Category Archives: Apple

Three mobile app issues and a Mac 0-Day

Updates to Mac Virus

John Leyden for The Register: Baddies of the internet: It’s all about dodgy mobile apps, they’re so hot right now  “Rogue mobile apps have become the most common fraud attack vector, according to the latest quarterly edition of RSA Security’s global fraud report.” If you don’t mind giving your contact information away, the report is available here.


For Sophos, Matt Boddy explains how to use AppMon to see which of your Android apps are paying more attention to your conversations than you’re comfortable with. Not for beginners, but interesting. Are your Android apps listening to you?


Also for Sophos, Paul Ducklin analyses Patrick Wardle’s 0-day Mac exploit, as discussed recently at Def Con. While there’s no fix as yet, Paul points out that “Fortunately, as zero-days hacks go, this one isn’t super-serious – a crook would have to infect your Mac with malware first in order to use Wardle’s approach, and it’s more a tweak to an anti-security trick that Wardle himself found and reported last year than a brand new attack.” Apple Mac “zero day” hack lets you sneakily click [OK]


Martin Beltov for Security Boulevard: Android Man-in-the-Disk Attack Can Expose Apps & User Data –  “Security experts discovered a new Android infection mechanism called the Man-in-the-Disk attack. It takes advantage of a design issue found to be with the operating system itself that takes advantage of the external storage access. Abuse of this possibility can expose sensitive data to the criminal operators.”

David Harley

Advertisements

AVIEN Resource updates 2nd August

Updates to Anti-Social Media 

(1)

New York Times: Facebook Has Identified Ongoing Political Influence Campaign – “Facebook announced on Tuesday that it has identified a coordinated political influence campaign, with dozens of inauthentic accounts and pages that are believed to be engaging in political activity around divisive social issues ahead of November’s midterm elections.”

Commentary from The Register: Facebook deletes 17 accounts, dusts off hands, beams: We’ve saved the 2018 elections – “Yeah, that’ll do the trick, Mark”

Facebook’s own blog post: Removing Bad Actors on Facebook

(2)

Luana Pascu: GDPR directly impacts Facebook, 1 million European users lost 

(3)

The Register: UK ‘fake news’ inquiry calls for end to tech middleman excuses, election law overhaul  “British lawmakers have been told to create tougher rules for social media giants claiming to be neutral platforms, establish a code of ethics for tech firms, and plump up the UK’s self-styled “data sheriff”.”

(4)

Roger Thompson (Thompson Cyber Security Labs): Ok, this was scary – a disquieting example of how much more information is ‘publicly available’ than you probably think. Even scarier is the question of how much publicly available information is actually accurate.

Updates to Cryptocurrency/Crypto-mining News and Resources

Graham Cluley: Steam game Abstractism pulled after cryptomining accusations

The Register: ‘Unhackable’ Bitfi crypto-currency wallet maker will be shocked to find fingernails exist – “A crypto-currency wallet heavily promoted as “unhackable” – complete with endorsements from the security industry’s loopy old uncle John McAfee and a $350,000 bounty challenge – has, inevitably, been hacked within a week.”

Bleeping Computer: Massive Coinhive Cryptojacking Campaign Touches Over 200,000 MikroTik Routers – “Security researchers have unearthed a massive cryptojacking campaign that targets MikroTik routers and changes their configuration to inject a copy of the Coinhive in-browser cryptocurrency mining script in some parts of users’ web traffic.” Lengthy analysis by Trustwave: Mass MikroTik Router Infection – First we cryptojack Brazil, then we take the World?

Updates to GDPR page

The Register: India mulls ban on probes into anonymized data use – with GDPR-style privacy laws – “Thought having your call center in India was a good idea? Maybe not so much now”

Luana Pascu: GDPR directly impacts Facebook, 1 million European users lost 

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

Pierluigi Paganini: Tens of flaws in Samsung SmartThings Hub expose smart home to attack
““Cisco Talos recently discovered several vulnerabilities present within the firmware of the Samsung SmartThings Hub.” reads the analysis published by Talos.”

The SANS OUCH! newsletter for August offers basic but generally sensible advice on Smart Home Devices. “There is no reason to be afraid of new technologies but do understand the risk they pose. By taking these few simple steps you can help create a far more secure Smart Home.”

Updates to Mac Virus

Android and OneDrive, and iOS-targeting phish

David Harley

Resource updates 5th July 2018

Updates to Anti-Social Media 

Graham Cluley: Carole Cadwalladr takes us behind the scenes of the Cambridge Analytica investigation – HOW MILLIONS OF FACEBOOK USERS’ PERSONAL DATA WERE USED TO INFLUENCE THE US ELECTION AND BREXIT. “Last week, Carole Cadwalladr won The Orwell Prize for Journalism for her work investigating the impact of big data on the EU Referendum at the US Presidential election.”

John E. Dunn for Sophos: Facebook gave certain companies special access to customer data – “What do Russian internet company Mail.ru, car maker Nissan, music service Spotify, and sports company Nike have in common? They, and 57 other companies, were revealed by Facebook in a US House of Representatives’ Energy and Commerce Committee submission to have been given temporary extensions to access private Friends data API despite the company supposedly changing the policy allowing this in May 2015.”

The Hacker News: Facebook Admits Sharing Users’ Data With 61 Tech Companies

Rhett Jones for Gizmodo: Google Says It Doesn’t Go Through Your Inbox Anymore, But It Lets Other Apps Do It

Updates to Cryptocurrency/Crypto-mining News and Resources

Pierluigi Paganini: Crooks leverage obfuscated Coinhive shortlink in a large crypto-mining operation – “Crooks leverage an alternative scheme to mine cryptocurrencies, they don’t inject the CoinHive JavaScript miner directly into compromised websites.”

Paul Ducklin for Sophos: Serious Security: How to cut-and-paste your way to Bitcoin riches – “Whether it’s cryptocurrency addresses, payment card details, ID numbers or other snippets of personal information, malware that sneakily changes data in the clipboard as you work online can trick you into paying the wrong people.”

Updates to GDPR page

The Register: United States, you have 2 months to sort Privacy Shield … or data deal is for the bin – Eurocrats – “MEPs call for urgent fix”

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

DZone Security Zone: Glimpse Inside IoT-Triggered DDoS Attacks and Securing IT Infrastructures

Tech support scams resource page

SANS Ouch Newsletter: Phone Call Attacks & Scams

Updates to Mac Virus

Andrew Orlowski for The Register: Uh-oh. Boffins say most Android apps can slurp your screen – and you wouldn’t even know it – “Over 89 per cent of apps in the Google Play store make use of an API that requests screen capture or recording – and the user is oblivious as it evades the Android permission framework.” Summary of a paper”…titled Panoptispy: Characterizing Audio and Video Exfiltration from Android Applications (summary and PDF).”

Pierluigi Paganini: A Samsung Texting App bug is sending random photos to contacts – ”

“The problem affected Galaxy S9 and S9+ devices, but we cannot exclude that other devices may have been affected…several users reported the anomalous behavior on Reddit and the company official forums.”

John E. Dunn for Sophos: Samsung phones sending photos to contacts without permission and also Your smartphone can watch you if it wants to, study finds.

Elcomsoft:  Apple Warns Users against Jailbreaking iOS Devices: True or False? Not whether Apple has issued the warnings – of course it has – but more about how justified the warnings are. The conclusion seems to be mostly true, with “with few caveats and one major exception.” Interesting article, anyway.

David Harley

April 16th 2018 updates

Updates to Anti-Social Media 

Updates to Meltdown/Spectre – Related Resources

Bleeping Computer: Intel SPI Flash Flaw Lets Attackers Alter or Delete BIOS/UEFI Firmware

Updates to: Ransomware Resources  and Specific Ransomware Families and Types

Researchers at Princeton: Machine Learning DDoS Detection for Consumer Internet of Things Devices. “…In this paper, we demonstrate that using IoT-specific network behaviors (e.g. limited number of endpoints and regular time intervals between packets) to inform feature selection can result in high accuracy DDoS detection in IoT network traffic with a variety of machine learning algorithms, including neural networks.” Commentary from Help Net: Real-time detection of consumer IoT devices participating in DDoS attacks

Updates to Specific Ransomware Families and Types

Pierluigi Paganini: Microsoft engineer charged with money laundering linked to Reveton ransomware

Updates to Mac Virus

Mozilla: Latest Firefox for iOS Now Available with Tracking Protection by Default plus iPad Features. Commentary from Sophos: Tracking protection in Firefox for iOS now on by default – why this matters

The Register: Android apps prove a goldmine for dodgy password practices “And password crackers are getting a lot smarter…An analysis of free Android apps has shown that developers are leaving their crypto keys embedded in applications, in some cases because the software developer kits install them by default.” Summarizes research described by Will Dormann, CERT/CC software vulnerability analyst, at BSides.

David Harley

Resource updates 28th March 2018

Updates to Anti-Social Media

Updates to Specific Ransomware Families and Types

Updates to Meltdown/Spectre – Related Resources

Updates to Cryptocurrency/Crypto-mining News and Resources

Updates to Mac Virus

iOS

Android

Updates to Chain Mail Check

22nd March Resources Update

Cryptocurrency/Crypto-mining News and Resources

Anti-Social Media

Mac Virus

Resource updates 20th March 2018

[Update to Ransomware Resources page, also posted to Chain Mail Check]

If I had a separate category for ‘miscellaneous extortion’ this might belong there. Included here because it isn’t just a hoax, but one that centres on extortion, though it looks as if the point is to embarrass/harass the apparent sender of the extortion email (the Michigan company VELT)  rather than actually make a direct profit from extortion. The company’s CEO told the BBC that the attacker was probably a Minecraft player who had been banned from using the Veltpvp server, by way of revenge.

[Updates to Cryptocurrency/Crypto-mining News and Resources]

[Update to Tech support scams resource page]

Sophos: Fake Amazon ad ranks top on Google search results. “Yep, not for the first time, Google’s been snookered into serving a scam tech support ad posing as an Amazon ad.”

[MacVirus news]

(1) Commenting on Symantec’s warning of a new Fakebank Android variant, Graham Cluley reports: This Android malware redirects calls you make to your bank to go to scammers instead – “MALWARE HELPS SCAMMERS TRICK YOU INTO THINKING YOU’RE SPEAKING TO YOUR BANK.”

The Fakebank malware is only targeting South Korea, right now, but Graham rightly suggests that the same gambit is likely to be re-used elsewhere.

(2) Apple has dealt a major blow to users of supercookies with a security improvement in Safari.

David Harley

Meltdown/Spectre resources

[Content now transferred to the resource page here, which I intend to expand and maintain as time allows.]

Official commentary from Apple: About speculative execution vulnerabilities in ARM-based and Intel CPUs and from Google: Today’s CPU vulnerability: what you need to know

Related Resources:

David Harley

New Mac Malware Resource

Well, actually, it’s an old one. It’s at the Mac Virus site I kicked back into life a few months ago, primarily as a blog site.

However, I’ve been under some pressure to restore some of the features of the old Mac Virus site. While I’ll be restoring some (more) of the pre-OSX stuff for its historical interest, I don’t see that as a big priority right now. But as I’ve been talking quite a lot about Mac threats in the past month or two (see http://macviruscom.wordpress.com/2010/05/13/apple-security-snapshots-from-1997-and-2010/ for example), there’s been curiosity about what we’ve been seeing in the way of OS X malware.

Enter (stage left, with a fanfare of trumpets) the Mac Virus “Apple Malware Descriptions” Page at http://macviruscom.wordpress.com/apple-malware-descriptions/. Right now it consists of two descriptions of Mac scareware from 2008, so it’s at a very early stage of development. (It just happens to be those two descriptions because someone asked me about them yesterday.)

Isn’t this stuff available elsewhere, I hear you ask? Of course it is. The point about these descriptions is that unlike most vendor descriptions, they point to various other sources of (reasonably dependable) information, as well as including a little personal commentary. It’s a first cut at attempting to answer the question “if there’s so much Mac malware around, where is it?”

More later…

David Harley CITP FBCS CISSP
AVIEN Chief Operations Officer
Mac Virus Administrator
ESET Research Fellow and Director of Malware Intelligence

Also blogging at:
http://www.eset.com/blog
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com
http://macvirus.com
http://amtso.wordpress.com/