Tuesday, 30 June 2015

LG Phone Software Update Vulnerable To MITM Attack



The software that electronics manufacturer LG uses to update smartphone apps did not check the SSL certificate of the server that provides the updates, leaving users vulnerable to man-in-the-middle attacks in which apps can be silently installed on the phone.

This was reported by the Hungarian security firm Search-Lab. The problem is in the LG Update Center app, which acts as an app store and lets users download all kinds of apps. These apps are managed through the Update Center app, which also checks for available updates. To see whether updates are available, the app connects over HTTPS to www.lgcpm.com. However, the server's SSL certificate is not verified.

An attacker positioned between the user and the Internet only has to intercept the Update Center app's request and can then specify a different location from which to download the update. Because updates are delivered as APK files and no further permission or user interaction is required, an attacker can silently install malicious APK files on the target's phone. These malicious apps can use any permission except those that require the app to be signed with the system key.

According to the researchers, the entire process can take place in the background without the user suspecting anything. LG smartphones are also configured to install updates automatically as they become available. The problem was reported to LG last November. The company told the researchers that it would consider an update for newer models running Android Lollipop, but that update has yet to appear.

"At the moment all LG Android-based smartphones are vulnerable to this attack and will remain so according to LG's plans," the researchers write. They argue that LG will not release updates because of "business interests". LG users who want to protect themselves are advised to disable "Auto app update" and to use the Update Center app only on trusted Wi-Fi networks to install or update apps.
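
As an added illustration of the failure described above (this is example code written for this page, not LG's Update Center code or Search-Lab's proof of concept), the Python snippet below shows an update client whose TLS context validates the server certificate next to one that accepts anything. The host www.lgcpm.com is the one named in the article; the manifest path, the context names and the audit helper are assumptions.

```python
"""Update client that verifies the server's TLS certificate vs. one that does not.

Added example, not code from LG or from Search-Lab. The update host is taken
from the article; MANIFEST_PATH and the helper names are assumptions.
"""
import http.client
import ssl

UPDATE_HOST = "www.lgcpm.com"           # host named in the article
MANIFEST_PATH = "/update/manifest.xml"  # assumed path, not documented anywhere


def insecure_context():
    """The failure mode in the article: TLS is used, but the peer certificate is
    never validated. An on-path attacker presenting a self-signed certificate
    for the host is accepted, and the 'update' it serves gets installed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context():
    """Verify the chain against the platform trust store and check that the
    certificate's name matches the host we asked for."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_verifies_peer(ctx):
    """Audit helper: True only if the context both validates the chain and
    checks the hostname. Suitable as a guard in an app's own test suite."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch_manifest(ctx, host=UPDATE_HOST, path=MANIFEST_PATH):
    """Fetch the update manifest. Refuses to proceed with a non-verifying
    context, so a 'temporary' debug setting cannot make it into a release."""
    if not context_verifies_peer(ctx):
        raise ValueError("refusing to fetch updates without certificate verification")
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        if resp.status != 200:
            raise RuntimeError("unexpected status %d" % resp.status)
        return resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    print("secure context verifies peer:", context_verifies_peer(secure_context()))
    print("insecure context verifies peer:", context_verifies_peer(insecure_context()))
```

On Android the same mistake usually shows up as a custom X509TrustManager whose checkServerTrusted method is empty, or a HostnameVerifier that always returns true; grepping an app's decompiled code for those is the quickest way to confirm what Search-Lab observed on the wire. The guard in fetch_manifest is the defensive counterpart: it refuses to run at all with a non-verifying context.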

Avira Wins Lawsuit Over Blocking Adware


The German antivirus company Avira has won a lawsuit that allows it to keep labelling a program from a German publisher as "potentially unwanted software" (PUP). The program is a download manager for the game Moorhuhn Remake from the publisher Freemium. Avira warned users about the download manager because it could download additional software.

It is common for software publishers to bundle programs and games with all kinds of other software, including adware or trial versions of other programs. Avira warns users beforehand, but still offers the option to download and install the software. In this case the download manager was presented as the game Moorhuhn Remake but was bundled with various other programs.

Freemium went to court in Berlin and demanded that Avira stop the warning, Computerworld reports. According to the company, users could decide for themselves whether additional programs were downloaded, but the two parties disagreed about the transparency of this process. Avira stated that there was no clear link between the game and the other bundled applications, which in this case included PC Tuneup, Driver Finder and Super Easy Registry Cleaner.

The conditions for users were unclear, and Avira therefore decided to classify the download manager as a PUP. Freemium claimed that its revenue had halved since February because of Avira's block. As a remedy, the publisher demanded a penalty of 250,000 euros for each violation and up to six months' imprisonment for Avira's director. The German court disagreed and dismissed the lawsuit. Freemium was also ordered to pay court costs of 500,000 euros.

Monday, 29 June 2015

Malwarebytes Gives Software Pirates Free One-Year License


To accommodate Internet users who run a pirated version of its anti-virus software, security company Malwarebytes has started an "amnesty program". According to the company, this prevents users from being tricked into buying a counterfeit version of Malwarebytes.

It may also be that there is a problem with the key being used. Users can therefore now indicate in the paid version of the software how they obtained the product and then generate a new license for Anti-Malware Pro or Premium. In addition, such users may use Malwarebytes Anti-Malware Premium free of charge for 12 months. Some users, however, are unhappy with the move and want their money back, because software pirates are being "rewarded" with a free version.

In a statement, Marcin Kleczynski, CEO and founder of Malwarebytes, explains that early in the development of the anti-virus software an insecure algorithm was chosen to generate the license keys. As a result, generating an illegal license key was, and still is, very simple. The problem with illegal license keys is that they sometimes "collide" with legitimate license keys, Kleczynski notes. A new licensing system is now in use and is being rolled out in phases.

"The only problem is that we have millions of users that we sold keys to, or where a reseller has sold keys, or where we have issued keys without registering them. It's a mess, and as a consumer you have the right to be angry," Kleczynski writes on the company's forum. The company will therefore first look at which keys are active and who is using them. Software pirates will be able to use Malwarebytes for free for at most one year. The CEO noted that he would have liked to process and verify all keys manually, but that this is impossible with millions of license keys.
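
To make the collision point concrete, here is an added example (not Malwarebytes' algorithm, which the statement does not describe) contrasting a key scheme whose validity check is a public checksum with one whose tag is an HMAC under a secret only the license server holds. The key format, the checksum and VENDOR_SECRET are assumptions for the demonstration.

```python
"""Weak (checksum) vs. keyed (HMAC) license-key schemes.

Added example illustrating why keys from an insecure generator are trivially
forgeable and indistinguishable from issued ones. Not Malwarebytes' scheme;
the format, checksum and VENDOR_SECRET below are assumptions.
"""
import hashlib
import hmac
import secrets

VENDOR_SECRET = b"assumed-vendor-secret-kept-on-license-server"  # hypothetical


def _checksum(key_id):
    """Weak scheme: 16-bit additive checksum of the ID. Anyone who reads the
    client binary can reimplement it, so every forged key passes."""
    return "%04X" % (sum(key_id.encode()) & 0xFFFF)


def weak_key(key_id):
    return "%s-%s" % (key_id, _checksum(key_id))


def weak_verify(key):
    key_id, _, check = key.rpartition("-")
    return bool(key_id) and _checksum(key_id) == check


def _tag(key_id, secret):
    """Keyed scheme: truncated HMAC-SHA256 over the ID. Without the secret a
    forger has a 2**-32 chance per guess of producing a tag that verifies."""
    return hmac.new(secret, key_id.encode(), hashlib.sha256).hexdigest()[:8].upper()


def strong_key(key_id, secret=VENDOR_SECRET):
    return "%s-%s" % (key_id, _tag(key_id, secret))


def strong_verify(key, secret=VENDOR_SECRET):
    key_id, _, tag = key.rpartition("-")
    return bool(key_id) and hmac.compare_digest(_tag(key_id, secret), tag)


def new_key_id():
    return secrets.token_hex(4).upper()  # 8 hex chars, 2**32 possible IDs


def pirate_keygen_weak(key_id):
    """What a keygen does: it needs only the public checksum routine. Because
    the client cannot tell a forged key from an issued one, a forged key can be
    identical to ('collide with') a key the vendor actually sold."""
    return weak_key(key_id)


def pirate_keygen_strong(key_id):
    """Without the secret, the best a keygen can do is guess the tag."""
    return "%s-%s" % (key_id, secrets.token_hex(4).upper())


def demo():
    """Issue one key under each scheme and try to forge both."""
    issued_id = new_key_id()
    issued_weak = weak_key(issued_id)
    issued_strong = strong_key(issued_id)
    forged_weak = pirate_keygen_weak(issued_id)
    forged_strong = pirate_keygen_strong(issued_id)
    return {
        "weak_forgery_verifies": weak_verify(forged_weak),
        "weak_forgery_collides_with_issued": forged_weak == issued_weak,
        "strong_issued_verifies": strong_verify(issued_strong),
        "strong_forgery_verifies": strong_verify(forged_strong),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With the checksum scheme a keygen needs nothing but the client's own verification routine, and a forged key for a given ID is byte-for-byte the string the vendor would have sold, which is why the vendor cannot tell the two apart and why issued keys "collide" with forged ones. With the HMAC scheme the client can only verify offline if it ships the secret, which a forger would then extract, so in practice the tag has to be checked on the vendor's side during activation; that is the kind of change a new licensing system entails.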

VU Researchers Reveal Vulnerability In Android


Researchers at VU University Amsterdam have revealed a vulnerability in Android through which an attacker who has stolen the credentials of a Google account can, in several steps, install malicious apps on devices.

The problem stems from a single Google account being used on multiple devices. An attacker who manages to infect the computer of an Android user and steal the password of the Google account can then install apps on all Android devices associated with that account, the researchers told the Volkskrant this weekend. During the installation process, the devices the researchers used only showed notifications in the notification bar, such as that the app was being downloaded and installed.

"But once that was done, there was nothing more to see until the notification screen was explicitly opened. It is also the case that the app's icon does not always end up on the home screen, but sometimes only in the 'all apps' list, for example if your home screen is already full, or if the app is published that way. We did not make use of the latter," said university researcher Victor van der Veen. He discovered and researched the issue together with researcher Radhesh Krishnan and professor of systems and network security Herbert Bos.

Play Store

Van der Veen says that only apps from the Play Store can be installed via this attack vector. According to the researcher, the attacker then has two options. The first is to place a simple app on Google Play that, once installed, opens a new rogue app. Users would, however, have to have allowed apps from external sources to be installed, something that is disabled by default. The second option is to put an app on Google Play that contains all the malicious code. "Meanwhile we have gotten several 'bad' applications into the Play Store without Google detecting them as malicious," says Van der Veen.

Through the malicious app an attacker can then perform all kinds of actions on the device, such as intercepting text messages or turning on the camera. The researchers warned Google late last year, but the Internet giant does not intend to do anything about the problem. Van der Veen advises users who want to protect themselves against possible attacks to stay alert: unsolicited downloaded apps should be removed immediately and the "Install from external sources" option should be disabled. Users should also change their passwords regularly. "Especially when there are suspicious or strange signals. And protect your PC, because that is where the criminals get in first," the researcher noted.

Cyber Criminals Pounce On Brand New Flash Player Flaw



Users who have not yet installed this week's emergency patch for Adobe Flash Player are urgently advised to do so right away, as cyber criminals are now actively trying to infect computers with malware through the vulnerability.

The vulnerability allows attackers to take over the computer completely. Visiting a hacked or malicious website, or being served an infected advertisement, is sufficient; no further interaction is required. When announcing the emergency patch, Adobe said that the vulnerability had been used on a limited scale in targeted attacks, which usually means attacks against companies and organizations holding valuable information.

Exploit Kit

Security researcher Kafeine of the blog Malware Don't Need Coffee now reports that an exploit for the vulnerability has been added to the Magnitude exploit kit. This means many more Internet users risk being attacked via the flaw. In the past, infected advertisements on Yahoo sent visitors to the Magnitude exploit kit. Last month security company Zscaler warned about malicious ads that were distributed on the Internet in conjunction with the exploit kit.

When Internet users whose Flash Player is not up to date come into contact with the exploit kit, CryptoWall ransomware is installed on the computer. This ransomware encrypts files on the computer and demands a ransom. Last week the Magnitude exploit kit was already in the news because an exploit for another just-patched Flash Player flaw had been added to its arsenal. Users should make sure they are running Flash Player version 18.0.0.194. Adobe's Flash Player version check page shows which version is installed on the computer.

FBI Warns Of Malware Used Against US Government


The FBI has distributed a bulletin among companies warning of malware that attackers used to break into the network of a US government agency, where the sensitive data of tens of millions of civil servants may have been stolen.

The case concerns the breach at the Office of Personnel Management (OPM), where attackers managed to steal data twice. In the first breach, the personal data of 4.2 million former and current federal employees was stolen. The second breach has a much greater impact: attackers gained access to the system in which information on security screenings and background checks is stored. This is highly sensitive data, such as mental health problems, drug and alcohol use, police arrests and bankruptcies. When completing the screening form, people also provide the names of acquaintances and contacts, as well as their social security number.

This week it was announced that the highly sensitive private data of 32 million current and prospective federal employees may have been captured, the Washington Times reports. The attackers gained access to the system using the stolen credentials of an outside company. That company is responsible for the background checks of officials who are to receive a "security clearance", OPM Director Katherine Archuleta said this week at a Senate committee hearing, according to USA Today.

Sakula

In early June the FBI circulated an information bulletin (pdf) warning of the Sakula Remote Access Tool (RAT), Public Intelligence reports. Attackers had used the tool to steal personally identifiable information. The warning was published a day after the OPM had disclosed the first breach of its network. Last week sources told Reuters that the OPM hackers had used a "special tool" called Sakula to remotely control the agency's computers, which made it possible to link the FBI warning to the OPM breach. The malware had already been used in the intrusion into the network of US health insurer Anthem, where the data of 80 million former and current customers was stolen.

In addition to the technical characteristics of the malware, the FBI bulletin also gives businesses several tips on what to do after detecting Sakula and what measures can be taken to harden systems preventively. These include using least-privilege accounts, limiting local accounts, network segmentation, logging and monitoring admin accounts, deploying application whitelisting and using the Microsoft Enhanced Mitigation Experience Toolkit (EMET). This free Microsoft tool makes it more difficult for attackers to exploit both known and unknown vulnerabilities.

Sunday, 28 June 2015

Researcher: Root Certificates Quietly Added To Windows


Microsoft has quietly added 18 new root certificates to Windows without giving notice anywhere. So says a researcher using the alias "Hexatomium". Root certificates determine which SSL certificates are trusted by the operating system.

It is therefore important to know which organizations' and certificate authorities' root certificates are added. The researcher reports that he discovered the new root certificates using his RCC auditing tool. The program lets users check which root certificates belong in the Windows root CA store and which have been added quietly.

Apart from the SHA1 hash of the certificate and the name of the associated certificate authority, no further information is available. On Hacker News a user notes that the certificate authority named RXC C2 is actually Cisco. Remarkably, Cisco's own Cisco RXC certificate policy (pdf) states that certificate authorities should always use meaningful names. The list of added root certificates further includes certificates of Swedish, Tunisian and Indian authorities.

Apple Blocks Unsafe Versions Of Flash Player


Because of a zero-day vulnerability in Adobe Flash Player for which an emergency patch was released this week, Apple has decided to block all versions of Flash Player that predate the emergency patch. The vulnerability was used in targeted attacks before the update was available from Adobe. Through the flaw, an attacker could gain complete control of the computer.

To achieve this, e-mails containing links were sent to various targets. The link in the message pointed to a website that then tried to install malware through the Flash Player vulnerability. According to Adobe, the attacks were aimed at Firefox users on Windows XP and IE users on Windows 7 and older Windows versions. Nevertheless, Mac users were advised to install the emergency patch within 72 hours.

Mac users who have not yet done so now see a pop-up in Safari when visiting websites that invoke Flash Player. It reports that Flash Player is outdated and needs to be updated, which can be done via a button in the same message. The block applies to all Flash Player versions prior to 18.0.0.194 and 13.0.0.296.

Saturday, 27 June 2015

IEEE And IETF Test MAC Address Privacy


To prevent consumers from being tracked via the MAC address of their smartphone or other mobile device, the IEEE (Institute of Electrical and Electronics Engineers) and the IETF (Internet Engineering Task Force) have held several successful experiments, both organizations announced this week. The IEEE and IETF are two organizations involved in the development of standards.

During the experiment in November, random MAC addresses were tested. Participants had to run a script that gave them a random MAC address when they connected to the network. A MAC address serves as a unique identifier on the local network and is assigned to network hardware by the manufacturer. Because the MAC address is unique and is continuously broadcast by mobile devices, shops, for example, use it to track people.
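
The article does not publish the script the participants ran. The following added example (written for this page, not the IEEE's or IETF's code) generates an address with the two bits a random MAC must get right, and checks them: the locally administered bit must be set so the address cannot collide with a vendor-assigned (OUI-based) one, and the multicast bit must be clear because a station address has to be unicast. The interface name and the ip(8) commands are assumptions about a Linux client.

```python
"""Generate a random, locally administered unicast MAC address and check its bits.

Added example; not the script from the IEEE/IETF experiment. Applying the
address with ip(8) assumes a Linux host and root privileges.
"""
import os
import re
import subprocess

_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

LOCALLY_ADMINISTERED = 0x02  # bit 1 of the first octet (U/L bit)
MULTICAST = 0x01             # bit 0 of the first octet (I/G bit)


def random_mac():
    """Six random octets; force the U/L bit on and the I/G bit off."""
    octets = bytearray(os.urandom(6))
    octets[0] = (octets[0] | LOCALLY_ADMINISTERED) & ~MULTICAST & 0xFF
    return ":".join("%02x" % b for b in octets)


def is_locally_administered(mac):
    return bool(int(mac.split(":")[0], 16) & LOCALLY_ADMINISTERED)


def is_unicast(mac):
    return not int(mac.split(":")[0], 16) & MULTICAST


def is_valid_random_mac(mac):
    """True for a well-formed address that could be used as a per-connection
    randomised station address without colliding with a vendor OUI."""
    return bool(_MAC_RE.match(mac)) and is_locally_administered(mac) and is_unicast(mac)


def rotate_commands(ifname, mac):
    """The ip(8) invocations that apply a new address (assumed Linux)."""
    return [
        ["ip", "link", "set", "dev", ifname, "down"],
        ["ip", "link", "set", "dev", ifname, "address", mac],
        ["ip", "link", "set", "dev", ifname, "up"],
    ]


def apply_random_mac(ifname):
    """Rotate the interface's address before (re)connecting; needs root."""
    mac = random_mac()
    for args in rotate_commands(ifname, mac):
        subprocess.run(args, check=True)
    return mac


if __name__ == "__main__":
    print("example address:", random_mac())
```

The burned-in address is what lets a shop recognise the same phone on every visit; an address rotated per association with the two bits above set correctly is indistinguishable from any other locally administered station on that network, which is the Layer 2 visibility problem Jaeggli refers to below.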

Privacy Implications

Because of the privacy implications, the IEEE and IETF decided last year to set up the IEEE 802 Executive Committee Privacy Study Group. This group looks at the privacy impact of Wi-Fi technology and works on recommendations and standards. "From the beginning, IEEE 802 and the IETF have shared the conviction that the privacy risks for non-technical users, who live in a world of continuous connectivity, must be addressed," said Juan Carlos Zuniga, chair of the group. According to him, the experiments show that there are viable ways to protect users from Wi-Fi related privacy risks.

"The IETF community sees widespread monitoring as an attack on the privacy of Internet users," adds Joel Jaeggli of the IETF. He argues that the IETF and IEEE 802 will work to protect users from passive observation. "Successful tests with MAC address privacy implementations help solve a major problem with the visibility of Layer 2 identifiers on a shared local network," Jaeggli further notes. The results can be used to establish new standards. Whether and when exactly this will happen, both organizations cannot yet say. Last year Apple introduced a measure that gives users a random MAC address when scanning for Wi-Fi networks.

Japanese Ministry Shuts Down Network Because Of Malware



The Japanese Ministry of Justice has shut down its internal computer network after a virus was found on one of its computers. The ministry believes no information has been stolen, but has nevertheless reported a possible cyber attack to the police, the Japan Times reports.

According to the ministry, the existing security measures detected and blocked a suspicious communication attempt from the computer on May 17. How much time passed between this incident and the shutdown of the internal network is unknown. Japan has faced various malware incidents in recent weeks. Malware at the Japan Pension Service led to the theft of data on 1.25 million people, and malware was discovered on the network of the Japanese state company that manages radioactive waste from the Fukushima nuclear reactor.

Trend Micro: New Flash Vulnerability Has Same Cause As Earlier Flaw


The latest vulnerability in Adobe Flash Player, for which an emergency patch appeared this week, has the same cause as earlier vulnerabilities in the popular browser plug-in, says the Japanese anti-virus company Trend Micro after analysis. The vulnerability, CVE-2015-3113, was patched this week after it had been used in targeted attacks. According to the researchers, the flaw is very similar to CVE-2015-3043, which Adobe patched in April.

Both vulnerabilities cause a buffer overflow. It also turns out that the exploit published in April for the earlier vulnerability could crash version 18.0.0.160 (the latest Flash Player version before this week's emergency patch). Both vulnerabilities are caused by the handling of FLV files that use the Nellymoser audio codec and can be triggered through a specially crafted audio tag in an FLV file.

"This incident shows how important it is to develop patches carefully, to prevent vulnerabilities that have been patched from being attacked again at a later time," the researchers said. They argue that software developers need to perform regression tests to ensure that old bugs are not a threat to new versions of the software.
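
As an added example (written for this page, not Trend Micro's analysis tooling and not an exploit: the article gives no detail of the crafted tag and none is reconstructed here), the walker below parses FLV tag framing and reports audio tags whose SoundFormat nibble declares a Nellymoser codec (values 4, 5 and 6 in the FLV file format specification). Whether a file carries Nellymoser audio at all is the first triage question for an FLV pulled off a landing page while the patch is still being rolled out. The sample files are constructed inline.

```python
"""Minimal FLV tag walker that flags audio tags declaring a Nellymoser codec.

Added example for triage; not an exploit and not Trend Micro's code. FLV
framing per the public FLV specification: 9-byte header, PreviousTagSize0,
then tags of 11-byte header + payload + 4-byte PreviousTagSize. Sample
bytes below are constructed.
"""
import struct

NELLYMOSER_FORMATS = {4: "Nellymoser 16 kHz mono", 5: "Nellymoser 8 kHz mono", 6: "Nellymoser"}
TAG_AUDIO, TAG_VIDEO, TAG_SCRIPT = 8, 9, 18


def iter_flv_tags(data):
    """Yield (tag_type, payload, offset) per tag, validating the framing so a
    truncated file or a lying DataSize stops the walk instead of over-reading."""
    if len(data) < 13 or data[:3] != b"FLV":
        raise ValueError("not an FLV file")
    data_offset = struct.unpack(">I", data[5:9])[0]
    if data_offset < 9 or data_offset + 4 > len(data):
        raise ValueError("bad DataOffset in header")
    pos = data_offset + 4  # skip PreviousTagSize0
    while pos + 11 <= len(data):
        tag_type = data[pos]
        size = int.from_bytes(data[pos + 1:pos + 4], "big")
        body_start = pos + 11
        body_end = body_start + size
        if body_end + 4 > len(data):
            raise ValueError("tag at %d claims %d bytes, file too short" % (pos, size))
        prev_size = struct.unpack(">I", data[body_end:body_end + 4])[0]
        if prev_size != 11 + size:
            raise ValueError("PreviousTagSize mismatch at %d" % body_end)
        yield tag_type, data[body_start:body_end], pos
        pos = body_end + 4


def find_nellymoser_tags(data):
    """Return [(offset, codec name)] for audio tags whose SoundFormat is Nellymoser."""
    hits = []
    for tag_type, payload, offset in iter_flv_tags(data):
        if tag_type != TAG_AUDIO or not payload:
            continue
        sound_format = payload[0] >> 4  # upper nibble of the first audio byte
        if sound_format in NELLYMOSER_FORMATS:
            hits.append((offset, NELLYMOSER_FORMATS[sound_format]))
    return hits


def build_flv(tags):
    """Assemble a syntactically valid FLV from (tag_type, payload) pairs."""
    out = bytearray(b"FLV\x01\x05" + struct.pack(">I", 9) + b"\x00\x00\x00\x00")
    for tag_type, payload in tags:
        # TagType, DataSize(3), Timestamp(3), TimestampExtended(1), StreamID(3)
        out += bytes([tag_type]) + len(payload).to_bytes(3, "big") + b"\x00" * 7
        out += payload
        out += struct.pack(">I", 11 + len(payload))
    return bytes(out)


# Constructed samples: 0xAF = AAC (format 10); 0x62 = Nellymoser (format 6).
SAMPLE_AAC = build_flv([(TAG_AUDIO, bytes([0xAF, 0x00]) + b"\x12\x10")])
SAMPLE_NELLY = build_flv([(TAG_VIDEO, b"\x17\x00"), (TAG_AUDIO, bytes([0x62]) + b"\x00" * 64)])


if __name__ == "__main__":
    print("AAC sample:", find_nellymoser_tags(SAMPLE_AAC))
    print("Nellymoser sample:", find_nellymoser_tags(SAMPLE_NELLY))
```

The walker checks each tag's DataSize against the trailing PreviousTagSize field and stops on a mismatch rather than reading past the buffer, which is the kind of consistency check a player's own parser also has to make before handing the audio payload to the codec.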

E-mail

It was already known this week that the attackers used links in e-mails to lure targets to a malicious page where the Flash Player flaw was then exploited. Security company Websense says the e-mails used the subject line "2015 Program Kick Off". The text stated that the recipient was invited to a meeting and that more information could be found via the attached link. The attackers mainly targeted the technology and scientific sectors.

Cisco Again Fixes Problems With Default SSH Keys


Cisco has again released updates for various products because of the use of default SSH keys. Using the default SSH keys, an attacker can remotely log in to a system with root privileges without valid credentials. The only requirement is that the attacker can connect to the platform.

According to Cisco, the problem is that all installations of the Web Security Virtual Appliance (WSAv), Email Security Virtual Appliance (ESAv) and Content Security Management Virtual Appliance (SMAv) share the same authorized SSH key for the remote support functionality. In addition, the SSH host key is the same on all appliances, so an attacker can decrypt and impersonate all communications between the virtual appliances.

Cisco has released updates to fix the problems. Last October an update appeared for a similar problem in Cisco Unified Communications Domain Manager. The networking giant says that, to its knowledge, the newly discovered problems have not been exploited and were not previously known on the Internet.
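
A fleet-wide version of the check Cisco's advisory implies, added here as an example (not Cisco's code): collect host keys with ssh-keyscan, then group hosts by key fingerprint. Any fingerprint that belongs to more than one host is a shared host key, which is what lets an attacker decrypt and impersonate traffic between appliances. The hostnames and key blobs below are constructed; real input would come from something like `ssh-keyscan -t rsa,ecdsa,ed25519 wsav-1 esav-1 smav-1`.

```python
"""Find hosts that share an SSH host key, from ssh-keyscan / known_hosts lines.

Added example, not Cisco's advisory tooling. Input is known_hosts-style
lines ("host keytype base64-key"); the hosts and key blobs below are
constructed for the demonstration and are not real keys.
"""
import base64
import hashlib
from collections import defaultdict


def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint (unpadded base64) of a key blob, the
    same value `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text):
    """Yield (host, keytype, key_b64); skips comments, blanks, hashed (|1|)
    entries, and expands comma-separated host lists."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        hosts, keytype, key = parts[0], parts[1], parts[2]
        for host in hosts.split(","):
            yield host, keytype, key


def shared_host_keys(text):
    """Map fingerprint -> sorted hosts, only for keys seen on more than one host."""
    seen = defaultdict(set)
    for host, keytype, key in parse_known_hosts(text):
        seen[(keytype, fingerprint(key))].add(host)
    return {fp: sorted(hosts) for (keytype, fp), hosts in seen.items() if len(hosts) > 1}


# Constructed scan output: three appliances with one host key, one unique host.
KEY_A = base64.b64encode(b"constructed: shared appliance host key").decode()
KEY_B = base64.b64encode(b"constructed: unique bastion host key").decode()
SAMPLE_SCAN = "\n".join([
    "# ssh-keyscan output (constructed)",
    "wsav-1.example.net ssh-rsa " + KEY_A,
    "esav-1.example.net ssh-rsa " + KEY_A,
    "smav-1.example.net,10.0.0.3 ssh-rsa " + KEY_A,
    "bastion.example.net ssh-ed25519 " + KEY_B,
])


if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SAMPLE_SCAN).items():
        print(fp, "shared by", ", ".join(hosts))
```

This catches the duplicated host key but not the shared authorized key: the private half of that key sits in Cisco's support tooling, not on the appliance, so the only check is whether the appliance still accepts it after the update (and, on an appliance that cannot be patched yet, whether the corresponding entry has been removed from the support account's authorized_keys).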

Friday, 26 June 2015

Man E-mails More Than 97,000 People Their Password


Stolen passwords and other credentials are posted with great regularity on websites such as Pastebin. This was the reason for a programmer named Julian, alias "aTechDad", to collect all kinds of stolen e-mail addresses and passwords via a script and then warn the users.

Some Internet users use Google Alerts or other services to be warned if their data appears anywhere on the Internet. Most Internet users may not know such services exist, and many users who do know would rather not hand their data to such a party, the programmer said. He therefore decided to write a script, with which he collected 97,931 combinations of e-mail addresses and passwords from Pastebin in a three-day period.

Last month he decided to warn the users. In a simple e-mail he said that the user's account had probably been compromised, and he included the password. The nearly 98,000 e-mails yielded only nine thank-you replies. 100 e-mails could not be delivered, while 41 people sent back a request to be unsubscribed. Yet Julian considers the experiment a success. He has now started a second experiment, in which he has already collected 300,000 passwords. "I might do it again," said the programmer.

Trend Micro: Simple Keylogger Costs Companies Millions


A simple commercial keylogger distributed via e-mail attachments has cost small and medium-sized businesses worldwide millions of euros, claims the Japanese anti-virus company Trend Micro. The keylogger in question is HawkEye, which is offered on the Internet for a few dollars.

Once active, the keylogger is used to steal passwords from the browser and e-mail client. This data is sent to the attackers via e-mail, FTP or a web panel. With the stolen passwords, access is gained to the e-mail accounts of corporate executives, including the CEO and CFO. A payment order is then sent to the accounting department via the hijacked e-mail accounts. This scam, also known as "Business Email Compromise", is said to have caused worldwide losses of 216 million dollars last year. According to the FBI and the Secret Service, more and more American companies are affected by the fraud, which prompted the investigative services to issue a warning.

To spread the keylogger, .exe and .zip files are sent that are supposedly an invoice, purchase order or quote. In some cases the criminals first make contact with the companies, and only after several e-mail exchanges is the keylogger sent. According to Trend Micro, most HawkEye victims are in India, followed by Egypt and Iran. These are companies in different sectors, but mainly goods, transportation and manufacturing. It also appears that most companies are approached via their info@ e-mail address.

Trend Micro has published a report (pdf) on HawkEye in which it also analyzes two Nigerian cyber criminals who use the malware. According to the researchers, HawkEye may seem a simple keylogger, but for motivated cyber criminals it is more than sufficient to carry out malware attacks. HawkEye was also recently investigated by other security companies, such as iSight Partners. Its research shows that the keylogger is spread using files named invoice.exe, payment slip.exe and purchase order.exe. iSight also finds that most victims are in India, but it also sees many infections in Italy, the United States and Turkey. Infections have also been observed in the Netherlands.

Europol Arrests Gang Behind Zeus And SpyEye Malware



In an international operation, an active group of cyber criminals has been arrested who are suspected of being behind the development and spread of the Zeus and SpyEye malware. The malware was used to steal money from online bank accounts, and the gang is estimated to have caused damage of 2 million.


During the operation, which took place on 18 and 19 June in Ukraine and was supported by Europol and Eurojust, five suspects were arrested and eight homes searched. According to Europol, the criminals used the malware to attack online banking systems in Europe and beyond. "Every cyber criminal had his own specialty, and the group was quite skilled in making the malware, infecting machines, collecting credentials for online banking and laundering money through straw men," said the European investigative agency.


On forums for cyber criminals, stolen credentials, compromised account data and malware were traded. The group also offered its "hacking services" to other parties and sought cooperation with other cyber criminals. "This was a very active group of criminals who were active in countries on all continents, infected tens of thousands of users with banking Trojans and then attacked big banks," said Europol.

Thursday, 25 June 2015

Researcher: Samsung Software Disables Windows Update



Software that Samsung ships on some laptops appears to disable Windows Update, so that users do not receive critical security updates. Microsoft MVP Patrick Barker warns of this. He is active on a forum where someone had a problem with Windows Update.

Further investigation showed that a file on the laptop named Disable_Windowsupdate.exe did, as the name suggests, turn off Windows Update. The file turned out to be part of the update software that Samsung installs on its laptops, through which drivers and programs are updated. Barker contacted Samsung and was told that the software does indeed turn off Windows Update.

The reason is that otherwise standard drivers would be installed that do not necessarily work with the laptop. To prevent this, the Samsung software switches off Windows Update. Experts are puzzled by the behaviour of the software, precisely because Windows Update is an important tool for users to install updates automatically. Samsung has not yet responded to the criticism. Barker, at least, thinks Samsung's software should be considered malware.

HackerOne Receives Investment Of $25 Million


HackerOne, the platform for reporting vulnerabilities in various software projects and applications, has received $25 million in a new round of investment. HackerOne was founded in 2013 with the help of Facebook and Microsoft. Initially HackerOne focused on rewarding bug reports in popular software projects used by millions of people. Since then, all kinds of software companies have launched a so-called "bug bounty program" through the website.

HackerOne handles the coordination between the bug finder and the software vendor in question. The platform also advises software vendors that want to start a reward program for their own software via HackerOne. The money in the latest investment round was raised from investors including Salesforce chairman and CEO Marc Benioff, Dropbox CEO and co-founder Drew Houston and Yelp CEO and co-founder Jeremy Stoppelman.

Since the previous investment round, HackerOne has grown from 10 to 50 employees. By now Yahoo!, Twitter, Adobe, Dropbox, LinkedIn, Snapchat and Airbnb all use the platform's services, and the total number of customers has passed 250. In recent years these software companies and projects have paid more than $3.2 million to over 1,500 researchers. The money was used to find and fix nearly 10,000 vulnerabilities. Despite the positive signals, LinkedIn recently announced that it had started a private reward program for a select group of researchers, because programs that anyone can join generate too much noise. LinkedIn did, however, choose to route payments to researchers via HackerOne.

Malwarebytes: Registry Cleaners Are Scams


Numerous programs are offered on the Internet to clean and optimize the Windows registry, known as registry cleaners, but this kind of software is actually pointless and only misleads users, says anti-virus company Malwarebytes. Users regularly complain about registry cleaners on the company's forum. The programs are often distributed in dubious ways. Because of the increasing complaints, Malwarebytes will again flag registry cleaners that are aggressively distributed as unwanted software.

The Windows registry is basically a database of configuration settings and options for Windows. Installing and removing software may leave registry keys behind. Some users may think that removing these keys or "optimizing" the registry can improve the performance of the computer. According to Malwarebytes, however, this is a placebo effect: users see a nice animation and think something is happening on their system.

The company also calls registry cleaners the digital equivalent of "snake oil". The performance improvements resulting from these types of programs are "at best tiny and not noticeable", says Malwarebytes. At worst, they could damage the computer to the point that Windows has to be reinstalled. Even Microsoft does not recommend the use of registry cleaners.

However, the company will not consider all of these programs unwanted. "We can tell you that these programs are scams, but we're not going to force you not to use them." The software will be considered unwanted, however, if it presents itself to users in a parasitic way, for example by installing other software or exhibiting other aggressive behaviour.

Facebook Helps 2 Million Computers Remove Malware


Thanks to Facebook, more than 2 million computers have been rid of malware in the past three months. When users logged on to the social network, Facebook detected that their computers were infected with malware and then offered them a tool to remove the infection.

The removal tool runs in the background and users see a notification when the scan is done. Facebook already offered the tools of ESET, F-Secure and Trend Micro, and Kaspersky Lab's Malware Scan for Facebook has now been added, the social network announced. In total, more than 260,000 Facebook users have been helped via the Kaspersky Lab scanner.

Google Finds Critical Vulnerability In ESET Virus Scanner


A researcher from Google, working alone for just a few days, discovered a critical vulnerability in the virus scanners and security products of the Slovak anti-virus company ESET that allows remote attackers to take over computers and systems completely, without any user interaction. The vulnerability would therefore be ideal for a worm that could completely infect corporate networks using ESET software.

ESET's software uses a minifilter to intercept all input and output (I/O) to the hard disk, analyze it and, if it concerns executable code, emulate it. Through emulation, a file can be partially executed before the virus signatures are used to determine whether the file is malicious or not.

Through the browser, e-mail client, instant messaging, file sharing, network shares, USB and many other ways an attacker can cause disk I/O and so trigger the attack. The problem is caused by the emulation ESET performs. The emulator does not appear to be robust and is easy to compromise, says researcher Tavis Ormandy of Google. Attackers can then run malicious code with root privileges.

The problem affects all ESET products, including virus scanners for Linux, Mac OS X and Windows. As proof, Ormandy developed a working exploit that attacks systems remotely. Google warned ESET last Friday, and the findings were discussed in person with the company. Three days later, on Monday, the Slovak company released an update to resolve the issue.

Risk

According to Ormandy, users should nevertheless weigh the risks and benefits of security software. In the past Ormandy already revealed major problems in the anti-virus software of Sophos, and this week it was announced that the NSA and GCHQ have sought vulnerabilities in anti-virus programs. Attacking users through their anti-virus software is therefore not a theoretical risk, according to Ormandy.

New Flash Player Flaw Attacked Through The Link In Emails


A critical vulnerability in Adobe Flash Player, for which an emergency patch was released yesterday, was attacked through links in emails. That is reported by the American security company FireEye, which discovered the zero-day vulnerability and reported it to Adobe.

According to FireEye, a China-based group is behind the attack. The attacks were aimed at companies and organizations in different sectors, such as aerospace, defense, telecom, engineering and transport. The targets were sent emails containing a link. Remarkably, no targeted emails were used, but messages that looked almost like spam. "Save between $200-450 by purchasing an Apple Certified Refurbished iMac through this link. Refurbished iMacs come with the same one-year extendable warranty as new iMacs. Supplies are limited, but updated frequently. Do not hesitate...> Go to Sale," read the text of the message.

The link in the email pointed to a compromised server where the target was profiled via JavaScript. Once the victim was identified, a malicious SWF and FLV file were downloaded. Eventually this led to the installation of a backdoor. Through this backdoor the attackers gained access to the system and infiltrated the organization's network. In announcing the emergency patch, Adobe said that IE users on Windows 7 and older and Firefox users on Windows XP were the target of the attack.

Wednesday, 24 June 2015

Maker Of Black Shades Malware Gets Almost 5 Years In Prison


In the United States, a 24-year-old Swedish man has been sentenced to a prison term of nearly five years for developing the Black Shades malware, the US Department of Justice reports. Black Shades gave users of the malware full control over their victims' computers, including the webcam. It was also possible via the malware to view pictures, log keystrokes and steal passwords.

The malware was offered at a cost of between $40 and $100 and could easily be adapted for various purposes. Globally, more than 500,000 computers in more than 100 countries were infected with the malware. According to the Department of Justice, Black Shades was sold to thousands of criminals and generated a total of more than $350,000 between September 2010 and April 2014. Last year a major international operation against Black Shades users took place, in which the Dutch police participated.

According to the indictment of the US public prosecutor, the Swede ran the organization that developed Black Shades like a real business: he hired and fired employees, paid salaries and customized the software at the request of his customers. He also employed several managers to keep the organization running, such as a marketing director, a website developer, a customer manager and a real team of customer service representatives.

The Swede was arrested in Moldova in late 2013 and extradited to the United States last April. In addition to his prison sentence of 57 months, he must also forfeit $200,000 and the computer that was used for the development of the malware.

FBI Warns Of CryptoWall Ransomware



Both consumers and businesses lost millions in the past year because they fell victim to CryptoWall ransomware, reason for the FBI to issue a warning. CryptoWall is a ransomware variant that encrypts files and demands a ransom for them.

According to the US investigation service, it is the most active ransomware threat in the United States. In addition, the damage is often greater than the demanded ransom, which is between $200 and $10,000. Many victims face additional costs for network security, countermeasures, productivity loss, legal fees, IT assistance and arranging credit monitoring for employees and customers.

Between April 2014 and June 2015, the FBI received 992 complaints about CryptoWall, in which victims indicated that they had lost more than $18 million. To avoid infection by ransomware, the FBI advises using a virus scanner and firewall, installing pop-up blockers, making backups and being skeptical. "Do not click on e-mails or attachments you do not recognize and avoid suspicious websites." The latter recommendation, however, does not account for the large number of hacked websites and infected ads on legitimate websites that cyber criminals use to spread ransomware.

Emergency Patch For Actively Attacked Flash Player Flaw



Adobe has fixed, via an emergency patch, a vulnerability in Flash Player that is actively being used to infect computers with malware. According to the company, the attacks are limited and targeted, aimed at IE users on Windows 7 and older and Firefox users on Windows XP.

Through the flaw, which was reported to Adobe by the US security firm FireEye, an attacker can execute arbitrary code on the computer. Visiting a malicious or hacked website, or being shown an infected ad, is sufficient. System administrators and users are strongly advised to install the update to Flash Player 18.0.0.194 within 72 hours.

Updating is possible via the built-in updater and Adobe.com. In the case of Google Chrome and of IE10 and IE11 on Windows 8 and Windows 8.1, the embedded Flash Player is updated via the browser. This page shows which version is installed on the computer.

US Navy Pays Microsoft Millions For Windows XP


The US Navy has paid millions of dollars to Microsoft to continue supporting 100,000 computers that still run Windows XP. The Space and Naval Warfare Systems Command (SPAWAR), which is responsible for the communications and information networks of the US Navy, signed a maintenance contract worth 9.1 million dollars earlier this month, PC World reports.

As part of the agreement, Microsoft will provide the Navy with security updates for Windows XP, Office 2003, Exchange 2003 and Windows Server 2003. Support for the last of these expires next month. The entire contract could earn Microsoft a sum of 30.8 million dollars and run through 2017.

The US Navy began migrating to a newer operating system two years ago, but some 100,000 computers are still running XP or other legacy software. A spokesman for the US Navy said that the Navy still uses some legacy applications and programs that work only on older versions of Windows. Until those applications and programs are renewed or phased out, the use of these Windows versions is necessary.

Kodi Media Center (XBMC) Vulnerable To MITM Attacks



The popular media center Kodi, formerly known as XBMC, contains a vulnerability through which attackers positioned between a user and the Internet can attack the system. Kodi lets users play movies, music and other media, for example on their TV or sound system.

The software comes with a collection of add-ons that give users access to popular services such as YouTube, Grooveshark and Dropbox. Each time Kodi is started, the software checks whether updates are available for the pre-installed add-ons. If there is a new version, it is automatically downloaded and installed. The update check takes place entirely over HTTP, without encryption, as the Romanian antivirus company Bitdefender discovered.

During the update check the software requests the MD5 hash of the latest addons.xml file, which contains information about the add-ons. An attacker can send back an arbitrary MD5 hash, which in this case does not even have to correspond to the file that is presented next. The attacker can then send a specially crafted addons.xml file indicating that a new version of a particular add-on is available. After that, the attacker has to send the correct MD5 hash for his malicious add-on. Once Kodi installs this add-on, the malicious Python code inside the add-on runs on the system.

For their demonstration, the researchers succeeded in downloading an executable file and placing it in the system's startup directory. It should be noted that an attacker obtains the same privileges as the user running Kodi. Eventually they also managed to steal YouTube login details and could modify the Dropbox add-on so that, on startup or when synchronizing files, all content of the local Dropbox directory was sent to an FTP server of their choosing. The Kodi developers have been informed by Bitdefender and are working on an update. When that will appear is unknown.
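To show why the check described above cannot catch a substituted manifest, here is an added example (not Bitdefender's or the Kodi project's code) that simulates the exchange with in-memory objects: an on-path attacker rewrites both addons.xml and the MD5 the client asks for, so the plain-HTTP check passes, while a check against a keyed tag the attacker cannot recompute rejects it. The addons.xml contents and the key are constructed, and the HMAC stands in for the asymmetric signature a real update client would verify with a pinned public key.

```python
import hashlib
import hmac

# Constructed sample data (not from the Bitdefender report): a benign
# addons.xml as the repository serves it, and a hostile replacement that
# advertises a bogus new version of one add-on.
GENUINE_ADDONS_XML = (
    b'<addons><addon id="plugin.video.example" version="1.0.0"/></addons>'
)
MALICIOUS_ADDONS_XML = (
    b'<addons><addon id="plugin.video.example" version="9.9.9"/></addons>'
)

# Hypothetical verification key. A real update system would use an
# asymmetric signature (the client holds only the public key); an HMAC
# with a secret the on-path attacker does not have is used as a stand-in
# so the example runs with the standard library alone.
REPO_SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def md5_hex(data: bytes) -> str:
    """MD5 of the served file, the value the plain-HTTP check compares."""
    return hashlib.md5(data).hexdigest()


def sign(data: bytes, key: bytes) -> str:
    """Keyed tag over the manifest (stand-in for a real signature)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class Repository:
    """Models the genuine add-on repository reached over plain HTTP."""

    def __init__(self, addons_xml: bytes, key: bytes):
        self.addons_xml = addons_xml
        self.key = key

    def get_md5(self) -> str:
        return md5_hex(self.addons_xml)

    def get_addons_xml(self) -> bytes:
        return self.addons_xml

    def get_signature(self) -> str:
        return sign(self.addons_xml, self.key)


class OnPathAttacker:
    """Models the MITM position from the article: every response the client
    sees passes through here, so file and MD5 can both be rewritten. The
    tag cannot be recomputed because the key is unknown to the attacker."""

    def __init__(self, upstream: Repository, replacement: bytes):
        self.upstream = upstream
        self.replacement = replacement

    def get_md5(self) -> str:
        return md5_hex(self.replacement)  # hash chosen to match the fake file

    def get_addons_xml(self) -> bytes:
        return self.replacement

    def get_signature(self) -> str:
        return self.upstream.get_signature()  # can only relay the genuine tag


def weak_update_check(source):
    """The flawed scheme: fetch MD5, fetch file, compare. Both values arrive
    over the same unauthenticated channel, so a match proves nothing."""
    remote_md5 = source.get_md5()
    data = source.get_addons_xml()
    if not hmac.compare_digest(md5_hex(data), remote_md5):
        return None  # only a corrupted download is caught
    return data  # accepted manifest, genuine or not


def authenticated_update_check(source, key: bytes):
    """Hardened scheme: accept the manifest only if the tag verifies under a
    key the attacker lacks. Pair this with HTTPS and certificate checking."""
    data = source.get_addons_xml()
    if not hmac.compare_digest(sign(data, key), source.get_signature()):
        return None  # tampered or substituted manifest
    return data


def demo():
    """Returns (weak_result, hardened_result) with an attacker on the path."""
    repo = Repository(GENUINE_ADDONS_XML, REPO_SIGNING_KEY)
    mitm = OnPathAttacker(repo, MALICIOUS_ADDONS_XML)
    return weak_update_check(mitm), authenticated_update_check(mitm, REPO_SIGNING_KEY)


if __name__ == "__main__":
    weak, hardened = demo()
    print("weak check accepted attacker manifest:", weak == MALICIOUS_ADDONS_XML)
    print("hardened check rejected it:", hardened is None)
```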

G Data: Windows Users Should Install Optional UAC Patch


Windows users would be wise to install an optional Windows update, because otherwise malware can use a trick to obtain administrator rights on the computer unnoticed, advises the German anti-virus company G Data following the spread of the Dridex malware.

Dridex is a Trojan horse that recently caused major damage in Belgium by attacking the banking system used by Belgian companies. The malware spreads via e-mail as an MHTML document. This document contains a macro that attempts to fetch a "downloader", which in turn places the final malware on the system. If the user enables macros in Microsoft Office, the downloader is retrieved. To obtain administrative rights on the computer, the downloader tries to bypass the UAC window.


Windows User Account Control (UAC) is a security measure designed by Microsoft to protect computers from "hackers and malicious software." When software or a user wants to change certain Windows settings or tries to perform actions that require administrative privileges, a UAC warning is displayed. According to G Data, the downloader uses a popular trick to hide the UAC warning: it relies on a customized SDB (shim database) file, and in that case Windows does not show the UAC window.

Microsoft has developed a patch that ensures the UAC warning is also shown in this case, but it is an optional update. "The malware creators abuse a weakness in Microsoft's operating system to get onto the system without displaying the UAC notification. Therefore, we strongly recommend installing the Microsoft patch; Microsoft even designates it as a required patch," says the German anti-virus company. In addition, users are advised not to open email attachments from unknown senders and not to enable macros in unfamiliar documents.

HP Reveals Details Of An Unpatched IE Flaw


Researchers at HP have disclosed a vulnerability in Internet Explorer for which no security update is available, and Microsoft has indicated that no patch will appear. In February this year, the HP researchers received $125,000 from Microsoft for discovering a new attack technique and developing a defense against it.

Using the technique, it was possible to circumvent ASLR in the most recent version of IE. ASLR is a measure that makes exploiting vulnerabilities more difficult. The researchers decided in February not to reveal the details of the attack, because Microsoft had not yet resolved all the bugs. "We wanted to give them a little more time and assumed that a solution to the reported problems was in the making. Unfortunately, Microsoft eventually let the team know that a comprehensive solution would not come," says Dustin Childs of HP.

According to Microsoft, the problem does not exist in the default configuration of IE. The researchers disagree. They therefore decided to publish demonstration code for the attack, so users can see the problem for themselves and determine what measures they should take for their own installations. "We think it's important that everyone knows about this threat, so they can better understand the risk to their network," Childs says. Besides the demonstration code and a YouTube video showing the attack, a white paper (PDF) about the attack and the underlying problems has also been put online.

Tuesday, 23 June 2015

Toshiba Promises Quantum Cryptography By 2020


The Japanese electronics giant Toshiba says that within five years it will bring to market a communication system that makes use of quantum cryptography and is, in theory, impossible to eavesdrop on. This is reported by the Asahi Shimbun. According to the company, testing of the quantum key distribution system is in its final stage. Earlier tests with long-distance communication are said to have been a success. In late August a two-year trial will begin to test the system's resistance before it goes to market.

Current encryption systems work with secret keys. Once the key has been stolen, the data can be decrypted. Quantum cryptography is a technique in which the encryption of information is performed with the aid of light, or photons. A zero or one is represented by a single light particle. At the level of single particles, the laws of quantum mechanics apply. That means that if the encrypted message is intercepted, the content of the message changes automatically.

The Toshiba system first sends the secret key and then the data. If it appears that the secret key has been intercepted, the data is not sent and the intercepted key is discarded. Photons are, however, unstable, and developing a system to communicate over long distances has always been a major obstacle. Toshiba has improved the precision of the photon transmitter, so that photons can now be sent over a distance of 45 kilometers. The test that begins shortly aims to solve the final obstacles so that the system can be used in practice.

Iran Rolls Out Homemade Malware Detection


Iran has rolled out a homemade intrusion detection system (IDS) at 150 locations in the country to protect production at industrial enterprises from malware. This is reported today by the Iranian news agency Mehr News. According to the project manager, the IDS is very safe because it is an Iranian system.

The system would have a throughput of 5 gigabits per second and is thus ready for large-scale industrial enterprises. In 2010 it emerged that Iran had become the target of the Stuxnet worm. The malware was found at the uranium enrichment plant in Natanz. According to Iran, the United States and Israel were behind the attack.

US Hospital Warns Patients After Snooping Into Private Data



An American medical center has warned about 4,900 patients that an employee viewed their private data for nearly four years without this being necessary for his job duties. The data included names, dates of birth, gender, medical record numbers, height, weight, allergy information, addresses, medical documentation, diagnoses, test results, medication, employment status, health insurance and employer.

According to the UC Irvine Medical Center, the employee needed access to some patient records for his work, but between June 2011 and March 2015 he also looked at patient records without any work-related reason. After the discovery, the hospital called in forensic experts to examine the employee's hard drive and e-mail account.

The investigation revealed that the employee had not removed any patient data. The police were also informed and an investigation was started. Furthermore, the employee no longer has access to the medical center's networks and is subject to disciplinary action. How the hospital eventually got onto the employee's trail is not known. Affected patients are offered one year of free credit monitoring.

Monday, 22 June 2015

Anti-Virus Companies Were Targeted By GCHQ And NSA


Several anti-virus companies have in the past been targets of US and British intelligence services, with particular attention going to the Russian virus fighter Kaspersky Lab, according to documents from whistleblower Edward Snowden dating from 2008.

The American NSA and the British GCHQ looked for ways to circumvent anti-virus and other security software. E-mail traffic was monitored in order to identify users of anti-virus software. The documents also show that British intelligence wanted to reverse engineer Kaspersky's software and that the NSA was looking for vulnerabilities in it. US intelligence also appears to have viewed traffic between Kaspersky's servers and users of the software.

In 2008 an NSA research team discovered that the Kaspersky software sent sensitive user information back to the company's servers. This information could easily be captured to track users, according to a report. The NSA is also said to have intercepted e-mails intended for security companies that warned of new viruses and vulnerabilities, The Intercept reports today on the basis of various Snowden documents.

According to researcher Joxean Koret, anti-virus software is an attractive target for attackers. The software often runs with the highest privileges on the system, and through an attack on a virus scanner an attacker could obtain those rights. Moreover, the security of much anti-virus software leaves a lot to be desired and even lags years behind other client applications such as browsers and document readers, Koret said. "It means that Acrobat Reader, Microsoft Word or Google Chrome are much more difficult to attack than 90% of the anti-virus products." It was recently announced that Kaspersky Lab was the victim of a sophisticated attack that, according to the virus fighter, was carried out by a state.

Torrent Tags Warns Of Copyrighted Torrents



Australian software developers have built a database called Torrent Tags that warns users about torrent files that are copyrighted. The database contains a list of torrent files that have ever been claimed by a copyright holder.

When a user uploads a .torrent file via the website or enters its hash, Torrent Tags shows whether the file has been claimed by a copyright holder. In several countries torrent users have already been sued by rights organizations for downloading copyrighted material. Torrent Tags aggregates its database from Chilling Effects and from information supplied by copyright holders themselves, who can also flag torrents as copyrighted.

According to the developers of Torrent Tags, these parties should make known which torrents are subject to copyright before users can be monitored with the ultimate goal of suing them. In addition, they argue that without making this information public, monitoring torrent users amounts to "honeypot strategies": from a user's perspective, a torrent without a claim is indistinguishable from a torrent that has been created by a copyright holder to act as a honeypot.

US School Leaks Children's Data In PowerPoint Presentation



An American school has leaked the private data of preschoolers and schoolchildren in a PowerPoint presentation. During the presentation, given by the school's CTO in 2011, one slide showed pictures of sixteen toddlers, along with their names and phone numbers.

Another slide listed the names, student numbers and reading scores of 145 "fourth-graders" (comparable to Dutch group 6, children of 9-10 years old). The presentation was later shown at a different location and ended up on a federal government website. Only after a parent warned the school in March this year was the presentation removed. In April a letter of apology followed to all parents, as has now become known, according to the Washington Post.

In the letter, the school states that the PowerPoint presentation was, contrary to the rules, not reviewed. The chief technology officer of one of the affected schools said they did not know that the details came from real students. In addition, the CTO claims not to know which organization uploaded the PowerPoint file to a website of the National Institute of Standards and Technology (NIST).

Sunday, 21 June 2015

New Exploit Kit Focuses Almost Entirely On Flash Player


That Adobe Flash Player has replaced Java as the favorite target of cyber criminals has been demonstrated several times in the last few months, but a new exploit kit makes this clear once again. The Beta Exploit Kit, also known as Sundown, is a recently launched exploit kit that is still in the testing phase.

Through exploit kits, cyber criminals can easily infect Internet users who miss security updates, for example by hiding code on a compromised website or in an advertisement. This code then sends visitors to the exploit kit. In the case of Sundown, the exploit kit tries to infect Internet users with malware via six different vulnerabilities.

According to researcher JuK of the blog Malware Don't Need Coffee, these are four vulnerabilities in Adobe Flash Player and two in Windows. Researchers Aditya Sood and Rohit Bansal analyzed a different version, in which one Windows vulnerability had been replaced by an IE vulnerability. Java, which was a favorite target in the past, is missing, a trend that is also seen in many other recent exploit kits.

The Windows flaws Sundown attacks date back to 2013 and 2014, while the Flash Player vulnerabilities date from last year and this year. The IE vulnerability that Sood and Bansal saw was discovered and patched in 2012. Updates are available for all of the vulnerabilities. Yet there are still Internet users who do not install these patches and are therefore at risk.

However, the Beta Exploit Kit is itself not without faults. Sood and Bansal discovered errors in the exploit kit's administrator panel that allowed them to log in and retrieve all kinds of information, such as the server domains used, users, domains, the location of the victims and the kind of browser they surf with. The exploit kit is still in the testing phase, but the researchers expect that it will be used by cyber criminals in the coming months.

Saturday, 20 June 2015

Network Of Fukushima Waste Processor Infected With Malware



The Japanese state company that manages the radioactive waste from the Fukushima nuclear reactor was hit by malware, the Japanese Ministry of the Environment announced. The Japan Environmental Storage & Safety Corp (JESCO) manages the locations where the radioactive material resulting from the 2011 nuclear disaster is stored.

According to the Ministry, unauthorized communication to the outside was discovered on the network. Further investigation revealed that a computer virus had infected the intranet, the Japan Times reports. Because of the infection it was decided to take the network down. JESCO is busy setting up facilities for the storage of radioactive soil and other debris, for which it is in consultation with landowners.

However, JESCO's computers contained no information about the landowners, the ministry said. Recently it was announced that the Japan Pension Service had been infected with malware and that attackers had thereby gained access to the pension data of 1.25 million Japanese.

Research: Botnets Consist Of 1700 Computers On Average



In the first quarter of this year, botnets consisted of 1700 computers on average, claims ISP Level 3 on the basis of its own research (pdf). For the study, 600 to 1000 Command & Control servers, which allow cyber criminals to control infected computers, were monitored.

The number of computers that were part of a botnet fluctuated considerably in the first months of this year. In January the average was 3,763 computers, but by March this had dropped to 338 computers. According to Level 3, the decline is due to the "vigilance" of the security community. Computers that are part of a botnet are found mainly in China and the United States, each with more than half a million infected machines, followed by Norway with 213,000 "zombies."

Norway was also the target of the most botnet traffic in the first quarter, followed by the US and Spain. Norway's presence is explained by a single incident in which a botnet server was hosted within a specific hosting environment.

Netherlands

The report also mentions the Netherlands several times. For example, the Netherlands ranks fourth worldwide among countries that generate botnet traffic and third in Europe. "From a global perspective, the Netherlands is higher in relation to other European countries. The top 10 listing is primarily due to a large and heavy port scanner which made a number of victims in the Nordic region," says the report. It further states that the Netherlands provides a "robust infrastructure," making it "ideal" for centralizing botnets in the region.