The first remote administration trojan that targets Android, Linux, Mac and Windows. Joomla and vBulletin have major flaws & tips for protecting your online privacy from some very motivated public figures.

Plus some great questions, a rockin’ roundup & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

First remote administration trojan that targets Android, Linux, Mac, and Windows: OmniRat

• “On Friday, Avast discovered OmniRat, a program similar to DroidJack. DroidJack is a program that facilitates remote spying and recently made news when European law enforcement agencies made arrests and raided the homes of suspects as part of an international malware investigation.”
• “OmniRat and DroidJack are RATs (remote administration tools) that allow you to gain remote administrative control of any Android device. OmniRat can also give you remote control of any Windows, Linux or Mac device. Remote administrative control means that once the software is installed on the target device, you have full remote control of the device.”
• “On their website, OmniRat lists all of the things you can do once you have control of an Android, which include: retrieving detailed information about services and processes running on the device, viewing and deleting browsing history, making calls or sending SMS to any number, recording audio, executing commands on the device and more.”
• “Like DroidJack, OmniRat can be purchased online, but compared to DroidJack, it’s a bargain. Whereas DroidJack costs $210, OmniRat costs only $25 to $50 depending on which device you want to control.”
• “A custom version of OmniRat is currently being spread via social engineering. A user on a German tech forum, Techboard-online, describes how a RAT was spread to his Android device via SMS. After researching the incident, I have come to the conclusion that a variant of OmniRat is being used.”
• “The author of the post received an SMS stating an MMS from someone was sent to him (in the example, a German phone number is listed and the SMS was written in German). The SMS goes on to say “This MMS cannot be directly sent to you, due to the Android vulnerability StageFright. Access the MMS within 3 days [Bitly link] with your telephone number and enter the PIN code [code]“. Once the link is opened, a site loads where you are asked to enter the code from the SMS along with your phone number. Once you enter your number and code, an APK, mms-einst8923, is downloaded onto the Android device. The mms-einst8923.apk, once installed, loads a message onto the phone saying that the MMS settings have been successfully modified and loads an icon, labeled “MMS Retrieve” onto the phone.”
• “The OmniRat APK requires users to accept and give OmniRat access many permissions, including edit text messages, read call logs and contacts, modify or delete the contents of the SD card. All of these permissions may seem evasive and you may be thinking, “Why would anyone give an app so much access?”, but many of the trusted and most downloaded apps on the Google Play Store request many of the same permissions. The key difference is the source of the apps. I always recommend that users read app permissions carefully. However, when an app you are downloading directly from the Google Play Store requests permissions, it is rather unlikely the app is malicious.”
• “The victim then has no idea their device is being controlled by someone else and that every move they make on the device is being recorded and sent back to a foreign server. Furthermore, once cybercriminals have control over a device’s contact list, they can easily spread the malware to more people. Inside this variant of OmniRat, there is a function to send multiple SMS messages. What makes this especially dangerous is that the SMS spread via OmniRat from the infected device will appear to be from a known and trusted contact of the recipients, making them more likely to follow the link and infect their own device.”
• Additional Coverage: Softpedia
• “The Softpedia article about OmniRAT includes a video, but declined to post the tool’s homepage. You can easily find it via a Google search.”

Joomla, one of the most popular web platforms after wordpress, has critical flaw affecting millions of sites

• “Joomla is a very popular open-source Content Management System (CMS) used by no less than 2,800,000 websites (as of September 2015).”
• An SQL injection attack was discovered that affects versions 3.2 through 3.4.4
• “Unrestricted administrative access to a website’s database can cause disastrous effects, ranging from complete theft, loss or corruption of all the data, through obtaining complete remote control of the web server and abusing or repurposing it (for instance, as a host for malicious or criminal content), and ending in infiltration into the internal network of the organization, also-known-as lateral movement.”
• “3 CVEs has been assigned to the vulnerability – CVE-2015-7297, CVE-2015-7857 and CVE-2015-7858. It has been tested and found working on a number of large websites, representing different business verticals”
• “We encourage site administrators to update their Joomla installations immediately, deploy a 3rd-party protection product, or at the very least take their site down until a proper solution is found. According to the Verizon 2015 Database Breach Investigation Report, “99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published” so not patching your system will almost guarantee it will be hacked.”
• Timeline:
• Oct 15, 2015 – Disclosure to the Joomla security team
• Oct 19, 2015 – Vulnerability is acknowledged by Joomla
• Oct 22, 2015 – Patch released by Joomla
• Oct 30, 2015 – Disclosure published by PerimeterX
• It turns out, proper sanitization of the ‘select’ (columns) and ‘limit’ (pagination) parameter was not being done. One of the most obvious and ubiquitous SQL injection vectors.
• “Using this SQLI we could extract all users, reset password tokens, sessions, and other configuration data stored in the DB. This will ultimately allow an attacker to obtain admin credentials, and therefore control the system’s PHP code using the ‘edit theme’ interface, effectively compromising the entire server.”
• So I can replace the hash of the admin user with one I know the password for (or just create my own new admin user), as well as extract the hashed passwords of all other users.
• “This vulnerability is a classic example of how having a too-dynamic code can reflect very severely on security. I expect this disclosure will stir up a hornet’s nest regarding the system’s dynamic nature, and more vulnerabilities exploiting it will be discovered. When you are developing a complex system, keep in mind that although your design is convenient for other developers, it is convenient for vulnerability researchers, too.”

Camgirl OPSEC: How the worlds newest porn stars protection their online privacy

• Not the type of thing you would normally expect us to cover on TechSNAP, but it turns out, if you want to maintain your privacy online, it helps to take advice from the experts
• Women already have more crap to deal with online, but camgirls often receive the worst of it
• “But with modern technology comes modern problems: swatting, doxxing, and the fact that on most sites, there’s a large chat window right by the camgirl’s face, into which anyone with a credit card can say anything.”
• If people can find out who you are, or where you live, they can do all sorts of nasty things.
• Most “performers” use an alias, so for them, the first step is to protect their true identity
• Related to this, they also wish to keep their location secret
• Some examples of ways your location can be exposed:
  • Pandora, the music streaming service, uses location based advertisements. In this case, they ask for your ZIP code, enter a fake one
  • Many other sites also use location based advertisements, use a VPN to hide your real location
  • “Speaking of VPNs, use one. If you use Skype, there’s Skype Resolvers out there that can show your IP by simply entering a username”
  • “Amazon wishlists reveal your town, which is why people use PO boxes”
• “People can simply call Amazon/the shipper and find out the address their purchase was sent to if they pry enough. I don’t know what the company policy is for this, but it’s happened”
• “Camgirl #OpSec tip: I know craft beers are delicious, but they circumscribe your location to a very tight circle.”
• Make sure photos that you post online do not have GPS or location metadata included
• Even things as “smalltalk” as the weather, with multiple samples, can give away your location
• “Also make sure you don’t go to your PO box alone, because someone may be waiting for you there, especially if you publicly reveal your PO box address and/or say specifically when you’ll be going to it”
• “Google Voice provides fake numbers, so you can use them for texting, or any apps/sites that require a number”
• “Do not accept gift cards as payments towards your service from random people”, they may be able to track how/where it was spent
• Use a separate browser for “work” and “personal” internet use, to ensure cookies and logins do not get contaminated
• Especially things like Facebook and Google that track you all over the internet
• Avoid creating ‘intersections”, where your two identities can be correlated. Make sure your username doesn’t give it away
• Consider changing your alias on a regular basis. Balance building a reputation against OPSEC
• Use strong passwords, and DO NOT reuse passwords for multiple sites, use 2FA whenever possible

Feedback:

• Authenticated and encrypted DNS

• email spoofing

• Do end users need a public IP

• ZFS question

Round Up:

• Almost 2000 Vodafone UK accounts compromised using email addresses and passwords from an unknown source. Stop reusing passwords.
• FBI re: ransomware “we often advise people just to pay the ransom”. FBI can’t be tasked with recovering your data
• All CoinVault and Bitcryptor ransomware victims can now recover their files for free
• 25 GPU cluster can crack every 8 character NTLM password hash in 6 hours, at 350 billion-guess-per-second. Can make only 71,000 guesses/sec against Bcrypt and 364,000 guesses/sec against SHA512crypt
• Car hacking for plebs
• PageFair compromised by phishing attack, CDN account reset and used to distribute malware
• Malware that deletes your Chrome browser and replaces it with a fake one
• Inside the Shifu malware
• Unknown group sells iOS 9.1/9.2 zero-day exploit to Zerodium for $1 million. No details, will be hard to tell who VUPEN sells it to
• Top Germany government official infected with highly spohpistcated regin malware that may have ties to the NSA
• History: In 1988, the first internet worm infected more than 10% of the internet
• x86 considered harmful
• New LTE-U standard may distrupt WiFi, proponents’ labs show different results than detractors’ labs
• Microsoft drops unlimited OneDrive storage after people use it for unlimited storage
• XORsearch, brute force decryption against basical obfuscation like XOR, ROL, ROT, and SHIFT
• vBulletin zero-day in versions 5.1.4 to 5.1.9 used against vBulletin and Foxit. Appears to be SQL injection. May be used in watering hole attacks

The post Zero-Days Of Our Lives | TechSNAP 240 first appeared on Jupiter Broadcasting.

Erica Melzer is a support agent at Campaign Monitor, a service for excellent marketing mailings. She is also a site admin for Lady Loves Code.

Thanks to:

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed

Become a supporter on Patreon:

Show Notes:

• Codecademy
• Campaign Monitor
• Joomla
• Learn Code The Hard Way

Full transcription of previous episodes can be found at heywtr.tumblr.com

The post Social Marketing | WTR 17 first appeared on Jupiter Broadcasting.

Been putting off that patch? This week we’ll cover how an out of date Joomla install led to a massive breach, Microsoft and Google spar over patch disclosures & picking the right security question…

Plus a great batch of your feedback, a rocking round up & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Data thieves target parking lots

• “Late last year, KrebsOnSecurity wrote that two huge swaths of credit card numbers put up for sale in the cybercrime underground had likely been stolen from Park ‘N Fly and from OneStopParking.com, competing airport parking services that lets customers reserve spots in advance of travel via Internet reservation systems. This week, both companies confirmed that they had indeed suffered a breach.”
• “When contacted by Krebs on Dec. 15, Atlanta-based Park ‘N Fly said while it had recently engaged multiple security firms to investigate breach claims, it had not found any proof of an intrusion. In a statement released Tuesday, however, the company acknowledged that its site was hacked and leaking credit card data, but stopped short of saying how long the breach persisted or how many customers may have been affected”
• “OneStopParking.com reached via phone this morning, the site’s manager Amer Ghanem said the company recently determined that hackers had broken in to its systems via a vulnerability in Joomla for which patches were made available in Sept. 2014. Unfortunately for OneStopParking.com and its customers, the company put off applying that Joomla update because it broke portions of the site.”
• “Unlike card data stolen from main street retailers — which can be encoded onto new plastic and used to buy stolen goods in physical retail stores — cards stolen from online transactions can only be used by thieves for fraudulent online purchases. However, most online carding shops that sell stolen card data in underground stores market both types of cards, known in thief-speak as “dumps” and “CVVs,” respectively.”
• “Interestingly, the disclosure timeline for both of these companies would have been consistent with a new data breach notification law that President Obama called for earlier this week. That proposal would require companies to notify consumers about a breach within 30 days of discovering their information has been hacked.”
• Krebs also appears to be having fun with the LizzardSquad

Microsoft pushes emergency fixes, blames Google

• Microsoft and Adobe both released critical patches this week
• “Leading the batch of Microsoft patches for 2015 is a drama-laden update to fix a vulnerability in Windows 8.1 that Google researchers disclosed just two days ago. Google has a relatively new policy of publicly disclosing flaws 90 days after they are reported to the responsible software vendor — whether or not that vendor has fixed the bug yet. That 90-day period elapsed over the weekend, causing Google to spill the beans and potentially help attackers develop an exploit in advance of Patch Tuesday.”
• Yahoo recently announced a similar new policy, to disclose all bugs after 90 days
• This is the result of too many vendors take far too long to resolve bugs after they are notified
• Researchers have found that need to straddle the line between responsible disclosure, and full disclosure, as it is irresponsible to not notify the public when it doesn’t appear as if the vendor is taking the vulnerability seriously.
• Microsoft also patched a critical telnet vulnerability
• “For its part, Microsoft issued a strongly-worded blog post chiding Google for what it called a “gotcha” policy that leaves Microsoft users in the lurch”
• There is also a new Adobe flash to address multiple issues
• Krebs notes: “Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).” because of the way Microsoft bundles flash
• Infact, if you use Chrome and Firefox on windows, you’ll need to make sure all 3 have properly updated.

What makes a good security question?

• Safe: cannot be guessed or researched
• Stable: does not change over time
• Memorable: you can remember it
• Simple: is precise, simple, consistent
• Many: has many possible answers
• It is important that the answer not be something that could easily be learned by friending you on facebook or twitter
• Some examples:
• What is the name of the first beach you visited?
• What is the last name of the teacher who gave you your first failing grade?
• What is the first name of the person you first kissed?
• What was the name of your first stuffed animal or doll or action figure?
• Too many of the more popular questions are too easy to research now
• Some examples of ones that might not be so good:
  • In what town was your first job? (Resume, LinkedIn, Facebook)
  • What school did you attend for sixth grade?
  • What is your oldest sibling’s birthday month and year? (e.g., January 1900) (Now it isn’t your facebook, but theirs that might be the leak, you can’t control what information other people expose)
• Sample question scoring

Feedback:

• FreeNAS Replication

• Ep 196 – Staples Hack

• Best at home router solution

• OpenWrt

• MyOpenRouter

• FQDN on LAN? Peace of mind on WAN?

• hardware upgrade

Round Up:

• Apache Spark: 100 terabytes (TB) of data sorted in 23 minutes
• Quick wins for cyber security
• The New CISPA Bill Is Literally Exactly the Same as the Last One
• Sony: Losses from hack will be covered by insurance
• Forget Wearable Tech. People Really Want Better Batteries.
• New data breach notification law not good enough
• Panasonic Arbitrator Back-End Server (BES) uses unencrypted communication
• US CENTCOM gets its twitter account hacked — Why no 2FA?
• Verizon Cloud system schedules 48 hour downtime
• Canadian Federal Police refuse to pay fees to telco for tracking suspects
• The path from beginner to expert
• Mac “bootkit” permanently backdoors macs

The post Patch and Notify | TechSNAP 197 first appeared on Jupiter Broadcasting.

The RSA leak exposes the dirty under-belly of the commercial security industry, it’s a story that sounds like it’s straight out of Hollywood.

Then – We’ve packed this episode full of Audience questions, and our answers. Find out how to plan for failure, start building a website….

All that and more, on this week’s TechSNAP!

Direct Download Links:

HD Video | Large Video | Mobile Video | WebM Video | MP3 Audio | OGG Audio | YouTube

Subscribe via RSS and iTunes:
Subscribe... --RSS-- TechSNAP HD TechSNAP Large TechSNAP Mobile TechSNAP MP3 TechSNAP OGG --iTunes-- TechSNAP iTunes HD TechSNAP iTunes Mobile TechSNAP iTunes Large TechSNAP iTunes MP3

[ad#shownotes]

Show Notes: