Category Archives: Software

NSA whistleblower: No software is ‘safe from surveillance’

A former NSA official said the agency has "more resources" for surveillance than the average user can ever hope to defend against.

William Binney doesn’t have a membership card to the small group of which he’s a part — people who have spoken out against the National Security Agency, and been left relatively unscathed — but at least he has the next best thing, a valid passport.

The former National Security Agency official, who spent three decades of his life in espionage — and is said to have been one of the reasons why Edward Snowden took and handed thousands of classified documents to journalists two years ago — still talks about his time in the intelligence community.

“The biggest threat to US citizens is the US government,” said Binney in a Reddit “ask me anything” session.

Which in itself would be a bold claim if it weren’t for the most recent revelations, which we can thank his whistleblowing “successor” for.

The NSA, once called the “No Such Agency” for its clandestine and secretive operations, has been embroiled in a string of intelligence-gathering and law-bending practices that have not only ensnared much of the world’s communications, but also the data belonging to Americans — the same people the agency is tasked with protecting.

One of those operations included developing cyberweapons based on hardware and software security vulnerabilities.

“I don’t think any software is safe from surveillance,” said Binney, in response to a question about free and open-source operating systems and software, such as Linux.

A few days earlier, the NSA, known for exploiting vulnerabilities in software, said that in more than 90 percent of cases it would disclose flaws, with the exception of when “national security reasons” outweigh the public good. The NSA did not say when it would disclose those flaws, however, leaving open the possibility that they are used before they are turned over to be fixed.

Binney’s comments run contrary to how many see, in particular, open-source software, which many regard as more secure than closed-off systems, like Windows.

Ladar Levison, founder of Lavabit, the encrypted email service said to have been used by Snowden prior to his departure from the US, said in a phone conversation earlier this year that although he distrusts some US software, “you don’t have to distrust everything.”

“The true problem is that you don’t know what can be trusted and what can’t. I personally find myself seeking open platforms, systems, and tools, where I can go in and look — or at least if not myself, one of my peers,” he said.

Other open-source developers, like Cryptocat developer Nadim Kobeissi, have also said that open-source code makes it near-impossible to include backdoors.

To read more and the full story, follow this link to ZDNet.


Chinese Marketing Firm Spreads Adware to Promote Its App Portfolio


A Chinese company that markets itself as a mobile app promoter has been cheating its clients by deploying adware to install their apps on unsuspecting victims.

The company, named NGE Mobi/Xinyinhe and operating in China and Singapore, has been using popular apps, repackaged with the malicious adware code, which it distributes through unofficial Android app stores.

When users install these apps on their smartphones, the adware comes to life, collects information about the device, sends it to a C&C server, and then waits for new commands.

The adware can gain root access and boot persistence

When the server answers, the app moves to install a root backdoor and a series of system daemons that allow it to survive system reboots.

Here is where the fun begins, because once the adware is firmly implanted on the victim’s phone, it starts serving apps and ads, all from NGE Mobi/Xinyinhe’s portfolio.

As FireEye found out in their research, most of the time pornographic apps and ad interstitials are displayed on the user’s home screen, all harmless but very annoying.

Currently, the adware has been found on Android versions ranging from 2.3.4 to 5.1.1, with the most infected users in countries like Russia, China, Brazil, Argentina, Egypt, Spain, France, Germany, Sweden, Norway, Saudi Arabia, Indonesia, India, the UK, and the US.

The NGE adware campaign was first observed in August and has grown at a constant pace ever since.


The adware can be hijacked to deliver more dangerous malware

What’s even worse, as FireEye researchers point out, is that the adware’s creators were extremely careless when they put together the malicious code.

Because the C&C server communications are carried out via blind HTTP channels, a second attacker could easily intercept these transmissions.

Since the adware gains root privileges and boot persistence over all infected devices, another attacker could use this to serve much more dangerous apps compared to silly adult apps and ads.

The first example that comes to mind is when the second attacker adds infected phones to a botnet and uses them to carry out DDoS attacks. Worse scenarios are when attackers decide to go snooping through your private pictures or install ransomware on your phone.

For more information and more photos, follow this link to Softpedia.

New Android Malware Sprouting Like Weeds


Information stored on an Android smartphone or tablet is vulnerable to almost 4,900 new malware files each day, according to a report G Data SecurityLabs released Wednesday.

Cybercriminals’ interest in the Android operating system has grown, the firm’s Q1 2015 Mobile Malware Report revealed.

“The report suggests that Android devices are becoming a bigger target for the bad guys and more profitable than in previous years,” said Andy Hayter, security evangelist for G Data.

The number of new malware samples in the first quarter increased 6.4 percent (440,267) from the fourth quarter of last year (413,871). The number of malware strains rose by 21 percent compared with the first quarter of 2014 (316,153).

More than 2 million new Android malware strains are likely to surface this year, G Data security predicted.

Just the Start

The 2 million figure is very realistic, due to the increasing use of Android devices for banking and shopping online, G Data suggested.

“The report shows that the OS has a bigger market share than the others, and thus is more interesting to security researchers and malware authors alike. Also, a lot of vendors offer Android devices varying in quality standards, but that is not a problem of the OS itself, but rather of the vendor in question,” Hayter told LinuxInsider.

Google introduced premium SMS Checks last year. After that, the malware models started to spread out, he noted.

“Before that time there were a few very active malware families, such as SMS FakeInstaller,” Hayter said. “Since then there are lots of small families.”

Financially Motivated

At least 41 percent of consumers in Europe and 50 percent in the U.S. use a smartphone or tablet for their banking transactions. Plus, 78 percent of Internet users make purchases online.

The new malware files have a financial foundation, according to the G Data report. At least half of all Android malware now in circulation includes banking Trojans, SMS Trojans and similar malware components.

The actual percentage of malware-infected Android apps easily could be higher, the researchers warned. They only studied malware with a direct financial purpose — many other types of cases might exist.

For example, a malware program might install apps or steal credit card data as an additional process after a payment is made. Because that type of malware would not seem to be financially motivated, it would not have been included in the report’s statistics.

Thin Dividing Line

Free Android apps offer particularly attractive attack vectors to cybercriminals. Many apps, especially free apps, rely on advertising to fund their development.

Bad apps can hide themselves in the background or conceal functions from users. Bad apps also can send legitimate apps’ data to additional advertising networks.

Apps that do such things — like programs running on PC OSes — are called “Potentially Unwanted Programs,” or PUPs. The report categorizes such apps as adware, noting that they often hide in manipulated or fake apps that are installed from sources other than the Google Play Store.

Malware Magnet

Android is a derivative of Linux, an operating system generally considered less likely to be targeted by viruses and malware. However, Android is less rigorous and less secure than other mobile platforms, said Rob Enderle, principal analyst at the Enderle Group.

“There is much more sideloading, which means there is a far easier path to getting viruses on Android devices than any other mobile platform,” he told LinuxInsider.

Google historically has been less focused on security and customer satisfaction than firms that are more closely tied to user revenue, Enderle said. Another reason for Android’s vulnerability is that mobile platforms generally don’t run security software.

Historically, they have been somewhat protected because of their tight ties to curated stores, “but now that smartphones have PC-like performance, they are becoming a magnet for malware,” noted Enderle.

“Google’s lack of focus on this problem, reminiscent of Microsoft’s similar mistake in the late 1990s — which resulted in their having to rethink their OS and create Windows XP — has created a massive exposure for Android users,” he said.

To read more follow this link to Linux Insider.

A New High-Speed MRI Technique Is Fast Enough To Record Someone Singing


It’s a remarkable technology capable of looking inside a human being, but magnetic resonance imaging—or MRI—machines are finicky and require a patient to remain absolutely still while the scanner does its thing. But researchers at the University of Illinois have found a way to capture up to 100 frames per second on an MRI machine, allowing them to record patients in motion.

The need for a faster MRI technique arose when a faculty member at the University of Illinois’ Beckman Institute for Advanced Science and Technology wanted to study how the muscles of the larynx worked in elderly patients while singing, in an attempt to help give them more powerful and pronounced voices. The problem with using MRI machines was that they could only capture images at around ten frames per second, which was far too slow to study what was going on with the 100 or so muscles required to sing.

So Zhi-Pei Liang, an electrical and computer engineering professor at the institute, worked with his team to develop a new methodology to extract more frames from an MRI machine—which is a far cheaper solution than trying to rebuild and redesign one of the incredibly expensive devices from the ground up. Here’s how the new technique they came up with is described in an issue of Magnetic Resonance in Medicine:

An imaging method is developed to enable high-speed dynamic speech imaging exploiting low-rank and sparsity of the dynamic images of articulatory motion during speech. The proposed method includes: (a) a novel data acquisition strategy that collects spiral navigators with high temporal frame rate and (b) an image reconstruction method that derives temporal subspaces from navigators and reconstructs high-resolution images from sparsely sampled data with joint low-rank and sparsity constraints.

To read the full story and for more information please follow this link to Gizmodo.

New malware used to attack energy companies

The Trojan program is used for reconnaissance and distribution of additional malware, researchers from Symantec say

A new malware program is being used to do reconnaissance for targeted attacks against companies in the energy sector.

The program, dubbed Trojan.Laziok by researchers from antivirus vendor Symantec, was used in spear-phishing attacks earlier this year against companies from the petroleum, gas and helium industries.

The attacks targeted companies from many countries in the Middle East, but also from the U.S., India, the U.K., and others, according to malware researchers from Symantec.

The Trojan is spread via emails with malicious documents that exploit a Microsoft Office vulnerability for which a patch has existed since April 2012.

“If the user opens the email attachment, which is typically an Excel file, then the exploit code is executed,” the Symantec researchers said Monday in a blog post. “If the exploit succeeds, it drops Trojan.Laziok, kicking off the infection process.”

Trojan.Laziok is mainly used to determine if a compromised system is worth further attention from the attackers. It collects information like the computer’s name, RAM size, hard disk size, GPU and CPU type, as well as a list of installed software, including running antivirus programs.

The information is sent back to the attackers, who then decide if they want to deploy additional malware that can provide them with remote access to the infected system. For this second stage of attack they use customized versions of Backdoor.Cyberat and Trojan.Zbot, two well known malware threats.

“The group behind the attack does not seem to be particularly advanced, as they exploited an old vulnerability and used their attack to distribute well-known threats that are available in the underground market,” the Symantec researchers said. “However, many people still fail to apply patches for vulnerabilities that are several years old, leaving themselves open to attacks of this kind.”

For more information and the original story, follow this link to Computerworld.

Worst WordPress hole for five years affects 86% of sites


An estimated 86 per cent of WordPress websites harbour a dangerous cross-site scripting (XSS) hole in the popular comment system plugin, in what researcher Jouko Pynnonen calls the most serious flaw in five years. The bug could provide a pathway for attacking visitors’ machines.

The WP-Statistics plugin lets attackers inject JavaScript into comments, which can then infect reader computers or those of administrators.

The flaw has existed for about four years, affecting versions 3.0 through 3.9.2 – but not version 4.0, which handles regular expressions differently.

Version 4.0.1 patched a separate and also critical set of XSS flaws discovered by the internal security team, along with a cross-site request forgery hole.

Klikki Oy security bod Jouko Pynnonen revealed the earlier flaw last week in a technical advisory.

“An attacker could exploit the vulnerability by entering carefully crafted comments, containing program code, on WordPress blog posts and pages. Under default settings comments can be entered by anyone without authentication,” Pynnonen said.

He continued:

Program code injected in comments would be inadvertently executed in the blog administrator’s web browser when they view the comment. The rogue code could then perform administrative operations by covertly taking over the administrator account.

Such operations include creating a new administrator account (with a known password), changing the current administrator password, and in the most serious case, executing attacker-supplied PHP code on the server. This grants the attacker operating system level access on the server hosting WordPress.

In light of the server-side impact the unauthenticated default exploit is “probably the most serious WordPress core vulnerability that has been reported since 2009”, according to Pynnonen.

He developed a proof-of-concept exploit that mopped up evidence of injected scripts before quietly using the plugin editor to write attacker-supplied PHP code on the server, changing the user’s password and creating an administrator account.

Attackers could then write more PHP code to the server through the editor. This code was instantly executed using an AJAX request to gain operating system-level access.

Other plugins that allow unprivileged users to enter HTML text could offer more attack vectors, Pynnonen said.

He has created a work-around plugin for administrators who are unable to upgrade their WordPress servers.

A third set of recently patched XSS flaws in WP-Statistics has been discovered by Sucuri researcher Marc-Alexandre Montpas. The stored and reflected XSS in versions 8.3 and below of the WordPress plug-in also turned attackers into admins, permitting black hats to inject search engine optimisation (SEO) content into unrelated blog posts.

“… the problem is very simple,” Montpas wrote in a Nov 20 blog post. “The plugin fails to properly sanitise some of the data it gathers for statistical purposes, which are controlled by the website’s visitors.”

“If an attacker decided to put malicious JavaScript code in the affected parameter, it would be saved in the database and printed as-is in the administrative panel, forcing the victim’s browser to perform background tasks on its behalf.”
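The store-then-print-as-is pattern Montpas describes, shown as an added illustration that is not WP-Statistics or WordPress code: a statistics table saves a visitor-controlled value (the Referer header is a constructed stand-in for the affected parameter) and later renders it in an admin page, once without escaping and once escaped on output. The `esc()` helper is an assumption for this stand-alone file; a real plugin would use WordPress’s own `esc_html()`.

```php
<?php
// Added illustration (not plugin code): visitor-controlled data stored for
// statistics and rendered in an administrator's browser.

// Constructed sample of what a visitor can send. A Referer header is entirely
// under the client's control, like the parameters the advisory refers to.
$visitor_referer = 'https://example.invalid/?q=<script>document.title="pwned"</script>';

// The plugin persists exactly what it received.
$stats_rows = [
    ['page' => '/hello-world/', 'referer' => $visitor_referer],
];

// Vulnerable rendering: the stored string is concatenated into HTML as-is, so
// whichever administrator opens the report has the injected <script> parsed
// and run by their own browser, with their session.
function render_row_vulnerable(array $row): string
{
    return '<tr><td>' . $row['page'] . '</td><td>' . $row['referer'] . '</td></tr>';
}

// Hardened rendering: escape at the point of output. htmlspecialchars() is used
// here so the file runs without WordPress; inside a plugin, esc_html() is the
// equivalent call.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_row_hardened(array $row): string
{
    return '<tr><td>' . esc($row['page']) . '</td><td>' . esc($row['referer']) . '</td></tr>';
}

// Cheap regression check a plugin author can keep in a test suite: HTML built
// from stored rows must never contain a raw <script> tag.
function contains_raw_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

foreach ($stats_rows as $row) {
    $bad  = render_row_vulnerable($row);
    $good = render_row_hardened($row);
    printf("vulnerable output carries a raw <script>: %s\n", contains_raw_script($bad) ? 'yes' : 'no');
    printf("hardened output carries a raw <script>:   %s\n", contains_raw_script($good) ? 'yes' : 'no');
    echo $good, "\n";
}
```

The escaped row still shows the attacker's text verbatim to the administrator, which is the correct outcome: the data is displayed, not interpreted.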

To finish the article and for more information, follow the source link below!

Source: The Register

Wikipedia has been visualized as an interactive galaxy powered by WebGL


Wikipedia is an almost boundless source of information — as close to a true compendium of human knowledge as we’ve ever come. It’s not very pretty, though, is it? Page after page of black text on a white background, and enough hyperlinks to suck you into a never-ending vortex of related articles. Rendering Wikipedia as a nebula is more befitting its true nature, don’t you think? It just so happens there’s a Chrome experiment that does just that, and it’s called WikiGalaxy.

This Wikipedia visualization was created by French computer science student Owen Cornec. Each “star” in WikiGalaxy is a single article on Wikipedia. Highly related articles are placed close to each other in space with connections between them. So if you click on one point of light, you’ll see the text of the article in the left info panel. Over on the right are all the linked articles, which show up on the map as lines connecting the points of light. It’s interesting to see how wide-ranging some of the articles are. The beams of light might be confined to a little corner of the virtual galaxy on one article, then a neighboring page has its tendrils of influence creeping all the way across the map. To get a better feel of your meandering, you can enable the history path, which connects all the articles you’ve clicked on with a green line, winding through the stars.

The map view is the default mode, but you can also dive into fly mode for a more interactive experience. This places you in the middle of the galactic disc, surrounded by articles. The arrow keys move forward, back and side to side. The movement control is good enough, but anyone who has played a 4X game will be missing mouse zoom in map view. It just seems like you should be able to zoom in and out more quickly, and the buttons toward the upper left don’t quite cut it.


So it’s neat for poking around Wikipedia in a superficial way, but what about reading articles? The preview pane on the left is okay for getting the gist, but you can click on the title for a full page version. You can read through a whole article in this view, but the lack of links and busted table formatting make it less than ideal for in-depth research. Hey, it’s still Wikipedia in galaxy form. What more do you want? If you would like to simply enjoy the interface and click around, there’s a button up top to turn off the UI and get all those boxes out of the way. The beta version only has 100,000 articles, but that’s still a sizeable galaxy.

Cornec’s next project will be to color-code the different article categories so you’ll be able to tell what sort of article each star represents without clicking on it. More stars should be added along the way too. While this is a Chrome experiment running WebGL and HTML5, WikiGalaxy should work in most modern browsers. However, it might not play as nicely with Chrome on Macs. You can blame either Google or Apple for that — take your pick.

For more information and the original story follow the source link below.

Source: Extreme Tech

Vsenn is a modular smartphone with triple layer encryption

Image via TechSpot

Google’s Project Ara hopes to free users from the yearly upgrade cycle that exists in the smartphone world. With the ability to swap out or upgrade various components of your smartphone, the goal is to reduce waste while also reducing the cost of always having the latest mobile hardware in your pocket. Now, Ara has some competition in the form of security conscious Vsenn, which wants to do something similar along with three layers of encryption.

Engadget points to the Vsenn website, which states that the company was co-founded by an unnamed former Nokia Android X program manager. The site promises modular hardware when it comes to your phone’s camera, battery, processor, and RAM as well as guaranteed Android updates for four years and customization via swappable back covers. The real clincher is that all of your data is protected with triple layer encryption and users have free access to a VPN network and secure cloud service.

For a lot of people, their smartphone is a key to their digital life. With access to everything from email and banking information to hundreds or thousands of photos, the prospect of losing that device or it falling into the wrong hands can be a scary thought. That’s why devices like Vsenn or the BlackPhone (which was shown off at MWC earlier this year and encrypts calls, emails, texts, and browsing) garner so much attention.

No word on when consumers can get their hands on a Vsenn phone, but the company has already confirmed that the first of its devices will have a 4.7-inch 468.7 PPI display and will measure 124 x 63 x 8.9 mm. So just a little shorter and narrower and slimmer than the 2013 Moto G.

For more information and the original story follow the source link below.

Source: mobilesyrup

Sophisticated malware has been spying on computers since 2008 (updated)


Highly sophisticated malware isn’t limited to relatively high-profile sabotage code like Stuxnet — sometimes, it’s designed to fly well under the radar. Symantec has discovered Regin, a very complex trojan that has been spying on everyone from governments to individuals since at least 2008. The malware is highly modular, letting its users customize their attacks depending on whether they need to remotely control a system, get screenshots or watch network traffic. More importantly, it’s uncannily good at covering its tracks. Regin is encrypted in multiple stages, making it hard to know what’s happening unless you capture every stage; it even has tools to fight forensics, and it can use alternative encryption in a pinch. Researchers at Symantec suspect that the trojan is a government-created surveillance tool, since it likely took “months, if not years” to create.

If it is meant for spying, though, it’s not clear just who wrote the malware or why. Unlike Dragonfly and other instances of professionally-made malware, Regin’s origin hasn’t been narrowed down to a particular country or region. About half of the infections have taken place in Russia and Saudi Arabia, but you can also find victims across India, Iran and multiple European nations. Also, it’s definitely not limited to telecoms or other high-value targets — 48 percent of known victims are people and small businesses. While Regin could easily be part of an online espionage campaign, it’s hard to rule anything out at this point.

Update: Kaspersky Labs did some extra sleuthing and found that Regin can attack cellular networks’ GSM base stations, mapping their infrastructure. Also, sources tell The Intercept that Belgian carrier Belgacom found the trojan on its internal networks. That’s potentially worrisome — while there’s no hard evidence of a connection so far, it suggests that Britain’s GCHQ may have used Regin to infiltrate Belgacom and spy on its users.

For more information and the original story follow the source link below.

Source: Engadget

For a year, gang operating rogue Tor node infected Windows executables

A flowchart of the infection process used by a malicious Tor exit node.

Attacks tied to gang that previously infected governments with highly advanced malware.

Three weeks ago, a security researcher uncovered a Tor exit node that added malware to uncompressed Windows executables passing through it. Officials with the privacy service promptly shut down the Russia-based node, but according to new research, the group behind the node had likely been infecting files for more than a year by that time, causing careless users to install a backdoor that gave attackers full control of their systems.

What’s more, according to a blog post published Friday by researchers from antivirus provider F-Secure, the rogue exit node was tied to the “MiniDuke” gang, which previously infected government agencies and organizations in 23 countries with highly advanced malware that uses low-level code to stay hidden. MiniDuke was intriguing because it bore the hallmark of viruses first encountered in the mid-1990s, when shadowy groups such as 29A engineered innovative pieces of malware for fun and then documented them in an E-zine of the same name. Written in assembly language, most MiniDuke files were tiny. Their use of multiple levels of encryption and clever coding tricks made the malware hard to detect and difficult to reverse engineer. The code also contained references to Dante Alighieri’s Divine Comedy and alluded to 666, the “mark of the beast” discussed in the biblical Book of Revelation.

“OnionDuke,” as the malware spread through the latest attacks is known, is a completely different malware family, but some of the command and control (C&C) channels it uses to funnel commands and stolen data to and from infected machines were registered by the same persona that obtained MiniDuke C&Cs. The main component of the malware monitored several attacker-operated servers to await instructions to install other pieces of malware. Other components siphoned login credentials and system information from infected machines.

Besides spreading through the Tor node, the malware also spread through other, undetermined channels. The F-Secure post stated:

During our research, we have also uncovered strong evidence suggesting that OnionDuke has been used in targeted attacks against European government agencies, although we have so far been unable to identify the infection vector(s). Interestingly, this would suggest two very different targeting strategies. On one hand is the “shooting a fly with a cannon” mass-infection strategy through modified binaries and, on the other, the more surgical targeting traditionally associated with APT [advanced persistent threat] operations.

The malicious Tor node infected uncompressed executable files passing through unencrypted traffic. It worked by inserting the original executable into a “wrapper” that added a second executable. Tor users downloading executables from an HTTPS-protected server or using a virtual private network were immune to the tampering; those who were careful to install only apps that were digitally signed by the developer would likely also be safe, although that assurance is by no means guaranteed. It’s not uncommon for attackers to compromise legitimate signing keys and use them to sign malicious packages.

Tor officials have long counseled people to employ a VPN and use encryption when using the privacy service, and OnionDuke provides a strong cautionary tale of what can happen when users fail to heed that advice.

This post was updated to remove incorrect statements concerning the use of virtual private networks.

For the complete story follow the source link below.

Source: Ars Technica