Monthly Archives: August 2017

Android Oreo: Google has just made app installs from unknown sources a lot safer

Android 8.0 has introduced a new way to protect devices from malicious Android apps installed from the web or third-party app stores.

Until now, Android users could install apps from places other than Google’s Play Store by enabling ‘Install from unknown sources’ in Android Settings. Though it is a convenient option, users are generally advised not to enable this feature because it can lead to malicious apps being downloaded to their phone.

Moreover, users who enabled ‘Allow unknown sources’ were still exposed to a seemingly benign app offering a bogus security update that in fact installs a malicious app. Google calls these “hostile downloaders” and, according to its 2016 Android security report, they’re the second most prevalent threat on the Play Store following Trojans.

In Android Oreo, Google eschewed the setting for a new ‘Install unknown apps’ permission that’s tied to each app.

Android Oreo users will need to grant permission to each app to allow it to download apps from untrusted sources. So, the user could enable Drive and a third-party store app to download apps outside the Play Store, but block Chrome and Gmail from downloading unknown apps.

This new per-app opt-in model should go some way to preventing hostile downloaders: the user now has to give an app permission to install other apps before a hostile downloader can use its standard trickery to install software.

The Settings app now lists which apps have been approved for installing unknown apps. Users can also revoke the permission in Settings.

Older versions of Android will continue to use the Settings page to either allow or disallow installs from outside of the Play Store.

Google has outlined the changes that app developers need to make to use this new behavior. Essentially, an app must declare upfront that it may request permission to install apps through Android’s Package Installer.

Apps that haven’t declared this permission are automatically banned from installing other apps.
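Because the declaration is made upfront, it can be audited before an app ever reaches a device. The following is an added example, not code from Google or from the original article: it scans decoded `AndroidManifest.xml` text and lists packages that declare the permission but are not on an expected-installer allowlist. The permission name `REQUEST_INSTALL_PACKAGES` is Android's own but is not named in the article; the package names, sample manifests and allowlist are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Android 8.0 permission an app must declare before it can ask the user
# for 'Install unknown apps' (the article describes it without naming it).
INSTALL_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"


def declared_permissions(manifest_xml):
    """Return (package, set of permission names) from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                names.add(name.strip())
    return root.get("package", "<unknown>"), names


def unexpected_installers(manifests, allowlist):
    """Packages able to request app installs that are not expected to."""
    flagged = []
    for xml_text in manifests:
        package, perms = declared_permissions(xml_text)
        if INSTALL_PERMISSION in perms and package not in allowlist:
            flagged.append(package)
    return sorted(flagged)


def sample_manifest(package, permissions):
    """Build a constructed sample manifest (not taken from any real app)."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in permissions)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{uses}<application/></manifest>')


# Constructed inputs: three hypothetical apps and a hypothetical allowlist.
SAMPLE_MANIFESTS = [
    sample_manifest("com.example.store", [INSTALL_PERMISSION, "android.permission.INTERNET"]),
    sample_manifest("com.example.flashlight", ["android.permission.CAMERA"]),
    sample_manifest("com.example.updater", ["android.permission.INTERNET", INSTALL_PERMISSION]),
]
EXPECTED_INSTALLERS = {"com.example.store"}

if __name__ == "__main__":
    for pkg in unexpected_installers(SAMPLE_MANIFESTS, EXPECTED_INSTALLERS):
        print("review before approving 'Install unknown apps':", pkg)
```

An app that is flagged here still cannot install anything until the user grants it the per-app permission in Settings; the audit only shows which apps are able to ask.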

 

LambdaLocker ransomware victim? Now you can decrypt your files for free

Victims of LambdaLocker ransomware can now get their files back for free using a decryption tool released as part of the No More Ransom initiative.

The scheme was launched last year, with the goal of bringing law enforcement and private industry together to fight file-locking malware.

No More Ransom recently celebrated its one-year anniversary, and now offers over 50 decryption tools for use against more than 100 ransomware families.

Now cybersecurity researchers at Avast Antivirus have added a decryption tool for LambdaLocker to the portal, allowing victims to retrieve their files without paying the 0.5 Bitcoin ($2,200) ransom that attackers demand in exchange for the cryptographic key.

LambdaLocker first appeared in January and uses a combination of the AES-256 and SHA-256 algorithms to encrypt victims’ files, making them inaccessible and adding the extension ‘.lambda_l0cked’.

 

Like many forms of ransomware, it’s distributed via spam emails. LambdaLocker is also reported to infect victims via game installers from hacked or malicious download sites and peer-to-peer networks.

Following infection, the victim is presented with a note demanding a ransom, complete with instructions on how to buy and use Bitcoin. The note — which is in English and Chinese — also demands victims pay within a month, or risk losing the encrypted files forever.

 

But, thanks to the release of the decryption tool, victims no longer need to worry about paying the ransom and can retrieve their files without lining the pockets of criminals. That is, at least, if they’re attacked with a newer version of the ransomware: there’s currently no decryption tool available for older versions.

New Trojan malware campaign sends users to fake banking site that looks just like the real thing

A notorious banking Trojan is targeting customers of a major bank with a new email spam campaign, which directs victims to a fake login page that’s indistinguishable from that of their real bank.

The credential-stealing Trickbot banking malware has been hitting the financial sector since last year and targets online banking customers in the US, UK, Australia, and other countries.

Those behind this particular banking Trojan are continually developing it and have even been experimenting with EternalBlue, the Windows exploit that helped spread WannaCry and Petya.

But no matter how advanced malware gets, phishing remains a common attack vector for distributing malicious payloads.

Uncovered by security researchers at Cyren, the latest Trickbot distribution campaign sent over 75,000 emails in 25 minutes, all claiming to be from Lloyds Bank, one of the UK’s biggest banks.

Emails were sent with the subject ‘Incoming BACs’, a reference to BACS, a system that allows users to make payments directly from one bank account to another. The emails claim that the target needs to review and sign attached documents.

 

Once a computer is infected with Trickbot, the malware runs in the background and waits for the victim to visit their online bank.

When they do so, Trickbot redirects them to a malicious site, which in this case is a fake version of the Lloyds website that looks exactly like the real thing, complete with the correct URL of the online bank and a legitimate SSL certificate, so a user may not suspect they’re being tricked.

 

“TrickBot evolves and changes almost every day and targets new banks all over the world, so all banks should be on alert,” said Stefnisson.

It’s currently not clear who is behind Trickbot, but the way the malware is continually evolving suggests it’s the work of a well-organised, well-funded cybercriminal group.

Fines for being hacked: If a breach is down to bad security it could cost you millions

Organisations that provide critical national infrastructure services including electricity, water, energy, transport, and healthcare could face fines of £17m or four percent of their global turnover if they fail to protect themselves from cyberattacks.

The plan is being considered by the UK government as it examines how to implement the European Union’s Network and Information Systems (NIS) Directive from May 2018. The directive represents the first piece of EU-wide legislation on cybersecurity and provides legal measures in an effort to protect member states and their essential services from cyberattacks.

 

According to the Department for Digital, Culture, Media, and Sport, the fines would be a last resort — and they won’t apply to organisations that have put proper cybersecurity protections in place and still suffered a system outage as a result of a cyberattack. At this stage, the government isn’t clear about exactly what constitutes taking proper precautions.

 

Under the cybersecurity standards, infrastructure providers will be required to develop a strategy to understand and manage risk, as well as implement measures to prevent attacks and system failures, including raising staff awareness with training. Companies will also be obliged to report incidents as soon as they happen and ensure they can restore systems as quickly as possible in the event of an attack.

The government is set to host workshops with critical national infrastructure operators in order to pick their brains before any proposals for fines are introduced.

“We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyberattack and more resilient against other threats such as power failures and environmental hazards,” said minister for digital Matt Hancock.

“The NIS Directive is an important part of this work and I encourage all public and private organisations in those sectors to take part in this consultation so together we can achieve this aim,” he added.

The National Cyber Security Centre — the arm of GCHQ responsible for helping to protect the UK from cyberattacks — has also encouraged organisations to take part in discussions with government.

US Voting Machines Hacked At DEF CON – Every One

US voting machines were hacked, some in minutes, at this year’s DEF CON “Voting Village” – not something you want to hear really, especially given the results of recent elections, the consequences of which the world is still dealing with.

Of course with physical access, most machines can be dominated in some way or another – but the scary part is some of them were done remotely, from a distance.

After the debacle of the 2000 presidential election count, the US invested heavily in electronic voting systems – but not, it seems, the security to protect them.

This year at the DEF CON hacking conference in Las Vegas, 30 computer-powered ballot boxes used in American elections were set up in a simulated national White House race – and hackers got to work physically breaking the gear open to find out what was hidden inside.

In less than 90 minutes, the first cracks in the systems’ defenses started appearing, revealing an embarrassingly low level of security. Then one was hacked wirelessly.

“Without question, our voting systems are weak and susceptible. Thanks to the contributions of the hacker community today, we’ve uncovered even more about exactly how,” said Jake Braun, who sold DEF CON founder Jeff Moss on the idea earlier this year.

“The scary thing is we also know that our foreign adversaries – including Russia, North Korea, Iran – possess the capabilities to hack them too, in the process undermining principles of democracy and threatening our national security.”

 

Perhaps we should really go back to pen and paper and indelibly marking people’s finger tips, not that it’s foolproof either but it certainly seems safer than these digital voting boxes built on Windows XP full of outdated software.

I hope this really does act as a wake-up call to the US and any other countries using digital voting equipment that if it’s this easy to hack, you might want to do something about it.

The machines – from Diebolds to Sequoia and Winvote equipment – were bought on eBay or from government auctions, and an analysis of them at the DEF CON Voting Village revealed a sorry state of affairs. Some were running very outdated and exploitable software – such as unpatched versions of OpenSSL and Windows XP and CE. Some had physical ports open that could be used to install malicious software to tamper with votes.

It’s one thing to physically nobble a box in front of you, which isn’t hard for election officials to spot and stop. It’s another to do it over the air from a distance. Apparently, some of the boxes included poorly secured Wi-Fi connectivity. A WinVote system used in previous county elections was, it appears, hacked via Wi-Fi and the MS03-026 vulnerability in WinXP, allowing infosec academic Carsten Schurmann to access the machine from his laptop using RDP. Another system could be potentially cracked remotely via OpenSSL bug CVE-2011-4109, it is claimed.

We’re told the WinVote machine was not fully secured, and that the intrusion would have been detected and logged, so don’t panic too much. And not all the attacked equipment is used in today’s elections. However, it does reveal the damage that can potentially be done if computer ballot box makers and local election officials are not on top of physical and remote security, especially with a growing interest from Russia and other states. Think of it as a wakeup call.

Pretty scary really, considering that various elections around the world are prompting cries of foul over rigging (Kenya and Venezuela to start) and many claim Trump was elected due to rigging, probably from Russia.

Of course a lot of it is conspiracy theorists running wild, but there’s certainly some truth in there, and what happened at DEF CON, in minutes in most cases, just shows what other nation states could be doing to global elections.

Source: The Register

Undetected surveillance malware haunts Mac users worldwide

The data integrity and security of Mac systems are well known, but in the past three years Mac systems have come under a lot of scrutiny. A report published in 2011 went as far as to claim the following:

“In fact, I would claim that the current security level of Windows 7 is better than on Mac OS X, and that it’s more likely we will see a major mobile worm outbreak on iPhone than on smartphones running Windows Phone.”

These claims have gained strength after the discovery of Mac malware that went undetected for a long time. The malware can give attackers access to webcams, keyboards, trackpads and other sensitive input/output devices. More shocking is the fact that it has been affecting Mac systems for more than 5 years!

Astonishingly, the infections number almost 400, counting both major and minor ones. According to detailed research and a report by Patrick Wardle, a researcher from the well-known security firm Synack, this malware was given the nickname Fruitfly. He was astonished that it stayed under the radar for so long, given how simple it is compared with more complex malware. Not only can it let attackers gain access to webcams and other devices, it can also collect information about other computers linked to the target Mac.

According to Wardle, this malware has gone unnoticed for a long time, and neither Mac OS nor commercially sold antivirus products have been able to detect it. Wardle says that many Mac users are overconfident about the safety of their systems. He also claims that the malware probably relies on users clicking malicious links to gain access.

Let us hope that Mac developers take notice of these vulnerabilities and roll out fixes for such major issues.