Archive for the ‘security news’ Category

New Trojan affects Android devices

Friday, January 7th, 2011

A new, sophisticated Android Trojan, dubbed “Geinimi”, has emerged in China, compromising devices and carrying botnet-style functionality.

The malware sends personal data from the user’s phone to a remote server and is also capable of receiving commands from remote servers controlled by the attackers, which lets them control the phone. Mobile security firm Lookout describes the malware as the most sophisticated yet to appear on Android devices. It has been uploaded to third-party Chinese Android app markets, posing as gaming applications (Monkey Jump 2, Sex Positions, President vs. Aliens, City Defense, Baseball Superstars 2010).

When Geinimi is launched, it collects significant information, such as location coordinates and the unique identifiers of the device (IMEI) and SIM card (IMSI), and attempts to connect to a remote server to transmit the collected device information.

The security firm already updated both free and paid versions of its software to protect against Geinimi.

Source: http://blog.mylookout.com/2010/12/geinimi_trojan/

$120 to decrypt your files (ransomware attack)

Friday, January 7th, 2011

According to researchers at SophosLabs, hackers are trying to spread a new ransomware in order to extort $120. More specifically, this ransomware encrypts media and Office files on the victim’s computer. As a result, victims cannot access these files (because they have been encrypted by the malicious code) until they pay the hackers.

It seems that this ransomware attack has hit many computers via drive-by downloads from compromised websites. Many users reported that they received the attack via a malicious PDF which downloads and installs the ransomware.

The attack changes the Windows desktop wallpaper to show the first part of the ransom message.

http://sophosnews.files.wordpress.com/2010/11/ransomware-wallpaper.jpg

The “HOW TO DECRYPT” txt-file on the desktop contains the message:

Attention!!!

All your personal files (photo, documents, texts, databases, certificates, kwm-files, video) have been encrypted by a very strong cypher RSA-1024. The original files are deleted. You can check this by yourself - just look for files in all folders.

There is no possibility to decrypt these files without a special decrypt program! Nobody can help you - even don't try to find another method or tell anybody. Also after n days all encrypted files will be completely deleted and you will have no chance to get it back.

We can help to solve this task for 120$ via wire transfer (bank transfer SWIFT/IBAN). And remember: any harmful or bad words to our side will be a reason for ingoring your message and nothing will be done.

For details you have to send your request on this e-mail (attach to message a full serial key shown below in this 'how to..' file on desktop): [email address]

The above message gives an email address to contact if the victim wants to recover the encrypted data. It also contains a hex-string fingerprint which changes between runs; it serves as a unique victim ID and must be quoted when the victim contacts the hackers.

File types which can be affected: .jpg, .jpeg, .psd, .cdr, .dwg, .max, .mov, .m2v, .3gp, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .rar, .zip, .mdb, .mp3, .cer, .p12, .pfx, .kwm, .pwm, .txt, .pdf, .avi, .flv, .lnk, .bmp, .1cd, .md, .mdf, .dbf, .odt, .vob, .ifo, .mpeg, and .mpg.
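As an added illustration (not from the Sophos report or this post), the following Python script shows one way a defender can spot files that were encrypted in place by ransomware of this kind. For the affected extensions that carry a recognisable file header, a file whose header no longer matches its extension and whose content is near-random (high Shannon entropy) is flagged. The magic-byte table, the entropy threshold, the function names and the sample files it writes to a temporary directory are all constructed for this example.

```python
import math
import os
import tempfile
from pathlib import Path

# Expected leading bytes ("magic") for some of the extensions on the affected list.
# Constructed lookup for this example; formats with no fixed header (.txt, .md, .dbf, ...)
# cannot be judged this way and are skipped.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF",),
    ".zip": (b"PK\x03\x04",), ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",), ".pptx": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0",), ".xls": (b"\xd0\xcf\x11\xe0",), ".ppt": (b"\xd0\xcf\x11\xe0",),
    ".rar": (b"Rar!",), ".mp3": (b"ID3", b"\xff\xfb"), ".bmp": (b"BM",),
}
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext and random data sit close to 8.0
HEAD = 4096               # bytes examined per file


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def assess(path: Path):
    """Verdict dict for a file with a known extension, or None if we cannot judge it."""
    ext = path.suffix.lower()
    if ext not in MAGIC:
        return None
    head = path.read_bytes()[:HEAD]
    magic_ok = any(head.startswith(m) for m in MAGIC[ext])
    entropy = shannon_entropy(head)
    return {
        "name": path.name,
        "magic_ok": magic_ok,
        "entropy": round(entropy, 2),
        # header gone AND content near-random: consistent with in-place encryption
        "suspicious": (not magic_ok) and entropy > ENTROPY_THRESHOLD,
    }


def scan(root) -> list:
    """Assess every file under root whose extension has a known header."""
    results = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            verdict = assess(p)
            if verdict is not None:
                results.append(verdict)
    return results


def suspicious_names(root) -> list:
    return [r["name"] for r in scan(root) if r["suspicious"]]


def build_sample_tree() -> Path:
    """Constructed sample directory: two intact files, one 'encrypted' file, one unassessable file."""
    d = Path(tempfile.mkdtemp(prefix="ransom-demo-"))
    # intact JPEG: valid header followed by high-entropy data (compressed media is near-random too)
    (d / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + bytes(range(256)) * 8)
    (d / "report.pdf").write_bytes(b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 50)
    # what a .docx looks like after ransomware overwrote it with ciphertext (simulated with random bytes)
    (d / "budget.docx").write_bytes(os.urandom(HEAD))
    (d / "notes.txt").write_text("meeting notes\n")   # .txt has no header to check against
    return d


if __name__ == "__main__":
    root = build_sample_tree()
    for r in scan(root):
        print(f"{r['name']:12} magic_ok={str(r['magic_ok']):5} "
              f"entropy={r['entropy']:.2f} suspicious={r['suspicious']}")
```

The header check matters as much as the entropy: compressed media such as JPEGs, MP3s and ZIP archives are near-random even when intact, so entropy alone would flag every photo on the disk. Conversely, a file such as `notes.txt` has no fixed header and cannot be judged this way, which is why the script reports nothing about it rather than guessing.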

Top 10 security threats for 2011

Friday, January 7th, 2011

Imperva announced their Top 10 Security Threats for 2011, which include:

1. Nation-sponsored hacking: Advanced technological threats (hacker industry and APT) from hackers who are funded by a government, like Stuxnet.
2. Insider Threats: A company may be threatened by an employee who turns hacker, or by an outside hacker who has obtained an employee’s profile. Access control will be a key factor in neutralizing this threat.
3. Man in the Browser Attacks: Similar to “man-in-the-middle” attacks, a trojan is used to interpose itself between the browser and its security mechanisms or libraries. The main purpose is financial fraud in online transactions, even when authentication works correctly.
4. Misanthropes and anti-socials: Privacy vs. security in social networks: In 2011, popular social networks and tools will make more efforts into security over privacy. This is not the result of resolving privacy issues, but rather an understanding of the real threats to the existence and spread of social networks.
5. Data Loss: All the data we collect on everything needs to be locked down.
6. Cloud Security: Spanning computer security, network security and information security, this refers to a wide range of principles, technologies and controls designed to protect the data, applications and related infrastructure of cloud computing.
7. Mobile Devices: The mobile Internet and online applications, which are usually technologically complex, make mobile devices vulnerable to threats.
8. Hackers and Criminal Networks: The “hacker industry” invests more resources in the attack techniques and detection evasion.
9. Consolidation: Cyber security has become a business process and cannot be separated from business operations.
10. Regulation: Convergence of data security and privacy regulation worldwide as governments tighten the legal screws on enterprises.

Source: http://www.net-security.org/secworld.php?id=10154

Popular web sites are stealing browser histories

Tuesday, December 7th, 2010

Some of the most popular web sites are exploiting a flaw to read the browser’s Web history, according to researchers at the University of California, San Diego. Their study tracked the 50,000 most popular websites and found that 485 sites are exploiting the history-sniffing flaw, and 46 of those sites are actively downloading browser history, including youporn.com, gamesfreak.com, newsmax.com, morningstar.com and espnf1.com.

History sniffing is the combination of JavaScript and Cascading Style Sheet (CSS) properties that enables a site to figure out where a user has been on the Web, by reading the different colour the browser applies to links the user has already visited. The researchers’ findings are published in a new study entitled “An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications.”

According to the researchers, about 18 sites, such as Gamestorrents.com, are using the exploit to analyze a user’s past visits to more than 220 sites. YouPorn.com, an amateur porn site and one of the 100 most visited sites on the Web, analyzes the browsing history for more than 21 sites, encoding its JavaScript to hide the list of sites it checks for and decoding it only when used, to cover its tracks.

The widely known vulnerability that these sites exploit exists in all production browsers except Apple’s Safari, which was the first to address the threat; Google Chrome and Mozilla Firefox soon followed, although the production versions of those browsers are still wide open. Internet Explorer may also defend against this attack if the browser is used in private browsing mode.

The study also detected sites maintained by Microsoft, YouTube, Yahoo and About.com that employ JavaScript to track mouse movements on a page, to detect what a user does after visiting it.

Zero-day flaw bypasses Windows UAC

Sunday, November 28th, 2010

A new vulnerability in the Windows kernel was disclosed on Wednesday (11-24-2010) that could allow malware to attain administrative privileges by bypassing User Account Control (UAC).

A zero-day exploit in Microsoft Windows enables non-administrator accounts to execute code as if they were an administrator. The flaw appears to affect all versions of Windows back to at least Windows XP, including the latest Windows 2008 R2 and Windows 7 systems.

A bug in win32k.sys, which is part of the Windows kernel, seems to be responsible for this exploit. The flaw is related to the way in which a certain registry key is interpreted and enables an attacker to impersonate the system account, which has nearly unlimited access to all components of the Windows system. The registry key in question is under the full control of non-privileged users.

This exploit does not allow remote code execution (RCE). Thus, malicious code that uses the exploit must first be introduced onto the system, so your anti-virus software should be able to block those payloads and keep you safe.

source

HDCP Cracked! (?)

Sunday, November 28th, 2010

HDCP is a content protection scheme, developed by Intel Corp., designed to eliminate the possibility of intercepting encrypted high-definition digital data midstream between the source and the display. It prevents copying of digital audio and video content as it travels across DisplayPort, DVI, HDMI, GVIF, UDI and similar connections. HDCP uses a three-stage protection process:

  • Device Authentication and Key Exchange
  • Encryption of Content
  • Key-revocation procedures

In 2001, before HDCP was deployed in any commercial product, a paper revealing cryptanalytic flaws was published. According to this paper, the linear key exchange is a fundamental weakness: the key swap can be broken with a conspiracy attack (obtaining the keys of 39 devices and reconstructing the secret master matrix).

On September 14th, 2010, hackers posted an HDCP master key on Pastebin: the key that protects millions of devices and media contents, such as Blu-ray, against redistribution. Two days later, Intel confirmed the authenticity of the key, and a few days after that a programming group released an open-source C implementation of the HDCP encryption/decryption algorithm. It is not very efficient, since HDCP was designed for hardware, but it works and verifies that the leaked key is correct.

But is this the end of HDCP?

What one can really do with this master key is derive keys for new devices that interoperate with the keys issued under Intel’s security technology. Theoretically, a nefarious user could also capture, decrypt and reproduce media travelling across HDMI cables from one device to another. But the most realistic scenario is to build ‘fake’ devices without paying Intel’s fees or following its standards: for example, a Chinese factory could produce Blu-ray players or repeaters/recorders capable of connecting to genuine HD TVs, using the leaked master key, without any approval from Intel. Intel, on the other hand, declares that a lot of expertise and money is needed to accomplish that, and that in combination with legal threats against possible fraud, HDCP remains an effective component for protecting digital entertainment.
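To make the “linear key exchange” and the “derive keys for devices” point concrete, here is an added toy model in Python of the HDCP 1.x key-selection structure. It is not Intel’s code, nor the leaked C implementation mentioned above, and the function names are my own. The model follows the published design: the master secret is a symmetric 40×40 matrix of 56-bit values, each device’s 40 private keys are that matrix applied to the device’s 40-bit Key Selection Vector (KSV, which must have exactly 20 bits set), and two devices derive the same shared secret Km by summing their own private keys at the positions where the peer’s KSV has a 1. The master matrix is generated at random here and stands in for the secret that was leaked.

```python
import secrets

KEY_BITS = 56                 # HDCP 1.x device keys are 56-bit values
MOD = 1 << KEY_BITS
N = 40                        # 40 device keys per device, 40-bit KSV
KSV_WEIGHT = 20               # a valid KSV has exactly 20 bits set


def random_master_matrix(randbelow=secrets.randbelow):
    """Constructed stand-in for the secret master matrix: symmetric, N x N, entries mod 2^56."""
    m = [[0] * N for _ in range(N)]
    for i in range(N):
        for j in range(i, N):
            m[i][j] = m[j][i] = randbelow(MOD)
    return m


def ksv_bits(ksv):
    """Bit i of the KSV selects device key i."""
    return [(ksv >> i) & 1 for i in range(N)]


def is_valid_ksv(ksv):
    return 0 <= ksv < (1 << N) and bin(ksv).count("1") == KSV_WEIGHT


def random_ksv():
    """A well-formed KSV: 40 bits wide with exactly 20 bits set."""
    positions = secrets.SystemRandom().sample(range(N), KSV_WEIGHT)
    return sum(1 << p for p in positions)


def device_keys(master, ksv):
    """Private keys issued to a device: the master matrix applied to its KSV (K = M * ksv).

    Whoever holds the master matrix can issue keys for any KSV, which is what the
    leak makes possible for devices that never went through Intel's licensing."""
    if not is_valid_ksv(ksv):
        raise ValueError("KSV must be 40 bits wide with exactly 20 bits set")
    sel = ksv_bits(ksv)
    return [sum(master[i][j] for j in range(N) if sel[j]) % MOD for i in range(N)]


def shared_key(own_keys, peer_ksv):
    """Km: sum of one's own private keys at the positions where the peer's KSV has a 1."""
    if not is_valid_ksv(peer_ksv):
        raise ValueError("peer KSV must be 40 bits wide with exactly 20 bits set")
    sel = ksv_bits(peer_ksv)
    return sum(k for k, b in zip(own_keys, sel) if b) % MOD


def authenticate(master, ksv_tx, ksv_rx):
    """Run the exchange for a transmitter/receiver pair; returns (Km at tx, Km at rx).

    Both sides agree because Km = ksv_tx^T * M * ksv_rx and M is symmetric."""
    keys_tx = device_keys(master, ksv_tx)
    keys_rx = device_keys(master, ksv_rx)
    return shared_key(keys_tx, ksv_rx), shared_key(keys_rx, ksv_tx)


if __name__ == "__main__":
    master = random_master_matrix()
    tx, rx = random_ksv(), random_ksv()
    km_tx, km_rx = authenticate(master, tx, rx)
    print(f"tx Km = {km_tx:014x}\nrx Km = {km_rx:014x}\nagree = {km_tx == km_rx}")
```

Every quantity in this scheme is a linear function of the master matrix: each device key is a sum of matrix entries and Km is a sum of device keys. That linearity is exactly the weakness the 2001 paper describes, since the private keys of a small set of cooperating devices (39 in the paper) pin the matrix down, and it is also why a single leaked matrix suffices to manufacture keys for arbitrary new devices.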

Analysis of Android Froyo uncovers 88 flaws exposing users’ data

Sunday, November 28th, 2010

A study by Coverity [1] unveils 88 flaws exposing users’ data. The study examined the publicly disclosed version of the Android kernel. Among the defects discovered in Android there were memory corruptions, illegal memory accesses and resource leaks. All of the mentioned defects are considered high-risk.
Coverity said it won’t release details until January, which gives Google and handset vendors time to issue fixes.
Since Android is the OS of about 26% of smartphones worldwide [2] and companies are supplying their employees with smartphones for mixed business and personal use, malicious software could be deployed to extract information from companies.

[1] http://www.coverity.com/library/pdf/coverity-scan-2010-open-source-integrity-report.pdf

[2] http://en.wikipedia.org/wiki/Usage_share_of_operating_systems#Mobile_devices

Zynga sued for sharing Facebook user IDs with advertisers and data brokers

Sunday, October 24th, 2010

The largest Facebook games developer has been hit by a lawsuit for leaking the personal information of 218 million Facebook members to third parties.

Only days have passed since The Wall Street Journal reported that a large number of Facebook apps, including Zynga games such as Farmville and Mafia Wars, leaked the user IDs of Facebook players and their friends to outside companies.

User IDs are unique identifiers, which can be used to access a user’s Facebook profile by simply going to http://www.facebook.com/#!/profile.php?id=[UID].

The actual harm that might be done if a user’s Facebook ID is exposed is debatable, and Zynga representatives called the lawsuit without merit and stressed that they are preparing a strong defense, according to The Register.

The Facebook social network prohibits the sharing of user IDs with data brokers in its privacy policies and, in order to assuage critics following these privacy breaches, is planning to encrypt the user IDs.

Windows shortcut flaw goes wild?

Wednesday, July 21st, 2010

On July 16, Microsoft released Security Advisory 2286198, confirming the Windows shortcut flaw that exposes users of all current versions of Windows, including fully patched Windows 7 systems, to very serious attacks.

Merely opening a directory containing the malicious shortcut is enough to get infected: once the shortcut’s icon is displayed in Windows Explorer, the malicious code is launched without any further user interaction. Hackers have already developed malware that spreads via USB sticks using this vulnerability. Independent security researcher Frank Boldewin found that the attack is currently targeted at the WinCC SCADA system by Siemens. “Looks like this malware was made for espionage,” Boldewin writes.

On Sunday, a researcher known as “Ivanlef0u” published proof-of-concept code to several locations on the Internet. There is already a Metasploit module that implements the exploit via the WebDAV method.

To protect yourself from the attack, Microsoft suggests disabling the display of icons for shortcuts and turning off the WebClient service as workarounds. Refer to the Microsoft advisory for details on how to “Disable the displaying of icons for shortcuts”. Another way to protect yourself is to use Didier Stevens’ tool Ariad.

Additional information on the flaw can be found in a blog post by the SANS Institute’s Internet Storm Centre.

source:

Experts Warn of New Windows Shortcut Flaw

MS confirms Windows shortcut zero-day flaw

Preempting a Major Issue Due to the LNK Vulnerability – Raising Infocon to Yellow

New Linux OS REMnux Designed For Reverse Engineering Malware

Tuesday, July 20th, 2010

A new OS called REMnux has been released by Lenny Zeltser, a security expert specializing in malware reverse engineering. REMnux is a lightweight Ubuntu-based distribution originally distributed as a VMware virtual appliance, which can be booted via several VMware products or used through X Windows. The OS was also recently released as an ISO image of a Live CD.

The classical approach to analyzing malware is to set up a virtual machine on a computer specifically designed for that purpose, then release the malware and monitor how it affects the system. The drawback of this protocol is that much of the malware’s behavior can remain hidden, while deeper analysis is not a convenient option.

REMnux addresses these disadvantages and offers an alternative approach to taking apart malicious code. Typically, another laboratory system is infected with the malware sample, and its potentially malicious connections are directed to the REMnux “monitoring” ports.

The distribution combines a generous number of popular malware-analysis, reverse-engineering, network-monitoring and memory-forensics tools. Amongst them, REMnux contains three tools for analyzing Flash-specific malware, namely SWF Tools, Flasm and Flare. Furthermore, it contains several applications for analyzing malicious PDFs, such as Didier Stevens’ analysis tools. The OS also provides many tools for de-obfuscating JavaScript, including the Rhino debugger, a NoScript-equipped version of Firefox, JavaScript Deobfuscator and Firebug, and Windows Script Decoder. In addition to the above analysis tools, a small Web server, an IRC server and a pseudo-DNS server are also included. Further, several tools for network monitoring and interaction, such as the virtual honeypot server HoneyD, as well as Wireshark, INetSim, the fakedns and fakesmtp scripts, and NetCat, are also part of REMnux.

Behind the development of REMnux stands the idea of providing a useful set of tools for people interested in the field, rather than a be-all reverse-engineering environment. As Zeltser himself puts it: “This doesn’t have every tool in it, because I think people can get distracted with too many tools in there”. Rather, Zeltser states that this OS targets beginners or people who are not Linux experts. He also hopes that users’ input and comments will aid the further development of REMnux towards an improved version of the OS.

Any interested and adventurous potential developers who would like to contribute to the improvement of REMnux are welcome to contact Lenny Zeltser directly.