Monday 11 December 2017

German Secret Service Warns Against Fake Profiles On LinkedIn



The German domestic intelligence service BfV warns of fake LinkedIn profiles that are allegedly used by Chinese intelligence services to gather information about politicians and policymakers. Over a period of nine months more than 10,000 Germans were approached via these fake profiles, according to the BfV.

The profiles pose as headhunters, consultants or scientists with names such as "Rachel Li" and "Alex Li". Among other things, they claim to have vacancies at a Dutch HR company. Once contact has been made, the operators of the fake profiles try to collect information about the target's habits, hobbies and political interests. "Chinese intelligence services are active on networks such as LinkedIn and try in this way to gather information and find sources," a spokesperson said.


Many of the profiles use photographs of attractive men and women; one of the photos was even lifted directly from an online fashion catalog, according to Reuters. The fake profiles mainly targeted European diplomats and politicians. German citizens are urged to report suspicious profiles and not to share valuable personal information via social media. "This is an extensive attempt to infiltrate parliaments, ministries and government agencies," says Hans-Georg Maassen, head of the BfV.

Conficker Worm Still Active On 150,000 Computers After 9 Years


The Conficker worm, which infected nine million computers at its peak, is still running on some 150,000 computers nine years after its first appearance on 21 November 2008, anti-virus company Trend Micro reports. Conficker spreads in several ways: through a vulnerability in the Windows Server service (MS08-067), through shared network folders, and through the Autorun feature of Windows.

Microsoft patched the Windows Server service vulnerability on October 23, 2008. In January 2009, Conficker also began spreading through the Autorun feature, which Microsoft disabled for removable drives via an update in February 2011. According to Trend Micro, Conficker is mainly active in China, Brazil and India; together these three countries account for more than half of all infections. Most infections were found on government systems, followed by manufacturing companies and health care.

Once it has infected a system, Conficker tries every day to contact a large set of generated domains to check for new instructions from its makers. ICANN, the organization responsible for the allocation of IP addresses and domain names, has however taken measures so that these domains cannot be registered. As long as that holds, the infected computers cannot be put to criminal use.

Trend Micro describes Conficker as "background malware" that is mainly active on legacy systems. "Although it is not as interesting to the general public as more modern malware such as WannaCry and Petya, it remains a persistent threat and will remain so as long as unsupported, unpatched legacy systems are still part of corporate networks," the company writes.

Sunday 10 December 2017

Strong Increase Of Phishing Sites That Use Https



Not only legitimate websites are increasingly using https; phishing sites too are more and more often served over a secure connection. In fact, the number of https phishing sites is rising sharply, according to security company PhishLabs. In the third quarter of this year almost 25 percent of the observed phishing sites used https.

A quarter earlier that was still about 12 percent, and a year ago fewer than 3 percent of phishing sites had an SSL certificate. According to the company there are two reasons for the increase. The first is that phishing pages are regularly hosted on hacked, legitimate websites. When a legitimate website with an SSL certificate is hacked, the phishing page served from it automatically gets a secure connection as well.


The second reason, according to PhishLabs, is that criminals register domains for their phishing site and then enable https themselves, using certificate authorities that issue free SSL certificates, such as Let's Encrypt and Comodo. This makes the phishing site look more legitimate, says Crane Hassold of PhishLabs. Chrome automatically shows the "Secure" label on https sites. The label refers only to the encrypted connection, but end users take it to mean that the website they are visiting is safe, Hassold notes.

"The general misunderstanding of what https means, combined with the confusing way browsers label https websites, are the main reasons it has become the preferred choice of phishers for hosting phishing sites," Hassold continues. "Combined with the rapid growth of https among website owners, we expect the number of https phishing sites to keep growing."

How To Remove The Microphone From Your iPhone And MacBook

Those who do not want to risk a hacked iPhone or MacBook being used as a listening device can choose to remove the built-in microphone. Calls can then only be made by connecting a headset with a microphone, for example.

"There is no reason these devices need those sensors to function," says Kyle Wiens of repair company iFixit to Wired. "And taking them apart to remove the microphone is no harder than repairing them." Users can also switch the microphone off in software, or plug a dummy plug (a cut-off headset jack) into the headphone socket, if the device still has one, so that it believes an external microphone is connected. According to experts, however, this does not offer sufficient protection.

According to Richard George, a former technical director at the NSA who was involved in designing the secure BlackBerry used by President Obama, the jack trick is not enough: a malicious application could bypass the fake microphone and enable the real one anyway. Anyone who wants to be certain therefore has to remove the microphone, or have it removed.

On a MacBook this turns out to be fairly simple, and iFixit even has a guide for it; the microphone can also easily be reconnected afterwards. The same operation on an iPhone is a lot harder and permanent, and the iPhone has four built-in microphones. Here too iFixit offers detailed instructions for doing it yourself. A repair shop Wired spoke to charges 75 dollars for the job and says it has already done it twice for privacy-conscious customers.

Last year whistleblower Edward Snowden advised that people who do not want to be spied on or tapped would do well to remove the microphone and camera from their smartphone. Recently, however, the Dutch Public Prosecution Service stated that legitimate users have no reason to "demolish" the microphone of their device. That statement was made in connection with the investigation into Ennetcom, a company that supplied customized BlackBerry smartphones for encrypted communication; the microphones had been removed from those phones.

Saturday 9 December 2017

Mac Malware Hidden Lotus Uses Unicode To Disguise Itself



Researchers have discovered a macOS malware sample that uses a Unicode Roman numeral character to disguise itself. The malware poses as a PDF file and carries .pdf as its extension. In reality, however, it is an application, and that is also how macOS treats it.

The "d" in .pdf turns out not to be an ordinary d but the character "small roman numeral five hundred" (U+217E, ⅾ), which looks like a lowercase d but is the Roman numeral for 500. Moreover, a Mac application does not need the .app extension to be treated as an application. An application in macOS is simply a folder with a special internal structure called a bundle. A folder with the correct structure is still a folder, but as soon as it is given the .app extension it becomes an application: the Finder treats it as a single file rather than a folder, and double-clicking starts the application instead of opening the folder.


When a file or folder is double-clicked, LaunchServices first looks at the extension. For a known extension the item is opened with the corresponding application; for a file with an unknown extension, the user is asked what to do. For a folder with an unknown extension, however, LaunchServices first checks whether a bundle structure is present. The newly discovered malware has the correct structure of an app, and because its extension (.pⅾf with the Roman numeral) is unknown to the system, LaunchServices looks at the internal structure and treats it as an application.

Users do still get a warning from macOS asking whether they want to open an application downloaded from the internet, anti-malware company Malwarebytes notes. If they open the file anyway, they are infected with the HiddenLotus backdoor, which gives the attackers access to the system. According to Malwarebytes, HiddenLotus is a variant of the OceanLotus backdoor that has been used against Vietnamese Mac users, among others.
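The two checks described above, as an added example that is not part of the article or of Malwarebytes' analysis: NFKC normalization exposes a compatibility character such as U+217E (ⅾ) hiding in a file extension, and a directory containing Contents/Info.plist and Contents/MacOS/ is an application bundle whatever its extension says. The three sample entries it scans (a real PDF, a real .app layout and a HiddenLotus-style bundle named Flight.pⅾf) are constructed in a temporary directory; the names and the minimal bundle layout are illustrative assumptions.

```python
import os
import tempfile
import unicodedata


def extension_of(name: str) -> str:
    """Extension after the last dot of the final path component, '' if none."""
    base = os.path.basename(name.rstrip("/"))
    stem, dot, ext = base.rpartition(".")
    return ext if dot and stem else ""


def confusable_extension(name: str):
    """Return (what_it_looks_like, what_it_is) when the extension contains
    non-ASCII characters. NFKC folds compatibility characters such as
    U+217E SMALL ROMAN NUMERAL FIVE HUNDRED to the ASCII letter they imitate,
    so 'p\u217ef' comes back as ('pdf', 'p\u217ef'). ASCII extensions give None."""
    ext = extension_of(name)
    if not ext or ext.isascii():
        return None
    return (unicodedata.normalize("NFKC", ext), ext)


def is_app_bundle(path: str) -> bool:
    """LaunchServices treats a directory with this layout as an application
    even when its extension is not .app (the bundle check is structural)."""
    contents = os.path.join(path, "Contents")
    return (os.path.isdir(path)
            and os.path.isfile(os.path.join(contents, "Info.plist"))
            and os.path.isdir(os.path.join(contents, "MacOS")))


def classify(path: str) -> str:
    """Verdict for one filesystem entry."""
    ext = extension_of(path)
    bundle = is_app_bundle(path)
    if bundle and ext.lower() != "app":
        # A bundle that does not admit to being one: the HiddenLotus pattern.
        return f"app bundle disguised as .{unicodedata.normalize('NFKC', ext)}"
    if ext and not ext.isascii():
        return f"non-ASCII extension, renders like .{unicodedata.normalize('NFKC', ext)}"
    if bundle:
        return "app bundle"
    return "ordinary"


def scan_dir(root: str) -> dict:
    return {name: classify(os.path.join(root, name)) for name in sorted(os.listdir(root))}


def build_samples(root: str) -> None:
    """Constructed fixtures: one real PDF, one ordinary app layout, and a
    HiddenLotus-style bundle whose 'd' is U+217E."""
    with open(os.path.join(root, "report.pdf"), "wb") as f:
        f.write(b"%PDF-1.4\n")
    for bundle in ("Calculator.app", "Flight.p\u217ef"):
        os.makedirs(os.path.join(root, bundle, "Contents", "MacOS"))
        with open(os.path.join(root, bundle, "Contents", "Info.plist"), "w") as f:
            f.write("<plist/>")  # minimal stand-in; real bundles carry a full plist


def demo() -> dict:
    with tempfile.TemporaryDirectory() as root:
        build_samples(root)
        return scan_dir(root)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name!r:24} {verdict}")
```

Run on a downloads directory, the first verdict is the one worth alerting on; the second (a lookalike extension on a plain file) is worth a look but is also what legitimate non-Latin filenames produce, so it should not block on its own.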

VirusTotal: https://www.virustotal.com/en/file/f261815905e77eebdb5c4ec06a7acdda7b68644b1f5155049f133be866d8b179/analysis/

MD5: 8a1fe734eb7d49044d8ebc0ef1b9b86f

Saturday 2 December 2017

Researcher Discovers Keylogger In HP Keyboard Driver


A researcher using the alias ZwClose has discovered a keylogger in an HP keyboard driver that malware could abuse. The keylogger sits in the file SynTP.sys, part of the Synaptics Touchpad driver installed on hundreds of HP laptop models.

Although the keylogging was disabled by default, it could be enabled through a change to the Windows Registry. The researcher warned HP, which confirmed the presence of the keylogger: it was debug code for the driver that had been left in. HP has now released an update that removes the code.

The update can be downloaded from HP's website and via Windows Update, the researcher says. All affected models, almost 500 different laptops, are listed on HP's website. According to HP, neither HP nor Synaptics had access to customer data as a result of the keylogger. Earlier this year, a keylogger was also found in an HP audio driver.

Thursday 26 October 2017

Infrastructure Behind BadRabbit Ransomware Active Since 2016


The infrastructure used last Tuesday to spread the BadRabbit ransomware has been active since 2016, says Dutch security researcher Yonathan Klijnsma of security company RiskIQ. For the attack, the attackers used a large number of hacked websites.

These websites showed visitors a popup claiming they needed to install an update for Adobe Flash Player. In reality it was a Petya ransomware variant that encrypts files on the hard drive and overwrites the Master Boot Record, so that the operating system can no longer start. BadRabbit also tries to spread over SMB, using a list of commonly used passwords and credentials harvested from the infected machine.

The hacked websites loaded code from an injection server, which displayed the malicious popup on them. One of these injection servers was first observed last September, and some of the hacked websites had been compromised since last year. RiskIQ counted 63 hacked websites to which the attackers had access, but says the real number may well be higher.

"The group behind the BadRabbit ransomware has been active for quite some time," said Klijnsma. The researcher speaks of a long-running campaign that may originally have been set up for something other than BadRabbit. "Although the BadRabbit ransomware is brand new, we can trace the distribution infrastructure back to the beginning of 2016, which shows that victims had been compromised long before the ransomware hit and the news cycle began. The campaign could originally have been set up for something other than BadRabbit." Security company Symantec says 86 percent of the infections occurred in Russia, and that mainly companies were hit.

Wednesday 25 October 2017

Security Company Develops Patch For DDE Feature In Microsoft Office



A security company has developed an unofficial patch for the DDE feature in Microsoft Office that cybercriminals are currently abusing. Dynamic Data Exchange (DDE) is a feature that was added to older Windows versions and is still used in many places. It allows data from, for example, an Excel document to be inserted into a Word document.

When the Excel document is updated, the change is immediately visible in the Word document. However, DDE also makes it possible to call a malicious application instead of Excel, or a benign application that executes malicious commands. Before the called application runs, the user first has to click through two dialog boxes.

That does not seem to be much of an obstacle, as the functionality is currently being abused by cybercriminals. Microsoft has no plans to address the issue through a security update for now; the Windows 10 Fall Creators Update does, however, include Windows Defender Exploit Guard, which can block attacks via the DDE feature. Since Microsoft is not providing a patch for the time being, security company ACROS decided to look into developing one itself.

The result is a "micropatch" for Office 2007, 2010, 2013, 2016 and 365, both the 32-bit and 64-bit versions. The patch prevents the DDE feature from launching the specified application: Microsoft Word still shows the two dialog boxes, but if the user clicks yes, the called application is not executed. To install the micropatch, the free 0patch Agent software must be running on the system. This is an unofficial patch and its use is at your own risk. ACROS has previously developed micropatches for vulnerabilities in Windows and Foxit Reader, among other software.

Researchers Crack Google's Audio Captcha


Researchers have managed to crack Google's audio captcha with an average accuracy of 85 percent, which would allow bots to automatically create accounts on websites and post spam. To tell bots and people apart, captchas often require users to solve puzzles or read distorted text. Google's captcha also offers an audio version.

The audio captcha consists of several digits read out at different speeds, with different accents and pitches, and with background noise. Researchers at the University of Maryland devised an attack on it. To crack the audio captcha, they developed "unCaptcha", software that downloads the captcha's audio file and splits it into the segments that contain speech.


The audio fragment for each digit is then sent to six free online speech-to-text services, including Google's own. From the different transcriptions the software determines which digit was spoken in each fragment. The results are then entered into the captcha form in a human-like ("organic") way. On average the software solves the captcha with 85 percent accuracy. After the researchers published their paper (pdf), Google took various measures that limit the effectiveness of unCaptcha.

Attacker Modifies Coinhive DNS Using Reused Password


An attacker yesterday managed to change Coinhive's DNS records, causing websites that use the cryptominer to load a JavaScript file belonging to the attacker. Coinhive is a cryptominer that uses a visitor's computing power to mine the cryptocurrency Monero through the browser, by having the computer perform cryptographic calculations.

Website owners who want to use Coinhive have to reference a Coinhive JavaScript file on their site. The visitor's browser then loads this file, after which the visitor's computer is used to perform the calculations. The attacker gained access to Coinhive's Cloudflare account; Cloudflare is Coinhive's DNS provider.

The attacker then changed the DNS settings so that requests for coinhive.com were sent to another server, which served a modified version of the JavaScript file. As a result, the attacker, rather than the websites running Coinhive, profited from the calculations performed by their visitors.

According to Coinhive, the Cloudflare account was compromised through an insecure password that was probably stolen in the Kickstarter hack of 2014. "We have learned hard lessons about security since then and used two-factor authentication and unique passwords for all services, but failed to update our years-old Cloudflare account," Coinhive said. The company is now looking at ways to compensate affected websites.
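The check a site operator could have had in place against exactly this failure mode is Subresource Integrity: pin the hash of the third-party script you reviewed, and the browser refuses to run a different file even if DNS sends it to the attacker's server. The following is an added example, not Coinhive's code or anything from the incident report; the script URL is only illustrative and both JavaScript bodies are constructed stand-ins for the library as reviewed and as served after the hijack.

```python
import base64
import hashlib
import hmac


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value '<algo>-<base64 digest>'; the spec allows
    sha256, sha384 and sha512 only."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI allows only sha256, sha384 or sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """The tag a site operator publishes after hashing the script they reviewed.
    crossorigin is required: SRI on a cross-origin script needs a CORS response."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def browser_would_run(content: bytes, integrity: str) -> bool:
    """What a supporting browser does at load time: hash what actually arrived
    and compare it with the pinned value; on mismatch the script is not executed."""
    algo, _, _ = integrity.partition("-")
    try:
        return hmac.compare_digest(sri_hash(content, algo), integrity)
    except ValueError:
        return False


# Constructed stand-ins: the library as reviewed, and the version served after
# DNS for the library host was pointed at the attacker's server.
ORIGINAL_JS = b"var Miner=function(site){this.site=site};"
HIJACKED_JS = b"var Miner=function(site){this.site='attacker-site-key'};"


def demo() -> dict:
    tag = script_tag("https://coinhive.com/lib/coinhive.min.js", ORIGINAL_JS)  # illustrative URL
    integrity = tag.split('integrity="')[1].split('"')[0]
    return {
        "tag": tag,
        "original_runs": browser_would_run(ORIGINAL_JS, integrity),
        "hijacked_runs": browser_would_run(HIJACKED_JS, integrity),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The pin has to be refreshed whenever the legitimate library changes, and it does nothing when the including site itself is compromised or when the third party legitimately pushes a new version without telling you; against a DNS hijack that serves a modified file, though, browsers with SRI support simply refuse to run it.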

Tuesday 24 October 2017

Ukraine And Russia Hit By Bad Rabbit Ransomware


Organizations in Ukraine and Russia have been hit by a new ransomware strain called Bad Rabbit, reportedly a variant of the Petya ransomware that spread this summer, anti-virus company ESET reports. The malware is said to have infected hundreds of systems.

Among the victims are the Kiev metro, Odessa airport and Ukrainian ministries, according to the anti-virus company. Anti-virus company Kaspersky Lab reports that most victims are in Russia; the Russian press agency Interfax, for example, was hit and reports that its news services are unavailable because of the attack. "Based on our investigation, this is a targeted attack against corporate networks, using methods similar to those used in the ExPetr attack," said Kaspersky researcher Alex Perekalin. ExPetr is one of the names given to this summer's Petya variant.

According to Kaspersky Lab, Bad Rabbit is spread through a number of hacked Russian media websites. ESET researcher Lukas Stefanko, Proofpoint researcher Darien Huss and anti-virus veteran Vesselin Bontchev warn that the ransomware is being offered on websites as a Flash Player update. As soon as a user downloads and opens this so-called update, Bad Rabbit is activated on the system. Bad Rabbit then tries to spread across the network using a list of common passwords, and also tries to steal credentials with a tool based on Mimikatz.

Bad Rabbit encrypts files and, like Petya, overwrites the Master Boot Record (MBR) of the hard drive, rendering the system unusable. The ransomware demands about 240 euros from victims for decrypting the files. Whether victims who pay the ransom get their files back is still unknown. Organizations are advised to block execution of the files c:\windows\infpub.dat and c:\windows\cscc.dat and, where possible, to disable the Windows WMI service so that the ransomware cannot spread further.

ESET researcher Stefanko initially reported that the EternalBlue exploit was also used. That turned out not to be the case at all; the article has been amended accordingly.

The attackers managed to hack several media and news sites and placed malicious code on them that offered the so-called Flash Player update. Most infections have been observed in Russia, followed by Ukraine, Bulgaria and Turkey. According to ESET, all the major affected organizations were hit at about the same time. "It is possible that the attackers already had access to the networks and launched the attack through the websites at the same time as a distraction," said Marc-Etienne M. Léveillé of ESET. He notes that there are no indications that employees of the affected organizations actually fell for the fake Flash Player update. Anti-malware company Malwarebytes reports that the attackers behind Bad Rabbit are probably also responsible for last June's Petya/NotPetya variant.

In the meantime, several technical analyses of Bad Rabbit have appeared online:

- Bitdefender

- Cisco

- ESET

- Kaspersky Lab

- Malwarebytes

- McAfee

- Qualys

According to Costin Raiu of Kaspersky Lab, the attackers behind Bad Rabbit had been building the network of hacked websites since July. Among others, they had access to Russian, Turkish, German and Bulgarian websites.

Lenovo Provides Computers With FIDO Authenticators



Lenovo has equipped various computer models with so-called FIDO authenticators, which let users log in to their accounts with a fingerprint scan or by clicking a prompt on the screen. The Fast IDentity Online (FIDO) Alliance has set itself the goal of replacing the password with authentication methods that are "more secure and more user-friendly."

Lenovo is a member of the FIDO Alliance, as are Google, Microsoft, MasterCard and PayPal, among others. The members develop products and services that use the FIDO protocols. Online services that support the protocols automatically recognize devices with FIDO support and allow users to replace their password with another authentication method.

Lenovo now claims to be the first PC manufacturer to build FIDO-certified authenticators directly into Windows computers. Instead of a password, users can choose an alternative: for example, they can log in with a fingerprint scan through the Universal Authentication Framework (UAF). The systems also support Universal 2nd Factor (U2F).

If a user has enabled two-factor authentication on an account, there is no longer any need for a separate security key or SMS code: the second factor is built directly into the computer. With U2F two-factor authentication, users get a prompt to confirm, after which they are logged in to their account. This login method is supported by Google, Facebook and Dropbox, among others.

To support UAF and U2F, Lenovo uses Intel Online Connect and Intel Software Guard Extensions (Intel SGX) on the latest Intel processors. The functionality ships with several computer models and will be made available for other models already delivered. Intel Online Connect can be downloaded from Lenovo's website and will also be offered through Lenovo System Update and Lenovo App Explorer.

Well-known British Clinic For Plastic Surgery Hacked



Attackers have hacked a well-known British plastic surgery clinic and made off with all kinds of sensitive patient data, including photos. The attackers, known as The Dark Overlord, told The Daily Beast that they stole terabytes of data.

The stolen databases are also said to contain information about members of the royal family. The attackers shared information and photos of operations with a journalist from The Daily Beast, sending their e-mails from a hacked e-mail account of the clinic. They are threatening to make the stolen images public.

On its own website, London Bridge Plastic Surgery confirms the breach and states that it has taken measures to stop the attack. It is now investigating exactly what data the attackers took. The clinic does not say how the attack was carried out, but on Twitter it speaks of a "sophisticated cyber attack". Earlier, the group also extorted a Hollywood studio after stealing unreleased episodes of Orange Is the New Black.

Mozilla Doubles Donations To The Tor Project



The Tor Project today launched a crowdfunding campaign, and Mozilla will match donations up to a total of $500,000. Every day, 2 million people use the Tor network to protect their privacy and to visit censored websites.

According to the Tor Project, the number of attacks on online freedom and privacy this year was unprecedented. "Countries around the world tried to restrict access to the web, to silence dissidents and to compromise personal privacy," said Tommy Collison of the Tor Project. For next year, too, the Tor Project expects many governments and companies to try to make censorship the norm and to relegate privacy to the past.

A large part of the Tor Project's funding comes from the US government, and the organization wants to reduce that dependence by relying more on individual donations. Because crowdfunded money comes without restrictions, it can be spent on the projects the Tor Project considers most important, and the organization can respond quickly to changing circumstances.

The Tor Project also praises its cooperation with Mozilla. Not only will Mozilla match donations up to a total of $500,000, the two parties also work closely together on software development, with regular consultation between Mozilla's and the Tor Project's engineers. Tor Browser's privacy enhancements are being added to Firefox, for example, and Mozilla engineers have trained Tor developers in the Rust programming language. In addition, Mozilla supports the Tor network by running several Tor relays.

25,000 Fortinet Devices Vulnerable To DUHK Attacks


More than 25,000 internet-facing Fortinet devices used for VPN connections are vulnerable to a new cryptographic attack called DUHK, which allows a passive attacker to decrypt VPN connections and read the traffic.

DUHK stands for Don't Use Hard-coded Keys and was developed by Matthew Green, cryptographer and professor at Johns Hopkins University, together with Nadia Heninger and Shaanan Cohney. The vulnerability arises when the ANSI X9.31 Random Number Generator (RNG) is used with a hard-coded seed key. ANSI X9.31 is a more than 20-year-old algorithm that until recently was used to generate the cryptographic keys protecting VPN connections and web sessions against eavesdropping.

With the DUHK attack, an attacker can recover the secret encryption keys of vulnerable implementations and thus decrypt and read traffic from VPN connections and web sessions, which may include sensitive data such as company information, login credentials and credit card numbers. The ANSI X9.31 RNG is used in many government-certified products: until last year it was one of four random number generators approved by the US government for use in FIPS-certified cryptographic modules. It has since been removed from the list.

Network equipment maker Fortinet used this vulnerable generator in devices running FortiOS 4.x. Traffic of all Fortinet VPN devices running FortiOS 4.3.0 through 4.3.18 can be decrypted by a passive network attacker who captures the encrypted handshake. Fortinet fixed the problem last year with FortiOS 4.3.19. According to Green, more than 25,000 vulnerable VPN devices are reachable from the internet; he calls that a "conservative number", since only machines that responded to the researchers' scans were counted. The researchers have published a paper with their findings (pdf) but are not releasing the attack code.
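Why a hard-coded seed key is fatal for this generator, as an added example that is not taken from the DUHK paper or from FortiOS: the block below implements ANSI X9.31 over a block-cipher call E_K, runs it as the victim would, and then lets an attacker who knows K recompute the internal state from a single observed output and predict the next one, without ever learning the original seed. To stay standard-library only, E_K is a keyed PRF stand-in (HMAC-SHA256 truncated to one block) rather than AES or 3DES; X9.31 only ever encrypts, never decrypts, so the structure of both the generator and the attack is unchanged. The key value, the timestamp base and the assumption that consecutive outputs are one clock tick apart are constructed for the demo; in the real attack the timestamp is brute-forced from the handshake's own timing and the outputs are recovered from nonces in the handshake.

```python
import hashlib
import hmac
import os

BLOCK = 16  # bytes; X9.31 with AES uses 128-bit blocks (3DES variants use 64)


def enc(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K. X9.31 never calls the inverse, so a keyed PRF keeps
    the generator and the attack structurally identical to AES/3DES."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pack_time(t: int) -> bytes:
    return t.to_bytes(BLOCK, "big")


class X931:
    """ANSI X9.31 generator. Per output block with timestamp T:
         I = E_K(T);  R = E_K(I xor V);  V' = E_K(R xor I)
    K is the 'seed key' (hard-coded in the affected firmware), V the secret state."""

    def __init__(self, key: bytes, seed_v: bytes) -> None:
        self.key, self.v = key, seed_v

    def next_block(self, timestamp: bytes) -> bytes:
        i = enc(self.key, timestamp)
        r = enc(self.key, xor(i, self.v))
        self.v = enc(self.key, xor(r, i))
        return r


def predict_next(key: bytes, r_seen: bytes, t_seen: bytes, t_next: bytes) -> bytes:
    """Attacker side. Knowing K and one output R_n with its timestamp T_n,
    recompute V_{n+1} = E_K(R_n xor E_K(T_n)) and hence R_{n+1}."""
    i_seen = enc(key, t_seen)
    v_next = enc(key, xor(r_seen, i_seen))
    return enc(key, xor(enc(key, t_next), v_next))


def recover_timestamp(key: bytes, r1: bytes, r2: bytes, t_base: int, window: int):
    """T carries little entropy (a clock value the attacker roughly knows), so
    try candidates until the predicted second block matches the observed one.
    Assumes the two outputs were generated one tick apart (demo simplification)."""
    for t in range(t_base, t_base + window):
        if predict_next(key, r1, pack_time(t), pack_time(t + 1)) == r2:
            return t
    return None


HARDCODED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed stand-in


def demo(t0: int = 1_500_000_000_000_000, slack: int = 3000) -> bool:
    """Victim emits three blocks (think handshake nonces). A passive attacker who
    captured the first two predicts the third, which is all that is needed when
    the next block becomes key material."""
    victim = X931(HARDCODED_KEY, os.urandom(BLOCK))  # V is fresh and secret
    r1, r2, r3 = [victim.next_block(pack_time(t0 + k)) for k in range(3)]
    t_found = recover_timestamp(HARDCODED_KEY, r1, r2, t0 - slack, 2 * slack)
    if t_found is None:
        return False
    predicted = predict_next(HARDCODED_KEY, r2, pack_time(t_found + 1), pack_time(t_found + 2))
    return predicted == r3


if __name__ == "__main__":
    print("attacker predicted the next block:", demo())
```

Note what the fix is not: a fresh V per boot does not help, because V is recomputed from public output and K. Only a K that is unknown to the attacker, or a different generator, closes the hole, which is why the researchers' name targets the hard-coded key rather than the algorithm's age.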

Man Charged For Hacking 550 Gmail And iCloud Accounts


In the United States, a 32-year-old man has been charged with hacking more than 550 Gmail and iCloud accounts, including those of Hollywood stars and other celebrities. According to the indictment, between April 2013 and the end of August 2014 the man sent phishing e-mails asking recipients to reply with their username and password.

When a recipient replied with their credentials, the man used them to log in to the victim's iCloud and Gmail accounts and searched for sensitive personal information, including photos and videos. The case arises from the investigation into "Celebgate" or "The Fappening", the leak of nude photos of various celebrities. The FBI has, however, found no evidence that the accused is responsible for leaking those photos, or that he shared or uploaded the information he obtained.

The man has signed a plea agreement and is expected to plead guilty, the US Department of Justice reports. Earlier this year, a 29-year-old American was sentenced to nine months in prison for hacking the iCloud and Gmail accounts of more than 300 people, including at least thirty Hollywood stars. According to the FBI, that man was not responsible for Celebgate either.

WordPress Sites Attacked Via Zero-Day Vulnerability In Plug-In




A zero-day vulnerability in the WordPress plug-in Ultimate Form Builder Lite was actively used to attack and take over websites before an update was available. Ultimate Form Builder Lite is a WordPress plug-in for creating contact forms and runs on more than 50,000 websites.

The vulnerability was discovered by security researchers at Wordfence, which had already warned about zero-day vulnerabilities under active attack in three other plug-ins: Appointments, Flickr Gallery and RegistrationMagic-Custom Registration Forms, used by a combined 21,000 websites. While investigating those attacks, the researchers found that the attackers were also going after WordPress sites running Ultimate Form Builder Lite.

The attackers combined a SQL injection with a PHP vulnerability; with a single request they could completely take over a vulnerable website. The plug-in's developer was informed on October 13 and released an update on Sunday, October 22, that fixes the problem.

Windows Defender Exploit Guard Protects Against DDE Attacks



With the launch of the Windows 10 Fall Creators Update, Microsoft has added new security measures to the operating system that, among other things, protect against the DDE attack that has recently been in the news. The new measures are collectively called Windows Defender Exploit Guard, a set of features meant to protect users against various threats.

One of these features is Controlled folder access, which protects directories against ransomware: only authorized applications get access to files in the specified folders. Unauthorized executables, DLL files and scripts are denied access, even when they run with administrative privileges. When ransomware tries to reach files in the protected folders, Windows 10 shows a warning.

Attack Surface Reduction


Another feature is Attack Surface Reduction (ASR), a set of controls that lets organizations stop attackers from infecting systems through e-mail, scripts or Microsoft Office. For Microsoft Office, ASR can prevent Office applications from creating executable content or injecting code into other processes, and it can block macro code. ASR also blocks attacks via the Microsoft Office DDE feature, Microsoft has announced.

The Dynamic Data Exchange (DDE) feature of Microsoft Office makes it possible to insert data from, for example, an Excel document into a Word document: one document contains a field that points to the data in the other. Instead of a document, malicious code can also be linked. Attackers are now using this feature to infect internet users with ransomware and other malware through Word documents. Windows Defender Exploit Guard can detect and stop this attack. ASR can also block JavaScript, VBScript and PowerShell scripts, as well as executable content arriving via e-mail or webmail.

Exploit Protection

Windows Defender Exploit Guard also provides protection against exploits and replaces Microsoft's well-known Enhanced Mitigation Experience Toolkit (EMET). Like EMET, it hardens the system with additional mitigations against known and unknown exploits. The Fall Creators Update removes EMET from Windows 10 computers on which it is installed; EMET users can import their settings into Exploit Guard. The Fall Creators Update will be rolled out to Windows 10 over the coming months and can also be installed manually.

Monday 23 October 2017

Security Company: Microsoft Should Patch DDE Feature In Word


Microsoft should come up with a fix for the DDE feature in Word now that cybercriminals are abusing it, security company Endgame argues. The Dynamic Data Exchange (DDE) feature of Word allows data from one document to be inserted into another; instead of a document, malicious code can also be linked. DDE is a legacy Inter-Process Communication (IPC) mechanism dating from 1987.


It consists of a protocol for exchanging messages between two applications, extended with access to shared memory. Microsoft Office adds an extension that lets DDE communicate with external processes. As a result, DDE in a Word document can not only invoke Excel but also execute commands on the system via cmd.exe.

Security company SensePost reported this to Microsoft, but the software giant said it would not take any measures for the time being because DDE is considered a feature. It may be considered as a "candidate bug" for a subsequent version of Office. One reason given is that the user has to confirm in multiple dialog windows before the code called via DDE is run.

Security company Endgame then looked into DDE in Word and discovered a bug in the implementation. According to the MSDN documentation on DDE, the application invoked via DDE must already be running. In practice that is not the case: Word starts it automatically. As a result, a malicious Word document can launch cmd.exe via DDE and execute further commands. According to Bill Finlayson of Endgame, Microsoft could resolve this by requiring the user to start the application themselves instead of Word doing so automatically.

Microsoft could also adjust the text of the dialogs and make it more security-oriented before the requested application is run. Finlayson, however, points to the many attacks via macros, which show that end users eventually click through every dialog regardless of its wording. "The correct solution is therefore to ask the user to launch the application before they can click through the dialog, and then re-run the request." Finlayson therefore regrets that Microsoft does not want to fix the problem, as attackers are increasingly using this feature.

Android Gets 'DNS Over TLS' To Encrypt DNS Requests


Android is getting a feature that encrypts DNS requests so that ISPs can no longer see which websites their subscribers visit, XDA Developers reports. DNS (Domain Name System) works like a phone book for the internet and, among other things, translates domain names into IP addresses.

When an internet user enters a domain name in the browser, the computer sends a request to a DNS server, which returns the website's IP address to the browser, which can then load the website. Often these requests go to the ISP's DNS server. The requests are unencrypted, however, so anyone with access to the connection can read them.

DNS over TLS is a protocol that encrypts DNS requests, just as HTTPS does for traffic to and from websites. The TLS encryption is meant to prevent eavesdropping on and manipulation of DNS requests on the network, thus protecting users' privacy. Code has now appeared in the Android Open Source Project (AOSP) indicating that DNS over TLS is being added to Android.

Users would be able to enable or disable it via the OS's Developer Options. The feature may be added in Android 8.1. Users who want to use DNS over TLS must choose a DNS server that supports it. In addition, the encrypted DNS requests remain visible to that DNS server.
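The following Python code is an added example and is not part of the original article or of the AOSP change it describes. It shows what "DNS over TLS" means on the wire: the same DNS message format as plain DNS, carried with the two-octet length prefix used for DNS over TCP, inside an authenticated TLS session on port 853. The query and response bytes are constructed inline; connect_dot() and resolve_a() need a real resolver, and the resolver name and address mentioned in the code are placeholders, not a real service.

```python
"""Client-side pieces of DNS over TLS (RFC 7858), written as an added example.
DoT reuses the DNS-over-TCP format: every message is prefixed with a two-octet
big-endian length (RFC 7766) and the stream is wrapped in TLS on port 853. The
resolver name and address mentioned in __main__ are placeholders."""
import secrets
import socket
import ssl
import struct
from typing import List, Optional

DOT_PORT = 853  # port assigned to DNS over TLS by RFC 7858

def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a recursive query (QCLASS IN) in DNS wire format; qtype 1 = A."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)  # unpredictable ID, harder to spoof
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame(message: bytes) -> bytes:
    """Prefix a DNS message with its two-octet length for the TCP/TLS stream."""
    if len(message) > 0xFFFF:
        raise ValueError("DNS message too long for a 16-bit length prefix")
    return struct.pack("!H", len(message)) + message

def unframe(stream: bytes) -> List[bytes]:
    """Split received bytes into complete DNS messages.

    Several responses can share one TLS record and one response can span
    records, so a trailing partial message is left unparsed; keep reading.
    """
    messages, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack_from("!H", stream, pos)
        if pos + 2 + length > len(stream):
            break
        messages.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return messages

def _skip_name(message: bytes, pos: int) -> int:
    """Advance past a domain name, which may end in a compression pointer."""
    while True:
        length = message[pos]
        if length & 0xC0 == 0xC0:  # pointer: two octets, terminates the name
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length

def parse_a_records(message: bytes) -> List[str]:
    """Return the IPv4 addresses in the answer section of a response."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", message, 0)
    if flags & 0x000F:  # RCODE other than NOERROR: no usable answer
        return []
    pos = 12
    for _ in range(qdcount):  # skip the echoed question section
        pos = _skip_name(message, pos) + 4
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(message, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", message, pos)
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(message[pos:pos + 4]))
        pos += rdlen
    return addrs

def connect_dot(resolver_host: str, resolver_ip: str, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open an authenticated TLS connection to a DoT resolver (needs network).

    Certificate verification and hostname checking stay on: without them an
    on-path attacker could pose as the resolver and return forged answers,
    which is exactly the manipulation DoT is meant to prevent.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    raw = socket.create_connection((resolver_ip, DOT_PORT), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=resolver_host)

def resolve_a(name: str, resolver_host: str, resolver_ip: str) -> List[str]:
    """Send one A query over DoT and return the addresses (needs network)."""
    with connect_dot(resolver_host, resolver_ip) as tls:
        tls.sendall(frame(build_query(name)))
        data = b""
        while not unframe(data):
            chunk = tls.recv(4096)
            if not chunk:
                break
            data += chunk
    return [addr for msg in unframe(data) for addr in parse_a_records(msg)]

if __name__ == "__main__":
    # Offline: show the framed query bytes. With a real resolver you would call
    # resolve_a("example.com", "dot.resolver.example", "192.0.2.53") (placeholders).
    print(frame(build_query("example.com", txid=0x1234)).hex())
```

The TLS context keeps certificate and hostname verification enabled, which is what separates this from merely encrypted DNS: without authentication an on-path attacker could still pose as the resolver. As the article notes, the resolver itself sees every query, so the privacy gain depends on which resolver is chosen.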

Attack Via Office DDE Feature Also Works In Microsoft Outlook



The Microsoft Office DDE feature currently used to attack internet users through Word documents also works in Microsoft Outlook, researchers have shown. The attack can be carried out by sending emails and calendar invitations in Rich Text Format (RTF).

The Dynamic Data Exchange (DDE) feature of Microsoft Office makes it possible to embed live data from, for example, an Excel spreadsheet in a Word document. To do so, a field is added to one document that points to the data in the other. Instead of a document, the field can also point to a command, and attackers now abuse this to infect users with ransomware and other malware through Word documents.

The attackers send emails with a Word document attached. As soon as the recipient opens the document, several dialog boxes appear asking for permission to run the linked code. However, it is not necessary to send Word documents at all, researchers have shown. Researcher Kevin Beaumont found a way to use the DDE feature in Microsoft Outlook via the email itself. In that case users see the same prompt as in Word, asking for permission to execute code.


Besides an RTF-formatted email, the attack can also be carried out via a calendar invitation. According to anti-virus company Sophos, the attack is easy to stop: users need to click No in the first dialog that asks for permission to execute code. If the user clicks Yes in the first dialog, a second dialog asks for permission again, and only when Yes is clicked there is the code called via DDE executed. Another option users have to protect themselves is to read emails in plain text.
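The field-code detector below is an added example, written for this article and for the Word article above (SensePost and Endgame); it is not code from the articles or from the researchers named in them. A DDE field is an ordinary Word field whose instruction begins with DDE or DDEAUTO and names the program to launch and its arguments; in .docx files it lives in word/document.xml, in the Outlook variant it sits in the RTF body. The sample document and RTF body are constructed for this example and only echo a string; the obfuscations they contain (an instruction split over several runs, RTF hex escapes and empty groups) are the reason a detector should reassemble the field text rather than grep for "DDEAUTO".

```python
"""Find DDE field codes in Word documents and RTF mail bodies (added example,
not code from the articles or the researchers they cite). Samples are constructed."""
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

W_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r"^\s*(DDE|DDEAUTO)\b", re.IGNORECASE)
# RTF tokens: \'hh hex char | \{ \} \\ escaped literal | control word | control symbol | brace | text
RTF_TOKEN = re.compile(r"\\'([0-9a-fA-F]{2})|\\([{}\\])|\\[a-zA-Z]+-?\d* ?|\\.|[{}]|([^\\{}]+)")

def field_instructions_from_docx_xml(document_xml: bytes) -> List[str]:
    """Instruction text of every field in word/document.xml. Simple fields keep it
    in a w:instr attribute; complex fields spread it over w:instrText runs between
    'begin' and 'separate'/'end' w:fldChar marks, which are joined per field so
    'DDE' + 'AUTO' split over two runs (a common evasion) is still one string."""
    root = ET.fromstring(document_xml)
    found = [el.get(W_NS + "instr", "") for el in root.iter(W_NS + "fldSimple")]
    current: Optional[List[str]] = None
    for el in root.iter():
        if el.tag == W_NS + "fldChar":
            kind = el.get(W_NS + "fldCharType")
            if kind == "begin":
                current = []
            elif kind in ("separate", "end") and current is not None:
                found.append("".join(current))
                current = None
        elif el.tag == W_NS + "instrText" and current is not None:
            current.append(el.text or "")
    return found

def field_instructions_from_docx(path: str) -> List[str]:
    """A .docx is a zip archive; inspect its main document part."""
    with zipfile.ZipFile(path) as zf:
        return field_instructions_from_docx_xml(zf.read("word/document.xml"))

def _group_rest(text: str, pos: int) -> str:
    """Text from pos up to the '}' that closes the RTF group pos is inside."""
    depth, i = 0, pos
    while i < len(text):
        c = text[i]
        if c == "\\":
            i += 2  # skip the escaped char or the start of a control word/symbol
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            if depth == 0:
                return text[pos:i]
            depth -= 1
        i += 1
    return text[pos:]

def _rtf_plain_text(body: str) -> str:
    """Drop control words, control symbols and braces; decode escapes."""
    out = []
    for m in RTF_TOKEN.finditer(body):
        if m.group(1):    # \'hh hex-encoded character
            out.append(chr(int(m.group(1), 16)))
        elif m.group(2):  # \{ \} \\ escaped literal
            out.append(m.group(2))
        elif m.group(3):  # plain text run
            out.append(m.group(3))
    return "".join(out)

def field_instructions_from_rtf(rtf: str) -> List[str]:
    """Decoded instruction of every \\fldinst group in an RTF body. RTF lets the
    instruction be chopped up with nested groups, control words and \\'hh escapes,
    so it is reduced to plain text first: 'DD\\'45{}AUTO' still reads as DDEAUTO."""
    return [_rtf_plain_text(_group_rest(rtf, m.end())).strip()
            for m in re.finditer(r"\\fldinst\b", rtf, re.IGNORECASE)]

def dde_fields(instructions: List[str]) -> List[str]:
    """Keep only DDE/DDEAUTO instructions, the ones that launch a program."""
    return [ins for ins in instructions if DDE_RE.match(ins)]

# Constructed samples: an instruction split over two runs, and an RTF body that
# hides DDEAUTO behind a hex escape and an empty group. Both only echo a string.
SAMPLE_DOCUMENT_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body>
<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">AUTO c:\\\\windows\\\\system32\\\\cmd.exe "/c echo constructed sample" </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>Error! No topic specified.</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>
<w:p><w:fldSimple w:instr=" PAGE \\* MERGEFORMAT "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>
</w:body></w:document>"""
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0 Helvetica;}}\pard "
    r"{\field{\*\fldinst {DD\'45{}AUTO c:\\windows\\system32\\cmd.exe "
    r'"/c echo constructed sample"}}{\fldrslt {Error! No topic specified.}}}\par}'
)

if __name__ == "__main__":
    print(dde_fields(field_instructions_from_docx_xml(SAMPLE_DOCUMENT_XML)))
    print(dde_fields(field_instructions_from_rtf(SAMPLE_RTF)))
```

field_instructions_from_docx(path) runs the same check on a .docx on disk; for mail, the RTF body has to be extracted from the message first. Whether to block on a hit is a policy decision: legitimate DDE links to spreadsheets exist, which is why Microsoft treated DDE as a feature.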

Google Play Protect Stops Less Malware Than Anti-Virus Apps


The security software that protects Google Android devices against malware performs worse than anti-virus apps, according to a test by the German test lab AV-Test. In July, Google launched Play Protect, security software that scans apps that users want to download and install for malware and periodically checks the device for malware. Play Protect is present on all Android devices with Google Play.

AV-Test has been comparing mobile virus scanners for a long time and also included Play Protect in its September test. For the test, 20 Android virus scanners and Play Protect were run against nearly 6,000 infected apps: real-time detection of 3,000 malicious apps, and detection of 2,900 malicious Android apps found in the four weeks before the test.

On average, the tested programs detected 95.7 percent and 98.4 percent of the infected apps in the two tests respectively. Antiy, Bitdefender, Cheetah Mobile, Sophos, Symantec and Trend Micro scored 100 percent in both detection tests. Google Play Protect finished at the bottom: in the real-time test it detected 65.8 percent of the malicious apps, and of the malicious apps found in the four weeks before the test it detected 79.2 percent.

In total, the virus scanners could earn 13 points. Six points were awarded for detecting malicious apps. The same number of points was awarded for usability, covering battery usage, system load, data traffic, and false alarms on clean apps from Google Play and other official marketplaces. Finally, one point could be earned for additional security features such as anti-theft, encryption and backup.

A 100 percent score was not required to earn the six points for detecting Android malware. As a result, AhnLab, Antiy, Bitdefender, Cheetah Mobile, G Data, Kaspersky Lab, McAfee, Symantec, Tencent and Trend Micro ultimately reached the maximum of 13 points. Google Play Protect was evaluated only on malware detection and, due to its low detection score, received zero points. Of the anti-virus apps tested on all components, NSHC and F-Secure finished at the bottom with 9 and 9.5 points respectively.

Tuesday 10 October 2017

Privacy-Focused Librem 5 Phone Raises $1.5 Million


The privacy- and security-focused Librem 5 smartphone has raised over $1.5 million through a crowdfunding campaign. With this, developer Purism has reached the campaign's goal and the phone can go into production. The Librem 5 runs free and open source software on PureOS.

This is a Debian-based Linux operating system. The phone can also run other GNU/Linux distributions, such as Ubuntu, Fedora and SUSE. The developers want to create a completely open development environment, rather than the closed platforms of other phone makers. They also say the phone is being developed with security in mind and will follow the "privacy by default" principle. The Librem 5 will thus offer decentralized end-to-end encrypted communication via the Matrix network and is claimed to be the first 'IP-native' smartphone in the world.


"We believe that phones should not track you or abuse your digital life. We are in the middle of a digital rights revolution in which you can pay for the future", the developers state on the Librem 5 website. The phone can also be connected to other devices, such as monitors, mice and keyboards, and to other platforms. The five-inch smartphone has 3GB of memory, 32GB of storage that can be expanded via a microSD card, and hardware kill switches for the camera, microphone, baseband, Wi-Fi and Bluetooth. The phone can be ordered through the crowdfunding campaign for $599 and is scheduled to ship in January 2019.

ISC Warns Of USB Cable With Built-In SIM Card


The Internet Storm Center (ISC) warns of USB cables on sale that contain a built-in SIM card, mobile phone and microphone. Attackers could use such cables to carry out attacks or steal data, according to Johannes Ullrich of the ISC.

The $30 USB cable, for example, responds to text messages and can send back its GPS coordinates. It is also possible to activate the microphone and listen in via a text message. "The main risk is leaving systems (and cables) unattended in places with some public access," Ullrich notes. This applies, for example, to systems in hotel rooms or classrooms.

Users are therefore advised to mark their cables so that they cannot be swapped for other cables, and to secure the cables in place. Finally, Ullrich states that the "USB spy cable" in question is easy to recognize once users know what to look for. "But I'm sure they can make a smaller cable and maybe a version that's a bit more expensive and doesn't show the SIM card so easily."

Sleep Patterns Of WhatsApp Users Easy To Track


It is easy to track the WhatsApp usage and sleep patterns of WhatsApp users, information that could be sold to health insurers and credit agencies, says software engineer Robert Heaton. Using only a WhatsApp user's phone number, it is possible to read their status, such as whether they are online and when they were last seen.

It is not necessary to be a contact of the WhatsApp user; a phone number is sufficient. Heaton wrote a simple script that requested this information from WhatsApp every 10 seconds. He then plotted the data in a graph, which clearly revealed the sleep pattern of the user he was following. Users can set who may see their "last seen" status; by default, however, it is visible to everyone. In addition, users cannot hide their "online" status.


According to Heaton, it is thus easy to graph the WhatsApp usage and sleep patterns of both acquaintances and strangers, information that could be sold to health insurers and credit agencies interested in "deviant behavior", the engineer says. Other scenarios are outlined on Hacker News, such as correlating the status information of the people in a contact list to infer which of them are communicating with each other. This could, for example, reveal whether someone is cheating or having an affair.

37,000 Chrome Users Downloaded Fake Version Of Adblock Plus



Over 37,000 Chrome users have downloaded a fake version of the popular ad blocker Adblock Plus. The extension was offered in the official Chrome Web Store, security researcher "SwiftOnSecurity" reports on Twitter.

The extension used non-Latin characters in its name so that it appeared to be Adblock Plus. Over 37,000 Chrome users were deceived in this way. Once installed, the fake version displays all kinds of ads. The extension's developer appears to clone popular extensions and then offer them in the Chrome Web Store. Google has since removed the extension from the Chrome Web Store. The genuine Adblock Plus has more than 10 million users and over 158,000 reviews.

Monday 9 October 2017

Infected Pornhub Ads Spread Kovter Malware



On the popular porn site Pornhub, malicious advertisements appeared that infected visitors with malware. According to market researchers, the site ranks among the 30 most visited websites in the world; Pornhub itself claims 75 million unique visitors a day.

The malicious ads were spread through the Traffic Junky ad network. They redirected users to a website claiming that an important update for the browser or Adobe Flash Player was available. When users clicked on the page, a JavaScript file was downloaded that installed the final malware, which used the computer for advertising fraud. After being informed, both Traffic Junky and Pornhub removed the ads, according to security company Proofpoint.


"The combination of large-scale malvertising campaigns on very high-traffic websites with sophisticated social engineering that convinces users to infect themselves means that potential exposure to malware is quite high, reaching millions of Internet users," says the Proofpoint researcher with the alias Kafeine. "Once again, we see that attackers exploit the human factor as they adapt their tools and approaches to a landscape where traditional exploits are less effective." The researcher is pointing to the fact that attacking vulnerabilities in browsers and Adobe Flash Player yields ever fewer infections for cybercriminals.


Indicators of Compromise (IOCs) published by Proofpoint (domains defanged with [.]; all observed 2017-10-01):

IOC                                                                 IOC type    Description
www.advertizingms[.]com | 204.155.152.173                           domain|IP   Suspicious Epom server
*-6949.kxcdn.com                                                    domains     Subdomain from a rogue KeyCDN customer
phohww11888[.]org | 192.129.215.155                                 domain|IP   KovCoreG soceng host
cipaewallsandfloors[.]net | 192.129.162.107                         domain|IP   KovCoreG soceng host
b8ad6ce352f502e6c9d2b47db7d2e72eb3c04747cef552b17bb2e5056d6778b9    sha256      T016d6n7t96x2hc43r5f3u6gs61d.zip (zipped runme.js)
4ebc6eb334656403853b51ac42fb932a8ee14c96d3db72bca3ab92fe39657db3    sha256      FlashPlayer.hta
a9efd709d60e5c3f0b2d51202d7621e35ba983e24aedc9fba54fb7b9aae14f35    sha256      Firefox-patch.js
0e4763d4f9687cb88f198af8cfce4bfb7148b5b7ca6dc02061b0baff253eea12    sha256      Kovter
f449dbfba228ad4b70c636b8c46e0bff1db9139d0ec92337883f89fbdaff225e    sha256      Kovter