Wednesday 5 September 2018

Google Chrome Will No Longer Show 'Protected' At HTTPS Sites



To celebrate the tenth anniversary of Google Chrome, a new version of the browser has appeared that no longer shows the word 'secured' at https sites, makes using Flash Player more difficult, introduces an improved password manager and fixes 40 security vulnerabilities.

On 2 September 2008, Google launched its own browser, which has since become the dominant browser. According to StatCounter, Chrome has a market share of almost 68 percent on the desktop. In the Netherlands, around 54 percent of desktop users browse with Chrome. Yesterday evening, version 69 of Chrome appeared, which contains all kinds of new features and improvements.

Chrome 69 can fill in passwords, address details and credit card numbers more accurately. This data is stored in the user's Google account and is accessible directly from the Chrome toolbar. The browser also has an improved password manager that can generate unique passwords for websites and accounts. Saved passwords are then available to users with a Google account on both the computer and mobile devices.

Furthermore, Chrome 69 no longer shows the word "secured" on websites with a secure connection. Only the lock icon indicates that a secure connection is being used. Eventually the lock icon will also disappear. Google decided in July to display the message "Unprotected" at all http sites. The internet giant wants https sites to be the norm, so that users will only see a notification at http sites.

The browser also takes measures to make the use of Adobe Flash Player more difficult. Previously, users could whitelist websites that wanted to access the built-in Flash Player. That has now changed. Users must grant permission separately each time a website wants to enable Flash content, regardless of whether they have done so in previous sessions.

In addition, Google has fixed 40 vulnerabilities in the browser that, in the worst case, allowed an attacker to steal or modify data from other websites. Updating to Chrome 69.0.3497.81 will happen automatically on most systems. For Android users, Chrome 69.0.3497.76 has been made available.

MEGA Warns Against An Infected Chrome Extension That Steals Data



The popular cloud storage service MEGA has warned users about an infected version of its own Chrome extension that was distributed through the official download channel and tried to steal all kinds of user data. According to MEGA, the cloud storage service of internet entrepreneur Kim Dotcom, an attacker gained access to the company's official Chrome Web Store account.

An infected version of the MEGA Chrome extension was then placed in the Web Store and automatically offered to existing users. This version required permission to read data on all websites. As soon as users granted this permission, the extension tried to steal private keys for cryptocurrency wallets and usernames and passwords for Amazon, GitHub, Google and Microsoft accounts.
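An added example (not MEGA's or Google's code) of the check a defender can run on an extension update before accepting it: it diffs the permissions of two constructed manifests, the hypothetical `OLD_MANIFEST` and `NEW_MANIFEST`, and flags an update that newly asks for access to all websites or for traffic-intercepting APIs.

```python
"""Flag permission escalation between two Chrome extension manifest versions."""
import json

# Host patterns that cover every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that let an extension observe or alter traffic, cookies or tabs.
SENSITIVE_API_PERMISSIONS = {"webRequest", "webRequestBlocking", "cookies", "tabs",
                             "clipboardRead", "nativeMessaging", "debugger"}


def _is_host_pattern(entry: str) -> bool:
    return entry == "<all_urls>" or "://" in entry


def host_patterns(manifest: dict) -> set:
    """Host access requested anywhere in the manifest: MV2 lists host patterns under
    'permissions', MV3 under 'host_permissions', and content scripts under 'matches'."""
    patterns = set()
    for key in ("permissions", "host_permissions"):
        patterns.update(e for e in manifest.get(key, []) if _is_host_pattern(e))
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def api_permissions(manifest: dict) -> set:
    return {e for e in manifest.get("permissions", []) if not _is_host_pattern(e)}


def permission_escalation(old: dict, new: dict) -> dict:
    """Everything the new version requests that the old version did not."""
    new_hosts = host_patterns(new) - host_patterns(old)
    new_apis = api_permissions(new) - api_permissions(old)
    return {
        "new_host_patterns": sorted(new_hosts),
        "broad_host_access": sorted(new_hosts & BROAD_HOST_PATTERNS),
        "new_api_permissions": sorted(new_apis),
        "sensitive_apis": sorted(new_apis & SENSITIVE_API_PERMISSIONS),
    }


def requires_review(old: dict, new: dict) -> bool:
    """True when the update newly asks for all-site access or a sensitive API."""
    report = permission_escalation(old, new)
    return bool(report["broad_host_access"] or report["sensitive_apis"])


# Constructed manifests: a benign release scoped to one site, and an update that
# suddenly wants to read and intercept traffic on every site.
OLD_MANIFEST = json.loads("""{
  "manifest_version": 2, "name": "Example Storage Extension", "version": "1.0.0",
  "permissions": ["storage", "https://example-storage.invalid/*"],
  "content_scripts": [{"matches": ["https://example-storage.invalid/*"], "js": ["cs.js"]}]
}""")
NEW_MANIFEST = json.loads("""{
  "manifest_version": 2, "name": "Example Storage Extension", "version": "1.0.1",
  "permissions": ["storage", "webRequest", "webRequestBlocking", "<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["cs.js"]}]
}""")

if __name__ == "__main__":
    print(json.dumps(permission_escalation(OLD_MANIFEST, NEW_MANIFEST), indent=2))
    print("needs manual review:", requires_review(OLD_MANIFEST, NEW_MANIFEST))
```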

After five hours, the infected Chrome extension was removed from the Chrome Web Store by Google. MEGA states that it has started an investigation into how the Web Store account could be taken over. The cloud storage service also criticizes Google for not allowing developers to sign their own Chrome extensions. Extensions are now automatically signed after being uploaded to the Chrome Web Store. According to MEGA, this removes an important safeguard against attackers.

Before MEGA issued its warning, Jeremy Nation of MetaCert had already published an analysis of the infected extension. It is not the first time that attackers have gained access to the Web Store account of an extension developer and then distributed an infected update or version. At the end of last year, eight Chrome extensions were discovered that had been hijacked and that installed adware on the systems of their 4.6 million users. In that case, the attackers had obtained the developers' Web Store login data through phishing attacks.

Tuesday 4 September 2018

Google Employee Hacks RFID Access System Of Own Office



A Google employee hacked the RFID access system of Google's own office in Sunnyvale, allowing him to open doors without an access pass and to prevent other employees from gaining access. Google uses the iStar Ultra and IP-ACM systems from supplier Software House. The access system works with an RFID access pass.

Google employee David Tomaschik monitored the encrypted network traffic of the iStar Ultra and IP-ACM systems. The encrypted traffic turned out not to be random, as it should have been. Further research by Tomaschik revealed that all Software House devices used a hard-coded encryption key. This made it possible to forge commands, such as the command to open a door. He was also able to replay captured network traffic and thus open or block a door.

Furthermore, it was possible to perform these actions without leaving a log entry. Software House has developed a fix, but organizations where the vulnerable systems are still in use remain at risk, according to business magazine Forbes. Google also mentions that it has segmented its own network to protect against vulnerable systems such as these.
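An added example, not Tomaschik's tooling or Software House's code, of the two checks his observation suggests: an entropy and duplicate-frame measurement over captured frames, which exposes a fixed key combined with a never-changing nonce, and a nonce-based replay check on the receiving side. `toy_encrypt`, `HARDCODED_KEY`, `DOOR_OPEN_CMD` and `NONCE_LEN` are constructed stand-ins for the real protocol.

```python
"""Spot deterministic encryption and replayed frames in captured access-control traffic."""
import hashlib
import math
import os
from collections import Counter

NONCE_LEN = 16


def toy_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Constructed toy stream cipher: XOR with a SHA-256-derived keystream.
    It stands in for the devices' real cipher only to show the effect of a
    hard-coded key combined with a nonce that never changes: the keystream is
    the same every time, so the same command produces identical bytes on the wire."""
    stream = b""
    block = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(p ^ s for p, s in zip(plaintext, stream))


def capture_frames(key: bytes, command: bytes, count: int, fresh_nonce: bool) -> list:
    """Simulate `count` transmissions of one command; each frame is nonce || ciphertext."""
    fixed_nonce = bytes(NONCE_LEN)  # all-zero nonce that is never rotated (the flaw)
    frames = []
    for _ in range(count):
        nonce = os.urandom(NONCE_LEN) if fresh_nonce else fixed_nonce
        frames.append(nonce + toy_encrypt(key, nonce, command))
    return frames


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte. Sound encryption approaches 8.0 as the sample
    grows; repeated ciphertext stays far below that."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def duplicate_frame_ratio(frames: list) -> float:
    """Share of frames that are byte-for-byte repeats of an earlier frame."""
    return sum(c - 1 for c in Counter(frames).values()) / len(frames)


class ReplayDetector:
    """Receiver-side check: accept a frame only if its nonce has not been seen
    before. This only helps when the sender really uses a fresh nonce per message."""

    def __init__(self):
        self.seen = set()

    def accept(self, frame: bytes) -> bool:
        nonce = frame[:NONCE_LEN]
        if nonce in self.seen:
            return False
        self.seen.add(nonce)
        return True


HARDCODED_KEY = b"constructed-demo-key-not-real!!!"  # constructed, 32 bytes
DOOR_OPEN_CMD = b"OPEN DOOR 07"                      # constructed command


def analyse(fresh_nonce: bool, count: int = 20) -> dict:
    """Capture `count` copies of the door command and run both checks on them."""
    frames = capture_frames(HARDCODED_KEY, DOOR_OPEN_CMD, count, fresh_nonce)
    detector = ReplayDetector()
    accepted = sum(detector.accept(f) for f in frames)
    return {
        "entropy_bits_per_byte": shannon_entropy(b"".join(frames)),
        "duplicate_ratio": duplicate_frame_ratio(frames),
        "genuine_frames_accepted": accepted,
        "replayed_first_frame_rejected": not detector.accept(frames[0]),
    }


if __name__ == "__main__":
    for label, fresh in (("fixed key, fixed nonce", False), ("fixed key, fresh nonce", True)):
        print(label, analyse(fresh))
```

With the fixed nonce every frame is identical, so the receiver can neither distinguish a replay from a genuine repeat nor accept more than the first frame; with fresh nonces the traffic looks random and only the replayed copy is rejected.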

British Man Gets 14 Months In Prison For Not Giving Up Facebook Password



A 24-year-old British man has been sentenced to 14 months in prison for not giving up his Facebook password. The man is suspected of the murder of a 13-year-old girl. The police had twice asked for his credentials for the social network site, but the Brit refused to provide them.

Under the British Regulation of Investigatory Powers Act (Ripa), the man was subsequently charged with not providing 'access codes to an electronic device'. The Ripa legislation gives UK investigative authorities the power to force people to hand over their password, encryption key or other log-in details in order to investigate an electronic device such as a telephone or computer, according to The Independent. The Ripa legislation was originally intended as an anti-terrorism measure, but the police can use it much more broadly, according to a British law firm. Refusing to give up a password carries a maximum prison sentence of 5 years.

The Briton told the judge that relinquishing his password would reveal information about cannabis. The judge called the defense "entirely inadequate" and stated that the man had thwarted the police investigation into the murder through his actions. The British police are trying to gain access to the man's Facebook account through the US Department of Justice, the Daily Mail and The Sun report. People in the United Kingdom have previously been sentenced to prison terms for not relinquishing their login details.

Mozilla's New VP Will Focus On Privacy & Security



Mozilla has a new security chief who will focus on privacy and security. Alan Davidson is the new vice president for "Policy, Trust and Security" at the open source developer. He will be responsible for promoting an open internet and a 'healthy web'.

He will also lead a 'trust and security' team that will focus on promoting innovative privacy and security features in Mozilla products. Davidson previously worked at the US Department of Commerce, and in 2011 he was the policy leader at Google. "I am very happy to work for an organization that is so dedicated to putting the user first," Davidson said.

Thursday 15 March 2018

DuckDuckGo Starts Privacy Contest With $500,000 Prize Money



Privacy search engine DuckDuckGo has started a contest in which privacy-focused organizations can win all sorts of cash prizes. The competition is being held on the crowdfunding platform CrowdRise. The organization that raises the most money between 13 March and 10 April will receive the top prize of 50,000 dollars. A total of 253,000 dollars has been reserved for the sixteen best participants.

In addition, there is 247,000 dollars that is distributed through weekly bonus challenges. A total of 20 organizations participate in the competition, including the Freedom of the Press Foundation, the Tor Project, Let's Encrypt, Tails and Bits of Freedom. Since the start of the contest yesterday, a total of $4,219 in donations has been raised, with the Center for Democracy and Technology leading at $1,130.

Google Removed 3.2 Billion Malicious Ads In 2017



Last year, Google removed more than 3.2 billion malicious ads because they tried to infect internet users with malware, led to phishing sites, committed advertising fraud, or for other reasons. That comes down to more than 100 ads removed per second.

For example, 79 million advertisements were removed because they sent internet users to websites with malware. Google removed another 48 million ads because they let users install unwanted software. Furthermore, 66 million "trick-to-click" ads were removed. In addition to the advertisements themselves, 320,000 publishers were banned from the advertising network, and Google decided to blacklist 90,000 websites and 700,000 mobile apps.

Registry Key No Longer Required For Windows 10 Updates


Users of Windows 10 no longer need a specific registry key to receive security updates, Microsoft has announced. The reason for the mandatory registry key was a compatibility problem with various anti-virus products that could cause a blue screen of death (BSOD).

To prevent these problems with incompatible anti-virus products, the Microsoft security updates released from January 3 onwards were only offered to systems with a compatible virus scanner. Anti-virus vendors had to confirm to Microsoft that their software was compatible with the January and later security updates, which they did by adding a special registry key to the Windows Registry. If the virus scanner did not set this registry key, users no longer received updates and remained vulnerable to attack. Users who did not run a virus scanner were advised by Microsoft to add the registry key manually in order to receive the January and later updates.

Now Microsoft's John Cable reports that the compatibility of anti-virus programs is no longer checked. All Windows 10 machines will therefore receive the March security updates, as well as the previously released updates for the Spectre and Meltdown attacks, regardless of whether they have the previously required registry key. In the coming weeks, Microsoft will provide more information about the compatibility of anti-virus software on older Windows versions.

Meltdown Update For 32-Bit Versions Of Windows 7 And 8.1


Two months after the disclosure of the Spectre and Meltdown attacks, Microsoft has released updates that should protect users of the 32-bit versions of Windows 7 and Windows 8.1 against Meltdown. In addition, Intel microcode updates for various Intel processors have been rolled out.

At the beginning of January, the software giant already released security updates for the 64-bit versions of Windows. A Meltdown update for the 32-bit versions of Windows 10 followed on 18 January. Microsoft now announced that security updates for the 32-bit versions of Windows 7 and Windows 8.1 have also been made available to protect users from the Meltdown attack.

To be fully protected against the Spectre and Meltdown attacks, systems require both software and firmware (microcode) updates, Microsoft said. That is why in early March it started offering microcode updates from Intel via the Microsoft Update Catalog. Initially, this concerned updates for systems with a Skylake processor running the Windows 10 Fall Creators Update. Microsoft has now also made updates available for Kaby Lake and Coffee Lake processors on the same platform.

Microsoft: Shift From Ransomware To Cryptominers



Millions of computers have come into contact with cryptominers in recent months, while the number of ransomware cases has declined, according to Microsoft today. From September last year to January of this year, an average of 644,000 unique Windows computers per month were found to have encountered a cryptominer.

This concerns malware that can be installed on the computer in various ways and uses the system to mine cryptocurrency. While there is a clear increase in the number of cryptominers, the number of computers encountering ransomware is decreasing. A possible reason is that cryptominers are now also distributed via exploit kits, as well as via malicious e-mail attachments.

"It is unlikely that cyber criminals will completely abandon ransomware in the short term, but the increase in trojanised cryptominers shows that attackers are exploring the possibilities of illegally earning money with this newer method," said Eric Avena of Microsoft. Because cyber criminals are increasingly opting for cryptominers, this malware is also adopting the behaviour of already known threats, according to Avena. As an example, he points to NeksMiner, which places a copy of itself in shared network folders and on USB sticks to propagate further, like many other kinds of malware.

Mozilla Is Considering Blocking In-Page Pop-Ups In Firefox



Mozilla is collecting a dataset of in-page pop-ups in order to block them automatically in Firefox. In-page pop-ups are pop-ups that websites show at various moments, such as when the page loads, when scrolling, after inactivity or when opening a tab.

Experiments are now being done with a pop-up blocker that closes these pop-ups automatically. To this end, Mozilla is building a collection of such pop-ups, which internet users can report via a dedicated page. The dataset is only needed to train the pop-up blocker; the plan is to block pop-ups automatically without needing a complete blocklist. Whether the feature will actually ship is still unclear. Firefox developer Ehsan Akhgari says on Twitter that Mozilla is exploring it as a possible Firefox feature.

Wednesday 14 March 2018

Researchers Let Malware Send Data Via Loudspeakers



Researchers at Ben-Gurion University have developed malware that can steal data via passive loudspeakers from systems that are not connected to the internet. Because of the risk of attacks, it is common advice not to connect computers with confidential data to the internet.

This is also called an air gap. An offline computer can still be infected, for example via USB sticks or a malicious employee. In order to steal data from an infected offline computer, Ben-Gurion University researchers have developed various methods in the past, using speakers, air conditioning, hard disk sound, fans, radio waves, infrared cameras, scanners, emitted heat, USB radiation, mobile phones, hard drive lights and router lights to send the data back to the attacker, either directly or via an infected computer or smartphone that is connected to the internet.


The researchers are now demonstrating a new method called Mosquito (pdf) in which "speaker-to-speaker" communication is used to steal data from a computer that is not connected to the internet. The scenario the researchers sketch consists of a room with two computers, one of which is connected to the internet and one of which is not. Both computers are infected with malware and have passive speakers or headphones. The malware then exploits a feature of the audio chip that turns the connected speakers from an output device into an input device (microphone).

Malware on one computer can then transmit information via the speakers using ultrasonic waves, which are picked up by the speakers of the other computer, which have effectively become a microphone. In this way it is possible to send data at a speed of 10 to 166 bits per second over a distance of 9 meters between the computers. If headphones are used instead of loudspeakers, a distance of 3 meters is possible.

The researchers state that in heavily guarded settings it is common to ban both active and passive loudspeakers in order to create an air gap. Less stringent rules prohibit the use of microphones but allow the use of "one-way" speakers. In many cases, the policy and security measures do not cover modern headphones, which are basically unpowered and unamplified loudspeakers. Mosquito could be effective in these situations.

To prevent such attacks, organizations can take various measures, such as prohibiting the use of speakers, headphones or earphones, using active speakers, disabling the audio codec in the BIOS, detecting ultrasonic transmissions, and using low-pass filters.

Mozilla: Many Popular Websites With Symantec Certificates




There are still many popular websites with Symantec certificates that will soon no longer be trusted by Firefox and will then cause an error message, Mozilla has warned. This concerns about 1 percent of the top 1 million most popular websites on the internet, which amounts to about 10,000 sites.

These websites use a TLS certificate issued by Symantec to encrypt traffic to and from their visitors. Due to various incidents with TLS certificates issued by Symantec, browser developers have decided to withdraw trust in Symantec certificates. This will take place in phases, starting with all Symantec certificates issued before 1 July 2016 no longer being trusted.

Google will implement this measure next month with the launch of Chrome 66. Mozilla will follow with Firefox 9 on May 9. With the launch of Firefox 63 in October this year, trust in all Symantec certificates will be withdrawn regardless of the issue date. Users who receive a certificate warning when visiting a website can ignore it and still reach the website, Mozilla explains, but security experts advise internet users never to ignore such warnings and not to visit the website in question.

Download.com Distributed Malware That Steals Bitcoins



The popular download site Download.com has for years been distributing malware that steals bitcoins from internet users, anti-virus company ESET says today. The malware was hidden in infected versions of the applications Disk Imager, Code::Blocks and MinGW-w64.

The infected version of Disk Imager has been available on Download.com since May 2016 and was downloaded over 4,500 times in that period. Code::Blocks has been on Download.com since June 2016 and was removed from the website last year by Cnet, the owner of Download.com. By then, however, the program had already been downloaded 104,000 times. The number of downloads of MinGW-w64, which had also been on the website since 2016, amounted to just under 500.


The malware in the three programs was developed to steal bitcoins. Bitcoin users who want to make a payment or transfer money to another wallet often copy the wallet address of the beneficiary and then paste it into a field on the transaction page. At that moment the wallet address is in the clipboard of the computer.

The malware monitors the clipboard on infected computers and, when it sees that a user has copied a wallet address, replaces that address. If the user then pastes the wallet address into the transaction page, he pastes the substituted wallet address and transfers money to the wrong party. The bitcoin address used by the malware is reported to have received a total of 8.8 bitcoin, currently worth about 62,000 euros. After being informed, Cnet removed the infected programs. It is not the first time that Download.com has been in the news for distributing malware.
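An added example (not ESET's analysis code) of the consistency check that defeats a clipboard-swapping clipper: it validates legacy Bitcoin addresses with Base58Check and compares the address the user copied with the one about to be pasted. The two addresses are constructed from made-up payloads, and `ClipboardGuard` is a hypothetical name; on a real system it would be fed by a clipboard-polling library.

```python
"""Base58Check validation and a copy/paste consistency check against clipboard hijacking."""
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(payload: bytes) -> bytes:
    """First 4 bytes of SHA-256(SHA-256(payload)), as used by Base58Check."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def base58check_encode(payload: bytes) -> str:
    """Encode version byte + 20-byte hash into a legacy Bitcoin address."""
    raw = payload + _checksum(payload)
    num = int.from_bytes(raw, "big")
    digits = ""
    while num:
        num, rem = divmod(num, 58)
        digits = ALPHABET[rem] + digits
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + digits


def base58check_decode(addr: str):
    """Return the 21-byte payload of a legacy address, or None if it is malformed
    or its checksum does not match (a typo or a corrupted clipboard)."""
    num = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return None
        num = num * 58 + idx
    body = num.to_bytes((num.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    if len(raw) != 25 or _checksum(raw[:21]) != raw[21:]:
        return None
    return raw[:21]


def is_legacy_address(text: str) -> bool:
    return base58check_decode(text) is not None


class ClipboardGuard:
    """Hypothetical guard: remember the address the user copied and, right before
    the paste, check whether the clipboard still holds it. A clipper swaps it for a
    different but equally valid-looking address, which a checksum alone cannot catch."""

    def __init__(self):
        self.intended = None

    def on_copy(self, text: str) -> None:
        text = text.strip()
        self.intended = text if is_legacy_address(text) else None

    def verdict(self, clipboard_now: str) -> str:
        current = clipboard_now.strip()
        if self.intended is None:
            return "no-address-copied"
        if current == self.intended:
            return "ok"
        if is_legacy_address(current):
            return "swapped"      # valid address, but not the one the user copied
        return "corrupted"        # not a valid address at all


def _constructed_address(seed: bytes) -> str:
    """Build a syntactically valid P2PKH address from a made-up 20-byte hash."""
    return base58check_encode(b"\x00" + hashlib.sha256(seed).digest()[:20])


BENEFICIARY_ADDR = _constructed_address(b"constructed beneficiary")  # constructed
CLIPPER_ADDR = _constructed_address(b"constructed attacker")         # constructed

if __name__ == "__main__":
    guard = ClipboardGuard()
    guard.on_copy(BENEFICIARY_ADDR)
    print("unchanged:", guard.verdict(BENEFICIARY_ADDR))
    print("swapped:  ", guard.verdict(CLIPPER_ADDR))
```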

Dofoil Malware (Smoke Loader): Infected MediaGet Update After Recent Cryptominer Outbreak



An infected update for the torrent client MediaGet is responsible for the large cryptominer outbreak that Microsoft warned about last week. Within a short time, the software giant detected 400,000 instances of the Dofoil malware on computers, which eventually downloaded the cryptominer.

The following screenshot shows the Dofoil malware timeline:


The cryptominer uses the computing power of the infected computers to mine cryptocurrencies. Computers in Russia, Turkey and Ukraine in particular were affected by the malware. Dofoil, also known as Smoke Loader, normally spreads via infected e-mail attachments and exploit kits. What stood out in last week's outbreak was that most infected files came from a process called mediaget.exe. MediaGet is a program for downloading torrents. In this case, the malware was not downloaded via infected torrents, but by the program itself.


Further research showed that it was a carefully planned attack, according to Microsoft. From February 12 to February 19 this year, the attackers distributed an infected update via the MediaGet update servers. This update installed a backdoored version of the torrent client. From March 1 to March 6, this backdoor was then used to install malware on users' systems. Microsoft says it has shared its information with the MediaGet developers, but they have not yet reported the incident on their website.

Privacy OS Tails Introduces Screen Lock


A new version of the privacy-oriented operating system Tails has been released that now also offers users the option to lock their screen. Users who have set an administrator password can use it to unlock the screen.

Otherwise, a separate password can be set the first time the screen is locked. Furthermore, Tails 3.6 contains various upgrades, security updates and other adjustments. Tails stands for The Amnesic Incognito Live System and is a Linux-based operating system that contains all kinds of tools for using the internet anonymously. It can be run from a DVD or USB stick and is recommended by various civil rights movements and privacy experts. Some 22,000 people use Tails every day.

Monday 12 March 2018

Android Manufacturer: Included Malware Is False Alarm



The Chinese manufacturer of Android devices Leagoo has responded to anti-virus company Doctor Web, which claimed that the manufacturer shipped devices with malware. The anti-virus company claimed to have found the Triada Trojan in the firmware of more than 40 models, including Leagoo's.

The malware, which can download and execute additional malware and apps without users knowing, turned out to be present in a custom Android system library. This system library is used by all Android apps, which means that the malicious code is present in the memory of every running app. According to Doctor Web, the malware was added at the request of a Leagoo partner, and the manufacturer granted this request.

Leagoo says in a statement that it is a false alarm. "The problem with the 'virus warning' on Leagoo phones is mainly caused by differences in the virus detection of Chinese and foreign anti-virus software," according to the manufacturer. Leagoo states that all phones are scanned for malware by "top Chinese anti-virus software" to ensure that all devices are virus-free. In the future, Leagoo will also use "foreign algorithms" during scanning to prevent new virus warnings.

Recent Adobe Flash Player Vulnerability Attacked Via Exploit Kits



A recently patched vulnerability in Adobe Flash Player is being actively attacked via exploit kits. This means that visiting a hacked website or being served a malicious ad with a vulnerable Flash Player version is enough to become infected with malware.

The vulnerability in question was fixed by Adobe on February 6 through an emergency patch. The vulnerability appeared to have been used in attacks against South Korean organizations since last November. In those attacks, Excel and Word files with embedded Flash objects were used. Now it appears that cyber criminals also possess the exploit and are using it via the web.

Flash Player was and still is the most popular target for exploit kits. Due to the absence of new exploits, and the fact that more and more browsers are phasing out support for Flash Player, the effectiveness of exploit kits has declined sharply recently. According to researcher Kafeine of the Malware don't need Coffee blog, this is the first new Flash exploit to be added to an exploit kit since July 2016. The new Flash exploit is being deployed via malicious ads and, when successful, installs the Hermes ransomware. Users are therefore advised to upgrade to Flash Player version 28.0.0.161 or later, in which the vulnerability has been fixed.

McAfee: Two Botnets Behind 97 Percent Of All Spam In Q4




Two botnets accounted for 97 percent of all spam sent in the fourth quarter of last year, according to a new report by McAfee. These are the Necurs and Gamut botnets, which spammers rent for sending spam, phishing e-mails and malware.

Necurs was used the most, with a share of 60 percent, followed by Gamut with 37 percent (pdf). According to McAfee, Necurs is currently the largest spam botnet in the world. The infected machines that are part of the botnet are controlled via a peer-to-peer model. In the fourth quarter of last year, the Locky ransomware and the Dridex banking malware, among other things, were sent via Necurs. During this period, Gamut focused more on e-mails to recruit money mules and on phishing e-mails.

Sunday 11 March 2018

Popular Privacy Plug-In Ghostery Made Open Source



The German software company Cliqz, owner of the popular privacy plug-in Ghostery, has decided to make the tool open source. Ghostery blocks ads and trackers and has millions of users. Ghostery was taken over by Cliqz a year ago.

In the interests of transparency and an open internet, Cliqz has chosen to make Ghostery open source. By looking at the source code, users can see how Ghostery works and what kind of data it collects. In addition, other developers can now contribute to the privacy plug-in. "Only when people understand what data digital products collect can they make meaningful decisions about what information they want to share and with whom," says Jeremy Tillman, Ghostery's product director.

According to Cliqz, most Ghostery users share statistics that are used to find new trackers. The software company emphasizes that these are anonymous statistics, which are also used to assess the relevance and safety of websites. However, it is also possible to configure Ghostery so that no data is shared. The source code of Ghostery can be found on GitHub.

Leaked Ammyy Admin Source Code Used For Malware



Source code of the remote desktop software Ammyy Admin has been used for malware that has been deployed in both targeted and large-scale attacks, according to security firm Proofpoint. Ammyy Admin is a program that allows remote access to computers.

Some time ago, the source code of Ammyy Admin version 3 appeared on the internet, and cyber criminals have used it to develop malware called "FlawedAmmyy". This malicious version has been used in attacks since the beginning of 2016, but was only discovered recently, Proofpoint says. The automotive industry is said to be among the targets of the attacks.

To spread the malware, the attackers use e-mails with Word or ZIP files as attachments. The Word files contain a malicious macro that, when enabled by the user, downloads the malware onto the system. Once active on a system, FlawedAmmyy can be used to steal trade secrets, customer data and other information from companies, according to the researchers.

Avast: CCleaner Attackers Also Wanted To Install Keylogger



The attackers who hacked software company Piriform last year and added a backdoor to the popular CCleaner tool most likely also wanted to install a keylogger on infected systems, according to anti-virus company Avast, the owner of CCleaner.

Last September, Avast announced that attackers had hacked CCleaner developer Piriform and added malware to the official version. This infected version was downloaded by 2.27 million users. The malware was added on the Piriform development platform between 11 March and 4 July 2017. The software company was acquired by Avast two weeks later, on 18 July.

The first phase of the malware gathered information about CCleaner users, such as the computer name, installed software and active processes. The second phase consisted of downloading additional malware, but this was only done on a select number of machines. Eventually, 40 computers received this additional malware. These included systems from major tech companies such as Intel, Samsung, Sony, Asus and NEC, and from the South Korean telecom provider Chunghwa Telecom.

There is no evidence that a third step was carried out, but Avast has now found information indicating that it may have been planned. During the investigation into the hacked Piriform infrastructure, early versions of the first and second phases of the malware were discovered, as well as a tool called ShadowPad. ShadowPad is used by cyber criminals to control computers remotely. The tool was installed on four Piriform computers on April 12, while the second phase of the malware had already been installed on March 12.

The older version of the second-phase malware connected to a command & control server. The servers were no longer active at the time Avast analyzed the computers, so it is unknown what was downloaded, but given the time window it was probably ShadowPad. The Avast researchers also discovered ShadowPad log files containing keystrokes from a keylogger installed on the computers. The keylogger had been active since 12 April and had recorded keystrokes from all kinds of programs. The version of ShadowPad encountered appeared to have been custom-built; Avast thinks the attackers had adapted it specifically for Piriform.

In addition to the keylogger, the attackers also installed a password stealer and tools to install other software. According to Avast, there are no indications that ShadowPad was installed on the computers of CCleaner users. The anti-virus company does state that this was the third phase of the attack. Whether the attackers wanted to install the keylogger on all 40 computers attacked in the second phase, on only a few, or not at all is not known and still under investigation.

Wednesday 28 February 2018

Decrease Of Malicious Advertisements In The Second Half Of 2017



The number of malicious advertisements that tried to infect internet users with malware, steal their data or harm them in some other way decreased in the second half of 2017, security company RiskIQ claims. In the third quarter, the security company detected 53 percent less malvertising than in the second quarter of 2017. In the fourth quarter, this decline continued, with 10 percent fewer malicious ads detected.


The use of advertisements to attack unpatched internet users, for example through vulnerabilities in Adobe Reader or Internet Explorer, decreased by 36 percent in the third quarter and by 20 percent in the fourth quarter. Other malware in ads decreased by as much as 67 percent in the fourth quarter. The fourth quarter did see a 16 percent increase in the number of ads pointing to a scam, but overall there were fewer rogue ads in both the third and fourth quarters.

Coinhive Code Injected On LA Times Website


The website of the American newspaper the LA Times unknowingly hosted Coinhive code that mined Monero. The code had been present on an interactive map of the newspaper about murders in cities since at least 9 February, researchers from Bad Packets Report discovered. The code kept CPU usage just below 30 percent to remain unnoticed, writes John Dunn of security company Sophos.

The code was injected via a poorly secured Amazon AWS S3 bucket, which granted write permission to anyone. The researchers also found a message suggesting that someone else had had access, in addition to the Bad Packets Report researchers and the cryptojackers themselves. The message read:

Hello, this is a friendly warning that your Amazon AWS S3 bucket settings are wrong.
Anyone can write to this bucket. Please fix this before a bad guy finds it.

After the researchers informed the newspaper about the incident, the code was cleaned up and the cloud environment better secured. Coinhive has also suspended the account that was linked to the code. The researchers estimate that approximately 24 dollars' worth of cryptocurrency was generated.
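An added example (not Bad Packets Report's or the LA Times' code) of detecting the misconfiguration described above: it inspects a bucket ACL and a bucket policy in the JSON shapes returned by `aws s3api get-bucket-acl` and `get-bucket-policy` (the policy document already parsed out of the `Policy` string) and reports grants that let anyone write. All sample ACLs and policies are constructed.

```python
"""Flag S3 bucket ACLs and bucket policies that let anyone write to the bucket."""
import json
from fnmatch import fnmatchcase

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone, no AWS account needed)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}
# ACL permissions that allow adding or replacing objects, or rewriting the ACL itself.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Policy actions that amount to write access (compared case-insensitively, so
# wildcard patterns such as "s3:Put*" or "s3:*" in a statement also match).
WRITE_ACTIONS = ["s3:putobject", "s3:deleteobject", "s3:putobjectacl",
                 "s3:putbucketacl", "s3:putbucketpolicy"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def acl_findings(acl: dict) -> list:
    """acl: parsed output of `aws s3api get-bucket-acl --bucket NAME`."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        label = PUBLIC_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and label and grant.get("Permission") in WRITE_PERMISSIONS:
            findings.append(f"ACL grants {grant['Permission']} to {label}")
    return findings


def _principal_is_public(principal) -> bool:
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _write_actions_granted(actions) -> list:
    patterns = [a.lower() for a in _as_list(actions)]
    return sorted({w for w in WRITE_ACTIONS for p in patterns if fnmatchcase(w, p)})


def policy_findings(policy: dict) -> list:
    """policy: the bucket policy document, i.e. the JSON string in the 'Policy'
    field of `aws s3api get-bucket-policy`, already parsed. NotAction/NotPrincipal
    statements are not evaluated here and should be reviewed by hand."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        writes = _write_actions_granted(stmt.get("Action", []))
        if writes:
            note = " (conditional: review the Condition block)" if "Condition" in stmt else ""
            findings.append(f"Policy allows public {writes} on {stmt.get('Resource')}{note}")
    return findings


def public_write_findings(acl: dict, policy: dict = None) -> list:
    """Combined report; an empty list means no public write path was found."""
    return acl_findings(acl) + (policy_findings(policy) if policy else [])


# Constructed samples in the shapes the AWS CLI returns.
MISCONFIGURED_ACL = json.loads("""{
  "Owner": {"ID": "constructed-owner-id"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE"}
  ]
}""")
FIXED_ACL = json.loads("""{
  "Owner": {"ID": "constructed-owner-id"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"}
  ]
}""")
PUBLIC_PUT_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:PutObject"],
                 "Resource": "arn:aws:s3:::constructed-bucket/*"}]
}""")
READ_ONLY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::constructed-bucket/*"}]
}""")

if __name__ == "__main__":
    for name, acl, policy in (("before", MISCONFIGURED_ACL, PUBLIC_PUT_POLICY),
                              ("after", FIXED_ACL, READ_ONLY_POLICY)):
        print(name, public_write_findings(acl, policy) or ["no public write access"])
```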

Veil System: Researchers Make Private Browsing More Private


All modern browsers now offer private browsing, a mode intended to keep the user's browsing activity from being stored on the computer. However, information accessed during a private browsing session can still be recovered from the machine by a motivated attacker. That is why researchers from MIT and Harvard have developed a new system called Veil, which should make private browsing more private.

Browsers are supposed to delete all stored data once a private browsing session is closed. Modern memory management is complex, however, and can leave data behind somewhere in memory. Veil tackles this problem by keeping all data the browser loads into memory encrypted until it is actually displayed on the screen.

The use of Veil

To use Veil, the user goes to the Veil website and enters the URL of the site they want to visit. A special "blinding server" then returns a version of the requested page in Veil's format. A Veil page resembles a normal web page, but contains code that runs a decryption routine; the page's content is unreadable until that code decrypts it. Once decrypted, the content still has to be loaded into the computer's memory in order to be rendered, but this temporarily stored data should be much harder to trace once the browsing session is over.

To deny attackers even that foothold, Veil takes an additional measure. The blinding server adds meaningless code to every page it serves. This code has no effect on how the page looks to the user, but it does change the underlying source. Every page served by a blinding server, even repeated loads of the same page, therefore looks different at the source level. An attacker who manages to recover part of the decrypted content after a Veil session has ended is thus unlikely to be able to tell which website the user visited.

When these measures are not enough, Veil also offers the option of having the blinding server render the requested page as an image. In this mode the blinding server opens the requested page, takes a screenshot of it and sends that to the user, so that no executable code from the site ends up on the user's system. If the user clicks somewhere on the image, the browser registers the click and sends the new request to the blinding server, which renders a new image and sends it back to the user.

Websites do have to create a Veil version of their site to take part, but the researchers have developed a compiler that performs the conversion automatically. A bigger challenge is hosting the blinding servers, which could be done by volunteers, as is the case with the Tor network, or by companies that want to offer their visitors more privacy. No changes to the browser are required to use Veil.
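The two mechanisms described above, content that is encrypted until render time and a source that differs on every load, can be modelled in a few dozen lines. The script below is an added illustration and not the researchers' code: it uses a toy SHA-256 counter-mode stream cipher with an HMAC tag in place of whatever cryptography Veil actually uses, assumes the per-load key reaches the client out of band (the served page never carries it), and models the "meaningless code" as a random hex blob. The sample page, the site name in it and the fingerprint the forensic check looks for are all constructed. What it shows is the property that matters for residue forensics: two loads of the same page produce different served bytes, neither contains the page's plaintext, and both decrypt to the same content on the client.

```python
"""Toy model of Veil-style page blinding (added example, not the Veil code).

The SHA-256 stream cipher and HMAC tag are stand-ins for a real cipher and
are not production crypto; key delivery to the client is assumed to happen
out of band, as the served page itself never includes the key.
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample page; stands in for a site fetched by the blinding server.
SAMPLE_HTML = "<html><body><h1>Example Gazette</h1><p>Front page</p></body></html>"


def _keystream(key, nonce, length):
    """Toy counter-mode keystream: SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def blind(html, key=None):
    """Blinding-server side: encrypt the page under a per-load key and mutate its source.

    Returns the served 'Veil page' and the key the client will need (assumption:
    delivered separately). A fresh nonce and fresh junk make every load differ.
    """
    key = key or secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    body = html.encode()
    ciphertext = _xor(body, _keystream(key, nonce, len(body)))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).hexdigest()
    # "Meaningless code": random per load, changes the source, never the rendering.
    junk = secrets.token_hex(secrets.randbelow(64) + 16)
    page = {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag, "junk": junk}
    return page, key


def unblind(page, key):
    """Client side: verify the tag, decrypt, and only then hand content to the renderer."""
    nonce = bytes.fromhex(page["nonce"])
    ciphertext = bytes.fromhex(page["ciphertext"])
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, page["tag"]):
        raise ValueError("Veil page failed integrity check")
    return _xor(ciphertext, _keystream(key, nonce, len(ciphertext))).decode()


def serve(page):
    """The bytes that actually travel to the client and may end up in caches or memory."""
    return json.dumps(page).encode()


def residue_identifies_site(residue, fingerprint):
    """Forensic check: does a recovered fragment contain a known site's markup?"""
    return fingerprint in residue


if __name__ == "__main__":
    p1, k1 = blind(SAMPLE_HTML)
    p2, k2 = blind(SAMPLE_HTML)
    print("served bytes identical across loads:", serve(p1) == serve(p2))
    print("fingerprint visible in served bytes:", residue_identifies_site(serve(p1), b"Example Gazette"))
    print("decrypts to original:", unblind(p1, k1) == SAMPLE_HTML)
```

The model stops where the article's description stops: once `unblind()` returns, the plaintext is in memory for rendering, which is exactly the residue the per-load mutation is meant to make unattributable rather than eliminate.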

Researchers Warn Of Android Malware RedDrop



Security researchers warn of a new family of Android malware called RedDrop. Attackers can not only steal large amounts of information from an infected smartphone, but can also record audio, take photos and send premium-rate SMS messages.

Security company Wandera analyzed the new malware and found RedDrop embedded in at least 53 Android apps. When such an infected app is opened, at least seven additional APKs are installed in the background, each with its own malicious functionality.


Using its spyware components, the malware collects all kinds of information about the user and sends it to a Dropbox account controlled by the attacker. The data collected includes local files such as photos, live audio recordings, device and SIM information (IMEI, IMSI, MNC, MCC), and information about installed applications and nearby Wi-Fi networks.

In addition, while the user interacts with the infected app, a text message is sent to a premium-rate payment service in the background and then immediately deleted to avoid discovery.

The creators of RedDrop use a content distribution network of more than 4,000 domain names to spread the malware. The researchers suspect that the heavy use of redirections between domains serves to hide the source of the malware as well as possible.

Malware Infection Chain (figure, not reproduced in this text).
According to Michael Covington, VP Product Strategy at Wandera, this is very sophisticated malware. "The criminals very cleverly offer a seemingly handy app that performs all sorts of complex malicious activities in the background. The attacker not only uses a wide range of malicious applications to tempt the victim, they have also perfected every little detail to ensure that their actions are difficult to trace. This is one of the more persistent malware variants we've seen."

Decryption Tool For GandCrab Ransomware Available



Victims of the GandCrab ransomware can regain access to their encrypted files. A decryption tool for GandCrab was made available today on nomoreransom.org by the Romanian police in cooperation with Bitdefender and the European police organization Europol.

GandCrab has been observed in the wild for about a month and has already claimed more than 50,000 victims worldwide, including many Europeans. According to Europol, that makes it one of the most aggressive forms of ransomware seen this year.

GandCrab spreads via malicious advertisements on websites and via fake invoices sent as e-mail attachments. Once installed, the malware encrypts the files on the victim's computer and demands a ransom of 300 to 500 dollars, to be paid in the virtual currency DASH.

As far as we know, GandCrab is the first ransomware family to demand payment in DASH. GandCrab also runs an affiliate program in which the ransomware is offered as a service (ransomware-as-a-service) and the developers receive a commission on each ransom payment.