Thursday, 15 March 2018

DuckDuckGo Starts Privacy Contest With $ 500,000 Prize Money



Privacy search engine DuckDuckGo has started a contest with which organizations that use privacy can win all sorts of cash prizes. The competition will be held on the crowdfunding platform CrowdRise. The organization that gets the most money between 13 March and 10 April will receive the top prize of 50,000 dollars. A total of 253,000 dollars was reserved for the sixteen best participants.

In addition, there is 247,000 dollars that is distributed through the weekly bonus challenges . A total of 20 organizations participate in the competition, including the Freedom of the Press Foundation, the Tor Project , Let's Encrypt, Tails and Bits of Freedom. Since the start of the game yesterday, a total of $ 4219 in donations has been raised and the Center for Democracy and Technology has topped $ 1130.

Google Removed 3.2 Billion Malicious Ads In 2017



Last year, Google removed more than 3.2 billion malicious ads because they tried to infect Internet users with malware, went to phishing sites, committed advertising fraud, or for other reasons - more than 100 ads removed per second.

For example, 79 million advertisements were removed because they sent internet users to websites with malware. Google removed another 48 million ads because they let users install unwanted software. Furthermore, 66 million "trick-to-click" ads were removed. In addition to advertising, 320,000 of the advertising network were also banned and Google decided to blacklist 90,000 websites and 700,000 mobile apps.

Registry Key No Longer Required For Windows 10 Updates


Users of Windows 10 no longer need a specific registry key to receive security updates, Microsoft announced. The reason for the mandatory registry key was a compatibility problem with various anti-virus products that can provide a blue screen of death (BSOD).

To stop these problems from incompatible anti-virus products, Microsoft security updates from January 3 and beyond were only offered to systems that had a compatible virus scanner. Anti-virus vendors had to confirm to Microsoft that their software was compatible with January and beyond security updates, which was added to the Windows Registry by adding a special registry key. In case the virus scanner did not enter this registry key, users no longer received updates and were vulnerable to attack. When users did not run a virus scanner, Microsoft advised to manually enter the registry key to receive the January and after updates.

Now Microsoft's John Cable reports that there is no longer a check on the compatibility of anti-virus programs. All Windows 10 machines will therefore receive the March security updates as well as the previously released updates for the Spectre and Meltdown attacks, regardless of whether they have the previously required registry key. In the coming weeks, Microsoft will provide more information about the compatibility of anti-virus software on older Windows versions.

Meltdown Update For 32-Bit Versions Windows 7 and 8.1


Microsoft released two months after the unveiling of the Spectre and Meltdown attacks , which should protect users of the 32-bit versions of Windows 7 and Windows 8.1 against Meltdown. In addition, Intel microcode updates for various Intel processors have been rolled out.

At the beginning of January, the software giant already released security updates for the 64-bit versions of Windows. A Meltdown update for the 32-bit versions of Windows 10 followed on 18 January. Microsoft now announced that security updates for the 32-bit versions of Windows 7 and Windows 8.1 have also been made available to protect users from the Meltdown attack.

To be fully protected against Spectre and Meltdown attacks, systems require both software and firmware (microcode) updates, Microsoft said. That is why in early March it started to offer microcode updates from Intel via the Microsoft Update Catalog . Initially, it concerned updates for systems that have a Skylake processor and run the Windows 10 Fall Creators Update. Now, Microsoft has also made updates for Kaby Lake and Coffee Lake processors on the same platform.

Microsoft: Shift From Ransomware To Cryptominers



Millions of computers have come into contact with cryptominers in recent months, while the number of cases of ransomware has declined, according to Microsoft today. From September last year to January of this year, an average of 644,000 unique Windows computers were detected each month and encountered a cryptominer.

This involves malware that can be installed on the computer in various ways and allows the system to mine cryptocurrency. While there is a clear increase in the number of cryptominers, the number of computers encountered by ransomware is decreasing. A possible reason is that cryptominers are now also distributed via exploit kits, as well as via malicious e-mail attachments.


"It is unlikely that cyber criminals will completely abandon ransomware in the short term, but the increase in trojanised cryptominers shows that attackers are exploring the possibilities of illegally earning money with this newer method," said Eric Avena of Microsoft. Because cyber criminals now choose more for cryptominers, this malware will also take over the behavior of already known threats, according to Avena. As an example, he points to the NeksMiner, who places a copy of himself in shared network folders and on USB sticks to propagate further, like all kinds of other malware.

Mozilla Is Considering Blocking In-Page Pop-Ups In Firefox



Mozilla is collecting a dataset of in-page pop-ups in order to automatically block them in Firefox. In-page pop-ups are pop-ups that show pages at different times, such as when loading the website, scrolling, inactivity or opening a tab.

Experiments are now being done with a pop-up blocker to close these pop-ups automatically. For this Mozilla is working on a collection of such pop-ups. Internet users can report this via this page . The dataset is only needed to train the pop-up blocker. The plan is to be able to block them automatically without having a complete blocklist. Whether the feature also comes is still unclear. Firefox developer Ehsan Akhgari says on Twitter that Mozilla is exploring it as a possible Firefox feature.

Wednesday, 14 March 2018

Researchers Let Malware Send Data Via Loudspeakers



Researchers at Ben-Gurion University have developed malware that can steal data from systems that are not connected to the internet via passive loudspeakers. Because of the risk of attacks, it is a lot of advice to not connect computers with confidential data to the internet.

This is also called an air gap. An offline computer can still be infected, for example via USB sticks or a malicious employee. In order to steal data from an infected offline computer, Ben-Gurion University researchers have developed various methods in the past, such as the use of speakers , air conditioning , sound from the hard disk , fans , radio waves , infrared cameras , scanners , heat emitted. , usb radiation , mobile phones , hard drive lights and router lights to return the data directly to the attacker or via an infected computer or smartphone connected to the Internet.


The researchers are now demonstrating a new method called Mosquito ( pdf ) in which "speaker-to-speaker" communication is used to steal data from a computer that is not connected to the internet. The scenario that the researchers sketch consists of a room with two computers, one of which is and one is not connected to the internet. Both computers are infected with malware and have passive speakers or headphones. The malware then exploits a feature of the audio chip that changes the connected speakers of output device into an input device (microphone).

Malware on one computer can then transmit information via the speakers and the use of ultrasonic waves that are collected by the speakers of the other computer, which have in fact become a microphone. In this way it is possible to send data at a speed of 10 - 166 bits / sec at a distance of 9 meters between the computers. If headphones are used instead of loudspeakers, a distance of 3 meters is possible.

The researchers state that in heavily guarded settings it is common to ban both active and passive loudspeakers, in order to create an air gap. Less stringent rules prohibit the use of microphones, but allow the use of "one-way" speakers. In many cases, the policy and security measures do not apply to modern headphones, which are basically non-powered and unenhanced loudspeakers. Mosquito could be effective in these situations.

To prevent such attacks, organizations can take various measures, such as prohibiting the use of speakers, headphones or earphones, using active speakers, disabling the audio codec in the bios, detecting ultrasonic transmissions, and using low-pass filters.

Mozilla: Many Popular Websites With Symantec Certificates




There are still many popular websites with Symantec certificates that will soon no longer be trusted by Firefox and will cause an error message, as Mozilla has warned. It is about 1 percent of the Top 1 million most popular websites on the internet, which amounts to about 10,000 sites.

These websites use a tls certificate issued by Symantec to encrypt traffic to and from their visitors. Due to various incidents with tls certificates issued by Symantec, browser developers have decided to cancel the trust in Symantec certificates. This will take place in phases, with all Symantec certificates issued before 1 July 2016 no longer being trusted.

Google will implement this measure next month with the launch of Chrome 66. Mozilla will follow Firefox 9 on May 9. With the launch of Firefox 63 in October this year, trust in all Symantec certificates will be canceled regardless of issue date. Users who receive a certificate warning when visiting a website can ignore them and still reach the website, Mozilla explains, but security experts advise internet users never to ignore such warnings and not to visit the website in question.

Download.com Distributed Malware That Steals Bitcoins



The popular download site Download.com has been distributing malware for years that bitcoins from internet users have been stolen, anti-virus company ESET says today. The malware was hidden in bombarded applications called Disk Imager, Code :: Blocks and MinGW-w64.

The infected version of Disk Imager has been available on Download.com since May 2016 and was downloaded over 4500 times during that time. Code :: Blocks has been on Download.com since June 2016 and was removed from the website last year by Cnet, owner of Download.com. However, the program had already been downloaded 104,000 times. The number of downloads of MinGW-64, which was also on the website since 2016, amounted to just under 500.


The malware in the three programs was developed to steal bitcoins. Bitcoin users who want to make a payment or transfer money to another wallet often copy the wallet address of the beneficiary and then paste it into a field on the transaction page. At that moment the wallet address is in the clipboard of the computer.

The malware monitors the clipboard on infected computers and when it sees that a user is copying a wallet address, it changes this address. If the user then wants to paste the wallet address onto the transaction page, he will paste the custom wallet address and transfer money to the wrong party. The bitcoin address that the malware uses would have received a total of 8.8 bitcoin, which is currently 62,000 euros. After being informed, Cnet has removed the infected programs. It is not the first time that Download.com is in the news due to malware being offered.

Dofoil Malware (Smoke Loader): Infected MediaGet Update After Recent Cryptominer Outbreak



An infected update for the torrent client MediaGet is responsible for the large cryptominer outbreak that Microsoft warned last week. The software giant quickly discovered 400,000 cases of Dofoil malware on computers, which eventually downloaded the cryptominer.

Following screenshot is Dofoil Malware Timeline:


The cryptominer uses the computational power of the infected computers to mine cryptocurrencies. In particular computers in Russia, Turkey and Ukraine were affected by the malware. Dofoil, also known as Smoke Loader, normally spreads via infected e-mail attachments and exploit kits. Striking in the outbreak last week was that most infected files came from a process called mediaget.exe. MediaGet is a program to download torrents. In this case, the malware was not downloaded via infected torrents, but from the program itself.


Further research showed that it was a carefully planned attack, according to Microsoft . The attackers distributed an infected user update from February 12 to February 19 this year via the MediaGet update servers. This update installed a backed up version of the torrent client. From March 1 to March 6, this backdoor was then used to install malware among users. Microsoft says it has shared information with the MediaGet developers, but they have not yet reported the incident on their website.

Privacy OS Tails Introduces Screen Lock


A new version of the privacy-oriented operating system Tails has been released that now also offers users the possibility to lock their screen. When users have set an administrator password, they can unlock the screen.

Otherwise, a separate password can be set for the first time the screen is locked. Furthermore, Tails 3.6 contains various upgrades, security updates and other adjustments. Tails stands for The Amnesic Incognito Live System and is a fully Linux-based operating system that contains all kinds of tools to anonymously use the internet. It can be used from a DVD or USB stick and is recommended by various civil rights movements and privacy experts. Some 22,000 people use Tails every day.

Monday, 12 March 2018

Android Manufacturer: Included Malware Is False Alarm



The Chinese manufacturer of Android devices Leagoo has removed to anti-virus company Doctor Web, which claimed that the manufacturer supplied devices with malware. The virus fighter claimed that it had found the Triada Trojan in the firmware of more than 40 models , including that of Leagoo.

The malware, which can download and execute additional malware and apps, without users knowing this, turned out to be present in a custom Android system library. This system library is used by all Android apps, which means that the malicious code is present in the memory of all running apps. According to Doctor Web, the malware was added at the request of a Leagoo partner and the manufacturer made this request.

Leagoo says in a statement that it is a false alarm. "The problem with the" virus warning "on Leagoo phones is mainly caused by differences in the virus detection of Chinese and foreign anti-virus software", according to the manufacturer. Leagoo states that all phones are scanned for malware by "top Chinese anti-virus software" to ensure that all devices are virus-free. In the future, Leagoo will also use "foreign algorithms" during scanning to prevent new virus warnings.

Recent Adobe Flash Player Vulnerability Leak Attacked Via Exploit Kits



A recently patched vulnerability in Adobe Flash Player is being actively attacked via exploit kits. This means that visiting a hacked website or seeing infected ads with a vulnerable Flash Player version is sufficient to infect with malware.

The vulnerability in question was resolved by Adobe on February 6 through an emergency patch . The vulnerability appeared to have been targeted against South Korean organizations since last November . Here Excel and Word files with embedded Flash objects were used. Now it appears that cyber criminals also have the exploit to use them via the web.

Flash Player was and still is the most popular target for exploit kits. Due to the absence of new exploits, and the fact that more and more browsers are phasing out the support of Flash Player, the effectiveness of exploit kits has declined sharply in the past period . According to researcher Kaffeine of the Malware do not need coffee blog , this is the first new Flash exploit that has been added to an exploit kit since July 2016 for a Flash leak. The new Flash exploit will be deployed via infected ads and will successfully install the Hermes ransomware. Users are therefore advised to upgrade to Flash Player version 28.0.0.161 or later, as the vulnerability has been corrected.

McAfee: Two Botnets Behind 97 Percent Of All Spam In Q4




Two botnets accounted for 97 percent of all spam sent in the fourth quarter of last year, according to McAfee in a new report. These are the Necurs and Gamut botnets, which are rented by spammers for sending spam, phishing emails and malware.

Necurs was the most used with a share of 60 percent, followed by Gamut with 37 percent ( pdf ). According to McAfee, Necurs is currently the largest spambot network in the world. The contaminated machines that are part of the botnet are controlled via a peer-to-peer model. In the fourth quarter of last year, the Locky ransomware and Dridex bank malware were sent via Necurs, among other things. Gamut focused more on e-mails during this period to recruit money mules and phishing e-mails.

Sunday, 11 March 2018

Popular Privacy Plug-In Ghostery Made Open Source



The German software company Cliqz, owner of the popular privacy plug-in Ghostery , has decided to make the tool open source. Ghostery blocks ads and trackers and has millions of users. A year ago Ghostery was taken over by Cliqz .

In the interests of transparency and an open internet, Cliqz has made the choice to make Ghostery open source. By looking at the source code, users can see how Ghostery works and what kind of data it collects. In addition, other developers can now contribute to the privacy plug-in. "Only when people understand what data digital products collect can they make meaningful decisions about what information they want to share and with whom," says Jeremy Tillman , Ghostery's product director.

According to Cliqz, most Ghostery users share stats with which new trackers are found. The software company emphasizes that it is anonymous statistics that also assess the relevance and safety of websites. However, it is also possible to set Ghostery so that no data is shared. The source code of Ghostery can be found on GitHub .

Leaked Source Code Ammyy Admin Uses For Malware



Source code of the remote desktop software Ammyy Admin has been used for malware that has been used for both targeted and large-scale attacks, according to security firm Proofpoint. Ammyy Admin is a program that allows remote access to computers.

Some time ago the source code of Ammyy Admin version 3 appeared on the Internet and cyber criminals have used it to develop malware called "FlawedAmmyy". This malicious version has been used in attacks since the beginning of 2016, but only recently discovered, Proofpoint says. Among other things, the automotive industry would be the target of the attacks.

To spread the malware, the attackers use e-mails that contain Word or ZIP files as an attachment. The Word files have a malicious macro that, when enabled by the user, downloads the malware on the system. Once active on a system, FlawedAmmyy can be used to steal trade secrets, customer data and other information from companies, according to the researchers.

Avast: Attackers CCleaner Also Wanted To Install keylogger



The attackers who hacked software company Piriform last year and added a backdoor to the popular CCleaner tool were also likely to install a keylogger on infected systems, according to anti-virus company Avast , which is the owner of CCleaner.

Last September, Avast announced that attackers had hacked CCleaner developer Piriform and added malware to the official version. This infected version was downloaded by 2.27 million users. The malware was added to the Piriform development platform between 11 March and 4 July 2017. The software company was acquired by Avast two weeks later on 18 July.

The first phase of the malware was to gather information about CCleaner users, such as the name of the computer, installed software and active processes. The second phase consisted of downloading additional malware. However, this was done with a select number of machines. Eventually, 40 computers received this additional malware. These included systems from major tech companies such as Intel, Samsung, Sony, Asus, NEC and the South Korean telecom provider Chunghwa Telecom.

There is no evidence that a third step has been carried out, but Avast has now found information indicating that it may have been planned. During the investigation into the hacked Piriform infrastructure, early versions of the first and second phase of the malware were discovered, as well as a tool called ShadowPad. ShadowPad is used by cyber criminals to control computers remotely. The tool was installed on four Piriform computers on April 12, while the second phase of the malware was already installed on March 12.

The older version of the second phase malware connected to a command & control server. The servers were no longer active at the time Avast analyzed the computers, so it is unknown what was downloaded, but given the time window it was probably ShadowPad. The Avast researchers also discovered ShadowPad log files with keystrokes from a keylogger installed on the computers. The keylogger had been active since 12 April and had stored keystrokes of all kinds of programs. The encountered version of ShadowPad appeared to have been specially made. Avast thinks that the attackers who had adapted especially for Piriform.

In addition to the keylogger, the attackers also installed a password builder and tools to install other software. According to Avast, there are no indications that ShadowPad is installed on the computers of CCleaner users. The virus fighter does state that it was the third phase of the attack. It is not known whether the attackers wanted to install the keylogger on all 40 attacked computers in the second phase, or just a few or not at all, this is still in under investigation.