Hacking & Security

Andromeda Bot Analysis part 2

InfoSec Institute Resources - 28 September 2015 - 14:00

Bot Analysis: Now you have the original Andromeda build file. Load the unpacked sample in OllyDbg. As before, after the stack frame at the EP, you see that the malware resolves API addresses using the PEB_LDR_DATA structure, but this time, instead of kernel32.dll, the malware tries to find the ntdll.dll base address, then […]

The post Andromeda Bot Analysis part 2 appeared first on InfoSec Resources.

Category: Hacking & Security

Quantum Teleportation — Scientists Teleported Quantum Data over 60 Miles

The Hacker News - 28 September 2015 - 13:26
We are just one step closer to creating a Harry Potter or ‘Star Trek’-style transporter. However, when we talk about teleportation, we don't typically mean teleporting matter from one place to another as in science-fiction movies. Rather, teleportation involves capturing the essential information about something — its "quantum state" — in order to recreate it exactly someplace else.

What your 99 cents gets you for buying an iOS adblocking app: adverts

Sophos Naked Security - 28 September 2015 - 13:21
Crystal, the top adblocking utility on iOS, agreed to a deal to let whitelisted ads through - but at least it offers an opt-out.

New DDoS attack uses smartphone browsers to flood site with 4.5bn requests

LinuxSecurity.com - 28 September 2015 - 13:12
LinuxSecurity.com: Researchers suspect a mobile advertising network has been used to point hundreds of thousands of smartphone browsers at a website with the aim of knocking it offline. According to distributed denial-of-service protection service CloudFlare, one customer's site recently came under fire from 4.5 billion page requests during a few hours, mostly from smartphone browsers on Chinese IP addresses.

Facebook unfriending was the last straw in workplace bullying case

Sophos Naked Security - 28 September 2015 - 12:45
Unfriending someone on Facebook can be "indicative of unreasonable behaviour", a court found.

Monday review - the hot 23 stories of the week

Sophos Naked Security - 28 September 2015 - 11:31
Get yourself up to date with everything we've written in the last seven days - it's weekly roundup time.

'The Hacker News' Weekly Roundup — 14 Most Popular Stories

The Hacker News - 28 September 2015 - 10:53
To make last week’s top cyber security threats and challenges available to you in one shot, we are once again here with our weekly roundup. Last week, we came across lots of cyber security threats, like the XCodeGhost malware in Apple’s App Store and the lockscreen bypass bug in iOS 9 and iOS 9.0.1, that made us sad, but… …we were also thrilled by the latest developments such as

Salted Hash: Live from DerbyCon 5.0 (Day 0)

LinuxSecurity.com - 28 September 2015 - 10:48
LinuxSecurity.com: Salted Hash is in Louisville, Kentucky for DerbyCon 5.0. All weekend long, in between talks and training, this blog will be updated with various items of note from the show or thoughts from those attending. Today's starter topic is insider threats.

Gaza cybergang, where’s your IR team?

Kaspersky Securelist - 28 September 2015 - 10:00

Summary information:

Gaza cybergang is a politically motivated Arabic cybercriminal group operating in the MENA (Middle East North Africa) region, targeting mainly Egypt, United Arab Emirates and Yemen. The group has been operating since 2012 and became particularly active in Q2 2015.

One interesting new fact about Gaza cybergang activities is that they are actively sending malware files to IT (Information Technology) and IR (Incident Response) staff; this is also obvious from the file names they are sending to victims, which reflect the IT functions or IR tools used in cyber attack investigations.

IT people are known for having more access and permissions inside their organizations than other employees, mainly because they need to manage and operate the infrastructure. This is why getting access to their devices could be worth a lot more than for a normal user.

IR people are also known for having access to sensitive data related to ongoing cyber investigations in their organizations, in addition to special access and permissions enabling them to hunt for malicious or suspicious activities on the network…

The main infection modules used by this group are pretty common RATs: XtremeRAT and PoisonIvy.

Some more interesting facts about Gaza cybergang:

  • Attackers take an interest in government entities, especially embassies, where security measures and IT operations might not be well established and reliable
  • Use of special file names, content and domain names (e.g. gov.uae.kim), has helped the group perform better social engineering to infect targets
  • Increasing interest in targeting IT and IR people, which is clear from most of the recent malware file names used

Other operation names:

  • DownExecute
  • MoleRATs

Kaspersky Lab products and services successfully detect and block attacks by the Gaza cybergang.

Political file names targeting Arabic countries

File name: بوادر خلاف جديد بين الامارات والسعودية.exe

Translation: Indications of disagreement between Saudi Arabia and UAE.exe

Filename: “Wikileaks documents on Sheikh ******* *** *****.exe”

File name: صور فاضحـــــة جدا لبعض العسكريين والقضاة والمستشاريين المصريين.exe

Translation: Scandalous pictures of Egyptian militants, judges and consultants

File name: Majed-Abaas.zip -> الرئيس الفلسطيني محمود عباس يشتم ماجد فرج.exe

Translation: President Mahmoud Abbas cursing Majed Faraj.exe

File name: “مكالمة مسربة بين القائد العام للقوات المسلحة المصرية صدقي صبحي.exe”

Translation: Leaked conversation with the Egyptian leader of military forces Sodqi Sobhi.exe

File name: tasreb.rar

IT and IR malware file names:

  • VCSExpress.exe
  • Hex.exe
  • Microsoft Log.exe
  • IMP.exe
  • Win.exe
  • Corss.exe
  • WinRAR.exe
  • AVR.exe
  • ccleaner.exe
  • codeblocks.exe
  • HelpPane.exe
  • Hex_Workshop_Hex_Editor-o.exe
  • Help.exe
  • Decoded.exe
  • vmplayer.exe
  • Decrypted.exe
  • procexp.exe
  • crashreporter.exe
  • RE.exe
  • WindowsUpdate.exe
  • PE.exe
  • AVP.exe
  • PE-Explorr.exe
  • Kaspersky.exe
  • hworks32.exe
  • Kaspersky Password Manager.exe

Other malware file names

وصية وصور الوالد أتمنى الدعاء له بالرحمة والمغفرة.exe

Military Police less military sexual offenses, drug offenses more.exe

IP addresses and domain names used in the attacks

Malware hashes

Phishing hashes


Paranoid Android redux: “going dark” with Silent Circle’s Blackphone 2

Ars Technica - 28 September 2015 - 07:00

The back of the Blackphone 2, Silent Circle's latest take on the privacy-focused smartphone. (credit: Sean Gallagher)

Specs at a glance: Silent Circle Blackphone 2

  • Screen: 2560×1440 5.5” Full HD IPS
  • OS: Silent OS (based on Android Lollipop)
  • CPU: Qualcomm® Snapdragon 615, 1.7GHz octa-core
  • RAM: 3GB
  • GPU: Adreno 405
  • Storage: 32GB, with up to 128GB additional via microSD
  • Networking: Dual-band 2.4/5.0GHz 802.11 a/b/g/n/ac, Bluetooth 4.0LE. LTE and worldwide 3G/HSPA+ cellular data.
  • Ports: Micro USB 2.0, headphones
  • Camera: 13MP rear camera with BSI and flash, 5MP front camera
  • Size: 7.9 x 76.4 x 152.4mm
  • Weight: 164.9 g
  • Battery: 3060 mAh with Qualcomm Quick Charge 2.0
  • Starting price: $799
  • Other perks: Silent OS 2.0, 1 year SilentPhone encrypted communications,

For the majority of smartphone manufacturers, security and privacy are check boxes on a feature list. For Blackphone, they're the main attraction. Launched last year as a joint venture between the secure communications service Silent Circle and the Spanish specialty phone manufacturer Geeksphone, Blackphone's eponymous first product was an Android-based smartphone intended to provide the security and privacy that were lacking in Google's mobile operating system. Last June, we got an exclusive first look at that device and found it to be largely what it claimed to be. Unsurprisingly for a security-minded phone, the original Blackphone felt somewhat lacking in the usability department and somewhat janky in the hardware department.

A lot has changed in a year. Silent Circle—founded by Phil Zimmermann (creator of PGP), former Entrust Chief Technology Officer Jon Callas (the man behind much of the security in Mac OS X and iOS), and former Navy SEAL and security entrepreneur Mike Janke—bought out Geeksphone and absorbed the joint venture. The company hired a new CEO (former Entrust CEO and Nortel President Bill Conner), renamed and rebuilt its Android-based operating system, upgraded the infrastructure of its encrypted voice and text communications network, and built an entirely new hardware platform based on a somewhat more industry-standard chipset. All of that has led the team to Blackphone 2. Today, Silent Circle begins shipping its new flagship (and only) handset, and Ars once again got early access to put it through the usability and security wringer.

The new Silent OS adds updated security functionality, better management for enterprise users, and integration with Google's app ecosystem. The Blackphone 2 delivers all that in a package that is much more polished and commercial than its predecessor. The phone is also the first part of a rollout of a more complete set of security services that includes upgraded versions of its central Silent Phone app for iOS and standard Android.


With Stolen Cards, Fraudsters Shop to Drop

Krebs on Security - 28 September 2015 - 06:24

A time-honored method of extracting cash from stolen credit cards involves “reshipping” scams, which manage the purchase, reshipment and resale of carded consumer goods from America to Eastern Europe — primarily Russia. A new study suggests that some 1.6 million credit and debit cards are used to commit at least $1.8 billion in reshipping fraud each year, and identifies some choke points for disrupting this lucrative money laundering activity.

Many retailers long ago stopped allowing direct shipments of consumer goods from the United States to Russia and Eastern Europe, citing the high rate of fraudulent transactions for goods destined to those areas. As a result, fraudsters have perfected the reshipping service, a criminal enterprise that allows card thieves and the service operators to essentially split the profits from merchandise ordered with stolen credit and debit cards.

Source: Drops for Stuff research paper.

Much of the insight in this story comes from a study released last week called “Drops for Stuff: An Analysis of Reshipping Mule Scams,” which has multiple contributors (including this author). To better understand the reshipping scheme, it helps to have a quick primer on the terminology thieves use to describe the different actors in the scam.

The “operator” of the reshipping service specializes in recruiting “reshipping mules” or “drops” — essentially unwitting consumers in the United States who are enlisted through work-at-home job scams and promised up to $2,500 per month salary just for receiving and reshipping packages.

In practice, virtually all drops are cut loose approximately 30 days after their first shipment — just before the promised paycheck is due. Because of this constant churn, the operator must be constantly recruiting new drops.

The operator sells access to his stable of drops to card thieves, also known as “stuffers.” The stuffers use stolen cards to purchase high-value products from merchants and have the merchants ship the items to the drops’ addresses. Once the drops receive the packages, the stuffers provide them with prepaid shipping labels that the mules use to ship the packages to the stuffers themselves. After they receive the packages relayed by the drops, the stuffers sell the products on the local black market.

The reshipping service operator either takes a percentage cut (up to 50 percent), where stuffers pay a portion of the product’s retail value to the site operator as the reshipping fee, or, in operations that target lower-priced products (clothing, for example), simply charges a flat-rate fee of $50 to $70 per package. Depending on the sophistication of the reshipping service, stuffers can either buy shipping labels directly from the service — generally at a volume discount — or provide their own [for a discussion of ancillary criminal services that resell stolen USPS labels purchased wholesale, check out this story from 2014].

The researchers found that reshipping sites typically guarantee a certain level of customer satisfaction for successful package delivery, with some important caveats. If a drop who is not marked as problematic embezzles the package, reshipping sites offer free shipping for the next package or pay up to 15% of the item’s value as compensation to stuffers (e.g., as compensation for “burning” the credit card or the already-paid reshipping label).

However, in cases where the authorities identify the drop and intercept the package, the reshipping sites provide no compensation — they call these incidents “acts of God” over which they have no control.

“For a premium, stuffers can rent private drops that no other stuffers will have access to,” the researchers wrote. “Such private drops are presumably more reliable and are shielded from interference by other stuffers and, in turn, have a reduced risk to be discovered (hence, lower risk of losing packages).”


One of the key benefits of cashing out stolen cards using a reshipping service is that many luxury consumer goods that are typically bought with stolen cards — gaming consoles, iPads, iPhones and other Apple devices, for instance — can be sold in Russia for a 30 percent to 50 percent markup on top of the original purchase price, allowing the thieves to increase their return on each stolen card.

For example, an Apple MacBook selling for 1,000 US dollars in the United States typically retails for about 1,400 US dollars in Russia because a variety of customs duties, taxes and other fees increase its price.

It’s not hard to see how this can become a very lucrative form of fraud for everyone involved (except the drops). According to the researchers, the average damage from a reshipping scheme per cardholder is $1,156.93. In this case, the stuffer buys a card off the black market for $10, then turns around and purchases more than $1,100 worth of goods. After the reshipping service takes its cut (~$550) and the stuffer pays for his reshipping label (~$100), the stuffer receives the stolen goods and sells them on the black market in Russia for $1,400. He has just turned a $10 investment into more than $700. Rinse, wash, and repeat.

The study examined the inner workings of seven different reshipping services over a period of five years, from 2010 to 2015, and involved data shared by the FBI and the U.S. Postal Investigative Service. The analysis showed that at least 85 percent of packages being reshipped via these schemes were being sent to Moscow or to the immediate surrounding areas of Moscow.

The researchers wrote that “although it is often impossible to apprehend criminals who are abroad, the patterns of reshipping destinations can help to intercept the international shipping packages before they leave the country, e.g., at a USPS International Service Center. Focusing inspection efforts on the packages destined to the stuffers’ prime destination cities can increase the success of intercepting items from reshipping scams.”

The research team wrote that disrupting the reshipping chains of these scams has the potential to cripple the underground economy by affecting a major income stream of cybercriminals. By way of example, the team found that a single criminal-operated reshipping service can earn a yearly revenue of over 7.3 million US dollars, most of which is profit.

A copy of the full paper is available here (PDF).


Not Apple's best week ever! 60 Second Security

Sophos Naked Security - 28 September 2015 - 00:37
Watch the latest episode of our weekly 1-minute security news video... Find out why this wasn't such a great week for Apple.

The World's First $9 Computer is Shipping Today!

The Hacker News - 26 September 2015 - 15:34
Remember Project C.H.I.P.? A $9 Linux-based, super-cheap computer that raised some $2 million beyond a pledge goal of just $50,000 on Kickstarter will soon be in your pockets. Four months ago, Dave Rauchwerk, CEO of Next Thing Co., used the global crowd-funding platform ‘Kickstarter’ to back his project C.H.I.P., a fully functioning computer that offers more than what you

Malware in the App Store? You CANNOT be SERIOUS! [Chet Chat Podcast 215]

Sophos Naked Security - 26 September 2015 - 14:55
Take a listen to the latest Chet Chat podcast, our fun-but-informative weekly commentary on the latest computer security issues.

uh-oh! North America Runs Completely Out of IPv4 Internet Addresses

The Hacker News - 26 September 2015 - 11:50
Two months ago, THN reported on a similar announcement made by the American Registry for Internet Numbers (ARIN), which said that the agency is no longer able to issue IPv4 addresses in North America. Within a time frame of a few months, ARIN, which handles Internet addresses in America, has announced that its free pool of IPv4 addresses has reached zero...

Latest iOS 9.0.1 Update Failed to Patch Lockscreen Bypass Hack

The Hacker News - 26 September 2015 - 11:22
iOS 9.0.1 – Apple's first update to its new iOS 9 mobile operating system, which came out on Wednesday – addressed several bugs in its software. Unfortunately, however, it seems that the latest iOS 9.0.1 update doesn't fix the lock screen bypass vulnerability reported by iPhone user Jose Rodriguez. Yes, the serious flaw in iOS 9 that allows anyone – with physical access to your iPhone or iPad

Turnkey Linux 14: Small business server Linux made easy

LinuxSecurity.com - 26 September 2015 - 11:16
LinuxSecurity.com: TurnKey has improved SSL/TLS security. The net result is that the TurnKey appliances' administrator tools, Webmin and Webshell, are now hidden behind stunnel using TLS. In addition, the three supported web servers used across appliances (Apache, Lighttpd and Nginx) are now configured to use a consistent hardened TLS cipher suite and settings. The Tomcat Java server also has hardened TLS settings.

Police Can't Force You To Unlock Your Phone, It violates Fifth Amendment Rights

The Hacker News - 26 September 2015 - 10:32
Can the cops make you unlock your iPhone? ..."NO". According to a recent federal court ruling, it is not okay for police to force suspects to unlock their phones with a passcode, and doing so would be a violation of your Fifth Amendment rights under the US Constitution. The ruling came as the conclusion of a case in which the Securities and Exchange Commission (SEC) accused Bonan

Yahoo! Launches Free Web Application Security Scanner

The Hacker News - 26 September 2015 - 09:20
Yahoo! has open-sourced Gryffin – a web application security scanner – with the aim of improving the safety of the Web for everyone. Currently in beta, Project Gryffin has been made available on GitHub under the BSD-style license that Yahoo! has been using for a number of its open-sourced projects. Gryffin is basically a Go and JavaScript platform that helps system administrators scan URLs for

Banks: Card Breach at Hilton Hotel Properties

Krebs on Security - 25 September 2015 - 22:38

Multiple sources in the banking industry say they have traced a pattern of credit card fraud that suggests hackers have compromised point-of-sale registers in gift shops and restaurants at a large number of Hilton Hotel and franchise properties across the United States. Hilton says it is investigating the claims.

In August, Visa sent confidential alerts to numerous financial institutions warning of a breach at a brick-and-mortar entity that is known to have extended from April 21, 2015 to July 27, 2015. The alerts to each bank included card numbers that were suspected of being compromised, but per Visa policy those notifications did not name the breached entity.

However, sources at five different banks say they have now determined that the cards included in that alert had only one common point of purchase: they were all used at Hilton properties, including the company’s flagship Hilton locations as well as Embassy Suites, Doubletree, Hampton Inn and Suites, and the upscale Waldorf Astoria Hotels & Resorts.

In a written statement, a Hilton spokesperson said the company is investigating the breach claims.

“Hilton Worldwide is strongly committed to protecting our customers’ credit card information,” the company said. “We have many systems in place and work with some of the top experts in the field to address data security. Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace. We take any potential issue very seriously, and we are looking into this matter.”

As with other recent card breaches at major hotel chains — including Mandarin Oriental and White Lodging properties — the breach does not appear to be related to the guest reservation systems at the affected locations. Rather, sources say the fraud seems to stem from compromised point-of-sale devices inside of franchised restaurants, coffee bars and gift shops within Hilton properties.

It remains unclear how many Hilton properties may be affected by this apparent breach. Several sources in the financial industry told KrebsOnSecurity that the incident may date back to November 2014, and may still be ongoing.

This is a developing story. More as updates become available.
