Cisco Adds Vulnerability Identification to Tetration Platform
6.3.2018 securityweek

Cisco today announced the availability of identification of software vulnerabilities and exposures as part of the security capabilities of its Tetration platform.

Designed to offer workload protection for multi-cloud data centers through a zero-trust model that employs segmentation, the platform can now also detect vulnerabilities associated with software installed on servers.

With support for both on-premises and public cloud workloads, Tetration can now help identify security incidents faster, as well as contain lateral movement, in addition to reducing attack surface, Cisco says.

“Tetration is equipped to identify high severity security events such as Spectre and Meltdown using behavior-based anomalies,” Cisco notes.

The platform maintains an inventory of the software packages installed on the server, along with information on version and publisher. Leveraging the Common Vulnerabilities and Exposure (CVE) database, Tetration can detect packages with known CVEs.

The platform also offers a scorecard ranking the severity of specific vulnerabilities and reveals which servers might be affected, thus helping IT organizations proactively set up filters to find additional vulnerabilities.

Now, Tetration can also collect and maintain information about running processes on each server, on a real-time basis, Cisco announced. This should help IT managers find servers on which specific processes are running or have run. The collected information includes ID, parameters, duration, hash (signature), and the user running the process.

The identification of application behavior deviations from the baseline is also available on the platform, through the monitoring of workloads and networks for behavior that might be suspicious. Tetration first creates an application behavior baseline and then keeps an eye out for any deviations to identify attacks.

“For example, a process might seek to obtain privileged access that it should not have under normal behavior and use that privilege to execute a series of operations. Tetration can provide a time-series view of history to visualize process hierarchy and behavior information,” Cisco says.

The platform can search for specific process events and discover details such as privilege escalation, shell code execution, and side channel attacks.

According to Cisco, process behavior monitoring and identification of vulnerabilities allow Tetration to identify anomalies in minutes and reduce the attack surface up to 85%, while efficient application segmentation minimizes lateral movement. Furthermore, automation allows for a 70% reduction in human intervention to enable a zero-trust model.

“Tetration is powered by big data technologies to support the scale requirements of data centers. It can process comprehensive telemetry information received from servers in real-time (up to 25,000 servers per cluster). Tetration can enforce consistent policy across thousands of applications and tens of millions of policy rules,” Cisco notes.

Facebook improves link security infrastructure by implementing HSTS Preloading
6.3.2018 securityaffairs

Facebook has implemented HSTS preloading that instructs a browser to always use SSL/TLS to communicate with eligible websites.
Facebook has upgraded its link security infrastructure to include HTTP Strict Transport Security (HSTS) preloading that instructs a browser to always use SSL/TLS to communicate with eligible websites.

Facebook and Instagram links will automatically update from HTTP to HTTPS for eligible websites.

“We have recently upgraded our link security infrastructure to include HSTS preloading, which automatically upgrades HTTP links to HTTPS for eligible websites. This will improve people’s security and will also often improve the speed of navigation to sites from Facebook.” reads the announcement published by Facebook.

According to Facebook, the modification aims to improve security and navigation speed for Facebook and Instagram links.
HSTS Preloading Facebook
Facebook determines the links that are eligible for HTTPS based on two sources:

The Chromium preload list, that is currently used in most major browsers;
Recording HSTS headers from sites shared on Facebook, in this case, the browser preload list is updated with any sites that serve HSTS with the preload directive.
Facebook invites websites to support HTTPs and sponsors Let’s Encrypt initiative which provides free TLS certificates and instructions on how to enable HTTPS for most common server software.

Triada Trojan Pre-Installed on Low Cost Android Smartphones
5.3.2018 securityweek Android

Security researchers have discovered the sophisticated Triada Trojan in the firmware of more than 40 low-cost Android smartphone models.

Discovered in early 2016 and considered one of the most advanced mobile threats out there, Triada stands out in the crowd because it abuses the Zygote parent process to inject its code in the context of all software on the device. The Trojan uses root privileges to replace system files and resides mainly in the device’s RAM, which makes it difficult to detect.

In April last year, security researchers discovered that Triada had adopted sandbox technology in an attempt to boost its detection evasion capabilities. Specifically, the malware was using the open source sandbox DroidPlugin, which allowed it to dynamically load and run code going through the installation process.

Several months later, in July 2017, Doctor Web reported that Triada was present in the firmware of several low-cost Android smartphones. At the time, the list of infected device models included Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.

Now, the security firm reveals that the Trojan comes pre-installed on a larger number of Android smartphone models, even on devices that were launched in December 2017. Overall, over 40 device models were found to be impacted, the security researchers say.

The specific malware variant found on these devices is detected as Android.Triada.231 and includes all of the capabilities a member of the Triada family comes with: it injects its module in the Zygote process to penetrate all running applications on the device.

This allows the Trojan to carry out a broad range of malicious activities without user interaction, such as covertly downloading and launching applications. Designed with a modular architecture, Triada can redirect financial SMS transactions to buy additional content or steal money from the user.

Because the malware authors managed to inject Android.Triada.231 into the system library, they are able to compromise a device’s firmware during the manufacturing process, and users end up receiving smartphones that have been already infected.

Doctor Web says they notified manufacturers who produced infected devices of the compromise last year, but infected models continue to be produced. One of these is the Leagoo M9 smartphone, which was announced in December 2017.

“Additionally, our analysts’ research showed that the Trojan’s penetration into firmware happened at request of the Leagoo partner, the software developer from Shanghai. This company provided Leagoo with one of its applications to be included into an image of the mobile operating system, as well as with an instruction to add third-party code into the system libraries before their compilation,” Doctor Web says.

Despite this controversial request, the manufacturer didn’t become suspicious and the Trojan ended up on the new smartphone model without any obstacles.

The security researchers also discovered that the malicious application was signed with the same certificate as Android.MulDrop.924, a Trojan discovered in 2016. This suggests that the developer requesting the addition of the code into the mobile operating system image might be involved in the distribution of Triada.

Doctor Web published a list of the 40 device models infected with Triada, but warns that the list might not be comprehensive, as other compromised smartphones could exist out there. Impacted manufacturers include Leagoo, ARK, Zopo, Doogee, Vertex, Advan, Cubot, Prestigio, Pelitt, and more.

“Such widespread distribution of Android.Triada.231 shows that many Android device manufacturers pay little attention to security questions and penetration of the Trojan code into system components. This can be due to error or malicious intent and is likely common practice,” the researchers point out.

Payment Card Breach Hits Some Applebee's Restaurants
5.3.2018 securityweek

RMH Franchise Holdings revealed on Friday that malware had been found on point-of-sale (PoS) systems at the Applebee’s restaurants it operates as a franchise.

RMH disclosed the incident on Friday afternoon, which often indicates an attempt to avoid the news cycle and fly under the radar. The company posted a link to the data breach notice on the homepage of its website, but it did not announce anything on social media.

According to the data breach notice, the incident affects more than 160 restaurants in Alabama, Arizona, Florida, Illinois, Indiana, Kansas, Kentucky, Missouri, Mississippi, Nebraska, Ohio, Pennsylvania, Texas and Wyoming. This represents nearly all the restaurants operated by RMH.

In a vast majority of cases, the malware was present on PoS systems between December 6, 2017 and January 2, 2018, but in a small number of restaurants the malware had been active since November 23 or December 5, 2017. The company said the breach does not impact payments made online or using self-pay tabletop devices.

The breach was discovered on February 13 and RMH launched an investigation in cooperation with cybersecurity experts and law enforcement.

The company said the malware was designed to collect names, credit or debit card numbers, expiration dates, and card verification codes.

RMH pointed out that its payment systems are isolated from the broader Applebee’s network, which is not affected by this incident.

“Moving forward, RMH is continuing to closely monitor its systems and review its security measures to help prevent something like this from happening again,” RMH said. “RMH is pleased to report that the incident has been contained and guests may use their cards with confidence at the RMH Applebee’s locations that were affected by this incident.”

Several major restaurant chains disclosed payment card breaches last year, including Arby’s, Chipotle, Sonic Drive-In, and Shoney’s. Amazon's Whole Foods Market also informed customers that taprooms and full table-service restaurants at nearly 100 locations were hit by a breach.

Largest Ever 1.3Tbps DDoS Attack Includes Embedded Ransom Demands
5.3.2018 securityweek

[UPDATED - New record set at 1.7Tbs] On Tuesday, February 27, three major DDoS mitigation service providers (Akamai, Cloudflare and Arbor) warned that they had seen spikes in a relatively rare form of reflection/amplification DDoS attack via Memcached servers. Each service provider warned that this type of reflection attack had the potential to deliver far larger attacks.

One day later, Wednesday, February 28, GitHub was hit by the largest DDoS attack that had ever disclosed -- more than twice the size of the Mirai attack of 2016, peaking at 1.3Tbps. And still the potential, in the short term at least, is for even larger attacks.

Amplification attacks are generated when a server can be 'tricked' into sending a larger response than the initial query. Reflection occurs when the requesting IP is spoofed. The result is that multiple servers can be tricked into sending large responses to a single target IP, rapidly overwhelming it with the volume sent.

Memcached servers are particularly vulnerable to such a use whenever they are left accessible from the public internet. In theory, this should never -- or at least very rarely -- happen; in practice there are various estimates of between 50,000 and more than 100,000 vulnerable servers. Because the service was designed for use internally within data centers, it has no inbuilt security and can be easily compromised by attackers.

The purpose of Memcached servers is to cache frequently used data to improve internal access speeds. Its default service is via UDP. Because it can be easily compromised, the data it caches can be configured by the attackers. The result is that small requests to the server can result in very large replies from the cache. Researchers suggest, in theory, the reply could be up to 51,000 times the size of the request. This is the amplification side of the attack -- the ability to amplify a 203-byte request into a 100-megabyte response.

If the requests include a spoofed IP address, the reply can be sent to a different target IP address. This is the redirection side of the attack. If successive requests are made to multiple compromised Memcached servers all delivered to a single target IP, the result is an amplification/redirection DDoS attack such as that delivered against GitHub on 28 February.

This attack was described by GitHub Engineering on Thursday. "The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints." It started at 17.21 UTC when GitHub's network monitoring detected an anomaly in the ratio of ingress to egress traffic. Within 5 minutes GitHub decided to call on Akamai's DDoS mitigation service.

"At 17:26 UTC the command was initiated via our ChatOps tooling to withdraw BGP announcements over transit providers and announce AS36459 exclusively over our links to Akamai." Akamai took over mitigation, and by 17:30, GitHub had recovered. Akamai's own statistics show that the attack peaked at 1.35 Tbps before tailing off; and was followed by a smaller, yet still very large, attack of around 400 Gbps just after 18:00 UTC.

Akamai's own brief report on the incident comments, "Many other organizations have experienced similar reflection attacks since Monday, and we predict many more, potentially larger attacks in the near future. Akamai has seen a marked increase in scanning for open memcached servers since the initial disclosure."

Small DDoS attacks are often delivered as an extortion 'warning', with a demand for payment to prevent a larger attack. Cybereason has noticed that this process was reversed in the GitHub attack -- the attack itself contained the extortion demand: "the same memcached servers used in the largest DDoS attack to date are including a ransom note in the payload that they're serving," it reported on Friday.

The extortion note, which occurs in a line of Python code delivered by the compromised Memcached servers, demands payment of 50 XMR (the symbol for the Monero cryptocurrency). This would have been approximately $15,000.

"It is a pretty clever trick to embed the ransom demand inside the DOS payload," Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, told SecurityWeek. "It is also fitting with the times that attackers are asking for Monero rather than Bitcoin because Monero disguises the origin, destination and amount of each transaction, making it more suitable for ransoms."

There is no way of knowing whether any of the recent Memcached DDoS victims have paid a Monero ransom.

Memcached attacks are not entirely new, but have been relatively rare before the last ten days. The DDosMon from Qihoo 360 monitors amplification attack vectors and its figures show generally less than 100 attacks per day since at least November 2017. On 24 February this spiked to more than 400 attacks, followed by an increase to more than 700 in the following days.

It is thought that until recently Memcached attacks were deployed manually by skilled attackers, but that the attack techniques have now been weaponized and made available to all skill-levels via so-called booter/stresser botnets. This is what makes it likely that there will be more and potentially larger Memcached attacks in the future.

But it's not all doom and gloom. The number of vulnerable servers is already decreasing as operators begin to secure their Memcached servers.

"Overall memcached is expected to top the DDoS charts for a relatively short period of time," Ashley Stephenson, CEO, Corero Network Security, told SecurityWeek by email. "Ironically, as we have seen before, the more attackers who try to leverage this vector the weaker the resulting DDoS attacks as the total bandwidth of vulnerable servers is fixed and is shared across the victims. If a single attack could reach 200G, then with only 10 bad actors worldwide trying to use this vector at the same time they may only get 20G each. If there are hundreds of potential bad actors jumping on the memcached bandwagon, this once mighty resource could end up delivering just a trickle of an attack to each intended victim."

UPDATE - New record set at 1.7Tbps - As predicted, the Memcached DDoS methodology has already created a new world record. Netscout Arbor has today confirmed a 1.7Tbps DDoS attack against the customer of a U.S.-based service provider. This attack was recorded by Netscout Arbor’s ATLAS global traffic and threat data system, and is more than 2x the largest Netscout Arbor had previously seen. No further details are yet available.

Critical flaw in Pivotal’s Spring Data REST allows to hack any machine that runs an application built on its components
5.3.2018 securityaffairs

A critical flaw in Pivotal’s Spring Data REST allows remote attackers to execute arbitrary commands on any machine that runs an application built using its components.
Pivotal’s Spring Data REST project is affected by a critical vulnerability, tracked as CVE-2017-8046, that was discovered by security researchers at Semmle/lgtm.

Pivotal’s Spring Framework a platform is widely used by development teams for building web applications.

Spring Data REST builds on top of Spring Data repositories, it allows to expose hypermedia-driven HTTP resources (collection, item, and association resources) representing your model) for aggregates contained in the model.

The components included in the Spring Data REST are used by developers to build Java applications that offer RESTful APIs to underlying Spring Data repositories.

The vulnerability is similar to the weaknesses found in Apache Struts that resulted in the Equifax data breach.

“Security researchers at have discovered a critical remote code execution vulnerability that affects various projects in Pivotal Spring, the world’s most popular framework for building web applications.” reads the security advisory published by Semmle/lgtm. “The vulnerability allows attackers to execute arbitrary commands on any machine that runs an application built using Spring Data REST.”

Pivotal's Spring Data REST

This flaw ties the way Spring’s own expression language (SpEL) is used in the Data REST component. The lack of validation of the user input allows the attacker to execute arbitrary commands on any machine that runs an application built using Spring Data REST.

“Virtually every modern web application will contain components that communicate through REST interfaces, ranging from online travel booking systems, mobile applications and internet banking services,” continues the advisory.

Pivotal issued a security patch for a vulnerability it refers to as DATAREST-1127 as part of its Spring Boot 2.0 update.

“Malicious PATCH requests submitted to spring-data-rest servers can use specially crafted JSON data to run arbitrary Java code.” reads the security advisory published by Pivotal.

Researchers from have worked closely with Pivotal to solve the issue and publicly disclose the issue, the intent was to give Spring Data REST users sufficient time to update their apps.

The experts urge to apply the fix because it allows remote attackers to execute arbitrary commands on any machine that runs an application built using Spring Data REST.

The exploitation of the flaw in RESTful APIs could allow hackers to easily gain control over production servers and access sensitive information.

“This vulnerability in Spring Data REST is unfortunately very easy to exploit. As it is common for RESTful APIs to be publicly accessible, it potentially allows bad actors to easily gain control over production servers and obtain sensitive user data.” explained Man Yue Mo, security researcher at Semmle who discovered the issue.

The affected Spring products and components are:

Spring Data REST components, versions prior to 2.5.12, 2.6.7, 3.0RC3
(Maven artifacts: spring-data-rest-core, spring-data-rest-webmvc, spring-data-rest-distribution, spring-data-rest-hal-browser)
Spring Boot, versions prior to 2.0.0M4
(when using the included Spring Data REST component: spring-boot-starter-data-rest)
Spring Data, versions prior to Kay-RC3
Hurry up, upgrade to the latest versions the aabove components.

New attacks on 4G LTE networks can allow to spy on users and spoof emergency alerts
5.3.2018 securityaffairs Mobil 

A group of researchers discovered a number of weaknesses in the 4G LTE networks that could be exploited by attackers to eavesdrop on phone calls and text messages, knock devices offline, track location, and spoof emergency alerts.
A group of researchers from Purdue and the University of Iowa have discovered a number of vulnerabilities affecting the 4G LTE networks that could be exploited by attackers to eavesdrop on phone calls and text messages, knock devices offline, track location, and spoof emergency alerts.

The experts detailed ten different attacks in a research paper, the experts leverage weaknesses in three critical protocol operations of the cellular network, such as securely attaching a device to 4G LTE networks and maintaining a connection to receive calls and messages.

“In this paper, we investigate the security and privacy of the three critical procedures of the 4G LTE protocol (i.e., attach, detach, and paging), and in the process, uncover potential design flaws of the protocol and unsafe practices employed by the stakeholders.” reads the paper published by the experts.”For exposing vulnerabilities, we propose a model based testing approach LTEInspector which lazily combines a symbolic model checker and a cryptographic protocol verifier in the symbolic attacker model.”

The researchers devised a testing framework dubbed LTEInspector that they used to detect vulnerabilities in LTE radios and networks.

The group tested eight of the ten attacks using SIM cards from four large US carriers.

The researchers demonstrated how to conduct authentication relay attacks that allow them to bypass the network authentication and masquerade as a victim’s device.

An attacker can access 4G LTE networks and impersonate the victim.

” Using LTEInspector, we have uncovered 10 new attacks along with 9 prior attacks, categorized into three abstract classes (i.e., security, user privacy, and disruption of service), in the three procedures of 4G LTE.” continues the paper.
“Notable among our findings is the authentication relay attack that enables an adversary to spoof the location of a legitimate user to the core network without possessing appropriate credentials. To ensure that the exposed attacks pose real threats and are indeed realizable in practice, we have validated 8 of the 10 new attacks and their accompanying adversarial assumptions through experimentation in a real testbed”

4G LTE networks

The researchers highlighted the dangers related to the exploitation of the flaws, an attacker can spoof the location of the victim device, which could lead to interference in criminal investigations by planting false location information, which could allow crooks to create fake evidence.

The weaknesses could be exploited by threat actors to cause the chaos by injecting warning messages, emergency notices, and Amber alerts in the 4G LTE networks.

One of the scenarios tested by the researchers, a major US carrier never used encryption for control plane messages allowing an attacker to exploit the issues to eavesdrop the SMS and other sensitive data. The good news is that the US carrier has promptly addressed the flaw and deployed a fix.

The scary aspect of this research is that a cheap equipment (common software-defined radio devices) and open source 4G LTE protocol software could be bought by anyone to carry out the attacks.

Anyone can build the equipment to power the attacks for as little as $1,300 to $3,900.

The researchers announced that they plan to release the proof-of-concept code once the vulnerabilities will be fixed.

Applebee restaurants suffered payment card breach
5.3.2018 securityaffairs

RMH Franchise Holdings revealed on Friday afternoon that PoS systems at the Applebee ’s restaurants were infected with a PoS malware.
Another week another data breach, RMH Franchise Holdings revealed last week that PoS systems at the Applebee’s restaurants were infected with malware.

The PoS malware was used to collect names, payment card numbers, expiration dates, and card verification codes.

On Friday afternoon, RMH Franchise Holdings published a link to the data breach notice on its website.

“RMH Franchise Holdings (“RMH”) recently learned about a data incident affecting certain payment cards used at RMH-owned Applebee’s restaurants that we operate as a franchisee.” states the notice of the data breach.

“We are providing this notice to our guests as a precaution to inform them of the incident and to call their attention to some steps they can take to help protect themselves. RMH operates its point-of-sale systems isolated from the broader Applebee’s network, and this notice applies only to RMH-owned Applebee’s restaurants.”

The security breach was discovered on February 13, the RMH promptly started an investigation with the help of and law enforcement.

The infection lasted between December 6, 2017, and January 2, 2018, is some cases the malware was present on the PoS systems of restaurants since November 23 or December 5, 2017.

Almost any restaurant operated by RMH was impacted, the incident affects more than 160 restaurants in Alabama, Arizona, Florida, Illinois, Indiana, Kansas, Kentucky, Missouri, Mississippi, Nebraska, Ohio, Pennsylvania, Texas, and Wyoming.

Applebees restaurants

The security breach does not affect online payments systems, clients using self-pay tabletop devices were not affected too.

RMH clarified that its payment systems are not affected by the incident because they are isolated from the payment network used Applebee.

“After discovering the incident on February 13, 2018, RMH promptly took steps to ensure that it had been contained. In addition to engaging third-party cyber security experts to assist with our investigation, RMH also notified law enforcement about the incident and will continue to cooperate in their investigation.”RMH added.

“Moving forward, RMH is continuing to closely monitor its systems and review its security measures to help prevent something like this from happening again.”

Windows Defender ATP Detects Spyware Used by Law Enforcement: Microsoft
5.3.2018 securityweek

Microsoft Dissects FinFisher’s Complex Infection Process

Windows Defender Advanced Threat Protection (Windows Defender ATP) is capable of detecting behavior associated with the sophisticated FinFisher spyware, Microsoft says, after performing an in-depth analysis of the malware’s infection process.

FinFisher is a lawful interception solution built by Germany-based FinFisher GmbH, which sells it exclusively to governments. Also referred to as FinSpy, the malware has been around for over half a decade and has been associated with various surveillance campaigns.

In September last year, after the malware was observed exploiting a .NET Framework zero-day (CVE-2017-8759) for infection, ESET warned that Internet service providers (ISPs) might be involved in FinFisher’s distribution process.

According to Microsoft, FinFisher is complex enough to require “special methods to crack it” but, despite its sophistication, the malware cannot go unnoticed by its security tools. These include Office 365 Advanced Threat Protection (Office 365 ATP) and Windows Defender ATP, which is set to arrive on Windows 7 and Windows 8.1 devices this summer.

Packed with various detection, evasion and anti-analysis capabilities, including junk instructions and “spaghetti code,” multi-layered virtual machine detection, and several anti-debug and defensive measures, FinFisher wasn’t easy to tear apart and analyze, Microsoft says.

Through the addition of continuous code jumps (spaghetti code), FinFisher’s authors ensured that the program flow is difficult to read and can confuse disassembly programs. While reversing plugins that may help in such situations exist, none was found to work with this malware, and Microsoft had to come up with their own.

The first thing the company discovered was an array of opcode instructions that a custom virtual machine program can interpret. 32 different routines were discovered, each implementing a different opcode and functionality that the malware program may execute.

Not only does the use of virtualized instruction blocks ensure that analysis using regular tools is not possible, but anti-debug and anti-analysis tricks in the virtualized code attempt to evade dynamic analysis tools as well.

“Each virtual instruction is stored in a special data structure that contains all the information needed to be properly read and executed by the VM. […] The VM handler is completely able to generate different code blocks and deal with relocated code due to address space layout randomization (ASLR). It is also able to move code execution into different locations if needed,” the software giant explains.

The first stage of FinFisher is a loader meant to detect sandbox environments. If it passes the initial set of checks, the loader reads four imported libraries from disk (ntdll.dll, kernel32.dll, advapi32.dll, and version.dll) and remaps them in memory, rendering debuggers and software breakpoints useless.

Next, the malware performs additional anti-sandbox checks, likely in an attempt to avoid specific sandbox or security products, and also checks for virtualized environments (VMWare or Hyper-V) and if it is running under a debugger.

Only if all these checks are passed, the loader moves to the next step, which represents a second multi-platform virtual machine.

“The 32-bit stage 2 malware uses a customized loading mechanism (i.e., the PE file has a scrambled IAT and relocation table) and exports only one function. For the 64-bit stage 2 malware, the code execution is transferred from the loader using a well-known technique called Heaven’s Gate,” Microsoft explains.

The 64-bit stage 2 implements another loader and virtual machine, featuring an architecture similar to those in the previous stage, but using slightly different opcodes (which Microsoft lists on their site). The virtual machine extracts and decrypts the stage 3 malware. After decryption, the payload is remapped and executed in memory.

Stage 3, which represents the installation and persistence stage of the malware, is the setup program for FinFisher and no longer employs a VM or obfuscation. The code can install the malware in a UAC-enforced environment with limited privileges, or with full-administrative privileges enabled. However, no privilege escalation code was found in the malware.

During this installation step, stage 4, stage 5, and stage 6 payloads, along with additional files, are potentially dropped under a folder located in C:\ProgramData or in the user application data folder. Stage 4 is a loader for UAC bypass or installation with admin rights, stage 5 is a payload injected into explorer.exe or winlogon.exe, while stage 6 is the main malware executable.

The stage 5 malware only provides one more layer of obfuscation for the final payload (through the VM) and sets up a special Structured Exception Hander routine to ensure stealthy operations. After checking the environment once again, it proceeds to extract and execute the final payload into the injected process (it uses RunDll to implement the spyware).

SgxPectre attack allows to reveal the content of the SGX enclave
5.3.2018 securotyaffairs

A group of researchers from the Ohio State University has discovered a new variation of the Spectre attack named SgxPectre that allows to reveal the content of the SGX enclave.
A group of researchers from the Ohio State University has discovered a new variation of the Spectre attack named SgxPectre.

Intel Software Guard eXtensions (SGX) is a technology for application developers that allows protecting select code and data from disclosure or modification. The Intel SGX allows application code executing within an Intel SGX enclave, which are protected areas of execution in memory.

We have a long debated both Spectre and Meltdown vulnerabilities in Intel processors and the way to exploit them.

The Meltdown attack could allow attackers to read the entire physical memory of the target machines stealing credentials, personal information, and more.

The Meltdown exploits the speculative execution to breach the isolation between user applications and the operating system, in this way any application can access all system memory.

The Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited to extract information from its own process via code, for example, a malicious JavaScript can be used to extract login cookies for other sites from the browser’s memory.

The Spectre attack breaks the isolation between different applications, allowing to leak information from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

While the exploitation of Meltdown or Spectre doesn’t allow attackers to extract data from SGX enclaves, the SgxPectre attack exploits the bugs in Intel CPU to reveal the content of the SGX enclave.

“SGXPECTRE Attacks that exploit the recently disclosed CPU bugs to subvert the confidentiality of SGX enclaves. Particularly, we show that when branch prediction of the enclave code can be influenced by programs outside the enclave, the control flow of the enclave program can be temporarily altered to execute instructions that lead to observable cache-state changes.” reads the paper published by the researchers.

“An adversary observing such changes can learn secrets inside the enclave memory or its internal registers, thus completely defeating the confidentiality guarantee offered by SGX.”

According to the experts, almost any enclave program could be vulnerable to the SGXPECTRE attack.

SgxPectre Intel SGX enclave

The attack SgxPectre leverages on specific code patterns in software libraries that allow developers to add SGX support to their application. Desired code patterns are available in most SGX runtimes, including Intel SGX SDK, Rust-SGX, and Graphene-SGX.

Basically, the SgxPectre is a cache side-channel attack against enclave programs.

The researchers explained that their attack is based on the observation of the repetitive code execution patterns that the software development kits introduce in SGX enclaves and the associated variation in the cache size.

“In particular, because vulnerable code patterns exist in most SGX runtime libraries (e.g., Intel SGX SDK, Rust-SGX, Graphene-SGX) and are difficult to be eliminated, the adversary could perform SGXPECTRE Attacks against any enclave programs.” continues the paper.

“We demonstrate end-to-end attacks to show that the adversary could learn the content of the enclave memory, as well as its register values in such attacks”

Intel plans to address SgxPectre with a security update for the Intel SGX SDK that will be released on March 16.

Developers will need to update their application by using the new SDK version.

The experts released a video PoC of the attack while the PoC code was published on GitHub.

GCHQ fears energy smart meters could expose millions of Bretons to hack
4.3.2018 securityaffairs BigBrothers

In the United Kingdom, new smart energy meters that are set to be installed in 27 million homes were found vulnerable by GCHQ.
Unsecured IoT devices are a privileged target of hackers and unfortunately, smart energy meters belong to this category.

In the UK, new smart energy meters that are set to be installed in 27 million homes were found vulnerable by GCHQ.

According to the intelligence agency the vulnerabilities could be exploited by hackers to compromise the IoT devices posing a serious risk to the users.

In 2017, some energy providers in the UK, including British Gas, E.on, Npower, Scottish Power and EDF, started testing SMETS 2 smart energy meters, the successor of SMETS 1 meters.

The new model smart energy meters addressed several issues that affected the 8 million of SMETS 1 meters

SMETS 2 smart energy meters solved various problems that both consumers and energy firms faced with first-generation SMETS 1 meters. Unlike the older SMETS 1 meters, the UK, SMETS 2 could be used by energy suppliers to remotely receive meter readings electronically.

The SMETS 2 smart energy meters were also designed to interoperate with different suppliers, consumers can change the energy provider without needing to change the meters.

According to a post published by the Telegraph, the GCHQ has raised concerns over the security of the smart energy meters. Attackers hack them to steal personal details and defraud consumers by tampering with their bills.

“Cyber security experts say that making the meters universal will make them more attractive to hackers because the potential returns are so much greater if they can hack every meter using the same software.” states The Telegraph.

“The cyber criminals are able to artificially inflate meter readings, making bills higher.

They then try to intercept payments, and if they simply skim off the difference between the real reading and the false reading, energy companies will think the bill has been paid normally.”

The intelligence agency also warned attackers could use the devices as a “Trojan horse” to enter in the customers’ networks.

The UK Government also fears that nation-state actors could exploit the flaws in the energy smart meters to create a power surge that would damage the National Grid.

Security experts also warn of BlueBorne attacks that potentially expose smart meters to hack by leveraging Bluetooth connections.

Robert Cheesewright, of Smart Energy GB, the Government-funded agency promoting the smart meter roll-out, tried to downplay the risks explaining that no financial data is directly managed by the devices, but evidently, its explanation doesn’t consider different attack scenarios.

“Smart meters are one of the safest and most secure pieces of technology in your home.” said Robert Cheesewright.

“Only energy data is stored on a meter and this is encrypted. Your name, address, bank account or other financial details are not stored on the meter.”

Risks associated with vulnerable smart meters were already analyzed in the past, in 2014 the security researchers, Javier Vazquez Vidal and Alberto Garcia Illera discovered that millions of Network-connected electricity meters in Spain were are susceptible to cyberattack due to lack of proper security controls.

Bitcoin-linked heist: thieves stolen 600 powerful computers in Iceland
4.3.2018 securityaffairs Cryptocurrency

Thieves steal 600 powerful computers in a huge heist in Iceland with the intent to use them for mining Bitcoin.
Cyber criminal organization continue to show a great interest in cryptocurrencies, the number of crimes against cryptocurrency industry is on the rise.

News of the day is that crooks have stolen 600 powerful computers from data centers in Iceland to use in Bitcoin mining. At the time, the computers, that are worth almost $2 million, have not yet been found.

“Some 600 computers used to “mine” bitcoin and other virtual currencies have been stolen from data centers in Iceland in what police say is the biggest series of thefts ever in the North Atlantic island nation.” reads the post published by The Associated Press.

The thieves have stolen 600 graphics cards, 100 processors, 100 power supplies, 100 motherboards and 100 sets of computer memory to use in the proficuous activity.

The Icelandic media dubbed the crime the “Big Bitcoin Heist,” the authorities have arrested 11 people, including a security guard.

A judge at the Reykjanes District Court on Friday ordered two people to remain in custody.

“This is a grand theft on a scale unseen before,” Police Commissioner Olafur Helgi Kjartansson said. “Everything points to this being a highly organized crime.”

The thefts occurred between late December and early January, the members of the gang were identified thank the surveillance cameras used by the server company Advania.

Advania suffered two of the four thefts, the company had been offering its customers access to bitcoin-mining rigs, for this reason, crooks targeted the firm.

The police are searching any evidence to track the thieves, authorities are also tracking energy consumption across Iceland in case they turn on their computers. A spike in the energy consumption could reveal their location if the thieves don’t take measure to avoid being tracked.

“Police tracking the stolen computers are monitoring electric consumption across the country in hopes the thieves will show their hand, according to an industry source who spoke on condition of anonymity because he is not allowed to speak to the media.” concluded the Associated Press.

“Unusually high energy usage might reveal the whereabouts of the illegal bitcoin mine.”

Iceland is a good place where find cheap, renewable energy for crypto mining activities.

Kam kráčí šifrování?

4.3.2018 SecurityWorld  Kryptografie
Přechod od SHA-1 na SHA-2, kongresové vítězství nad zadními vrátky a vzestup šifrované komunikace nás vedou k bezpečnějšímu světu.

Vypadá to, jako by se vývoj technologií každý rok zrychloval. Je tu však vždy jeden opozdilec: šifrování. Proč tak rozvážné tempo? Protože jeden malý omyl dokáže zablokovat komunikaci a pohřbít firmu.

Nastávají však chvíle, kdy je potřebné zbystřit – například abyste zjistili, že se sféra šifrování prakticky přes noc změnila. Ten čas nastal nyní. Přestože v průběhu několika let docházelo ke změnám postupně, výsledný efekt je dramatický.

Některé z těchto změn začaly krátce po zveřejnění informací od Edwarda Snowdena o tom, jak rozsáhlý je sledovací program vlády USA. Další jsou přirozeným důsledkem kryptografických nápadů, které se dostávají na trh, vysvětluje Brent Waters z Texaské státní univerzity.

„Mnoho z těchto nových dostupných nástrojů a aplikací je založeno na výsledcích výzkumů z let 2005 a 2006,“ vysvětluje Waters. „Teprve si uvědomujeme, jaké typy šifrovacích funkcí jsou možné.“

O krok blíže

Šifrovaný webový provoz je prvním krokem směrem k bezpečnějšímu světu internetu, kde útočníci nebudou moci odposlouchávat privátní komunikace, finanční transakce ani obecné internetové aktivity.

Mnoho webů včetně služeb Google a Facebook zapnulo šifrování HTTPS ve výchozím stavu pro všechny uživatele. Pro většinu majitelů domén je však nákup a nasazení certifikátů SSL/TLS pro zajištění bezpečné komunikace s jejich weby drahým a komplikovaným úsilím.

Naštěstí iniciativa Let’s Encrypt (Pojďme šifrovat) a její bezplatné certifikáty SSL/TLS transformovaly celý ekosystém a dalay vlastníkům domén nástroje pro snadné zapnutí protokolu HTTPS na jejich webech.

Tato nezisková certifikační autorita provozovaná skupinou ISRG (Internet Security Research Group), Let’s Encrypt, je podpořenáa takovými velikány, jako jsou Mozilla, Electronic Frontier Foundation, Cisco nebo Akamai.

Jak všudypřítomným se protokol HTTPS stal? V říjnu loňského roku zveřejnil Josh Aas, šéf iniciativy Let’s Encrypt a bývalý zaměstnanec společnosti Mozilla, telemetrický graf Mozilly, který ukazuje, že protokol HTTPS využívá již více než 50 procent webů.

Přestože graf ukazuje jen uživatele prohlížeče Firefox, je toto číslo stále významné, protože poprvé počet šifrovaných stránek přerostl množství stránek nešifrovaných. Společnost NSS Labs očekává, že tento trend bude pokračovat, a předpovídá, že do roku 2019 bude šifrovaných 75 procent veškerého webového provozu.

Bezplatné nabídky certifikátů toto přijetí dále urychlí. Do příštího roku počet vydaných bezplatných veřejných důvěryhodných certifikátů pravděpodobně překročí množství certifikátů placených, prohlašuje Kevin Bocek, viceprezident strategie zabezpečení a threat intelligence ve společnosti Venafi, která se zabývá správou klíčů.

Mnoho podniků také začíná využívat bezplatné služby. Když už cena certifikátů nehraje žádnou roli, zaměří se certifikační autority na lepší nástroje pro bezpečnou správu certifikátů a na ochranu klíčů.

Když už mluvíme o správě certifikátů, je dobré připomenout, že po letech varování, že jsou certifikáty SHA-1 slabé a zranitelné vůči útokům, začaly podniky houfně upgradovat své certifikáty na takové, které využívají SHA-2, což je sada kryptografických hašovacích funkcí nahrazujících zastaralý algoritmus SHA-1.

Hlavní tvůrci prohlížečů, tedy firmy Google, Mozilla a Microsoft, se zavázali, že vyřadí SHA-1 počátkem letošního roku a začnou blokovat weby, které stále používají starší certifikáty.

Facebook přestal obsluhovat připojení SHA-1 a nezaznamenal „žádný měřitelný dopad“, tvrdí Wojciech Wojtyniak, produkční inženýr Facebooku.

Podle telemetrie Firefoxu kleslo od května do října 2016 použití SHA-1 na internetu ze 3,5 procenta na méně než procento. Podniky si nemohou dovolit samolibost, ale je pravda, že nedávné odhady společnosti Venafi naznačují, že cca 60 milionů webových stránek i nadále používá nedostatečně silný šifrovací algoritmus.

„Těšíme se na posun tohoto odvětví směrem k většímu využití silnějších certifikátů, jako je SHA-256,“ dodává Wojtyniak.

Šifrování je králem

Kryptografie dostala v posledních několika měsících několik ran, když výzkumníci vytvořili kryptografické útoky, jako je například Drown, který lze použít k dešifrování TLS spojení mezi uživatelem a serverem, pokud server podporuje SSLv2.

Další metodou je pak Sweet32, která umožňuje zaútočit na šifrovaná webová spojení vytvořením velkého množství webových přenosů.

Aktéři z řad státních zpravodajských služeb mají také šifrování ve svém hledáčku. Nedávno odhalila společnost Juniper Networks špionážní kód implantovaný v konkrétních modelech svého firewallu a v zařízeních VPN. Mnozí odborníci se domnívají, že v tom má prsty NSA.

Krátce poté, co si sada hackerských nástrojů, údajně patřící NSA, našla cestu na černé trhy, odhalilo Cisco chybu ve svém softwaru IOS, IOS XE a IOS XR, který se využívá v mnoha jejích síťových zařízeních.

Tato zranitelnost, kterou lze využít k získání citlivých informací z paměti zařízení, byla podobná jako zranitelnost zneužitelná uvedenými nástroji a souvisela s tím, jak tento operační systém zpracovává protokol výměny klíčů pro sítě VPN, uvedlo tehdy Cisco.

Dokonce i aplikace Apple iMessage, která je ukázkou, jak mohou firmy přinést kompletní šifrování masám, měla svůj podíl na problémech. Profesor kryptografie Matthew Green a jeho tým studentů na Univerzitě Johnse Hopkinse totiž dokázali vykonat adaptivní útok, který by za určitých okolností dokázal dešifrovat komunikaci iMessage a přílohy.

Tento tým také zjistil, že aplikace iMessage postrádá mechanismus FS (Forward Secrecy, dopředná bezpečnost), což znamená, že by útočníci mohli dešifrovat dříve zašifrované zprávy, například ty, které jsou uložené v iCloudu.

FS funguje tak, že se po uplynutí nastaveného časového intervalu vytváří nový klíč, takže i v případě, že útočníci získají originální klíč, není možné dříve zašifrované zprávy prolomit.

Jedna věc však navzdory všem špatným zprávám zůstává jasná: Kryptografie není prolomená. Matematika za kryptografickými výpočty zůstává silná a šifrování je stále nejlepší způsob, jak chránit informace.

„Poslední útoky se netýkaly matematiky, ale implementace,“ vysvětluje Waters. Ve skutečnosti šifrování funguje tak dobře, že na něj spoléhají také sami útočníci.

Zločinci dokážou získat klíče a certifikáty pro skrývání svých aktivit uvnitř šifrovaných přenosů. Skutečnost, že se tento vektor útoku rychle stává výchozím chováním zločinců, „téměř maří celý smysl přidávání většího množství šifrování“, uvádí Bocek.

Kyberzločinci používají šifrování také k zajištění velkého dopadu ransomwaru. Jakmile jsou soubory zašifrované, musejí oběti buď zaplatit, aby získaly klíč, nebo smazat své systémy a začít znovu.

Stejně jako se útočníci zaměřují na zranitelné implementace, bezpečnostní výzkumníci úspěšně vyvinuli dešifrovací nástroje pro ty varianty ransomwaru, které v sobě obsahovaly chyby ve svém šifrovacím kódu.

Zadní vrátka

Technologické firmy vždy musely vyvážit aspekty bezpečnosti a ochrany soukromí s faktem, že orgány činné v trestním řízení požadují přístup k informacím uživatelů. James Comey, šéf FBI, intenzivně usiloval o povinnost implementace zadních vrátek v technologických produktech využívajících šifrování a prohlašoval, že kódování dat maří vyšetřování zločinu.

Přestože společnosti často tiše spolupracovaly se zpravodajskými službami a s orgány činnými v trestním řízení, bezpříkladná konfrontace mezi FBI a společností Apple v minulých letech ukázala, že se podniky začínají bránit.

FBI v tomto boji ustoupila a došlo k vytvoření dvoustranné pracovní skupiny složené z komisí z oblasti justice, energií a komerce. Cílem této skupiny je studium problematiky šifrování. Pracovní skupina pro šifrování jednoznačně odmítla požadavky Comeye na zadní vrátka a radí zkoumat jiná řešení.

„Každé opatření, které oslabuje šifrování, pracuje proti národnímu zájmu,“ uvedla tato pracovní skupina ve své zprávě. „Kongres nemůže zabránit zločincům – doma ani v zahraničí – v používání šifrování. Proto by měly komise hledat další strategie, jak řešit potřeby komunity zástupců zákona.“

Oslabování šifrování tak, že by se policie dokázala prolomit do šifrovaných zařízení, by sice urychlilo vyšetřování zločinů, ale bylo by to krátkodobé vítězství s „dlouhodobým dopadem na národní zájmy“, varovala tato pracovní skupina.

Alternativní strategií je například poskytnutí legálních metod zástupcům zákona k přinucení podezřelých odemknout svá zařízení nebo zlepšování sběru metadat a analýz.

Zatímco zpráva pracovní skupiny naznačuje, že Kongres USA nebude usilovat o zákonná zadní vrátka, na obzoru se rýsují další bitvy související se šifrováním.

Tato zpráva totiž vytváří dojem, že podporuje možnost policie používat „zákonné hackování“ k prolomení do produktů s využitím zranitelností softwaru, které znají jen zástupci zákona a zpravodajské služby, což ale může mít bezpečnostní důsledky.

Technologický obor má zájem na oznamování zranitelností ihned po jejich zjištění, aby vláda neměla možnost si je hromadit bez dohledu.

Požadavek Comeye na úplnou kompromitaci tak bude podle slov skupiny realizován spíše v podobě různorodých forem.
Technologie pro všechny

Vlády se snažily roky stále omílat argument boje proti teroristům a vždy k tomu využívaly strašení, uvádí Mike Janke, šéf pro šifrovanou komunikaci ve společnosti Silent Circle. Změnou podle něj je, že podniky začínají brát vážněji zabezpečení své komunikace a jsou méně ochotné tyto funkce obětovat.

Mnoho organizací bylo šokováno rozsahem vládního dohledu odhaleného Edwardem Snowdenem z NSA. Zareagovaly integrací bezpečných nástrojů pro textovou a obrazovou komunikaci současně s šifrováním hlasových přenosů v rámci podnikové komunikace, popisuje Janke.

Šifrování nyní hraje větší roli v technologických diskusích, kdy se podniky ptají na dostupné funkce a možnosti. Oddělení IT už k šifrování nepřistupuje jako k přídavné funkci, za kterou se platí navíc, ale je to povinná vlastnost každého produktu a platformy, kterou používají.

I samotní spotřebitelé byli pobouřeni rozsahem sledovacích programů a neoficiální evidence ukazuje, že mnoho z nich začalo používat aplikace se šifrovaným obsahem, jako jsou WhatsApp nebo Signal. Ve většině případů však za bezpečné produkty neplatí, ani nemění své chování, aby zvýšili rozsah soukromí ve svém každodenním životě.

Změna přichází od šéfů zabezpečení, viceprezidentů technologií a dalších podnikových šéfů zaměřených na technologie, protože nesou odpovědnost za rozhodování v oblasti bezpečnosti a ochrany soukromí svých produktů a služeb.

Když společnost Tesla nyní digitálně podepisuje firmware pro každou svou jednotlivou interní komponentu pomocí kryptografického klíče, je jednodušší se ptát výrobců televizorů a hraček, proč to také nedělají, vysvětluje Janke.

Spotřebitelé jsou ti, kdo budou mít prospěch z integrace šifrování ve výchozím stavu, stejně jako když podniky mění svůj způsob myšlení o významu šifrování.

Osobní data v ohrožení – na co si dát nově pozor?

4.3.2018 SecurityWorld  BigBrother
Jen za poslední měsíc se objevilo několik nových překvapivých způsobů, jak pomocí internetu a chytrých telefonů krást a vyzrazovat osobní údaje. Následující trendy možná stojí za spuštění poplašných sirén.

Samozřejmě že tyto nové starosti lze přidat ke všem starým. Společnosti jako Google a Facebook vás stále sledují a dolují vaše osobní údaje. Hackeři neustále chtějí ukrást vaše data. Také vládní agentury, jako třeba NSA, nadále pracují podle svých zvyklostí.

Pět nových trendů nyní ukazuje, že vaši bezpečnost a soukromí lze ohrozit způsoby, které vás možná nikdy nenapadly.

1. Otisky prstů lze ukrást z fotky selfie.

Vědci z japonského Národního institutu informatiky (NII) nedávno oznámili, že otisky prstů je možné ukrást z fotografií vašich prstů. Lze jejich prostřednictvím vytvořit falešné prsty pro oklamání biometrických bezpečnostních systémů.

Fotoaparáty chytrých telefonů jsou už tak dobré a mají tak velké rozlišení, že lze z fotografií rozpoznat a zkopírovat reliéf otisků vašich prstů a použít ho k oklamání bezpečnostních systémů pracujících s otiskem prstů.

Největší hrozbou je to v Japonsku, kde se na fotografiích vystavovaných na webu hodně používá gesto V, tzv. znamení míru tvořené ukazováčkem a prostředníčkem.

Někteří lidé jsou skeptičtí. Například i proto, že „vědci“ nabízejí absurdní „řešení“ tohoto problému – čirou vrstvu oxidu titanu s natištěným speciálním vzorem, kterou byste si při focení selfie nasadili na prsty, aby zakryla vaše otisky.

Také okolnosti takové krádeže musejí být příznivé. Prsty je nutné mít zaostřené, osvětlení musí být perfektní, vzdálenost od kamery musí být asi tři metry a fotograf musí používat špičkový chytrý telefon. (A takové přístroje obvykle zaostřují na obličej, a ne na prsty.)

Verze fotografií s vysokým rozlišením, jako jsou tyto vlastní ruce autora, by bylo možné použít ke zkopírování otisků prstů.

Jiní ale zase tvrdí, že byste se měli skutečně bát. Zaprvé krádež otisku prstu z fotografie se už uskutečnila.

Před dvěma roky Němec Jan Krissler totiž získal kopii otisků prstů německé ministryně obrany Ursuly von der Leyenové z veřejně dostupných fotografií a udělal trojrozměrnou napodobeninu jejího prstu, který dokázal odemknout smartphone.

Zadruhé tato technologie již existuje. Není potřebný žádný další výzkum. Zatřetí otisky prstů jsou trvalé a nelze je změnit, takže se krádež otisků nepodobá ukradení hesla, které si můžete podle potřeby upravovat.

Začtvrté fotoaparáty smartphonů jsou stále lepší. Je jen otázkou času, než většina lidí bude mít fotoaparáty minimálně stejně dobré, jako jsou nyní ty nejlepší v chytrých telefonech typu iPhone 7 nebo Samsung Galaxy S7.

A konečně hackeři mohou používat on-line fotografie jako výchozí bod namísto toho, že by se nejprve zaměřili na konkrétní lidi. Mohlo by být obtížné soustředit se na určitou osobu, protože byste museli hledat vysoce kvalitní fotografie jejích prstů.

Pokud ale začnete u snímků obsahujících prsty s vysokým rozlišením, řekněme pomocí služby Obrázky Google, potom můžete efektivně získat stovky tisíc vhodných otisků.

Sám autor zkontroloval vlastní Fotky Google a našel hromadu fotografií vhodných pro získání otisků. Kdyby je vystavil veřejně, mohl by někdo se zlými úmysly a dostatečnými prostředky použít více fotografií k vytvoření jeho otisků prstů.

2. Političtí trolové útočí publikováním vašich osobních údajů.

V této náročné politické době se v diskuzích objevují jedovaté poznámky a sociálním sítím vládne jízlivost. Nejnovějším trendem v on-line politické argumentaci je tzv. doxnutí, což je čin on-line vyzrazení osobních informací nějakého člověka.

Některé typy informací jako telefonní čísla a domovní adresy lze snadno najít on-line, což napomáhá k obtěžování. Jeden nenávistník vás „doxne“ a sto dalších vyhrožuje smrtí či bombou nebo na vaši adresu prostřednictvím ohlášení vymyšlené hrozby nějakého údajně probíhajícího násilí pošle speciální zásahovou jednotku.

Tento problém se nedávno stal na webu Reddit natolik závažným, že raději vymazali a zakázali subreddity /r/altright a r/alternativeright. Web Reddit nedokázal běžnými způsoby zabránit doxování v subredditech, takže to vedlo k radikálnímu řešení v podobě jejich ukončení.

Bohužel doxnutelné osobní údaje lze na internetu najít velmi snadno.

3. Weby zabývající se genealogií zveřejnily vaše osobní údaje na internetu.

Weby zabývající se osobními údaji, včetně webů genealogie a webů pro vyhledávání osob, zde existují celá léta.

Obchodní model byl dlouho tvořen nabídkou zajímavých informací a požadavkem zaplatit za získání informací úplných. Nyní se však objevily dva trendy, které by vás měly vyděsit.

Prvním z nich je spuštění superwebu Family Tree Now obsahujícího osobní údaje. Ten bezplatně zveřejňuje údaje, za které si ostatní nechávali platit, a nedávno způsobil velký poprask, když na tento dříve neznámý web upozornila jedna žena na Twitteru.

Když totiž zadáte jméno a příjmení hledané osoby, vypíšou se vám osoby stejného a podobného jména s rokem narození a věkem. Po rozkliknutí se dozvíte i jména členů jejich rodiny s jejich rokem narození, věkem a se současnými a předchozími adresami.

Druhým trendem je, že některé weby pro „vyhledávání lidí“ využívají sociální inženýrství, aby vás přiměly ke sdělení informací namísto toho, že by vám informace naopak poskytly.

Například web TruthFinder během procesu klade otázky a tvrdí, že mu vaše odpovědi pomohou poskytnout vám lepší data. Ve skutečnosti získává TruthFinder informace od vás.

Některé weby pro hledání lidí předvádějí dramatickou podívanou vyhledávání v databázích, aby vám řekli o někom nějaké informace, ale přitom vás zasypávají otázkami, aby mohly vaše odpovědi zadat do svých databází.

4. Mobilní aplikace posílají osobní data pryč na vzdálený server.

Čínská aplikace s názvem Meitu určená pro úpravy selfie dokáže změnit vaši tvář na fantaskní komiksový obrázek. Přitom vybělí, zesvětlí a zvětší oči a přidá vizuální efekty.

Její popularita explozivně vzrostla, protože její efekty jsou velmi neobvyklé a přehnané. Změní váš obličej na pohádkovou postavičku z komiksu.

Přes noc se však ukázalo, že aplikace posílá zpět do Číny všechny druhy informací včetně vaší lokality, údaje o vašem poskytovateli mobilních služeb, IP adresy a IMEI čísla uživatelů na platformě Android. Firma reagovala na internetové pobouření prohlášením, že data neprodává a používá je pouze na vylepšení aplikace.

Tato kontroverze zvýšila povědomí o nepříjemné skutečnosti, že mnoho aplikací shromažďuje vaše údaje bez vašeho vědomí či výslovného souhlasu. Takže jaké je řešení? Bezpečnostní aplikace? Asi ne…

5. Dokonce i bezpečnostní aplikace mohou ohrozit vaši bezpečnost

Jedním z nejlepších způsobů, jak chránit něčí soukromí na internetu, je použití VPN neboli virtuální privátní sítě. VPN vám teoreticky umožňují použít veřejný internet, jako byste byli v privátní síti.

Můžete skrýt a zašifrovat svou on-line aktivitu dokonce i před svým poskytovatelem připojení k internetu. Umožní vám také podvrhnout lokalitu, takže můžete prohlásit, že jste připojeni k internetu v jiném městě či zemi.

Over 40 models of low-cost Android devices shipped with Triada banking Trojan
4.3.2018 securityaffairs Android

Security researchers at Dr.Web have discovered over 40 models of low-cost Android smartphones are shipped with the dreaded Android Triada banking malware.
Security researchers at Antivirus firm Dr.Web have discovered that 42 models of low-cost Android smartphones are shipped with the Android.Triada.231 banking malware.

“In the middle of 2017, Doctor Web analysts discovered a new Trojan Android.Triada.231 in the firmware of some cheap models of Android devices. Since this detection, the list of infected devices has been constantly increasing.” reads the blog post published by Dr-Web. “At the moment, the list contains over 40 models. Doctor Web specialists have monitored the Trojan’s activity and now we can publish the results of this investigation.”

The Triada Trojan was spotted for the first time in 2016 by researchers at Kaspersky Lab that considered it the most advanced mobile threat seen to the date of the discovery.

Triada was designed with the specific intent to implement financial frauds, typically hijacking the financial SMS transactions. The most interesting characteristic of the Triada Trojan apart is its modular architecture, which gives it theoretically a wide range of abilities.

The Triada Trojan makes use of the Zygote parent process to implement its code in the context of all software on the device, this means that the threat is able to run in each application.
The only way to remove the threat is to wipe the smartphone and reinstall the OS.

Researchers at Dr.Web discovered the Triada Trojan pre-installed on newly shipped devices several minor brands, including Advan, Cherry Mobile, Doogee, and Leagoo.

This isn’t the first time the company discovered a pre-installed malware on Android device, back in in July 2017 Dr..Web researchers discovered the many smartphone models were shipped with the dreaded Triada trojan such as Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.

Triada Trojan Android pre-installed malware

The researchers at Dr.Web who investigated the issue discovered that a software developer from Shanghai was responsible for the infection.

“For example, it was detected on the Leagoo M9 smartphone that was announced in December 2017. Additionally, our analysts’ research showed that the Trojan’s penetration into firmware happened at request of the Leagoo partner, the software developer from Shanghai.” continues the blog post.

“This company provided Leagoo with one of its applications to be included into an image of the mobile operating system, as well as with an instruction to add third-party code into the system libraries before their compilation. Unfortunately, this controversial request did not evoke any suspicions from the manufacturer. Ultimately, Android.Triada.231 got to the smartphones without any obstacles.”

The infected app found on the device was developed by a Chinese firm, the experts highlighted that the code was signed with the same certificate that was observed in 2016 infections.

“The analysis of this application showed it is signed with the same certificate as Android.MulDrop.924. Doctor Web previously wrote about this Trojan in 2016. We can presume the developer that requested adding the additional program into the mobile operating system image can be connected expressly or implicitly with the distribution of Android.Triada.231.” continues Dr.Web.

At the moment, the experts confirmed to have detected the Android.Triada.231 in the firmware of the following Android device models:

Leagoo M5
Leagoo M5 Plus
Leagoo M5 Edge
Leagoo M8
Leagoo M8 Pro
Leagoo Z5C
Leagoo T1 Plus
Leagoo Z3C
Leagoo Z1C
Leagoo M9
ARK Benefit M8
Zopo Speed 7 Plus
Doogee X5 Max
Doogee X5 Max Pro
Doogee Shoot 1
Doogee Shoot 2
Tecno W2
Homtom HT16
Umi London
Kiano Elegance 5.1
iLife Fivo Lite
Mito A39
Vertex Impress InTouch 4G
Vertex Impress Genius
myPhone Hammer Energy
Advan S5E NXT
Advan S4Z
Advan i5E
Tesla SP6.2
Cubot Rainbow
Haier T51
Cherry Mobile Flare S5
Cherry Mobile Flare J2S
Cherry Mobile Flare P1
Pelitt T1 PLUS
Prestigio Grace M5 LTE
BQ 5510

Unfortunately, the number of infected smartphones models could be much bigger.

Github hit by the biggest-ever DDoS attack that peaked 1.35 Tbs
4.3.2018 securityaffairs

On February 28, 2018, the popular GitHub’s code hosting website was hit by the largest-ever distributed denial of service (DDoS) attack that peaked at 1.35 Tbps
On February 28, 2018, the popular GitHub’s code hosting website was hit by the largest-ever distributed denial of service (DDoS) attack.

The DDoS attack peaked at record 1.35 Tbps by abusing the memcached protocol to power a so-called memcached DDoS attacks.

Memcached is a free and open source, high-performance, distributed memory caching system designed to speed up dynamic web applications by alleviating database load.

Clients communicate with memcached servers via TCP or UDP on port 11211.

Researchers from Cloudflare, Arbor Networks and security firm Qihoo 360 discovered that recently attackers are abusing the memcached for DDoS amplification attacks.

Chinese experts warned about abuses of memcached DDoS attacks in November.

The abuse of memcached servers in DDoS Attacks is quite simple, the attacker sends a request to the targeted server on port 11211 spoofing the IP address of the victim. In a memcached DDoS attack, the request sent to the server is composed of a few bytes, while the response can be tens of thousands of times bigger, resulting in an amplification attack.

Experts at Cloudflare dubbed this type of attack Memcrashed, according to the researcher the amplification technique could allow attackers to obtain an amplification factor of 51,200.

memcached DDoS attack

The Github website is protected by the anti-DDoS service provided by the firm Akamai that confirmed the impressive magnitude of the attack that hit its client.

“At 17:28 GMT, February 28th, Akamai experienced a 1.3 Tbps DDoS attack against one of our customers, a software development company, driven by memcached reflection. This attack was the largest attack seen to date by Akamai, more than twice the size of the September, 2016 attacks that announced the Mirai botnet and possibly the largest DDoS attack publicly disclosed.” reads the analysis published by Akamai.

“Because of memcached reflection capabilities, it is highly likely that this record attack will not be the biggest for long.”

Github largest DDoS memcached server

According to GitHub, the attack was widespread, it originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints.

“On Wednesday, February 28, 2018 was unavailable from 17:21 to 17:26 UTC and intermittently unavailable from 17:26 to 17:30 UTC due to a distributed denial-of-service (DDoS) attack.” states an advisory post published by GitHub.

“Between 17:21 and 17:30 UTC on February 28th we identified and mitigated a significant volumetric DDoS attack.

The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints. It was an amplification attack using the memcached-based approach described above that peaked at 1.35Tbps via 126.9 million packets per second.”

Github routed the traffic to Akamai service to mitigate the ongoing DDoS attack.

“Given the increase in inbound transit bandwidth to over 100Gbps in one of our facilities, the decision was made to move traffic to Akamai, who could help provide additional edge network capacity. At 17:26 UTC the command was initiated via our ChatOps tooling to withdraw BGP announcements over transit providers and announce AS36459 exclusively over our links to Akamai.” continues Github.

“Routes reconverged in the next few minutes and access control lists mitigated the attack at their border. Monitoring of transit bandwidth levels and load balancer response codes indicated a full recovery at 17:30 UTC. At 17:34 UTC routes to internet exchanges were withdrawn as a follow-up to shift an additional 40Gbps away from our edge.”

GitHub confirmed that the first portion of the attack peaked at 1.35Tbps, while a second part peaked 400Gbps after 18:00 UTC.

Github largest DDoS pasted image 2

Github said it plans to expand its edge network and mitigate new attack vectors.

Researchers believe that threat actors in the wild will abuse misconfigured Memcached servers in future attacks, unfortunately, many of them are still exposed on the Internet.

Cloudflare recommends disabling UDP support unless it’s needed and isolating memcached servers from the Internet. Internet service providers have to fix vulnerable protocols and prevent IP spoofing.

“Internet Service Providers – In order to defeat such attacks in future, we need to fix vulnerable protocols and also IP spoofing. As long as IP spoofing is permissible on the internet, we’ll be in trouble.” concluded Cloudflare.

“Developers – Please please please: Stop using UDP. If you must, please don’t enable it by default. If you do not know what an amplification attack is I hereby forbid you from ever typing
into your editor.”