Tuesday, 31 March 2015

GitHub Know Repel Chinese DDoS Attack After 113 hours



The popular online platform for developers GitHub has a DDoS attack that began on March 26 after 113 hours to successfully beat off, as the website shows through Twitter know. When the DDoS attack combining attack vectors used. It was well known attack techniques and new technologies used by the browsers of unsuspecting people who had nothing to do with the attack, large amounts of data direction github.com send.

"Based on reports we have received, we think that the aim of this attack is to remove certain content," said Jesse Newland from github in a blog posting . According to the company Insight Labs Internet in China was manipulated to harass GitHub website with traffic. Files of the Chinese search engine Baidu were thereby replaced with JavaScript against the GitHub pages of the Chinese New York Times and Great Fire was directed. Great Fire is an organization that monitors censorship in China.The added code caused the browsers of Chinese Internet users every two seconds clippings from the GitHub pages.

Even researchers Netresec say that the "Great Firewall of China" was used to perform a powerful DDoS attack on GitHub."Therefore the Great Firewall can not only be seen as a technology to censor the Internet of Chinese citizens, but also as a platform for conducting DDoS attacks against targets worldwide, with the help of innocent civilians deployed visit Chinese websites." The current measures taken by GitHub would however maintain.

Researchers Reveal Solution For Mobile Malware


Researchers from the University of Alabama say they have developed a solution that should reduce the impact of mobile malware. The problem of mobile malware, according to the researchers is mainly caused by users who download applications from untrusted sites that offer infected apps. Once installed on the device has the malware free play.

"The Achilles heel of the security of mobile devices is that security decision depends on the user," says researcher and lecturer Nitesh Saxena. For example, when you install an Android app gets the user's demand that the app will have certain rights. Users can then be distracted or have hurry and so quick to allow these permissions. "Whatever the reason, it is a known problem that people do not look at these warnings and simply" yes "clicks."

Current operating systems provide the researchers not protect against this type of attack. Therefore there was a search for a solution to the important parts of the phone, namely the ability to call the camera and NFC, protect against malware. The result was a security that is based on three hand movements. If a user wants to call that instance must move the device or tap anywhere before the phone rings, while as malware service to telephone calls this movement will fail.

To demonstrate the effectiveness of the approach, the researchers collected data from several phone models and users in real or "almost real" scenarios, where both friendly and hostile scenarios were simulated. It emerged that detect hand movements are very accurate and other benign and malignant activities can be distinguished. "In this way, something as simple as human movement to solve a very complex problem," says Saxena. "It makes the weakest link, the user, the strong defender." The researchers plan to develop security for other smartphone services, such as SMS and email.

Infected Updates Distributed For Puush And FlashFXP


Users of programs Puush and FlashFXP has become the target of an attack in which infected updates were presented and distributed. Puush is a program for sharing screenshots. Via Twitter , the service says that malware was sent in the form of a Puush update for the Windows version. After the discovery Puush advised to close the app and scan the computer.

From unconfirmed investigation would show that the malware was designed to steal passwords from browsers. In our own research Puush saw however that passwords were sent to the attackers. There is now released an update for Puush that the malware removed and lets users know if they are or are not infected. In addition, users are advised to change all their passwords. Through a blog posting late Puush know that the server was hacked.

FlashFXP

A similar incident took place last week, only with the FTP program FlashFXP. At the forum FlashFXP users complained that they were offered an update that was not on the website. Attackers had the DNS of the domain using the automatic updater, liveupdate.flashfxp.com adapted and were able to spread infectious updates. According to the developer of the FTP program impact would be limited because FlashFXP first checks the digital signature updates before being installed.

In case the file does not have a valid signature features will be removed. Last week the developer published an update(5.1.0.3824) that users need better protection against DNS hijackings. So is now requesting updates controlled digitally. If the server does not respond with a valid digital signature, the server's response is ignored. Furthermore performed additional checks to verify that the signatures of downloaded files is really FlashFXP.

Intel Is Working With US Air Force Against Malware


Chip giant Intel is working with the US Air Force on software to detect malware. The software is similar to programs that use schools and universities to catch pupils and students who plagiarize example. Is searched for code that is also found in other malware. The program uses the code of more than 4.5 million malware instances.

This would lazy malware authors who borrow code from other malware or earlier versions can be caught, says The Gazette .According to Jason Upchurch, a researcher at Intel, malware authors reuse code themselves or others because it is effective and efficient. Often, a small code modification sure the malware not detected by virus scanners. By looking at parts of the code would be the solution from Intel and the Air Force Academy will recognize the malware.

The Air Force is also pleased to be working with Intel. "We get a taste of new technologies," said Lt. Col. Greg Benettt of the innovation center of the Department of Homeland Security. He argues that cuts through research by the private sector, such as the collaboration with Intel, is playing an important role. "The research by the private sector is much more substantial than what we can perform in the army and the government itself." The cadets will give the opportunity to gain the necessary experience.Next month Benett hopes to conclude a research agreement with Google, reports FCW .

Monday, 30 March 2015

43-Year-Old Telnet Still Popular On The Internet


It is 43 years ago this week that Jon Postel RFC 318 published a document in which he described a standard method to control terminal devices at one location from another location, now better known as Telnet (Teletype NETwork). Despite its age and the security problems that are associated with Telnet network protocol is still very popular on the Internet.

John Matherly, the developer of the search engine Shodan, collected in March sorts of information services on the Internet and discovered that Telnet on the sixth place of most state services found behind HTTP, CWMP, SIP, SSH and HTTPS. According Matherly, Telnet is still used by companies and manufacturers. Among other kinds of " smart "products. "The fact that Telnet is easy to use, easy to integrate and requested by users allows Telnet remains popular on the Internet," said Matherly.

Telnet was designed at a time when security hardly played a role and therefore does not have encryption. Besides all kinds of old legacy devices that still use telnet and replaced by SSH is unclear how often the protocol for new products at selected points Matherly. "But the fact remains that even for new programs and devices, and engineers Telnet preferable alternatives."Something Shodan developer both from a security and usability point of view is unwise. Recently reported that the Internet giant Akamai even in the fourth quarter of 2014 as much as 32% of all the observed attack traffic against Telnet was addressed.

Tens Of Thousands Of Frequent Flyer Accounts Hacked British Airways


Attackers have managed to gain access to thousands of frequent flyer accounts of British Airways and steal all kinds of bonus because users had used their password for the service also for one or more other websites, according to the British airline.

In an email to customers affected British Airways announces that the "unauthorized activities" has discovered regarding the "Executive Club account" of the user. It is an automated attack that happened to other places stolen credentials was tried to login. The Guardian reports that for tens of thousands of users are affected. To protect users, it was decided to close all accounts and change the password. Before users can log in again they must first create a new password.

On Reddit and Twitter are all kinds of angry messages from customers who reported that their Avois points are all stolen, formerly known as Air miles. It is a reward program where consumers when shopping sorts can earn bonus points which can then be used for travel. According to British Airways, there would be no personal information captured and is working to resolve the situation.

Indian Student Pays Training With Bug Reports


The search for vulnerabilities in applications, web applications and other software for many researchers now become a lucrative business, with an Indian student pays even trained with. Shashank Kumar, known on Twitter as cyberboyIndia would now have about $ 30,000 in bug reports are earned. Thus he was able to pay most of his training, so he lets opposite The Verge know.

Despite the revenue say many researchers working on so-called "bug bounty" join programs that they are not full-time to look for vulnerabilities, but rather a part-time job or a way to generate additional income. Earnings that are higher on the black market. Nevertheless, most hackers would choose an official reward program, says Alex Rice, former security chief on Facebook and now CTO of HackerOne.

"In order to sell something on the black market you should make one weapon. That could take months," said Rice. Most hackers do have the skills, according to him, but no bad intentions. Yet it also happens that hackers find that they did not have enough money or that bugs are not resolved quickly enough. Often these hackers then decide to reveal the problem yet, what a PR nightmare for businesses can be said Gus Anagnos of SYNACK.

That can ensure that companies in each bug melding overreact. "As an organization wasting a gun to his head, the start time to vulnerabilities that are not very important," Anagnos notes. There are also now several platforms launched where companies can join. The platform receives the entries and make the selection and communication, so the company only receives structured bug reports, so that can be solved earlier.

Sunday, 29 March 2015

FBI Denies Deliberately Removing Encryption Advice


The FBI denies deliberately removed a tip on how to enable encryption on smartphones from its own website. This week the blog came Techdirt with an article that said the security advisory to encrypt the smartphone from the FBI site had disappeared.

The weblog tied this to statements by FBI Director James Comey that rather negative about the standard encrypting smartphones had spoken by Apple and Google. The National Journal contacted the FBI and was told that there was no malice in the game. The website should be redesigned.

There were recommendations, which stems from 2013, taken from another government site, namely the Internet Crime Complaint Center. Here are the tips to find still . Furthermore, the spokesman said that the investigation service still stands behind the advice that stood on the site and that it is in favor of the use of encryption by smartphone users to protect their data.

China Censor Messages On Google And Mozilla CNNIC


The Chinese authorities have messages from Google and Mozilla censored stating that Chinese certificate authority (CA) CNNIC has been involved in the issue of rogue Google certificate. Reported GreatFire.org , an organization that monitors censorship in China.

The rogue Google certificate which Google, Microsoft and Mozilla this week sounded the alarm had been created by the Egyptian company MCS Holding. The company had been given the opportunity of CNNIC, which is a root CA. As root CA is CNNIC trusted by all major browsers. CNNIC had spent an intermediate certificate for MCS Holding, which the company for arbitrary domains could create SSL certificates. Because the intermediate certificate of CNNIC came, they were created SSL certificates also trusted by browsers.

Both Mozilla and Google warned of rogue certificates and announced measures to protect their users. A famous Chinese IT blogger translated the message from Google that both Google and the Chinese search engine Baidu was well indexed. Not much later, the blogger via Twitter announced that he had received a call from the government that he had to remove his post immediately, which he did. The article Mozilla was acquired by several Chinese sites, including the state-owned Huanqiu.

Eventually, all these articles deleted. "This shows again the role CNNIC in the censorship apparatus. CNNIC was, is and will continue to internet censorship," said Great Fire. The organization calls Google, Mozilla, Microsoft and Apple also to say and draw the root certificate from the organization's confidence in CNNIC to protect users worldwide.

AVG Demonstrates Privacy Glasses To Face


Early this month unveiled the Czech anti-virus company AVG privacy glasses designed to prevent face and now the virus fighter has a demonstration online put. The glasses are developed because it more and more places appear cameras and face recognition develops.


It involves, for example pictures made in public places and shared via social media. Someone might thus inadvertently on websites like Facebook may end up and be "tagged". In order to prevent this, the eyeglasses of a reflective material is provided. If someone has a picture with a flash makes the light is reflected and dazzles the camera, making the face of the wearer is not visible.

In the event no flash is used has the glasses on infrared light. That disturbs the sensor of the camera. "If you're worried about your privacy and want to be invisible, then you can ever buy this privacy glasses in the future," said Tony Anscombe AVG.Whether the virus fighter plans to bring the glasses on the market is not yet known.

Saturday, 28 March 2015

Researchers Reveal SSL Attack By 13-Year-Old RC4 Leak


Researchers have demonstrated an attack with which it is possible to be a part of the information that is to intercept encrypted via SSL / TLS. Unlike several other attacks on the encryption protocol is when attacked by security company Imperva ( pdf ) no need to sit through a man-in-the-middle attack between the user and the Internet. The passive eavesdropping of data, for example, would suffice received by a web application.

The attack is aimed at a thirteen year old vulnerability in the RC4 encryption algorithm, which is used in setting up an SSL / TLS connection. The vulnerability has already been described in 2001, and makes it possible to carry out a "plain text recovery attack" on SSL traffic as RC4 is the used encryption algorithm. Then an attacker can retrieve portions of session cookies, passwords and credit card numbers. The vulnerability is caused by the weak keys that uses RC4.

If an attacker enough SSL / TLS connections can be intercepted found such a weak key, which can then be read the first 100 bytes of the encrypted data. If an attacker tries to steal a session cookie can reduce the effective size of the cookie using this attack, which can be accelerated a brute force attack on the session cookie. Via session cookies, it is possible to take over the session of a user and so as to gain access to online accounts.

The problems with RC4 have long been known , and in 2013, Microsoft released an update for Windows to disable the algorithm. Most browsers would still support RC4, as well as more than half of the servers. According to the researchers such would be 30% of the TLS sessions are still using RC4, even if it is stronger AES algorithm available for quite some time.

Microsoft And Google To Stop Mass Surveillance NSA


Big tech companies such as Microsoft, Google and Yahoo and American civil rights organizations like the EFF and ACLU have the US Congress a letter ( PDF controlled) which they call to stop the mass surveillance of telephone calls. It involves conversation data collected under section 215 of the Patriot Act. Section 215 allows to store the metadata calls the NSA. On 1 June this year expires this section and thus the authority for the NSA.

Opponents this is a good time to implement reforms. Congress has, however, consistently refused reforms of section 215, with threats to national security are given as a reason. In the letter sent now Congress is called to ensure that any proposal that section 215 adjusts at least put an end to mass surveillance, establishes rules for transparency and no demands on data storage or technology.

"We understand that the government plays an important role in protecting our communities, but we must do so in a manner consistent with our values ​​that. Almost two years after the government surveillance became known, the US government still has work to do to distrust in technology that it has caused to recover, " says Microsoft's Fred Humphries.

Friday, 27 March 2015

Serious Leak In Wi-Fi Networks Detected And Patched Hotels


A researcher has discovered a serious vulnerability in the Wi-Fi networks of hundreds of hotels allow an attacker the wifi gateway can completely take over and use to infect visitors with malware or attack the systems of the hotel. The vulnerability is in the ANTLabs InnGate, a popular Internet gateway for hotels, conference centers and other places that offer temporary wifi access.

A vulnerability allows the equipment ensure that a remote attacker full read and write access to the file system can get. This is easily done via rsync daemon that runs on TCP port 873 and no credentials required. Once an attacker connects to the rsync daemon, normally for synchronizing files and creating backups is used, it unlimited files on the file system read and write.

Thus, it is possible to upload a gebackdoorde version of each file or add a user with root privileges. The severity of the leak is increased because it is very easy to attack. Execute any Linux or Unix system with the rsync command can attack namely.Something as researcher Brian Wallace , who discovered the problem through a few keystrokes to do.
Attacks

Once an attacker has taken over the wifi gateway can he attack other users. In the past, there are targeted attacks discovered that users of Wi-Fi networks were notified that they had to update Flash Player instance. It then went to malware via the wifi gateway by the attackers was offered. Also, an attacker can modify files that users of the Wi-Fi network to download and replaced by malware.

It is also easy to intercept unencrypted communications from users. In addition, it was found that the WiFi gateways in some cases in Property Management Systems (PMS) were integrated. These systems are currently being used for hotel reservations, customer data, payroll and many more things. In addition, a PMS for and used by multiple locations. By integrating an attacker can attack the PMS itself. Through the PMS would then be possible to attack other hotel locations.

Wallace performed a scan on the Internet and discovered 277 vulnerable devices in 29 countries, including the Netherlands. ANTLabs yesterday released an update for the vulnerability. However, it is not known if that is installed already by all vulnerable hotels. System administrators can also prevent abuse of the vulnerability by blocking Internet access to the Rsync process

Malware Late Router Advertisements And Porn Websites Show



Researchers have discovered malware that attacks routers and then injects ads and pornography on websites that the user visits. Once the malware has been given access to the router, which is done by default usernames and passwords, the DNS settings are changed.

The Domain Name System (DNS) is similar to the directory and translates among other domain names into IP addresses. By adjusting the DNS of the router can fit criminals traffic from users via their server running. Most operating systems are configured to use the DNS settings of the router. Once a computer or other device to connect to the router, the custom DNS settings will be used.

With this modified DNS settings, it is possible for users to send by other websites, even if they tap the correct address in the address bar of the browser. In the case of custom DNS settings are requests to google-analytics.com intercepted. When users visit a website that used Google Analytics she redirected to a fake Google Analytics site.

Google Analytics is a service that allows websites to gain insight into the use of their website. If a website is viewed with Google Analytics, Google Analytics Javascript code which will download and run, after which the user's view is counted in the survey. Once the user to the fake Google Analytics site is redirected he gets malicious Javascript code which is then presented with advertisements and pornography on the website visited then injects.

Researchers from Ara Labs , which the malware discovered , argue that it is not a vulnerability in Google Analytics, but that the service because of the great popularity is the target. The makers of the malware get paid again to generate traffic to the websites and ads shown. To prevent the attack Internet users are advised to update the firmware on their router and change the default password.

Egyptian Company: Google Rogue Certificates Were Mistake


The Egyptian company that had generated rogue SSL certificates for different websites from Google calls it a mistake that Google eventually discovered the certificates and hit alarm . Indeed, it was not intended that the certificates were discovered. This week, Google warned Internet users to rogue Google certificates generated by the Egyptian MCS Holding. Through the certificates could allow an attacker to Man-in-the-middle and phishing attacks on Internet users to intercept passwords and the contents of encrypted traffic.

MCS Holding is an Egyptian security company that delivers business networking. However, it had become a so-called "intermediate" certificate authority (CA), which was linked to the Chinese certificate authority CNNIC. SSL certificates from an intermediate certificate authority originate have the full authority of the CA under which they fall. In particular, Mozilla had great criticism of CNNIC that MCS Holding had given permission to the intermediate CA to generate SSL certificates.

The Egyptian company said in a statement that it had signed an agreement with CNNIC to a two-week period intermediate CA to act. This would be necessary for the testing of a new roll from cloud service. The test took place in a secure lab where the private key of the CA certifcate, to generate SSL certificates, stored in a firewall.

However, the firewall was set to automatically generate certificates for websites that were visited on the Internet. During an unguarded moment at the weekend would be one of the IT engineers decided to use the internet with Google Chrome. Chrome offers certificate pinning, which websites can indicate what their CA SSL certificate has been issued. The browser will then put these certificates on a whitelist.

Is the website for an SSL certificate that is issued by a different CA, then turn the alarm browser. After MCS Holding by CNNIC had informed the certificate was immediately removed from the firewall and warned all parties involved. According to the Egyptian company, it is a human error which inadvertently took place. "We have no evidence of abuse, and we therefore recommend that people will not change their password or other action," said a company spokesman.

Measures

Meanwhile, Google has revoked the intermediate certificate of MCS Holding and also a Microsoft update released under Windows Users. From the description of the software giant appears that certificates for domains *. google.com , *.google.com.eg , *. g.doubleclick.net , *. gstatic.com , www.google.com , www.gmail .com and *. googleapis.com were created. Firefox comes next week with an update to revoke the certificate.

On the mailing list of Mozilla developers after the incident a heated debate erupted or CNNIC is not guilty because it would have violated all sorts of rules. While some want CNNIC is removed from the root store of Firefox. Mozilla could do this then this can have very serious consequences, especially for Chinese Firefox users, thereby HTTPS sites with SSL certificates of CNNIC and suspended beneath intermediate CAs can not visit. The Chinese CA Mozilla has therefore asked not to remove it from the root store CNNIC.

Thousands Hacked WordPress Sites Spread Malware


In recent weeks, thousands of hacked WordPress sites which are then used to distribute malware. It also involves several Dutch websites including nummeriban.nl , hoofdpijncentra.nl and the website of Dries Roelvink. That leaves the Dutch security researcher Yonathan Klijnsma today know.

Fiesta Exploit Kit Gate
On the hacked WordPress sites is an iframe placed visitors, without this, have, to a exploitkit forward. This exploitkit uses known vulnerabilities in Adobe Flash Player, Adobe Reader and Java to infect users. However, if users use the latest version of these plug-ins they run no risk. "There are thousands of websites that contain this iframe at this time. From the data I have is about 3,000 websites, but this is probably only a fraction" says Klijnsma.

In case the attack, there can be all kinds of malware installed successfully, including ransomware encrypts files that sorts to Trojan specifically designed to steal money from online bank accounts. According Klijnsma the WordPress sites hacked through a leak in the RevSlider plugin. This is a known vulnerability for which an update is available. Webmasters have not rolled out the update. Owners of a WordPress site then also be advised to both the content management system as installed plug-ins to keep up-to-date.

Xtube Porn Spreading Malware Via Flash Attack


Visitors to the porn xtube are now warned cyber criminals have hacked the website and use it for distributing malware. Xtube 780 ranked of most visited websites in the United States and would have to deal with 25 million visitors every month.

Unlike other recent attacks are widely used in the case of infectious xtube no ads, but the attackers have malicious code placed directly on the website itself. Something which is possible only if the attackers have access to the website. The code sends users unnoticed through to another website which then tries to put through a known vulnerability in Adobe Flash Player malware on the computer.

It is a vulnerability that already has a security update has been released. Users who have the latest Flash Player version available are therefore not at risk. In case the attack was successfully placed a Trojan horse on the computer. The malware was detected at the time of the attack by 12 of the 57 scanners on VirusTotal, says anti-virus company Malwarebytes .

It is not just porn sites that are victims of these attacks. This week, the Dutch security researcher warned Yonathan Klijnsma that the website nummeriban.nl where users can convert to an IBAN account number, also malicious code was detected. The malicious code sent by visitors to a website that users via known vulnerabilities in Adobe Flash Player, Java and Adobe Reader tried to attack.

Thursday, 26 March 2015

Spammer Uses 750,000 Twitter Accounts For Slimming


One of the spammers have created over a period of one year 750,000 Twitter accounts and used for an extensive spam operation involving slimming based on green coffee beans were offered. To convince potential customers that the pills were legitimately used the spammer kinds Twitter accounts resembling the accounts of famous brands and celebrities, such as CNN, TMZ and MTV.

Spammers also used the Twitter accounts to real Twitterers to send these fake accounts, as reported anti-virus company Symantec. The virus fighter managed to unmask the spammer because that left some traces of his identity. For spam operation used the spammer three types of accounts. Namely new accounts that had no followers, no tweets sent out and used the standard "egg" icon. Symantec calls these accounts "eggs".

There were also accounts stolen content and tweeted photos of real women used. These accounts were followed by both the "eggs" as real users. Finally there were the "mockingbirds" accounts that occurred as the accounts of famous brands and celebrities and slimming advertised. Through the mockingbirds and parrots the spammer trying to spread the tweets about the diet pills among many people. For anyone who purchased the diet pills eventually the spammer got a fee ranging from 36 to 60 dollars.

The spammer could eventually become obsolete because he made some mistakes. So he left traces in the domains he registered and he used one of his "parrot Accounts" as a personal Twitter account. He also used some parrot accounts to retweet personal tweets.

Paying Attention

Symantec warns Twitterers to check that accounts they follow are real, identifiable by the blue tick. In addition, users of the micro blogging service wary of new followers and wants the number of followers on Twitter that someone does not say anything. "Numbers can lie," said the virus fighter. Finally follows the advice that no miracle pills exist to lose weight.

Vulnerability Scanners F-Secure Patched


The Finnish anti-virus firm F-Secure warns of a leak in the virus scanners and security of the business which a remote attacker via a man-in-the-middle attack could attack the update channel. Then it would be possible to replace all the files on the computer.

The vulnerability, which was discovered by F-Secure itself has been assessed as "high". This is the next-to-highest rating.The problem is present in both the business and consumer software. For the affected software are now hotfixes. The warning for the leak was partly already published on 12 March, but is now updated with a description of the problem, vulnerable versions and the availability of the hotfix.

School District Shifting Exams Because Ransomware


A US school district has the math and English exams postponed after all kinds of files on the network were encrypted by ransomware. The Swedesboro-Woolwich School District in New Jersey consists of four primary schools, with a total of 2,000 students. The infection affected the entire school system, from e-mail communication and online learning tools to examinations conducted online.

Furthermore, would also files of employees are encrypted. Across New Jersey Online late headmaster Terry Van Zoeren know that teachers and students, because the systems were turned off, went to work as if it was "1981". For example, parents could receive e-mails with the numbers of pupils and other information and it was not possible to use the smart boards, as reports CBS. In a statement on its website allows the school district that the affected files mostly Word documents, Excel spreadsheets and PDF files of staff were.

Data of the student information system as well as other applications off-site should be preserved and are not affected by the ransomware. The encrypted files have been restored through a backup, as well as the servers where all the malware was removed. The school district is now working to get the e-mail and other systems in the air again.

According to Van Zoeren would ransomware to "500 bitcoins" ransom asked. An unprecedented sum for ransomware, which usually requires an amount of about $ 500. Possible that this is misunderstood or misinterpreted. How the school district became infected is not reported. In contrast, only explained in the statement how ransomware spreading in general.

Anti-virus Company Provides Alarm After 22 Million Toolbars


Antivirus company Avira has sounded the alarm after the last month 22 million toolbars, plug-ins that display ads, programs that hijack search results and other "potentially unwanted software" (PUA) detected on users' computers. In most cases, the toolbars and adware are bundled with other programs. The virus fighter calls the installation procedures of this type of program is misleading.

The virus scanner from Avira will also detect all software that injects malicious content or an excessive amount of requests personal information. "We believe in free Internet and therefore accept advertising as a means to sponsor content. Downloading software does not mean that you agree to install unwanted or unknown applications on your device," says the virus fighter.

Notorious programs

The five programs Avira most encountered are iLivid, an app that results to ilivid.com forward and all browsers try to infect your computer, SeaSuite, a tool bar that displays ads and injects websites Soft Pulse, a bundle that installs toolbars, NexLive, a browser plug-in that modifies browser settings and OptimizerPro, which monitors the browsing habits and pop-up displays advertisements.

The virus fighter has recently released new guidelines for software developers who need to reduce the amount of unwanted software. It is about rules and behavior where the software should adhere to. It does not, it can be labeled as unwanted software and removed. "Nevertheless, it is extremely important that users understand the risks and protect themselves," Avira says.

Site Checks Hijacked DNS Settings Router


The past year has regularly occurred cybercriminals adapted the DNS settings of routers so that they could direct users to malicious Web sites without direct user was clear. The Finnish anti-virus firm F-Secure says it has discovered more than 300,000 residential and business routers in 2014 of which were adapted to the DNS settings.

The Domain Name System (DNS) is similar to the directory and translates among other domain names into IP addresses.By adjusting the DNS of the router can criminals traffic from users via their servers run or redirect user to as phishing sites, even though they have stated in their browser the correct URL.

The anti-virus company therefore has a website launched that can be easily verified that the DNS settings on the router or the system are hijacked. In case the DNS hijacked, users advised to disconnect their router from the Internet and reset, change the password, disable remote management and updating the firmware. In the case of custom DNS settings on the computer that can be restarted in order to empty the DNS cache and is advised to perform a virus scan.

Wednesday, 25 March 2015

Google Lets Firefox And Safari Block Unwanted Software


After previously Google Chrome users already for websites with unwanted software warns Google has now made ​​this opportunity available for Firefox and Safari. Google offers to other parties the Google Safe Browsing API. This interface make Firefox and Safari example use of information that Google has about phishing sites and malware sites.

Through the Safe Browsing API would globally 1.1 billion people are protected. Google has the information it through the interface to other parties by giving now expanded with a list of websites that offer unwanted software. This involves software that affects the Internet, for example, by adjusting the start or showing additional ads on websites. Or Firefox and Safari will warn their users also for unwanted software or automatically via the API happens is still unknown.

Danish Chiropractors Target Of Ransomware Attack


Danish chiropractors are the target of a highly targeted ransomware attack that attempts to encrypt all kinds of files for ransom. The attack begins with a perfect Danish drawn email, reports the Danish security firm CSIS . The IT security does not exclude that the message was written by a Dane. The email tries through social engineering open the receiver to let the included Dropbox link.

This link points to the kinds of ransomware that encrypts files on the computer. After encrypting a message appears on the screen that the files are encrypted and the user has 24 hours time to get his files, he or she will lose otherwise permanently.The malware also prevents the use of various Windows programs, such as Task Manager, Regedit and MSconfig. The ransomware has a keylogger to save keystrokes.

"We have decided to classify the attack as a major risk, even though that focuses on a specific group. This is mainly because of the level of social engineering that precedes the attack and the destructive code is attempted on the computer to install, "says Peter Kruse of CSIS. He notes that this type of attack is likely to be successful in many Danish organizations and therefore a threat to both companies and the authorities.

Fake Email Wehkamp Spreads Ransomware


Mail order company Wehkamp warns Internet users for an email that already goes around a few days and seems to come from the company, but in reality that is spreading ransomware encrypts files for ransom.According to the email, the recipient would have placed an order with Wehkamp.

It is the computer game Fifa 15 for the PlayStation 3. The message notes for more information on the order to the included zip annex which has an order number. The zip annex again contains an .exe file with an icon from Adobe that the malware appears to be. It is a variant of CTB Locker, which stands for Curve Tor Bitcoin. This ransomware resurfaced last year for the first time. Once users the .exe file to open the computer becomes infected and all kinds of files encrypted. Then users get some days to pay the ransom for decrypting the files.

The infected e-mails using the name of Wehkamp went last week all around, according to a warning from security researcher Mark Loman Twitter. Since then notify all kinds of Twitter users that they have the message received . Increasingly it appears to the so-called order of the computer. "There is indeed a phishing email around that does not come from us. You can best remove him immediately and not open!", says Wehkamp via Twitter.

Half Of Android Users Would Be Vulnerable To Attack APK


Android Users who install apps outside of Google Play and an old Android version use are vulnerable to a new attack. It was estimated to be half of all Android users, warns security company Palo Alto Networks.The actual number is probably much lower.

Through the vulnerability could allow an attacker to break into the installation of a seemingly safe APK file and replace it with an app of choice, without the user noticing. The security issue is caused by an error in the system service "Package Installer" of Android, allowing attackers unnoticed can get unlimited access rights. During installation let Android Apps see what permissions they need in order to work properly. A Messages app, for example, require access to SMS messages, but not to the GPS location.

The vulnerability gives attackers the ability to deceive users by a false, smaller set to allow access rights to see. In reality, the user, if he chooses to install the app, just give access to all services and data on the device, including personal information and passwords. The problem is present in Android 2.3, 4.0.3-4.0.4, 4.1.x, and 4.2.x and some distributions of 4.3. According to Palo Alto Networks uses about half of Android users one of these versions.

The actual number of users that are at risk is likely to be much lower. The security issue because only occurs at Android apps that are downloaded from third parties and unofficial marketplaces. It does not apply to apps downloaded from Google Play. These files are downloaded namely in a safe environment that can not be modified by an attacker. Owners of Android devices vulnerable therefore be advised to only download apps from Google Play.

Malware Can Steal Data From Offline Computer Via Heat


Israeli researchers can steal developed a method by which malware through heat data from computers that are not connected to the Internet. BitWhisper , as the researchers from Ben Gurion University call their attack, uses the built-in thermal sensors of computers and the heat power , processor, video card and other dispensing components.

To carry out the attack, the computer that is not connected to the Internet become newly infected with malware. This could for instance via a USB stick. In addition, should read this computer next to a computer that is connected to the Internet and also been infected. The malware on the offline computer can then communicate through the heat sensor with the heat sensor of the online computer, somewhat similar to Morse code.


By allowing the temperature of the system increases and lowering the malware can forward information to the receiving system. In their model, the researchers got the first heat rise by one degree, to which in turn let to normal temperature bags.To find infected computers around the malware can periodically "ping heat" issue, for example, to determine whether a government employee has placed an infected laptop near.

The two systems can subsequently infected via the "heat-ping", which the temperature is increased by one degree, to exchange a handshake and thus set up a connection. At this time can be exchanged using this attack method only 8 bits of data per hour, reports Wired . Thus, an attacker could send a password or a secret key, but no large amounts of data.

In addition, the attack only works when the systems up to 40 centimeters far apart. According to the researchers, there are many organizations where there are multiple computers on one desk next to each other. One that is connected to the Internet, and one that is connected to an internal network. Soon the researchers will publish a report on their research. On YouTube is now a demonstration video in which one infected computer via heat signals can operate the USB rocket launcher from another infected computer.

Oracle Provides Mac Version Of Java Again With "Adware"


Oracle has started with the delivery of the Java installation for Mac with the infamous Ask Toolbar. Also users get back to whether they have their home in Ask.com want to change. In early March showed that Oracle had the setup of Java for Mac bundled with the Ask Toolbar.

The software does this for some time for the Windows version, but it's the first time it does this for the Mac version. The Ask Toolbar is labeled as adware by different parties. The toolbar uses the Ask search engine, which would be full of bad classified ads. Advertisements that are not of the "organic" results would be distinguished in most cases.

There was considerable controversy because of bundling the Ask Toolbar and after a week seemed Oracle thus stopped to be. Several parties indicated they when installing Java to see the toolbar no longer received. Security firm Intego reports that Oracle now controls the location of users first before it is decided to activate the installation of the Ask Toolbar. Thus, French users will not see the toolbar, while US users will be asked if they want to install.

Regardless of the country of the user is always installed the "Sponsors.framework" when installing Java on the Mac, which again to install the Ask Toolbar is responsible. Intego suspects that the Ask Toolbar can be enabled with future updates , without the need for Java to be installed. The framework would say, if it is already installed, can be updated silently.

Streaming Service Twitch Reset Passwords After Possible Hacking


The popular video streaming service Twitch.tv has all user passwords reset after attackers have been able to access the account details of some users. Twitch is a platform where mainly live streams of computer games on appearing.

Each month, the site, which is owned by Amazon, get more than 100 million visitors. Details about the possible attack are not mentioned. Well Twitch says that to protect user has decided to reset the streaming keys and passwords. In addition, the accounts of Twitter and YouTube disconnected. Users who attempt to log into their account now get to see the message that they have to create a new password.

Twitch advises users to choose a secure password, which mainly use a password manager with a random password generator is recommended. The demands made were made initially to the password for some criticism, which it was decided to relax the requirements slightly. So users can now use passwords of at least 8 characters.

Tuesday, 24 March 2015

Google Sounds Alarm On Rogue Google certificate



Google warns Internet users to rogue Google certificate issued by a company from the United Arab Emirates and could be used to perform man-in-the-middle and phishing attacks on Internet users, so as passwords and the contents of encrypted traffic intercept. SSL certificates are used inter alia for encrypting traffic between websites and visitors and identifying websites.

The company that rogue SSL certificates issued is MCS Holdings , a so-called "intermediate" certificate authority (CA), which is linked to the Chinese CNNIC certificate authority. SSL certificates from an intermediate certificate authority originate have the full authority of the CA under which they fall. CNNIC is in all major "root certificate stores" so the Google unfairly issued certificates would be trusted by most browsers and operating systems.

Chrome on Windows, OS X and Linux, ChromeOS and Firefox 33 and newer would have refused the certificate because certificate-pinning. According to Google, there are probably also issued certificates for other websites that may not be recognized by certificate-pinning. Certificate-pinning sites may indicate by what their CA SSL certificate has been issued. The browser will then put these certificates on a whitelist. Is the website for an SSL certificate that is issued by a different CA, then turn the alarm browser. Browsers like Chrome and Firefox currently support only pinning for some great websites.

Proxy

Following the fraudulent certificates, which were discovered on 20 March, Google CNNIC approached and was told that MCS Holdings only if issued certificates for domains they had registered themselves. That turned the company does not have done. MCS Holdings provides proxy appliances and firewall solutions that enable organizations of workers through the encrypted traffic can intercept self signed certificates. Should normally be set to the office computers to trust the proxy, but in this case it was not required by the wrongly issued certificates.

Google sees similarities with previously unduly certificates issued in 2013 by the French CA ANSSI . The Internet giant also denounces that CNNIC the power to create SSL certificates awarded to a company that was not suitable here. Chrome users do not have to do to be protected from rogue certificates, while Firefox users will have to wait for the arrival of Firefox 37 in which the certificate has been revoked. This version on March 31 appear.

Swedish City Wants 54,000 Euros Teenager After Hacking


A 17-year-old Swedish teenager who hack knew the city Umea system in order to demonstrate the present security issues may need to pay 54,000 euros. Erik Sundqvist, the municipality had warned of the problems, but that would not have responded.

Subsequently, the teen decided to demonstrate the vulnerabilities in a different way, in which he had full control over the system within an hour. Eventually the boy was arrested and pleaded guilty to hacking. He was sentenced to community service for 35 hours. However, the municipality wants compensation for the damage suffered.

This involves changing the passwords of all, the collection of evidence, information sessions and unspecified charges, reports the Swedish television SVT . The boy's father is outraged by the response of the municipality, partly because his son only the problems aimed to debunk. There is now a Facebook petition launched to support the teen. In addition, the parents of the boy took a lawyer.

Chinese Phishing Sites Doubled To 93,000


With an online population of 649 million people, cyber criminals are increasingly turning to the Chinese market, according to a new report from the Chinese Computer Network Emergency Response Technical Team / Coordination Center (CNCERT / CC). Last year there were observed more than 93,000 phishing sites in China, a doubling from the previous year.

Furthermore, the Chinese authorities discovered 37,000 sites that were adapted, while 40,000 websites were equipped with a backdoor. Nearly 6,000 of the websites with a backdoor were controlled by American IP addresses, reports the Chinese state press agency Xinhua .

Macro Malware Infected Computer By Closing Document


Researchers have discovered a new macro malware that infects your computer only if the document is closed, to circumvent detection. The malware looks to the presence of certain sandboxes like Sandboxie sandbox and Anubis. Macros allow users to automate various tasks and were used years back on a large scale by malware. Because of the security risks, Microsoft decided therefore to block macros by default in Office.

A year ago, appeared more and more .doc and .xls documents containing macros were hidden. The documents users were summoned to enable macros. Once the user enables the macro is the background example, it downloaded and installed malware. At least, that is the expected behavior.

A new variant of the Dridex malware downloads the malware until the user closes the document. According to security firm Proofpoint hope to bypass the malware creators this virus scanners and intrusion detection systems that monitor when opening documents loading malware. For this type of behavior to prevent their detection systems have security sandboxes and adapted to "wait" longer any malicious activity.

"The possibility of malicious macros to perform as the document is closed increases the infection window and forces a detection sandbox to monitor longer and possibly miss the infection. How long sandbox also wait, the infection will not occur, and if the sandbox closes or stops without closing the document, the infection is missed as a whole, " said the researchers from Proofpoint.

Sandbox

Also security PhishMe warns of a variant of Dridex that spreads via macros. This variant looks specifically at the presence of certain sandboxes like Sandboxie sandbox and Anubis. In case these sandboxes are detected, the computer will not be infected. Is the attack or successful, then download the macro Dridex banking Trojan on the computer. This malware is specially designed to steal money from online bank accounts.

Many Computers Vulnerable To BIOS Leak


Estimated that millions of computers contain vulnerabilities in the BIOS (Basic Input / Output System) allowing attackers permanently infect a system and then steal all kinds of data. That researchers were LegbaCore Last week, during the CanSecWest conference in Vancouver. BIOS is a set of basic instructions for communication between the operating system and the hardware. It is essential for the operation of the computer and also the first major software that is being loaded.

During their demonstration ( pdf , pptx ), the researchers got different "incursion" vulnerabilities in the System Management Mode (SMM) see. SMM is a mode of Intel processors that firmware can perform certain functions. By using this mode, for example, the contents of the BIOS chip to be adapted or used for the installation of a "implant". Hence, it is possible to install and rootkits to steal passwords and other data from the system.

SMM malware also gives the opportunity to read all the data is in the machine's memory. The researchers therefore showed how they were able to access a BIOS through the incursion vulnerabilities, and then install the "Light Eater SMM implant" there. Via this malware they could GPG keys, passwords and steal decrypted messages from the Tails privacy operating system on an MSI computer.

Tails is a privacy and security-oriented operating system that can be loaded from DVD or USB stick. Tails removes even when closing all kinds of data from memory. Through the BIOS malware makes does not matter anymore, because all data from the memory of the computer can be stolen before cleanup occurs.

Attack

To install the BIOS malware attacker has two options, either through malware on your computer, for example, via an infected email or drive-by download. The second way is to have physical access to the system. The researchers would have already reported the problem to several manufacturers who are now working on a solution.

Even if released BIOS updates will probably have little effect. Most people install because no BIOS updates, the researchers said. According to the CERT / CC at Carnegie Mellon University are the vulnerabilities at least in systems from Dell and HP found. However, the status of many other suppliers is unknown.

Monday, 23 March 2015

Leak In Cisco IP Phones Allows Eavesdropping Possible


Networking giant Cisco warns of vulnerability in the SPA300 and SPA500 IP phones allowing attackers without credentials distance calls can eavesdrop or to gain access to the phone to call then himself. However, an update is not yet available.

Also could be used for a successful attack further attacks, said the advisory . The vulnerability is caused by authentication settings in the default configuration. An attacker would through a specially prepared XML request to send here to abuse a vulnerable device.

Cisco says that in order to exploit this vulnerability, an attacker allowing access to a trusted internal network behind a firewall should be to send the XML request. This requirement would reduce the possibility of a successful attack. Since there is no update available system get the advice to turn XML Execution authentication in the configuration settings.Furthermore, could protect a "solid firewall strategy" systems and can be considered to give only trusted IP addresses access.

Encrypted SMS With Android App SMSSecure


Announced a new app for Android should make it possible again to send encrypted text messages, now another popular Android app that made ​​this possible is stopped. Recently showed Open Whisper Systems , the developer of Secure Text, know that the support of encrypted SMS / MMS is stopped.

According to the developer will be encrypted SMS / MMS never easy to use as encrypted text messages, because users in encrypted SMS manual should exchange the encryption keys before it can be communicated. "We believe that people should not even know what a" key "is, so this obstacle always felt wrong," said the developers.

Also mentions Open WhisperSysms SMS and MMS a "security disaster", because metadata is continuously leaked. SMS messages pass through the servers of telecom companies. The developers do not want the state-run telecom companies like Saudi Arabia, Iran or China can access the metadata Text Secure users. Finally, the support of SMS / MMS make it more difficult for the developers in order to improve the app.

SMSSecure

On GitHub is a new app called appeared SMSSecure , a fork of Text Secure. It is a spin-off based on the source code of Text Secure and focuses on encrypted SMS messages. To go with the app to work there needs to be an unencrypted backup Text Secure, which can then be imported by SMSSecure. SMSSecure developed by the Frenchman Bastien Le Querrec.