Category Archives: Operating System

Windows BITS Service Used to Reinfect Computers with Malware 

Crooks found a way to reinfect computers with malware via the Windows BITS service, months after their initial malware was detected and deleted from the infected system.

BITS (Background Intelligent Transfer Service) is a Windows utility for transferring files between a client and a server. The utility works based on a series of cron jobs and is the service in charge of downloading and launching your Windows update packages, along with other periodic software updates.

According to US-based Dell subsidiary SecureWorks, crooks are using BITS to set up recurring malware download tasks, and then leveraging its autorun capabilities to install the malware.

Abusing BITS is nothing new since criminals used the service in the past, as early as 2006, when Russian crooks were peddling malicious code capable of using BITS to download and installing malware on infected systems.Initial malware infection took place back in March 2016In the particular case, SecureWorks staff were called to investigate a system that had no malware infections but was still issuing weird security alerts regarding suspicious network activities.

The SecureWorks team discovered that the initial malware infection took place on a Windows 7 PC on March 4, 2016, and that the original malware, a version of the DNSChanger malware calledZlob.Q, had added malicious entries to the BITS service.

These rogue BITS tasks would download malicious code on the system and then run it, eventually cleaning up after itself.

Since the user’s antivirus removed the initial malware, the BITS tasks remained, re-downloading malware at regular intervals. Because BITS is a trusted service, the antivirus didn’t flag these activities as malicious but still issued alerts for irregular activities.BITS tasks could be used in much more dangerous waysIn this case, SecureWorks reports that the BITS jobs downloaded and launched a DLL file that executed as a “notification program.”

BITS jobs have a maximum lifetime of 90 days, and if the malware coder had used them properly, they could have had a permanent foothold on the infected system.

SecureWorks staff presents a method of searching for malicious BITS tasks in their technical write-up, along with a list of domains from where this particular infection kept downloading malicious code.

To read more and the original story follow this link to Softpedia

90 Percent of All SSL VPN Use Insecure or Outdated Encryption

image

Information security firm High-Tech Bridge has conducted a study of SSL VPNs (Virtual Private Networks) and discovered that nine out of ten such servers don’t provide the security they should be offering, mainly because they are using insecure or outdated encryption.

An SSL VPN is different from a classic IPSec VPN because it can be used inside a standard Web browser without needing to install specific software on the client-side.

SSL VPNs are installed on servers, and clients connect to the VPN via their browsers alone. This connection between the user’s browser and the VPN server is encrypted with the SSL or TLS protocol.

Three-quarters of all SSL VPNs use untrusted certificates

Researchers from High-Tech Bridge say they analyzed 10,436 randomly selected SSL VPN servers and they found that most of them are extremely insecure.

They claim that 77% of all SSL VPNs use SSLv3 or SSLv2 to encrypt traffic. Both of these two versions of the SSL protocol are considered insecure today. These protocols are so insecure that international and national security standards, such as the PCI DSS and NIST SP 800-52 guidelines, have even gone as far as to prohibit their usage.

Regardless of their SSL version, 76% of all SSL VPN servers also used untrusted SSL certificates. These are SSL certificates that the server has not confirmed, and that attackers can mimic and thus launch MitM (Man-in-the-Middle) attacks on unsuspecting users.

High-Tech Bridge experts say that most of these untrusted certificates are because many SSL VPNs come with default pre-installed certificates that are rarely updated.

Some VPNs still use MD5 to sign certificates

Additionally, researchers also note that 74% of certificates are signed with SHA-1 signatures, and 5% with MD5 hashes, both considered outdated.

41% of all SSL VPNs also used insecure 1024 key lengths for their RSA certificates, even if, for the past years, any RSA key length below 2048 was considered to be highly insecure.

Even worse, one in ten SSL VPNs is still vulnerable to the two-year-old Heartbleed vulnerability, despite patches being available.

Out of all the tested SSL VPNs, researchers say that only 3% followed PCI DSS requirements. None managed to comply with NIST (National Institute of Standards and Technology) guidelines.

High-Tech Bridge is also providing a free tool that can tell users if their SSL VPN or HTTPS website is actually doing a good job of protecting them.

For the original story follow this link to Softpedia for more information.

This Hack Lets You Run Any Android App on Your Chromebook

image

Using a small JavaScript script, the hack, which is detailed in full on GitHub, allows any regular Android APK to be packaged up and, for want of a better term, side-loaded onto a Chromebook. It can then be run under the Android App Runtime in the same way as the ‘official’ Vine, Dulingo and Evernote. 

Restrictions mean that only one Android app can be run at a time.

To watch a Youtube video demonstration and the full original story follow this link to OMG Chrome.

Try It Out

If the thought of waiting for Google to partner up with the maker of your favourite app, game or utility is too much to bear, you could don your hard hat and try it out for yourself.

But be warned: it’s not a guide for the fainthearted or the technically averse. The developer behind the hack,
Vladikoff, cautions that his tool is for ‘proof of concept’ and is provided without any kind of warrant or assurance. The hack is also not endorsed by Google, Chromium or Android.

To follow along you’ll need a Chromebook with the Android Runtime plugin installed, the Android Vine app (which will be replaced during the course of the guide) and an OS X or Linux desktop from which to ‘package’ your app.

Applications tested and said to be working include Twitter, both tablet and mobile modes, and Flipboard (which was demoed running on a Chromebook at Google I/O).

Other apps tested but that crash include Google Chrome for Android (!), Spotify, SoundCloud and Swing Copters.

You can find more details and a download for the script on the project’s GitHub page, linked below.

‘Run Android APKs on Chromebooks’ Guide

Android adware can install itself even when users explicitly reject it

image

A while back, Ars reported on newly discovered Android adware that is virtually impossible to uninstall. Now, researchers have uncovered malicious apps that can get installed even when a user has expressly tapped a button rejecting the app.

The hijacking happens after a user has installed a trojanized app that masquerades as an official app available in Google Play and then is made available in third-party markets. During the installation, apps from an adware family known as Shedun try to trick people into granting the app control over the Android Accessibility Service, which is designed to provide vision-impaired users alternative ways to interact with their mobile devices. Ironically enough, Shedun apps try to gain such control by displaying dialogs such as this one, which promises to help weed out intrusive advertisements.

From that point on, the app has the ability to display popup ads that install highly intrusive adware. Even in cases where a user rejects the invitation to install the adware or takes no action at all, the Shedun-spawned app uses its control over the accessibility service to install the adware anyway.

“Shedun does not exploit a vulnerability in the service,” researchers from mobile security provider Lookout wrote in a blog post published Thursday morning. “Instead it takes advantage of the service’s legitimate features. By gaining the permission to use the accessibility service, Shedun is able to read the text that appears on screen, determine if an application installation prompt is shown, scroll through the permission list, and finally, press the install button without any physical interaction from the user.”

For a video demonstration and the original story follow this link to Ars Technica.

As previously reported, Shedun is one of several families of adware that can’t easily be uninstalled. That’s because the apps root the device and then embed themselves into the system partition to ensure they persist even after factory reset. Lookout refers to them as “trojanized adware” because the end goal of this malware is to install secondary applications and serve aggressive advertising.

The ability to use social engineering to hijack the Android Accessibility Service is yet another sign of the creativity and ingenuity put into this new breed of apps. As always, readers are reminded to carefully weigh the risks and benefits of using third-party app markets. They should also remain highly suspicious of any app that asks for control of the Android Accessibility Service.

Yes, Google can remotely reset Android passcodes, but there’s a catch

image

Newer Android phone and tablet owners aren’t affected, but it does say something about Android’s fragmentation of device security.

The one-sided encryption debate continues. Now, it’s being used as a tool to spread what’s commonly known as “fear, uncertainty, and doubt.”

If you ventured to Reddit, you might have read a startling claim by the Manhattan district attorney’s office, who last week released a report into smartphone encryption and public safety.

It reads [PDF]:

“Google can reset the passcodes when served with a search warrant and an order instructing them to assist law enforcement to extract data from the device. This process can be done by Google remotely and allows forensic examiners to view the contents of a device.”

But there’s a problem: that’s only half of the story. And while it’s true, it requires a great deal more context.

The next few lines read:

“For Android devices running operating systems Lollipop 5.0 and above, however, Google plans to use default [device] encryption, like that being used by Apple, that will make it impossible for Google to comply with search warrants and orders instructing them to assist with device data extraction.”

If you thought you heard that before, that’s because you have.

Google, which develops Android, said in its “Lollipop” 5.0 upgrade two years ago it would enable device encryption by default, which forces law enforcement, federal agents, and intelligence agencies to go to the device owner themselves rather than Google.

This so-called “zero knowledge” encryption — because the phone makers have zero knowledge of your encryption keys — also led Apple to do a similar thing with iOS 8 and later. Apple now has 91 percent of its devices using device encryption.

However, there was some flip-flopping on Google’s part because there were reports of poor device performance. Eventually, the company said it would bring device encryption by default to its own brand of Nexus devices. Then, it said that its newest “Marshmallow” 6.0 upgrade will enable device encryption by default.

It took a year, but Google got there in the end

The US government, and its law enforcement and prosecutors were concerned. They have argued that they need access to device data, but now they have to go to the very people they are investigating or prosecuting.

Only a fraction of Android devices, however, are protected.

According to latest figures, only 0.3 percent of all Android devices are running “Marshmallow” 6.0, which comes with device encryption by default. And while “Lollipop” 5.0 is used on more than one-quarter of all Android devices, the vast majority of those who have device encryption enabled by default are Nexus owners.

To read more and the original story follow this link to ZD Net.

NSA whistleblower: No software is ‘safe from surveillance’

image
A former NSA official said the agency has "more resources" for surveillance than the average user can ever hope to defend against.

William Binney doesn’t have a membership card to the small group of which he’s a part — people who have spoken out against the National Security Agency, and been left relatively unscathed — but at least he has the next best thing, a valid passport.

The former National Security Agency official, who spent three decades of his life in espionage — and is said to have been one of the reasons why Edward Snowden took and handed thousands of classified documents to journalists two years ago — still talks about his time in the intelligence community.

“The biggest threat to US citizens is the US government,” said Binney in a Reddit “ask me anything” session.

Which in itself would be a bold claim if it weren’t for the most recent revelations, which we can thank his whistleblowing “successor” for.

The NSA, once called the “No Such Agency” for its clandestine and secretive operations, has been embroiled in a string of intelligence-gathering and law-bending practices that have not only ensnared much of the world’s communications, but also the data belonging to Americans — the same people the agency is tasked with protecting.

One of those operations included developing cyberweapons based on hardware and software security vulnerabilities.

“I don’t think any software is safe from surveillance,” said Binney, in response to a question about free and open-source operating systems and software, such as Linux.

A few days earlier, the NSA, known for exploiting vulnerabilities in software, said in more than 90 percent of cases it would disclose flaws, with the exception of when “national security reasons” outweigh the public good. The NSA did not say when it would disclose those flaws, however, leaving open the possibility that they are used before they are turned over to be fixed.

Binney’s comments run contrary to how many see, in particular, open-source software, which many regard as more secure than closed-off systems, like Windows.

Ladar Levison, founder of Lavabit, the encrypted email service said to have been used by Snowden prior to his departure from the US, said in phone conversation earlier this year that although he distrusts some US software, “you don’t have to distrust everything.”

“The true problem is that you don’t know what can be trusted and what can’t. I personally find myself seeking open platforms, systems, and tools, where I can go in and look — or at least if not myself, one of my peers,” he said.

Other open-source developers, like Cryptocat developer Nadim Kobeissi, have also said that open-source code makes it near-impossible to include backdoors.

To read more and the full story follow this link to ZD Net.

New malware used to attack energy companies

malware
The Trojan program is used for reconnaissance and distribution of additional malware, researchers from Symantec say

 

A new malware program is being used to do reconnaissance for targeted attacks against companies in the energy sector.

The program, dubbed Trojan.Laziok by researchers from antivirus vendor Symantec, was used in spear-phishing attacks earlier this year against companies from the petroleum, gas and helium industries.

The attacks targeted companies from many countries in the Middle East, but also from the U.S., India, the U.K., and others, according to malware researchers from Symantec.

The Trojan is spread via emails with malicious documents that exploit a Microsoft Office vulnerability for which a patch has existed since April 2012.

“If the user opens the email attachment, which is typically an Excel file, then the exploit code is executed,” the Symantec researchers said Monday in a blog post. “If the exploit succeeds, it drops Trojan.Laziok, kicking off the infection process.”

Trojan.Laziok is mainly used to determine if a compromised system is worth further attention from the attackers. It collects information like the computer’s name, RAM size, hard disk size, GPU and CPU type, as well as a list of installed software, including running antivirus programs.

The information is sent back to the attackers, who then decide if they want to deploy additional malware that can provide them with remote access to the infected system. For this second stage of attack they use customized versions of Backdoor.Cyberat and Trojan.Zbot, two well known malware threats.

“The group behind the attack does not seem to be particularly advanced, as they exploited an old vulnerability and used their attack to distribute well-known threats that are available in the underground market,” the Symantec researchers said. “However, many people still fail to apply patches for vulnerabilities that are several years old, leaving themselves open to attacks of this kind.”

For more information and the original story follow this link to Computerworld

Worst WordPress hole for five years affects 86% of sites

image

An estimated 86 per cent of WordPress websites harbour a dangerous cross-site scripting (XSS) hole in the popular comment system plugin, in what researcher Jouko Pynnonen calls the most serious flaw in five years. The bug could provide a pathway for attacking visitors’ machines.

The WP-Statistics plugin lets attackers inject JavaScript into comments, which can then infect reader computers or those of administrators.

The flaw has existed for about four years, affecting versions between 3.0 to 3.9.2 – but not version 4.0, which handles regular expressions differently.

Version 4.0.1 patched a separate and also critical set of XSS flaws discovered by the internal security team, along with a cross-site request forgery hole.

Klikki Oy security bod Jouko Pynnonen revealed the earlier flaw last week in technical advisory.

“An attacker could exploit the vulnerability by entering carefully crafted comments, containing program code, on WordPress blog posts and pages. Under default settings comments can be entered by anyone without authentication,” Pynnonen said.

He continued:

Program code injected in comments would be inadvertently executed in the blog administrator’s web browser when they view the comment. The rogue code could then perform administrative operations by covertly taking over the administrator account.

Such operations include creating a new administrator account (with a known password), changing the current administrator password, and in the most serious case, executing attacker-supplied PHP code on the server. This grants the attacker operating system level access on the server hosting WordPress.

In light of the server-side impact the unauthenticated default exploit is “probably the most serious WordPress core vulnerability that has been reported since 2009”, according to Pynnonen.

He developed a proof-of-concept exploit that mopped up evidence of injected scripts before quietly using the plugin editor to write attacker-supplied PHP code on the server, changing the user’s password and creating an administrator account.

Attackers could then write more PHP code to the server through the editor. This code was instantly executed using an AJAX request to gain operating system-level access.

Other plugins that allow unprivileged users to enter HTML text could offer more attack vectors, Pynnonen said.

He has created a work-around plugin for administrators who are unable to upgrade their WordPress servers.

A third set of recently patched XSS in WP-Statistics has been discovered by Sucuri researcher Marc-Alexandre Montpas. The stored and reflected XSS in versions 8.3 and below of the WordPress plug-in also turned attackers into admins, permitting black hats to inject search engine optimisation (SEO) content into unrelated blog posts.

“… the problem is very simple,” Montpas wrote in a Nov 20 blog post. “The plugin fails to properly sanitise some of the data it gathers for statistical purposes, which are controlled by the website’s visitors.”

“If an attacker decided to put malicious Javascript code in the affected parameter, it would be saved in the database and printed as-is in the administrative panel, forcing the victim’s browser to perform background tasks on its behalf.”

To finish the article and for more information follow the source link below! 

Source: The Register

Wikipedia has been visualized as an interactive galaxy powered by WebGL

image

Wikipedia is an almost boundless source of information — as close to a true compendium of human knowledge as we’ve ever come. It’s not very pretty, though, is it? Page after page of black text on a white background, and enough hyperlinks to suck you into a never ending vortex of related articles. Rendering Wikipedia as a nebula is more befitting its true nature, don’t you think? I just so happens there’s a Chrome experiment that does just that, and it’s called WikiGalaxy.

This Wikipedia visualization was created by French computer science student Owen Cornec. Each “star” in WikiGalaxy is a single article on Wikipedia. Highly related articles are placed close to each other in space with connections between them. So if you click on one point of light, you’ll see the text of the article in the left info panel. Over on the right are all the linked articles, which show up on the map as lines connecting the points of light. It’s interesting to see how wide-ranging some of the articles are. The beams of light might be confined to a little corner of the virtual galaxy on one article, then a neighboring page has its tendrils of influence creeping all the way across the map. To get a better feel of your meandering, you can enable the history path, which connects all the articles you’ve clicked on with a green line, winding through the stars.

The map view is the default mode, but you can also dive into fly mode for a more interactive experience. This places you in the middle of the galactic disc, surrounded by articles. The arrow keys move forward, back and side to side. The movement control is good enough, but anyone who has played a 4X game will be missing mouse zoom in map view. It just seems like you should be able to zoom in any out more quickly, and the buttons toward the upper left don’t quite cut it.

image

image

So it’s neat for poking around Wikipedia in a superficial way, but what about reading articles? The preview pane on the left is okay for getting the gist, but you can click on the title for a full page version. You can read through a whole article in this view, but the lack of links and busted table formatting make it less than ideal for in-depth research. Hey, it’s still Wikipedia in galaxy form. What more do you want? If you would like to simply enjoy the interface and click around, there’s a button up top to turn off the UI and get all those boxes out of the way. The beta version only has 100,000 articles, but that’s still a sizeable galaxy.

Cornec’s next project will be to color-code the different article categories so you’ll be able to tell what sort of article each star represents without clicking on it. More stars should be added along the way too. While this is a Chrome experiment running WebGL and HTML5, WikiGalaxy should work in most modern browsers. However, it might not play as nicely with Chrome on Macs. You can blame either Google or Apple for that — take your pick.

For more information and the original story follow the source link below.

Source: Extreme Tech

Vsenn is a modular smartphone with triple layer encryption

image
Image via TechSpot

Google’s Project Ara hopes to free users from the yearly upgrade cycle that exists in the smartphone world. With the ability to swap out or upgrade various components of your smartphone, the goal is to reduce waste while also reducing the cost of always having the latest mobile hardware in your pocket. Now, Ara has some competition in the form of security conscious Vsenn, which wants to do something similar along with three layers of encryption.

Engadget points to the Vsenn website, which states that the company was co-founded by an unnamed former Nokia Android X program manager. The site promises modular hardware when it comes to your phone’s camera, battery, processor, and RAM as well as guaranteed Android updates for four years and customization via swappable back covers. The real clincher is that all of your data is protected with triple layer encryption and users have free access to a VPN network and secure cloud service.

For a lot of people, their smartphone is a key to their digital life. With access to everything from email and banking information to hundreds or thousands of photos, the prospect of losing that device or it falling into the wrong hands can be a scary thought. That’s why devices like Vsenn or the BlackPhone (which was shown off at MWC earlier this year and encrypts calls, emails texts, and browsing) garner so much attention.

No word on when consumers can get their hands on a Vsenn phone, but the company has already confirmed that the first of its devices will have a 4.7-inch 468.7 PPI display and will measure 124 x 63 x 8.9 mm. So just a little shorter and narrower and slimmer than the 2013 Moto G.

For more information and the original story follow the source link below.

Source: mobilesyrup