Thursday 18 July 2013

Tumblr warns users over iPhone app password danger

Micro-blogging site Tumblr has warned users that passwords can be “sniffed” from its iPhone and iPad apps – and issued a “very important” security update for both apps.
Tumblr also warned users who have been using these apps to update their password on Tumblr – and change passwords elsewhere if users have shared the same one.
The warning was issued via an official company blog, and will appear in the timeline of users with the iPhone app. Tumblr only became aware of the security issue on Tuesday, according to TheNextWeb.
The security issue allowed passwords to be “sniffed in transit on certain versions of the app”, Tumblr revealed in a post.
“We have just released a very important security update for our iPhone and iPad apps addressing an issue that allowed passwords to be compromised in certain circumstances. Please download the update now,” the site said in its post.
“If you’ve been using these apps, you should also update your password on Tumblr and anywhere else you may have been using the same password. Please know that we take your security very seriously and are tremendously sorry for this lapse and inconvenience.”

Huawei slammed for locking GCHQ personnel out of security cell

The UK Intelligence and Security Committee (ISC) has called for a further investigation into Huawei's network security, questioning the effectiveness of its Cyber Security Evaluation Centre (the Cell), and calling for GCHQ personnel to run the unit.
The ISC called for the review in a public report, claiming the firm is failing to provide sufficient evidence to prove its network hardware and services are secure, potentially leaving UK telecoms vulnerable to a crippling cyber attack.
The report reads: "The UK government has been able to leverage Huawei's reputational concerns to encourage it to invest in the Cyber Security Evaluation Centre and become more transparent about its equipment and business practices. This is a significant achievement. However, we question why the Cell is only now approaching full functionality, over seven years after the BT contract was awarded.
"Given these delays and the lack of evidence so far that it will be able to provide the level of security assurance required, we recommend that the National Security Adviser conducts a substantive review of the effectiveness of the Cell as a matter of urgency."
The Cell was originally announced and created in 2010 after security concerns around Huawei technology used in BT and EE networks arose. The ISC highlighted the fact that the Cell is currently staffed by Huawei employees as a particular concern, arguing that GCHQ must have further involvement.
"Before seeking clarification, we assumed that Huawei funded the Cell but that it was run by GCHQ. A self-policing arrangement is highly unlikely either to provide, or to be seen to be providing, the required levels of security assurance. We therefore strongly recommend that the staff in the Cell are GCHQ employees," the report states.
"GCHQ must have greater oversight of the Cell and be formally tasked to provide assurance, validation and audit of its work, and the government must be involved in the selection of its staff, to ensure continued confidence in the Cell."
A Cabinet Office spokesman told V3 that the government supports the ISC's findings and plans to follow its recommendation. "We take threats to our Critical National Infrastructure very seriously and need to be responsive to changes in a fast-moving and complex, globalised telecommunications marketplace. We have robust procedures in place to ensure confidence in the security of UK telecommunications networks," said the spokesman.

"However, we are not complacent and as such we have agreed to the main recommendation of the report to conduct a review of Huawei's Cyber Security Evaluation Centre (the ‘Banbury Cell') to give assurance that we have the right measures and processes in place to protect UK telecommunications."
At the time of publishing, Huawei had not responded to V3's request for comment on the ISC's report.

Hackers target NASDAQ Community for passwords and account data

Cyber criminals have targeted the NASDAQ Community forum with a password-stealing attack, looking to gather sensitive information that could be used to mount a larger, more costly campaign.
NASDAQ sent out an email warning users that their account information may have been compromised, but confirming no trading or stock exchange information or systems had been affected by the breach. NASDAQ is yet to confirm how many of the community users have been affected and at the time of publishing had not responded to V3's request for comment.
NASDAQ has since taken the community website offline to upgrade its systems to plug the breach. NASDAQ has been a common target of criminals and was hit by a more serious cyber attack in 2011.
While the information stolen is not necessarily dangerous, it could be used by criminals to mount subsequent, more advanced attacks. In general the information is used by criminals to create more tailored phishing messages, or make more intelligent password guesses when attempting to infiltrate victims' main work accounts.
However, F-Secure analyst Sean Sullivan told V3 the information stolen from NASDAQ could theoretically be used to mount an even more dangerous attack. "How bad is this? That really depends on how forthcoming the NASDAQ community admins have been," he said.
"Imagine this: Suppose the NASDAQ community forum wasn't just compromised for its users' passwords – but also to use it as a watering hole. You thought the Twitter, Facebook, Apple, Microsoft watering hole attack compromises via the iPhone Dev SDK forum was bad? Well, I think that would be nothing compared to the kind of damage that could be done via NASDAQ."

A watering hole attack is a tactic commonly used by hackers to target specific groups. It sees them infiltrate a commonly visited website by people within the target industry and lace it with malware, letting them infect a large number of people, without having to mount multiple attacks.
The potential value of password and account information has made it an increasingly valuable commodity for cyber criminals, with many selling it on cyber black markets. Most recently Webroot researcher Dancho Danchev reported uncovering a Russian cyber gang selling thousands of users' Skype and Twitter password details on a newly created blackmarket.

Hackers knock Network Solutions websites offline with DDoS attack

Hackers have hit web registrar Network Solutions with a distributed denial-of-service (DDoS) attack, affecting its own and an unknown number of its customers' websites.
Network Solutions confirmed the attack in a public statement, promising that it is working to get its customers' sites back online as soon as possible. "Some of you have posted about issues with your sites. Yesterday, some Network Solutions customer sites were compromised. We're investigating the cause of this situation, but our immediate priority is restoring your sites as quickly as possible," read the statement.
"Unfortunately, cybercrime is a persistent threat in today's world. Despite our best efforts, no one is immune – including large providers like Network Solutions. We're always working to create a more secure and reliable internet environment for our customers. We appreciate your patience as we work to restore the affected sites."
The number of sites affected remains unknown and at the time of publishing Network Solutions had not responded to V3's request for comment. The potential harm is high though, as Network Solutions currently manages over 6.6 million web domain names.
The attack is the second to hit Network Solutions' hosted websites. Tech giant Cisco reported that hackers had earlier managed to hijack 5,000 domain names registered with the company and redirect them to name servers belonging to Ztomy.com. The purpose of the new attack remains unknown.
DDoS is a growing threat facing businesses of all sizes. The tactic is a common one, traditionally favoured by hacktivist groups such as Anonymous. Disturbingly, CloudFlare chief executive Matthew Prince told V3 this is slowly changing: common criminals are increasingly using the tactic to extort money from businesses, threatening to mount DDoS attacks on their sites if they do not pay a "protection" fee.

PRISM: Government needs to address UK cyber snooping laws


The government must consider amending the UK's cyber snooping laws following the ruling that the Government Communications Headquarters (GCHQ) did not illegally request PRISM data from the US National Security Agency (NSA).
Sir Malcolm Rifkind MP, who oversaw the Intelligence and Security Committee's (ISC) four-week investigation, said the ruling is the first step that should lead to a wider debate about the powers intelligence agencies should have.
"The focus of our enquiry has been did they break the law, our answer is no they did not. Everything else becomes a question not for GCHQ but for government and parliament," he said, during a parliament session attended by V3.
"In the few weeks we've concentrated exclusively on the allegations themselves. We have focused entirely on these matters relating to whether GCHQ asked the US, tasked the US to provide information from US intelligence sources without a warrant. A warrant was in place, however, we still have to give a considerable amount of thought regarding the wider legislative framework."
However, Rifkind warned that the government must avoid knee-jerk reactions to PRISM and ensure it doesn't rewrite legislation for the sake of it.
"The fact legislation was passed some years ago does not necessarily mean it is no longer appropriate. There have been big changes in 13 years, but that does not mean it is out of date. I am not meaning to prejudge that but it is something that needs to be thought about carefully," he said.
He added that full disclosure about the investigation will also be difficult as some of the data is sensitive: "We as a committee start from the presumption of whatever is in the public interest and that involves considering national security issues. We are not interested in what will embarrass the government, only what is to do with national security."
The ISC's investigation was launched one month ago following allegations the GCHQ had attempted to circumvent UK surveillance laws by illegally requesting PRISM data from the NSA. Rifkind said the investigation proved the GCHQ had behaved within the letter of the law. The MP said he was even "surprised" how forthcoming the agency was and how robust its security protocols were.
"The work we've done on the PRISM allegations comes in the immediate wake of the implementation of new powers that mean we don't simply request but can require agencies to hand over information. I want to put on record that GCHQ could not have been more helpful," he said.
Despite his positivity, Rifkind said the scope of the inquiry was limited to the question of whether the GCHQ had abused PRISM and had not investigated any other allegations, such as Operation Tempora. Reports about Operation Tempora broke after PRISM and suggest the GCHQ has been monitoring the telecoms cables running through the UK.
"It's only been four weeks and we have unashamedly been focused on issues of legality," he said. "No one has alleged that either GCHQ or any other agencies have acted illegally regarding anything except PRISM."

Recruitment firm chided after 7,500 CVs left unsecured on its website


A recruitment firm has been reprimanded by the Information Commissioner’s Office (ICO) for leaving nearly 7,500 CVs from its database unsecured on its public website.

The site, Janetpage.com, is a hub for those in the care industry, and the ICO was alerted to the fact that the supposedly secure website for firms seeking staff – where 7,435 CVs were stored – was completely open to anyone visiting the website.
The company was unaware of the error and, when alerted to it, suggested it may have been caused by a hack on its system, although no evidence supported this.
"At the time of the incident, the data controller believed that the section of the website, in which the CVs were stored, had been hacked by an individual seeking work. However, the data controller has been unable to provide any technical evidence to support this assumption," it said.
In its report on the issue the ICO said the staff running the website lacked the technical know-how to put appropriate security measures in place and were not trained in data protection.

“The data controller failed to ensure appropriate technical security measures were in place to provide an adequate level of protection. In the Commissioner’s view, this demonstrates a lack of data protection awareness with regards to technical security matters,” it said.

“Furthermore, the Commissioner’s investigation revealed that the data controller did not have sufficient data protection training, and that its information security policy and procedures were lacking.”

The firm has now signed an undertaking agreeing to stronger data protection measures including better website security and improved training for staff on data protection issues.

V3 contacted Janetpage for comment on the investigation and subsequent undertaking, but had received no reply at the time of publication.
An ICO spokesperson said the case underlined the importance of ensuring any data passed on by members of the public is kept secure.

“The candidates who sent their CVs into the Janet Page website were told that the information would only be shared with employers looking to recruit new staff,” they said.

“This did not happen and the website owner has now agreed to review their current practices to make sure that candidates’ information is kept secure.”

State-sponsored hackers using watering hole attacks to ensnare businesses


State-sponsored hackers are using watering hole attacks to hijack trusted websites and transform them into Frankenstein malware distribution tools.
The issue was uncovered by security firm Context and its chief executive Mark Raeburn said there had been a marked increase in the number of attacks targeting businesses, confirming hackers have hit websites belonging to big name firms, such as Information Handling Services (IHS).
"In this case the predatory tiger was a state-sponsored attacker and the prey was the target companies visiting the site," he said. "Our Response Team picked up traffic beaconing activity from a remote access Trojan (RAT) known as PlugX, which gives an attacker control over a compromised host and is suspected of being attributable to one of the more aggressive and active Chinese state-sponsored groups."
Context senior consultant Nick Mazitelli told V3 the news is particularly troubling as many of the companies have military and government contracts or are involved in areas of critical infrastructure. Mazitelli said the sophistication of the attack, combined with the atypical use of a watering hole rather than basic phishing, is also problematic.

“The key difference with the watering hole method of attack is the breadth of organisations potentially affected by it. Using a popular website in this manner means that a large number of organisations can be attacked and compromised in a short amount of time. However, for individual organisations that may have been compromised by the attack the outcome remains the same: a determined, aggressive and capable attacker on their network and the potential loss of sensitive or confidential information,” he said.

“Once the compromise progresses beyond this initial attack, i.e. once the attacker has developed a foothold through the watering hole, the compromise will progress in much the same way as it would following the use of attack methods that have been more prevalent historically, for example phishing emails. So the potential damage remains at the same high level, with a capable attacker expanding their control of the compromised network and harvesting sensitive information.”

Context reported the change in tactic also indicates the new campaign is state sponsored. The firm highlighted a group known as both “FlowerLady” and “FlowerShow” as the most likely suspect. The group is believed to be of Chinese origin and has a track record of mounting opportunistic attacks on Western companies with economic, technological or military significance.
Raeburn said many of the infected sites have already been wiped clean and it is unclear how many web users have fallen victim to the attack. He added that the threat can easily be mitigated if companies implement up-to-date security practices and protection tools.
"Phishing campaigns are often seen as the primary, or only, avenue of compromise when it comes to targeted attacks, but companies need to be more aware of the threat from alternative vectors such as watering hole attacks and take measures to identify malicious activity and mitigate the risks, regardless of the source," said Raeburn.
"Better awareness and activity monitoring, including information from across the network and down to the level of individual PCs, is vital and should be combined with a robust programme of proactive security improvement."
The attack is one of many believed to be state sponsored detected this year. The South Korean government recently reported uncovering evidence linking North Korea to a wave of attacks on its networks.
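Context says the PlugX infections first showed up as "traffic beaconing activity". The following is an added example, not Context's tooling and not tied to PlugX's real traffic (whose format the page does not describe): it shows the generic check behind that observation, grouping outbound requests by source and destination and flagging pairs whose inter-request intervals are nearly constant. The proxy log lines are constructed for the example and use documentation IP ranges.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: "timestamp src dst port method path". Not real traffic.
# 10.1.1.20 polls one host every ~5 minutes; 10.1.1.31 is ordinary, irregular browsing.
SAMPLE_LOG = """\
2013-07-16T09:00:00 10.1.1.20 203.0.113.5 443 GET /update.php
2013-07-16T09:05:01 10.1.1.20 203.0.113.5 443 GET /update.php
2013-07-16T09:09:58 10.1.1.20 203.0.113.5 443 GET /update.php
2013-07-16T09:15:02 10.1.1.20 203.0.113.5 443 GET /update.php
2013-07-16T09:20:00 10.1.1.20 203.0.113.5 443 GET /update.php
2013-07-16T09:24:59 10.1.1.20 203.0.113.5 443 GET /update.php
2013-07-16T09:00:12 10.1.1.31 198.51.100.7 80 GET /news/index.html
2013-07-16T09:00:40 10.1.1.31 198.51.100.7 80 GET /news/style.css
2013-07-16T09:13:05 10.1.1.31 198.51.100.7 80 GET /news/article.html
2013-07-16T09:13:07 10.1.1.31 198.51.100.7 80 GET /news/img.png
2013-07-16T09:47:30 10.1.1.31 198.51.100.7 80 GET /news/index.html
2013-07-16T09:48:10 10.1.1.31 198.51.100.7 80 GET /news/other.html
"""


def parse_log(text):
    """Return a list of (timestamp, src, dst) tuples from the whitespace-separated log."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _port, _method, _path = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst))
    return rows


def find_beacons(rows, min_hits=5, max_cv=0.1):
    """Return {(src, dst): (mean_interval_seconds, coefficient_of_variation)} for
    source/destination pairs seen at least min_hits times whose gaps between requests
    are nearly constant (standard deviation / mean <= max_cv)."""
    by_pair = defaultdict(list)
    for ts, src, dst in rows:
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits[pair] = (round(mean, 1), round(cv, 3))
    return hits


if __name__ == "__main__":
    for (src, dst), (mean, cv) in find_beacons(parse_log(SAMPLE_LOG)).items():
        print("%s -> %s: every %.1fs (cv %.3f)" % (src, dst, mean, cv))
```

On the sample the polling host is reported and the browsing host is not. Real implants usually add jitter or sleep between check-ins, so the threshold needs tuning per environment, and legitimate pollers (mail clients, update checkers) produce the same signature; treat a hit as a triage lead to be confirmed against destination reputation and the content of the requests, not as a verdict.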

Hackers foil Google Glass with QR codes

A group of researchers have uncovered a security vulnerability in the Google Glass platform which could allow attackers to hijack devices with specially-crafted QR codes.
Security firm Lookout said that it has found a method for covertly taking control of Google Glass headsets by exploiting flaws in the way Glass interacts with the photographic codes.
According to Lookout, Google Glass is able to use QR codes to change its configuration, such as connecting to Wi-Fi networks automatically. Though the feature is intended to let users manage devices easily while on the move, researchers worried that it could be exploited by hackers.
“While it’s useful to configure your Glass QR code and easily connect to wireless networks, it’s not so great when other people can use those same QR codes to tell your Glass to connect to their WiFi Networks or their Bluetooth devices,” Lookout said in its report.
“Unfortunately, this is exactly what we found. We analyzed how to make QR codes based on configuration instructions and produced our own 'malicious' QR codes.”
By exploiting the security loopholes, which have since been fixed by Google, the researchers were able to automatically connect devices to a 'hostile' wireless network. Once connected, the researchers were able to eavesdrop on web browsing activity, capture images which were being uploaded to the web and reconfigure devices to access attack sites which exploit Android security vulnerabilities.
The company said that it privately reported the flaw to Google in May and a fix for the flaw was released in early June.
“Google clearly worked quickly to fix the vulnerability as the issue was fixed by version XE6, released on June 4th,” the company said.
“Lookout recommended that Google limit QR code execution to points where the user has solicited it. Google’s changes reflected this recommendation.”
The vulnerabilities will likely not be the last such flaws to be spotted in Google Glass as the platform proceeds with its closed public beta. The platform has been available on a limited basis to developers and is tentatively set for release at the end of the year.
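As an added illustration, not Lookout's or Google's code: a parser for a Wi-Fi configuration QR payload and a minimal device model showing the vulnerable behaviour (apply any configuration code the camera sees) beside the gated behaviour Lookout recommended (act only when the user has asked to configure something). The `WIFI:T:...;S:...;P:...;;` payload convention and the `HeadsetWifi` class are assumptions for the example; the page does not say what format Glass used.

```python
class UnsolicitedConfigError(Exception):
    """A configuration QR code was seen without the user having asked to configure anything."""


def parse_wifi_payload(payload):
    """Parse a Wi-Fi configuration QR payload into a dict of its fields.

    Assumed format (the common 'WIFI:' convention; not necessarily what Glass used):
        WIFI:T:WPA;S:<ssid>;P:<password>;H:<true|false>;;
    A backslash escapes the next character, so ';', ':' and '\\' can appear in values.
    """
    if not payload.startswith("WIFI:"):
        raise ValueError("not a WIFI: payload")
    body = payload[len("WIFI:"):]
    fields = {}
    i = 0
    while i < len(body):
        if body[i] == ";":          # empty segment or the closing ';;' terminator
            i += 1
            continue
        colon = body.find(":", i)
        key = body[i:colon] if colon >= 0 else ""
        if colon < 0 or ";" in key:
            raise ValueError("malformed field near offset %d" % i)
        i = colon + 1
        value = []
        while i < len(body) and body[i] != ";":
            if body[i] == "\\" and i + 1 < len(body):
                i += 1              # escaped character: take it literally
            value.append(body[i])
            i += 1
        fields[key] = "".join(value)
        i += 1                      # skip the ';' that ended the value
    if not fields.get("S"):
        raise ValueError("missing SSID")
    if fields.get("T", "") not in ("WPA", "WEP", "nopass", ""):
        raise ValueError("unknown security type %r" % fields["T"])
    return fields


class HeadsetWifi:
    """Minimal stand-in for a headset's Wi-Fi settings (hypothetical; not Glass firmware)."""

    def __init__(self):
        self.networks = []                  # (ssid, security) pairs the device will join
        self.user_requested_setup = False

    def begin_setup(self):
        """Called from the settings UI when the user asks to add a network via QR code."""
        self.user_requested_setup = True

    def on_qr_scanned(self, payload, hardened=True):
        """Handle a code seen by the camera and return the SSID that was configured.

        hardened=False reproduces the vulnerable behaviour the page describes: any
        configuration code in view is applied.  hardened=True applies the fix Lookout
        recommended: configuration codes are honoured only while the user has asked for one.
        """
        cfg = parse_wifi_payload(payload)
        if hardened and not self.user_requested_setup:
            raise UnsolicitedConfigError("ignoring unsolicited configuration code for %r" % cfg["S"])
        self.user_requested_setup = False   # one request honours one code
        self.networks.append((cfg["S"], cfg.get("T") or "nopass"))
        return cfg["S"]
```

The gate is a state bit set by the settings UI and cleared after a single code is consumed, so a code held in front of the camera at any other time does nothing; that is the whole of the fix as the page describes it, and it costs the legitimate user one extra tap.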

FBI ransomware attacks spread to OS X users

An old malware trick is being given new life as an infection targeting OS X users, according to researchers.
Security firm Malwarebytes said that it had spotted a new crop of OS X 'ransomware' attacks which attempt to extort money out of users. Posing as an FBI piracy notification, the malware locks a user's system and demands that a 'fine' be paid through an online payment system.
The ransomware technique is a tried and true extortion method for cybercriminals. Often using the guise of law enforcement or anti-piracy notifications, the infection will lock off access to the target system and demand that users pay a fee in order to regain access to their systems.
Though the FBI and other government agencies have never delivered official notifications through unsolicited emails or browser notifications, malware writers continue to extort payments from users worried or embarrassed about having their online activities uncovered.
For OS X users, the attack will demand that a $300 payment be made via a re-loadable payment card service. Attempting to navigate away from the page will trigger a series of alerts which will prevent users from closing or leaving the site.
“The bad guys know there is a growing market of Apple consumers who, for the most part, feel pretty safe about browsing the Internet on a Mac without the need for any security product,” wrote Malwarebytes researcher Jerome Segura.
“Cyber-criminals, well known for not re-inventing the wheel, have ‘ported’ the latest ransomware to OS X, not by using some complicated exploit but rather leveraging the browser and its ‘restore from crash’ feature.”
The company said that users can navigate away from the phony notification page by resetting Safari to clear out cache and history, preventing the page from auto-loading when the browser is restarted.

New Android security flaw spotted in China

Researchers are sounding alarms over the discovery of yet another security vulnerability in the Android mobile platform.
The flaw, first spotted by researchers in China, would potentially allow an attacker to manipulate an otherwise legitimate Android APK to execute malicious code without detection by the system.
According to researchers with Sophos, the vulnerability itself lies in the way Android handles the compressed APK files themselves. By modifying an application's .dex file to be a certain size, an attacker could potentially instruct the system to skip the execution of legitimate code and instead run attack code.
The result, says Sophos researcher Paul Ducklin, is a method which could allow malware writers to modify and redistribute applications with their attack code embedded inside.
“That's a bug in any language, and a discomfiting one for Google, whose security teams will surely consider this an elementary mistake that ought to have been caught in testing, if not during code review,” said Ducklin.
The discovery of the flaw comes in the wake of another high-profile security disclosure for the Android platform. Known as the 'master key' vulnerability, that flaw afflicts some 99 per cent of Android devices.
According to Ducklin, the new security hole is not likely to be as prevalent. He noted that implementing the attack requires files to be a specific size and length as well as a certain name, and that many Android applications do not appear to be compatible with the attack technique.
The flaw has already been addressed by Google and can be patched by installing the latest firmware updates from the company.
As Ducklin noted, however, the Android ecosystem, which relies on hardware vendors to distribute updates, could leave many users running devices which are still vulnerable to attack.
“Although Google has indeed responded quickly by patching both holes, and should be commended for its efficiency, that doesn't get the fixes out into the wider world,” he said.
“It remains to be seen how hard Mountain View will lean on its many handset licensees to push out firmware updates for the 'extra field' and 'master key' flaws, since they go to the heart of application verification on the Android platform.”
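The 'extra field' flaw Ducklin refers to came from the 16-bit extra-field length in a ZIP local file header being read as a signed value by one of Android's parsers and as an unsigned value by another, so the two could disagree about where an entry's data begins (a detail from the public analysis of that bug, not from this article). The checker below is an added example, not Sophos's or Google's code: it walks an archive's central directory, reads each local header and reports entries where a signed and an unsigned reader would start the data at different offsets, or where the local header disagrees with the central directory. The sample archive is constructed in memory and its classes.dex is placeholder bytes, not a real dex file.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"


def central_entries(data):
    """Yield (name, local_header_offset, extra_len) for each central-directory entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, cd_off = struct.unpack_from("<HII", data, eocd + 10)
    p = cd_off
    for _ in range(count):
        if data[p:p + 4] != CENTRAL_SIG:
            raise ValueError("corrupt central directory at offset %d" % p)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, p + 28)
        (local_off,) = struct.unpack_from("<I", data, p + 42)
        name = data[p + 46:p + 46 + name_len].decode("utf-8", "replace")
        yield name, local_off, extra_len
        p += 46 + name_len + extra_len + comment_len


def check_local_headers(data):
    """Return [(entry_name, message)] for local headers that two parsers could read
    differently: an extra-field length that goes negative as a signed 16-bit value,
    or a local extra length that does not match the central directory."""
    findings = []
    for name, off, cd_extra_len in central_entries(data):
        if data[off:off + 4] != LOCAL_SIG:
            findings.append((name, "missing local header signature"))
            continue
        name_len, extra_len = struct.unpack_from("<HH", data, off + 26)
        data_start = off + 30 + name_len + extra_len                   # unsigned reader
        signed_extra = extra_len - 0x10000 if extra_len & 0x8000 else extra_len
        signed_start = off + 30 + name_len + signed_extra               # signed reader
        if signed_start != data_start:
            findings.append((name, "extra length 0x%04x: unsigned reader starts data at %d, "
                                   "signed reader at %d" % (extra_len, data_start, signed_start)))
        if extra_len != cd_extra_len:
            findings.append((name, "local extra length %d differs from central directory %d"
                                   % (extra_len, cd_extra_len)))
    return findings


def build_sample(tamper=False):
    """Build a small APK-shaped archive in memory (constructed for this example).
    With tamper=True the first entry's local extra-length field is overwritten with
    0xFFFD, the kind of value a signed reader turns into -3."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)   # placeholder, not a real dex
        z.writestr("AndroidManifest.xml", b"<manifest/>")
    data = bytearray(buf.getvalue())
    if tamper:
        struct.pack_into("<H", data, 28, 0xFFFD)   # first local header starts at offset 0
    return bytes(data)


if __name__ == "__main__":
    for name, msg in check_local_headers(build_sample(tamper=True)):
        print(name, "-", msg)
```

The point of the check is that signature verification and code loading must see the same bytes; any field that lets two readers of the same archive diverge is worth flagging before the package is trusted, regardless of which specific offset the published exploit used.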

Android Rat: Androrat & download link

Androrat, an Android remote access tool, allows an operator to access system and private data on the device. Androrat is the product of four university students from France.
Functionality

Androrat covers the breadth of Android malware features. From the README:

    ### All the available functionalities are
    * Get contacts (and all their information)
    * Get call logs
    * Get all messages
    * Location by GPS/Network
    * Monitoring received messages in live
    * Monitoring phone state in live (call received, call sent, call missed..)
    * Take a picture from the camera
    * Stream sound from microphone (or other sources..)
    * Streaming video (for activity based client only)
    * Do a toast
    * Send a text message
    * Give call
    * Open an URL in the default browser
    * Do vibrate the phone
Download Androrat Android Rat

Are you searching for Androrat? We have found the Android RAT tool on the following sources:

1. https://github.com/wcb972/androrat
Communication

In the file inout/Protocol.java the request and response codes are listed. For requests the base number is 100, then a value ranging from 0 to 23 is added to it for the code. This is wrapped with the target channel (multiplexed) and arguments in CommandPacket. Then it is wrapped with other meta info in TransportPacket. The resulting packet data size for requests hovers around 21 bytes.

The APK gives an acknowledgment to requests received. The response message is packed into a custom packet via the following function call sequence (format: ClassName.function):
 
   ProcessCommand.process
-> Client.sendInformation
-> Connection.sendData
-> Mux.send
-> TransportPacket.build

This packet includes the acknowledgement data, total length, data length, the channel (multiplexed), as well as a short and bool for following the packet sequence.

The response codes have a base of 200 and add a value ranging from 0 to 15 to that base. Data being sent is generally built into an array or hash table, then the response is written using ObjectOutputStream.writeObject() and placed into a custom packet. The packet includes the type that was packed. For example, when dumping an SMS to the server, the object type java.util.ArrayList will be included in the packet to indicate what has been written. The fields used in these structures prior to packing are very verbose. As an example, PhoneNumber, SimOperator, and IMEI are used when dumping device information to the server.

The information is sent over TCP with this custom protocol. The default server port is 9999, however, this is configurable.
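The following added example models that framing in Python so the encoding rules above can be exercised end to end; it is not Androrat's own code. The only conventions taken from the page are the numeric ones: request codes 100 plus 0 to 23, response codes 200 plus 0 to 15, a channel carried in both the command and the transport layer, and a transport header holding total length, data length, a short sequence number and a boolean. The exact byte layout (field widths and order, little-endian encoding, length-prefixed UTF-8 string arguments) is assumed, since the page names the fields but not their sizes, so packet lengths here will not match the ~21 bytes quoted above.

```python
import struct

REQUEST_BASE, REQUEST_MAX = 100, 23     # request codes as described: 100 + 0..23
RESPONSE_BASE, RESPONSE_MAX = 200, 15   # response codes as described: 200 + 0..15

# Assumed layouts (the page gives field names, not sizes):
#   TransportPacket: total_len u32, data_len u32, channel i32, seq i16, last u8
#   CommandPacket:   channel i32, code i16, argc u16, then argc (u16 length, UTF-8 bytes) args
TRANSPORT_HDR = struct.Struct("<IIihB")
COMMAND_HDR = struct.Struct("<ihH")


def request_code(n):
    """Code for the n-th request in Protocol.java's numbering."""
    if not 0 <= n <= REQUEST_MAX:
        raise ValueError("request index %d out of range" % n)
    return REQUEST_BASE + n


def is_request(code):
    return REQUEST_BASE <= code <= REQUEST_BASE + REQUEST_MAX


def is_response(code):
    return RESPONSE_BASE <= code <= RESPONSE_BASE + RESPONSE_MAX


def build_command(channel, code, args=()):
    """Serialise a CommandPacket: code, target channel and string arguments."""
    body = b"".join(struct.pack("<H", len(a.encode("utf-8"))) + a.encode("utf-8") for a in args)
    return COMMAND_HDR.pack(channel, code, len(args)) + body


def build_transport(channel, seq, last, data):
    """Wrap command bytes in a TransportPacket with both length fields filled in."""
    return TRANSPORT_HDR.pack(TRANSPORT_HDR.size + len(data), len(data), channel, seq, last) + data


def parse_transport(buf):
    """Return ((channel, seq, last), data); reject packets whose lengths disagree."""
    if len(buf) < TRANSPORT_HDR.size:
        raise ValueError("short packet")
    total, dlen, channel, seq, last = TRANSPORT_HDR.unpack_from(buf)
    if total != TRANSPORT_HDR.size + dlen or len(buf) < total:
        raise ValueError("length fields disagree with buffer")
    return (channel, seq, bool(last)), buf[TRANSPORT_HDR.size:total]


def parse_command(data):
    """Return (channel, code, args); reject codes outside both numbering ranges
    and arguments that run past the end of the data."""
    channel, code, argc = COMMAND_HDR.unpack_from(data)
    if not (is_request(code) or is_response(code)):
        raise ValueError("unknown code %d" % code)
    args, p = [], COMMAND_HDR.size
    for _ in range(argc):
        (n,) = struct.unpack_from("<H", data, p)
        p += 2
        if p + n > len(data):
            raise ValueError("truncated argument")
        args.append(data[p:p + n].decode("utf-8"))
        p += n
    return channel, code, args


if __name__ == "__main__":
    pkt = build_transport(7, 1, True, build_command(7, request_code(3), ["+15555550100", "hi"]))
    print(len(pkt), "bytes:", parse_transport(pkt)[0], parse_command(parse_transport(pkt)[1]))
```

The response side is deliberately not modelled: as the page says, the implant packs its data with ObjectOutputStream.writeObject(), so a server that decodes replies with ObjectInputStream is deserialising attacker-controllable Java objects, which is its own risk for anyone running or emulating the operator side.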

Government spying database: Global Information Grid

It is a good thing that people are becoming aware of the fact that they are being monitored; it is not only speculation anymore. We have seen PRISM, FinSpy and ECHELON. These programs are made to collect information and store it in a database. Now just imagine the resources that PRISM used (Facebook) and how those could be combined with multiple other databases.
This is where GiG comes in

GiG stands for Global Information Grid. Don't let the word Global trick you: the information stored in the GiG is not public and is only accessible to organisations connected to the DoD. If you have a special tool that the NSA can use, then you can sign up for the GiG program.

The Global Information Grid (GIG) is an all-encompassing communications project of the United States Department of Defense.

It is defined as a "globally interconnected, end-to-end set of information capabilities for collecting, processing, storing, disseminating, and managing information on demand to warfighters, policy makers, and support personnel."

The GIG includes owned and leased communications and computing systems and services, software (including applications), data, security services, other associated services, and National Security Systems. Non-GIG IT includes stand-alone, self-contained, or embedded IT that is not, and will not be, connected to the enterprise network.

This new definition removes references to the National Security Systems as defined in section 5142 of the Clinger-Cohen Act of 1996. Further, this new definition removes the references to the GIG providing capabilities from all operating locations (bases, posts, camps, stations, facilities, mobile platforms, and deployed sites). And lastly, this definition removes the part of the definition that discusses the interfaces to coalition, allied, and non-Department of Defense users and systems.

The DoD's use of the term "GIG" is undergoing changes as the Department deals with new concepts such as Cyberspace Operations, GIG 2.0 (A Joint Staff J6 Initiative), and the Department of Defense Information Enterprise (DIE).

The GIG is managed by a construct known as NetOps. NetOps is defined as the operational framework consisting of three essential tasks, Situational Awareness (SA), and Command & Control (C2) that the Commander (CDR) of US Strategic Command (USSTRATCOM), in coordination with DoD and Global NetOps Community, employs to operate and defend the GIG to ensure information superiority.

Anonymous #opPrism set for August 31st


An Anonymous #opPrism video has been released on the internet, and the message behind the video is that Anonymous is not happy with the unethical spying by the government. Anonymous claims that this tool is being used in over 35 countries and that these kinds of tools are simply made to remove your rights.

Anonymous has obtained some documents that "they" do not want you to see, and much to "their" chagrin, we have found them, and are giving them to you. These documents prove that the NSA is spying on you, and not just Americans. They are spying on the citizens of over 35 different countries. These documents contain information on the companies involved in GiG, and Prism.
What is  the NSA GiG program?

The Global Information Grid (GIG) vision implies a fundamental shift in information management, communication, and assurance.

The GIG is the globally interconnected, end-to-end set of information capabilities for collecting, processing, storing, disseminating, and managing information on demand to warfighters, policy makers, and support personnel. The GIG includes owned and leased communications and computing systems and services, software (including applications), data, security services, other associated services, and National Security Systems. Non-GIG IT includes stand-alone, self-contained, or embedded IT that is not, and will not be, connected to the enterprise network. (DODD 8000.01)

The GIG will use commercial technologies augmented to meet the DoD's mission-critical user requirements.

The GIG will be a net-centric system operating in a global context to provide processing, storage, management, and transport of information to support all Department of Defense (DoD), national security, and related Intelligence Community missions and functions - strategic, operational, tactical, and business - in war, in crisis, and in peace.

GIG capabilities will be available from all operating locations: bases, posts, camps, stations, facilities, mobile platforms, and deployed sites. The GIG will interface with allied, coalition, and non-GIG systems.

The overarching objective of the GIG vision is to provide the National Command Authority (NCA), warfighters, DoD personnel, Intelligence Community, business, policy-makers, and non-DoD users with information superiority, decision superiority, and full-spectrum dominance.
#opPrism video

#opPrism transcript

Anonymous Press Release NSA / PRISM (#opPRISM). Call to Action: Protest PRISM August 31. Welcome to fight for privacy and security in Operation PRISM.

Greetings world, we are Anonymous.
Anonymous has obtained some documents that "they" do not want you to see, and much to "their" chagrin, we have found them, and are giving them to you. These documents prove that the NSA is spying on you, and not just Americans. They are spying on the citizens of over 35 different countries. These documents contain information on the companies involved in GiG, and Prism.

What's GiG, you might ask? Well...
The Global Information Grid will enable the secure, agile, robust, dependable, interoperable data sharing environment for the Department where warfighter, business, and intelligence users share knowledge on a global network that facilitates information superiority, accelerates decision-making, effective operations, and Net-Centric transformation.

Like we said, this is happening in over 35 countries, and done in cooperation with private businesses and intelligence partners worldwide. We bring this to you so that you know just how few rights you have. Your privacy and freedoms are slowly being taken from you, in closed-door meetings, in laws buried in bills, and by people who are supposed to be protecting you.