and see which one suits you.
Don’t trust companies you work with
In business, cybercriminals will target the weakest link – which means you can live a life of cast-iron security, and they STILL steal your data. Professional services companies such as accountants and lawyers are often targeted as a ‘way in’ to financial companies – as are third-party bank card suppliers. If possible, don’t share. Keep it in your office, under digital lock and key. ESET’s Harley says, “Encryption solutions are often compromised because people forget to give the same attention to other factors such as using safe[r] transaction protocols, good anti-malware protection to reduce the risk from subversive malware such as keyloggers, keeping confidential data well inside a protected network and away from unsafe services. It may not matter how good your security software is if your data is shared with companies and sites who don’t maintain the same standards.”

Microsoft’s new crime-fighting super-team strikes blow against million-strong “zombie army”

Only weeks after Microsoft unveiled a global Cybercrime Center armed with new, hi-tech tools to detect and combat crime, the technology giant announced it had laid waste to a zombie army, namely the Sirefef botnet. Microsoft collaborated with law enforcement worldwide, and targeted IP addresses and domains used by the botnet.
The botnet, also known as ZeroAccess, is spread by a Trojan and, according to Microsoft’s TechNet, has infected nearly two million computers worldwide. It diverts users from legitimate search results on search engines such as Bing, Yahoo and Google to potentially dangerous sites, at a cost, Microsoft claims, of $2.7 million a month to advertisers.
Microsoft’s operation involved cooperation from Europol, the FBI, and industry partners. Although the botnet ‘communicates’ via a peer-to-peer system, Microsoft received authorization to block communications between machines in the U.S. and 18 IP addresses used in the scam. The firm also seized 49 domains associated with the botnet, according to the BBC’s report.
Microsoft admitted in its statement that it did not expect, or intend, to eradicate ZeroAccess entirely: “Due to its botnet architecture, ZeroAccess is one of the most robust and durable botnets in operation today, and was built to be resilient to disruption efforts, relying on a peer-to-peer infrastructure that allows cybercriminals to remotely control the botnet from tens of thousands of different computers,” the firm said.
The malware was distributed via infected websites, Microsoft said, “Most often, computers become infected with ZeroAccess as a result of “drive-by-downloads,” where the cybercriminals create a website that downloads malware onto any unprotected computer that happens to visit that site.”
The botnet has not been completely eliminated, according to Beta News. “While the legal and technical action hasn’t wiped out the botnet entirely – ZeroAccess has been designed to resist such disruption efforts – it will have a significant impact on its effectiveness,” the site said.
Microsoft said that it expected the international action to, “significantly disrupt the botnet’s operation by disrupting the cybercriminals’ business model and forcing them to rebuild their criminal infrastructure, as well as preventing victims’ computers from committing the fraudulent schemes.”
Microsoft said in its post that this was the first large-scale action since it opened its new Cybercrime Center - a war room where the tech giant’s lawyers and security experts use what Microsoft described as bleeding-edge technology and industry expertise to battle crime online, as reported by We Live Security here.
The Cybercrime Center is to cooperate with law enforcement, academia, industry and NGOs – and focus on child exploitation, IP crimes and malware, in particular botnets. The Center will have 100 staff based around the world, and law enforcement will be able to use the facilities 24/7, The Register reports.
The Center is located on Microsoft’s Redmond campus, and includes what Microsoft describes as “groundbreaking” technologies, including SitePrint, a tool for mapping organized crime networks, and PhotoDNA, a tool for fighting child pornography.
A separate area of the Cybercrime Center will allow cybersecurity experts from third-party companies to lend their expertise, including academics, experts from industry and affected customers.
“In the fight against cybercrime the public sector significantly benefits from private sector expertise, such as provided by Microsoft,” said Noboru Nakatani, executive director of the INTERPOL Global Complex for Innovation.
“The security community needs to build on its coordinated responses to keep pace with today’s cybercriminals. The Microsoft Cybercrime Center will be an important hub in accomplishing that task more effectively and proactively.”
Microsoft pointed out that this is the third major botnet it has disrupted this year – including Citadel, a network reported to have earned up to $500m for its creators, as reported by We Live Security here.

Twitter introduces cookie-based targeted advertising

Twitter users will now see targeted advertisements based on their internet-browsing history, following updates to the microblogging site's services for advertisers.
Through cookies stored on users' machines by the websites they visit, Twitter will now be able to use more data to display relevant adverts to its users. It also claims this will save its advertisers money by only showing their adverts to those who are likely to be interested. According to Twitter, firms such as Digitas have already used the platform and have been happy with the results.
The industry's biggest online advertisers have used cookie-based advertising for a long time, and it can be very lucrative. But many privacy bodies and watchdogs have become concerned about how websites use cookies, and that many internet surfers don't fully understand how they are being used. In 2012 the UK's Information Commissioner's Office set regulations requiring all websites using cookies to display a prominent notice explaining exactly how cookies would be used and how they would affect the browsing experience.
Twitter, however, says it has taken this into account and gives its members multiple ways of opting out. Users who have enabled the "do not track" function in their web browser, and those who edit their Twitter privacy settings, will not be targeted. It is an opt-out process, though.
Twitter became a publicly traded company in November, successfully launching onto the New York Stock Exchange, initially valued at more than $30bn. While the firm is a significant loss maker, investors were pleased to see that Twitter receives much of its revenue from mobile advertising and that the firm has room for expansion into more targeted advertising, including cookie-based and location-based ads.
At the end of November, Twitter launched its self-service advertising platform in the UK, allowing smaller businesses to more easily handle their campaigns. This was a step towards serving highly lucrative local advertisements, highlighting how much room for manoeuvre the company has in the advertising space.

Android app developer slammed by FTC for deceitful data gathering

The US Federal Trade Commission (FTC) has rebuked an Android app developer for collecting and sharing information on users’ locations and device ID data, regardless of whether they had given their consent or not.
The incident underlines the risks posed by Android from a security point of view as apps are not vetted before they're made available on the Google Play store and can be used by their creators to spread malware or for other harmful means.
GoldenShores Technologies, makers of the Brightest Flashlight app, which the FTC said has been downloaded “millions of times”, were found to have passed on the data they gathered to third-party advertising networks.
Users were presented with an option about whether to share information but this had no effect whatsoever. Jessica Rich, director of the FTC’s Bureau of Consumer Protection, criticised the owner of the app Erik Geidl for playing fast and loose with users' privacy.
“When consumers are given a real, informed choice, they can decide for themselves whether the benefit of a service is worth the information they must share to use it,” she said. “But this flashlight app left them in the dark about how their information was going to be used.”
As a result of the undertaking signed by the firm to settle the case with the FTC it has agreed to stop "misrepresenting how consumers’ information is collected and shared and how much control consumers have over the way their information is used".
The settlement also requires the defendants to provide a disclosure that fully informs consumers "when, how and why their geolocation information is being collected, used and shared" and explicit permission for data collection must be secured as well.