security « The FORWARD project blog

Posts Tagged ‘security’

Malicious Android apps double in 6 months

Tuesday, January 10th, 2012

Lookout Mobile Security has identified 1000 malicious applications in less than six months.
Previously, most of the malicious apps were located on third-party app stores and alternatives to the official Android Market.
Lookout mentions that the likelihood of an Android user encountering malware increases from 1 to 4 percent yearly, and that the U.S. ranks in the middle for mobile malware compared to other countries.
Another attack vector is convincing Android users to click on untrusted links that lead to malware and phishing sites.
The global yearly likelihood of an Android user clicking on an unsafe link is much higher and reaches 36 percent (6 percent higher than in July 2011); in the U.S. the likelihood is 40 percent.
Another issue that Lookout detected is “mobile pickpocketing”: applications and malware that charge the phone owner without their knowledge.
There are also the RuFraud applications, which pretend to be free wallpaper finders and popular games but hide terms that allow the service to charge the phone owner without their knowledge.
Lookout expects many more such incidents to be reported, along with botnets, malware that exploits weaknesses in mobile operating systems, browser-based attacks, malware hiding in mobile advertisements, and tools that automatically repackage legitimate applications to add malware.
Lookout finally suggests avoiding third-party application stores, avoiding clicking on in-app advertisements, and being wary of apps that ask you to click “OK”. Users should check reviews before downloading any application, especially those related to games, utilities and porn, which are the most likely to contain malware.

Sources:
cnet.com
RuFraud Apps

WPS Design Flaw Revealed

Tuesday, January 10th, 2012

A security technology that is widely used in recent domestic and small-business modem/routers is WiFi Protected Setup (WPS). As its name implies, the WPS protocol was designed to aid the WiFi security configuration process and so enhance device usability. In contrast to that usability, however, several researchers have revealed security issues that could easily lead to a DoS attack.

WPS supports both out-of-band configuration over Ethernet/UPnP and in-band configuration over IEEE 802.11/EAP. Since the (wireless) in-band option is the one most likely to be exploited by in-range attackers, it is worth examining the three configuration methods that in-band configuration over IEEE 802.11/EAP provides.

In the first configuration method, the user has to push a button, usually a physical one, on both the access point and the new wireless client device. This method is commonly referred to as PBC (Push Button Connect) and saves the user from typing a unique security key code to perform authentication. The second method involves typing the client device's PIN into the web interface of the access point and is usually referred to as PIN internal registrar. The third method is called PIN external registrar, because the user enters the PIN of the access point into a GUI provided by the client device (usually a computer).

The latter method is extremely vulnerable to a brute force attack, since no authentication is required to attempt a PIN. If an incorrect PIN is entered, the access point responds with an EAP-NACK message. An attacker can brute force the PIN by incrementing it each time an EAP-NACK message is received. Furthermore, depending on which handshake message the attacker (acting as the client) sends to the access point before the EAP-NACK comes back, the attacker can determine whether the first half or the second half of the PIN is correct. This has a dramatic impact on the brute force search: each half of the PIN can be incremented independently until it matches, which reduces the time needed to obtain the PIN enormously.

In an attempt to restrict brute forcing, vendors incorporate lock-down mechanisms into their devices that introduce a delay every time an incorrect PIN is entered. However, at least one researcher has shown that such lock-down mechanisms are not sufficient to make the attack infeasible. Several factors influence the maximum attack time, depending on whether a lock-down scheme is deployed; the lock-down duration and the number of attempts allowed before lock-down are the predominant ones. A researcher's proof-of-concept brute force tool has shown that the maximum attack time ranges from 3.97 hours to 2203.97 hours, depending on the lock-down mitigation employed by the vendor. Apart from vendors, end users could prevent a brute force attack by deactivating WPS. However, this may not always be possible.
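To make the reasoning about lock-down times concrete, here is a small risk model written for this page (it is not the researchers' tool, and the 3.97 h and 2203.97 h figures above come from their measurements, not from this script). It computes the worst-case attack time from the search space, an assumed per-attempt duration and a lock-down policy, and checks whether that worst case outlasts an access point's typical uptime. The per-attempt time and the lock-down parameters in the demo are assumptions chosen for illustration.

```python
"""Risk model for the WPS external-registrar PIN brute force described above.

Added example, not code from the original post or from the researchers cited.
It estimates the worst-case (maximum) attack time as a function of the vendor's
lock-down policy so a defender can judge whether a given lock-down is enough for
an access point that stays up for months. Per-attempt timing and lock-down
parameters are assumptions for illustration, not measured values.
"""
from dataclasses import dataclass
from typing import Optional

# Size of the search space without and with the half-by-half feedback leak.
FULL_PIN_SPACE = 10 ** 8             # eight decimal digits tried as one secret
SPLIT_PIN_SPACE = 10 ** 4 + 10 ** 4  # each half confirmed independently, as the post describes
# (In the real protocol the eighth digit is a checksum, so the second half is
#  only 10**3 in practice; the post does not go into that detail.)


@dataclass(frozen=True)
class LockdownPolicy:
    """Vendor lock-down: after `attempts_before_lockdown` failures the AP refuses
    WPS for `lockdown_seconds`. `attempts_before_lockdown=None` means no lock-down."""
    attempts_before_lockdown: Optional[int] = None
    lockdown_seconds: float = 0.0

    def lockdowns_for(self, attempts: int) -> int:
        """Number of lock-down periods a worst-case run of `attempts` tries incurs.
        The final (successful) attempt never triggers a lock-down, hence attempts - 1."""
        if not self.attempts_before_lockdown or attempts <= 1:
            return 0
        return (attempts - 1) // self.attempts_before_lockdown


def max_attack_time_hours(attempts: int, seconds_per_attempt: float,
                          policy: LockdownPolicy = LockdownPolicy()) -> float:
    """Worst case: every candidate is tried, plus every lock-down that is incurred."""
    active = attempts * seconds_per_attempt
    idle = policy.lockdowns_for(attempts) * policy.lockdown_seconds
    return (active + idle) / 3600.0


def lockdown_is_sufficient(policy: LockdownPolicy, seconds_per_attempt: float,
                           uptime_days: float) -> bool:
    """A lock-down only protects the PIN if the worst case outlasts the AP's uptime."""
    worst = max_attack_time_hours(SPLIT_PIN_SPACE, seconds_per_attempt, policy)
    return worst > uptime_days * 24


if __name__ == "__main__":
    per_attempt = 1.8  # assumed seconds per PIN attempt (handshake plus EAP-NACK)
    for name, policy in [
        ("no lock-down", LockdownPolicy()),
        ("60 s after 3 failures", LockdownPolicy(3, 60)),
        ("1 h after 1 failure", LockdownPolicy(1, 3600)),
    ]:
        hours = max_attack_time_hours(SPLIT_PIN_SPACE, per_attempt, policy)
        ok = lockdown_is_sufficient(policy, per_attempt, uptime_days=180)
        print(f"{name:>22}: {hours:10.1f} h   outlasts 6 months of uptime: {ok}")
    naive = max_attack_time_hours(FULL_PIN_SPACE, per_attempt)
    print(f"for comparison, without the half-PIN leak: about {naive / 24 / 365:.0f} years")
```

The point the model makes is the one the post draws: a lock-down that stretches the worst case from hours to days changes little for a device that runs unattended for half a year, which is why turning WPS off (or a firmware fix) is the real mitigation.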

Another researcher, who implemented an open source tool that performs brute force attacks exploiting the WPS vulnerability, concluded that once the WPS PIN is known, the router's encryption passphrase can easily be revealed. This holds even if multiple radios are used at the physical layer, each configured with a different WPA key, and even if the user later changes the passphrases.

The key point is that WPS is likely to be turned on by default as a factory setting, and where this is the case a means of turning it off may not be available, leaving a security flaw even for end users who never use WPS. A long lock-down period is certainly not a solution on its own, since an access point typically runs continuously for months, which is ample time for an attack to take place. To address this flaw, a mature solution would combine vendor collaboration on mitigation techniques with an information campaign urging end users to upgrade their firmware and/or deactivate WPS.

References:

http://krebsonsecurity.com/2011/12/new-tools-bypass-wireless-router-security/#more-13177

http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf


iPhone Safer from Hackers than Android

Friday, January 14th, 2011

Android-based smartphones are more vulnerable to attacks by hackers and electronic viruses than the iPhone, according to the chairman of the world’s largest provider of security software for corporate servers. The remarks were made less than a week after the company, Trend Micro, released its Mobile Security software for Android devices.

“Android is open source, which means the hacker can also understand the underlying architecture and source code”, Chairman Steve Chang told Bloomberg Businessweek.

“We have to give credit to Apple, because they are very careful about it,” he added. “It’s impossible for certain types of viruses” to operate on the iPhone.

Google didn’t exactly refute Chang’s claim in its response to Bloomberg. “On all computing devices, users necessarily entrust at least some of their information to the developer of the application they’re using,” it said in an email. “Android has taken steps to inform users of this trust relationship and to limit the amount of trust a user must grant to any given application developer.”

In the iPhone universe, the amount of trust a user must cede to a developer is less than in the Android realm because Apple reviews all apps before it allows them to be sold through its App Store. Although that kind of quality review doesn’t exist in the Android world yet, some vetting of apps will occur when Amazon launches its Android apps store later this year.

As smartphone usage grows in corporations, they’ll become more tempting targets for hackers. “Smartphones are the next PC, and once they’re adopted by enterprises, data loss will be a very key problem,” Chang said.

Trend Micro’s Mobile Security app for Android, which it’s selling for $3.99, will block viruses and malicious viruses, as well as unwanted calls, on smartphones running the operating system. It also installs parental controls on a phone’s web browser. According to the company, the app is the only mobile tool that uses cloud-based security intelligence to protect Android devices from the latest cyber threats.

source: PCWorld

Security Risks When Using VoIP

Friday, January 14th, 2011

Identity and service theft
VoIP services can be phreaked. Phreaking is a type of hacking that steals or uses a service from a service provider at another person's expense. The Session Initiation Protocol (SIP), which handles authentication for VoIP calls, does not commonly use encryption, which leaves VoIP services open to phreaking.
Eavesdropping
Hackers steal user names, passwords and phone numbers through eavesdropping in order to take control of voicemail, billing information and call forwarding. They do not always do this to gain free service; they also do it to obtain business data and other sensitive information.
Vishing
Vishing is another name for VoIP phishing: someone calls you pretending to be a trustworthy organization (e.g. your bank) and requests personal and sensitive information such as your account number, credit card details, etc. The criminals who phone you already hold some information about you, which creates a false sense of security, and consequently you give them more sensitive information.
Call tampering
Voice calls can be tampered with by an attacker, who can simply degrade the quality of the call by injecting noise into the communication stream. The participants can also experience long periods of silence during the call when the attacker withholds the transfer of packets.
Viruses and malware
VoIP equipment such as soft phones is vulnerable to malware just like any other internet application. A soft phone application runs on a user's system (e.g. a PC or PDA) and is therefore easily exposed to malicious code.
DoS (Denial of Service)
VoIP can suffer from DoS (Denial of Service) attacks. These are often achieved by overloading the network or device, or by consuming all available bandwidth. VoIP calls can also be dropped prematurely by flooding the target with unnecessary SIP call-signalling messages, which halts call processing.
SPIT (Spamming over Internet Telephony)
Spam over VoIP is not yet very common but is beginning to appear. Like the promotional e-mails and sales calls we often receive, these messages are now reaching VoIP voicemails. Since every VoIP account has an associated IP address, it is easy for spammers to send voice messages to numerous random IP addresses, clogging voicemail boxes. Spam sent to VoIP accounts can also carry malware and spyware.
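The SIP signalling flood mentioned under DoS is one of the easier VoIP abuses to spot from logs. The following is an added example written for this page (not code from the original post or any PBX vendor): it scans a constructed sample of SIP signalling log lines and flags any source address that sends at least `threshold` INVITE requests within a sliding window of `window_seconds`. The log line format (`timestamp src=... method=... to=...`) is an assumption chosen for the example, so a real deployment would adapt `LINE_RE` to its own PBX or SBC log.

```python
"""Detection logic for a SIP INVITE flood, as described under DoS above.

Added example, not from the original post. The log format below is a generic
key=value style assumed for illustration; adapt LINE_RE to your own PBX logs.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>\S+) method=(?P<method>[A-Z]+) to=(?P<to>\S+)$"
)

# Constructed sample log: one source (192.0.2.10) hammers the proxy with INVITEs,
# another (198.51.100.7) behaves like a normal phone. One line is deliberately garbage.
SAMPLE_LOG = """\
2011-01-14T09:00:00 src=198.51.100.7 method=REGISTER to=sip:bob@example.net
2011-01-14T09:00:01 src=192.0.2.10 method=INVITE to=sip:alice@example.net
2011-01-14T09:00:01 src=192.0.2.10 method=INVITE to=sip:alice@example.net
2011-01-14T09:00:02 src=198.51.100.7 method=INVITE to=sip:alice@example.net
2011-01-14T09:00:02 src=192.0.2.10 method=INVITE to=sip:alice@example.net
2011-01-14T09:00:02 src=192.0.2.10 method=INVITE to=sip:alice@example.net
2011-01-14T09:00:03 src=192.0.2.10 method=INVITE to=sip:alice@example.net
2011-01-14T09:00:03 src=192.0.2.10 method=INVITE to=sip:alice@example.net
2011-01-14T09:00:45 src=198.51.100.7 method=INVITE to=sip:carol@example.net
2011-01-14T09:00:46 src=198.51.100.7 method=BYE to=sip:carol@example.net
this line is not a SIP record and must be skipped
"""


def parse_line(line: str) -> Optional[dict]:
    """Return a record dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_invite_flood(lines: Iterable[str], threshold: int = 5,
                        window_seconds: int = 10) -> Dict[str, datetime]:
    """Map each flooding source to the time it first crossed the threshold.

    A per-source deque holds the timestamps of recent INVITEs; entries older than
    the window are evicted before the count is compared with the threshold.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, datetime] = {}
    for rec in map(parse_line, lines):
        if rec is None or rec["method"] != "INVITE":
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        while q and (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and rec["src"] not in flagged:
            flagged[rec["src"]] = rec["ts"]
    return flagged


if __name__ == "__main__":
    for src, when in detect_invite_flood(SAMPLE_LOG.splitlines()).items():
        print(f"possible INVITE flood from {src}, threshold crossed at {when.isoformat()}")
```

Tune `threshold` and `window_seconds` to the call volume a single endpoint legitimately generates; the same sliding-window structure works for REGISTER floods if the method filter is changed.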

Mac App Store Protection Cracked

Friday, January 14th, 2011

A group of hackers, Hackulous, announced that they have developed a program called “Kickback” that can break the protection of applications hosted on the Mac App Store. In other words, by installing this software users will be able to pirate any application in the store. More specifically, users can run paid applications for free when they copy and paste in a receipt number from a free application.

According to Dissent, a member of Hackulous:

We don’t want to release kickback as soon as the [Mac App] Store gets released. I have a few reasons for that.

Most of the applications that go on the Mac App Store [in the first instance] will be decent, they’ll be pretty good. Apple isn’t going to put crap on the App Store as soon as it gets released. It’ll probably take months for the App Store to actually have a bunch of crappy applications and when we feel that it has a lot of crap in it, we’ll probably release Kickback.

So we’re not going to release Kickback until well after the store’s been established, well after developers have gotten their applications up. We don’t want to devalue applications and frustrate developers.

$120 to decrypt your files (ransomware attack)

Friday, January 7th, 2011

According to researchers at SophosLabs, hackers are trying to spread a new piece of ransomware in order to extort $120. More specifically, this ransomware encrypts media and Office files on the victim's computer. As a result, victims cannot access these files (because they have been encrypted by the malicious code) until they pay the hackers.

It seems that this ransomware attack has hit many computers via drive-by exploitation on compromised websites. Many users reported that they received the attack via a malicious PDF which downloads and installs the ransomware.

The attack changes the Windows desktop wallpaper to show the first part of the ransom message.

http://sophosnews.files.wordpress.com/2010/11/ransomware-wallpaper.jpg

The “HOW TO DECRYPT” txt-file on the desktop contains the message:

Attention!!!

All your personal files (photo, documents, texts, databases, certificates, kwm-files, video) have been encrypted by a very strong cypher RSA-1024. The original files are deleted. You can check this by yourself - just look for files in all folders.

There is no possibility to decrypt these files without a special decrypt program! Nobody can help you - even don't try to find another method or tell anybody. Also after n days all encrypted files will be completely deleted and you will have no chance to get it back.

We can help to solve this task for 120$ via wire transfer (bank transfer SWIFT/IBAN). And remember: any harmful or bad words to our side will be a reason for ignoring your message and nothing will be done.

For details you have to send your request on this e-mail (attach to message a full serial key shown below in this 'how to..' file on desktop): [email address]

The above message contains an e-mail address to contact if the victim wants to recover the encrypted data. It also contains a hex fingerprint string that changes between runs; it serves as a unique victim ID and must be quoted when the victim contacts the hackers.

File types that can be affected: .jpg, .jpeg, .psd, .cdr, .dwg, .max, .mov, .m2v, .3gp, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .rar, .zip, .mdb, .mp3, .cer, .p12, .pfx, .kwm, .pwm, .txt, .pdf, .avi, .flv, .lnk, .bmp, .1cd, .md, .mdf, .dbf, .odt, .vob, .ifo, .mpeg and .mpg.
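The two artefacts the report gives a responder to work with are the “HOW TO DECRYPT” note on the desktop and the list of targeted extensions. The following is an added example written for this page, not part of the SophosLabs report: it walks a directory tree, reports whether a ransom note is present and lists the files whose extensions fall in the targeted set, so the scope of a suspected infection can be sized quickly. It matches on names only and does not attempt to tell encrypted from intact content; the sample tree it scans is constructed in a temporary directory so the script runs offline.

```python
"""Triage helper for the ransomware described above.

Added example, not from the SophosLabs report. It (a) finds the 'HOW TO DECRYPT'
note the post describes and (b) lists files whose extensions are on the targeted
list from the post. Name-based only; it cannot tell encrypted from intact files.
"""
import tempfile
from pathlib import Path
from typing import Dict, List

# Extensions named in the post (duplicates removed), matched case-insensitively.
TARGETED_EXTENSIONS = frozenset("""
.jpg .jpeg .psd .cdr .dwg .max .mov .m2v .3gp .doc .docx .xls .xlsx .ppt .pptx
.rar .zip .mdb .mp3 .cer .p12 .pfx .kwm .pwm .txt .pdf .avi .flv .lnk .bmp .1cd
.md .mdf .dbf .odt .vob .ifo .mpeg .mpg
""".split())

RANSOM_NOTE_PREFIX = "how to decrypt"   # the post names a "HOW TO DECRYPT" txt-file


def is_ransom_note(path: Path) -> bool:
    """A .txt file whose name starts with the note's title, case-insensitively."""
    return path.suffix.lower() == ".txt" and path.stem.lower().startswith(RANSOM_NOTE_PREFIX)


def is_targeted(path: Path) -> bool:
    """True if the file carries one of the extensions the ransomware goes after."""
    return path.suffix.lower() in TARGETED_EXTENSIONS


def triage_directory(root: Path) -> Dict[str, object]:
    """Walk `root` and separate ransom notes from potentially affected user files.

    The note is checked first because .txt is itself on the targeted list.
    Paths are reported relative to `root` in POSIX form for stable output.
    """
    notes: List[str] = []
    targeted: List[str] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if is_ransom_note(path):
            notes.append(rel)
        elif is_targeted(path):
            targeted.append(rel)
    return {"ransom_notes": notes, "targeted_files": targeted, "targeted_count": len(targeted)}


def build_sample_tree() -> Path:
    """Constructed sample: a few user files plus a placeholder note on the Desktop."""
    root = Path(tempfile.mkdtemp(prefix="ransom_triage_"))
    files = {
        "Desktop/HOW TO DECRYPT.txt": "Attention!!! (constructed placeholder, not the real note)",
        "Documents/report.docx": "constructed content",
        "Pictures/holiday.JPG": "constructed content",
        "Archive/backup.zip": "constructed content",
        "Code/tool.py": "print('not on the targeted list')",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


if __name__ == "__main__":
    report = triage_directory(build_sample_tree())
    print("ransom notes found:", report["ransom_notes"])
    print(f"{report['targeted_count']} files with targeted extensions:")
    for name in report["targeted_files"]:
        print("  ", name)
```

Run against a real profile directory, the note list is the quickest confirmation that this family was involved, and the targeted list is the set of files to prioritise when checking backups, since, as the post notes, the originals are deleted after encryption.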

The man behind Mega-D botnet arrested

Tuesday, December 7th, 2010

Last week the FBI arrested the man believed to be behind the Mega-D botnet, one of the most notorious botnets, which at one time was estimated to produce one third of all spam on the internet. The man is Oleg Nikolaenko, a Russian who was arrested during his latest visit to the United States of America.

The first clue that Nikolaenko was behind Mega-D came when a fake Rolex dealer, Jody Smith, was arrested. After Jody Smith, the FBI arrested Lance Atkinson, an Australian fake-medicine dealer who admitted he had paid nearly half a million dollars to a third party known only as “Docent” for spam advertising. It is claimed that Oleg Nikolaenko took millions of dollars from companies looking to advertise fake products such as fake Rolexes. On investigation, agents found that e-mail accounts involved in the payment chain belonged to Nikolaenko. One of them held the command and control files for the Mega-D botnet.

Nikolaenko is believed to have run Mega-D since 2007. Mega-D spam has decreased over recent months and its servers have been found unresponsive, which is attributed to the close attention of researchers and authorities.

The FBI finally arrested Nikolaenko at the Specialty Equipment Market Association (SEMA) car exhibition in Las Vegas for offences under the CAN-SPAM Act.

Zero-day flaw bypasses Windows UAC

Sunday, November 28th, 2010

A new vulnerability in the Windows kernel was disclosed this Wednesday (11-24-2010) that could allow malware to attain administrative privileges by bypassing User Account Control (UAC).

A zero-day exploit in Microsoft Windows enables non-administrator accounts to execute code as if they were an administrator. The flaw appears to affect all versions of Windows back to at least Windows XP, including the latest Windows 2008 R2 and Windows 7 systems.

A bug in win32k.sys, which is part of the Windows kernel, seems to be responsible for this exploit. The flaw is related to the way in which a certain registry key is interpreted and enables an attacker to impersonate the system account, which has nearly unlimited access to all components of the Windows system. The registry key in question is under the full control of non-privileged users.

This exploit does not allow remote code execution (RCE), so malicious code that uses it must first be introduced onto the system by other means. Your anti-virus software should therefore be able to block those payloads and keep you safe.

source

Analysis of Android Froyo uncovers 88 flaws exposing users’ data

Sunday, November 28th, 2010

A study by Coverity [1] unveils 88 flaws exposing users’ data. The study examined the publicly disclosed version of the Android kernel. Among the defects discovered in Android were memory corruptions, illegal memory accesses and resource leaks. All of the mentioned defects are considered high-risk.
Coverity said it won’t release details until January, which gives Google and handset vendors time to issue fixes.
Since Android is the OS of about 26% of smartphones worldwide [2] and companies are supplying their employees with smartphones for mixed business and personal use, malicious software could be deployed to extract information from companies.

[1] http://www.coverity.com/library/pdf/coverity-scan-2010-open-source-integrity-report.pdf

[2] http://en.wikipedia.org/wiki/Usage_share_of_operating_systems#Mobile_devices

Windows shortcut flaw goes wild?

Wednesday, July 21st, 2010

On July 16, Microsoft released Security Advisory 2286198, confirming a Windows shortcut flaw that exposes users of all current versions of Windows to very serious attacks, including fully patched Windows 7 systems.

Merely opening a directory containing the infected shortcut is enough to get infected: once the infected shortcut's icon is displayed in Windows Explorer, the malicious code is launched without any further user interaction. Hackers have already developed malware that spreads via USB sticks using this vulnerability. Independent security researcher Frank Boldewin found that the attack is currently targeted at the WinCC SCADA system by Siemens. “Looks like this malware was made for espionage,” Boldewin writes.

On Sunday, a researcher known as “Ivanlef0u” published proof-of-concept code to several locations on the Internet. There is already a Metasploit module that implements the exploit using the WebDAV method.

To protect yourself from the attack, Microsoft suggests disabling the display of icons for shortcuts and turning off the WebClient service as workarounds. Refer to the Microsoft advisory for details of how to “Disable the displaying of icons for shortcuts”. Another way to protect yourself is to use Didier Stevens’ tool Ariad.

Additional information on the flaw can be found in a blog post by the SANS Institute’s Internet Storm Centre here.

source:

Experts Warn of New Windows Shortcut Flaw

MS confirms Windows shortcut zero-day flaw

Preempting a Major Issue Due to the LNK Vulnerability – Raising Infocon to Yellow