Security-Portal.cz is an internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, and Linux and BSD systems. It runs a number of interesting services and supports enthusiasts in interesting projects.


Microsoft calls for ‘Digital Geneva Convention’ to rein in cyberwarfare

Sophos Naked Security - 16 February 2017 - 17:46
Governments should step up to define and enforce rules that protect civilians, Microsoft chief legal officer tells RSA

Cris Thomas on Cyberwar Rhetoric

Threatpost - 16 February 2017 - 15:00
Cris Thomas of Tenable Networks, aka Space Rogue of the L0pht, talks to Mike Mimoso during the RSA Conference about the rhetoric and hype surrounding cyberwar, and takes a quick trip down memory lane with the L0pht and its famous 1998 testimony before Congress.
Category: Hacking & Security

Retailers push back against plans to boost security of online shopping

Sophos Naked Security - 16 February 2017 - 14:56
EU banking organisation suggests requiring a passcode for purchases over €10, but retailers and payments providers warn of potential hit to sales

KasperskyOS: Will it compete with Linux on network appliances and in the IoT world?

Zive.cz - security - 16 February 2017 - 14:39
After fifteen years of work, developers at Kaspersky Lab have released their own operating system, KasperskyOS, for the x86/64 and ARM architectures. Instead of adding security software that has to fight malware on top of the system, they built an entirely new ...
Category: Hacking & Security

Fallen for a fake Twitter account? Here’s how to spot them

Sophos Naked Security - 16 February 2017 - 14:02
An account impersonating Trump adviser Mike Flynn fooled news organizations and individuals alike, fuelling further concerns about 'fake news'

RSA 2017: Microsoft Word Intruders step outside Office for the first time

Sophos Naked Security - 16 February 2017 - 13:08
Windows remains the largest battlefield for attackers, but the author of MWI has upped the ante by moving beyond Office-based exploits

Yahoo Hacked Once Again! Quietly Warns Affected Users About New Attack

The Hacker News - 16 February 2017 - 11:26
Has Yahoo rebuilt your trust again? If yes, then you need to think again, as the company is warning its users of another hack. Last year, Yahoo admitted two of the largest data breaches on record; one of them, which took place in 2013, disclosed personal details associated with more than 1 billion Yahoo user accounts. Well, it has happened yet again. Yahoo sent out another
Category: Hacking & Security

Breaking The Weakest Link Of The Strongest Chain

Kaspersky Securelist - 16 February 2017 - 10:54

Around July last year, more than 100 Israeli servicemen were hit by a cunning threat actor. The attack compromised their devices and exfiltrated data to the attackers' command and control server. In addition, the compromised devices were pushed Trojan updates, which allowed the attackers to extend their capabilities. The operation remains active at the time of writing, with attacks reported as recently as February 2017.

The campaign, which experts believe is still in its early stages, targets Android devices. Once a device is compromised, a process of sophisticated intelligence gathering starts, exploiting access to the phone's video and audio capabilities, SMS functions and location.

The campaign relies heavily on social engineering techniques, leveraging social networks to lure targeted soldiers into both sharing confidential information and downloading the malicious applications.

The campaign is of relatively low technical sophistication but makes extensive use of social engineering, and the threat actor targets only IDF soldiers.

IDF C4I & the IDF Information Security Department unit, with Kaspersky Lab researchers, have obtained a list of the victims; among them IDF servicemen of different ranks, most of them serving around the Gaza strip.

Attack Flow

The operation follows the same infection flow across the different victims:

Figure 1: Campaign’s attack flow

Social Engineering

The threat actor uses social engineering to lure targets into installing a malicious application, while continuously attempting to acquire confidential information using social networks. We’ve seen a lot of the group’s activity on Facebook Messenger. Most of the avatars (virtual participants in the social engineering stage) lure the victims using sexual innuendo, e.g. asking the victim to send explicit photos, and in return sending fake photos of teenage girls. The avatars pretend to be from different countries such as Canada, Germany, Switzerland and more.

Dropper

After the victim downloads the APK file from the malicious URL, the attacker expects the victim to install the package manually. The dropper requires common user permissions as shown in the following screenshot.

Figure 2: Dropper permissions once installed on a victim mobile device

Key features

The dropper queries a configuration server in order to download the payload that best fits the specific device. Its key features:

  • Downloader and watchdog for the main payload
  • Payload update mechanism
  • Customized payload: the dropper sends a list of installed apps and receives a payload package chosen on that basis
  • Obfuscation: the dropper package is obfuscated with ProGuard, an open-source Java optimizer and code obfuscator (observed in the LoveSongs dropper)

Network Protocols

The network protocol between the dropper and the configuration server is based on HTTP POST requests. The following servers implement a RESTful API:

LoveSongs – http://endpointup[.]com/update/upfolder/updatefun.php

YeeCall, WowoMessanger – http://droidback[.]com/pockemon/squirtle/functions.php

Figure 3: Communication with C&C server over HTTP

Most of the communication with the server is in clear text, except for specific commands, which are encrypted with a hard-coded AES-128 key.

Figure 4: WowoMessanger REST-API POST packet capture

Figure 5: Fake WowoMessanger app – logic flow

Along with an ID existence check, the dropper sends a list of the device's installed apps, if it has not already done so.

The flow is similar across the different dropper variants, with minor changes. One variant pretends to be a YouTube player, while the others are chat apps:

LoveSongs has working YouTube player functionality, whereas WowoMessanger has no legitimate functionality whatsoever; it erases its icon after the first run.

Payload

The payload is installed after one of the droppers mentioned above has been downloaded and executed on the victim device. The only payload we have seen so far is “WhatsApp_Update”.

The payload is capable of two collection mechanisms:

  • Execute “On demand” commands – manual commands that are triggered by the operator
  • Scheduled process – scheduled tasks that collect information periodically from various sources.

Most of the collected data is sent only when a Wi-Fi network is available.

C&C Commands

The payload uses the WebSocket protocol, which gives the attacker a real-time interface for sending commands to the payload in a way that resembles a reverse shell. Some of the commands are not yet implemented (see the command list below). The commands give the operator basic yet dangerous RAT capabilities:

  • Collect general information about the device e.g. Network operator, GPS location, IMEI etc.
  • Open a browser and browse to a chosen URL
  • Read & send SMS messages, and access contacts
  • Eavesdrop at a specific time and period
  • Take pictures (using the camera) or screenshots
  • Record video and audio.
The full command set: COLL_AUDIO_RECORDS, COLL_CALL_RECORDS, GET_LOCATION, CHECK_AVAILABILITY, OPEN_WEBPAGE, GET_IMAGE, GET_DEVICE_INFO, COLL_CAPTURED_PHOTOS, GET_TELEPHONY_INFO, GET_CELLS_INFO, TAKE_SCREENSHOT, CALL_PHONE, GET_SEC_GALL_CACHE, GET_SMS, SEND_SMS, GET_CONTACTS, GET_BOOKMARKS, TAKE_BACK_PIC, CHANGE_AUDIO_SOURCE, RECORD_AUDIO, GET_SEARCHES, CLOSE_APP, GET_HISTORY, OPEN_APP, GET_CALENDER_EVENTS, RESTART, GET_USER_DICTIONARY, SHUTDOWN, UNINSTALL_APP, GET_ACCOUNTS, INSTALL_APK, GET_INSTALLED_APPS, GET_WHATSAPP_KEY, RECORD_FRONT_VIDEO, GET_WHATSAPP_BACKUP, GET_FILE, GET_CALLS, GET_ROOT_STATUS, TAKE_FRONT_PIC, RECORD_BACK_VIDEO, INVALID_COMMAND, REMOVE_FILE

(In the original post, the commands that were implemented are shown in bold; that marking is not preserved in this text rendering.)
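The dropper's REST check-ins and the payload's WebSocket channel described above leave distinct traces in web-proxy logs. The following Python script is an added example, not code from the Securelist post or from Kaspersky Lab. It runs three detection rules over constructed proxy log lines (the log format, timestamps, client addresses and the cdn. subdomain are invented for the example), using the five domains and the two dropper endpoints listed in the post's IOC section. It assumes that the payload's WebSocket C&C is reachable on the same domains, which the post does not state, and treats a ws:// or wss:// scheme or a 101 Switching Protocols status as the WebSocket upgrade.

```python
import re
from urllib.parse import urlparse

# Domains from the post's IOC section (defanging removed so they match real log data).
IOC_DOMAINS = {"androidbak.com", "droidback.com", "endpointup.com",
               "siteanalysto.com", "goodydaddy.com"}

# Dropper configuration-server endpoints named in the post, keyed by canonical URL.
DROPPER_ENDPOINTS = {
    "http://endpointup.com/update/upfolder/updatefun.php": "LoveSongs dropper check-in",
    "http://droidback.com/pockemon/squirtle/functions.php": "YeeCall/WowoMessanger dropper check-in",
}

# Assumed log format (constructed for this example): "<timestamp> <client> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

# Constructed sample proxy log: one clean line, two dropper check-ins, one WebSocket upgrade,
# one plain contact with a subdomain of a campaign domain.
SAMPLE_LOG = """\
2017-02-10T08:01:12Z 10.20.0.15 GET http://www.example.org/index.html 200
2017-02-10T08:02:40Z 10.20.0.15 POST http://droidback.com/pockemon/squirtle/functions.php 200
2017-02-10T08:03:05Z 10.20.0.15 GET ws://droidback.com/ 101
2017-02-10T08:04:00Z 10.20.0.22 POST http://endpointup.com/update/upfolder/updatefun.php 200
2017-02-10T08:05:30Z 10.20.0.22 GET http://cdn.goodydaddy.com/ 200
"""


def refang(s: str) -> str:
    """Turn a defanged indicator ("droidback[.]com") back into a matchable host."""
    return s.replace("[.]", ".")


def host_matches(host: str, domains) -> bool:
    """True for the domain itself or any subdomain of it (never a mere suffix match)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(line: str):
    """Return a finding dict for a log line that touches campaign infrastructure, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlparse(refang(m["url"]))
    host = url.hostname or ""
    if not host_matches(host, IOC_DOMAINS):
        return None
    canonical = f"{url.scheme}://{host}{url.path}"
    if m["method"] == "POST" and canonical in DROPPER_ENDPOINTS:
        kind = DROPPER_ENDPOINTS[canonical]          # dropper <-> config server REST call
    elif url.scheme in ("ws", "wss") or m["status"] == "101":
        kind = "payload C&C (WebSocket upgrade)"     # assumption: payload C&C on the same domains
    else:
        kind = "contact with campaign domain"
    return {"ts": m["ts"], "src": m["src"], "host": host, "kind": kind}


def scan(lines) -> list:
    """Apply classify() to every line and keep the findings, in log order."""
    return [hit for hit in map(classify, lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f'{hit["ts"]} {hit["src"]} -> {hit["host"]}: {hit["kind"]}')
```

Because the post says most dropper traffic is clear text, a proxy that logs request bodies could additionally key on the installed-app list the dropper uploads; the rules above deliberately rely only on host, method, path and status, which any proxy records.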

Scheduled Process

Besides the C&C commands, the payload periodically collects data using various Android APIs. The default time interval is 30 seconds. The process collects the following data:

  • General data about the device (as mentioned in the C&C command)
  • SMS messages, and the WhatsApp database along with its encryption key (requires root permissions; not yet fully implemented)
  • Browsing and search history, along with bookmarks
  • Documents and archives smaller than 2 MB found in storage (doc, docx, ppt, rar, etc.)
  • Pictures taken automatically while a call is active
  • List of contacts and call logs
  • Call recordings and ambient audio
  • Updates itself

The attackers implemented all of the malicious logic without any native code or third-party libraries; the automatic call-recording feature is built entirely on Android's public API.

Figure 6: Call-Recording implementation in WhatsApp_update

Conclusions

The IDF, which led the research together with Kaspersky Lab researchers, has concluded that this is only the opening shot of the operation, and that it is by definition a targeted attack against the Israel Defense Forces, aiming to exfiltrate data on how ground forces are deployed and which tactics and equipment the IDF is using, and to gather real-time intelligence.

Kaspersky Lab GReAT researchers will disclose more behind-the-scenes details of the operation at the upcoming Security Analyst Summit.

IOCs

Domain names & APK hashes

androidbak[.]com
droidback[.]com
endpointup[.]com
siteanalysto[.]com
goodydaddy[.]com
10f27d243adb082ce0f842c7a4a3784b01f7248e
b8237782486a26d5397b75eeea7354a777bff63a
09c3af7b0a6957d5c7c80f67ab3b9cd8bef88813
9b923303f580c999f0fdc25cad600dd3550fe4e0
0b58c883efe44ff010f1703db00c9ff4645b59df
0a5dc47b06de545d8236d70efee801ca573115e7
782a0e5208c3d9e8942b928857a24183655e7470
5f71a8a50964dae688404ce8b3fbd83d6e36e5cd
03b404c8f4ead4aa3970b26eeeb268c594b1bb47

Certificates – SHA1 fingerprints

10:EB:7D:03:2A:B9:15:32:8F:BF:68:37:C6:07:45:FB:DF:F1:87:A6
9E:52:71:F3:D2:1D:C3:22:28:CB:50:C7:33:05:E3:DE:01:EB:CB:03
44:52:E6:4C:97:4B:6D:6A:7C:40:AD:1E:E0:17:08:33:87:AA:09:09
67:43:9B:EE:39:81:F3:5E:10:33:C9:7A:D9:4F:3A:73:3B:B0:CF:0A
89:C8:E2:E3:4A:23:3C:A0:54:A0:4A:53:D6:56:C8:2D:4A:8D:80:56
B4:D5:0C:8B:73:CB:A9:06:8A:B3:F2:49:35:F8:58:FE:A2:3E:2E:3A
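The hashes above are SHA-1 over the whole APK, and the fingerprints are SHA-1 over the DER of the signing certificate, so a suspect APK can be checked against both offline. The script below is an added example, not code from the Securelist post or from Kaspersky Lab. It hashes the APK, pulls the signer certificate(s) out of the PKCS#7 block in META-INF (the minimal DER walker handles only the ContentInfo/SignedData layout an APK signature file uses) and compares both values with the IOC lists. The APK it builds for the demo is a constructed zip whose "certificate" is a placeholder DER SEQUENCE rather than a real X.509 certificate, so it does not match the real IOCs; the second call feeds the sample's own values back in to show the matching path. Only a subset of the published hashes is embedded; extend the sets with the full list above.

```python
import hashlib
import io
import zipfile

# Subset of the APK SHA-1 hashes and certificate fingerprints from the IOC section above.
IOC_APK_SHA1 = {
    "10f27d243adb082ce0f842c7a4a3784b01f7248e",
    "b8237782486a26d5397b75eeea7354a777bff63a",
    "09c3af7b0a6957d5c7c80f67ab3b9cd8bef88813",
}
IOC_CERT_SHA1 = {
    "10:EB:7D:03:2A:B9:15:32:8F:BF:68:37:C6:07:45:FB:DF:F1:87:A6",
    "9E:52:71:F3:D2:1D:C3:22:28:CB:50:C7:33:05:E3:DE:01:EB:CB:03",
}


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def fingerprint(cert_der: bytes) -> str:
    """SHA-1 over the certificate DER, in the colon-separated form used in the IOC list."""
    h = hashlib.sha1(cert_der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def normalize_fp(fp: str) -> str:
    """Accept 'AA:BB:..' or 'aabb..' spellings so both compare equal."""
    return fp.replace(":", "").lower()


def _tlv(buf: bytes, pos: int):
    """Decode one DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def signer_certs_from_pkcs7(blob: bytes) -> list:
    """Return the DER certificates carried in a PKCS#7 SignedData (META-INF/*.RSA|DSA|EC)."""
    _, s, _ = _tlv(blob, 0)                        # ContentInfo SEQUENCE
    _, _, oid_end = _tlv(blob, s)                  # contentType OID (signedData)
    _, c, _ = _tlv(blob, oid_end)                  # [0] EXPLICIT content
    _, p, _ = _tlv(blob, c)                        # SignedData SEQUENCE
    for _ in range(3):                             # skip version, digestAlgorithms, encapContentInfo
        _, _, p = _tlv(blob, p)
    tag, cs, ce = _tlv(blob, p)
    if tag != 0xA0:                                # certificates [0] IMPLICIT is OPTIONAL
        return []
    certs, q = [], cs
    while q < ce:
        _, _, end = _tlv(blob, q)
        certs.append(blob[q:end])                  # the whole TLV is the certificate's DER
        q = end
    return certs


def triage_apk(apk: bytes, ioc_hashes=IOC_APK_SHA1, ioc_fps=IOC_CERT_SHA1) -> dict:
    """Hash the APK, extract signer fingerprints, and match both against the IOC sets."""
    fps = []
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.rsplit(".", 1)[-1].upper() in ("RSA", "DSA", "EC"):
                fps += [fingerprint(c) for c in signer_certs_from_pkcs7(z.read(name))]
    known = {normalize_fp(f) for f in ioc_fps}
    file_sha1 = sha1_hex(apk)
    return {"sha1": file_sha1, "cert_fingerprints": fps,
            "hash_match": file_sha1 in ioc_hashes,
            "cert_match": any(normalize_fp(f) in known for f in fps)}


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder used only to construct the sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


# Constructed placeholder: a bare DER SEQUENCE standing in for an X.509 certificate.
PLACEHOLDER_CERT = der(0x30, der(0x04, b"not a real X.509 certificate"))


def build_pkcs7(cert_der: bytes) -> bytes:
    """Constructed ContentInfo{signedData}: version 1, no digests, id-data content, one cert."""
    signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, b"")
                      + der(0x30, der(0x06, bytes.fromhex("2a864886f70d010701")))
                      + der(0xA0, cert_der))
    return der(0x30, der(0x06, bytes.fromhex("2a864886f70d010702")) + der(0xA0, signed_data))


def build_sample_apk(cert_der: bytes = PLACEHOLDER_CERT) -> bytes:
    """Constructed APK-shaped zip carrying a PKCS#7 signature block with one certificate."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("META-INF/CERT.RSA", build_pkcs7(cert_der))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_apk()
    print(triage_apk(sample))                        # no match against the real IOCs
    print(triage_apk(sample, {sha1_hex(sample)}, {fingerprint(PLACEHOLDER_CERT)}))  # both match
```

For a real APK, `apksigner verify --print-certs app.apk` reports the same SHA-1 certificate digest the extractor computes, which is a quick way to cross-check the parser before trusting a match or a miss.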

Xen Project asks to limit security vulnerability advisories

LinuxSecurity.com - 16 February 2017 - 10:49
LinuxSecurity.com: The Xen Project has requested feedback from the community in thrashing out new disclosure guidelines which may only reveal the most serious vulnerabilities affecting the hypervisor.
Category: Hacking & Security

How Google reinvented security and eliminated the need for firewalls

LinuxSecurity.com - 16 February 2017 - 10:47
LinuxSecurity.com: Over time, however, that perimeter developed holes as Google's increasingly mobile workforce, scattered around the world, demanded access to the network. And employees complained about having to go through a sometimes slow, unreliable VPN. On top of that, Google, like everyone else, was moving to the cloud, which was also outside of the castle.
Category: Hacking & Security

New MacOS Malware linked to Russian Hackers Can Steal Passwords & iPhone Backups

The Hacker News - 16 February 2017 - 10:38
Security researchers have discovered a new Mac malware allegedly developed by APT28, the Russian cyber-espionage group believed to be responsible for the 2016 presidential election hacking scandal. A new variant of the X-Agent spyware, previously used in cyber attacks against Windows, iOS, Android and Linux devices, is now targeting Apple's macOS. The malware is designed to
Category: Hacking & Security

Facebook knows everything about us. Thanks to a well-hidden search engine, others will find out too

Zive.cz - security - 16 February 2017 - 07:00
** Facebook knows everything about us because we tell it ourselves ** A powerful search engine is hidden inside it ** Stalkers, social engineers and other miscreants can abuse it
Category: Hacking & Security

Setting Expectations Between States on Cyberwar

Threatpost - 16 February 2017 - 01:30
An RSA Conference panel tackles the difficulty of defining cyberwar.
Category: Hacking & Security

Yahoo reveals more breachiness to users victimized by forged cookies [Updated]

Ars Technica - 16 February 2017 - 00:35

Yahoo has sent out another round of notifications to users, warning some that their accounts may have been breached as recently as last year. The accounts were affected by a flaw in Yahoo's mail service that allowed an attacker—most likely a "state actor," according to Yahoo—to use a forged "cookie" created by software stolen from within Yahoo's internal systems to gain access to user accounts without a password.

Yahoo informed some users in e-mails this week that "Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account." The messages are regarding possible breaches using the cookie vulnerability in 2014.

The Associated Press' Raphael Satter reports that a Yahoo spokesperson acknowledged the company was notifying users of the potential breach of their accounts, but would not disclose how many users were affected.

Category: Hacking & Security

RSA 2017 – Day 2 – Roving report [PODCAST]

Sophos Naked Security - 16 February 2017 - 00:20
Bill Brenner, our "roving reporter" at the RSA Conference 2017 in San Francisco, talks to Paul Ducklin about what went down on Day 2.

There is practically no defence. The viruses delete all traces themselves

Novinky.cz - security - 15 February 2017 - 20:46
Last year saw a flood of ransomware. It could cause serious damage on an infected machine, but at least the user knew straight away where they stood, because the uninvited guests demanded a ransom almost immediately. This year's new wave of attacks is far more serious, because the malicious code plays hide-and-seek with users.
Category: Hacking & Security

House members: EPA officials may be using Signal to “spread their goals covertly”

Ars Technica - 15 February 2017 - 19:23

Two Republican members of Congress sent a formal letter Tuesday to the Environmental Protection Agency’s Office of the Inspector General, expressing concern that “approximately a dozen career EPA officials” are using the encrypted messaging app Signal to covertly plan strategy and may be running afoul of the Freedom of Information Act.

The open source app has gained renewed interest in the wake of the election of President Donald Trump.

As Ars has reported previously, all Signal messages and voice calls are end-to-end encrypted using the Signal Protocol, which has since been adopted by WhatsApp and other companies. However, unlike other messaging apps, Signal’s maker, Open Whisper Systems, makes a point of not keeping any data, encrypted or otherwise, about its users. (WhatsApp also does not retain chat history but allows for backups using third-party services, like iCloud, which allows for message history to be restored when users set up a new device. Signal does not allow messages to be stored with a third party.)

The letter was written by Rep. Lamar Smith (R-Texas) and Rep. Darin LaHood (R-Ill.), who are the chair of the Committee on Science, Space, and Technology and the chair of the subcommittee on Oversight, respectively.

The congressmen note that the EPA has previously examined employee use of text messages to conduct government business and found that only a minuscule fraction of those messages was retained under FOIA.

“Not only does this demonstrate the vast issues presented with using text messages to conduct official business, but raises additional concerns about using messaging applications to conduct official business, which make it virtually impossible for the EPA to preserve and retain the records created in this manner to abide by federal record-keeping requirements,” they concluded.

The two Republicans gave the agency until February 28 to respond.

The EPA OIG did not immediately respond to Ars’ request for comment.

UPDATE 5:49pm ET: Jennifer Kaplan, Deputy Assistant Inspector General for Congressional and Public Affairs, e-mailed: "In response to your inquiry below, the EPA OIG takes all congressional requests seriously. This request is under review by the Inspector General and his senior leadership team."

Category: Hacking & Security

Government focuses on young people to tackle cyberskills shortage

Sophos Naked Security - 15 February 2017 - 18:29
Scheme aims to have nearly 6,000 teenagers trained in cyberskills by 2021

Fake news: what can we all do to play our part in combating it?

Sophos Naked Security - 15 February 2017 - 17:57
Tech companies, media organisations and political parties are starting to work together but it comes down to us, too