Zero-Days Of Our Lives | TechSNAP 240
Posted on: November 12, 2015

The first remote administration trojan that targets Android, Linux, Mac and Windows. Joomla and vBulletin have major flaws & tips for protecting your online privacy from some very motivated public figures.
Plus some great questions, a rockin’ roundup & much, much more!
— Show Notes: —
First remote administration trojan that targets Android, Linux, Mac, and Windows: OmniRat
- “On Friday, Avast discovered OmniRat, a program similar to DroidJack. DroidJack is a program that facilitates remote spying and recently made news when European law enforcement agencies made arrests and raided the homes of suspects as part of an international malware investigation.”
- “OmniRat and DroidJack are RATs (remote administration tools) that allow you to gain remote administrative control of any Android device. OmniRat can also give you remote control of any Windows, Linux or Mac device. Remote administrative control means that once the software is installed on the target device, you have full remote control of the device.”
- “On their website, OmniRat lists all of the things you can do once you have control of an Android, which include: retrieving detailed information about services and processes running on the device, viewing and deleting browsing history, making calls or sending SMS to any number, recording audio, executing commands on the device and more.”
- “Like DroidJack, OmniRat can be purchased online, but compared to DroidJack, it’s a bargain. Whereas DroidJack costs $210, OmniRat costs only $25 to $50 depending on which device you want to control.”
- “A custom version of OmniRat is currently being spread via social engineering. A user on a German tech forum, Techboard-online, describes how a RAT was spread to his Android device via SMS. After researching the incident, I have come to the conclusion that a variant of OmniRat is being used.”
- “The author of the post received an SMS stating an MMS from someone was sent to him (in the example, a German phone number is listed and the SMS was written in German). The SMS goes on to say “This MMS cannot be directly sent to you, due to the Android vulnerability StageFright. Access the MMS within 3 days [Bitly link] with your telephone number and enter the PIN code [code]“. Once the link is opened, a site loads where you are asked to enter the code from the SMS along with your phone number. Once you enter your number and code, an APK, mms-einst8923, is downloaded onto the Android device. The mms-einst8923.apk, once installed, loads a message onto the phone saying that the MMS settings have been successfully modified and loads an icon, labeled “MMS Retrieve” onto the phone.”
- “The OmniRat APK requires users to accept and give OmniRat access to many permissions, including edit text messages, read call logs and contacts, modify or delete the contents of the SD card. All of these permissions may seem evasive and you may be thinking, “Why would anyone give an app so much access?”, but many of the trusted and most downloaded apps on the Google Play Store request many of the same permissions. The key difference is the source of the apps. I always recommend that users read app permissions carefully. However, when an app you are downloading directly from the Google Play Store requests permissions, it is rather unlikely the app is malicious.”
- “The victim then has no idea their device is being controlled by someone else and that every move they make on the device is being recorded and sent back to a foreign server. Furthermore, once cybercriminals have control over a device’s contact list, they can easily spread the malware to more people. Inside this variant of OmniRat, there is a function to send multiple SMS messages. What makes this especially dangerous is that the SMS spread via OmniRat from the infected device will appear to be from a known and trusted contact of the recipients, making them more likely to follow the link and infect their own device.”
- Additional Coverage: Softpedia
- “The Softpedia article about OmniRAT includes a video, but declined to post the tool’s homepage. You can easily find it via a Google search.”
Joomla, one of the most popular web platforms after WordPress, has a critical flaw affecting millions of sites
- “Joomla is a very popular open-source Content Management System (CMS) used by no less than 2,800,000 websites (as of September 2015).”
- An SQL injection attack was discovered that affects versions 3.2 through 3.4.4
- “Unrestricted administrative access to a website’s database can cause disastrous effects, ranging from complete theft, loss or corruption of all the data, through obtaining complete remote control of the web server and abusing or repurposing it (for instance, as a host for malicious or criminal content), and ending in infiltration into the internal network of the organization, also-known-as lateral movement.”
- “3 CVEs have been assigned to the vulnerability – CVE-2015-7297, CVE-2015-7857 and CVE-2015-7858. It has been tested and found working on a number of large websites, representing different business verticals”
- “We encourage site administrators to update their Joomla installations immediately, deploy a 3rd-party protection product, or at the very least take their site down until a proper solution is found. According to the Verizon 2015 Database Breach Investigation Report, “99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published” so not patching your system will almost guarantee it will be hacked.”
- Timeline:
- Oct 15, 2015 – Disclosure to the Joomla security team
- Oct 19, 2015 – Vulnerability is acknowledged by Joomla
- Oct 22, 2015 – Patch released by Joomla
- Oct 30, 2015 – Disclosure published by PerimeterX
- It turns out proper sanitization of the ‘select’ (columns) and ‘limit’ (pagination) parameters was not being done: one of the most obvious and ubiquitous SQL injection vectors.
- “Using this SQLI we could extract all users, reset password tokens, sessions, and other configuration data stored in the DB. This will ultimately allow an attacker to obtain admin credentials, and therefore control the system’s PHP code using the ‘edit theme’ interface, effectively compromising the entire server.”
- So I can replace the hash of the admin user with one I know the password for (or just create my own new admin user), as well as extract the hashed passwords of all other users.
- “This vulnerability is a classic example of how having a too-dynamic code can reflect very severely on security. I expect this disclosure will stir up a hornet’s nest regarding the system’s dynamic nature, and more vulnerabilities exploiting it will be discovered. When you are developing a complex system, keep in mind that although your design is convenient for other developers, it is convenient for vulnerability researchers, too.”
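The pattern PerimeterX describes (user-controlled column list and LIMIT pasted into a query) next to a hardened builder that whitelists columns and binds a clamped integer limit. This is an added illustration, not Joomla's or PerimeterX's code; the table and column names are assumed for the demo.

```python
import re
import sqlite3

# Assumed demo schema; the real Joomla tables and column names are not shown on the page.
ALLOWED_COLUMNS = {"id", "title", "created"}
MAX_LIMIT = 100


def build_query_unsafe(select: str, limit: str) -> str:
    """The 'too dynamic' pattern: request parameters pasted straight into SQL,
    so whatever column list or LIMIT text the client sends ends up in the query."""
    return f"SELECT {select} FROM content LIMIT {limit}"


def build_query_safe(select: str, limit: str) -> tuple:
    """Hardened builder: every requested column must be on a whitelist, and the
    limit must be a small integer that is clamped and bound as a parameter."""
    cols = [c.strip() for c in select.split(",")]
    for col in cols:
        if col not in ALLOWED_COLUMNS:
            raise ValueError(f"column not allowed: {col!r}")
    if not re.fullmatch(r"\d{1,3}", limit):
        raise ValueError(f"limit must be a small integer: {limit!r}")
    return f"SELECT {', '.join(cols)} FROM content LIMIT ?", (min(int(limit), MAX_LIMIT),)


def run_safe(select: str, limit: str) -> list:
    """Execute the hardened query against a constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (id INTEGER, title TEXT, created TEXT)")
    conn.executemany("INSERT INTO content VALUES (?, ?, ?)",
                     [(1, "a", "2015-10"), (2, "b", "2015-10"), (3, "c", "2015-11")])
    sql, params = build_query_safe(select, limit)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    print(build_query_unsafe("id, password", "5"))  # the bogus column goes straight through
    print(run_safe("id, title", "2"))
    try:
        build_query_safe("id, password", "5")
    except ValueError as exc:
        print("rejected:", exc)
```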
Camgirl OPSEC: How the world's newest porn stars protect their online privacy
- Not the type of thing you would normally expect us to cover on TechSNAP, but it turns out, if you want to maintain your privacy online, it helps to take advice from the experts
- Women already have more crap to deal with online, but camgirls often receive the worst of it
- “But with modern technology comes modern problems: swatting, doxxing, and the fact that on most sites, there’s a large chat window right by the camgirl’s face, into which anyone with a credit card can say anything.”
- If people can find out who you are, or where you live, they can do all sorts of nasty things.
- Most “performers” use an alias, so for them, the first step is to protect their true identity
- Related to this, they also wish to keep their location secret
- Some examples of ways your location can be exposed:
- Pandora, the music streaming service, uses location-based advertisements. In this case it asks for your ZIP code; enter a fake one
- Many other sites also use location-based advertisements; use a VPN to hide your real location
- “Speaking of VPNs, use one. If you use Skype, there’s Skype Resolvers out there that can show your IP by simply entering a username”
- “Amazon wishlists reveal your town, which is why people use PO boxes”
- “People can simply call Amazon/the shipper and find out the address their purchase was sent to if they pry enough. I don’t know what the company policy is for this, but it’s happened”
- “Camgirl #OpSec tip: I know craft beers are delicious, but they circumscribe your location to a very tight circle.”
- Make sure photos that you post online do not have GPS or location metadata included
- Even small talk such as the weather, given multiple samples over time, can give away your location
- “Also make sure you don’t go to your PO box alone, because someone may be waiting for you there, especially if you publicly reveal your PO box address and/or say specifically when you’ll be going to it”
- “Google Voice provides fake numbers, so you can use them for texting, or any apps/sites that require a number”
- “Do not accept gift cards as payments towards your service from random people”, they may be able to track how/where it was spent
- Use a separate browser for “work” and “personal” internet use, to ensure cookies and logins do not get contaminated
- Especially things like Facebook and Google that track you all over the internet
- Avoid creating “intersections”, where your two identities can be correlated. Make sure your username doesn’t give it away
- Consider changing your alias on a regular basis. Balance building a reputation against OPSEC
- Use strong passwords, and DO NOT reuse passwords for multiple sites, use 2FA whenever possible
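A check for the photo-metadata tip above: before a photo is posted, confirm that its Exif block carries no GPS IFD. This is an added example, not from the article; the minimal JPEG it builds is a constructed sample (no image data) so the check runs offline.

```python
import struct

GPS_INFO_TAG = 0x8825  # Exif IFD0 pointer to the GPS sub-IFD


def build_sample_jpeg(with_gps: bool) -> bytes:
    """Constructed minimal JPEG (no image data) whose APP1 Exif segment
    optionally carries a GPS IFD; used here only as offline sample input."""
    tiff = b"II*\x00" + struct.pack("<I", 8)          # little-endian TIFF header, IFD0 at 8
    if with_gps:
        gps_off = 8 + 2 + 12 + 4                        # GPS IFD directly after IFD0
        ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", GPS_INFO_TAG, 4, 1, gps_off)
        gps = struct.pack("<H", 1) + struct.pack("<HHI", 0x0000, 1, 4) + b"\x02\x03\x00\x00"
        tiff += ifd0 + struct.pack("<I", 0) + gps + struct.pack("<I", 0)
    else:
        ifd0 = struct.pack("<H", 1) + struct.pack("<HHIHH", 0x0112, 3, 1, 1, 0)  # Orientation only
        tiff += ifd0 + struct.pack("<I", 0)
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


def _ifd0_has_tag(tiff: bytes, wanted: int) -> bool:
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])     # TIFF byte order
    if order is None:
        return False
    ifd = struct.unpack(order + "I", tiff[4:8])[0]
    count = struct.unpack(order + "H", tiff[ifd:ifd + 2])[0]
    for i in range(count):
        entry = ifd + 2 + 12 * i
        if struct.unpack(order + "H", tiff[entry:entry + 2])[0] == wanted:
            return True
    return False


def jpeg_has_gps_metadata(data: bytes) -> bool:
    """Walk the JPEG marker segments and report whether the Exif block carries a GPS IFD."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG file")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):                      # EOI or start of scan: no more metadata
            break
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segment = data[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and segment.startswith(b"Exif\x00\x00"):
            return _ifd0_has_tag(segment[6:], GPS_INFO_TAG)
        pos += 2 + seg_len
    return False
```

Run it against a real photo with `jpeg_has_gps_metadata(open("photo.jpg", "rb").read())`; a True result means the file should be stripped before upload.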
Feedback:
Round Up:
- Almost 2000 Vodafone UK accounts compromised using email addresses and passwords from an unknown source. Stop reusing passwords.
- FBI re: ransomware “we often advise people just to pay the ransom”. FBI can’t be tasked with recovering your data
- All CoinVault and Bitcryptor ransomware victims can now recover their files for free
- A 25-GPU cluster can crack every 8-character NTLM password hash in 6 hours, at 350 billion guesses per second. It can make only 71,000 guesses/sec against bcrypt and 364,000 guesses/sec against SHA512crypt
- Car hacking for plebs
- PageFair compromised by phishing attack, CDN account reset and used to distribute malware
- Malware that deletes your Chrome browser and replaces it with a fake one
- Inside the Shifu malware
- Unknown group sells iOS 9.1/9.2 zero-day exploit to Zerodium for $1 million. No details, will be hard to tell who VUPEN sells it to
- Top German government official infected with highly sophisticated Regin malware that may have ties to the NSA
- History: In 1988, the first internet worm infected more than 10% of the internet
- x86 considered harmful
- New LTE-U standard may disrupt WiFi; proponents’ labs show different results than detractors’ labs
- Microsoft drops unlimited OneDrive storage after people use it for unlimited storage
- XORsearch, brute-force decryption against basic obfuscation like XOR, ROL, ROT, and SHIFT
- vBulletin zero-day in versions 5.1.4 to 5.1.9 used against vBulletin and Foxit. Appears to be SQL injection. May be used in watering hole attacks