Month: March 2015

Russian banks combat Tyupkin ATM malware gang

Posted on

The Russian Ministry of Internal Affairs, together with the Federal Security Service, are taking steps to try and locate a criminal cyber-group specialising in robbing ATMs using the Tyupkin computer malware.

The criminals work in two stages. First, they get physical access to the ATMs and insert a bootable CD to install the malware – code named Tyupkin by Kaspersky Lab which discovered the exploit last year. After they reboot the system, the infected ATM is under their control.

Kaspersky reports on its website how the scam works and has produced a video on its operation.

Following successful infection, the malware runs in an infinite loop waiting for a command. To make the scam harder to spot, Tyupkin malware only accepts commands at specific times on Sunday and Monday nights. During those hours the attackers are able to steal money from the infected machine.

When the combination key is entered correctly, the ATM displays details of how much money is available in each cash cassette, inviting the operator to choose which cassette to rob. After this the ATM dispenses 40 banknotes at a time from the chosen cassette.

Alexander Vurasko, an official spokesman of the department of investigation of cyber-crimes at the Russian Ministry of Internal Affairs told that, in addition to being used in Russia, the Tyupkin virus has also been used for to rob ATMs around the world, including in EU states as well as in the US and China.

He added that most of attacks are achieved thanks to the widespread use of Microsoft’s XP operating systems in ATMs. The virus has several variations which include skimming capabilities, being able to read data from card magnetic stripes, and saving PIN-codes.

Analysts at Russian-based international security software company Kaspersky Lab believe that Tyupkin and other similar viruses may soon replace traditional skimming.

Ruslan Stoyanov, head of department of investigations of computer incidents of Kaspersky Lab, has said that Tyupkin represents a more progressive technology for the crooks, and that it can dramatically reduce the number of different actions and transactions needed to steal large amounts of cash.

Russian banks combat Tyupkin ATM malware gang+/. cw
Russian banks combat Tyupkin ATM malware gang

He has also added that the use of the virus helps criminals so that they don’t need to transfer money from the card to other accounts and create fake companies and have the authorities chase the money through their accounts.

Amid this ever-growing threat of the malware’s spread, many Russian banks are taking measures to strengthen their IT security, as well as increase the security of their ATMs, with the aim of preventing an unauthorised access.

IT analysts at Russian Izvestia business paper, citing on Edward Ahunyanov, head of the department payment systems of the Russian Bank of Settlements and Savings, one of Russia’s leading banks, told that the malware is a typical Trojan, commenting: “There is also a threat that such malware may result in information leakage. Part of our plans are to change the locks and to modify the programs. In addition, we plan to tighten control over the keys, cash-in-transit couriers and educate the technical service staff of our bank about the threat.”

According to Andrey Lyushin, deputy chairman of Loco-bank, another leading Russian bank, the use of such high-tech theft methods is unusual in the Russian banking sector. He adds that the bank will need another one to two months to implement countermeasures against this malware.


Nigerian Electoral Commission Website Hacked

Posted on

“The INEC (Independent National Electoral Commission) website‎ was hacked this morning but we are trying to revive it,” the body’s deputy director of public affairs, Nick Dazang, told AFP.

“But nothing has been tampered with,” he added, without elaborating.

INEC has been under scrutiny for weeks about its preparations for the election, in particular over the use of biometric voter identity cards and new technology to cut down on electoral fraud.

Nigerian Electoral Commission Website Hacked
Nigerian Electoral Commission Website Hacked

Voters throughout Nigeria have complained about lengthy delays in authenticating their cards. President Goodluck Jonathan’s own card failed on the new system and he had to be accredited by hand.

The INEC website — — was allegedly targeted by the Nigerian Cyber Army. A message on the home page read: “Feel some shame Admin!! Security just an illusion.”

The site was later back online.


Android users exposed to malware by installer hijacking vulnerability

Posted on Updated on

Security researchers have warned about a widespread vulnerability in Android devices, that could see attackers sneakily modify or entirely replace seemingly benign apps with malware, without users becoming aware.
In other words, a user might attempt to install a legitimate version of “Angry Birds” but instead end up with a Flashlight app that’s harbouring malware.
Every Android user is familiar with the screen that gets displayed during an app package’s installation, explaining the permissions that the app requests in order to run.

What wasn’t commonly known was that while a user is reviewing this information (the so-called “Time of Check”), an attacker can modify or replace the app’s package with their own malicious app, in readiness of the user to click the “Install” button.
Fortunately, apps downloaded from the official Google Play Store are not at risk as they are downloaded into a protected space which cannot be overwritten by attackers.

Android users exposed to malware by installer hijacking vulnerability
Android users exposed to malware by installer hijacking vulnerability

Palo Alto Research says that it first found the Time-of-Check to Time-of-Use (TOCTTOU) vulnerability, and how it could be exploited in so-called “installer hijacking” in January 2014, and has been co-operating with Google, Samsung, Amazon and other manufacturers ever since.
The vulnerability can be successfully exploited on Android 2.3, 4.0.3-4.0.4, 4.1.X, and 4.2.x – which means that an alarming 49.5% of the Android devices currently in use are at risk.
That should obviously ring alarm bells – not just amongst home users, but also corporations which have BYOD policies allowing staff to access corporate data on Android devices and to bring their smartphones and tablets into the office.
Piling on the bad news, according to researchers the vulnerability does not rely upon Android devices being rooted (although this does make them more vulnerable) and it is possible that some phones may be running vulnerable distributions of Android 4.3 too.
So, what’s the answer?
The best solution is to stop using vulnerable versions of the Android OS on your devices. Upgrade to Android 4.4 and later, which have fixed the problem.
Of course, that’s easier said than done.
Even if you *want* to upgrade the OS on your Android device you might not be able to, because an update is only going to be available for those devices with the assistance and goodwill of Google, the device’s manufacturer and your mobile phone carrier.
As history has often shown us, older Android devices are left stranded without an easy path for OS updates.
If upgrading your version of Android is not an option, you can reduce the risk by ensuring that apps are only ever downloaded from the official Google Play store rather than third-party sites.
Palo Alto Networks has released a free vulnerability scanner (available from the Google Play store, natch) that will hunt for the flaw on your Android device.


Big Vulnerability in Hotel Wi-Fi Router Puts Guests at Risk

Posted on

GUESTS AT HUNDREDS of hotels around the world are susceptible to serious hacks because of routers that many hotel chains depend on for their Wi-Fi networks. Researchers have discovered a vulnerability in the systems, which would allow an attacker to distribute malware to guests, monitor and record data sent over the network, and even possibly gain access to the hotel’s reservation and keycard systems.

The security hole involves an authentication vulnerability in the firmware of several models of InnGate routers made by ANTlabs, a Singapore firm whose products are installed in hotels in the US, Europe and elsewhere.

The vulnerability, which was discovered by the security firm Cylance, gives attackers direct access to the root file system of the ANTlabs devices and would allow them to copy configuration and other files from the devices’ file system or, more significantly, write any other file to them, including ones that could be used to infect the computers of Wi-Fi users.

Big Vulnerability in Hotel Wi-Fi Router Puts Guests at Risk
Big Vulnerability in Hotel Wi-Fi Router Puts Guests at Risk

The researchers found 277 of the devices in 29 countries that are accessible over the internet, though there may be many others that they weren’t able to uncover over the internet because they’re protected behind a firewall. Devices behind a firewall, however, would still presumably be vulnerable to the same malicious activity by anyone who gets on the hotel’s network.

Of the 277 vulnerable devices accessible over the internet, the researchers found more than 100 of them were at locations in the US. But they also found 35 vulnerable systems in Singapore, 16 in the UK, and 11 in the United Arab Emirates.

The vulnerable systems were found primarily at hotel chains, but the researchers also found some convention centers with internet-accessible vulnerable routers. They also found that a top data center company uses an InnGate device to manage guest Wi-Fi at several of its locations in the Asia Pacific.
The InnGate devices function as a gateway for hotels and convention centers to provide guests with internet access. But Justin Clarke, a researcher with Cylance’s new SPEAR (Sophisticated Penetration Exploitation and Research) team, says the devices are often also connected to a hotel’s property management system, the core software that runs reservation systems and maintains data profiles about guests. Clarke says they found a number of hotels where the InnGate was configured to communicate with a PMS. This presents additional security risks in itself, allowing an attacker to potentially identify guests and upcoming guests at a hotel and learn their room number. But PMSes are often, in turn, integrated with a hotel’s phone system, point-of-sale system for processing credit card transactions, and the electronic keycard system that controls access to guest rooms. This would potentially give an attacker a gateway to access and exploit these systems as well.

“In cases where an InnGate device stores credentials to the PMS [property management system], an attacker could potentially gain full access to the PMS itself,” the researchers write in a blog post published today, which they shared with WIRED in advance.

The property management systems that were used in the vulnerable hotels Cylance examined include ones made by Micros Fidelio, FCS, Galaxy, and Prologic.

Oracle purchased Micros Fidelio last year and now markets its PMS as the Opera Property Management System. According to Oracle’s web site, the Opera PMS “provides all the tools a hotel staff needs for doing their day-to-day jobs—handling reservations, checking guests in and out, assigning rooms and managing room inventory, accommodating the needs of in-house guests, and handling accounting and billing.” But, the site notes, the system also includes interfaces to connect the PMS to “hundreds of third-party hospitality systems” including telephone and electronic switching and key lock systems.

Gaining access to a guest room through a compromised key lock system wouldn’t just be of interest to thieves. One of the most famous cases involving the subversion of a hotel’s electronic key system resulted in the assassination of a high-ranking Hamas official in a Dubai hotel in 2011. In that case the assassins, believed to be Israeli Mossad agents, reprogrammed the electronic lock on their victim’s hotel room door to gain entry while he was out of the room and lie in wait for him to return. It’s not known exactly how the attackers compromised that key system.
How the Hotel Vuln Works
The vulnerability lies in an unauthenticated rsync daemon used by the ANTlabs devices. The Rsync daemon is a tool often used to backup systems since it can be set up to automatically copy files or new parts of files from one location to another. Although the daemon can be password-protected, the ANTlabs device that uses it requires no authentication.

As a result, once an attacker has connected to the rsync daemon, “they are then able to read and write to the file system of the Linux based operating system without restriction,” the researchers write in their blog post. “Given the level of access that this vulnerability offers to attackers, there is seemingly no limit to what they could do… Once full file system access is obtained, the endpoint is at the mercy of the attacker.”


Hanjuan Exploit Kit leveraged in malvertising campaign

Posted on

Anyone who visited the New York Daily News website or Metacafe website – as well as several other lesser known sites – within the past couple of weeks could have been infected with malware, according to Malwarebytes.

Researchers identified a malvertising campaign originating from the engage:BDR advertising network, a Tuesday post indicates. In a Wednesday email correspondence, Jerome Segura, senior security researcher with Malwarebytes, told that the issue has been resolved.

The malware was being delivered via malvertisements that redirected users to the Hanjuan Exploit Kit, according to the post. Researchers only observed the Hanjuan Exploit Kit taking advantage of a recently patched Adobe Flash Player zero-day vulnerability – CVE-2015-0313.

The threat is a drive-by download attack that happens within seconds and requires no user interaction, meaning no clicking is required to become infected, the post indicates.

“Typically a drive-by download is very quiet, unless it involves Java (you will see the Java icon in the tray) or perhaps crashes the browser,” Segura said. “In the case of Flash, it is completely transparent and unless the malware is obvious (changes the desktop or loads a fake app) the user would be completely unaware of it.”

Segura said that Hanjuan Exploit Kit only targets U.S. residential IP addresses, which means that only legitimate home users residing in America were targeted in the campaign. Given the vulnerability being exploited and the high profile of certain affected websites, he speculated that tens of thousands of victims may have been infected.

Hanjuan Exploit Kit uses numerous techniques to deliver malware to specific victims and go by mostly unnoticed, Segura said.

Hanjuan Exploit Kit leveraged in malvertising campaign
Hanjuan Exploit Kit leveraged in malvertising campaign

“First of all, it leverages an ad network to filter out non desirable users and really tailor the malicious [ads] for the target population,” Segura said. “Secondly, it performs very strict checks on the user’s IP address to ensure that it has never seen it before, but also that it belongs to a genuine residential ISP.”

Segura added, “The problem for security companies is that very often our IP ranges are already blacklisted by the bad guys and VPNs are not an option either since they are not the target population.”

Because Hanjuan Exploit Kit is stealthy, Malwarebytes has been unable to identify the malware being delivered, the post notes.

Users should be using anti-exploit protection to defend against these types of threats, and should also always be surfing the web using the latest security updates applied to their computers, Segura said. He added that advertising networks need to be thoroughly checking their customers to ensure they are legitimate.

“They also have to spot patterns of malicious activity in close to real-time and block attacks, something that is easier said than done, when the number of impressions for an ad network can be in the millions or even billions per day,” Segura said.


Vawtrak Banking Malware Targets Canadian Users

Posted on

The malware is also known by the names Neverquest and Snifula, and it is an advanced piece capable of stealing financial information and executing transactions from the compromised computer through remote desktop control, thus hiding its tracks.

Its authors rely on real-time web-injection tactics to present the victim with fraudulent screens asking for the information necessary for accessing online banking account.

This method is also used for harvesting two-factor authentication (2FA) codes that are generated by separate tokens, usually based on offline card verification or its PIN number.

C&C servers have been registered in February

Security researchers at Heimdal Security analyzed the methods used by the cybercriminals to distribute Vawtrak and determined that it spreads via drive-by download attacks, phishing campaigns on social media websites as well as spam.

They say that the variant analyzed by them targets more than 15 financial institutions from Canada and it connects to six command and control (C&C) servers in different parts of the world.

Running a whois search on them, we learned that all but one have been registered on February 25, 2015.

The last one appears to have been registered on February 16, 2015, which could also be an approximate date for launching the malicious campaign.

Vawtrak Banking Malware Targets Canadian Users
Vawtrak Banking Malware Targets Canadian Users

In an in-depth analysis from researchers from antivirus company AVG, Vawtrak is presented with a complex set of features that includes protection against a large number of security solutions that may be running on the infected computer.

The malware tries to disable the antivirus products by enabling the Software Restriction Policies mechanism available on Windows systems. The feature is intended for network administrators, offering them control over the software executed on controlled endpoints.

Vawtrak gets stronger, it is not going anywhere

Additional functionality present in the latest versions of Vawtrak refers to stealing sensitive information such as passwords from different programs (via Pony infostealer module), digital certificates and cookies, logging keystrokes and capturing video and screen images.

AVG says that the malware is not showing any signs of decreased activity and that minor changes in its features, targeted regions and banks create detection spikes every two to five days.

Based on their telemetry data, the countries most affected by this threat are Czech Republic, USA, UK, and Germany.

The conclusion reached by AVG following their analysis of the malware is that “Vawtrak is like a Swiss Army knife for its operators because of its wide range of applications and available features.



Posted on

Canada’s electronic surveillance agency has secretly developed an arsenal of cyberweapons capable of stealing data and destroying adversaries’ infrastructure, according to newly revealed classified documents.

Communications Security Establishment, or CSE, has also covertly hacked into computers across the world to gather intelligence, breaking into networks in Europe, Mexico, the Middle East and North Africa, the documents show.

The revelations, reported Monday by CBC News in collaboration with The Intercept, shine a light for the first time on how Canada has adopted aggressive tactics to attack, sabotage and infiltrate targeted computer systems.

The latest disclosures come as the Canadian government debates whether to hand over more powers to its spies to disrupt threats as part of the controversial anti-terrorism law, Bill C-51.

Christopher Parsons, a surveillance expert at the University of Toronto’s Citizen Lab, told CBC News that the new revelations showed that Canada’s computer networks had already been “turned into a battlefield without any Canadian being asked: Should it be done? How should it be done?”

According to documents obtained by The Intercept from National Security Agency whistleblower Edward Snowden, CSE has a wide range of powerful tools to perform “computer network exploitation” and “computer network attack” operations. These involve hacking into networks to either gather intelligence or to damage adversaries’ infrastructure, potentially including electricity, transportation or banking systems. The most well-known example of a state-sponsored “attack” operation involved the use of Stuxnet, a computer worm that was reportedly developed by the United States and Israel to sabotage Iranian nuclear facilities.

One document from CSE, dated from 2011, outlines the range of methods the Canadian agency has at its disposal as part of a “cyber activity spectrum” to both defend against hacking attacks and to perpetrate them. CSE says in the document that it can “disable adversary infrastructure,” “control adversary infrastructure,” or “destroy adversary infrastructure” using the attack techniques. It can also insert malware “implants” on computers to steal data.

The document suggests CSE has access to a series of sophisticated malware tools developed by the NSA as part of a program known as QUANTUM. As The Intercept has previously reported, the QUANTUM malware can be used for a range of purposes — such as to infect a computer and copy data stored on its hard drive, to block targets from accessing certain websites, or to disrupt their file downloads. Some of the QUANTUM techniques rely on redirecting a targeted person’s internet browser to a malicious version of a popular website, such as Facebook, that then covertly infects their computer with the malware.

According to one top-secret NSA briefing paper, dated from 2013, Canada is considered an important player in global hacking operations. Under the heading “NSA and CSEC cooperate closely in the following areas,” the paper notes that the agencies work together on “active computer network access and exploitation on a variety of foreign intelligence targets, including CT [counter terrorism], Middle East, North Africa, Europe, and Mexico.” (The NSA had not responded to a request for comment at time of publication. The agency has previously told The Intercept that it “works with foreign partners to address a wide array of serious threats, including terrorist plots, the proliferation of weapons of mass destruction, and foreign aggression.”)

Notably, CSE has gone beyond just adopting a range of tools to hack computers.

According to the Snowden documents, it has a range of “deception techniques” in its toolbox. These include “false flag” operations to “create unrest,” and using so-called “effects” operations to “alter adversary perception.” A false-flag operation usually means carrying out an attack, but making it look like it was performed by another group — in this case, likely another government or hacker. Effects operations can involve sending out propaganda across social media or disrupting communications services. The newly revealed documents also reveal that CSE says it can plant a “honeypot” as part of its deception tactics, possibly a reference to some sort of bait posted online that lures in targets so that they can be hacked or monitored.


The apparent involvement of CSE in using the deception tactics suggests it is operating in the same area as a secretive British unit known as JTRIG, a division of the country’s eavesdropping agency, Government Communications Headquarters, or GCHQ. Last year, The Intercept published documents from Snowden showing that the JTRIG unit uses a range of effects operations to manipulate information online, such as by rigging the outcome of online polls, sending out fake messages on Facebook across entire countries, and posting negative information about targets online to damage their reputations.

CSE declined to comment on any specific details contained in the latest revelations. In a general statement issued to The Intercept and CBC News, a spokesman for the agency said: “In moving from ideas or concepts to planning and implementation, we examine proposals closely to ensure that they comply with the law and internal policies, and that they ultimately lead to effective and efficient ways to protect Canada and Canadians against threats.”

The spokesman said that some of the Snowden documents do “not necessarily reflect current CSE practices or programs.” But he refused to explain which capabilities detailed in the documents the agency is not using, if any. Doing so, he said, would breach the Security of Information Act, a Canadian law designed to protect state secrets.


Malware de malware de puntos de venta (POS)

Posted on

2014 será recordado por muchas brechas de seguridad, pero para aquellos cuyo crédito o débito tarjetas fueron hackeado en una brecha de datos, recuerdan el año en que una ola de malwares de punto de venta se estrelló en los minoristas grandes y pequeños según profesionales de servicios de seguridad informática.

La organización international institute of cyber security que también proporciona el curso de hacking ético en México señaló que los delincuentes comenzaron a dirigirse cada vez más a los malwares de puntos de venta (POS) kits para su uso en el ciber-subterráneo. Según iicybersecurity, los precios de estos kits variaba dependiendo de su complejidad, con un poco de que va para decenas de dólares y otros que cuestan en los cientos o miles de dólares.

Los ataques infectan los terminales con software malicioso diseñado para robar información de tarjetas de crédito, usado por puntos de ventas. El malware se ejecuta en segundo plano de la terminal, y continuamente explora los datos únicos que se encuentran en la banda magnética de una tarjeta y enviar datos que corresponden a un servidor controlado por el atacante explico experto de forense digital.

En el año 2014, mientras que varias grandes empresas se enfrentaban a las infracciones de su infraestructura de puntos de ventas, muchos minoristas más pequeños se enfrentan a la misma amenaza por los grupos menos organizados según el informe de servicios de seguridad informática.

Malware de malware de puntos de venta (POS)
Malware de malware de puntos de venta (POS)

Malware como BlackPoS requiere un poco de planificación estratégica por parte del hacker; gran parte del sistema carece de apuntar y hacer clic en la naturaleza intuitiva de botnets. Para los grupos menos organizados o menos calificados hackers, un kit off-the-shelf como DexterPoS puede permitir capacidades de explotación y ofensivos que de otra manera no sería posible. Señalo experto de forense digital Mike Stevens que la explosión de puntos de venta de malware puede ser mitigado mediante la adopción de estándares EMV (Europay, MasterCard y Visa), así como el crecimiento de opciones de pago como Google Wallet y Apple Pay.

La adopción de estos nuevos procesos de pago debe proporcionar a los consumidores con los métodos de pago más seguras y hacer que sea más difícil para

los criminales que tratan de hacer dinero con estos sistemas. Según el informe de curso de hacking ético en México va a haber un cierto retraso en el 2015 ya que los minoristas y los bancos se mueven para poner estas mejoras en el lugar, durante los cuales los ciber delincuentes todavía será capaz de explotar los sistemas de procesamiento de pagos corrientes. Sin embargo, los procesos nuevos, una vez en el lugar, debe conducir a una disminución en el tipo de ataques POS visto en el último año.

Threat Spotlight: PoSeidon, A Deep Dive Into Point of Sale Malware

Posted on

Cisco’s Security Solutions (CSS) consists of information security experts with a unique blend of law enforcement, enterprise security and technology security backgrounds. The team works directly with Cisco’s Talos Security Intelligence & Research Group to identify known and unknown threats, quantify and prioritize risk, and minimize future risk.

When consumers make purchases from a retailer, the transaction is processed through Point-of-Sale (PoS) systems. When a credit or debit card is used, a PoS system is used to read the information stored on the magnetic stripe on the back of the credit card. Once this information gets stolen from a merchant, it can be encoded into a magnetic stripe and used with a new card. Criminal markets exist for this valuable information because the attackers are able to easily monetize stolen credit card data. Incidents involving PoS malware have been on the rise, affecting many large organizations as well as small mom-and-pop establishments and garnering a lot of media attention. The presence of large amounts of financial and personal information ensures that these companies and their retail PoS systems will remain attractive targets.

Threat Spotlight: PoSeidon, A Deep Dive Into Point of Sale Malware
Threat Spotlight: PoSeidon, A Deep Dive Into Point of Sale Malware

There is new a malware family targeting PoS systems, infecting machines to scrape memory for credit card information and exfiltrate that data to servers, also primarily .ru TLD, for harvesting and likely resale. This new malware family, that we’ve nicknamed PoSeidon, has a few components to it, as illustrated by the diagram below:

At a high level, it starts with a Loader binary that upon being executed will first try to maintain persistence on the target machine in order to survive a possible system reboot. The Loader then contacts a command and control server, retrieving a URL which contains another binary to download and execute. The downloaded binary, FindStr, installs a keylogger and scans the memory of the PoS device for number sequences that could be credit card numbers. Upon verifying that the numbers are in fact credit card numbers, keystrokes and credit card numbers are encoded and sent to an exfiltration server.

Technical details
The file with SHA256 334079dc9fa5b06fbd68e81de903fcd4e356b4f2d0e8bbd6bdca7891786c39d4 could perhaps be at the source of the PoS system compromise. We call this file KeyLogger based on debugging information found in the binary:

Upon execution, this file copies itself to either %SystemRoot%\system32\<filename>.exe or %UserProfile%\<filename>.exe and adds registry entry under HKLM (or HKCU)\Software\Microsoft\Windows\CurrentVersion\Run.

The file also opens HKCU\Software\LogMeIn Ignition and enumerates the keys for the account sub key, opens it and deletes the PasswordTicket Value and obtains the Email Value. Also deletes registry tree HKCU\Software\LogMeIn Ignition\<key>\Profiles\* .

The file sends to an exfiltration server by POSTing data to one of these URIs:

The URI format is


The Keylogger component was potentially used to steal passwords and could have been the initial infection vector.


Massive DDoS racks up $30,000-a-day Amazon bill for China activists

Posted on

Chinese activist site which masks censored traffic into the country is under a sustained distributed denial of service (DDoS) attack that is racking up $30,000 a day in server costs.

The website masks internet traffic from websites including Facebook and Google, so it can be seen in China, and does so using cloudy servers. Attempts by Beijing to take down access to those content providers would incur an unpalatable amount of collateral damage, the activists contend.

Website admin Charlie Smith says the DDoS attack is delivering 2.6 billion requests an hour.

“We are under attack and we need help,” Smith says.

“This kind of attack is aggressive and is an exhibition of censorship by brute force.

“Attackers resort to tactics like this when they are left with no other options.”

Amazon has not yet said if it would waive the extra costs. The Register has contacted the company for comment.

Smith says the website’s first-ever DDoS attack is likely prompted by a Wall Street Journal story published Wednesday (regwalled).

The DDoS is a 2500 increase on normal traffic levels and is slamming all GreatFire website mirrors of websites blocked on the mainland.

Massive DDoS racks up $30,000-a-day Amazon bill for China activists
Massive DDoS racks up $30,000-a-day Amazon bill for China activists

Beijing has stepped up pressure on the website in recent months, the activists say. The Cyberspace Administration of China labelled GreatFire a foreign “anti-China website” and has pushed its unspecified technology partners to cut ties, GreatFire alleges.

The site has upgraded to faster servers to handle the traffic influx but Smith fears it could sink if the attacks increase.

Smith is asking DDoS boffins to offer advice on mitigating the attacks.

The attacks are the latest GreatFire alleges to be the handiwork of Beijing. In November the activists said authorities used DNS poisoning against its content delivery network EdgeCast which caused mass outages and service interruptions.


Ransomware Uses GnuPG Encryption Program to Lock Down Files

Posted on Updated on

Operators of ransomware VaultCrypt started their business in Russia, but according to recent reports, the malware has reached English-speaking parts of the world, giving trouble to system admins.

Files used for encryption overwritten 16 times

The threat is not as complex in nature as its infamous siblings CryptoLocker or CryptoWall, but this does not make it any less dangerous.

The fact that a ransom alert is not displayed until one of the encrypted files is launched might make it seem rudimentary, but it uses a strong 1024-bit RSA key pair for encryption and deletes the shadow copies of the files to prevent recovery.

The cybercriminals running VaultCrypt used some interesting methods to achieve their goal, according to an analysis from Bleeping Computer.

It appears that apart from GnuPG, the malware relies on a suite of VBS scripts, all wrapped up in a large Windows batch file, and Microsoft’s sDelete application to remove the data used during the encryption process, and runs 16 overwrite routines.

Private key is encrypted in a file

According to the research, VaultCrypt exports the decryption key in a “vaultkey.vlt” file, which also contains information about the infected computer that is used for personalizing the ransom page and to provide a percentage of the amount of data locked.

The vault key is then encrypted with a master public key that works for all compromised systems. The resulting file is saved locally with the name “VAULT.KEY,” with the private decryption key remaining with the attackers at all times.

The main script powering the malware is publicly available online and it has been tracked down on Pastebin by Fabian Wosar, security researcher at Emsisoft.

Infostealer is also pushed on the infected computer

As if encrypting the data was not enough, it appears that VaultCrypt downloads from a domain hidden in Tor anonymous network another malware with the name “ssl.exe,” whose purpose is to collect log-in credentials from websites visited by the victim.

The command and control (C&C) server is also located in Tor and access to it is protected by a log-in window.

Registration is based on the VAULT.KEY file, which needs to be uploaded in order to receive a user ID and a password. This is the only way the user can find out the ransom amount (about 1 bitcoin) and how it can be paid. The text is mostly in Russian, but some pages contain links to English instructions on Pastebin.

Ransomware Uses GnuPG Encryption Program to Lock Down Files
Ransomware Uses GnuPG Encryption Program to Lock Down Files

There’s a chance to recover files without paying

As is the case with most malware of the same feather, the ransom increases, but it does not double up, after a certain period of time, and the crooks offer the possibility to test the decryption process on four files.

Users impacted by VaultCrypt are not completely without hope, as the threat does not securely delete the encrypted data, leaving the door ajar for recovering the files using free software.

However, this procedure is not guaranteed and restoration from a proper backup file is the safest way to avoid losing data (XLS, DOC, PDF, RTF, PSD, DWG, CDR, CD, MDB, 1CD, DBF, SQLITE, JPG and ZIP) or paying the ransom.

Android apps downloaded over 6.3 billion times still vulnerable to FREAK

Posted on

A total of 1,228 popular Android apps found in the Google Play store are still vulnerable to a FREAK attack, FireEye says.

Research published on Tuesday by the firm’s security team disclosed just how vulnerable both Android and iOS apps still are to the FREAK bug.

FREAK is a cryptographic weakness which permits attackers to force data traveling between a vulnerable website or operating system to servers that use weak encryption protocols. If combined with a man-in-the-middle attack (MITM), the data could theoretically be intercepted and cracked as the user is unwittingly using a lower level of encryption than believed.

According to the team, as of March 4, both of the latest Android and iOS platforms are vulnerable to the security issue. As FREAK is both a platform vulnerability and an app vulnerability, even after Google and Apple issued patches, apps may still be vulnerable when connecting to servers which accept RSA_EXPORT cipher suites.

FireEye says this is why some iOS apps are vulnerable even after Apple patched the FREAK vulnerability in iOS earlier this month.

Researchers Yulong Zhang, Hui Xue, Tao Wei and Zhaofeng Chen crawled through the Google Play app store to determine how severe the FREAK vulnerability still could be. The team scanned a total of 10,985 popular apps with over one million downloads each — and discovered that 11.2 percent of them, 1,228 apps in total, are still vulnerable to the bug, as they “use a vulnerable OpenSSL library to connect to vulnerable HTTPS servers.”

The 1,228 apps in question have been downloaded over 6.3 billion times. In total, 664 of these apps use Android’s bundled OpenSSL library and 554 rely on custom libraries.

Android apps downloaded over 6.3 billion times still vulnerable to FREAK
Android apps downloaded over 6.3 billion times still vulnerable to FREAK

When it comes to iOS apps, the security researchers claim that 771 out of 14,079 — 5.5 percent — of popular iOS apps connect to vulnerable services and, therefore, are vulnerable to FREAK attacks on iOS versions below 8.2, which has been patched. In addition, seven of these 771 apps have their own vulnerable versions of OpenSSL and they remain vulnerable on iOS 8.2.

“An attacker may launch a FREAK attack using man-in-the-middle (MITM) techniques to intercept and modify the encrypted traffic between the mobile app and backend server. The attacker can do this using well-known techniques such as ARP spoofing or DNS hijacking. Without necessarily breaking the encryption in real time, the attacker can record weakly encrypted network traffic, decrypt it and access the sensitive information inside,” the team says.

FireEye says that an attacker could use a FREAK attack on a shopping app to steal login credentials and credit card information. In addition, “medical apps, productivity apps and finance apps,” may also be vulnerable.


Stealthy, Persistent DLL Hijacking Works Against OS X

Posted on

DLL hijacking has plagued Windows machines back as far as 2000 and provides hackers with a quiet way to gain persistence on a vulnerable machine, or remotely exploit a vulnerable application.

And now it’s come to Apple’s Mac OS X.

This week at the CanSecWest conference in Vancouver, Synack director of research Patrick Wardle is expected to deliver a talk during which he’ll explain different attacks that abuse dylibs in OS X for many of the same outcomes as with Windows: persistence; process injection; security feature bypass (in this case, Apple Gatekeeper); and remote exploitation.

“DLL hijacking has haunted Windows for a while; it’s been abused by malware by a number of malicious adversaries. It’s a fairly widespread attack,” Wardle told Threatpost. “I wondered if it was similar on OS X and I found an attack similar to that. Under the hood, there are technical differences, but it provides the same capabilities. Given you have a vulnerable app on OS X, you can abuse it the same way it’s abused on Windows.”

Wardle is also expected to release following his talk source code for a scanner that discovers apps that are vulnerable to his attack. Running his Python script against his own OS X machine, Wardle was able to find 144 binaries vulnerable to different flavors of his dylib hijacking attacks, including Apple’s Xcode, iMovie and Quicktime plugins, Microsoft Word, Excel, and PowerPoint, and third-party apps such as Java, Dropbox, GPG Tools and Adobe plugins.

“Windows is vulnerable to DLL hijacking, and now OS X is similarly vulnerable to dylib hijacking,” Wardle said.

With DLL and dylib attacks, the concept is essentially the same: an attacker must find a way to get a malicious library into a directory that is loaded by the operating system. Wardle explained one facet of his attack where he was able to find a vulnerable Apply binary in its Photostream Agent that automatically started with iCloud.

“It’s perfect for attacker persistence,” Wardle said. “You copy a specially crafted dylib into the directory PhotoStream looks for when the app starts, and the attacker’s dylib is loaded into the context of the process. It’s a stealthy way to gain persistence; you’re not creating any new processes, nor modifying any files. You’re planting a single dylib and you’re in.”

In another attack, Wardle said he was able to gain automatic and persistent code execution via a process injection against Xcode, Apple’s integrated developer environment.

“My malware infects Xcode and any time a developer deploys a new binary, it would also add the malicious code,” Wardle said. “It’s an anonymous propagation vector.”

Stealthy, Persistent DLL Hijacking Works Against OS X
Stealthy, Persistent DLL Hijacking Works Against OS X

Wardle was also able to remotely bypass Apple’s Gatekeeper security product that limits what software can be downloaded onto an Apple machine and from where, in addition to providing antimalware protection. His malicious dylib code, he said, would be implanted in a download that should be blocked by Gatekeeper because it’s not signed from the Apple App Store. Gatekeeper, however, will load the malicious file remotely giving the attacker code execution, Wardle said.

“Gatekeeper normally does a pretty good job of blocking these downloads, but now using this bypass, we can get users to infect themselves,” Wardle said.

Wardle is expected to demonstrate an attack that combines all of these components, including the Gatekeeper bypass that when executed uses the dylib hijacking to gain persistence, grabs users’ files and exfiltrates that data to iCloud, and can also sent remote commands to the vulnerable machine. Most worrisome, he said, is that his malware went undetected by most antivirus packages, and Apple barely acknowledged his bug reports starting in January other than an automated response, and a thank you and congratulations on his talk being accepted at CanSecWest.

“I think things are broken. This abuses legitimate functionality of OS X and it’s not patched,” Wardle said. “These attacks are powerful and stealthy, and do a lot of malicious things.



Posted on

GCHQ’s hacking operations are conducted with little to no oversight and risk “undermining the security of the internet”, leading online privacy experts have warned. Even when oversight is required, GCHQ has revealed that ministers don’t have the technical knowledge to understand what it is doing. Privacy campaigners today described the issue as “a major scandal”.

Details of GCHQ’s hacking operations and attempts to weaken encryption were revealed in a parliamentary committee report into the UK’s surveillance capabilities. The Intelligence and Security Committee (ISC) review, published last week, revealed GCHQ makes the majority of decisions about hacking, and its operations to weaken encryption, internally and without telling ministers exactly what it is doing.

GCHQ’s hacking operations, which it defines as “computer network exploitation” are part of a “general power” afforded to the spy agency with “no additional ministerial authorisation”, according to the ISC’s report. While a warrant is required for hacking operations inside the UK, outside the UK the spy agency uses five broad “Section 7 class-based Authorisations”, which allow it to carry out hacking without specific oversight.

Ministers are only asked to judge GCHQ’s hacking operations when they may cause serious economic or political risk. Even in these instances the report revealed the Foreign and Commonwealth Office (FCO), whose remit GCHQ falls under, doesn’t have the technical knowledge to understand what GCHQ is doing. The lack of oversight could also lead to internet security being weakened, privacy experts told

“This is not oversight: it is a policy of ‘trust us, we know what we’re doing’,” said Jim Killock, executive director of civil liberties organisation Open Rights Group. “It is shocking that ministers and the ISC aren’t checking their risk analysis and admit the FCO lacks the skills to do so.”

In its report, the ISC expressed concern that GCHQ’s decisions about hacking were taken internally. It said such operations “may expose the public to greater risk and could have potentially serious ramifications”. The ISC added that ministers “must be kept fully informed of all such work”. The ISC also makes a distinction between GCHQ’s hacking operations and its efforts to weaken encryption. In relation to hacking, the ISC notes there is inadequate oversight with attacks on encryption apparently subject to no oversight whatsoever.

Following publication of the ISC’s report, foreign secretary Philip Hammond praised the “independent scrutiny and oversight” that it provides. Hammond also said that the actions of the UK’s intelligence agencies, including GCHQ, were subject to “detailed ministerial oversight”, despite GCHQ’s admission that decisions about its hacking activities involve no oversight.

Killock slammed the committee’s “inadequate” response, arguing that the “scandalous lack of oversight” looks set to continue. Even if the ISC’s recommendations are adopted by government, no changes will be made to increase oversight of GCHQ’s hacking operations, according to the report.

GCHQ admitted the FCO was “not well placed to assess the complex technical risk” of its hacking operations. In evidence given to the ISC Sir Iain Lobban, then director of GCHQ, dismissed the idea that its operations caused “large scale damage to the internet” as “misplaced”. Killock, an expert witness called on by the ISC for its report, claimed that “technical expertise seems to be absent from all levels of oversight”.

Caroline Wilson Parlow, legal officer at rights group Privacy International described the revelations as “very troubling”, adding that GCHQ’s hacking operations and efforts to weaken encryption were “undermining the security of the internet”.

“State-sponsored hacking into phones, computers, and networks weakens the communications systems we rely on everyday, making us less secure in the process and more vulnerable to malicious actors online.


“The oversight of GCHQ’s hacking activities is minimal, and when it comes to weakening encryption, it appears to be nonexistent. As the ISC report reveals, to the extent that ministers oversee GCHQ’s overseas hacking activity at all, it is only to grant broad authorisations that essentially give GCHQ carte blanche to hack.”

She said that GCHQ should only be allowed to engage in such activities with strong safeguards and oversight in place. “The fact that the agency seems to have taken powers unto itself without parliamentary oversight, or even effective ministerial authorisation, should worry us all,” she said.

GCHQ’s alleged hacking abilities form a major part of its cybersecurity arsenal. The spy agency was linked to the attack on Sim card maker Gemalto, from which billions of mobile device encryption keys were reportedly stolen — although the firm has claimed said the attack was ineffective. GCHQ has also been linked to a 2012 attack on Belgium’s largest telecommunications provider, Belgacom.

In July 2014 a leaked GCHQ document detailed more than 100 tools it apparently used to launch attacks on everything, from Twitter and Blackberry to Facebook and Second Life. Leaked documents also revealed GCHQ’s use of a malware toolkit named after characters in TV series The Smurfs. An ability codenamed Nosey Smurf turns on Android and iPhone microphones to spy on conversations, while Tracker Smurf and Dreamy Smurf handle device geolocation tracking and the covert switching on of phones respectively. Online rights charity Privacy International has accused GCHQ of “unlawfully” spying on people using such malware.

The spy agency’s range of tools relies on a number of exploits — known bugs, bugs found by GCHQ, information shared by the NSA and bugs placed into software by agents. Weaknesses exploited by GCHQ, or that it creates, could fundamentally damage online security. Security engineers have argued that they need to be made aware of rare bugs, many of which GCHQ reportedly relies on to gather information. Such information would allow engineers to better secure online infrastructure, making the internet safer for all users

In evidence given to the ISC, GCHQ said that the “lion’s share” of the vulnerabilities it used were “publicly known”. However leaked documents have revealed its use of both zero-day exploits — which use previously unknown weaknesses to attack software — as well as exploits it has found or created.


WhatsApp Voice Calling Invitation Spam Comes With Malware

Posted on

Android phones will soon start seeing the voice calling features made available for WhatsApp, with other platforms to gradually see their own versions.

One issue may be that is not all that simple to cover the significantly sizable audience base, which is just the reason that the beta test period is being extended as indefinitely as it is, and subscribers join via invitation.

Some months back, a number of users said that they’d gotten special invitations to take part in a beta version of WhatsApp’s voice calling program. They could make calls to a small number of contacts because those particular subscribers had themselves also gotten the invitation. WhatsApp’s voice feature hasn’t yet been made readily available, thus it’s still necessary to join by invitation. However, there’ve been some hackers who’ve made use of this vulnerability to start fabricating and distributing malware via phony invites. Malware

For the current time being, the most malicious link has been identified as whatsappcalling dot com, and this link has been used multiple times to infect users’ computers with malware. The whatsappcalling link automatically activates whenever a subscriber connects to a 3G data network or to any wireless internet connection. It prompts subscribers to agree in order for the malicious website to download the malware under the guise of providing “the latest version of WhatsApp messenger”.

It advertises itself as including the in-demand voice calling software, but will actually redirect and download malicious software that automatically self-opens. Another tricky maneuver the link uses that of not actually immediately downloading, but first asking subscribers to take a survey of some kind or another, which then leaves the computer open to the particular malware at hand before spreading.

Invitation Spam Comes With Malware
WhatsApp Voice Calling Invitation Spam Comes With Malware

Illegal users to be banned

As a measure of preventing illegal third-party applications from commandeering a given subscriber’s phone, WhatsApp has become quite conscientious about banning users. If in the event that you download a third-party version of WhatsApp or WhatsApp Plus, the company will banned you for a short time.

In previous times, it had been taken by assumption that the offending subscribers were banned for life, though it’s now known that the whole point is to prevent people from using APK files that they got from illegal sources that would maliciously assault both the developer along with the subscriber.


Zero Day Weekly: Facebook Reconnect hijack, Rowhammer, CISA quietly approved

Posted on

Facebook declined to fix it: The “Reconnect” tool allows attackers to generate URLs to hijack accounts on sites using Facebook Login. Reconnect was released last week by San Francisco based pentester Egor Homakov. It takes advantage of a cross-site request forgery (CSRF) issue in Facebook Login, the service that allows users to log in on websites using their Facebook accounts. The Reconnect proof-of-concept tool generates malicious URLs to hijack accounts on,, Stumbleupon,, Mashable and Vimeo ( has since closed the hole). The vuln was disclosed in January 2014 after Facebook declined to fix it; Facebook this week denied that it’s refusing to fix the attack, pushing the blame to developers who don’t follow Facebook’s best practices. However, other sites using Facebook Login can be targeted by manually inputting links that trigger Facebook login requests on behalf of their users into the tool.

Zero Day Weekly Facebook Reconnect hijack, Rowhammer
Zero Day Weekly Facebook Reconnect hijack, Rowhammer

A U.S. Senate committee has quietly approved CISA (formerly called CISPA, which does away with warrants to get your online records). Behind closed doors at the end of the day Thursday, The Senate Intelligence Committee voted to approve the controversial bill, which facilitates businesses to share user information with government agencies, obviating the need for warrants. Sen. Ron Wyden, the only lawmaker to vote against the new bill, said the measure “lacks adequate protections for the privacy rights of American consumers, and…will have a limited impact on US cybersecurity.”
This month’s Patch Tuesday updates from Microsoft contained an epic number of updates. Microsoft patched Stuxnet and FREAK vulnerabilities; five updates (four for Windows and one for Office) are rated Critical. The remaining nine are rated Important, all for Windows except for a lone Exchange Server patch. That Microsoft had failed to patch it five years ago caused no small amount of controversy in online discussions. The FREAK cleanup continues with Cisco and Apple releasing fixes almost in unison with Microsoft and Google.

Google’s Project Zero uncovered a serious security problem lurking in modern DRAM devices — one the hardware industry may have written off as a reliability issue. Project Zero has called on hardware makers for more information about efforts to mitigate Rowhammer: a hardware bug that renders notebooks vulnerable to a memory-based exploit. It affects DRAM from three major vendors, suggesting to the researchers that many systems in use are likely to be at risk. Rowhammer can’t be mitigated by just upgrading software: Cisco has outlined two widely known mitigations for Rowhammer.

The average enterprise has over 2000 unsafe or malicious apps installed on staff mobiles, according to new research from security vendor Veracode. The firm analyzed hundreds of thousands of mobile apps installed in enterprise environments across a variety of industries and found 14,000 of them to be “unsafe”. Of these, 85% exposed sensitive phone data such as device location, call history, contacts, SMS logs and SIM information. A further 37% apparently performed “suspicious” actions such as recording phone conversations, installing or uninstalling apps, running additional programs or checking to see if the device is rooted or jailbroken.
IBM’s X-Force Application Security Research Team revealed the existence of a severe vulnerability in the Dropbox SDK for Android. The now-patched vuln, DroppedIn, allowed attackers to connect applications on a user’s mobile device to a Dropbox account that they controlled. Dropbox said no files were compromised before the patch; IBM says it first reported the vulnerability to Dropbox in December and praised Dropbox for issuing a patch within four days.
Kaspersky Labs on March 10 revealed details of what it claims is the first malware that outwits CAPTCHA. (See also: In 2012, a trio of hackers unveiled a free system that defeats CAPTCHA with 99% accuracy; DEFCON 16 (2008).) The Podec malware (Trojan-SMS.Android.Podec) targets Android devices; it send CAPTCHA requests to online human translation service,, which converts the image to text and relays that data back to the malware code within seconds, convincing CAPTCHA it’s a person. Podec extorts money from victims by subscribing infected Android users to costly services.
Blue Coat Systems, an enterprise security company specializing in corporate networking and hardware, confirmed on Tuesday it has been acquired by Bain Capital for approximately $2.4 billion. The transaction is expected to close during the first half of 2015. Blue Coat boasted it now counts approximately 80 percent of the Fortune 500 as customers of its on-premise, hybrid and cloud-based solutions.
CIA tried to hack into iPhone, iPad for years, say leaked documents from 2012: The CIA once focused its efforts on cracking the security keys used to encrypt personal data on iPhones and iPads, according to an article published by The Intercept on Tuesday. According to The Intercept, researchers working for the CIA looked into both “physical” and “non-invasive” ways of gaining access to a device’s firmware.
Verizon’s 2015 PCI compliance report shows that companies bulk up IT security just in time for their PCI inspection, but only 29% keep it up afterward. Verizon found that insurance companies that offer cybersecurity policies are rejecting retailer’s claims “because they have failed to take adequate security measures.


Sadie Frost: phone hacking wrecked my life

Posted on

The actor Sadie Frost has described how phone hacking by journalists wrecked her life, causing her to fall out with her best friend, Kate Moss, and suspect her mother of selling stories to the press.

Giving evidence at the high court in London, Frost said she became a nervous wreck and was afraid to leave the house for fear of being pursued by photographers.

“It is difficult to explain the damage this has done to me. For many years, I was in a living hell,” she said in a witness statement.

“I was suffering from depression, anxiety and regular panic attacks. I found it hard to leave the house and, if I finally made myself, I was followed … or they [the photographers] would turn up where I was going. This made my anxiety even worse.”

Frost is one of eight phone-hacking victims, including the ex-footballer Paul Gascoigne, suing the Daily Mirror, Sunday Mirror and the People publisher Mirror Group Newspapers (MGN) for damages.

Frost said she had lost three or four years of her children’s lives due to being hounded by the paparazzi every time she left the house.

Maintaining her composure in the witness box, she said in a clear voice: “I was somebody trying to pull my life back together and these articles were coming out every day, which affected my work, my family and me as a mother.

“I couldn’t take my son to the park for two years because every time I did I was photographed. He would be crying and get upset and I would have panic attacks.”

She described being ambushed by photographers as she left an Alcoholics Anonymous (AA) meeting as “the lowest of the low” and a “nightmare”, comparing it to the time a photographer turned up at her father’s funeral.

“I was so unhappy that I found it difficult to sleep and eat – and this got reported in the papers. Absolutely nothing was left alone,” she said.

“I thought it would be good for me to stop drinking, so I went to AA – and MGN published that as well. I had nowhere to turn to as the press was in every area of my life.”

Retreating into the house to escape the constant press attention, Frost said she “became what the papers were saying about me. I became a wreck”.

She said that mean-spirited articles about her in the Mirror aggravated the “torment” of not being able to trust her closest allies at her lowest moment, when her father was dying, she was going through a divorce and was suffering post-natal depression.

Sadie Frost phone hacking wrecked my life
Sadie Frost phone hacking wrecked my life

MGN’s apology to phone-hacking victims was described as “too little too late”. “After over six months of litigation, MGN has finally sent me an apology and published an apology in the newspaper,” she said.

“Whilst I wanted them to do this, the fact is that this is rather too little too late. I even said that I wanted an apology back in December so it is quite telling that they waited this close to trial in order to do this.”

Earlier on Thursday, the Sunday Mirror’s former in-house phone hacker revealed that he had met BBC executive Alan Yentob and ex-EastEnders actor Lucy Taggart – two of the claimants in this trial – to express his “deep, deep regret” at snooping on their voicemails.

Dan Evans, 39, was handed a 10-month suspended prison sentence last July after pleading guilty to intercepting voicemails.

He said an “inner sanctum” of senior Sunday Mirror journalists knew about phone hacking when he worked for the title from April 2003 to December 2004. “When I used the phrase inner circle, or inner sanctum, I was referring to a small group of senior journalists who taught me and tutored me in the practice of phone hacking, and who were entitled to have the entire product passed up to them.

“I passed it to them so they had overarching knowledge of voicemail interceptions.


Yoast WordPress SEO Plugin Vulnerable To Hackers

Posted on

The Yoast WordPress SEO Plugin that is used by over 14 million WordPress blogs on the web has reportedly been open to an exploit where hackers can do a Blind SQL injection.

SQL Injection vulnerability Yoast SEO plugin
SQL Injection vulnerability Yoast SEO plugin

A Blind SQL Injection is a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the applications response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.

It can be used to insert an SQL query into the database to either extract data, modify data or delete data. It is often used to insert unwanted or unauthorized affiliate, spam links, or malware/adware on sites.

If you are on WordPress, there is a good chance you are using this Yoast plugin. To fix the issue, upgrade to version 1.7.4 immediately. This version is documented to be a security fix based on what Ryan Dewhurst found during a security scan. The security fix says:
Security fix: fixed possible CSRF and blind SQL injection vulnerabilities in bulk editor. Added strict sanitation to order_by and order params. Added extra nonce checks on requests sending additional parameters. Minimal capability needed to access the bulk editor is now Editor. Thanks Ryan Dewhurst from WPScan for discovering and responsibly disclosing this issue.


Microsoft Patches Old Stuxnet Bug, FREAK Vulnerability

Posted on

Windows IT shops figure to be in for some scrambling today. Not only was it revealed that a five-year-old patch for a vulnerability exploited by Stuxnet was incomplete and machines have been exposed since 2010, but today is also Patch Tuesday and the updated Stuxnet patch is one of 14 bulletins released by Microsoft.

Five of the bulletins are rated critical by Microsoft, and include another Internet Explorer rollup and a patch for the recently disclosed FREAK attack. Microsoft also released an advisory announcing that SHA-2 code signing support has been added to Windows 7 and Windows Server 2008 R2. Later versions of Windows desktop and server OSes already include support for SHA-2 signing and verification, Microsoft said.

The highest profile bulletin, however, is MS15-020 which resolves some issues left behind by the original Stuxnet patch, CVE-2010-2568, released in August 2010. The bulletin covers two remote code execution vulnerabilities, one addressing how Windows handles loading of DLL files, and the other patches how Windows Text Services improperly handles objects in memory.

The DLL planting vulnerability was used by Stuxnet to attack the Iranian nuclear program in 2009. If a user viewed a folder or directory storing a malicious .LNK file, the exploit would allow the attacker to run code of their choice remotely.

The issue was reported to HP’s Zero Day Initiative, which worked with Microsoft providing it with details and a proof of concept exploit that was used to build a new patch.

The IE bulletin, MS15-018, addresses a number of memory corruption and elevation of privileges vulnerabilities in the browser.

“The security update addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory, by modifying how the VBScript scripting engine handles objects in memory, by helping to ensure that cross-domain policies are properly enforced in Internet Explorer, and by adding additional permission validations to Internet Explorer,” Microsoft said in its advisory.

The vulnerability is rated critical for all client versions of IE going back to IE6, while it’s rated moderate going back to IE6 on Windows Server.

Microsoft said that one of the elevation of privilege vulnerabilities has been publicly disclosed and exploited. Some details on CVE-2015-0072 were disclosed in early February by U.K. researcher David Leo of Deusen. The vulnerability, a universal cross-site scripting (XSS) bug, could be exploited to steal information or inject code into domains on the browser on Windows 7 and 8.1, he said.

Microsoft also patched a critical vulnerability in the Windows VBScript scripting engine that could lead to remote code execution. MS15-019 patches the flaw, which can be exploited if a user is led to a website hosting an exploit. VBScript 5.8 in IE 8-11 are affected by the vulnerability, which exists in the way the VBScript engine, when rendered in IE, handles objects in memory.

Microsoft also patched critical remote code execution vulnerabilities in Office. The critical bugs in MS15-022 lead to remote code execution and can be exploited via malicious Office documents. In addition to Office software, Sharepoint is also affected with a pair of cross-site scripting vulnerabilities.

Microsoft Patches Old Stuxnet Bug, FREAK Vulnerability
Microsoft Patches Old Stuxnet Bug, FREAK Vulnerability

The final critical bulletin is MS15-021, patches eight vulnerabilities in the Adobe Font Driver, four of them critical remote code execution bugs, along with less-severe information disclosure and denial of service vulnerabilities.

The critical RCE vulnerabilities are exploited over the web by taking advantage of a flaw in the way the driver improperly overwrites objects in memory. None of the vulnerabilities were publicly disclosed, nor have they been exploited in the wild.

Microsoft also released a bulletin addressing the FREAK vulnerabilities. MS15-031 specifically patches the security feature bypass vulnerability in Schannel, the Windows implementation of SSL/TLS, that enables FREAK attacks. FREAK forces systems to downgrade the key length of an RSA key to a crackable 512 bits, enabling a man-in-the-middle attack putting supposedly encrypted traffic at risk.

Initially, it was believe that FREAK was confined to certain SSL clients, including OpenSSL, but Microsoft released an advisory on March 5 warning about Schannel’s exposure.

“The security update addresses the vulnerability by correcting the cipher suite enforcement policies that are used when server keys are exchanged between servers and client systems,” Microsoft said.

Of the remaining bulletins, all of which are rated important by Microsoft, MS15-027 merits attention. The bulletin patches a vulnerability in Windows Netlogon by modifying the way it handles secure channels.

“The vulnerability could allow spoofing if an attacker who is logged on to a domain-joined system runs a specially crafted application that could establish a connection with other domain-joined systems as the impersonated user or system,” Microsoft said in its advisory, adding that the severity is lessened because an attacker would have to be logged on to a domain-joined system and be able to observe network traffic.


Aprender arte de Esteganografía

Posted on

Unas de las técnicas cuberita en el curso hacking ético es esteganografía. La esteganografía es el arte y la ciencia de escribir mensajes ocultos de tal manera que nadie aparte del destinatario sabe de la existencia del mensaje; esto está en contraste con la criptografía, donde no se disfraza la existencia del mensaje en sí, pero el contenido está oscurecido.Según expertos de curso de Seguridad Informática

se lee una determinada imagen en formato GIF, JPEG o PNG, encripta los datos suministrados por el usuario (un mensaje, un archivo, una colección de ambos) y oculta los datos cifrados en la imagen haciendo cambios sutiles del color a ciertos píxeles para almacenar los datos de la imagen simbólicamente. Según Mike Stevens quien tiene muchas certificaciones seguridad informática , otro uso de la esteganografía es la marca de agua digital, la industria del cine se conoce para incrustar una marca de agua invisible en sus películas de vista previa, antes de la liberación, si una de estas copias se filtró y se encuentra en un sitio de torrentz ellos pueden rastrear quién es la persona responsable de esa copia.

Según expertos de curso de Seguridad Informática hay varias ventajas de esteganografía contra criptografía. Primera ventaja es que no atrae la atención: Cifrar un mensaje declara que hay algo de valor y esto atraerá la atención no deseada.Mensajes de correo electrónico cifrado PGP comienzan con una línea que los identifique como un mensaje cifrado PGP, por lo que es fácil para un analizador de paquetes en un ISP para marcar correos cifrado PGP con sólo escanear la palabra PGP o GnuPG, esto no puede ser utilizado contra la esteganografía.

Hace difícil la vigilancia en Internet: Si las actividades de Internet de alguien están siendo monitoreados visitar Flickr y subir fotos personales de la familia con mensajes ocultos no se disparará una alarma pero el envío de mensajes cifrados dice Mike Stevens experto con certificaciones seguridad informática.

Difícil probar que existe: en algunos países como el Reino Unido puede ser requerido por la policía para proporcionar la contraseña para sus archivos cifrados, negándose a hacerlo conlleva una pena de prisión, si los datos se ha escondido dentro de una fotografía del policía primero tiene que demostrar que definitivamente hay algo escondido dentro del archivoacuerdo con maestro de curso hacking ético.

Curso de Seguridad Informática
Curso de Seguridad Informática

Steganalysis es el arte de descubrir mensajes ocultos esteganográficos, esta ciencia no es perfecta, es posible que steganalysis para no detectar archivos esteganográficos si los datos han sido muy bien oculto en el archivo original.

Un buen método para encontrar mensajes ocultos dentro de las imágenes es con ayuda de ayuda de experto con certificaciones seguridad informática . Ellos hacen eso mediante el uso de un editor hexadecimal y leer los primeros bytes de cabecera de imagen, por ejemplo, una imagen GIF visto por un editor hexadecimal siempre leerá “47 49 46 38”, que significa “GIF” en ASCII código, si una imagen GIF se ha utilizado para ocultar un mensaje dentro de ella cuando se ve con un editor hex los primeros bytes de identificación será diferente de los estándar.

Curso de Seguridad Informática ensenan herramientas para detectar la esteganografía automatizados, una de estas herramientas es Stegdetect, capaz de detectar mensajes en imágenes jpeg, después de que se ha encontrado un mensaje oculto un ataque de fuerza bruta puede ser lanzado, con las palabras del diccionario que intentan adivinar la contraseña y exponer los datos. Para saber más sobre esteganografía contacta iicybersecurity que dan curso hacking ético en México.