Tuesday, 30 September 2014

Ello social network hit by suspected DDoS attack

Ello, the social network site intended to serve as something of an antidote to ad-stuffed Facebook, was hit by a suspected Distributed-Denial-of-Service attack today.
The outfit, which has gained plenty of press coverage in the past week after employing the classic invite-only marketing trick to lure in more users, said on its status page within the last hour that it had suffered a major front-end outage on its network.

Russian-speaking fraud on Skype

It used to be a common scam: Russian cybercriminals would send an SMS like: "Mom, I'm in trouble. Please, transfer me some funds. I will explain it properly when I get home". A whole bunch of friends and relatives got suckered by this fraud, believing that the message had genuinely come from someone close to them.
Fortunately, Russian mobile operators cracked down hard on this, forcing the criminals to give up. But now they've moved on to Skype. Yesterday I got this Skype message from one of my contacts:
Translation of the text:
Hey. I'm on a trip right now and I can't get to a payment terminal and top up my balance. Could you please transfer 100 rubles – or even better 200 – to the number  +7925XXXXXXX? I can't think of anyone else who could help me. It would really do me a big favor! I pay you back as soon as I get home!!
What happened? The cybercriminals stole my contact's password, probably using password stealing malware. Suddenly, even a Skype account without any money attached is worth something to a crook.
The victim will never see that couple of hundred rubles again. The number mentioned belongs to the cybercriminals, not to the Skype account-holder. It's impossible to say how many people fall victim to this kind of social engineering fraud, but in general we know that social engineering is an effective trick for scammers.

Kali Linux “NetHunter” Released – Turn Your Android Device into Hacking Weapons


After making its influence in hacker and security circles, Kali Linux has now been published with Kali Nethunter, a version of the security suite for Android devices. The tool is a mobile distribution designed to compromise systems via USB when installed and run on an Android phone.
Kali Linux NetHunter project provides much of the power to Nexus users, those running the NetHunter penetration testing platform can now launch attacks including Teensy keyboard via HID style attacks and BadUSB man-in-the-middle (MITM) networking attacks via USB human interface device (HID), wireless 802.11 frame injection, and could setup evil access points in a single click.
Our NetHunter images support programmable HID keyboard attacks, (a-la-teensy), as well as “BadUSB” network attacks, allowing an attacker to easily MITM an unsuspecting target by simply connecting their device to a computer USB port,” the Offensive Security team said. “In addition to these built in features, we’ve got a whole set of native Kali Linux tools available for use, many of which are configurable through a simple web interface.
Nethunter is currently available for Nexus devices only, but builds for other Android devices are likely on the way. Nethunter contained a full Kali Linux toolset, including support for self destruction, software defined radio and the ability to launch a Kali desktop VNC session on Nexus phone.
The tools are designed for use by an attacker who has physical access to a device — an insider threat — or someone who gains access through social engineering, tailing etc.
Kali Linux nethunter hacking tool android
On one hand, Teensy Keyboard attacks on PCs can be used to automatically elevate privileges on a Windows PC and install a reverse-HTTP tunnel to a remote workstation. On the other hand, BadUSB can force a Windows PC to recognize the USB-connected phone as a network adapter and re-route all the traffic of the PC through it for monitoring purposes.
Additionally, the Kali NetHunter configuration interface helps users to easily manage complex configuration files through a local web interface, which together with 802.11 wireless injection and a pre-configured connect VPN service make it a “formidable network security tool or discrete drop box – with Kali Linux at the tip of your fingers wherever you are.
Kali NetHunter open source security platform supports Nexus 10 and 7 tablets and Nexus 5 phones built on the existing Kali (formerly Backtrack) Linux platform. The official Kali NetHunter images can be downloaded from the Offensive Security NetHunter download page.

FBI opens Malware Investigator portal to industry

The Federal Bureau of Investigations has released a formerly in-house malware-analysing portal to help speed up incident responses and help industry and law enforcement with investigations.
The G-men hope the Malware Investigator portal can let businesses build responses to new malware without such heavy reverse-engineering loads.
Information crime unit chief Steve Pandelides said during the portal's initial launch it would benefit the agency and the private sector.
"After submission, the report can get turned around in a matter of minutes to a matter of hours," Pandelides said.
"It will enable our private partners to protect their company's networks and help our state and local law enforcement partners further their investigations.
"It will also provide the FBI a global view of the malware threat."
Malware Investigator: FBI Malware Investigator: FBI
Windows malware submitted to the portal would be correlated against other submissions and the FBI's intelligence to produce reports. It would be expanded to cater for other virus types.
Malware would be analysed in part through fuzzy hashing including section hashing, virus scanning cluster, sandboxing, file system modification and others.
The agency opened API access for organisations seeking to integrate the system into their platforms, and maintained that a submitters' private details would remain undisclosed, the Bureau's Jonathan Burns said at the Virus Bulletin conference in Seattle last week.
The FBI began manual malware analysis in 1998 and over subsequent years had built systems to help store and examine viruses, trojans, worms and bots. The process became automated in 2011 with work beginning on Malware Investigator last year.

Alleged mobile spyware sellers cuffed in US

Allegedly selling spyware has landed a Pakistani man in trouble with the Feds, with the FBI collaring 31-year-old Hammad Akbar from Lahore cuffed on Monday for flogging StealthGenie.
The US Justice Department says Akbar was indicted in the Eastern District of Virginia for operating a company called InvoCode, which sold the software online.
According to the statement, StealthGenie – which Akbar allegedly wrote with co-conspirators – can intercept calls, texts, videos and other communications from iPhones, Android phones, and Blackberrys. The cabal advertised it as “untraceable” and the DoJ says it's “undetectable by most users”.
The indictment says the charge sheet includes “conspiracy, sale of a surreptitious interception device, advertisement of a known interception device and advertising a device as a surreptitious interception device”.
StealthGenie's real capabilities, the indictment says, include:
  • It recorded all incoming/outgoing voice calls;
  • It intercepted calls on the phone to be monitored while they take place;
  • It allowed the purchaser to call the phone and activate it at any time to monitor all surrounding conversations within a 15-foot radius; and
  • It allowed the purchaser to monitor the user’s incoming and outgoing e-mail messages and SMS messages, incoming voicemail messages, address book, calendar, photographs, and videos.
If someone – say, a jealous spouse – installed the software, the user would never know these functions were enabled. The software also synched to Amazon servers, the government alleges, and the government has taken down the company's Website for the time being.

Friday, 26 September 2014

‘Shellshock’ Bug Spells Trouble for Web Security

As if consumers weren’t already suffering from breach fatigue: Experts warn that attackers are exploiting a critical, newly-disclosed security vulnerability present in countless networks and Web sites that rely on Unix and Linux operating systems. Experts say the flaw, dubbed “Shellshock,” is so intertwined with the modern Internet that it could prove challenging to fix, and in the short run is likely to put millions of networks and countless consumer records at risk of compromise.
The bug is being compared to the recent Heartbleed vulnerability because of its ubiquity and sheer potential for causing havoc on Internet-connected systems — particularly Web sites. Worse yet, experts say the official patch for the security hole is incomplete and could still let attackers seize control over vulnerable systems.
The problem resides with a weakness in the GNU Bourne Again Shell (Bash), the text-based, command-line utility on multiple Linux and Unix operating systems. Researchers discovered that if Bash is set up to be the default command line utility on these systems, it opens those systems up to specially crafted remote attacks via a range of network tools that rely on it to execute scripts, from telnet and secure shell (SSH) sessions to Web requests.
According to several security firms, attackers are already probing systems for the weakness, and that at least two computer worms are actively exploiting the flaw to install malware. Jamie Blasco, labs director at AlienVault, has been running a honeypot on the vulnerability since yesterday to emulate a vulnerable system.
“With the honeypot, we found several machines trying to exploit the Bash vulnerability,” Blasco said. “The majority of them are only probing to check if systems are vulnerable. On the other hand, we found two worms that are actively exploiting the vulnerability and installing a piece of malware on the system. This malware turns the systems into bots that connect to a C&C server where the attackers can send commands, and we have seen the main purpose of the bots is to perform distributed denial of service attacks.”
The vulnerability does not impact Microsoft Windows users, but there are patches available for Linux and Unix systems. In addition, Mac users are likely vulnerable, although there is no official patch for this flaw from Apple yet. I’ll update this post if we see any patches from Apple.
The U.S.-CERT’s advisory includes a simple command line script that Mac users can run to test for the vulnerability. To check your system from a command line, type or cut and paste this text:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the system is vulnerable, the output will be:
 this is a test
An unaffected (or patched) system will output:
 bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x'
 this is a test
US-CERT has a list of operating systems that are vulnerable. Red Hat and several other Linux distributions have released fixes for the bug, but according to US-CERT the patch has an issue that prevents it from fully addressing the problem.
The Shellshock bug is being compared to Heartbleed because it affects so many systems; determining which are vulnerable and developing and deploying fixes to them is likely to take time. However, unlike Heartbleed, which only allows attackers to read sensitive information from vulnerable Web servers, Shellshock potentially lets attackers take control over exposed systems.
“This is going to be one that’s with us for a long time, because it’s going to be in a lot of embedded systems that won’t get updated for a long time,” said Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University of California, Berkeley. “The target computer has to be accessible, but there are a lot of ways that this turns accessibility into full local code execution. For example, one could easily write a scanner that would basically scan every Web site on the planet for vulnerable (Web) pages.”

Jimmy John’s Confirms Breach at 216 Stores

More than seven weeks after this publication broke the news of a possible credit card breach at nationwide sandwich chain Jimmy John’s, the company now confirms that a break-in at one of its payment vendors jeopardized customer credit and debit card information at 216 stores.
jjohns On July 31, KrebsOnSecurity reported that multiple banks were seeing a pattern of fraud on cards that were all recently used at Jimmy John’s locations around the country. That story noted that the company was working with authorities on an investigation, and that multiple Jimmy John’s stores contacted by this author said they ran point-of-sale systems made by Newtown, Pa.-based Signature Systems.
In a statement issued today, Champaign, Ill. based Jimmy John’s said customers’ credit and debit card data was compromised after an intruder stole login credentials from the company’s point-of-sale vendor and used these credentials to remotely access the point-of-sale systems at some corporate and franchised locations between June 16, 2014 and Sept. 5, 2014.
“Approximately 216 stores appear to have been affected by this event,” Jimmy John’s said in the statement. “Cards impacted by this event appear to be those swiped at the stores, and did not include those cards entered manually or online. The credit and debit card information at issue may include the card number and in some cases the cardholder’s name, verification code, and/or the card’s expiration date. Information entered online, such as customer address, email, and password, remains secure.”
The company has posted a listing on its Web site — jimmyjohns.com — of the restaurant locations affected by the intrusion. There are more than 1,900 franchised Jimmy John’s locations across the United States, meaning this breach impacted roughly 11 percent of all stores.
pdqThe statement from Jimmy John’s doesn’t name the point of sale vendor, but company officials confirm that the point-of-sale vendor that was compromised was indeed Signature Systems. Officials from Signature Systems could not be immediately reached for comment, and it remains unclear if other companies that use its point-of-sale solutions may have been similarly impacted.
Point-of-sale vendors remain an attractive target for cyber thieves, perhaps because so many of these vendors enable remote administration on their hardware and yet secure those systems with little more than a username and password — and often easy-to-guess credentials to boot.
Last week, KrebsOnSecurity reported that a different hacked point-of-sale provider was the driver behind a breach that impacted more than 330 Goodwill locations nationwide. That breach, which targeted payment vendor C&K Systems Inc., persisted for 18 months, and involved two other as-yet unnamed C&K customers.

Some government computer systems taken offline after Shellshock security bug discovery

Photo illustration: text from the Bash command-line program overtop a computer user\'s hands.
The federal government has rushed to update software across its computer systems and taken other vulnerable systems offline after a critical network security flaw known as “Shellshock” was disclosed Wednesday.
The Shellshock bug lets people issue commands using the Bash shell program, which is shipped with most Linux and UNIX distributions and Apple’s Mac OS X operating system. That leaves everything from personal computers to routers and many other devices that connect to the internet vulnerable to exploitation.
“When the government became aware of this vulnerability, all federal government organizations were directed by the Chief Information Officer for the Government of Canada to patch affected systems on a priority basis,” Kelly James of the Treasury Board of Canada Secretariat said Thursday afternoon in an email to Postmedia.
“For vulnerable systems where no patch is available, departments have been directed to take those systems offline.”
The Treasury Board of Canada Secretariat handles internal administration for much of the federal government.
The federal government was criticized in April for being slow to notify the public about the Heartbleed bug discovered in the OpenSSL encryption library, waiting several days even as some 900 Social Insurance Numbers were copied from the Canada Revenue Agency website. A 19-year-old computer science student at Western University in London, Ont., was charged with one count of unauthorized use of a computer and one count of mischief in relation to data over the incident.
Some security experts warn that Shellshock could prove more harmful than the Heartbleed bug. Whereas Heartbleed allowed third parties to “listen in” on users’ activity, Shellshock could let hackers execute malicious code on remote machines that use the vulnerable versions of Bash, putting much of the internet at risk.
Updates for the affected Bash software have not completely patched the vulnerability yet, according to network administrators, and attacks by hackers exploiting the Shellshock flaw have already been carried out. The U.S. Department of Homeland Security has listed the Shellshock bug in its national vulnerability database under the identifier “CVE-2014-6271″ — with a severity rating of 10 out of 10.
The vulnerability was discovered last week by Stephane Chazelas, a French programmer working in Scotland who told the Globe and Mail he checked Bash after finding a similar flaw in other software. The bug was reportedly part of the code for over two decades before it was discovered and it could take months before its full impact is known.

Drozer – The Leading Security Testing Framework For Android

Drozer (formerly Mercury) is the leading security testing framework for Android. drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps’ IPC endpoints and the underlying OS.
drozer - Android Security Testing Framework
drozer provides tools to help you use, share and understand public Android exploits. It helps you to deploy a drozer Agent to a device through exploitation or social engineering. Using weasel (MWR’s advanced exploitation payload) drozer is able to maximise the permissions available to it by installing a full agent, injecting a limited agent into a running process, or connecting a reverse shell to act as a Remote Access Tool (RAT).
drozer helps to reduce the time taken for Android security assessments by automating the tedious and time-consuming. In a way you could think of drozer as Metasploit for Android devices.
  • Discover and interact with the attack surface exposed by Android apps.
  • Execute dynamic Java-code on a device, to avoid the need to compile and install small test scripts.
  • Discover Installed Packages
  • Send Intents to IPC Endpoints
  • Broadcast Intents
  • Access Databases from other Apps
  • Interact with Services in other Apps
  • Arbitrary Java Execution
  • Run an Interactive Shell
  • Access a device with Remote Exploits
  • Root Privilege Escalation
  • Command-line Interface
  • Use drozer with Physical Devices
  • Use drozer with Android Emulators
You can download drozer here:
Windows installerdrozer-installer-2.3.3.zip
Debian/Ubuntu (.deb)drozer_2.3.3.deb
Redhat/CentOS (.rpm)drozer-2.3.3-1.noarch.rpm
Or read more here.

Why the Heyday of Credit Card Fraud Is Almost Over

Credit Cards_Merithew
Jim Merithew/WIRED
In 1960, an IBM engineer named Forrest Parry was developing a new type of ID card for the CIA when he had an epiphany: Why not make each card a tiny data storage device in and of itself? He cut a short length of half-inch wide magnetic tape from a reel and wrapped it around a blank plastic card, secured it with Scotch tape, and then, at his wife’s suggestion, pressed it on with a warm iron.
The magnetic stripe card was born.
Today magstripes are on the backs of millions of US-issued credit and debit cards, where they hold all the information needed to produce a flawless counterfeit card—account number, expiration date, and a secret code called a CVV. That has made Forrest Parry’s invention one of the computer underground’s most prized targets—more valuable than anything on your hard drive. We were reminded of that last week, when Home Depot confirmed that 56 million shoppers had their credit card data siphoned from the big box retailer’s point-of-sale systems over six months. That’s 3,000 miles of magstripe, stolen three inches at a time.
The announcement makes the Home Depot breach the single largest known theft of credit card data in history, edging out the 40 million cards stolen from Target late last year, and about the same number taken from TJX in 2006. It may also be one of the last major credit card heists.
But more on that in a moment.
The first magstripe card.
The first magstripe card. (CC) Jerome Svigals via Wikimedia Commons
First, a bit of history: What happens to stolen bank card data hasn’t changed in 15 years—the hackers package it and sell it in bulk to the underground’s third-party resellers. Ten years ago it was the Ukranian known as “Maksik”; today it’s the Ukrainian known as “Rescator.” If Parry’s innovation was to take a bulk storage medium and literally slice it into a wallet-sized one, the computer underground has perfected the opposite process, compiling all those squirts of information into a big data play that would make Mark Zuckerberg envious.
Once it’s in an underground shop, card counterfeiters buy the magstripes they need—sometimes ordering by bank or ZIP code—and copy it onto fake cards using their own magstripe encoding machines. Then they use the cards to buy goods they can resell or dispatch crews to do the shopping for them in exchange for a cut of the profits.
Since about 2001, stolen magstripe swipes, or “dumps,” have been the pork bellies of a massive hacker commodities market, centered in Eastern Europe and stretching around the globe. Beyond the hackers who breach stores like Home Depot, and the resellers like Rescator who market the cards, there are vendors specializing in the hardware and material—plastic embossers, fake holograms, blank cards, magstripe encoders—needed to use the data and others who crank out professional fake IDs to help pass the fake cards. By the most conservative estimates, it all adds up to $11 billion in losses annually.
But the golden age of credit card fraud is drawing to a close, and history will regard Home Depot, TJX, Target, and all other breaches as a single massive exploit against one catastrophic security hole: The banks’ use of roughly 23 characters of magnetically encoded data as the sole authentication mechanism for a consumer payment infrastructure that generated 26.2 billion transactions in 2012 alone. Engineering students will study that gaffe with the astonished bemusement with which they view old footage of the Tacoma Narrows Bridge twisting in the wind.
The fatal problem with the credit card magstripe is that it’s only a container for unchanging, static data. And if static data is compromised anywhere in the processing chain, it can be passed around, copied, bought and sold at will.
The solution has been available for years: Put logic in the card. Thanks to Moore’s Law, an inexpensive tamper-resistant microprocessor fits comfortably in a space smaller than your driver’s license photo. With a computer on both edges of the transaction, you can employ cryptography and authenticate the card interactively, so that eavesdropping on the transaction gains you nothing. Just as IBM’s Parry made our wallets smarter by adding computer storage, a modern card is smarter still by having an entire computer onboard.
Now, after resisting it for 10 years because of the formidable transition costs, the US is about to finally embrace the secure chip-based authentication system called EMV—the standard was pioneered by Europay, MasterCard, and Visa—that the rest of the world has already adopted. Pushed by mounting fraud costs, credit card companies have crafted incentives for merchants to switch to the sophisticated readers needed to accept the cards. “There was a lot of skepticism about whether it would ever happen in the US,” says Michael Misasi, an analyst with the Mercator Advisory Group. “All of the data breaches that have happened have woken people up, and progress has been accelerating this year.” The first serious milestone is October 2015. By 2020 the swipe-and-sign magstripe reader will be as hard to find as the credit card impression rollers they supplanted.
By then, it’s probably safe to say, the entire idea of a credit or debit “card” will be quaint. With the newly announced Apple Pay joining Google Wallet as a real-life payment system, even the chip-based credit cards will be little more than a backup technology. Apple took some ribbing for announcing Apple Pay while its iCloud celebrity breaches were still in the news. But unlike cloud storage, the state of the art of retail payment is so poor today that Apple can’t possibly fail to improve it.
You can see where this is headed by looking at one of EMV’s early adopters. Since the UK deployed EMV “chip-and-PIN” cards in 2004, overall card fraud in that country has fallen 32 percent, from 504.8 million euro in losses that year to 341 million in 2011, according to the most recent figures from the UK Card Association.
There are two loopholes that kept criminals from being hit even harder by the chip cards. First, the UK cards still have magstripes so UK travelers can use them when visiting the US. Adaptable criminals in the UK began working with confederates in restaurants and shops, covertly swiping magstripes from customers and selling them to American crooks to use at primitive American point-of-sale terminals. These scams contributed as much as 80 million euro in foreign fraud charges on UK cards in 2011.
But that loophole will close once the US switches over to EMV. The second, bigger, loophole is online fraud. Internet transactions aren’t made any safer by having a chip on your card, and in the UK and elsewhere criminals were able to make up much of what they lost by doubling down on fraudulent web purchases.
But the end is nigh for online credit card fraud, too. Systems like Apple Pay and Visa’s newly announced Visa Token Service accomplish the same security goals as EMV, but also work online. They replace the static credit card number with a temporary token that changes every time. “Initially, Apple Pay’s tokenization will only be for in-app purchases from mobile phones,” says David Robertson, publisher of the respected payments industry newsletter The Nilson Report. “But over time that will broaden.”
Robertson agrees that the simultaneous arrival of EMV and tokenization in the US will trigger a sea change in the underground. “There’s every reason to think that the industry will get ahead of the bad guys again,” he says.
None of this means cybercrime will become unprofitable. Skilled cyber-criminals will still make tons of money in more elaborate scams, like account takeovers and identify theft. But the death of the magstripe will trigger a financial crisis in the unskilled ranks of the computer underground akin to what the mortgage collapse did to Wall Street. And Perry’s historic invention, so brilliant at the time, can relax into its long overdue retirement.

The FBI says disgruntled employees are the new danger

The FBI has warned about the insider security threat
THE UNITED STATES Federal Bureau of Investigation (FBI) has warned businesses to watch out for disgruntled employees with an axe to grind and a basic command of internet services.
In a note on the US Homeland Security website the FBI said that the insider threat is a very real one, presumably because it has cottoned on to the whole Edward Snowden and NSA thing, and employees represent a "significant risk" to networks and proprietary information. In its advice the FBI suggests that firms be on the lookout for people who look glum, have personal email addresses and use things like Dropbox.
"The exploitation of business networks and servers by disgruntled and/or former employees has resulted in several significant FBI investigations in which individuals used their access to destroy data, steal proprietary software, obtain customer information, purchase unauthorised goods and services using customer accounts, and gain a competitive edge at a new company," the FBI said, recommending that firms look out for poisoned exit strategies.
"The theft of proprietary information in many of these incidents was facilitated through the use of cloud storage web sites, like Dropbox, and personal email accounts. In many cases, terminated employees had continued access to the computer networks through the installation of unauthorised remote desktop protocol software. The installation of this software occurred prior to leaving the company."
Some rascals have left companies only to return and extort them for access to websites and other information, added the note, and the FBI admitted that it spends a fair amount of time looking into such capers and that companies can spend between $5,000 and $3m recovering from them.
The FBI had some recommendations for organisations. First it recommended that companies change network access passwords when someone leaves, and delete that person's credentials from the system. It also said that passwords should not be shared, either by people or systems, and that they should be changed from any defaults.
It didn't say this, but it is also a truism: You should not iron your trousers while you are wearing them.

Hackers thrash Bash Shellshock bug: World races to cover hole

Sysadmins and users have been urged to patch the severe Shellshock vulnerability in Bash on Linux and Unix systems – as hackers ruthlessly exploit the flaw to compromise or crash computers.
But as "millions" of servers, PCs and devices lay vulnerable or are being updated, it's emerged the fix is incomplete.
The flaw affects the GNU Bourne Again Shell – better known as Bash – which is a widely installed command interpreter used by many Linux and Unix operating systems – including Apple's OS X.
It allows miscreants to remotely execute arbitrary code on systems ranging from web servers, routers, servers and Macs to various embedded devices that use Bash, and anything else that uses the flawed open-source shell.
An attacker needs to inject his or her payload of code into the environment variables of a running process – and this is surprisingly easy to do, via Apache CGI scripts, DHCP options, OpenSSH and so on. When that process or its children invoke Bash, the code is picked up and executed.
The Bash flaw – designated CVE-2014-6271 – is being exploited in the wild against web servers, which are the most obvious targets but not by any means the only machines at risk.
Patches released on Wednesday by Linux vendors, the upstream maintainer of Bash, and others for OS X, blocked these early attacks, but it's understood they do not completely protect Bash from code injection via environment variables.
New packages of Bash were rolled out on the same day, but further investigation made it clear that the patched version is still exploitable, and at the very least can be crashed due to a null-pointer exception. The incomplete fix is being tracked as CVE-2014-7169.
Red Hat, at time of writing, is urging people to upgrade to the version of Bash that fixes the first reported security hole, and not wait for the patch that fixes the secondary lingering vulnerability – designated CVE-2014-7169.
"CVE-2014-7169 is a less severe issue and patches for it are being worked on," the Linux maker said.
Meanwhile, although Ubuntu and other Debian-based distros have moved to using the non-vulnerable Dash over Bash, the latter may well be present or in use by user accounts. Above all, check what shell interpreters are installed, who is using them, and patch CVE-2014-6271 immediately.

The above code can be used to drop files onto patched systems and execute them, as explained here. Completely unpatched servers and computers can be exploited to open reverse command shells – a backdoor, basically – or reboot them (or worse) if they connect to a malicious DHCP server.
The main CVE-2014-6271 flaw was discovered by Stephane Chazelas of Akamai before it was responsibly disclosed. A Metasploit module leveraging the bug is already available. A blog post by Metasploit developers Rapid7 explains the grim state of play.

FBI:Apple's iPhone, iPad encryption puts people 'above the law'

FBI Director James Comey has complained that Apple and Google's use of stronger encryption in smartphones and tablets makes it impossible for cops and g-men to collar criminals.
"There will come a day – well it comes every day in this business – when it will matter a great, great deal to the lives of people of all kinds that we be able to with judicial authorization gain access to a kidnapper's or a terrorist or a criminal's device," he apparently told a press conference.
"I just want to make sure we have a good conversation in this country before that day comes. I'd hate to have people look at me and say, 'Well how come you can't save this kid,' 'How come you can't do this thing.'"
Apple has made great play of its tweaked file encryption in iOS 8, which is designed so that Apple doesn't hold people's crypto-keys so it can't be forced to give them up. The device owner's passcode is used to create the encryption and decryption key in the iThing; decrypting the contents of a person's iOS 8 phone or slab is no longer Apple's problem.
Shortly after the change was made public, Google said it too would switch on a similar system by default.
"I am a huge believer in the rule of law, but I am also a believer that no one in this country is above the law," Comey moaned today.
"What concerns me about this is companies marketing something expressly to allow people to place themselves above the law."
Comey said the FBI was in discussions with Apple and Google about their crypto implementations, but didn’t give any details as to what Cupertino and Mountain View's response was. It's clear he's not happy that the Feds can no longer get direct access to the handsets via Apple or Google, although data in iCloud is still up for grabs.
And, on iOS 8, not all data is encrypted on the gadgets, and some information can still be extracted if the g-men really want it, security expert Jonathan Zdziarski says.
But Comey is not the first law enforcement type to complain about Apple's it's-not-our-problem-anymore encryption, and he won’t be the last. The untrammeled access law enforcement has had to such devices in the past has been a major tool for fighting crime Comey argued and said enough was enough.
"I get that the post-Snowden world has started an understandable pendulum swing," he said. "What I'm worried about is, this is an indication to us as a country and as a people that, boy, maybe that pendulum swung too far."
Comey doesn't seem to get that in a "post-Snowden world" a lot of phone buyers actually want to make sure their private conversations and pictures remain private. Firms like Silent Circle have sprung up to meet this demand, and now the major players are getting the message too.
Despite Comey's criticism, it's unlikely Apple or Google is going to bow down to the wishes of government and install backdoors in their own products. This would be disastrous to sales if found out, and there are increasing signs that the tech sector is gearing up for a fight over the issue.

Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'

Security geeks have worked out a formula for determining which of a series of formerly blacklisted domains would be reused in malware attacks.
The method combines the domain name with the generic Top Level Domain, IP address alterations and the cost of a domain transfer.
Under the right conditions, the researchers sway, the domains net villains plan to use could be blocked or otherwise used to in the service of good instead of evil.
Palo Alto researchers Wei Xu, Yanxin Zhang and Kyle Sanders presented the paper We know it before you do: predicting malicious domains [pdf] at this week's Virus Bulletin conference.
Much effort has been put into building reputation-based malicious domain blacklists, however in order to evade detection and blocking by such systems, "many malicious domains are now only used for a very short period of time" they write.
"In other words, a malicious domain has already served most of its purpose by the time its content is detected and the domain is blocked.
"... we propose a system for predicting the domains that are most likely to be used (or are about to be used) as malicious domains. Our approach leverages the knowledge of the life cycle of malicious domains, as well as the observation of resource re-use across different attacks."

Life cycle of a malicious domain

The trio observed attackers reused valuable resources in setting up malicious domains and built in to their formula knowledge of the malicious domain life cycle. They designed systems to leverage Domain Generation Algorithms (DGAs) which could automatically predict future malicious domain names, and found temporal patterns in DNS queries of the malicious domains before their use.
Shared hosting IP addresses, DNS resolution infrastructure and shared domain registration information allowed domains to be identified that have not yet but would very likely be used in future attacks.
Malware flingers were increasingly taking advantage of resources geared to reuse given the economic benefits, which fell right into the hands of researchers.
"The reuse of resources across different attacks also presents opportunities for us to find connections between malicious domains," they said. "Using our knowledge of these connections, we can identify domains that are setting up to be used for malicious purposes."
They said the technique could predict and prevent malicious domains which could become stronger with future work.
The work did not consider benign domains that were hacked to host attacks, and focused crosshairs on bulletproof hosts.

Monday, 22 September 2014

How Vodafone Australia left customers' mobile voicemail accounts exposed to hacking

Shubham Shah discovered a security flaw in the way Vodafone handled voicemail. Shubham Shah discovered a security flaw in the way Vodafone handled voicemail. Photo: Peter Rae
An 18-year-old security researcher from Sydney who found a flaw in Optus' mobile voicemail service has found another vulnerability, this time in Vodafone Australia's voicemail system.
The flaw was only resolved after Fairfax Media raised a series of questions about the vulnerability, which also exposed Vodafone customers to identity theft through unauthorised access to online services such as Google, which use two-factor authentication via a phone call.
The Vodafone flaw allowed anyone to "bruteforce" a target's voicemail PIN using easily accessible technology and gain access to the phone subscriber's voicemail messages.
Huey Peard, 17, helped identify the flaw. Huey Peard, 17, helped identify the flaw.
The practice of brute forcing involves hackers using software to try multiple PIN combinations to gain access to a service. Typically secure systems employ bruteforce protection that will lock hackers out after a certain number of incorrect attempts, but Vodafone's Australian system had no such protection.
The flaw also allowed outsiders to retrieve Vodafone customers' two-factor authentication codes, or tokens, used to access their Google, Yahoo and other online accounts.
These codes – which come in handy as a second layer of security when online log-in credentials are stolen – are usually sent via text message but can also be sent via a phone call and end up in voicemail.
In order to bypass two-factor authentication, hackers needed a user's online password, which security experts point out is relatively easy to retrieve these days with the high number of breaches occurring daily on the internet and password reuse. They also needed to engage the user's phone so that the code could be left in their voicemail.
There is no evidence to suggest hackers made use of the flaw on any of Vodafone's 4.9 million customer accounts. It was corrected in June but Fairfax waited until global carriers could secure their infrastructure before revealing it.
The researcher, Shubham Shah, is due to present his findings at the Ruxcon security conference in Melbourne next month alongside his friend and high school student Huey Peard, 17, one of the founding members of Gibson Security. Last year the group published exploits found in disappearing photo-sharing app Snapchat. The revelations allowed another group to release usernames and mobile numbers of 4.5 million Snapchat users online.
"We were made aware of research that identified a security issue with our visual voicemail service," Eyman Ahmed, head of information security at Vodafone, said in a statement. "Vodafone's technical team responded to the matter within a matter of hours, and has updated its systems to address it. We thank the researcher for responsibly disclosing this issue to us so that we could address it and ensure our customers remain protected."
But Mr Shah said the fix Vodafone implemented was not well thought out. It involved, he said, locking out hackers - as well as users - from their voicemail after five incorrect PIN attempts. This meant anyone could lock a user out, requiring them to call support to reset their voicemail PIN.
The vulnerability was linked to the carrier's visual voicemail offered to customers using Apple's iPhone.  It's understood the four other global markets where Vodafone offers visual voicemail were not affected.
To notify others telcos about the flaw, Mr Shah informed the GSM Association (GSMA), a group whose members include global telecommunications companies.
James Moran of the GSMA said the group was "very grateful" for Mr Shah's co-operation and confirmed that operators were sent a security alert last week.
As the flaw potentially affects certain configurations of the visual voicemail system, Mr Shah also notified Apple, who acknowledged his findings.
"Thank you for contacting Apple Product Security," a company representative told him. "We appreciate you keeping us informed of your research, and hope your presentation goes well."

TOR users become FBI's No.1 hacking target after legal power grab

The FBI wants greater authority to hack overseas computers, according to a law professor.
A Department of Justice proposal to amend Rule 41 of the Federal Rules of Criminal Procedure would make it easier for domestic law enforcement to hack into the computers of people attempting to protect their anonymity on the internet.
The change in search and seizure rules would mean the FBI could seize targets whose location is "concealed through technological means", as per the draft rule (key extract below). Concealed through technological means is legal speak for hosted somewhere on the darknet, using Tor or proxies or making use of VPN technology.
Authority to Issue a Warrant. At the request of a federal law enforcement officer or an attorney for the government: (6) a magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if: (A) the district where the media or information is located has been concealed through technological means; or (B) in an investigation of a violation of 18 U.S.C. § 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts.
The DoJ has said that the amendment is not meant to give courts the power to issue warrants that authorise searches in foreign countries.
However the "practical reality of the underlying technology means doing so is almost unavoidable", according to Ahmed Ghappour, a visiting professor at UC Hastings College of the Law.
Ghappour argues that the proposals would result in "broadest expansion of extraterritorial surveillance power since the FBI’s inception".
Asked whether the FBI enhanced extraterritorial power might encroach on the NSA's turf, Ghappour told El Reg that the issue goes further than that and might also affect the US State Department and CIA. "Uncoordinated unilateral 'cyber' ops by FBI may interfere with US foreign affairs (or covert ops)," he said. Security experts think Ghappour may well be onto something on this point.
"Malware from the FBI to, say, Syria could very well trigger congressional investigations," noted Matthew Green, an assistant research professor who lectures in computer science and cryptography at Johns Hopkins University, in an update to his Twitter account.
The FBI reportedly used malware to identify users sharing child abuse images on the dark net as part of its bust of Freedom Hosting last year. In addition, LulzSec kingpin-turned-FBI snitch Hector Xavier “Sabu” Monsegur reportedly led cyber-attacks against foreign governments while under FBI control, so there's evidence that the FBI is already involved in overseas cyber-ops of one form or another. Viewed from this perspective, the proposed DoJ changes would involve regulating actions and operations that are already taking place.
Professor Ghappour - who also serves as director of the Liberty, Security and Technology Clinic – has put together a detailed blog post at ‪justsecurity.org‬ breaking down the DoJ's proposal here.

There's a New Social Network for Leakers and Whistleblowers

The world probably doesn't need another social network, but a new one launched earlier today that focuses on vetting people while still preserving anonymity could potentially fill a niche for whistleblowers, sources, and leakers.
Called 'Heard,' its key feature is its 'Verified not Identified' badges system, which will tell journalists and others that a source does indeed work for the government, or a big tech firm, or some sort of organization, even though they choose to remain anonymous.
"Instead of the all-or-nothing approach to identity, our system gives users another option of revealing only those badges that are relevant to the conversation," Heard cofounder Dave Vronay told me.
Those badges are awarded to users based on their credentials, such as their occupation and expertise, once it has been verified that the information is correct by what they are calling Badge Providers.

It's like using a burner cell phone.

At the moment, the verification process only works for one title: "tech industry insider," and it has been set up by Heard itself.
It does this by checking if you have an email address from one of the 20 biggest tech companies. If so, it sends a code to that address. You're then asked to upload a specific file to a server that doesn't know who you are but can give you the "badge" that'll stay with you on your Heard profile, Vronay says.
Heard will eventually allow companies and individuals to create their own Badge Providers, meaning that all sorts of job titles and "insiders" could potentially be vetted by the site. By making this a third-party process, Vronay says Heard has plausible deniability if law enforcement asks for its records.
"Heard has no idea how you managed to convince the provider to give that badge to you. At the same time, the Badge Provider has no idea who you are in Heard," Vronay said.
This system will, in theory, allow people to post with authority on a topic that requires it, without necessarily revealing their full identity to the public.
Vronay says that, eventually, badges might be given in person for highly sensitive jobs and government workers.
"This might be something that a major news agency sets up," he said.
Vronay hopes that with enough third-party use of Heard, companies would have their own presence on the site anyway, meaning that getting an official badge from Microsoft, for example, could be done through them.
This, however, is where a healthy dose of skepticism should come in. Heard only works if there's some sort of incentive for companies to want their employees on it, and that usefulness isn't immediately apparent at the moment. There's also the possibility, of course, that anonymity could be destroyed if a company looked into its employees' emails to see who joined Heard.
As for what might be leaked on Heard, Vronay thinks it's "particularly suitable for industry rumors, where many badged people can pile on and vote up reliable content. So things like new iPhone leaks, upcoming mergers or layoffs" could be exposed on Heard.
"The advantage of Heard is that you can make these single-use accounts that are badged. It is like using a burner cell phone," Vronay said.
We've seen lots of companies try to make it easier for whistleblowers to leak documents—and Heard might very well catch on. But given how whistleblowers have operated thus far, maybe you shouldn't hold your breath.

Your location info is too revealing: data boffins

A group of researchers partly supported by SAP has taken a look at one of the big problems with so-called “anonymised” data: the way spatial correlations in mobile data can be used to re-identify individuals in large data sets.
Location data is the big problem, the Singapore-led group says: even if the resolution of a phone's GPS records is reduced in a stored dataset, following a user's track (trajectory in the paper) for long enough will easily identify that user.
“Removing identifiers from location information, or reducing the granularity of the location or time, does not prevent disclosure of personally identifiable information,” the paper states. “Individuals are highly re-identifiable with only a few spatio-temporal points”.
Just how revealing location trajectories are is revealed in their analysis of 56 million records: “with two random points, more than 60 per cent of the trajectories are unique”, they write.
The researchers say anonymisation of mobile datasets is improved if the “trajectories” – literally, the “where the user has been” location datasets – are reduced. This way, they write, anonymity can be better protected, without trashing the utility of the dataset.
The researchers, Yi Song of the National University of Singapore (working under an SAP internship), Daniel Dahlmeier of SAP and Stephane Bressan of the National University of Singapore, note that the longer a user's location data can be strung into a trajectory, the easier it is to identify that user. In other words: a couple of location data points is nowhere near as useful as 24-hours' worth of the user's movements.
Trajectory-cutting to preserve anonymitySplitting a user's trajectory can help preserve anonymity
The attraction of their approach, they hope, is that only one parameter needs to be adjusted to give users better anonymity: the time window that trajectories are cut into. That's a simple enough operation that they believe it will be scalable to very large data sets

Five Ways to Avoid Wasting Time During a Breach Investigation

After a security incident is detected tremendous resources are spent in the forensic investigation trying to figure out what exactly happened and what data, if any, was compromised. If the forensic investigation doesn’t yield definitive results fairly quickly the organization is left with no choice but to assume the worst.
Worst case scenarios generally result in a dramatic increase in potential liability, as well as incurring more brand and customer damage than is warranted.
However, good preparation and a few basic security controls can dramatically reduce the amount of time wasted during forensic investigations, helping the organization quickly identify what happened, how it happened and who was behind the attack.

1. Build a Clean System

There’s no easy way to determine if an attack was successful and it’s even more difficult to quickly determine the scope and scale of what was compromised. The only reliable approach is to build a clean system and then compare it to all other systems in order to identify the changes.
Once a clean image is built, automated comparison of the clean image to systems on the network can quickly show the differences between the clean image and the potentially compromised infrastructure. Next, signs of malicious activity can be identified and these systems can be quarantined.

2. Classify Assets to Business Relevance

Business context matters during every breach investigation. Big changes on non-mission critical assets, like the printer in HR, may not merit significant time and attention. On the other hand, even small changes on mission critical assets should be investigated carefully.
After a breach, all systems are subject to review and audit. Post breach consultants often spend an inordinate amount of time trying to figure out the business purpose of systems with vague or non-existing business classification information.
In this scenario, an unpatched Windows machine is a meaningless piece of information, whereas a server that is part of the ecommerce infrastructure that hasn’t been patched or hardened for more than six months has the business relevance needed for forensics. All systems need business relevance data that is consistently collected, maintained and available for audit.

3. List Authorized Users and Their Privileges

Once a security breach is confirmed a huge amount of time is spent trying to figure out if the security incident matters and if so, who did it. Significant time can be saved if you spend the time required to create and maintain up-to-date user authorization policies and current asset classification before the breach.
The goal of forensic activities is to identify the actor, internal or external and the method used for the compromise, and finally, the scope of the impact so appropriate remediation action can be applied. In order to find the bad actor, a current list of authorized users and the assets they can access is a crucial resource.
Tools exist that can automate this but they are only as effective as the business process underlying them. Tracking down who did what with precision requires keeping access controls up-to-date with each change in employment, termination dates and especially third-parties and contractors.

 4. Put Login Failures into Context

Reviewing login failures is like looking for a needle in a stack of needles. It gets even worse because in and of themselves, they really don’t tell you anything but you can’t afford to ignore them either.
A better approach is to correlate login failures with other suspicious activity. Many companies are now connecting asset vulnerability and identity context to their log information and correlating this data to identify truly suspicious activity.
For example, some companies are able to create an automated watch list of terminated employees and correlate it to activity. Some companies can also correlate suspicious changes (outside change windows, for example) and configuration policy failures (such as opening FTP or unauthorized ports) against other network activity to detect anomalous behavior.
Forensics experts repeatedly report that activities like this that are present during a breach, but most businesses never connect the data in various security technology silos.

5. Improve Tool Integration

Poor integration of security technologies leaves many organizations with an error-prone process that requires manually correlating thousands of events or changes. Suspicious changes identified by one security tool must be confirmed through reports in different data formats from multiple other tools.
Better tool integration automatically correlates data, dramatically reducing the time and resources required to confirm suspicious activity. This is an emerging area within security. To help their customers truly get ahead of security risks, vendors need to connect key pieces of information across the security technology stack. The blind spots created by missing integration are often how the bad guys get in.
Every company, even those with formidable security resources, is vulnerable to a cyberattack. Security teams need to stop thinking about “if” and plan for “when” because prevention really is only half the battle.
Best practices are generally perceived as beneficial but boring and they are rarely accorded the urgency they deserve on the long list of things that security and IT teams need to do. Strategic investment in these basic controls is worth the time; it will improve cyberattack prevention and save time during the critical hours and days after a security breach.

Home Depot breach exposes a whopping 56M credit cards

Home Depot said Thursday that 56 million unique credit cards were put at risk of theft as a result of a security breach earlier this year in what could be the largest credit card exposure yet.
"Criminals used unique, custom-built malware to evade detection," the hardware store chain said in a statement Thursday. "The malware had not been seen previously in other attacks."
The company said that the malware, which it believes was present in Home Depot store systems between April and September 2014, has been eliminated from its systems and any terminals identified with malware were taken out of service. Additionally, Home Depot has rolled out enhanced encryption of payment data in all US stores.
Home Depot revealed last week that it was investigating "unusual activity" related to customer data but didn't actually say that it had been the victim of a credit card breach at that time.
The possibility of a breach was raised by security reporter Brian Krebs, who reported that "multiple banks" had seen evidence that Home Depot may be the source of a large cache of stolen customer credit and debit cards put up for sale on black markets.
The company said today that only credit card data was breached and "there is no evidence that debit PIN numbers were compromised."
The hack into Home Depot recalls a similar security breach at retail giant Target. Late last year hackers obtained credit card data of 40 million Target customers and the personal information for an additional 70 million customers.
Since the Target hack, there has been an apparent uptick in security breaches at retail locations. Over the past few months, arts and crafts retail chain Michaels Stores, department store Neiman Marcus, and restaurant chain P.F. Chang's all revealed they were victims of security breaches aimed at stealing customers' credit card information.
Home Depot is offering free identity protection services, including credit monitoring, to any customer who used a payment card at a Home Depot store from April 2014 to now.
"We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges," Home Depot chairman and CEO Frank Blake said in a statement. "From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so."

ATM Fraud, U.K. Leading Example

ATMs have been a convenient way for customers to access quick cash out of their accounts, but with all the ATM-related cybercrime stories, just how safe are they?
ATM scams have been around for a long time.
The latest evolution in ATM scams involve hackers using malware in Windows-based ATMs.
“The malware they are using is very effective at overcoming the ATM protections in place,” says Graham Mott, director of the U.K.’s ATM network, the LINK scheme. “We live in an international age. Crimes cross borders. Criminals are always looking for new techniques. So, it’s not the criminal who is migrating; it’s the technique that is migrating.”
The U.K. connects all of their 65,000 ATMs through LINK scheme, giving them a broad view of attacks and techniques used by hackers.
“The advantage is we are seeing all financial transactions which occur among financial institutions,” Mott says. “So it gives us a very good opportunity to see where attacks are happening and to see what the techniques are.”
Staying ahead of hackers new techniques and trying to anticipate and counter attacks is the approach companies need to take, Mott adds.
Mott will be a feature presenter at Information Security Media Group’s Fraud Summit in London on September 23.
Using malware to attack ATM machines is not a new technique being utilized by hackers. When looking at ATM-related cybercrime practices this year, Ploutus ATM malware is by far the most discussed.
Skimming techniques have been applied in many ATM hacks around the world. Thieves install devices on ATMs to steal card information. When an ATM has been tampered with, it can be very hard to detect.
Here are some links providing tips for ATM security: 
Skimtacular: All-in-One ATM Skimmer
10 Consumer Tips for ATM Safety and Security
4 Tips to Protect You from ATM Thieves
How to Spot (and Stop) ATM Skimmers