Thursday, 19 January 2017

"Attack the Cyber Enemy in their Burrows"


Exclusive: in anticipation of the CyberTech 2017 Conference, Israel Defense paid a rare visit to the cyber warfare facilities of the Israel Security Agency (ISA) and spoke with the "certified hackers" of the State of Israel
At the height of the 'knife terrorism' surge Israel faced during the first half of 2016, many ISA operatives were committed to the operational activity. This time, the ISA personnel did not consist exclusively of hardened field agents armed with handguns, but also included numerous youngsters who operated out of high-tech style open-space offices in central Israel. Their theaters of operations were, in this case, the social media. Working around the clock, the cyber specialists of ISA searched for groups forming and organizing to initiate and execute terrorist attacks.
In fact, these specialists practically "lived" inside those social media. In some cases, the information they collected led to preventive arrests made by IDF and ISA warfighters – those who do operate in the field. In cases where the danger of a terrorist attack was regarded as less imminent, warnings were issued over the telephone: ISA operatives contacted the parents of youngsters from the Judea and Samaria region, and made it clear that if their child were to execute a terrorist attack, the whole family would pay dearly.
"There were times we actually heard the parents slapping their children on the other side of the line, even before the call was over. The parents immediately pledged to assume responsibility for their children's actions," they say at the SigInt-Cyber Branch of ISA. "We estimate that many terrorist attacks were prevented in this way."
We paid a rare journalistic visit to the cyber warfare units of ISA in anticipation of the CyberTech 2017 Conference, to be held between January 30 and February 1 at the Tel-Aviv Convention Center.
The visit provided numerous surprises, as the people of ISA spoke with us very openly about cyber warfare and because the physical environment of the ISA cyber warfare operations is nothing like the standard image that comes to mind in the context of a secret security agency – there are no dark cellars or dull rooms branching out of grey corridors. On the contrary, some of the cyber warfare specialists work in open-space offices located at Israel's bustling high-tech centers (naturally, you will not be able to find any signs on the doors indicating their true organizational affiliation). Others operate from the ISA HQ building, where the work spaces are brightly-lit and the walls are covered with colorful wallpaper. The rest areas have slush and espresso machines along with Playstation and X-Box consoles – as if these were the offices of Apple or Google.
We spoke about the entire cyber warfare setup of ISA, most of which stands at the cutting edge of cyber technology and includes proactive cybersecurity methods. This setup identified and foiled a massive cyberattack against Israel about two years ago, which remained unknown to the public, but we'll get to that.

The Third Revolution

Generally, the cyber warfare setup of ISA is facing a major revolution in 2017 under the leadership of ISA Chief Nadav Argaman. Yet in order to fully understand this significant organizational revision, we must go back to the first revolution. This revolution took place more than 20 years ago, in the 1990's, at the height of the suicide attack offensive against Israeli urban centers alongside the Oslo agreements.
In the context of that first revolution, the ISA Chief at the time, Ami Ayalon, had the organization step up to a new era of information technology, and the outcome was new methods of operation, capable of 'fishing' terrorists out of a sea of digital information. In the early 2000s, The ISA Security Division even established the National Information Security Authority, which assumed responsibility for defending the critical infrastructures of the State of Israel against cyberattacks.
The second revolution took place at the outset of the present decade, when new cyber warfare and SigInt divisions were established by ISA, which operated alongside two primary staff branches – the SigInt-Cyber branch and the Information Technology (IT) branch. SigInt (Signals Intelligence – collection of digital information) and cyber warfare became an inseparable part of every operation, and with regard to the defensive aspect – ISA shifted from focusing on passive cybersecurity methods to offensive cybersecurity. In the context of the third revolution, which is about to take place, one SigInt and Cyber branch will be established and the SigInt-Cyber and Technology divisions of the various branches will be subordinated to it.
"In 2010, four new divisions were established practically overnight. Now we are taking them and merging them into a single SigInt-Cyber and and technology branch, thereby establishing a single organ that would function as a powerful fist," they say at ISA.
In fact, it may be concluded that you are establishing a first-of-its-kind cyber warfare arm, combining defensive and offensive capabilities. Although the IDF had discussed the establishment of such an arm but have not actually established it (in December 2016, the IDF General Staff decided to retain the separation between defensive and offensive cyber warfare operations – A.R.)?
"We are not doing anything parallel to the processes initiated by IDF or other armed forces. In our case, it is a fist that is suitable to the present era, where everything is intermixed, the physical reality on the ground and the cybernetic world. In such a reality, even a field coordinator in the territories requires a technological linkage. It is not enough to be a good warfighter or a sophisticated field agent operator. The Internet is breaking down all the walls.
"Fifteen years ago, only 4% of all ISA personnel served in the cyber warfare and SigInt units. Today they account for not less than 25% of our manpower," the people at ISA presented this amazing bit of data to illustrate the revolution – and that percentage is expected to grow further.
"Israel's databases are the most substantial in the Middle East, and one of the biggest and most complex in the world, owing to our technological advantage, and they require on-going protection," they say at ISA.
"Unlike past periods, the elements that affect the situation the most are not countries but the Internet and telecom giants from Silicon Valley, California. Every minor change that takes place in Palo Alto rocks the entire cybernetic world."
As far as you are concerned, how significant is the approach of offensive cybersecurity?
"It is highly significant. Information security was the first issue with which we had to cope years ago. This led to information system security, and in 2012 we realized that even that was not sufficiently effective, and unless we address cyberspace as a whole – we will fail.
"As far as we are concerned, just like in the physical world they do not deal with terrorist attacks by Hamas only by positioning security guards at shopping mall entrances, but actively pursue the terrorists wherever they may be, in the burrows and alleys, and attack them even at the places where they plan their attacks – the same should take place in the context of the cyber warfare effort. The approach being applied today is definitely offensive, and involves even deception tactics."
To illustrate this different approach, the people at ISA revealed the following example, which is being publicized here for the first time: about three years ago, the cyber warfare specialists of ISA had identified a carefully planned offensive, executed by one of Israel's most sophisticated enemies in the region. In the context of that offensive, the enemy 'deployed' at several sensitive nodes of the Israeli communication layout. Apparently, the intention was to remain at those nodes in dormant mode and execute a carefully-timed attack when the time comes. The intention may have been to simultaneously dominate an extensive range of television and radio broadcasts.
According to the traditional cybersecurity methods, ISA could have driven the "attackers" away from the sensitive nodes or enhanced security for those nodes. Instead, they opted for a different course of action. The cyber warfare specialists on the Israeli side monitored the way the enemy attack evolved and studied the methods of operation and even the working hours of the attacking hackers. Then, they took advantage of a prolonged holiday on the other side in order to eliminate the attack and stage a counterattack. One of the ways to attack enemy hackers is to reveal their details in communities of other hackers on the web. "In the hacker world, there is nothing more humiliating than this," they say at ISA, without specifically referring to the details of the counterattack staged by ISA (after all, they are not at liberty to openly discuss all of the aspects of the cyber wars).
The cyberattack foiled was one of the most sophisticated attacks with which ISA had to deal in the last few years, unlike the case of December 2012, when the satellite broadcast of one of Israel's TV channels was replaced by a written message from Hamas. In that case, the enemy took advantage of the fact that the satellite signals were being broadcast at very low power settings, for economic considerations. When the hostile takeover was identified, the power setting was increased and the Hamas message promptly disappeared.
Can we say that a cyberattack that causes physical damage is more dangerous than a propaganda attack like the takeover of a communication broadcast? Is the connection between the physical world and the cybernetic world the main issue today?
"In our opinion, no. Everyone likes to talk about that at every professional discussion forum, but the estimate is that the risk of a propaganda attack is more serious. Such an attack can even bring about the collapse of a bank, which would have far-reaching consequences, or the collapse of the stock exchange, as was the case a few years ago pursuant to a false report planted into the editorial board of the AP news agency.
"In November 2016, in the USA, you could see up close how hackers create chaos in the election campaign. Admittedly, physical damage, like damage inflicted on electrical turbines for example, could have extremely serious consequences, but in this case the objective is like a fortified locality that is very difficult to reach. The damage of a propaganda attack, on the other hand, involves the 'softest' objective. You must cover multiple risks continuously."
The changes within ISA are not only organizational. The cybernetic revolution has also led to a renewed definition of the respective responsibilities and the boundaries between ISA and other organizations like the IDF Intelligence Directorate and the Cyber Authority, established as part of the National Cyber Bureau in 2016.
Opposite the IDF, the arrangement is fairly simple: ISA, as always, is responsible for preventing damage to national security, including espionage operations, while the IDF cyber operations are aimed primarily at military objectives.
With regard to the Cyber Authority – the Authority and ISA signed a treaty last June, which is reported here for the first time. ISA Chief Nadav Argaman and the Head of the National Cyber Bureau, Dr. Eviatar Matania, finalized the treaty that put an end to the conflict over authority and responsibilities that had taken place a few years previously. (Dr. Matania and Buki Carmeli, who heads the Cyber Authority of the National Cyber Bureau, will be among the primary speakers at the CyberTech 2017 Conference, alongside Prime Minister Benjamin Netanyahu and cyber technology leaders, at the national level and from the industry, from around the world).
According to the treaty, the Authority is responsible for the business continuity of the civilian sector in Israel and for protecting that sector against cyberattacks. The Authority has recently inaugurated the National CERT (Cyber Emergency Response Team) Center in Beersheba, headed by Dato Hasson – himself a former senior ISA officer. The Authority assumed responsibility for cybersecurity in two-thirds of the layouts regarded as vital national infrastructures, including energy and electricity, while ISA is still responsible for the remaining third, including communication infrastructures. The responsibility for thwarting cyberterrorism and espionage remains with the ISA.
Does the arrangement work well?
"The very fact that we did not have to open the agreement even once since it had been signed last June says everything," they say at ISA. "It is important to understand that the cybersecurity effort is not divided but combined. We conduct elliptical table discussions, attended by the Cyber Authority, the Mossad, IDF Intelligence Directorate and the Director of Security of the Defense Establishment (MALMAB). These are people who know each other very well from previous positions, among other things. It is not a battleground. On the contrary, the trick has to do with how you develop the cooperative alliances. No single agency can do it all on its own."

"Being a Certified Hacker"

With the dramatic increase in the number of cyber specialists within ISA, their average age is dropping, and the present figure is 34.
"The factor that leads to success or to failure are the people," at ISA they were proud to note that their cyber specialists won a major part of the annual prizes for distinction, awarded at ISA by the Prime Minister in late December 2016.
Are you successful in filling your ranks, despite the struggle over quality personnel opposite the civilian companies?
"Yes, we have 100% staffing, as we offer a state-of-the-art working environment, good pay and stability (even if the pay is a little lower than the standard of the civilian sector), and in particular something else, which is the dream of the young people: to be a legitimate, certified cyber specialist and to be involved in the most sophisticated operations, that are difficult to even imagine."
The work of the ISA cyber specialist – is it teamwork or solo work?
"Both. There is a lot of room for individualistic work, depending on the mission. In the SigInt sections, work is predominately teamwork. Generally, we create an environment where youngsters can flourish and feel like racehorses carrying as little weight as possible.
"Beyond the on-going missions, the environment produces non-stop technological startups. In the civilian sector, you are focusing on a single startup at most. In our case, every cyber warfare specialist can be involved in multiple startups simultaneously. They are practically serial start-uppers."
Do you have a problem with the fact that some of these people eventually develop civilian companies using similar knowledge, after they leave and join the civilian sector?
"Naturally, we see to it that the truly sensitive knowledge does not leak out, but we live in peace with the situation of our people using the rest of the knowledge. It is a part of reality that we also benefit from. Sometimes we receive a telephone call from Palo Alto, with amazing technological proposals from people who had grown up here and never forgot where they came from."

Tuesday, 17 January 2017

Supreme Court issue notice to WhatsApp and Facebook over privacy policy

The Supreme Court of India has issued notices to central government,  Telecom Regulatory Authority of India (TRAI), WhatsApp, and Facebook over a plea seeking privacy on data.

The petition was filed by two law students against the  WhatsApp's proposal to start sharing some of the user data with the parent company, Facebook.

The Delhi High Court had earlier denied the petition and refused to interfere with matter. However, the Apex court has directed the companies to reply to the notices within two weeks.

"What is disturbing here is you want to continue using this private service and at the same time want to protect your privacy... You can choose not avail of it [WhatsApp], you walk out of it,” Chief Justice of India J.S. Khehar said.

According to the petitioner, there are 157 million users on WhatsApp and Facebook.

It's not that Facebook and WhatsApp are facing privacy issue in India only, the even European Union has raised questions about Facebook's privacy policy.

Last month the European Union  Commissioner, Margrethe Vestager,   had said that "Facebook was misleading it about WhatsApp.Companies are obliged to give the Commission accurate information during merger investigations... In this specific case, the Commission's preliminary view is that Facebook gave us incorrect or misleading information during the investigation into its acquisition of WhatsApp. Facebook now has the opportunity to respond."

WhatsApp’s encrypted messages can be vulnerable to MITM attacks


This week, an article by Guardian reported that Whatsapp’s encrypted messages are vulnerable to hacks. The encryption keys in social messenger leave users wide open to man-in-the-middle attacks, enabling third-parties to tap their communications.

Last spring, Whatsapp announced that every message on its service is delivered with end-to-end encryption which means not even Whatsapp can tell what's inside.

In the MITM attack, if an attacker gains access to a WhatsApp server, he could forcibly reset the keys used to encrypt messages and install himself as a relay point, intercepting any future messages sent between the parties. The recipient of the message would not be alerted to the change in keys, and the sender will only be alerted if they’ve opted into the app’s “Show security notifications” setting.

The underlying weakness has to do with alerts rather than cryptography. Although they share the same underlying encryption, the Signal app by Open Whisper Systems isn’t vulnerable to the same attack. If the Signal client detects a new key, it will block the message rather than risk sending it insecurely.

WhatsApp will send that message anyway. Since the key alert isn’t on by default, most users would have no idea.

Based on its Signal Protocol (also used for encrypted messaging in Google's Allo), each client is identified by a public key that's shared with other people, and a private key on the device. Because people change phones or uninstall and reinstall apps, the pair of keys can change. Users can ensure their communication is secure by checking the security code displayed on each end, if it matches, then they can be sure their messages aren't subject to MITM attack by a third party.

The attack cannot be exploited by many criminals because it requires server access but still an unusually skilled attacker or a court order could compel WhatsApp to break its own security.

The messenger was quick to push back against the allegation saying that “WhatsApp does not give governments a ‘backdoor’ into its systems and would fight any government request to create a backdoor.” WhatsApp team and people who helped design the implementation defended the flaw saying that the design decision isn’t putting users at risk.

The bug reported in the article had long been known to security professionals, and there’s no evidence WhatsApp ever tried to conceal it. The persistence of the weakness shows how hard it is to balance security with the demands of everyday users.

The flaw has been described as a "security back door" by The Guardian and privacy campaigners but more sober voices have described it as a minor bug and criticised the media outlet for going over the top. A number of security professionals have chimed in to agree, including Frederic Jacobs, who helped design the protocol being used.

The vulnerabilities in key handling were first discovered by German computer scientist Tobias Boelter in April 2016. In his blog, Boelter blamed the bug on the use of closed-source software, rather than a deliberately inserted back door.

The Guardian raised the urgency of this flaw by pointing to the UK’s recently passed Investigatory Powers Bill, which gives that government significant new legal powers for aggressive data collection. But it would be very hard to use this vulnerability for mass surveillance. A successful attack would allow WhatsApp servers to break a given conversation’s encryption, but to provide data en masse to the government, the servers would have to perform that attack continuously on every conversation in the UK, sending out a cascade of pings to anyone with security notifications enabled.

If WhatsApp were to leverage this bug to fulfil lawful access demands, the company would have to implement the attack continually on every user in the country, which would be extremely noisy and extremely visible. The end result wouldn’t be much different from shipping an update and announcing that the service is no longer encrypted.

For users, the most responsible thing to do seems to be to turn on notifications and check your security codes regularly.

Italian siblings arrested for cyberattack

Italian police have arrested a nuclear engineer, Giulio Occhionero, 45 and his sister, Francesca Maria Occhionero, 49 for hacking into 18,000 high-profile email accounts, including the former Prime Minister.
Authorities suspect that the siblings may have ties to the Freemasons, because the malware used in the hack was called “Eye Pyramid,” believed to be a reference to the all-seeing eye of God, or Eye of Providence, a symbol typically associated with Freemasonry. The name of the software may also have been a play on his own surname – Occhionero means “black eye” in Italian.
The widespread cyber-attack compromised communications of prominent Italian institutions and individuals, including Vatican’s two former Prime Ministers, Vatican cardinals, bank executives and other high profile targets, which prosecutors claim was used to conduct insider trading. Mario Draghi, the president of the European Central Bank was also among the targeted individuals. Former Prime Minister, Matteo Renzi was also one who resigned in December last year after losing a constitutional reform referendum.
The attackers, who have dual residencies in London and Rome, are accused of spearphishing attacks using malware to gain access to victims' email accounts and illegally accessing classified information and breaching and intercepting information technology systems and data communications since 2012. The siblings were most recently living in Italy.
Vatican officials have not yet commented on the attack and it is yet unknown to what extent sensitive Vatican information may have been compromised.
There are indications the malware campaign may have been running from as early as 2008. In total, just under 1800 passwords were allegedly captured by the Occhionero siblings, who exfiltrated around 87 gigabytes of data to servers in the United States.
Mr Occhionero who had strong links to the Masonic movement allegedly developed software that infected email accounts, enabling him to access the information. Several of the compromised accounts belonged to Mason members.
Whether or not there are ties to the Masons, cyber security experts believe it is highly unlikely that the sibling pair acted alone.
The illegally accessed information was stored on servers in the United States, leading to an ongoing investigation with the assistance of the FBI’s cyberdivision. The stolen data has been seized by Italian police and the FBI.

Italian police believe the siblings used the stolen confidential information to make investments through a firm operated by Mr Occhionero, a nuclear engineer by profession.

Monday, 9 January 2017

The official Tor browser for iOS is free to use


When Mike Tigas first created the Onion Browser app for iOS in 2012, he never expected it to become popular. He was working as a newsroom Web developer at The Spokesman-Review in Spokane, Washington, at the time, and wanted a Tor browser app for himself and his colleagues. Expecting little interest, he then put Onion Browser on the Apple App Store at just $0.99/£0.69, the lowest non-zero price that Apple allows.
Fast forward to 2016, and Tigas found himself living in New York City, working as a developer and investigative journalist at ProPublica, while earning upwards of $2,000 a month from the app—and worrying that charging for it was keeping anonymous browsing out of the hands of people who needed it.
So a few weeks ago, he made the app free. Since then, its popularity has exploded, with thousands of downloads recorded every day. The results of the recent US presidential election might have had something to do with this decision, and its impressive results, Tigas told Ars. "Given recent events, many believe it's more important than ever to exercise and support freedom of speech, privacy rights, and digital security," he wrote in a blog post. "I think now is as good a time as ever to make Onion Browser more accessible to everyone."
Global concerns also influenced his decision. "Iran is not technically a country where you can get an iPhone, but on the grey market you can," he told Ars. "People over there can't get apps you have to pay for, because you have to have a credit card that Apple actually accepts," he added, noting that economic sanctions forbid Apple from selling to Iranian iOS users.
Onion Browser is the official Tor Project-endorsed Web browser for iOS. But it lacks some of the features available for Tor Browser (Linux, MacOS, Windows) and OrFox (Android), due to technical roadblocks peculiar to iOS.
The two biggest challenges Tor developers on iOS face, as Tigas outlined in this blog post on the Tor Project website, are Apple's requirement that all browsers use the iOS WebKit rendering engine, and the inability to run Tor as a system-wide service or daemon on iOS.
Developers have found workarounds to both problems, and iOS users can soon expect to see a new, improved Onion Browser, as well as a Tor VPN that routes all device traffic over Tor—probably in the first quarter of 2017.

Not quite as secure

Unlike the Tor or OrFox, Onion Browser is not based on the Firefox Gecko rendering engine. This is good—Onion Browser is not vulnerable to Firefox exploits—but also bad, because code cannot be reused.
A further challenge, Tigas said, is that Apple’s WebKit APIs "don’t allow a lot of control over the rendering and execution of Web pages, making a Tor Browser-style security slider very difficult to implement."
Many of iOS's multimedia features don't use the browser's network stack, making it difficult to ensure the native video player does not leak traffic outside of Tor.
"Onion Browser tries to provide some functionality to block JavaScript and multimedia, but these features aren’t yet as robust as on other platforms," Tigas wrote.
Moreover, it doesn't support tabbed browsing, and the UX is pretty basic, but Tigas is working on a rewrite based on Endless. "It adds a lot of important features over the existing Onion Browser,” he said, “like a nicer user-interface with tabbed browsing, HTTPS Everywhere, and HSTS Preloading. There’s a new version of Onion Browser in the works that’s based on Endless that will hopefully enter beta testing this month."

Welcome to the sandbox

The biggest challenge to getting Tor working seamlessly on iOS, though, is the inability to run Tor as a system-wide service or daemon, something which is trivial to accomplish with most other operating systems, but unavailable to iOS app developers. To prevent misbehaving apps from getting up to their usual mischief, Apple sandboxes apps from each other, and from the underlying OS. This means you can't install Tor on iOS, let it run in the background, and route all your device traffic over Tor.
“In iOS the moment you leave an app, the app goes to sleep,” Tigas told Ars. “With Tor Browser Bundle or OrBot on Android, other apps can use the Tor in Tor Browser Bundle, other apps can use OrBot's connection on Android.”
In fact, to get Onion Browser to work, he has to compile Tor into the app itself—as does any other iOS app developer who wishes to offer a Tor connection. But that's about to change, thanks to iCepa.

A Tor VPN for iOS

OrBot, the official Tor routing service for Android.
Enlarge / OrBot, the official Tor routing service for Android.
iCepa—from the Latin cepa for onion, and pronounced i-KAY-puh—is a Tor VPN for iOS currently under development that will enable iOS users to route all their traffic over Tor. "A lot of us had the idea simultaneously after Apple released iOS 9, which added some APIs that allowed you to talk to network traffic," iCepa developer Conrad Kramer told Ars. "It was intended for companies like OpenVPN or Cisco to build their own VPN solutions for iOS, but we realised we could build a version of Tor using this API."
"It's similar to how OrBot works," he added, "which also uses a VPN approach."
Apple-imposed memory limits had prevented Kramer from finishing work on iCepa until recently. The memory limit for packet-tunnel extensions, he explained, was 5MB—and Tor needs around 10MB to run.
Kramer said he was able to continue development work on a jailbroken iOS 9 device, but with little motivation since a jailbroken solution would not scale. An encounter with Apple engineers at the WWDC conference gave him the chance to lobby Apple engineers to raise the limit—which they did, in iOS 10, to 15MB, more than enough to get a Tor VPN working in iOS.
Kramer told Ars he had just gotten iCepa working on his test device in mid-December, and plans to share the working code in a private alpha with other Tor developers before the end of the year. He hopes to release iCepa to the public through the App Store at the end of the first quarter of 2017.
"The timeline is still uncertain," he emphasised, "but I do want to get it out as soon as possible.”

Paying for Tor development

Since making Onion Browser free in early December, Tigas says the number of downloads has jumped from around 3,000 paid downloads per month to thousands per day. He is at peace with his decision, though, convinced he has done the right thing, but worries about the loss of income.
"[The extra money] helped keep me doing investigative journalism by day," he told Ars. "If I can get to even 15 percent of where it was before, I would be really happy and amazed. I think I have like five people on Patreon right now."
Tigas has received some financial support from the Guardian Project to continue work on Onion Browser, but, he says, the money does not come close to replacing the income lost from the App Store.
“I'm still a little terrified that I've made this change,” he wrote in his blog post, “but I'm happy this day has come—and judging from the responses I've already received, so have many of you. Thanks for your support.”

Android banking Trojan malware disguises itself as Super Mario Run

super-mario-run.png
Cybercriminals are taking advantage of Android users who are desperate to play Nintendo's wildly popular Super Mario Run mobile game, in order to spread the notorious Marcher banking Trojan malware.
Nintendo's iconic plumber made his much anticipated debut on mobile devices in December and is currently exclusive to Apple iOS users, who can download the game via the App Store.
But some desperate users are looking for ways to gain access to it on Android by attempting to download versions from third-party websites. And, much like they did when Android users wanted to download Pokemon Go before it was available, attackers are actively looking to exploit that demand by tricking users into downloading the bank information stealing Marcher Trojan.

The Marcher malware has been around since March 2013, and has repeatedly evolved in order dupe unsuspecting victims into installing it, even posing as an Android firmware update, then tricking users into entering their banking details into a fake overlay page which hands them directly to the attackers.
Now, cybersecurity researchers at Zscaler have warned that the Trojan is disguising itself as Super Mario Run in a new effort to steal financial account details and credit card numbers from those most desperate to download the game on Android by bypassing the official Google Play store.
From fake websites advertising the availability of an Android version of Super Mario Run, users are invited to download a phony version of the app, which demands the user grant it various permissions including administrative rights to the device.
By providing administrative access to the infected systems, users are enabling the gang behind Marcher to monitor the device and steal login data of not just banking and payment apps, but also for apps including Facebook, WhatsApp, Skype, Gmail, the Google Play store, and more. Criminals can exploit all of these stolen details to carry out additional fraud.
Due to the constantly evolving nature of the malware, Zscaler researchers have previously dubbed Marcher "the most prevalent threat to the Android devices" and the malware attacks all versions of Google's mobile operating system.
Marcher first originated on Russian underground forums but has since become a global threat, with the Trojan targeting bank customers around the world.
The best way for Android users to avoid falling victim to Marcher is to only download applications from trusted application stores such as Google Play, and not downloading anything from unknown sources.

VNC server library gets security fix


An important fix for libvncserver has landed in Debian and on the library's GitHub page.
Late in 2016, a bug emerged in the VNC libraries that left clients vulnerable to malicious servers.
As the Debian advisory states, the fix addresses two bugs: CVE-2016-9941 and CVE-2016-9942. The libraries incorrectly handled incoming packets, leading to heap-based buffer overflows.
Clients could be attacked either for denial-of-service, or potentially for remote code execution.
The folks at libvncserver pushed out their own patch on December 30 – so if you're a dev using the library, get it and start patching. It's the first new libvncserver code release since October 2014.
Debian's other recent security patches include Tomcat 7 and Tomcat 8 security updates, to close CVE-2016-8745: “incorrect error handling in the NIO HTTP connector of the Tomcat servlet and JSP engine could result in information disclosure”.

St. Jude Medical Patches Vulnerable Cardiac Devices

 Image result for medical devices
St. Jude Medical today released an update for the Merlin@home Transmitter medical device that includes a patch for vulnerabilities made public last year in a controversial disclosure by research company MedSec Holdings and private equity firm Muddy Waters.
In a paper published last August, Muddy Waters said that vulnerabilities in the remote transmitter used to communicate with St. Jude Medical’s implantable cardiac devices left defibrillators and pacemakers exposed to attack and put patients’ physical safety at risk.
The disclosure was compounded by a short position Muddy Waters held on St. Jude Medical stock that allowed it and MedSec to profit should St. Jude stock drop in value. Muddy Waters said it expected close to half of St. Jude Medical revenue to drop as a result of the disclosure and that remediation would take close to two years. St. Jude Medical, which has since been acquired by Abbott Laboratories, is trading at $80.82 today, up from $77.82 on Aug. 25.
Muddy Waters today called the patches a “long-overdue acknowledgement” and alleged again that St. Jude Medical prioritizes profits over patients.
“It also reaffirms our belief that had we not gone public, St. Jude would not have remediated the vulnerabilities,” said Carson Block, Muddy Waters CEO, in a statement provided to Threatpost. “Regardless, the announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants.”
Justine Bone, CEO of MedSec, echoed what Block said regarding the remaining vulnerabilities.
“We acknowledge St. Jude Medical’s effort in the remediation of this vulnerability which was rated as High severity by the Department of Homeland Security,” Bone said. “We eagerly await remediation efforts on the multitude of severe vulnerabilities that remain unaddressed including the ability to issue an unauthorized command from a device other than the Merlin@home device. MedSec remains available to assist Abbott Laboratories during this process.”
In October, research outfit Bishop Fox said in a legal filing on behalf of Muddy Waters and MedSec countering a suit filed by St. Jude Medical, that a universal key, or backdoor, could be exploited to send commands from the Merlin@home transmitter to the implanted device. Bishop Fox said it developed an attack that could issue an emergency shock command to the implanted device. Bishop Fox also described two other attacks in its report that could deliver dangerous shocks to patients, as well as wireless protocol vulnerabilities that it had found.
The U.S. Food and Drug Administration, meanwhile, partnered with St. Jude Medical on today’s announcement, and recommended that providers and patients continue to use the affected devices.
“The FDA has reviewed St. Jude Medical’s software patch to ensure that it addresses the greatest risks posed by these cybersecurity vulnerabilities, and reduces the risk of exploitation and subsequent patient harm,” the FDA said in a statement. “The FDA conducted an assessment of the benefits and risks of using the Merlin@home Transmitter, and has determined that the health benefits to patients from continued use of the device outweigh the cybersecurity risks.”
Today’s update will be automatically pushed to Merlin@home devices, and patients are advised to ensure the remote monitoring tool is connected to the Merlin.net network in order to pull down the patch.
The initial Muddy Waters report said it saw two demonstrations of attacks against implantable cardiac devices through the Merlin@home Transmitter. Should an attacker gain access to the device, they could change configurations and cause a device to malfunction and either alter pacing to dangerous rates, or deliver harmful shocks. Attackers could also cause the battery to drain. The attacks, the report said, are within reach of relatively unskilled hackers.
Muddy Waters and MedSec said in August that the communication protocols for Merlin@home Transmitters lacked encryption and authentication mechanisms and were compromised.
“As a result, an attacker can impersonate a Merlin@Home unit, and communicate with the Cardiac Devices – and likely even STJ’s internal network. While STJ might be able to patch one particular type of attack, the mass distribution of access points to the inner workings of the ecosystem via the home monitoring devices requires in our opinion, a lengthy system rework,” Muddy Waters’ report said.
The decision to publicly disclose the vulnerabilities to capitalize on the short position drew opened a new front in the disclosure debate, and resurrected a number of conversations around the ethics of where and when to report vulnerabilities in software and devices.
The FDA, which along with the Department of Homeland Security, opened an investigation in September, said today that it will continue to assess any new information around St. Jude device security and alter its recommendations if need be.
“The FDA reminds patients, patient caregivers, and health care providers that any medical device connected to a communications network (e.g. wi-fi, public or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users,” the FDA said. “The increased use of wireless technology and software in medical devices, however, can also often offer safer, more efficient, convenient and timely health care delivery.”

Sunday, 8 January 2017

NATO trains Iraqi Experts in Cyber Defense

Iraqi experts were trained on cyber defense at the Middle East Technical University (METU) in Ankara, Turkey to improve their expertise and technical knowledge and to contribute to the strengthening of Iraqi national cyber defense capabilities. According to a NATO publication, this course was supported by the Science for Peace and security (SPS) Program and took place from 21 November to 2 December 2016.
This training course aimed at Iraqi system/network administrators was tailored specifically to Iraq’s needs by focusing on its cyber security and defense requirements presented to NATO. Overall, 16 civil servants from the new Iraqi Computer Incident Response Team (CIRT) were trained during the course.
The hands-on training program included both theoretical sessions as well as practical laboratory exercises of core aspects of cyber defense, including cryptanalysis, prevention of data exfiltration, advanced digital forensics, and conducting vulnerability assessment.
The course focused on raising cyber security awareness and provided the trainees with the expertise and technical knowledge to help increase resilience of their national networks. Upon their return, the trainees will be able to apply the gained knowledge in the daily operation of their institutions thereby significantly contributing to the strengthening of Iraqi national cyber defense capabilities

Iranian Threat Agent OilRig targeted Multiple Organizations in Israel


Iranian threat agent OilRig has been targeting multiple organizations in Israel and other countries in the Middle East since the end of 2015, according to a Clear Sky report. In recent attacks, they set up a fake VPN Web Portal and targeted at least five Israeli IT vendors, several financial institutes, and the Israeli Post Office.
Later, the attackers set up two fake websites pretending to be a University of Oxford conference sign-up page and a job application website. In these websites, they hosted malware that was digitally signed with a valid, likely stolen code signing certificate
Based on VirusTotal uploads, malicious documents content, and known victims – other targeted organizations are located in Turkey, Qatar, Kuwait, United Arab Emirates, Saudi Arabia, and Lebanon.

Infrastructure Overlap with Cadelle and Chafer

In December 2015, Symantec published a post about “two Iran-based attack groups that appear to be connected, Cadelle and Chafer” that “have been using Backdoor.Cadelspy and Backdoor.Remexi to spy on Iranian individuals and Middle Eastern organizations."
Backdoor.Remexi, one of the malware in use by Chafer, had the following command and control host:
87pqxz159.dockerjsbin[.]com
Interestingly, IP address  83.142.230.138, which serve as a command and control address for an OilRig related sample (3a5fcba80c1fd685c4b5085d9d474118), was pointed to by 87pqxz159.dockerjsbin[.]com as well.
This suggest that the two groups may actually be the same entity, or that they share resources in one way or another.

For the complete report, visit the Clear Sky blog.

Malware uses denial-of-service attack in attempt to crash Macs

ddos-email-client.png
The malware opens emails until the system crashes.
A tech support scam is targeting Mac users with unusual malware which tries to crash the system then encourages the victim to call a phony Apple support number in order to get the system restored to normal.
Victims are infected with the malware via a malicious email or by visiting a specially registered scam website. Cybersecurity researchers at Malwarebytes warn that these websites are particularly dangerous for Mac users running Safari because simply visiting one of the domains can execute the attack.
Once the malicious code has been triggered, it will first of all check to see which version of OS X the victim is using and then attempt to trigger a a denial-of-service attack by repeatedly opens draft emails.
The DDoS continues drafting new emails in individual windows until so many windows are running that the system crashes due to lack of memory. The subject line of the emails tells the user a virus has been detected and to call the tech support number.
There are also instances of the malicious software opening up iTunes without any user prompting and displaying the fraudulent phone number there.
While users running the most up to date version of the Apple operating system - macOS Sierra 10.12.2 - don't appear to be affected by the DDoS attack against the mail application, so users should patch their systems to ensure the most protection against the attacks
This is far from the first support scam to target web users, with Microsoft users also regularly targeted by cyber fraudsters. Microsoft itself has previously warned Windows users to remain vigilant when it comes to tech support scammers malware.

Bank robber reveals identity – by using his debit card during crime

 

Moron of the month gets almost four years in the clink for failing to grasp basic opsec

On January 3, Alvin Lee Neal received a 46-month prison sentence for robbing a Wells Fargo Bank in San Diego, California, and was ordered to pay back the $565 taken.
Neal, a registered sex offender, acknowledged his role in the May 13, 2016 robbery in a plea agreement with the US Attorney's Office of Southern California.
As described in the complaint filed with the US District Court in San Diego, Neal walked up to a teller in the bank and "presented a Wells Fargo debit card which he swiped through the customer card reader located on the counter."
This displayed his name and customer profile on the teller's screen.
Asked by the teller what kind of business he wanted to transact with the bank, Neal said, "You're being robbed," and presented a note reading, "You're being robbed no mistake."
Neal subsequently clarified the ambiguity of his note, which could have been read as a statement that the robbery should not be mistaken as some other activity. His intended message turned out to be a warning that the teller not do anything that might prompt a harmful response.
"You don't want anyone to get hurt, don't make a mistake," he said.
Thanks to Neal's mistake, investigators didn't have to work very hard to solve the case. A query to the California Department of Motor Vehicles database for Alvin Lee Neal produced a picture that was similar to the individual captured on the bank's surveillance video. Additional law enforcement database searches identified Neal as a registered sex offender.
When law enforcement agents arrived at Neal's address and requested permission to search his residence (which Neal granted in writing), they found "a grey, checkered pattern double-breasted style jacket similar in appearance to the jacket worn by Neal when the Wells Fargo was robbed" and the ATM card with which he had identified himself.
The complaint indicates that Neal was read his rights, which he subsequently waived, and then admitted to the investigators his intent to rob the bank.
The sentence of almost four years is significantly less than the 20-year maximum penalty.