Author Archives: David Harley

About David Harley

Computer Security Author/Editor; Independent Antimalware Researcher; CEO at Small Blue-Green World; Senior Research Fellow at ESET.

Three mobile app issues and a Mac 0-Day

Updates to Mac Virus

John Leyden for The Register: Baddies of the internet: It’s all about dodgy mobile apps, they’re so hot right now  “Rogue mobile apps have become the most common fraud attack vector, according to the latest quarterly edition of RSA Security’s global fraud report.” If you don’t mind giving your contact information away, the report is available here.


For Sophos, Matt Boddy explains how to use AppMon to see which of your Android apps are paying more attention to your conversations than you’re comfortable with. Not for beginners, but interesting. Are your Android apps listening to you?


Also for Sophos, Paul Ducklin analyses Patrick Wardle’s 0-day Mac exploit, as discussed recently at Def Con. While there’s no fix as yet, Paul points out that “Fortunately, as zero-days hacks go, this one isn’t super-serious – a crook would have to infect your Mac with malware first in order to use Wardle’s approach, and it’s more a tweak to an anti-security trick that Wardle himself found and reported last year than a brand new attack.” Apple Mac “zero day” hack lets you sneakily click [OK]


Martin Beltov for Security Boulevard: Android Man-in-the-Disk Attack Can Expose Apps & User Data –  “Security experts discovered a new Android infection mechanism called the Man-in-the-Disk attack. It takes advantage of a design issue found to be with the operating system itself that takes advantage of the external storage access. Abuse of this possibility can expose sensitive data to the criminal operators.”

David Harley

Advertisements

I’m being followed by a Foreshadow…

Updates to Meltdown/Spectre and other chip-related resources

Dave Lee for the BBC: Foreshadow’ attack affects Intel chips – “Researchers have found another serious security flaw in computer chips designed by Intel…Nicknamed Foreshadow, this is the third significant flaw to affect the company’s chips this year.”

For more details, see the advisory on Intel’s web site. Also:


The Register: Three more data-leaking security holes found in Intel chips as designers swap security for speed “Apps, kernels, virtual machines, SGX, SMM at risk from attack…The operating system and hypervisor-level flaws – CVE-2018-3620 and CVE-2018-3646 – were discovered by Intel’s engineers after they were tipped off about CVE-2018-3615, the SGX issue, by the university researchers.”


Thomas Claburn for The Register: The off-brand ‘military-grade’ x86 processors, in the library, with the root-granting ‘backdoor’ – “Dive into a weird and wonderful ‘feature’ of Via’s embedded hardware chips … A forgotten family of x86-compatible processors still used in specialist hardware, and touted for “military-grade security features,” has a backdoor that malware and rogue users can exploit to completely hijack systems.”

David Harley

Three problem IoT areas but self-driving cars look OK

A paper by Saleh Soltan, Prateek Mittal, and H. Vincent Poor, Princeton University, presenting at Usenix: BlackIoT: IoT Botnet of High Wattage Devices Can Disrupt the Power Grid “We demonstrate that an Internet of Things (IoT) botnet of high wattage devices–such as air conditioners and heaters–gives a unique ability to adversaries to launch large-scale coordinated attacks on the power grid.”

Additional commentary:
1.Andy Greenberg (Wired): HOW HACKED WATER HEATERS COULD TRIGGER MASS BLACKOUTS

2. Lisa Vaas for Sophos: Your smart air conditioner could contribute to mass power outages

3. Martin Beltov for Sensors Tech Forum: Potential BlackIT Botnet Attacks Can Bring down IoT Devices  “A group of researchers presented a new concept malware at the Usenix Security Symposium this week called the BlackIoT botnet. It is a theoretical offensive that is still not available as an executable code that can be used in real-world attacks.”  I like the fact that he didn’t mention air conditioners…


Zeljka Zorz for Help Net: IoT malware found hitting airplanes’ SATCOM systems  More in the IOActive white paper here


The Register: Say what you will about self-driving cars – the security is looking ‘OK’  “Black Hat Car hacking wizards Charlie Miller and Chris Valasek have turned their attention to autonomous vehicles – and reckon the security is surprisingly good.”


The Register: Funnily enough, no, infosec bods aren’t mad keen on W. Virginia’s vote-by-phone-app plan “Mobile ballots dubbed ‘horrific’, blockchain reliance questioned … The US state of West Virginia plans to allow some of its citizens to vote in this year’s midterm elections via a smartphone app – and its seemingly lax security is freaking out infosec experts.”

David Harley

Bitcoin ATMs, SIM swapping, and Twitter scam bots

Updates to Cryptocurrency/Crypto-mining News and Resources

Trend Micro’s article Malware Targeting Bitcoin ATMs Pops Up in the Underground not only talks about the very interesting ATM malware Trend has analysed, but gives some useful background about Bitcoin ATMs, indicating that criminals are extending their activities beyond cryptomining.


Brian Krebs: Hanging Up on Mobile in the Name of Security  – “An entrepreneur and virtual currency investor is suing AT&T for $224 million, claiming the wireless provider was negligent when it failed to prevent thieves from hijacking his mobile account and stealing millions of dollars in cryptocurrencies. Increasingly frequent, high-profile attacks like these are prompting some experts to say the surest way to safeguard one’s online accounts may be to disconnect them from the mobile providers entirely.” The reason being, in this case at least, that mobile providers are too often tricked by scammers into transferring a victims’ service to a new SIM card and mobile phone in the possession of the scammer, not the victim.


An interesting article by William Suberg for CoinTelegraph: Researchers Reveal Network of 15K Crypto-Related Scam Bots on TwitterNew research published today, Aug. 6, has shed light on the infamous phenomenon of cryptocurrency-related Twitter accounts advertising fake “giveaways,” revealing a network of at least 15,000 scam bots.”

David Harley

Anti-Social Media: bumper bundle

[I’ve been catching up after a week out of office, so there’s quite a lot to be depressed about this time.]

Zeljka Zorz for Help Net: Turning off Location History doesn’t prevent Google from knowing your location  – “If you believe that by turning off Location History on your Android device or iPhone means that Google won’t be able to know your location, think again: Princeton University researchers have confirmed Google services store users’ location regardless of those settings.”

Help Net is quoting research performed on behalf of Associated Press…”  AP says “Google’s support page on the subject states: “You can turn off Location History at any time. With Location History off, the places you go are no longer stored…That isn’t true. Even with Location History paused, some Google apps automatically store time-stamped location data without asking.”


Kashmir Hill and Surya Mattu for Gizmodo: Facebook Wanted Us to Kill This Investigative Tool  – “Last year, we launched an investigation into how Facebook’s People You May Know tool makes its creepily accurate recommendations….In order to help conduct this investigation, we built a tool to keep track of the people Facebook thinks you know. …. In January, after hiring a third party to do a security review of the tool, we released it publicly on Github for users who wanted to study their own People You May Know recommendations.”

Facebook, it seems, wasn’t happy about the release of the tool, for more than one reason. I can actually understand that the terms of service that it might violate are at least in part imposed for reasons of security (or should be). Yet Gizmodo points out that “Journalists need to probe technological platforms in order to understand how unseen and little understood algorithms influence the experiences of hundreds of millions of people”: Facebook’s apparent distrust of this assertion may tell us something about its PR worries, and even about the intrusive nature of the algorithms it prefers to keep secret.


Graham Cluley: Twitter CEO says they’re taking no action against InfoWars and Alex Jones
IT’S THE SAME CONTENT THAT FACEBOOK, YOUTUBE, SPOTIFY, AND APPLE BANNED.
If you’re unaware of the fuss about Jones, you might like to check out this article in the New York Times: Alex Jones, Pursued Over Infowars Falsehoods, Faces a Legal Crossroads


Teiss: Facebook denies it asked banks to share customers’ financial information –  Summarizes a story from the Wall Street Journal which I haven’t read because I’m not a subscriber.


Pierluigi Paganini: Social Mapper – Correlate social media profiles with facial recognition
“Security experts at Trustwave have released Social Mapper, a new open-source tool that allows finding a person of interest across social media platform using facial recognition technology…Experts from Trustwave warn of potential abuses of Social Mapper that are limited “only by your imagination.””

Which is unfortunate in that it’s easily found for free…

David Harley

AVIEN resource updates 3rd August 2018

Updates to Anti-Social Media 

A fascinating article for Quartz by Nikhil SonnadEverything bad about Facebook is bad for the same reason – “Facebook only does the right thing when it’s forced to. Instead, it needs to be willing to sacrifice the goal of total connectedness and growth when this goal has a human cost; to create a decision-making process that requires Facebook leaders to check their instinctive technological optimism against the realities of human life.” Recommended. (Hat tip to Daring Fireball.)

The Next Web: Telegram Passport is already drawing fire for not being secure enough – “Its password encryption could be cracked for just $5”

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

US-CERT advised that the FBI published an article on securing the internet of things. US-CERT also flagged the NCCIC Tip Securing the Internet of Things.

David Harley

AVIEN Resource updates 2nd August

Updates to Anti-Social Media 

(1)

New York Times: Facebook Has Identified Ongoing Political Influence Campaign – “Facebook announced on Tuesday that it has identified a coordinated political influence campaign, with dozens of inauthentic accounts and pages that are believed to be engaging in political activity around divisive social issues ahead of November’s midterm elections.”

Commentary from The Register: Facebook deletes 17 accounts, dusts off hands, beams: We’ve saved the 2018 elections – “Yeah, that’ll do the trick, Mark”

Facebook’s own blog post: Removing Bad Actors on Facebook

(2)

Luana Pascu: GDPR directly impacts Facebook, 1 million European users lost 

(3)

The Register: UK ‘fake news’ inquiry calls for end to tech middleman excuses, election law overhaul  “British lawmakers have been told to create tougher rules for social media giants claiming to be neutral platforms, establish a code of ethics for tech firms, and plump up the UK’s self-styled “data sheriff”.”

(4)

Roger Thompson (Thompson Cyber Security Labs): Ok, this was scary – a disquieting example of how much more information is ‘publicly available’ than you probably think. Even scarier is the question of how much publicly available information is actually accurate.

Updates to Cryptocurrency/Crypto-mining News and Resources

Graham Cluley: Steam game Abstractism pulled after cryptomining accusations

The Register: ‘Unhackable’ Bitfi crypto-currency wallet maker will be shocked to find fingernails exist – “A crypto-currency wallet heavily promoted as “unhackable” – complete with endorsements from the security industry’s loopy old uncle John McAfee and a $350,000 bounty challenge – has, inevitably, been hacked within a week.”

Bleeping Computer: Massive Coinhive Cryptojacking Campaign Touches Over 200,000 MikroTik Routers – “Security researchers have unearthed a massive cryptojacking campaign that targets MikroTik routers and changes their configuration to inject a copy of the Coinhive in-browser cryptocurrency mining script in some parts of users’ web traffic.” Lengthy analysis by Trustwave: Mass MikroTik Router Infection – First we cryptojack Brazil, then we take the World?

Updates to GDPR page

The Register: India mulls ban on probes into anonymized data use – with GDPR-style privacy laws – “Thought having your call center in India was a good idea? Maybe not so much now”

Luana Pascu: GDPR directly impacts Facebook, 1 million European users lost 

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

Pierluigi Paganini: Tens of flaws in Samsung SmartThings Hub expose smart home to attack
““Cisco Talos recently discovered several vulnerabilities present within the firmware of the Samsung SmartThings Hub.” reads the analysis published by Talos.”

The SANS OUCH! newsletter for August offers basic but generally sensible advice on Smart Home Devices. “There is no reason to be afraid of new technologies but do understand the risk they pose. By taking these few simple steps you can help create a far more secure Smart Home.”

Updates to Mac Virus

Android and OneDrive, and iOS-targeting phish

David Harley

Ransomware and support scam updates

 

Updates to Specific Ransomware Families and Types

The Register: Please forgive me, I can’t stop robbing you: SamSam ransomware earns handlers $5.9m – “Sophos has been investigating the SamSam campaign since its emergence. A study (PDF) based on this research – released on Tuesday – summarises its findings about the attacker’s tools, techniques and protocols.” For ZDnet, Danny Palmer tells us that This destructive ransomware has made crooks $6m by encrypting data and backups – “Attackers behind destructive SamSam ransomware show no signs of giving up – and they’re now taking $300,000 a month in ransom from victims.”

Bleeping Computer: BitPaymer Ransomware Infection Forces Alaskan Town to Use Typewriters for a Week – “In a PDF report published yesterday, Wyatt finally identified the “virus” as the BitPaymer ransomware. This ransomware strain was first spotted in July 2017, and it first made news headlines in August 2017 when it hit a string of Scottish hospitals.”

Updates to Tech support scams resource page

Sean Gallagher for ArsTechnica: Click on this iOS phishing scam and you’ll be connected to “Apple Care” – “This phishing attack also comes with a twist—it pops up a system dialog box to start a phone call. The intricacy of the phish and the formatting of the webpage could convince some users that their phone has been “locked for illegal activity” by Apple, luring users into soon clicking to complete the call.”

Commentary from Sophos: Porn-warning security scam hooks you up to “Apple Care”

27th July 2018 Resource updates

Updates to Cryptocurrency/Crypto-mining News and Resources 

John Leyden for The Register: Criminal mastermind injects malicious script into Ethereum tracker. Their message? ‘1337’ – “The Etherscan incident could have been far worse. Rather than a cheeky pop-up, a more mendacious mind might just have easily used the same flaw to run a crypto-mining scam.”

SecureList (Kaspersky): A mining multitool – “Symbiosis of PowerShell and EternalBlue for cryptocurrency mining… The creators of PowerGhost …  started using fileless techniques to establish the illegal miner within the victim system. It appears the growing popularity and rates of cryptocurrencies have convinced the bad guys of the need to invest in new mining techniques – as our data demonstrates, miners are gradually replacing ransomware Trojans.”

Graham Cluley: Mind your company’s old Twitter accounts, rather than allowing them to be hijacked by hackers  – “DEFUNCT FOX TV SHOW HAS ITS TWITTER ACCOUNT COMPROMISED BY CRYPTOCURRENCY SCAMMERS.” “…it appears that hackers seized control of the moribund Twitter account and gave it a new lease of life promoting cryptocurrency scams.

Updates to Tech support scams resource page

ZDnet: US makes an example of Indian call center scam artists with stiff sentences – “The worst offenders have been thrown behind bars for up to 20 years… a number of call centers were established in Ahmedabad, India, in which operators impersonated the IRS and USCIS… in order to threaten US victims with arrest, prison, fines, and deportation unless they paid money they apparently owed.”

Updates to Chain Mail Check

An excellent article has just been published by my ESET colleague Lysa Myers. Companies actually compound the phishing problem when they send poorly thought-out messages that are indistinguishable from phishing messages, both to their own staff and to customers (some banks are particularly culpable here). As a result, recipients of such messages are conditioned into accepting without suspicion messages that don’t conform to good practice, and are more susceptible to being taken in by phishing messages. Hook, line, and sinker: How to avoid looking ‘phish-y’  In addition, Lysa points out an issue I hadn’t really considered: “An increasingly common scenario is phishy-looking emails sent by Software as a Service (SaaS) apps like those for fax or shipping services, human resource or accounting portals, collaboration tools, newsletters or even party planners.”

Another colleague (and long-time friend), Bruce P. Burrell, expands on the story I referred to briefly here – Sextortion and leaked passwords – with this article: I saw what you did…or did I? – “It might seem legit but there are several reasons why you should not always hit the panic button when someone claims to have your email password.” Not just a rehash of the news story, but the precursor to what I expect to be a very useful second article with advice from a seasoned security researcher.

Updates to Mac Virus

[update:  for ESET – Fake banking apps on Google Play leak stolen credit card data – “Fraudsters are using bogus apps to convince users of three Indian banks to divulge their personal data”]

Catalin Cimpanu: Chrome Extensions, Android and iOS Apps Caught Collecting Browsing Data – “An investigation by AdGuard, an ad-blocking platform, has revealed a common link between several Chrome and Firefox extensions and Android & iOS apps that were caught collecting highly personal user data through various shady tactics.”

Pierluigi Paganini: CSE Malware ZLab – APT-C-27 ’s long-term espionage campaign in Syria is still ongoing. After ESET’s Lukas Stefanko revealed the existence of a repository containing Android applications, researchers from CSE Cybsec Z-Lab identified spyware that was “part or the arsenal of a APT group tracked as APT-C-27, aka Golden Rat Organization.” In recent years the group has been focusing its activities in Syria. Here’s the ZLAB Malware Analysis Report.

The Hacker News: iPhone Hacking Campaign Using MDM Software Is Broader Than Previously Known – “India-linked highly targeted mobile malware campaign, first unveiled two weeks ago, has been found to be part of a broader campaign targeting multiple platforms, including windows devices and possibly Android as well.”

Sophos: Red Alert 2.0: Android Trojan targets security-seekers – “A malicious, counterfeit version of a VPN client for mobile devices targets security-minded victims with a RAT.”

David Bisson for Tripwire: Exobot Android Banking Trojan’s Source Code Leaked Online -“Bleeping Computer said it received a copy of the source code from an unknown individual in June. In response, it verified the authenticity of the code with both ESET and ThreatFabric…Exobot is a type of malware that targets Android users via malicious apps. Some of those programs made their way onto the Google Play Store at one point.”

David Harley

Raising Spectres – blocks off the old chips

  1. A paper from the University of Graz offers a disquieting alternative view, suggesting that Spectre attacks aren’t necessarily dependent on code being executed locally. The paper NetSpectre: Read Arbitrary Memory over Network demonstrates “a generic remote Spectre variant 1 attack … the first access-driven remote Evict+Reload cache attack over network”.Admittedly, a side-channel attack that leaks 15 bits an hour doesn’t sound all that impressive, though the researchers also claimed that “Spectre attacks perform significantly better with the AVX-based covert channel, leaking 60 bits per hour from the target system.”  For the Register, Thomas Claburn points out that this might not be as bad as it sounds, in that “it could take days to find and gather privileged information such as an encryption key or authentication token.”

    According to Claburn, Intel are playing it cool: “”NetSpectre is an application of Bounds Check Bypass (CVE-2017-5753), and is mitigated in the same manner – through code inspection and modification of software to ensure a speculation stopping barrier is in place where appropriate…” Claburn interprets this as meaning that “Essentially, if you’ve updated your code and applications to mitigate previous Spectre exploits, you should be safe from NetSpectre.”

  2. Researchers in the US also have a new Spectre attack to pique our interest. Here’s the research in question: Spectre Returns! Speculation Attacks using the Return Stack Buffer from the University of California, Riverside. “In this paper, we introduce a new Spectre-class attack that we call SpectreRSB. In particular, rather than exploiting the branch predictor unit, SpectreRSB exploits the return stack buffer (RSB), a common predictor structure in modern CPUs used to predict return addresses.”Commentary from Bleeping Computer (Catalin Cimpanu): Researchers Detail New CPU Side-Channel Attack Named SpectreRSB.
  3. The Register cites an instance where the medicine could do with a spoonful of sugar: Spectre/Meltdown fixes in HPC: Want the bad news or the bad news? It’s slower, say boffins – “MIT Lincoln metalheads broke big iron so you don’t have to… oh, you still have to, don’t you?…network connections, disk accesses, and computational workloads can all be affected by the fixes, whether in the operating system or the microcode.”
  4. Also from Bleeping Computer: Academics Announce New Protections Against Spectre and Rowhammer Attacks – “Academics from multiple universities have announced fixes for two severe security flaws known as Spectre and Rowhammer.”
  5. Maybe the sky is falling after all. In a paper dramatically entitled Screaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers, Eurecom researchers they present “a new side channel that affects mixed-signal chips used in widespread wireless communication protocols, such as Bluetooth and WiFi. … the radio transmitter may unintentionally broadcast sensitive information from hardware cryptographic components or software executing on the CPU. The well-known electromagnetic (EM) leakage from digital logic is inadvertently mixed with the radio carrier, which is amplified and then transmitted by the antenna.”

    Commentary by Richard Chirgwin for The Register: Boffins: Mixed-signal silicon can SCREAM your secrets to all – “‘Screaming Channels’, a side-channel baked into off-the-shelf Wi-Fi, Bluetooth silicon.”

David Harley