
Cluley 250 thumb

Now WikiLeaks is distributing malware

Veteran anti-virus researcher Vesselin Bontchev has discovered that there are thousands of samples of malware available for download from the WikiLeaks website.

The malware Bontchev found sits in a large tranche of emails leaked from AKP, a Turkish political party.

Bontchev writes:

Since many of the AKP members have been recipients of malware sent by e-mail (most likely random spam but could have also been targeted attacks), the received malware in the e-mails is also present in the dump. As a result, the Wikileaks site is hosting malware. For the record, I consider this to be extremely irresponsible on the part of Wikileaks. Malware distribution is not “journalism” by any definition of the term.

Bontchev found 3277 malicious files on the WikiLeaks site, accessible to anyone on the internet via a single click.

Of course, it’s perfectly possible that the true number of malware samples published on the WikiLeaks site is much larger than this. Bontchev’s focus so far has been on one particular email dump, and he used the VirusTotal service to determine whether a file was identified as malicious or not.

Furthermore, one cannot discount the possibility that some of the email dumps published by WikiLeaks contain targeted attacks that are not presently detected by any anti-virus product.

WikiLeaks has been criticised before for its unwillingness to curate the information it leaks - by, amongst others, no less than Edward Snowden.

Anti-virus industry old-timers like me and Bontchev are left with our heads in our hands when we hear that WikiLeaks is apparently making no efforts whatsoever to prevent its readers from encountering malware samples.


Video of Hillary Clinton meeting ISIS leader? Nah, it’s a malware attack

Symantec writes:

Cybercriminals are using clickbait, promising a video showing Democratic Party presidential nominee Hillary Clinton exchanging money with an ISIS leader, in order to distribute malicious spam emails.

The email’s subject announces “Clinton Deal ISIS Leader caught on Video,” however there is no video contained in the email, just malware. Adding to the enticement, the email body also discusses voting, asking recipients to “decide on who to vote [for]” after watching the non-existent clip.

Attached to the email is a ZIP archive, containing a Java file. Make the mistake of opening the Java file (in the mistaken belief that you are going to see a controversial video) and you will be infecting your computer with the Adwind backdoor Trojan horse.

It’s not unusual for criminals to use these kinds of disguises to make their malicious emails more tempting to click on, and we’ve seen attacks like this during previous presidential election campaigns. Expect more of the same, and be on your guard.
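The two items above describe the same underlying problem from two angles: a mailbox dump that silently carries the malware its owners received, and a ZIP attachment whose only member is a Java file. The script below is an added example, not code from Graham Cluley, Vesselin Bontchev, Symantec or WikiLeaks, showing how a publisher or mail administrator could triage attachments in a dump before it is opened or released. It walks each message, hashes every attachment, flags hashes on a known-bad list (in practice fed by your scanner or a service such as VirusTotal), and flags archives whose members have executable-type extensions. The three messages, the "malicious" sample and its hash are all constructed inline so the script runs offline.

```python
"""Triage attachments in an email dump before publishing or opening it.

Added example, not code from the blog post or the projects it mentions.
The mailbox, the "known-bad" sample and its hash are constructed here.
"""
import email
import hashlib
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Member extensions that should not be sitting inside ZIP attachments in a
# dump headed for publication (constructed list; extend to taste).
EXEC_EXTENSIONS = {".jar", ".class", ".exe", ".scr", ".js", ".vbs"}

# Constructed stand-in for a malicious attachment.  A real deployment would
# load this set from scanner results rather than hashing a fixed string.
CONSTRUCTED_BAD_SAMPLE = b"constructed stand-in for a malicious attachment body"
KNOWN_BAD_SHA256 = {hashlib.sha256(CONSTRUCTED_BAD_SAMPLE).hexdigest()}


def make_zip(members):
    """Build an in-memory ZIP from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def make_message(subject, filename, data):
    """Serialise one RFC 5322 message carrying a single binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "member@example.invalid"
    msg["Subject"] = subject
    msg.set_content("See the attached file.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def build_constructed_dump():
    """Three constructed messages standing in for a leaked mailbox."""
    return [
        # The clickbait pattern: a ZIP whose only member is a Java file.
        make_message("Clinton Deal ISIS Leader caught on Video",
                     "video.zip", make_zip({"video.jar": b"constructed jar bytes"})),
        # An attachment whose hash is on the known-bad list.
        make_message("Invoice", "invoice.doc", CONSTRUCTED_BAD_SAMPLE),
        # A harmless archive that should produce no finding.
        make_message("Agenda", "agenda.zip", make_zip({"agenda.txt": b"10:00 meeting"})),
    ]


def executable_members(data):
    """Return ZIP member names with executable-type extensions ([] if not a ZIP)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [name for name in zf.namelist()
                if os.path.splitext(name)[1].lower() in EXEC_EXTENSIONS]


def triage(raw_messages, known_bad=KNOWN_BAD_SHA256):
    """Return one finding dict per suspicious attachment in the dump."""
    findings = []
    for index, raw in enumerate(raw_messages):
        msg = email.message_from_bytes(raw, policy=policy.default)
        for part in msg.iter_attachments():
            data = part.get_payload(decode=True)
            digest = hashlib.sha256(data).hexdigest()
            reasons = []
            if digest in known_bad:
                reasons.append("sha256 on known-bad list")
            for member in executable_members(data):
                reasons.append(f"archive contains executable member {member}")
            if reasons:
                findings.append({"message": index, "filename": part.get_filename(),
                                 "sha256": digest, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(build_constructed_dump()):
        print(f"message {f['message']} ({f['filename']}): {'; '.join(f['reasons'])}")
```

Hash matching only catches what has already been identified, which is the limit Bontchev's VirusTotal approach shares; the archive-member check is what catches the "video" that is really a .jar even when nothing has flagged the file yet.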


IT security woman hits back at sexist trolls on LinkedIn

UK IT security firm Foursys writes:

Should we police or dictate how our employees dress? Should we only allow them to represent our brand if they have a specific body type or sense of style?

What about internet commenters or trolls? Is it ok for them to bombard our employees with abuse?

Foursys is asking these questions after Jayde, one of its sales executives, appeared in a harmless social media post on LinkedIn - celebrating that the firm now had 500 followers on the professional social network.

The response on LinkedIn was ghastly, with many offensive, derogatory and often sexual comments made towards Jayde.

Jayde, however, has stood up to the bullies - making her own brave video response where she details some of the abuse she received:

“For all of those who say that I know nothing about IT security: Shame on you. I know more than 99% of people you’d meet on the street. I can tell you what a denial-of-service attack is, how SQL injection works, and how to protect yourself against ransomware. To be perfectly clear: Bullying and shaming people because of the way that they look or how they choose to dress is nasty, and I am not just going to take it - and neither should you.”

Hear hear.

I find it extraordinary that some people would make such hurtful and mean remarks… and particularly dumb that so many did so on LinkedIn, which details their real names, jobs and places of employment.

Seriously, the IT security world needs to grow up and stop thinking that women can be treated in such an appalling way.

Watch Jayde’s video response to the cyber-bullies on YouTube, and read more in Foursys’s blog post.


A simple way to kill off Twitter trolls

@th3j35t3r writes on his blog:

Simply put. If Jim is blocked by John, Jim can no longer even utter John’s handle/Twitter name in a tweet. If he attempts to, the tweet simply doesn’t process or gets sinkholed. Period. The end. Forever, or until John unblocks him. This approach would not infringe on Jim’s ‘freedom of speech’, he can still say whatever he likes, but he can’t include John. This approach would be self-policing essentially allowing users to decide if they are being abused or harassed and allowing them to take immediate actions without relying on Twitter to minimize the problem effectively. This approach would not be an overhead on Twitter’s current infrastructure and would require NOTHING by way of extra storage capacity.

Trolls are the ugly side of Twitter, but @th3j35t3r’s proposal seems very elegant to me.

So how about it Twitter?

Find out more, and check out his amusing flowchart, by reading @th3j35t3r’s blog post.
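To make the proposal concrete, here is an added example, not code from @th3j35t3r or Twitter, that models the rule as a filter in front of the posting path. The only state it consults is the block relation a service of this kind already keeps (who has blocked whom), which is the point of the "no extra storage" claim: a tweet is delivered or sinkholed purely from that relation and the handles it mentions. The handle grammar, the names and the block graph are constructed for illustration.

```python
"""Block-aware mention filter: a blocked user cannot mention the blocker.

Added example modelling @th3j35t3r's proposal; not Twitter's code.
"""
import re

# A mention is '@' followed by up to 15 handle characters, and the '@' must
# not be preceded by a word character or another '@', so an e-mail address
# such as jim@john.example is not treated as a mention.  Constructed grammar.
MENTION_RE = re.compile(r"(?<![\w@])@([A-Za-z0-9_]{1,15})")


class MentionFilter:
    def __init__(self):
        # blocks[blocker] = set of handles that blocker has blocked.
        # This is the relation the service already stores; nothing new is added.
        self._blocks = {}
        self.timeline = []   # delivered tweets, as (author, text)
        self.sinkhole = []   # rejected tweets, as (author, text, offending handles)

    def block(self, blocker, blocked):
        self._blocks.setdefault(blocker.lower(), set()).add(blocked.lower())

    def unblock(self, blocker, blocked):
        self._blocks.get(blocker.lower(), set()).discard(blocked.lower())

    @staticmethod
    def mentions(text):
        """Lower-cased set of handles mentioned in the text."""
        return {m.lower() for m in MENTION_RE.findall(text)}

    def check(self, author, text):
        """Return (accepted, sorted list of mentioned handles that blocked the author)."""
        author = author.lower()
        offending = sorted(h for h in self.mentions(text)
                           if author in self._blocks.get(h, set()))
        return (not offending, offending)

    def post(self, author, text):
        """Deliver the tweet, or sinkhole it if it mentions someone who blocked the author."""
        accepted, offending = self.check(author, text)
        if accepted:
            self.timeline.append((author, text))
            return "delivered"
        self.sinkhole.append((author, text, offending))
        return "sinkholed"


if __name__ == "__main__":
    svc = MentionFilter()
    svc.block("John", "Jim")
    print(svc.post("Jim", "@John you are wrong"))        # sinkholed
    print(svc.post("Jim", "John is wrong, I say"))       # delivered (no handle used)
    svc.unblock("John", "Jim")
    print(svc.post("Jim", "@John are we good now?"))     # delivered
```

Two details matter in practice: handles are compared case-insensitively, since @John and @john are the same account, and the check runs at post time only, so unblocking takes effect immediately without any cleanup of stored data.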


Tor users in the States were hacked by Australian authorities

Joseph Cox at Motherboard writes:

Australian authorities hacked Tor users in the US as part of a child pornography investigation, Motherboard has learned.

The contours of this previously-unreported hacking operation have come to light through recently-filed US court documents. The case highlights how law enforcement around the world are increasingly pursuing targets overseas using hacking tools, raising legal questions around agencies’ reach.

In one case, Australian authorities remotely hacked a computer in Michigan to obtain the suspect’s IP address.

While I’m sure that the vast majority of us are keen for child abuse websites to be shut down, and their users brought to justice, we are not all comfortable with intelligence agencies breaking the law themselves to achieve this.

Legal processes need to be put in place to not only prevent criminals from hacking into systems they shouldn’t and stealing private information, but also to prevent over-zealous law enforcement agents from stepping over the line.

Just because something can be done doesn’t mean it should be done.

Also, we need to stop thinking that state-sponsored hacking is something done by the Russians and Chinese against the Americans and the Brits. Or it’s something that the Americans and Brits do against the Russians and Chinese.

The true story is that just about everyone is up to it.

I would be shocked if any even semi-sophisticated intelligence agency anywhere in the world wasn’t using the internet, and methods used by criminal hackers, to spy upon the governments, businesses and citizens of other countries.


Blogger turns tables on cyber-scammer by infecting them with ransomware

BBC News reports:

A French security researcher says he managed to turn the tables on a cyber-scammer by sending him malware.

Technical support scams try to convince people to buy expensive software to fix imaginary problems.

But Ivan Kwiatkowski played along with the scheme until he was asked to send credit card details. He instead sent an attachment containing ransomware.

On one level I feel like just about everyone else reading the story. The scammers deserved everything they got, and isn’t it hilarious that a “victim” turned the tables and managed to infect the criminals’ computer with a copy of the Locky ransomware.

But another part of me feels uncomfortable.

I don’t think the existence of online crime gives any of us a green light to break the law ourselves, tricking others into running malware and making changes to their computer systems without their permission.

Yes, waste scammers’ time if you want to. But I would not recommend breaking the law.

Nonetheless, I’m sure some of you will be tickled by the story. You can read it in full on Kwiatkowski’s blog.


Someone seems to be trying to spy on VeraCrypt’s security audit

At the start of this month OSTIF (the Open Source Technology Improvement Fund) announced that it had agreed a plan to get the open source disk encryption tool VeraCrypt independently audited.

The audit, which would look for security holes and weaknesses in VeraCrypt’s code, would be done in co-ordination with vulnerability researchers from QuarksLab.

So far, so good. Especially as you may remember that VeraCrypt’s predecessor, TrueCrypt, was mysteriously discontinued a couple of years back leading to all manner of conspiracy theories.

Now, the bad news… OSTIF says that its confidential PGP-encrypted communications with QuarksLab about the VeraCrypt security audit may be being mysteriously intercepted:

We have now had a total of four email messages disappear without a trace, stemming from multiple independent senders. Not only have the emails not arrived, but there is no trace of the emails in our “sent” folders. In the case of OSTIF, this is the Google Apps business version of Gmail where these sent emails have disappeared.

This suggests that outside actors are attempting to listen in on and/or interfere with the audit process.

We are setting up alternate means of encrypted communications in order to move forward with the audit project.

If nation-states are interested in what we are doing we must be doing something right. Right?

Let the speculation begin…


Almost all cars sold by VW Group since 1995 at risk from unlock hack

Wired writes:

Later this week at the Usenix security conference in Austin, a team of researchers from the University of Birmingham and the German engineering firm Kasper & Oswald plan to reveal two distinct vulnerabilities they say affect the keyless entry systems of an estimated nearly 100 million cars. One of the attacks would allow resourceful thieves to wirelessly unlock practically every vehicle the Volkswagen group has sold for the last two decades, including makes like Audi and Skoda. The second attack affects millions more vehicles, including Alfa Romeo, Citroen, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot.

The researchers are led by University of Birmingham computer scientist Flavio Garcia, who was previously blocked by a British court, at the behest of Volkswagen, from giving a talk about weaknesses in car immobilisers.

At the time Volkswagen argued that the research could “allow someone, especially a sophisticated criminal gang with the right tools, to break the security and steal a car.” Those researchers finally got to present their paper a year ago, detailing how the Megamos Crypto system – an RFID transponder that uses a Thales-developed algorithm to verify the identity of the ignition key used to start motors – could be subverted.

The team’s latest research doesn’t detail a flaw that in itself could be exploited by car thieves to steal a vehicle, but does describe how criminals located within 300 feet of the targeted car might use cheap hardware to intercept radio signals that allow them to clone an owner’s key fob.

The researchers found that with some “tedious reverse engineering” of one component inside a Volkswagen’s internal network, they were able to extract a single cryptographic key value shared among millions of Volkswagen vehicles. By then using their radio hardware to intercept another value that’s unique to the target vehicle and included in the signal sent every time a driver presses the key fob’s buttons, they can combine the two supposedly secret numbers to clone the key fob and gain access to the car. “You only need to eavesdrop once,” says Birmingham researcher David Oswald. “From that point on you can make a clone of the original remote control that locks and unlocks a vehicle as many times as you want.”

Sounds to me like it’s time to turn to the car manufacturers to ask what on earth they are going to do to fix the millions of potentially vulnerable vehicles they have sold in the last couple of decades.

Read more, including the researchers’ paper, on Wired.


Earn up to $200,000 as Apple *finally* launches a bug bounty

The Verge writes:

Apple is planning a new bug bounty program that will offer cash in exchange for undiscovered vulnerabilities in its products, the company announced onstage at the Black Hat conference today. Launching in September, the program will offer cash rewards for working exploits that target the latest version of iOS or the most recent generation of hardware. It’s the first time Apple has explicitly offered cash in exchange for those vulnerabilities, although the company has long maintained a tip line for disclosing security issues.

Ivan Krstic, Apple’s head of security engineering and architecture, made the announcement during a presentation at Black Hat on Thursday.

The top reward comes for finding vulnerabilities in Apple’s “secure boot” process, which if broken could seriously compromise security.

As Hacker News reports, for now Apple’s bug bounty program is invite-only - meaning that the only people likely to be ushered in are those who have a track record in finding exploitable flaws in the company’s code. Hopefully things will loosen up over time, and from the sound of things they are open to adding others who come forward after finding critical vulnerabilities in key areas.

Frankly, an Apple bug bounty is long overdue.

Apple was looking incongruous in not offering a reward for security researchers who uncovered critical vulnerabilities in its products. After all, if you were a vendor you would rather have those who find security vulnerabilities in your products work with you rather than selling off their exploits to a third-party, wouldn’t you?

With a bug bounty in place, serious exploitable vulnerabilities are more likely to be responsibly disclosed to Apple, and users are more likely to be protected in a timely fashion.


$61 million stolen from accounts at Bitcoin exchange Bitfinex

The Verge writes:

Hackers have compromised the Bitcoin exchange Bitfinex, the company announced today, withdrawing roughly $61 million from various consumer accounts. The causes of the breach are still unclear, but the attackers appear to have bypassed Bitfinex’s mandated limits on withdrawals.

“The theft is being reported to — and we are co-operating with — law enforcement,” the statement reads. “We ask for the community’s patience as we unravel the causes and consequences of this breach.”

You really shouldn’t be surprised. Online criminals are modern-day Willie Suttons. They go where the money is.

If you had a Bitcoin wallet with Bitfinex I imagine you would be quite worried right now.

In fact, if you had a Bitcoin wallet anywhere else you probably shouldn’t be feeling too smug. Security Week reports that the value of Bitcoin has dropped by more than 20% since the incident.

Meet the men who spy on women through their webcams


Nate Anderson at Wired paints a terrifying portrait of the sick world of webcam hackers, while also pointing out that such perverted snooping is within easy reach of even the technically unskilled:

Calling most of these guys “hackers” does a real disservice to hackers everywhere; only minimal technical skill is now required to deploy a RAT and acquire slaves. Once infected, all the common RAT software provides a control panel view in which one can see all current slaves, their locations, and the status of their machines. With a few clicks, the operator can start watching the screen or webcam of any slave currently online.

For Pete’s sake, folks. Get yourself a webcam cover.


Secure email service GhostMail shutting down, in fear of being abused

GhostMail, a site that offered “military encrypted and self-destructing email accounts”, has announced that it is closing down:

GhostMail in its current form will be closed down as of 1 September 2016.

Since we started our project, the world has changed for the worse and we do not want to take the risk of supplying our extremely secure service to the wrong people – it’s simply not worth the risk.

In general, we believe strongly in the right to privacy, but we have taken a strategic decision to only supply our platform and services to the enterprise segment.

We hope you understand this decision and we refer to other free services available, as an alternative to our platform i.e. Protonmail.

PRO users will be refunded and contacted directly.

If we take GhostMail’s statement at face value, one assumes that GhostMail is concerned that criminals and terrorists might abuse its services to hide their communications. As GhostMail has no way of perusing its customers’ encrypted conversations it wouldn’t know who would be up to no good, and who wouldn’t.

So, bad news for regular folks who were using GhostMail for their secure, private webmail (switching to alternatives like Switzerland-based ProtonMail sounds like a natural next step), but the company may be able to offer something more focused to enterprise customers.

If you are a GhostMail user make sure to download any messages from its servers that you wish to keep before 1st September.


Sorry, your Motorola Android isn’t going to get monthly security updates

Well, this sucks if you’ve spent good money on a Motorola smartphone.

The firm has confirmed to Ars Technica that it isn’t going to commit to monthly security updates, even though Google will have released patches for the Android operating system.

Here’s what they told Ron Amadeo at Ars Technica:

“Motorola understands that keeping phones up to date with Android security patches is important to our customers. We strive to push security patches as quickly as possible. However, because of the amount of testing and approvals that are necessary to deploy them, it’s difficult to do this on a monthly basis for all our devices. It is often most efficient for us to bundle security updates in a scheduled Maintenance Release (MR) or OS upgrade.”

I guess people who care about security will be buying an Android smartphone from a company that does care about keeping them up-to-date with security patches - like Google or Samsung.

Or maybe they’ll just buy an iPhone. But certainly not a phone made by Motorola.


SentinelOne says if you get hit by ransomware, it will pay the ransom

SentinelOne writes:

We’ve created the first ever Ransomware Cyber Guarantee – a warranty for our product’s performance. It’ll give you the best protection from ransomware attacks – and if we miss something and you get infected – we’ll pay the ransom. It’s that simple. And it’s how security is supposed to be. If you can block something – why not guarantee it? Would you buy a new shiny car without manufacturer warranty?

In other words, self-proclaimed “next generation endpoint security solution” SentinelOne says it’s entirely comfortable paying money to criminals.

Of course it’s a marketing stunt, but still one - I must admit - that leaves a strange taste in my mouth.

If I’m feeling mischievous, I might even wonder if some future ransomware might detect the presence of SentinelOne and increase its ransom demand accordingly…

Couldn’t SentinelOne have just offered to throw in a decent backup program?


Police 3D print murder victim’s finger to unlock his phone

Fusion reports:

A man was murdered, and the police think there might be clues to who murdered him stored in his phone. But they can’t get access to the phone without his fingerprint or passcode. So instead of asking the company that made the phone to grant them access, they’re going another route: having the Jain lab create a 3D printed replica of the victim’s fingers. With them, they hope to unlock the phone.

The numerous media reports I’ve read about this case don’t mention what type of smartphone the police are trying to break into, but my hunch is that it’s an Android.

There are some big differences between how iOS and Android devices implement fingerprint authentication, and some of the design decisions Apple made make the scenario described above highly unlikely.

For instance, an iPhone or iPad will time out the fingerprint sensor every time the device is restarted or after 48 hours of inactivity, requiring you to enter your passcode instead.

However, on Android 4.4 - 5.1.1 the fingerprint unlock *never* expires. Even with Android 6.0 Marshmallow, which adds an official fingerprint authentication API for the first time, I don’t believe there are any set requirements for when the fingerprint unlock should expire.

It seems to me that fingerprint security has been pretty sloppy generally on Android, with some smartphones even storing unencrypted images of users’ fingerprints in a non-protected folder.
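The design decisions described above (passcode required after every restart and after 48 hours without an unlock) are easy to state as a policy, and writing them down shows why a replica finger is so much less useful against a device that enforces them. The following is an added example, not Apple's or Google's code, that models a device's unlock state under two policies: an iOS-like one with the two expiry rules from the text, and an "old Android"-like one where the fingerprint unlock never expires. The cap on failed fingerprint attempts is an assumption added here, not something the text states; timestamps are plain seconds so the logic can be exercised without a clock.

```python
"""When should a device refuse a fingerprint and demand the passcode?

Added example modelling the policies described in the text; not the code of
any real device.  The failed-attempt cap is an assumption of this example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class BiometricPolicy:
    passcode_after_restart: bool        # demand passcode on first unlock after boot
    inactivity_limit: Optional[float]   # seconds since last unlock; None = never expires
    max_failed: int                     # assumption: lock out biometrics after N misses


# The two iOS rules from the text plus the assumed failed-attempt cap.
IOS_LIKE = BiometricPolicy(passcode_after_restart=True, inactivity_limit=48 * 3600, max_failed=5)
# Android 4.4 - 5.1.1 as described: the fingerprint unlock never expires.
OLD_ANDROID_LIKE = BiometricPolicy(passcode_after_restart=False, inactivity_limit=None, max_failed=5)


@dataclass
class Device:
    policy: BiometricPolicy
    booted_at: float
    last_passcode_at: Optional[float] = None
    last_unlock_at: Optional[float] = None
    failed: int = 0

    def biometric_allowed(self, now: float) -> Tuple[bool, str]:
        """Decide, before reading the sensor, whether a fingerprint may be used at all."""
        p = self.policy
        if p.passcode_after_restart and (
                self.last_passcode_at is None or self.last_passcode_at < self.booted_at):
            return False, "passcode required after restart"
        if p.inactivity_limit is not None and (
                self.last_unlock_at is None or now - self.last_unlock_at > p.inactivity_limit):
            return False, "passcode required after 48h inactivity"
        if self.failed >= p.max_failed:
            return False, "too many failed fingerprint attempts"
        return True, "fingerprint accepted"

    def unlock_with_passcode(self, now: float) -> None:
        """A correct passcode re-arms the sensor and resets the failure counter."""
        self.last_passcode_at = now
        self.last_unlock_at = now
        self.failed = 0

    def try_fingerprint(self, now: float, sensor_matched: bool) -> Tuple[bool, str]:
        """Attempt a fingerprint unlock; sensor_matched stands in for the sensor's verdict."""
        allowed, reason = self.biometric_allowed(now)
        if not allowed:
            return False, reason
        if not sensor_matched:
            self.failed += 1
            return False, "fingerprint did not match"
        self.last_unlock_at = now
        self.failed = 0
        return True, "fingerprint accepted"

    def restart(self, now: float) -> None:
        self.booted_at = now


if __name__ == "__main__":
    # A freshly booted device: even a perfectly matching print is refused
    # under the iOS-like policy but accepted under the never-expires one.
    strict = Device(IOS_LIKE, booted_at=0.0)
    lax = Device(OLD_ANDROID_LIKE, booted_at=0.0)
    print("iOS-like:", strict.try_fingerprint(10.0, sensor_matched=True))
    print("old-Android-like:", lax.try_fingerprint(10.0, sensor_matched=True))
```

The decisive check is the one made before the sensor is consulted at all: a device seized after a restart, or one idle for more than the inactivity limit, will not accept any finger, replica or real, until the passcode has been entered.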


When the people selling you IT security solutions hack into their rival’s database…

The Register reports:

Five men working at UK-based IT security reseller Quadsys confessed today to hacking into a rival’s database.

Owner Paul Streeter, managing director Paul Cox, director Alistair Barnard, account manager Steve Davies and security consultant Jon Townsend appeared before the beak at Oxford Crown Court.

“All pleaded guilty to obtaining unauthorised access to computer materials to facilitate the commission of an offence,” the court clerk told us.

This is punishable by a minimum of 12 months in prison or a fine on summary conviction, or up to five years or a fine on indictment.

We all know that there are bad guys hacking into firms.

We want to protect our firms from online criminals, so we bring in third-parties to help us do that, and purchase solutions and services.

It’s depressing to discover that some of those third-party firms may have some rotten apples on their payroll, who don’t know the difference between right and wrong, and think nothing of exploiting their technical skills to break the law if it helps them gain a commercial advantage.

Let this be a warning to others. Just because you can do something doesn’t mean that you should.

Hacking into a rival’s database to steal customer and pricing information might give you a short term advantage, but you are putting your personal future, and that of your business, at permanent risk.