Monday 11 December 2017

German Secret Service Warns Against Fake Profiles On LinkedIn



The German secret service BfV warns against fake profiles on LinkedIn that would be used by Chinese intelligence services to gather information about politicians and policymakers. Over a period of nine months more than 10,000 Germans were approached via the fake profiles, according to the BfV.

The profiles occur as headhunters, consultants or scientists with the names "Rachel Li" and "Alex Li". They claim to have, among other things, vacancies at a Dutch HR company. After contact has been made, the fake profiles try to collect information about habits, hobbies and political interests. "Chinese intelligence services are active on networks such as LinkedIn and in this way try to gather information and find sources of information," said a spokesperson.


Many of the profiles are provided with photographs of attractive men and women. One of the photos would even be taken directly from an online fashion catalog, according to Reuters . The fake profiles have mainly provided for European diplomats and politicians. German citizens are called upon to report suspicious profiles and not to share valuable personal information via social media. "This is an extensive attempt to infiltrate certain parliaments, ministries and government agencies," says Hans-Georg Maassen, head of the BfV.

Conficker Worm Still Active On 150,000 Computers After 9 Years


The Conficker worm that infected nine million computers at its peak has been operating on 150,000 computers since its first appearance on 21 November 2008, anti-virus company Trend Micro said. Conficker is distributed in a variety of ways, including a vulnerability in the Windows Server service, shared network folders, and the Autorun feature of Windows.

The vulnerability in the Windows Server service was patched by Microsoft on October 23, 2008. In January 2009, Conficker also started distributing itself through the Autorun feature of Windows, something for which Microsoft released an update in February 2011. According to Trend Micro, Conficker is mainly active in China, Brazil and India. These three countries together account for more than half of all infections. Most infections were found in government systems, followed by production companies and health care.

After an infection, Conficker tries to connect every day with all kinds of domains to see if there are new instructions from the makers. ICANN, the organization that is responsible for the distribution of ip numbers and domains, has, however, taken measures so that these domains can not be registered. Thus, the infected computers can not be used for criminal purposes.

According to Trend Micro, Conficker can also be labeled as "background malware" that is mainly active on legacy systems. "Although it is not as interesting to the general public as more modern malware such as WannaCry and Petya, it remains a persistent threat and will remain so as long as unsupported, unpatched legacy systems are still part of corporate networks," says researcher the virus fighter .

Sunday 10 December 2017

Strong Increase Of Phishing Sites That Use Https



Not only legitimate websites use https more and more, phishing sites also have more and more access to a secure connection. There is even a strong increase in the number of https phishing sites, according to security company PhishLabs . In the third quarter of this year almost 25 percent of the observed phishing sites had a https connection.

A quarter earlier was still about 12 percent, while a year ago less than 3 percent of the phishing sites had a ssl certificate. According to the security company, there are two reasons why there is an increase in https usage among phishing sites. The first reason is that phishing sites are regularly offered via hacked, legitimate websites. When a legitimate website with a ssl certificate is hacked, the phishing page that is offered via the website will also have a secure connection.


The second reason according to PhishLabs is that criminals register domains for their phishing site and then enable https themselves. This then happens via certificate authorities that offer free ssl certificates, such as Let's Encrypt and Comodo. In this way, the phishing site looks more legitimate, says Crane Hassold of PhishLabs. Chrome automatically displays the "Safe" message at https sites. This refers to the secure connection, but end users think the website they are visiting is safe, Hassold notes.

"The misunderstanding about the meaning of https among the general public and the confusing appointment of https websites in browsers are the main reasons why it is a popular preference of phishers in hosting phishing sites," Hassold continues. "Combined with the rapid growth of https among website owners, we expect the number of https phishing sites to grow further."

Explanation How To Remove The Microphone From Your iPhone And MacBook



Those who do not want to risk using a hacked iPhone or MacBook as a listening device can choose to remove the built-in microphone. Calls can then only be made by connecting a headset with a microphone, for example.

"There is no reason why these devices need those sensors to function," says Kyle Wiens from repair company iFixit opposite Wired . "And taking them apart to remove the microphone is not more difficult than repairing them." Users can switch off the microphone or even insert a cut-off jack in the microphone socket if it is already present, but according to experts this does not offer sufficient protection.

According to Richard George, a former technical director of the NSA who was involved in the design of the secure BlackBerry of President Obama, the trick with the microphone jack is not enough. A malicious application could bypass the fake microphone and still enable the real microphone. Anyone who wants to be sure of his case can also remove the microphone or have it done.

In the case of a MacBook, this appears to be fairly simple. So iFixit even has a manual for it. The microphone can also easily be connected again. The same operation with the iPhone is a lot more difficult and permanent. The iPhone also has four built-in microphones. Once again, iFixit offers extensive instructions for doing this yourself. A repair company that Wired spoke costs 75 dollars and says twice for privacy-oriented customers.

Last year whistleblower Edward Snowden advised that people who do not want to be spied or tapped would be wise to remove the microphone and camera from their smartphone. Recently, however , the Public Prosecutor announced that legitimate users have no reason to "demolish" the microphone from their device. The verdict was made in connection with the investigation into Ennetcom, a company that supplied custom BlackBerry smartphones to communicate encrypted. The microphone was removed from these phones.

Saturday 9 December 2017

Mac Malware Hidden Lotus Uses Unicode To Disguise Itself



Researchers have discovered a malware copy for macOS that uses a Roman Unicode character to disguise itself. The malware in question occurs as a PDF file and also has .pdf as an extension. In reality, however, it is an application, which is also displayed by the Finder.

The "d" in .pdf appears not to be a normal d, but a Roman numeric D in lowercase, which shows the number 500. In addition, a Mac application does not need .app as an extension to be treated as an application. An application in macOS is simply a folder with a special internal structure called a bundle. A folder with the correct structure is still a folder, but when it is provided with the .app extension, it immediately becomes an application. The Finder treats it as a single file instead of a folder, and double-clicking starts the application instead of opening the folder.


When double-clicking on a file or folder, LaunchServices will first look at the extension. In the case of a known extension, it is opened with the corresponding application. When it comes to a file with an unknown extension, the user gets the question what he wants to do. However, when it is a folder with an unknown extension, LaunchServices first looks at the bundle structure if it is present. In the case of the now discovered Mac malware, it appears that they have the correct structure of an app. Because the malware actually has an unknown extension, LaunchService looks at the internal structure and therefore considers it as an application.

However, users still get a warning from macOS to see if they want to open an application that comes from the internet, as anti-malware company Malwarebytes says . In case users open the file anyway, they can get infected with the HiddenLotus backdoor. Attackers have access to the system through this backdoor. According to Malwarebytes, HiddenLotus is a variant of the OceanLotus backdoor that was used against Vietnamese Mac users, among others.

Virustotal Link:

https://www.virustotal.com/en/file/f261815905e77eebdb5c4ec06a7acdda7b68644b1f5155049f133be866d8b179/analysis/

MD5:

8a1fe734eb7d49044d8ebc0ef1b9b86f

Saturday 2 December 2017

Researcher Discovers Keylogger In HP Keyboard Driver


A researcher with the alias ZwClose has discovered a keylogger in an HP keyboard driver that malware could use. The keylogger was in the SynTP.sys file. This is part of the Synaptics Touchpad driver installed on hundreds of HP laptops.

Although the keylogger was turned off by default, it could have been enabled via an adjustment to the Windows Registry. The investigator warned HP and the manufacturer confirmed the presence of the keylogger. It was code that was actually meant for debugging the driver and was left behind. HP has now released an update to remove the code.

The update can be downloaded from the HP and Windows Update website , the researcher says. All affected models are listed on the HP website. It involves almost 500 different laptops. According to HP, the presence of the keylogger did not ensure that the self or Synaptics had access to customer data. Earlier this year, a keylogger was also found in an HP audio driver .