
Now WikiLeaks is distributing malware

Veteran anti-virus researcher Vesselin Bontchev has discovered that there are thousands of samples of malware available for download from the WikiLeaks website.

The malware Bontchev found is contained in a large tranche of emails leaked from AKP, a Turkish political party.

Bontchev writes:

Since many of the AKP members have been recipients of malware sent by e-mail (most likely random spam but could have also been targeted attacks), the received malware in the e-mails is also present in the dump. As a result, the Wikileaks site is hosting malware. For the record, I consider this to be extremely irresponsible on the part of Wikileaks. Malware distribution is not "journalism" by any definition of the term.

Bontchev found 3277 malicious files on the WikiLeaks site, accessible to anyone on the internet via a single click.

Of course, it's perfectly possible that the true number of malware samples published on the WikiLeaks site is much larger than this. Bontchev has so far focused on one particular email dump, and used the VirusTotal service to determine whether each file was identified as malicious.

Furthermore, one cannot discount the possibility that some of the email dumps published by WikiLeaks contain targeted attacks that are not presently detected by any anti-virus product.

WikiLeaks has been criticised before for its unwillingness to curate the information it leaks - by, amongst others, no less than Edward Snowden.

Anti-virus industry old-timers like me and Bontchev are left with our heads in our hands when we hear that WikiLeaks is apparently making no efforts whatsoever to prevent its readers from encountering malware samples.

Following data breach, Sage employee arrested at Heathrow airport

City of London Police arrested a 32-year-old woman at Heathrow airport yesterday on "suspicion of conspiracy to defraud".

According to police, the arrested woman is a current employee of Sage.

Sage made the headlines earlier this week after the online accounting and payroll company announced it had suffered a data breach, putting the details of approximately 280 UK and Irish companies at risk.

Sage described this as a "small number" of their customers. And it is a small percentage, considering over half a million British businesses are thought to be using Sage's payroll software.

But, of course, that's little consolation if you're one of the customers whose data was put at risk by the breach. And the number alone doesn't tell us anything about the size of the companies affected, or how many employees of those companies could also potentially have had their identities and financial details put in danger.

Police say that the woman arrested at Heathrow airport has been released on bail.

Sage said that an internal login had been used to access the sensitive information.

It's worth underlining that the woman arrested has not been charged with any offence, let alone convicted... but this might be a timely reminder for all businesses to not focus solely on external attackers over the internet but recognise that there can also be considerable dangers posed by insiders if your workforce turns rogue.

Video of Hillary Clinton meeting ISIS leader? Nah, it's a malware attack

Symantec writes:

Cybercriminals are using clickbait, promising a video showing Democratic Party presidential nominee Hillary Clinton exchanging money with an ISIS leader, in order to distribute malicious spam emails.

The email's subject announces “Clinton Deal ISIS Leader caught on Video,” however there is no video contained in the email, just malware. Adding to the enticement, the email body also discusses voting, asking recipients to “decide on who to vote [for]” after watching the non-existent clip.

Attached to the email is a ZIP archive, containing a Java file. Make the mistake of opening the Java file (in the mistaken belief that you are going to see a controversial video) and you will be infecting your computer with the Adwind backdoor Trojan horse.

It's not unusual for criminals to use these kinds of disguises to make their malicious emails more tempting to click on, and we've seen attacks like this during previous presidential election campaigns. Expect more of the same, and be on your guard.
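Both stories above come down to malware arriving as an email attachment: in the AKP dump it sits unnoticed inside archived messages, and in the Clinton lure it is a ZIP wrapping a Java file. The following is an added example (not code from WikiLeaks, Bontchev or Symantec) of a triage step a mail administrator or incident responder could run over a dump: parse each message, hash every attachment (the SHA-256 is what you would look up on VirusTotal, as Bontchev did), and flag ZIPs whose members have executable extensions. The sample message, the dummy .jar bytes and the extension list are constructed for this example.

```python
import email
import hashlib
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that should not arrive inside an archive from an unknown sender.
# Constructed list for this example; extend it for your environment.
EXECUTABLE_EXTS = {".jar", ".class", ".exe", ".scr", ".js", ".vbs", ".wsf", ".bat", ".cmd"}


def build_sample_eml() -> bytes:
    """Constructed lure message mirroring the Symantec description:
    a ZIP attachment wrapping a (harmless, dummy) .jar file."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("Clinton_Deal_ISIS_Leader_Video.jar", b"dummy bytes, constructed sample")
    msg = EmailMessage()
    msg["From"] = "news@example.invalid"
    msg["To"] = "voter@example.invalid"
    msg["Subject"] = "Clinton Deal ISIS Leader caught on Video"
    msg.set_content("Watch the video and decide on who to vote for.")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename="video.zip")
    return bytes(msg)


def triage_attachments(raw: bytes) -> list:
    """Return one finding per attachment: filename, SHA-256 (for a hash lookup
    against VirusTotal or a local feed), executable members found inside a ZIP,
    and a verdict. Only the ZIP directory is read; nothing is extracted, so a
    zip bomb cannot blow up the triage process."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        finding = {
            "filename": part.get_filename(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "suspicious_members": [],
        }
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    ext = os.path.splitext(info.filename)[1].lower()
                    if ext in EXECUTABLE_EXTS:
                        finding["suspicious_members"].append(info.filename)
        # Anything else still gets its hash checked before release.
        finding["verdict"] = "block" if finding["suspicious_members"] else "review"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage_attachments(build_sample_eml()):
        print(f["verdict"], f["filename"], f["sha256"], f["suspicious_members"])
```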

IT security woman hits back at sexist trolls on LinkedIn

UK IT security firm Foursys writes:

Should we police or dictate how our employees dress? Should we only allow them to represent our brand if they have a specific body type or sense of style?

What about internet commenters or trolls? Is it ok for them to bombard our employees with abuse?

Foursys is asking these questions after Jayde, one of its sales executives, appeared in a harmless social media post on LinkedIn - celebrating that the firm now had 500 followers on the professional social network.

The response on LinkedIn was ghastly, with many offensive, derogatory and often sexual comments made towards Jayde.

Jayde, however, has stood up to the bullies - making her own brave video response where she details some of the abuse she received:

"For all of those who say that I know nothing about IT security: Shame on you. I know more than 99% of people you'd meet on the street. I can tell you what a denial-of-service attack is, how SQL injection works, and how to protect yourself against ransomware. To be perfectly clear: Bullying and shaming people because of the way that they look or how they choose to dress is nasty, and I am not just going to take it - and neither should you."

Hear hear.

I find it extraordinary that some people would make such hurtful and mean remarks... and particularly dumb that so many did so on LinkedIn, which details their real names, jobs and places of employment.

Seriously, the IT security world needs to grow up and stop thinking that women can be treated in such an appalling way.

Watch Jayde's video response to the cyber-bullies on YouTube, and read more in Foursys's blog post.

A simple way to kill off Twitter trolls

@th3j35t3r writes on his blog:

Simply put. If Jim is blocked by John, Jim can no longer even utter John's handle/twittername in a tweet. If he attempts to, the tweet simply doesn’t process or gets sinkholed. Period. The end. Forever, or until John unblocks him. This approach would not infringe on Jim’s ‘freedom of speech’: he can still say whatever he likes, but he can’t include John. This approach would be self-policing, essentially allowing users to decide if they are being abused or harassed and allowing them to take immediate action without relying on Twitter to minimize the problem effectively. This approach would not be an overhead on Twitter's current infrastructure and would require NOTHING by way of extra storage capacity.

Trolls are the ugly side of Twitter, but @th3j35t3r's proposal seems very elegant to me.

So how about it Twitter?

Find out more, and check out his amusing flowchart, by reading @th3j35t3r's blog post.
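The rule @th3j35t3r proposes is simple enough to write down precisely, so here it is as an added example (not code from his post or from Twitter): an ingest-time check that reuses the existing block list and sinkholes a tweet if it @-mentions anyone who has blocked the sender. Handle matching is case-insensitive and uses Twitter's handle syntax; the BlockRegistry class and the sinkhole/accept return values are assumptions for this example.

```python
import re

# Twitter handles: letters, digits, underscore, at most 15 characters.
# The lookbehind stops "mail@john.example" from counting as a mention of @john.
MENTION_RE = re.compile(r"(?<!\w)@([A-Za-z0-9_]{1,15})\b")


class BlockRegistry:
    """Who has blocked whom. Stands in for the block list Twitter already keeps,
    which is why the proposal needs no extra storage."""

    def __init__(self):
        self._blocked_by = {}  # blocker (lowercase) -> set of blocked handles

    def block(self, blocker: str, blocked: str) -> None:
        self._blocked_by.setdefault(blocker.lower(), set()).add(blocked.lower())

    def unblock(self, blocker: str, blocked: str) -> None:
        self._blocked_by.get(blocker.lower(), set()).discard(blocked.lower())

    def has_blocked(self, blocker: str, sender: str) -> bool:
        return sender.lower() in self._blocked_by.get(blocker.lower(), set())


def mentions(text: str) -> set:
    """All handles @-mentioned in a tweet, lowercased."""
    return {m.lower() for m in MENTION_RE.findall(text)}


def evaluate_tweet(registry: BlockRegistry, sender: str, text: str) -> tuple:
    """Apply the rule: if any mentioned handle has blocked the sender, the tweet
    is sinkholed (silently dropped); otherwise it is accepted.
    Returns ("sinkhole", {offending handles}) or ("accept", set())."""
    offending = {h for h in mentions(text) if registry.has_blocked(h, sender)}
    if offending:
        return ("sinkhole", offending)
    return ("accept", set())


if __name__ == "__main__":
    reg = BlockRegistry()
    reg.block("John", "Jim")
    print(evaluate_tweet(reg, "Jim", "Hey @John, answer me!"))   # sinkholed
    print(evaluate_tweet(reg, "Jim", "Shouting into the void."))  # accepted
```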

Tor users in the States were hacked by Australian authorities

Joseph Cox at Motherboard writes:

Australian authorities hacked Tor users in the US as part of a child pornography investigation, Motherboard has learned.

The contours of this previously-unreported hacking operation have come to light through recently-filed US court documents. The case highlights how law enforcement around the world are increasingly pursuing targets overseas using hacking tools, raising legal questions around agencies’ reach.

In one case, Australian authorities remotely hacked a computer in Michigan to obtain the suspect's IP address.

While I'm sure that the vast majority of us are keen for child abuse websites to be shut down, and their users brought to justice, we are not all comfortable with intelligence agencies breaking the law themselves to achieve this.

Legal processes need to be put in place to not only prevent criminals from hacking into systems they shouldn't and stealing private information, but also to prevent over-zealous law enforcement agents from stepping over the line.

Just because something can be done doesn't mean it should be done.

Also, we need to stop thinking that state-sponsored hacking is something done by the Russians and Chinese against the Americans and the Brits. Or it's something that the Americans and Brits do against the Russians and Chinese.

The true story is that just about everyone is up to it.

I would be shocked if any even semi-sophisticated intelligence agency anywhere in the world wasn't using the internet, and methods used by criminal hackers, to spy upon the governments, businesses and citizens of other countries.

Blogger turns tables on cyber-scammer by infecting them with ransomware

BBC News reports:

A French security researcher says he managed to turn the tables on a cyber-scammer by sending him malware.

Technical support scams try to convince people to buy expensive software to fix imaginary problems.

But Ivan Kwiatkowski played along with the scheme until he was asked to send credit card details. He instead sent an attachment containing ransomware.

On one level I feel like just about everyone else reading the story. The scammers deserved everything they got, and isn't it hilarious that a "victim" turned the tables and managed to infect the criminals' computer with a copy of the Locky ransomware.

But another part of me feels uncomfortable.

I don't think the existence of online crime gives any of us a green light to break the law ourselves, tricking others into running malware and making changes to their computer systems without their permission.

Yes, waste scammers' time if you want to. But I would not recommend breaking the law.

Nonetheless, I'm sure some of you will be tickled by the story. You can read it in full on Kwiatkowski's blog.

Someone seems to be trying to spy on VeraCrypt's security audit

At the start of this month OSTIF (the Open Source Technology Improvement Fund) announced that it had agreed a plan to get the open source disk encryption tool VeraCrypt independently audited.

The audit, which would look for security holes and weaknesses in VeraCrypt's code, would be done in co-ordination with vulnerability researchers from QuarksLab.

So far, so good. Especially as you may remember that VeraCrypt's predecessor, TrueCrypt, was mysteriously discontinued a couple of years back leading to all manner of conspiracy theories.

Now, the bad news... OSTIF says that its confidential PGP-encrypted communications with QuarksLab about the VeraCrypt security audit may be being mysteriously intercepted:

We have now had a total of four email messages disappear without a trace, stemming from multiple independent senders. Not only have the emails not arrived, but there is no trace of the emails in our “sent” folders. In the case of OSTIF, this is the Google Apps business version of Gmail where these sent emails have disappeared.

This suggests that outside actors are attempting to listen in on and/or interfere with the audit process.

We are setting up alternate means of encrypted communications in order to move forward with the audit project.

If nation-states are interested in what we are doing we must be doing something right. Right?

Let the speculation begin...

Sage suffers data breach, putting details of UK and Irish businesses at risk

Online accounting software company Sage has suffered a data breach, putting the details of a "small number" of its UK and Irish business customers at risk.

As the company briefly noted on its website:

We believe there has been some unauthorised access using an internal login to the data of a small number of our UK customers so we are working closely with the authorities to investigate the situation.

Our customers are always our first priority so we are communicating directly with those who may be affected and giving guidance on measures they can take to protect their security.

If you have any concerns at all, you can reach us on the following contact details:

The dedicated helpline number is 0845 145 3345 - please leave a message with your details and we will get back to you as soon as we can. You can also get in touch with us by emailing us at customercontact@sage.com.

Richard De Vere of the AntiSocial Engineer posted this weekend providing further information and commentary, saying that the "personal details and bank account information for employees of as many as 300 large UK companies may have been compromised."

De Vere went on to warn of the risks of insider threats to all businesses:

"An insider threat can strike any business, Sage have an industry leading product that is secure as many cloud providers are these days. The problem isn't with Sage, but in how companies manage these insider risks."

Sage says it has been contacting affected customers.

Almost all cars sold by VW Group since 1995 at risk from unlock hack

Wired writes:

Later this week at the Usenix security conference in Austin, a team of researchers from the University of Birmingham and the German engineering firm Kasper & Oswald plan to reveal two distinct vulnerabilities they say affect the keyless entry systems of an estimated nearly 100 million cars. One of the attacks would allow resourceful thieves to wirelessly unlock practically every vehicle the Volkswagen group has sold for the last two decades, including makes like Audi and Skoda. The second attack affects millions more vehicles, including Alfa Romeo, Citroen, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot.

The researchers are led by University of Birmingham computer scientist Flavio Garcia, who was previously blocked by a British court, at the behest of Volkswagen, from giving a talk about weaknesses in car immobilisers.

At the time Volkswagen argued that the research could "allow someone, especially a sophisticated criminal gang with the right tools, to break the security and steal a car." Those researchers finally got to present their paper a year ago, detailing how the Megamos Crypto system – an RFID transponder that uses a Thales-developed algorithm to verify the identity of the ignition key used to start motors – could be subverted.

The team's latest research doesn't detail a flaw that in itself could be exploited by car thieves to steal a vehicle, but does describe how criminals located within 300 feet of the targeted car might use cheap hardware to intercept radio signals that allow them to clone an owner's key fob.

The researchers found that with some "tedious reverse engineering" of one component inside a Volkswagen’s internal network, they were able to extract a single cryptographic key value shared among millions of Volkswagen vehicles. By then using their radio hardware to intercept another value that’s unique to the target vehicle and included in the signal sent every time a driver presses the key fob’s buttons, they can combine the two supposedly secret numbers to clone the key fob and access the car. "You only need to eavesdrop once," says Birmingham researcher David Oswald. "From that point on you can make a clone of the original remote control that locks and unlocks a vehicle as many times as you want."

Sounds to me like it's time to turn to the car manufacturers to ask what on earth they are going to do to fix the millions of potentially vulnerable vehicles they have sold in the last couple of decades.

Read more, including the researchers' paper, on Wired.

Earn up to $200,000 as Apple *finally* launches a bug bounty

The Verge writes:

Apple is planning a new bug bounty program that will offer cash in exchange for undiscovered vulnerabilities in its products, the company announced onstage at the Black Hat conference today. Launching in September, the program will offer cash rewards for working exploits that target the latest version of iOS or the most recent generation of hardware. It’s the first time Apple has explicitly offered cash in exchange for those vulnerabilities, although the company has long maintained a tip line for disclosing security issues.

Ivan Krstic, Apple’s head of security engineering and architecture, made the announcement during a presentation at Black Hat on Thursday.

The top reward is for finding vulnerabilities in Apple's "secure boot" process, which if broken could seriously compromise security.

As Hacker News reports, for now Apple's bug bounty program is invite-only - meaning that the only people likely to be ushered in are those who have a track record in finding exploitable flaws in the company's code. Hopefully things will loosen up over time, and from the sound of things they are open to adding others who come forward after finding critical vulnerabilities in key areas.

Frankly, an Apple bug bounty is long overdue.

Apple was looking incongruous in not offering a reward for security researchers who uncovered critical vulnerabilities in its products. After all, if you were a vendor you would rather have those who find security vulnerabilities in your products work with you rather than selling off their exploits to a third-party, wouldn't you?

With a bug bounty in place, serious exploitable vulnerabilities are more likely to be responsibly disclosed to Apple, and users are more likely to be protected in a timely fashion.

Good.

$61 million stolen from accounts at Bitcoin exchange Bitfinex

The Verge writes:

Hackers have compromised the Bitcoin exchange Bitfinex, the company announced today, withdrawing roughly $61 million from various consumer accounts. The causes of the breach are still unclear, but the attackers appear to have bypassed Bitfinex’s mandated limits on withdrawals.

"The theft is being reported to — and we are co-operating with — law enforcement," the statement reads. "We ask for the community’s patience as we unravel the causes and consequences of this breach."

You really shouldn't be surprised. Online criminals are modern-day Willie Suttons. They go where the money is.

If you had a Bitcoin wallet with Bitfinex I imagine you would be quite worried right now.

In fact, if you had a Bitcoin wallet anywhere else you probably shouldn't be feeling too smug. Security Week reports that the value of Bitcoin has dropped by more than 20% since the incident.

Meet the men who spy on women through their webcams

Nate Anderson at Wired paints a terrifying portrait of the sick world of webcam hackers, while also pointing out that such perverted snooping is within easy reach of even the technically unskilled:

Calling most of these guys "hackers" does a real disservice to hackers everywhere; only minimal technical skill is now required to deploy a RAT and acquire slaves. Once infected, all the common RAT software provides a control panel view in which one can see all current slaves, their locations, and the status of their machines. With a few clicks, the operator can start watching the screen or webcam of any slave currently online.

For Pete's sake, folks. Get yourself a webcam cover.

Advertisers could be tracking you via your battery status

A legitimate reason to poll your battery's status is to stop intensive operations from executing if you're running low on juice.

But it's also open to exploitation by those who want to track your online activity, writes Lukasz Olejnik:

The information provided by the Battery Status API is not always changing fast. In other words, they are static for a period of time; it may give rise to a short-lived identifier. At the same time, users sometimes clear standard web identifiers (such as cookies). But a web script could analyze identifiers provided by Battery Status API, which could then possibly even lead to recreation of other identifiers. A simple sketch follows.

An example web script continuously monitors the status of identifiers and the information obtained from Battery API. At some point, the user clears (e.g.) all the identifying cookies. The monitoring web script suddenly sees a new user - with no cookie - so it sets new ones. But battery level analysis could provide hints that this new user is - in fact - not a new user, but the previously known one. The script's operator could then conclude that this is a single user, and resume tracking. This is an example scenario of identifier recreation, also known as respawning.

A recent study reported that battery status is being monitored by some tracking scripts.

It sounds like it would be a positive step if browsers stopped accessing such detailed information about our battery.

Aside from tracking, there are other ways that battery information could be exploited.

Uber, for instance, says that it knows customers are more likely to accept a much higher price to hire a cab when their battery is running low.

Secure email service GhostMail shutting down, in fear of being abused

GhostMail, a site that offered "military encrypted and self-destructing email accounts", has announced that it is closing down:

GhostMail in its current form will be closed down as per 1. of September 2016.

Since we started our project, the world has changed for the worse and we do not want to take the risk of supplying our extremely secure service to the wrong people – it’s simply not worth the risk.

In general, we believe strongly in the right to privacy, but we have taken a strategic decision to only supply our platform and services to the enterprise segment.

We hope you understand this decision and we refer to other free services available, as an alternative to our platform i.e. Protonmail.

PRO users will be refunded and contacted directly.

If we take GhostMail's statement at face value, one assumes that it is concerned that criminals and terrorists might abuse its service to hide their communications. As GhostMail has no way of reading its customers' encrypted conversations, it cannot tell who is up to no good and who isn't.

So, bad news for regular folks who were using GhostMail for secure, private webmail (switching to an alternative like Switzerland-based ProtonMail sounds like a natural next step), but the company may be able to offer a more focused service to enterprise customers.

If you are a GhostMail user make sure to download any messages from its servers that you wish to keep before 1st September.

Would you risk running a VPN in the United Arab Emirates?

Iain Thomson of The Register writes:

A royal edict from the president of the United Arab Emirates (UAE) may have effectively made it illegal for anyone in the country to use a VPN or secure proxy service.

Those caught could face jail time and fines of between 500,000 and 2,000,000 UAE dirham (US$136,130 and $544,521).

The wording is ambiguous and technologically illiterate. Essentially, it seems, you are not allowed to use systems that hide the fact that you're committing a crime or covering one up. If you're routing your network traffic through a secure VPN or proxy server, you could be evading the eyes of the state while breaking a law, and that's now a big no-no.

You could claim you were using the VPN or proxy for legit reasons, and that no criminal activity was being committed or concealed, but since your packets were encrypted, you may have a hard time proving your innocence.

That certainly does sound like a bit of a pickle for businesses and individuals who want to use the internet safely while in the United Arab Emirates.

You want to run VPN software to secure your communications, and keep your confidential information out of the hands of hackers sniffing data out of the air at public Wi-Fi hotspots, and beyond the grasp of over-reaching intelligence agencies. There are also plenty of people who have legitimate excuses for using the internet anonymously, and concealing their true identity.

But let's take a closer look at the wording of this new legislation:

Whoever uses a fraudulent computer network protocol address (IP address) by using a false address or a third-party address by any other means for the purpose of committing a crime or preventing its discovery, shall be punished by temporary imprisonment and a fine of no less than Dh500,000 and not exceeding Dh2,000,000, or either of these two penalties.

The key thing to emphasise in the above is, I would argue, the words "for the purpose of committing a crime or preventing its discovery".

Hopefully the UAE is planning to use this legislation to crack down on illegal activities on the internet, rather than those who use a VPN and other secure proxy services legitimately.

But if you were to find yourself *forced* to reveal what you had been doing (to prove it wasn't illegal) well, you've just flushed your privacy down the lavatory.

I would worry that we could find ourselves slipping into a situation where the very use of a VPN and encrypted communications is considered itself inherently suspicious, rather than sensible.