Monthly Archives: September 2016

You can now earn $1.5 million for hacking the iPhone

A private exploit seller has tripled the reward for Apple iOS exploits and is now offering $1.5 million for valid attacks against fully patched iPhones and iPads.

Zerodium is a premium exploit platform which purchases zero-day vulnerabilities and exploits and pays heavy rewards to researchers that discover previously unknown security flaws in popular software.

The exploit peddler says it “focuses on high-risk vulnerabilities with fully functional exploits” and “we pay the highest rewards on the market.”

For new, novel attacks against Apple’s iOS and Google’s Android mobile operating systems, the company appears to be correct, with rewards for iOS 10 jailbreaking now reaching up to $1.5 million.

In an updated rewards list, Zerodium revealed that researchers able to produce a new attack against up-to-date iOS 10 iPhones and iPads which successfully compromises the devices remotely can expect up to $1,500,000. This is three times the previous reward, which had been lowered to $500,000 after the company paid out $1 million last year to three research teams that found remote zero-day exploits for iOS 9.

In addition, researchers who can provide the private exploit seller with remote exploits for Android 7 mobile devices can enjoy double the payout, with Zerodium now willing to pay up to $200,000 an exploit.

Zerodium’s updated rewards list.

If researchers are willing to sell their work privately rather than report it to vendors, the exploits are then sold to private clients, including government entities, which may use them for surveillance purposes, tracking and spying on criminals, terrorists and any other targets of interest.

The company is interested in working exploits against up-to-date software from Apple, Google, and Adobe, among others.

Asked by Ars Technica about the large gap between the rewards for jailbreaking iOS devices and those for Android exploits, Zerodium founder Chaouki Bekrar said:

“Prices are directly linked to the difficulty of making a full chain of exploits, and we know that iOS 10 and Android 7 are both much harder to exploit than their previous versions.

That means that iOS 10 chain exploits are either 7.5 x harder than Android or the demand for iOS exploits is 7.5 x higher. The reality is a mix of both.”

Earlier this year, the FBI paid $1 million to a security company to provide an exploit used to access an iPhone belonging to one of the San Bernardino shooters.

FBI reports more attempts to hack voter registration system

There have also been ‘scanning activities,’ which could be preludes to attacks

The U.S. Federal Bureau of Investigation has found more attempts to hack the voter registration systems of states, ahead of national elections.

The agency had reportedly found evidence in August that foreign hackers had breached state election databases in Illinois and Arizona, but it appears that there have been other attempts as well, besides frequent scanning activities, which the FBI describes as preludes for possible hacking attempts.

“There have been a variety of scanning activities, which is a preamble for potential intrusion activities, as well as some attempted intrusions at voter registration databases beyond those we knew about in July and August,” FBI Director James Comey told the House Judiciary Committee on Wednesday.

Comey said that the systems that could be at risk were the voter registration systems that are connected to the Internet. The vote system in the U.S., in contrast, is hard to hack into “because it’s so clunky and dispersed,” he added. He advised states to get the best information they can get from the Department of Homeland Security and ensure their systems are tight as there is “no doubt that some bad actors have been poking around.”

“We are doing an awful lot of work through our counter-intelligence investigators to understand just what mischief is Russia up to in connection with our elections,” Comey said. U.S. officials have hinted that they believe Russia is behind recent attacks on servers of the Democratic National Committee, which led to the leak of embarrassing emails through the whistleblowing website WikiLeaks. But the U.S. government has not directly attributed the attacks to Russia.

Security experts and Democratic presidential candidate Hillary Clinton have blamed Russia for the attack, but Republican candidate Donald Trump said nobody knows it was the Russians, adding that the hack could have come from Russia, China or a 400-pound hacker working from his bed.

The U.S. government is not sure whether Russia, which is said to have interfered in U.S. elections since the 1960s, aims to influence the outcome of the election or try to sow seeds of doubt about the sanctity of the process, Director of National Intelligence James R. Clapper recently told The Washington Post in an interview.

Clapper said that “there’s a tradition in Russia of interfering with elections, their own and others.” To ensure that hackers don’t get into the electoral system, the DHS is working with state election officials on security best practices, especially where there is any dependence on the Internet, Clapper said.

So far 18 states have requested the assistance of the DHS, said Secretary Jeh Johnson, in testimony this week before a Senate committee.

What is ransomware? 1 in 3 small businesses ‘clueless’ to the danger

A third of small to medium-sized businesses (SMBs) have no idea what ransomware is or how devastating the malware can be, highlighting a serious lack of understanding which could seriously harm today’s companies.

According to new research released by antivirus firm AVG on Tuesday, too many businesses are unaware of how dangerous ransomware can be — and how easy it is to become the latest victim of the malware strain.

Ransomware is a type of malicious code that once executed on your system — usually through a malicious link or phishing email — locks your PC, encrypts either your files or hard drive, and demands a ransom payment in return for a decryption key which claims to give you your system back.

One of the latest strains to be detected, MarsJoke, threatens to wipe data if a ransom is not paid within 96 hours. Time-sensitive threats are a common tactic used by ransomware campaign operators to put pressure on victims to pay up, and ransom payments can range from small amounts to hundreds — or thousands — of dollars.

As ransomware can be a very lucrative prospect for cybercriminals looking to cash in, unsurprisingly, infections are on the rise. Locky, Cerber and Virlock are only some of the ransomware variants which are being used in active campaigns against entities including hospitals, governments and gamers.

One UK university has reported 21 attacks in the past 12 months alone.

“The true scale of the problem is somewhat hard to define though because, understandably, many businesses and organisations are reluctant to reveal they’ve been held to ransom because of fears about being targeted again, or losing existing or new customers,” AVG notes.

In June, the security firm asked almost 400 SMB customers in the US and the UK whether they knew about ransomware. In total, 68 percent of respondents had heard of the term ‘ransomware,’ but it is the 32 percent — just over a third — that had no knowledge which is the concerning factor.

Considering the first recorded attack took place in 2005, which came in the now-common form factor of a fake antivirus message which required payment, 11 years on is a long time to not know about such a dangerous threat to business operations.

To make matters worse, out of the 68 percent of respondents which said they knew what ransomware was, 36 percent gave the wrong answer — and actually didn’t really know what the malware was, or its implications.

If you find yourself a victim of such malware, the first thing to do is research the infection to see if security companies, including AVG and Kaspersky, have come up with free decryption tools.

While some tools are available, it takes time to crack updated versions and so you may be out of luck. If none are available, you may have to resort to backups of your data. You might be tempted to pay up; however — if you do so, you are funding the criminal enterprise, and there is no guarantee you will be given a working key to retrieve your files after paying the ransom.

Where ransomware goes next: Your phone, your TV, your servers

Cyber-cops list cryptoware as their ‘dominant concern’ and warn that it will target more devices and aim for higher-value targets.

Europol’s latest annual Internet Organised Crime Threat Assessment report paints a rather grim portrait of digital criminality loose on the internet.

It warns that the Crime-as-a-Service model continues to provide crooks, from the entry level to top-tier players, with the tools and services needed to conduct crime online.

The report also said that the boundaries between cybercriminals and state-sponsored hackers continue to blur, warning: “While the extent to which extremist groups currently use cyber techniques to conduct attacks appears to be limited, the availability of cybercrime tools and services, and illicit commodities such as firearms on the Darknet, provide ample opportunities for this situation to change.”

But Europol said that in terms of day-to-day online criminality, “ransomware continues to be the dominant concern for EU law enforcement”, as the number of variants of the malware have multiplied. Most use the same business model: encrypt a user’s files, demand a ransom in Bitcoin, and offer a free test file decryption to prove their capability.

More ransomware targets
But while traditional malware mostly targets desktop Windows users, Europol said there are many more potential targets for ransomware, from individual users’ devices, to networks within industry, healthcare, or even government.

“Cryptoware will also continue to expand its attack surface,” it said, adding: “The profile of ransomware as a threat on mobile devices will grow as developers hone their skills in attacking those operating systems and platforms.”

And while the same data-stealing malware largely appears year-on-year, ransomware is in greater flux and will take several more years before it reaches the same level of equilibrium, said the report.

Europol warned that ransomware will evolve to “routinely spread to other smart devices”, and that there were already some indications that ransomware is capable of infecting devices such as smart TVs.

“Following the pattern of data-stealing malware, cryptoware campaigns will likely become less scattergun and more targeted on victims of greater potential worth,” the report said, noting that a new strain of server-side ransomware called Samsam was targeting the healthcare industry. Samsam does not require a user to click on a link or open an attachment, but exploits vulnerabilities in web servers and encrypts folders typically associated with website files, images and scripts.

As well as ransomware, the report warned that the overall quality and authenticity of phishing campaigns has increased, with targeted phishing — also known as spear-phishing — aimed at high-value targets, including CEOs, for the purposes of fraud. It also said that DDoS attacks continue to grow in intensity and complexity, as do the ways in which criminals use the data they steal.

“Data remains a key commodity for cybercriminals, however data is no longer just procured for immediate financial gain. Increasingly it is acquired for the furtherance of more complex fraud, encrypted for ransom, or used directly for extortion,” said the report.

Majority of enterprises admit they are vulnerable to insider threats

The majority of enterprise players admit they are vulnerable to insider threats to their networks and a third have already become victims, according to new research.

Insider threats are not always due to malicious, unprincipled employees. While it is possible that such staff members could access corporate data to sell or trade illegally, it is often accidental insider threats which are the source of data breaches — such as in the case of Snapchat this year, when a cybercriminal posed as the firm’s CEO Evan Spiegel to dupe HR into handing over staff payroll data.

There are many reasons why insider threats can disrupt a business, including simple human error, falling for fraudulent emails, careless personal security of devices and data or failing to keep personal devices which access corporate networks secure.

According to Bitglass researchers, despite cybersecurity becoming more of a priority for today’s businesses, the threat of insiders is still very much a core problem.

On Thursday, the cybersecurity firm released a new report on insider threats in the enterprise. After surveying over 500 security professionals from enterprise companies, Bitglass said that one in three companies admitted to experiencing a data breach caused by an insider in the past year, and 74 percent still feel vulnerable to insider threats.

Over half of respondents — 56 percent — also said that they believe insider threats have become more frequent in the past 12 months.

In total, 71 percent of cybersecurity professionals said they were most concerned with accidents and inadvertent corporate leaks and breaches caused by “risky, unsanctioned” mobile app usage, accidental external sharing of corporate data and the use of mobile devices which are not fully up-to-date and patched — which can lead to malicious apps accessing corporate information, surveillance or spying.

Malicious insiders are also a source of worry for IT professionals, with 61 percent concerned about employees that have an axe to grind or are willing to trade corporate information for their own gain.

In addition, careless security policies implemented by the enterprise make matters worse. If network administrators give employees more access and privileges than they need, attackers can do far more should those accounts be compromised — and for 60 percent of organizations, it is these privileged users which represent a real threat to security.

A number of respondents also said that cloud and mobile technologies are forcing a rethink of how best to tackle digital security. According to the survey, 62 percent of IT professionals blame a lack of employee training, and 57 percent say insufficient data protection solutions are a major cause of data breaches.

Too many devices have access to sensitive data say 54 percent of respondents, and 48 percent claim that more data than ever leaving corporate network perimeters is also a major cause of information leaks.

“Adoption of cloud and BYOD are positive developments, but organizations that have limited cross-app visibility will struggle to detect anomalous behavior and need to rethink their approach to data security,” said Nat Kausik, CEO of Bitglass. “The reality is that cloud apps have made data more readily accessible and insider threats more likely — it’s up to the enterprise to put adequate data controls and policies in place to secure vital data.”

In the majority of organizations, employee training, identity management solutions and data leakage prevention strategies were seen as effective tools to combat insider threats.

New ransomware family takes aim at government targets

A new form of ransomware is targeting government agencies and educational institutions in the US, using emails claiming to be from airlines.

The MarsJoke ransomware has been unearthed by Proofpoint cybersecurity researchers, who note that a large-scale email campaign distributing the machine-locking malware began on 22 September, with the main targets being state and local government agencies.

MarsJoke is just the latest in a string of new ransomware attacks, the combined might of which is set to cost organisations a total of $1 billion during 2016 alone.

Those behind MarsJoke are sending out malicious emails designed to look like they’re from airlines: the method is similar to that used by a recent CryptFile 2 ransomware campaign, which attempted to entice government targets with the lure of cheap flights.

The recipient will receive an email with a subject about tracking a parcel and, when opened, this displays a spoofed email claiming to be from a carrier and inviting them to click on a link to track their delivery.

If the target’s suspicions aren’t raised by the spelling errors and bad English and they click on the link, they’ll be taken to a URL hosting a file named “file_6.exe” which will infect the targeted machine with MarsJoke.

This sort of approach is different to many other types of ransomware – including the widely distributed Locky – because it encourages users to click a link rather than download an infected document.

Researchers have chosen this name for the ransomware based on a string in the code which says “HelloWorldItsJokeFromMars”.

Once a machine is infected, MarsJoke encrypts files and also creates new files with names like “!!! For Decrypt !!!.bat”, “!!! Readme For Decrypt !!!.txt”, and “ReadMeFilesDecrypt!!!.txt”, which inform the victim that their files have been encrypted and provide instructions on how to pay a ransom of 0.7 Bitcoins ($320) – the untraceable nature of Bitcoin makes it a popular payment method for cybercriminals.

The victim’s desktop background is also changed to tell them they’ve been infected, and it features a timer ticking down from 96 hours, warning the user that if they don’t pay within that time, all of their files will be permanently encrypted with MarsJoke.

The criminals also warn that any action taken to remove the ransomware without paying will result in the computer’s files being lost forever. It’s worth noting that the visual style of the ransom demand is very similar to that of the CTB-Locker ransomware family.
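The artefacts described above (the three ransom-note filenames, the “file_6.exe” lure name and the “HelloWorldItsJokeFromMars” string in the code) are the kind of thing a responder would sweep a host for. Below is an added triage helper that does that sweep over a directory tree; it is example code written for this page, not Proofpoint’s tooling, and the scan depth limit and the sample directory it builds are constructed assumptions.

```python
# Added example: sweep a directory tree for the MarsJoke artefacts the article
# reports. Indicator values come from the article; everything else is assumed.
import os
import tempfile

RANSOM_NOTE_NAMES = {
    "!!! For Decrypt !!!.bat",
    "!!! Readme For Decrypt !!!.txt",
    "ReadMeFilesDecrypt!!!.txt",
}
LURE_FILENAME = "file_6.exe"
CODE_MARKER = b"HelloWorldItsJokeFromMars"
MAX_READ_BYTES = 16 * 1024 * 1024  # assumption: only inspect the first 16 MiB of a binary


def scan_tree(root):
    """Walk `root` and collect the paths that match each MarsJoke indicator."""
    hits = {"ransom_notes": [], "lure_files": [], "marker_binaries": []}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name in RANSOM_NOTE_NAMES:
                hits["ransom_notes"].append(path)
            if name.lower() == LURE_FILENAME:
                hits["lure_files"].append(path)
            # Look for the code string only inside Windows executables.
            if name.lower().endswith((".exe", ".dll", ".scr")):
                try:
                    with open(path, "rb") as fh:
                        if CODE_MARKER in fh.read(MAX_READ_BYTES):
                            hits["marker_binaries"].append(path)
                except OSError:
                    continue  # unreadable file: skip it rather than abort the sweep
    return hits


def classify(hits):
    """Map indicator hits to a triage verdict.

    Ransom notes mean encryption has already run; the lure file or the marker
    string alone means the dropper landed but the payload may not have executed.
    """
    if hits["ransom_notes"]:
        return "encrypted"
    if hits["lure_files"] or hits["marker_binaries"]:
        return "dropper_present"
    return "clean"


def build_sample_tree():
    """Create a constructed directory that imitates an infected user profile."""
    root = tempfile.mkdtemp(prefix="marsjoke_sample_")
    downloads = os.path.join(root, "Downloads")
    documents = os.path.join(root, "Documents")
    os.makedirs(downloads)
    os.makedirs(documents)
    # Constructed stand-in for the lure binary: a fake header plus the marker string.
    with open(os.path.join(downloads, LURE_FILENAME), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 64 + CODE_MARKER + b"\x00" * 64)
    # Constructed ransom note next to a document that would have been encrypted.
    with open(os.path.join(documents, "!!! Readme For Decrypt !!!.txt"), "w") as fh:
        fh.write("constructed ransom note text\n")
    with open(os.path.join(documents, "report.docx"), "wb") as fh:
        fh.write(b"\x00" * 32)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    result = scan_tree(sample)
    print(classify(result), result)
```

Point `scan_tree` at a mounted image or a user profile to get the same verdict on a real host; the ransom-note names are exact-match while the lure name is case-insensitive, since Windows filenames are.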

The visual style of MarsJoke mimics CTB-Locker

Image: Proofpoint

Like many schemes of this type, the criminals behind MarsJoke provide a “help” service to instruct victims how to acquire the Bitcoin required in order to pay the ransom, as well as offering the option to decrypt two files for free.

With MarsJoke representing a new strain of ransomware, there’s currently no means of decrypting files without paying the ransom. Proofpoint researchers suggest this variant isn’t “just another ransomware”, with a highly sophisticated operation likely to be behind the scheme.

The vast majority of the MarsJoke emails target state and local government agencies, with schools also a major focus of the campaign. These sectors – particularly education – are likely to be hit because cybercriminals view them as an easy target, due to a lack of the infrastructure and funding needed to protect users. The ransomware is also targeting the healthcare, telecoms and insurance sectors, although on a much smaller scale.

Hackers selling tools to spread malware through torrent files – Beware

Be careful with what you torrent. A new tool on the black market is helping hackers distribute malware through torrent files in exchange for a fee.

On Tuesday, security researchers at InfoArmor said they discovered the so-called “RAUM” tool in underground forums.

It leverages torrenting — a popular file-sharing method associated with piracy — to spread the malware. Popular torrent files, especially games, are packaged with malicious code and then uploaded for unsuspecting users to download.

Using torrents to infect computers is nothing new. But the makers of the RAUM tool have streamlined the whole process with a “Pay-Per-Install” model, according to InfoArmor.

RAUM’s developers have created a slick interface for their product. It can monitor the status of the malicious torrent files over popular sites such as The Pirate Bay and ExtraTorrent, which often act as a directory for users to download pirated content.

“In some cases, the lifespan of these seeded malicious files exceeded 1.5 months and resulted in thousands of successful downloads,” InfoArmor said. Customers of the tool have frequently been using it to package malware with PC-based online games for both Windows and Mac.

To infect more users, the makers of RAUM were also on the lookout for known uploaders of torrent files. They would then hijack their accounts, and use them to spread even more malicious torrent files.

The RAUM tool has been found distributing ransomware such as CryptXXX, in addition to the Trojan Dridex — which can steal a user’s banking credentials — and the password-lifting Pony spyware.

The makers of RAUM are believed to be an Eastern European organized crime group known as Black Team, according to InfoArmor. The underground forums where the tool is sold are invite-only, with the verification process of new members quite strict.

“InfoArmor strongly recommends that extreme caution be taken when visiting torrent trackers or downloading pirated digital content, operating systems and business software,” the security firm said.

Privacy groups urge US FTC to investigate WhatsApp promises

WhatsApp’s plan to share data with parent Facebook violates earlier commitments, groups say

Facebook gambled $16 billion on WhatsApp.

Credit: Facebook

The U.S. Federal Trade Commission should stop mobile messaging service WhatsApp from sharing user data with parent company Facebook in violation of earlier privacy promises, several privacy groups said.

The FTC should step in to stop WhatsApp from violating “commitments the company previously made to subscribers,” the 17 groups said in a letter sent to the agency Thursday. WhatsApp has long billed itself as a secure and private messaging service.

WhatsApp’s recently released plan to share user data with Facebook as a way to target advertising could amount to an “unfair and deceptive” trade practice, said the groups, including the Center for Digital Democracy, Consumer Action, Consumer Watchdog, and Demand Progress.

“We are deeply concerned about the impact this proposed change in data practices will have on the privacy and security of WhatsApp users in the U.S. and across the world,” the letter added. When Facebook acquired the messaging service in 2014, both companies “made numerous promises” that WhatsApp’s privacy policies wouldn’t change, the letter added.

WhatsApp complies with “applicable” laws, a spokeswoman said in response to the letter. “As always, we consider our obligations when designing updates like this,” she added by email.

WhatsApp has collected personal information from more than 1 billion users, “with the promise that this information would not be used or disclosed for marketing purposes,” the letter to the FTC said. “WhatsApp’s reversal on this promise is a material, retroactive change that will apply to previously collected data.”

The proposed changes in WhatsApp’s privacy policy have raised concerns outside the U.S. as well. On Friday, India’s Delhi High Court ordered the company to delete user data for people who opt out of the changes before Sunday, according to news reports. The court also told WhatsApp to avoid sharing data collected before then with Facebook, even for users who do not opt out of the new policy.

Yahoo has revealed that at least 500 million of its user accounts have been hacked. That’s more victims than in any other hack in history. Odds are you’re a victim. Here’s what you must do to protect yourself.

Image: CNET

First, if you have any kind of Yahoo account, such as Yahoo Mail or Flickr, you must change your password. To do this go to your Yahoo account page. Once there, go to Account security and choose Change password.

Pick a good password. That means choosing one you’re likely to remember. As Jonathan Yarmis, a research analyst at the research firm, The Skills Connection, once told me, “Onerous password requirements are a waste… 17 letters, characters, and numbers. Changed every 30 days. No repeats nor anything similar. This guarantees that the person has to write it down within five feet of their computer.”

Instead, use a random nonsense phrase for a password. Say, “YahooSecurityWasAWFUL!” Brute-force attacks aren’t likely to work on it, and you’ll be less likely to forget it.

Heck, or even follow the seemingly crazy advice of security guru Bruce Schneier:

People can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We’re all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper and keep it with their other valuable small pieces of paper: In their wallet.

Simply changing your Yahoo password is only the start. Yahoo’s security questions (e.g. your mom’s maiden name) also appear to have been revealed. That’s bad news since people tend to use the same questions and answers over and over again.

Yahoo now recommends you disable your security questions. I’ll go farther. If you used any of those same questions on any other site, change those questions now. Hackers will use that information against you.

It’s not personal. As Amichai Shulman, CTO of the security company Imperva, explains, “Data from breaches is hot merchandise on both sides of the legitimacy fence, the security marketplace on one side and the dark market on the other.” In short, your logins and passwords will be bundled off and sold to cyber crooks.

What’s that? You haven’t used your Yahoo accounts in years? It makes no difference. The stolen data goes back to at least 2012.

Besides, if you’re the kind of person who uses the same username and password on account after account, those accounts are now open to attack. Change your password on all these accounts. Now. It’s not a matter of “if” your accounts will be cracked. It’s a matter of when.

You can also now use two-factor authentication with Yahoo by turning on two-step verification from the security page. Yahoo’s two-factor authentication requires you to use a phone to get a code via text or phone call.

Got all that? Good. Now do it. There’s no time to waste.

Tick, tock, tick, tock: New malware is hitting your network every four seconds

A Check Point report suggests organisations’ security hasn’t kept pace to meet a ninefold rise in malicious software.

An exponential rise in malware means employees are at their highest-ever risk of accidentally installing malicious software onto an enterprise network — an event that happens every four seconds within the average company, a new report has warned.

Security researchers at Check Point analysed information on over 30,000 security incidents discovered by the company’s ThreatCloud prevention software at more than 1,000 companies across the globe.

They found that employees in industry, finance, government, and other sectors are very much taking a cavalier attitude to cybersecurity and downloading potentially harmful files to their company’s networks.

It’s unknown malware — malicious software which isn’t yet recognised by security systems — which is most likely to be downloaded by employees, and according to Check Point it happened every four seconds on average across the organisations analysed in the report. There were 971 unknown malware downloads per hour, nine times more than the previous year, when the figure was 106 downloads per hour, the company said.

In many cases, it only takes a small modification to a malware’s code for it to become invisible to antivirus software, allowing it to bypass defences and make its way onto a corporate network where it could be used to conduct cyber espionage, steal data, or lock down systems with ransomware.

If that wasn’t bad enough, researchers found that known malware — malicious software with a recognisable signature — is also being downloaded onto enterprise networks. If it’s known, then why isn’t it blocked? Because many organisations aren’t staying up to date with critical security patch management, thus enabling malicious actors to gain entry to their networks in circumstances that wouldn’t otherwise be possible if patching was properly done.

The rise of mobile devices is a significant factor in the increase in malware attacks. Each smartphone or tablet connected to the company Wi-Fi is yet another attack vector that malicious actors can potentially use in order to gain access to the network — and the enterprise is lagging behind when it comes to securing this space.

But while employees want to use their smartphones to access email and other services, the report points out “no one likes the idea of unilateral restrictions, nor the thought that they are being watched” — meaning that security is often a secondary consideration.

Nonetheless, organisations must take responsibility for protecting data, because the report suggests that one in five employees will accidentally cause a data breach, either by downloading malware or by using malicious Wi-Fi hotspots set up for the purpose of carrying out man-in-the-middle attacks to steal data.

But with such a wide variety of threats, there’s no one-size-fits-all approach to securing the enterprise against malware and other cyberattacks.

“While no one technology or technique can hope to provide complete protection from all threat vectors, a well designed approach combining multiple methods of protection and detection can minimize successful attacks. With additional protections at the post infection stage, organizations can limit damage and lateral movement,” the report says.