We’ll tell you about a major German hack that lasted 12 years and struck over 300 businesses. Plus researchers discover a nasty Android bug that impacts over 70% of users.
Then it’s a great big batch of your networking questions, our answers & much much more!
— Show Notes: —
Operation Harkonnen, a 12 year long intrusion to over 300 businesses
- “From 2002 a German cybercrime network performed numerous targeted penetrations to over 300 organizations, including tier one commercial companies, government institutions, research laboratories and critical infrastructure facilities in the German speaking countries. The attackers planted Trojans in specific workstations in the organizations, gained access to sensitive confidential documents and information and silently exfiltrated them to the organizations who ordered the attack”
- “Once embedded in the system the files started to send data from the target computer to an external domain. The analysis revealed the domain was registered by a UK company, with the exact address and contact details of 833 other companies, most of which are already dissolved”
- “The British relatively tolerant requirements to purchasing SSL security certificates were exploited by the network to create pseudo legitimate Internet service names and to use them to camouflage their fraudulent activity”
- Specifically, it is quite easy and cheap to establish a new company in England, and a registered company is enough to obtain domains and SSL certificates that look legitimate to a target
- It is estimated that the attackers spent as much as $150,000 establishing fake companies and arming them with domains and SSL certificates in order to make their spear-phishing campaign appear more legitimate
- “The discovery happened at a leading, 30 year old, 300 employee German organization that holds extremely sensitive information with a strategic value to many adverse organizations and countries. The organizational network contains 5 domains with complex architecture of multiple network segments and sites, connected through VPN.”
- Additional Coverage: TheHackerNews
Researcher finds same-origin-policy bypass for Android browser, allows attacker to read your browser tabs
- Android versions before 4.4 (about 75% of Android phones in use at the time) are vulnerable
- Tracked as CVE-2014-6041; disclosed on September 1, 2014 by Rafay Baloch on his blog.
- By prepending a null byte to a javascript: URL (so the string begins with \u0000javascript:) and using it to navigate a frame or window belonging to another site, an attacker can bypass the Android Open Source Platform (AOSP) Browser’s Same-Origin Policy (SOP) check: the browser does not recognise the string as a javascript: URL when it decides whether the cross-origin navigation is allowed, yet it still executes the script, in the origin of the targeted page.
- What this means is that any arbitrary website (say, one controlled by a spammer or a spy) can load any other site in a frame and read that page’s contents and DOM as if it were the same origin.
- The attacker could scrape your e-mail data and see what your browser sees.
- Or snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.
- As part of its attempts to gain more control over Android, Google has discontinued the AOSP Browser.
- Android Browser used to be the default browser on Android, but this changed in Android 4.2, when Google switched to Chrome.
- The core parts of Android Browser were still used to power embedded WebView controls within applications; this changed in Android 4.4, when WebView switched to a Chromium-based browser engine.
- Users of Android 4.0 and up can avoid much of the exposure by switching to Chrome, Firefox, or Opera, none of which should use the broken code.
- Update: Google has offered the following statement:
We have reviewed this report and Android users running Chrome as their browser, or those who are on Android 4.4+ are not affected. For earlier versions of Android, we have already released patches (1, 2) to AOSP.
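The bug class behind this bypass, as an added example that is not from the show notes or the AOSP code: a navigation guard that must let a page navigate a cross-origin frame (SOP allows that) but must refuse a javascript: URL, because that script would run in the frame’s origin. The vulnerable pattern tests the scheme on the raw string; the URL machinery that later performs the navigation strips leading control bytes (and embedded tab/newline) before reading the scheme, so "\u0000javascript:..." passes the check and still runs as script. The hardened pattern canonicalises first. Function names and the sample payloads are constructed for this illustration; the model is a simplification of the browser code path, not a reproduction of it.

```javascript
// Vulnerable pattern: the scheme test runs on the untrimmed string.
// "\u0000javascript:..." does not start with "javascript:", so it is
// treated as a harmless URL and the cross-origin navigation is allowed.
function naiveIsJavascriptUrl(raw) {
  return raw.toLowerCase().startsWith('javascript:');
}

// The scheme as the URL parser that executes the navigation will see it
// (WHATWG URL rules): drop leading/trailing C0 controls and spaces, drop
// embedded tab/CR/LF, then read "<scheme>:" from the start.
function canonicalScheme(raw) {
  const trimmed = raw
    .replace(/^[\u0000-\u0020]+/, '')
    .replace(/[\u0000-\u0020]+$/, '')
    .replace(/[\t\r\n]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(trimmed);
  return m ? m[1].toLowerCase() : null;
}

// Hardened pattern: decide on the canonical scheme, never on the raw bytes,
// so the check and the executor agree about what the URL is.
function hardenedIsJavascriptUrl(raw) {
  return canonicalScheme(raw) === 'javascript';
}

// Navigation guard (hypothetical): true when a frame of another origin may be
// sent to `raw`. Ordinary http(s) navigation is allowed by SOP; javascript:
// is not, because the script would execute in the target frame's origin.
function allowCrossOriginNavigation(raw, isJavascriptUrl) {
  return !isJavascriptUrl(raw);
}

// What Node's WHATWG URL parser reports for the same string (same trimming
// rules as canonicalScheme); null if it will not parse at all.
function whatwgProtocol(raw) {
  try {
    return new URL(raw).protocol;
  } catch (e) {
    return null;
  }
}

// Constructed inputs, including the null-byte form from the disclosure.
const PAYLOADS = [
  'javascript:alert(document.domain)',
  '\u0000javascript:alert(document.domain)',
  ' JAVAscript:alert(document.domain)',
  'java\nscript:alert(document.domain)',
  'https://example.test/',
];

// One row per payload: does each guard let the navigation through?
function report() {
  return PAYLOADS.map((p) => ({
    payload: JSON.stringify(p),
    naiveAllows: allowCrossOriginNavigation(p, naiveIsJavascriptUrl),
    hardenedAllows: allowCrossOriginNavigation(p, hardenedIsJavascriptUrl),
    parserSees: whatwgProtocol(p),
  }));
}

console.table(report());
```

Run it with `node` and compare the `naiveAllows` and `parserSees` columns for the null-byte row: the naive guard allows the navigation while the parser still reports `javascript:`, which is exactly the disagreement the exploit relies on. The same disagreement appears for a leading space and for an embedded newline, so the fix is canonicalisation, not a special case for one byte.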
Feedback:
Round Up:
- Yet Another Reason Containers Don’t Contain: Kernel Keyrings
- Micron announces new 16nm SSD chips, only $0.45/GB, dynamically programmable as SLC or MLC
- What Exactly Is the Facebook Messenger App for iOS Tracking?
- Citadel banking trojan repurposed in attack against Middle Eastern oil companies
- Apple’s “warrant canary” disappears, suggesting new Patriot Act demands
- Details emerge about Home Depot hack, malware attempted to look like McAfee PoS protection system, looks like different attackers than Target
- The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) disclosed four different remotely exploitable vulnerabilities in IntegraXor, a popular SCADA server