Archive for February 2015
Critical Vulnerability discovered in the Ultra Secure BlackPhone
A critical vulnerability discovered in the ultra-secure BlackPhone gave attackers the ability to decrypt and read messages, read contacts, monitor the phone's geographic location, write code or text to the phone's external storage, and enumerate the accounts stored on the device.
The vulnerability existed in SilentText, the secure text messaging application bundled with the BlackPhone; the app can also be found in the Google Play Store as a free download. A component known as libscimp contained a memory corruption flaw of the kind known as a type confusion vulnerability: code that handles an object assumes it is of one type when the attacker has arranged for it to be another, so a write meant for one field lands on a different, more sensitive one.
Mark Dowd, a principal consultant with Australia-based Azimuth Security said "the vulnerability allows an attacker to directly overwrite a pointer in memory (either partially or in full), which when successfully exploited can be used to gain remote, unauthenticated access to the vulnerable device".
SGP Technologies (a joint venture between the makers of GeeksPhone and Silent Circle) has since issued a patch for the newly discovered vulnerability.
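To make the class of bug concrete, here is an added C illustration of a type confusion flaw of the shape Dowd describes: a missing type-tag check that lets attacker-controlled bytes land on a function pointer, either partially or in full, shown next to the corrected version. This is not SilentText or libscimp code; the record layout, the function names and the input bytes are invented for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout for illustration only; this is NOT SilentText's
 * or libscimp's code and every name here is invented. */
enum rec_kind { REC_TEXT = 1, REC_HANDLER = 2 };

typedef void (*recv_fn)(const char *);

typedef struct {
    enum rec_kind kind;
    union {
        char text[16];       /* meaningful only when kind == REC_TEXT */
        recv_fn on_receive;  /* meaningful only when kind == REC_HANDLER */
    } u;
} record;

static void benign_handler(const char *msg) { (void)msg; }

/* VULNERABLE: bounds-checked, but never checks r->kind. Handed a REC_HANDLER
 * record, it copies attacker bytes straight over the function pointer.
 * n < sizeof(recv_fn) gives a partial overwrite, larger n a full one. */
int store_text_unchecked(record *r, const char *src, size_t n) {
    if (n > sizeof r->u.text) return -1;
    memcpy(r->u.text, src, n);
    return 0;
}

/* FIXED: the type tag is validated before any union member is touched. */
int store_text_checked(record *r, const char *src, size_t n) {
    if (r->kind != REC_TEXT) return -1;       /* wrong type: refuse */
    if (n > sizeof r->u.text) return -1;
    memcpy(r->u.text, src, n);
    return 0;
}

/* Builds a handler record, runs the unchecked store on it with n attacker
 * bytes, and reports whether the code pointer was altered (1) or not (0).
 * The clobbered pointer is only compared, never called. */
int unchecked_clobbers_pointer(size_t n) {
    static const char attacker[16] = "AAAAAAAAAAAAAAA"; /* constructed input */
    record r;
    r.kind = REC_HANDLER;
    r.u.on_receive = benign_handler;
    store_text_unchecked(&r, attacker, n);
    return r.u.on_receive != benign_handler;
}

/* Same experiment against the checked store: returns 1 if the store was
 * refused and the pointer survived intact. */
int checked_preserves_pointer(size_t n) {
    static const char attacker[16] = "AAAAAAAAAAAAAAA"; /* constructed input */
    record r;
    int rc;
    r.kind = REC_HANDLER;
    r.u.on_receive = benign_handler;
    rc = store_text_checked(&r, attacker, n);
    return rc == -1 && r.u.on_receive == benign_handler;
}

/* The checked store still works for the record type it is meant for. */
int checked_accepts_text(void) {
    record r;
    r.kind = REC_TEXT;
    memset(r.u.text, 0, sizeof r.u.text);
    if (store_text_checked(&r, "hello", 6) != 0) return 0;
    return strcmp(r.u.text, "hello") == 0;
}

int main(void) {
    printf("unchecked, full overwrite (16 bytes): pointer changed = %d\n",
           unchecked_clobbers_pointer(16));
    printf("unchecked, partial overwrite (3 bytes): pointer changed = %d\n",
           unchecked_clobbers_pointer(3));
    printf("checked store refused, pointer intact = %d\n",
           checked_preserves_pointer(16));
    printf("checked store accepts a text record = %d\n",
           checked_accepts_text());
    return 0;
}
```

Note that the vulnerable function is fine in isolation, with its length check present; the defect is that nothing guarantees the object it receives is the type it assumes. That is what separates type confusion from a plain overflow, and why the fix is a tag check rather than a tighter bound.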
Cyber Crime Hacker
Nowadays, any mention of malware and Macs in the same setting generally conjures up images of WireLurker. It was notable as a new family of malware specifically targeting iOS devices via USB, able to get past the iPhone's strict software controls.
WireLurker had been active in China for six months, first infecting Macs by inserting Trojan code into repackaged OS X apps, then moving on to iOS devices. Palo Alto Networks, the firm that analyzed it, claims it is the first malware to automate the generation of malicious iOS apps by implementing a binary file replacement attack.
Security experts at Palo Alto Networks traced WireLurker in a research paper, calling it "the biggest in scale we have ever seen!" WireLurker can jump from a Mac onto an iPhone running a vanilla (non-jailbroken) version of Apple's operating system by leveraging Apple's enterprise provisioning assets.
The WireLurker attackers "probably aren't people who do this often," says Ryan Olson, intelligence director of Palo Alto Networks' Unit 42. They are "clearly very skilled MacOS or iOS developers," but they definitely are not very experienced in writing malware.
As Apple's global smartphone market share continues to rise, so does the number of attempts to surreptitiously harvest data from unsuspecting consumers. As for who created WireLurker, Palo Alto's best guess is that it is one individual or a small group of individuals operating within China, independently of any nation-state. They could be a startup malware house in the new financially motivated, politically independent cybercrime underground growing behind the Great Wall.
Taking advantage of an app provisioning vulnerability, WireLurker lies dormant on a user's computer inside an infected OS X app. The malware monitors for newly connected iOS devices and installs malicious apps downloaded from an off-site server or generated autonomously on the device. From there, the program can access user information such as contacts, read iMessages and perform other functions determined by the command-and-control server.
So far, 467 OS X apps have been infected and distributed through China's third-party Maiyadi App Store, with downloads totaling 356,104, possibly impacting "hundreds of thousands of users."
While many publications have dubbed WireLurker "a new brand of threat," it seems that the majority of users have nothing to worry about. It relies on a USB connection for delivery, a practice that has gone by the wayside for most people in recent years.
On November 14, the Beijing Municipal Public Security Bureau announced it had arrested three people in connection with the WireLurker malware, which brought a sense of relief to Apple users in China.
The police received a tip from the Chinese technology company Qihoo 360 and subsequently arrested three individuals, surnamed Chen, Li, and Wang.
The third-party app store that had been serving WireLurker, Maiyadi, was also shut down. Apple has already taken steps to block the infected programs, but the rest of the work rests with users.
Google’s Project Zero gets tough on companies with lax security patch policies
Google Inc. has an elite team of hackers and programmers called Project Zero, so named after the "zero-day" security flaws that are exploited before developers learn of them.
Project Zero scrubs Google's own and competitors' software for security flaws, giving companies a deadline, specifically a 90-day ultimatum, to patch their vulnerabilities; otherwise the details are made public.
The aim is to "motivate" competitors like Microsoft Corp. and Apple Inc. to fix their buggy software before real cyber criminals take advantage of the flaws in their unpatched code. Of course, neither Microsoft nor Apple is keen on this.
Opponents of Project Zero's practice say it puts online security at risk by revealing gaps before they can be plugged; hackers in the know work fast to exploit software flaws once they become public.
Consider the Chinese-backed intruders who exploited the Web-security flaw known as Heartbleed to attack Community Health Systems Inc. only a week after the flaw was publicized.
Apple even pleaded with Google to wait before going public so it could fix flaws in the Mac OS X operating system. Google knew the fix was coming and had possession of the updated software because it was also an Apple developer at the time. Google refused and released details of the flaws to the public. Microsoft also requested additional time to fix a flaw in its Windows OS. Google again refused and publicized the bug.
Google's supporters say Project Zero's 90-day hard line may push an industry in which companies can take months or years to patch their bugs toward better security patching practices.
To date, Google's Project Zero has identified 39 vulnerabilities in Apple products and 20 in Microsoft products. The team has also found 37 flaws in Adobe Systems Inc. software and 22 in the FreeType software development library for rendering fonts.
It is a good thing for consumers that Google's Project Zero has taken on the role of "patch it or we'll report it" taskmaster, as many of these companies' products can leave users vulnerable to hacks that create more grief and deeper problems if they are not kept in check.
Project Zero has drawn a line in the sand; how the affected companies react will determine which products you can really trust with your data in the future.
Live Map Shows Thousands of Cyber Attacks as They Happen
Sony got nuked, said one security expert. But it's hardly the only attack aimed at a major corporation. Tens of thousands of cyber-attacks are launched every second, a majority of them directed at the United States, but few have the impact that can force a Hollywood studio to cancel a film.
"There's really no other word for it," said Kurt Stammberger, a security expert and vice president for marketing at Norse, a cyber-security firm specializing in live attack intelligence. "What's happening at Sony is really the nightmare scenario for every organization."
The Northern California-based company, which provides live intelligence data to companies such as HP, has an interactive map of cyber-attacks on its website where users can watch the action as it happens.
"It's a little bit like the weather – it comes and goes in storms and bursts," said Stammberger.
Except, unlike the weather, the attacks shown, represented by streaks of colored lines, are only one tenth of one percent of all cyber-attacks. The whole map would be covered if it showed every attack, so only a random sample is displayed.
Norse comes up with this data by placing more than eight million bait computers, or "honeypots," in 167 data centers across 47 countries, where they are attacked by hackers who think the bait machines hold credit card numbers or other sensitive information.
While the continuous barrage of cyber-attacks makes for an engaging map that looks more like a hacker version of the board game Risk, it highlights how pervasive cybercrime and cyber-attacks are in an age when megabytes if not gigabytes of our own personal information and financial records are collected and stored on servers whose level of protection we cannot verify.
Thankfully, it's not just defense for the good guys. See the mysterious node on the map in the ocean just southwest of Africa? It's not a ship or an island full of hackers unleashing attacks. The node represents attacks launched on the offensive by the U.S. government, placed in the ocean to conceal where the attacks actually originate.
Trojans, Viruses and Worms
Introduction:
Computers have become mandatory for running a successful business. It is not enough to have isolated computer systems; they need to be networked to facilitate communication with external businesses. This exposes them to the outside world and to cybercrime. Cybercrime is the use of computers to commit illegal acts such as fraud, privacy invasion, theft of corporate or personal data, and so on. Cybercrimes cost many organizations millions of dollars every year, so businesses need to protect themselves against such attacks.
How can they protect themselves? In this article, we will introduce you to ethical hacking.
Topics covered:
· Common hacking terminologies
· What is cybercrime?
· Types of cybercrime
· What is ethical hacking?
· Why ethical hacking?
· Legality of ethical hacking
· Summary
What is hacking?
There are many definitions of hacking. In this article, we will define hacking as identifying weaknesses in computer systems and/or networks and exploiting those weaknesses to gain access. An example of hacking is bypassing the login mechanism to gain access to a system. A hacker is a person who finds and exploits weaknesses in computer systems and/or networks to gain access. Hackers are usually skilled computer programmers with knowledge of computer security. Before we go any further, let's look at some of the most commonly used terminologies in the world of hacking.
Types of Hackers
Hackers are classified according to the intent of their actions. The following list classifies hackers according to their intent.
What is Cybercrime?
Cybercrime is the use of computers and networks to perform illegal activities such as spreading computer viruses, online bullying, performing unauthorized electronic fund transfers, etc. Most cybercrimes are committed through the internet. Some cybercrimes can also be carried out using mobile phones via SMS and online chat applications.
Types of Cybercrime:
The following list presents the common types of cybercrime:
Computer fraud: Intentional deception for personal gain via the use of computer systems.
Privacy violation: Exposing personal information such as email addresses, phone numbers, account details, etc. on social media, websites, etc.
Identity theft: Stealing personal information from somebody and impersonating that person.
Sharing copyrighted files/information: Distributing copyright-protected files such as eBooks, computer programs, etc.
Electronic funds transfer: Gaining unauthorized access to bank computer networks and making illegal fund transfers.
Electronic money laundering: Using computers to launder money.
ATM fraud: Intercepting ATM card details such as account numbers and PINs, then using them to withdraw funds from the compromised accounts.
Denial of Service attacks: Using computers in multiple locations to attack servers with a view to shutting them down.
Spam: Sending unsolicited emails, which usually contain advertisements.
What is ethical hacking?
Ethical hacking is identifying weaknesses in computer systems and/or computer networks and coming up with countermeasures that protect against those weaknesses. Ethical hackers must abide by the following rules:
· Get written permission from the owner of the computer system and/or computer network before hacking.
· Protect the privacy of the organization being hacked.
· Transparently report all identified weaknesses in the computer system to the organization.
· Inform hardware and software vendors of the identified weaknesses.
Why ethical hacking?
Information is one of the most valuable assets of an organization. Keeping information secure protects an organization's image and can save it a lot of money. Hacking can lead to loss of business for organizations that deal in finance, such as PayPal. Ethical hacking puts them a step ahead of the cyber criminals who would otherwise cause that loss.
Legality of ethical hacking
Ethical hacking is legal if the hacker abides by the rules stipulated in the section above defining ethical hacking. The International Council of E-Commerce Consultants (EC-Council) provides a certification program that tests individuals' skills. Those who pass the examination are awarded certificates, which must be renewed periodically.
Summary
Hacking is identifying and exploiting weaknesses in computer systems and/or computer networks. Cybercrime is committing crime with the aid of computers and information technology infrastructure. Ethical hacking is about improving the security of computer systems and/or computer networks. Ethical hacking is legal when it is carried out with the owner's written permission and by the rules above.