Ransomware – Jupiter Broadcasting

Google will no longer scan emails in Gmail accounts in order sell targeted advertising, the company said Friday.
Google’s blog post
more than 3 million paying companies that use G Suite
Bloomberg post on same topic

Does US have right to data on overseas servers? We’re about to find out

Feedback

AES-256 encryption keys cracked by hands-off hack from Shawn via Twitter
workflow and backup strategy advice
Regarding DNS, I think Dan mentioned that he didn’t have any of the books he used to learn about it. Any suggestions about some good reading material on that topic? Thanks for the awesome show. – DNS and BIND is the name of the book

Round Up:

The post Google Reads Your Email | TechSNAP 325 first appeared on Jupiter Broadcasting.

Kill Switch Engage | TechSNAP 320

chris — Tue, 23 May 2017 18:16:19 +0000

RSS Feeds:

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Cisco’s Talos Intelligence Group Blog: Player 3 Has Entered the Game: Say Hello to ‘WannaCry’

FCC Filings Overwhelmingly Support Net Neutrality Once Anti-Net Neutrality Spam is Removed

Net Neutrality II: Last Week Tonight with John Oliver (HBO)
Because of a procedural quirk, the FCC will not be considering any comments on the issue of net neutrality that are submitted over the next week or so.
https://youtu.be/qI5y-_sqJT0 — follow up video

Feedback

Round Up:

The post Kill Switch Engage | TechSNAP 320 first appeared on Jupiter Broadcasting.

When IT Security Cries | TechSNAP 319

chris — Tue, 16 May 2017 21:37:30 +0000

RSS Feeds:

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Three C’s to Tweet By | TechSNAP 304

chris — Wed, 01 Feb 2017 01:23:17 +0000

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

Dropbox Kept Files Around For Years Due To ‘Delete’ Bug

Dropbox has fixed a bug that caused old, deleted data to reappear on the site. The bug was reported by multiple support threads in the last three weeks and merged into one issue here. An anonymous Slashdot reader writes
In some of the complaints users reported seeing folders they deleted in 2009 reappear on their devices overnight. After seeing mysterious folders appear in their profile, some users thought they were hacked. Last week, a Dropbox employee provided an explanation to what happened, blaming the issue on an old bug that affected the metadata of soon-to-be-deleted folders. Instead of deleting the files, as users wanted and regardless of metadata issues, Dropbox choose to keep those files around for years, and eventually restored them due to a blunder. In its File retention Policy, Dropbox says it will keep files around a maximum 60 days after users deleted them
If you have sensitive data, do not rely on delete, rely on encryption.
If you have sensitive data, you shouldn’t have it on third-party systems without encryption.
The encryption and decryption should occur on your system, not theirs.
Imagine you deleted those risky files just before an international trip, you get requested to power up your laptop, and bang, there’s those deleted files back….!

Twitter Activist Security – Guidelines for safer resistance

We’ve covered privacy on the Internet before. We’ve stated very clearly that using privacy tools such as Tor is not illegal nor is it suspicious, no more so than someone paying cash at the grocery store.
This guideline is specfically for Twitter, but many of the suggestions can be apply to other social media as well, but I am not sure how well they will travel. Chose carefully
Many people are starting to get politically active in ways they fear might have negative repercussions for their job, career or life. It is important to realise that these fears are real, but that public overt resistance is critical for political legitimacy. This guide hopes to help reduce the personal risks to individuals while empowering their ability to act safely.
I am not an activist, and I almost certainly don’t live in your country. These guidelines are generic with the hope that they will be useful for a larger number of people.
Security Principles To Live By The basic principles of operational security are actually very simple, they’re what we call the three Cs: Cover, Concealment, Compartmentation

Move over skimmers, ‘shimmers’ are the newest tool for stealing credit card info

Consumers and retailers be on guard: there’s a new and more devious way for fraudsters to steal your credit and debit card information.
“Shimmers” are the newest form of credit card skimmers, only smaller, more powerful and practically impossible to detect. And they’re popping up all over the place, says RCMP Cpl. Michael McLaughlin, who sounded the alarm after four shimmers were extracted from checkout card readers at a Coquitlam, B.C., retailer.
“Something this sophisticated, this organized and multi-jurisdictional has all the classic hallmarks of organized crime,” said McLaughlin.
Unlike skimmers, a shimmer — named for its slim profile — fits inside a card reader and can be installed quickly and unobtrusively by a criminal who slides it into the machine while pretending to make a purchase or withdrawal.
Once installed, the microchips on the shimmer record information from chip cards, including the PIN. That information is later extracted when the criminal inserts a special card — also during a purchase or cash withdrawal — which downloads the data. The information is then used to make fake cards.
Shimmers have rendered the bigger and bulkier skimmers virtually obsolete, according to Const. Alex Bojic of the Coquitlam RCMP economic crime unit.
“You can’t see a shimmer from the outside like the old skimmer version,” Bojic said in a statement. “Businesses and consumers should immediately report anything abnormal about the way their card is acting … especially if the card is sticking inside the machine.”
McLaughlin said the Coquitlam retailer detected the shimmers through its newly introduced daily testing of point-of-sales terminals. A test card inserted into the machines kept on getting stuck and the shimmers were found when the terminals were opened.
“We want to get the word out,” said McLaughlin. “Businesses really need to be checking for these kinds of devices and consumers need to be aware of them.”
Bojic said using the tap function of a chip card is one way to avoid being “shimmed.”
“It’s actually very secure. Each tap transfers very limited banking information, which can’t be used to clone your card,” Bojic said.
Krebs wrote about this and has a post which is all about skimmer and shimmer
Not new tech, been around since at least 2015

Feedback:

Round Up:

The post Three C's to Tweet By | TechSNAP 304 first appeared on Jupiter Broadcasting.

Ending Ransomware | TechSNAP 275

chris — Thu, 14 Jul 2016 17:35:38 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

A potential solution to Ransomware, the 15 year bug that cost CitiGroup $7 Million dollars, Dropbox’s new middle out compression & another flaw that affects all versions of Windows.

Plus your questions, our answers, a packed roundup & more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

CitiGroup hit with $7 million fine over software bug dating back to 1999

CitiGroup, a large US Financial institution, is being fined for failing to properly report to the US Securities and Exchange Commission (SEC)
According to the SEC, the error [PDF] resulted in the financial regulator being sent incomplete “blue sheet” information for a remarkable 15 years – from May 1999 to April 2014.
The bank was required to send details of all stock transactions, and due to a bug, a number of branches were never included in those reports
The details are quite amusing
“The mistake was discovered by Citigroup itself when it was asked to send a large but precise chunk of trading data to the SEC in April 2014 and asked its technical support team to help identify which internal ID numbers they should run a request on.”
“That team quickly noticed that some branches’ trades were not being included in the automated system and alerted those above them. Four days later a patch was in place, but it wasn’t until eight months later that the company received a formal report noting that the error had affected SEC reports going back more than a decade. The next month, January 2015, Citigroup fessed up to the SEC.”
“It turned out that the error was a result of how the company introduced new alphanumeric branch codes. When the system was introduced in the mid-1990s, the program code filtered out any transactions that were given three-digit branch codes from 089 to 100 and used those prefixes for testing purposes.”
So any transaction with a branch code in that range, was considered test data, and not reported to the government
“But in 1998, the company started using alphanumeric branch codes as it expanded its business. Among them were the codes 10B, 10C and so on, which the system treated as being within the excluded range, and so their transactions were removed from any reports sent to the SEC.”
“The SEC routinely sends requests to financial institutions asking them to send all details on transactions between specific dates as a way of checking that nothing untoward is going on. The coding error had resulted in Citigroup failing to send information on 26,810 transactions in over 2,300 such requests.”
“The SEC was not impressed and said in a statement announcing the fine that the “failure to discover the coding error and to produce the missing data for many years potentially impacted numerous Commission investigations.””
“Broker-dealers have a core responsibility to promptly provide the SEC with accurate and complete trading data for us to analyze during enforcement investigations,” said Robert Cohen, co-chief of the SEC enforcement division’s market abuse unit. “Citigroup did not live up to that responsibility for an inexcusably long period of time, and it must pay the largest penalty to date for blue sheet violations.”
7 Million seems like a relatively small fine for such a large screw up, but it does not appear to have been malicious.

New system to detect ransomware by looking at filesystem patterns

“Our system is more of an early-warning system. It doesn’t prevent the ransomware from starting … it prevents the ransomware from completing its task … so you lose only a couple of pictures or a couple of documents rather than everything that’s on your hard drive, and it relieves you of the burden of having to pay the ransom,” said Nolen Scaife, a UF doctoral student and founding member of UF’s Florida Institute for Cybersecurity Research.
“Attacks most often show up in the form of an email that appears to be from someone familiar. The recipient clicks on a link in the email and unknowingly unleashes malware that encrypts his or her data. The next thing to appear is a message demanding the ransom, typically anywhere from a few hundred to a few thousand dollars.”
“It’s an incredibly easy way to monetize a bad use of software,” said Patrick Traynor, an associate professor in UF’s department of computer and information science and engineering at UF and also a member of the Florida Institute for Cybersecurity Research. He and Scaife worked together on developing CryptoDrop.
“We ran our detector against several hundred ransomware samples that were live,” Scaife said, “and in those case it detected 100 percent of those malware samples and it did so after only a median of 10 files were encrypted.”
“About one-tenth of 1 percent of the files were lost,” Traynor said, “but the advantage is that it’s flexible. We don’t have to wait for that anti-virus update. If you have a new version of your ransomware, our system can detect that.”
Video – Extortion extinction: Ransomware
It seems like it would be fairly trivial to detect the pattern that ransomware uses. I imagine most ransomware creates a new file, named original.ext.locked and then encrypts the contents of the original file, then removes the original
It is possible newer ransomware could use new patterns, like renaming files and overwriting in place, or encrypting files in random order instead of walking the directory tree to make it harder to detect
Additional Coveragge: Phys.org

Dropbox open sources Lepton image compression algorithm, save 22% by losslessly compressing JPEGs

“Lepton achieves a 22% savings reduction for existing JPEG images, by predicting coefficients in JPEG blocks and feeding those predictions as context into an arithmetic coder. Lepton preserves the original file bit-for-bit perfectly. It compresses JPEG files at a rate of 5 megabytes per second and decodes them back to the original bits at 15 megabytes per second, securely, deterministically, and in under 24 megabytes of memory.”
Speed seems very slow, compression is 5 MB/s, and decompression is 15 MB/s
It is not clear if the encoding can be multithreaded across many cores to increase speed, like xz can do. Even without that, in most cases you would be dealing with many image files at once, but even compressing many files at once, that is quite slow
“We have used Lepton to encode 16 billion images saved to Dropbox, and are rapidly recoding our older images. Lepton has already saved Dropbox multiple petabytes of space.”
The article has a very good description of how JPEG encoding works
“The DC coefficient (brightness in each 8×8 block) takes up a lot of room (over 8%) in a typical iPhone photograph so it’s important to compress it well. Most image formats put the DC coefficients before any AC coefficients in the file format. Lepton gets a compression advantage by coding the DC as the last value in each block. Since the DCs are serialized last, there is a wealth of information from the AC coefficients available to predict the DC coefficient. By defining a good and reproducible prediction, we can subtract the actual DC coefficient from the predicted DC coefficient, and only encode the delta. Then in the future we can use the prediction along with the saved delta to get the original DC coefficient. In almost all cases, this technique results in a significantly reduced number of symbols to feed into our arithmetic coder.”
“Lepton can decompress significantly faster than line-speed for typical consumer and business connections. Lepton is a fully streamable format, meaning the decompression can be applied to any file as that file is being transferred over the network. Hence, streaming overlaps the computational work of the decompression with the file transfer itself, hiding latency from the user.”
Because it can be streamed, this means that mobile devices could work via a proxy, that compresses all JPEG content before transmitting it to the mobile device, then an application on the mobile device could decompression it and display the resulting JPEG

Flaw in Windows Printing subsystem affects all versions of Windows

“A remote code execution vulnerability exists when the Windows Print Spooler service does not properly validate print drivers while installing a printer from servers. An attacker who successfully exploited this vulnerability could use it to execute arbitrary code and take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
“Most organizations try to apply the principle of least privilege to the devices in their networks. This works pretty well for things like laptops or desktops since the hardware they use doesn’t change that often. However printers are a bit different. While they still need drivers, printers need to support virtually any user that wants to connect to them. As end-users move through a building, they naturally want to use the printer closest to them. Mobile users expect to be able to easily connect and use a printer when they come into the office. In addition, most organizations don’t standardize on a single printer, and will have multiple models and manufacturers often within a single network.”
“So instead of having system administrators push all possible printer drivers to all workstations in the network, the solution was to develop a way to deliver the driver to a user device right before the printer is used. And this is where Point-and-Print showed up. This approach stores a shared driver on the printer or print server, and only the users of that printer receive the driver that they need. At first glance, this is a practical and simple solution to driver deployment. The user gets access to the printer driver they need without requiring an administrator – a nice win-win.”
“By default, in corporate networks, network admins allow printers to deliver the necessary drivers to workstations connected to the network. These drivers are silently installed without any user interaction and run under the SYSTEM user, with all the available privileges.”
The researchers managed to dissect a firmware update for an existing printer, and modify it to infect Windows clients that load its driver with malware
The malware allowed them access to the target Windows client, as the SYSTEM user
They detail a number of other ways this vulnerability could be exploited:
Watering hole attacks:
Backdooring an existing printer or printer server.
Microsoft print server: driver path: c:\windows\system32\spool\drivers*\3...
Linux/BSD cups server: check for share driver print$ in the configuration.
Multiple vendors support Point-and-Print on the printer itself
Re-flash printer with backdoored drivers.
Create a fake print server and broadcast with auto discovery.
Privilege escalation:
Use the add printer as a privileged escalation mechanism to get system access.
Mitm attack to the printer and inject the backdoored driver instead of the real one.
Going more global with IPP and Webpnp. Send users email with a link, when clicked, it attempts to connect to the (fake?) printer in question, and results in the driver being installed on the target computer
There is more detail in the blog post about infecting a computer remotely
Researcher blog post
Microsoft released a fix for this vulnerability as part of the July patch Tuesday
Official Microsoft Bulletin
Additional Coverage: softpedia

Feedback:

How secure is the passphrase?
FreeNAS On the Go
https://www.zfsbook.com — FreeBSD Mastery: Advanced ZFS

Round Up:

The post Ending Ransomware | TechSNAP 275 first appeared on Jupiter Broadcasting.

Can You Hack Me Now? | TechSNAP 259

chris — Thu, 24 Mar 2016 17:50:27 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

Verizon Enterprise gets breached & the irony is strong with this one, details on the NPM fiasco & why the SAMSAM is holding up the doctor.

Plus some great questions, a packed round up & much, much more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

The NPM Fiasco

NPM is a package manager, for node.js
The Node.js ecosystem is “special”
It provides packages that are mostly code snippets, usually individual functions
Many packages, depend on a number of other packages to work correctly
For example, the package ‘isArray’, which is a one-line function to tell if an object is an array, is depended upon by 72 other packages
There was a package called ‘kik’, created by Azer Koçulu
Kik.com, a mobile messaging app, wanted to create their own new package, called kik, for some new open source project
Unpleasant discussions occurred
Eventually kik.com had the NPM managers transfer ownership of the kik package name to the kik.com account
Azer was offended by this, and deleted all of his packages from NPM (around 250 different packages)
This fallout had unintended consequences
One of the modules, left-pad, was a simple 11 line function to left-pad a string or number with spaces or zeros.
Left-pad had been downloaded 2,486,696 times in the last month
It was a dependency for a huge number projects, including: Node.js it self, Babel,
NPM then restored the module to unbreak the other applications
module’s author’s Medium.com post
kik.com’s Medium.com post
Official NPM blog post
Blog Post: Have we forgotten how to program?
Left-pad as a service
“The fact that this is possible with NPM seems really dangerous. The author unpublished (erm, “liberated”) over 250 NPM modules, making those global names (e.g. “map”, “alert”, “iframe”, “subscription”, etc) available for anyone to register and replace with any code they wish. Since these libs are now baked into various package.json configuration files (some with 10s of thousands of installs per month, “left-pad” with 2.5M/month), meaning a malicious actor could publish a new patch version bump (for every major and minor version combination) of these libs and ship whatever they want to future npm builds.”

Verizon Enterprise Customer Data Breached

“Verizon Enterprise Solutions, a B2B unit of the telecommunications giant that gets called in to help Fortune 500’s respond to some of the world’s largest data breaches, is reeling from its own data breach involving the theft and resale of customer data, KrebsOnSecurity has learned”
“Earlier this week, a prominent member of a closely guarded underground cybercrime forum posted a new thread advertising the sale of a database containing the contact information on some 1.5 million customers of Verizon Enterprise”
“The seller priced the entire package at $100,000, but also offered to sell it off in chunks of 100,000 records for $10,000 apiece. Buyers also were offered the option to purchase information about security vulnerabilities in Verizon’s Web site”
“Verizon recently discovered and remediated a security vulnerability on our enterprise client portal,” the company said in an emailed statement. “Our investigation to date found an attacker obtained basic contact information on a number of our enterprise customers. No customer proprietary network information (CPNI) or other data was accessed or accessible.”
So it seems to just be contact details from a database on the website, not more intimate details like login credentials for their networks, or other details that Verizon would posses as they administers and investigated the networks of the customers
It appears the data is in MongoDB format, which suggests that might be the format it was stored in on the Verizon side
“The irony in this breach is that Verizon Enterprise is typically the one telling the rest of the world how these sorts of breaches take place. I frequently recommend Verizon’s annual Data Breach Investigations Report (DBIR) because each year’s is chock full of interesting case studies from actual breaches, case studies that include hard lessons which mostly age very well (i.e., even a DBIR report from four years ago has a great deal of relevance to today’s security challenges).”
“According to the 2015 report, for example, Verizon Enterprise found that organized crime groups were the most frequently seen threat actor for Web application attacks of the sort likely exploited in this instance. “Virtually every attack in this data set (98 percent) was opportunistic in nature, all aimed at easy marks,” the company explained.”
While this attack may have been more targeted in nature. Although it is possible it was just opportunistic, because Verizon failed to secure its database
Customers of Verizon who’s data was breached are likely targets for various types of spear phishing, including emails pretending to be from Verizon, who provides network security and post-breach investigation services to these customers

Cisco Talos reveals SAMSAM ransom ware

Cisco Talos is currently observing a widespread campaign leveraging the Samas/Samsam/MSIL.B/C ransomware variant. Unlike most ransomware, SamSam is not launched via user focused attack vectors, such as phishing campaigns and exploit kits.
This particular family seems to be distributed via compromising servers and using them as a foothold to move laterally through the network to compromise additional machines which are then held for ransom.
A particular focus appears to have been placed on the healthcare industry.
Adversaries have been seen leveraging JexBoss, an open source tool for testing and exploiting JBoss application servers, to gain a foothold in the network. Once they have access to the network they proceed to encrypt multiple Windows systems using SamSam.
Upon compromising the system the sample will launch a samsam.exe process which begins the process of encrypting files on the system.
SamSam encrypts various file types (see Appendix A) with Rijndael and then encrypts that key with RSA-2048 bit encryption. This makes the files unrecoverable unless the author made a mistake in the implementation of the encryption algorithms.
One interesting note regarding the samples Talos has observed is that the malware will abort the encryption routine if the system is running a version of Microsoft Windows prior to Vista. This is likely done for compatibility reasons.
There were a couple of open source tools that were seen being leveraged by the adversaries. The first is JexBoss, which is a testing and exploitation framework for JBoss application servers.
This was being used as an initial infection vector to gain a foothold in the network to spread the ransomware.
The second is a component of REGeorg, tunnel.jsp. REGeorg is an open source framework to create socks proxies for communication.
As we have monitored this activity, we have started to see changes in the amount and types of payment options available to victims. Initially, we saw a payment option of 1 bitcoin for each PC that has been infected.
Later we saw the price for a single system has been raised to 1.5 bitcoin. It is likely the malware author is trying to see how much people will pay for their files.
They even added an option for bulk decryption of 22 bitcoin to decrypt all infected systems.

Feedback:

HEADS UP Stand ready to patch all of your Windows, Linux, BSD, OS X, iOS, Android, and other servers. And all of your routers, print servers, set-top boxes, smart TVs, IoT devices. And basically anything with a CPU. The “BADLOCK” bug will be releaved on April 12th, 2016 , a critical vulnerability in the SMB protocol, so affects Windows and all other implementations of the protocol (samba, whatever apple uses, whatever android uses, etc)

Round up:

The post Can You Hack Me Now? | TechSNAP 259 first appeared on Jupiter Broadcasting.

Garbled Transmission | TTT 235

chris — Tue, 08 Mar 2016 12:00:16 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

Bittorrent client Transmission gets hit with Ransomware, Facebook pays out $15k to a hacker & Microsoft is bringing SQL to Linux. It’s a HUGE edition of Tech Talk Today!

Direct Download:

RSS Feeds:

Become a supporter on Patreon

Show Notes:

Episode Links

Kickstarter of the Week

The post Garbled Transmission | TTT 235 first appeared on Jupiter Broadcasting.

Zero-Days Of Our Lives | TechSNAP 240

chris — Thu, 12 Nov 2015 10:22:06 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

The first remote administration trojan that targets Android, Linux, Mac and Windows. Joomla and vBulletin have major flaws & tips for protecting your online privacy from some very motivated public figures.

Plus some great questions, a rockin’ roundup & much, much more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

— Show Notes: —

First remote administration trojan that targets Android, Linux, Mac, and Windows: OmniRat

“On Friday, Avast discovered OmniRat, a program similar to DroidJack. DroidJack is a program that facilitates remote spying and recently made news when European law enforcement agencies made arrests and raided the homes of suspects as part of an international malware investigation.”
“OmniRat and DroidJack are RATs (remote administration tools) that allow you to gain remote administrative control of any Android device. OmniRat can also give you remote control of any Windows, Linux or Mac device. Remote administrative control means that once the software is installed on the target device, you have full remote control of the device.”
“On their website, OmniRat lists all of the things you can do once you have control of an Android, which include: retrieving detailed information about services and processes running on the device, viewing and deleting browsing history, making calls or sending SMS to any number, recording audio, executing commands on the device and more.”
“Like DroidJack, OmniRat can be purchased online, but compared to DroidJack, it’s a bargain. Whereas DroidJack costs $210, OmniRat costs only $25 to $50 depending on which device you want to control.”
“A custom version of OmniRat is currently being spread via social engineering. A user on a German tech forum, Techboard-online, describes how a RAT was spread to his Android device via SMS. After researching the incident, I have come to the conclusion that a variant of OmniRat is being used.”
“The author of the post received an SMS stating an MMS from someone was sent to him (in the example, a German phone number is listed and the SMS was written in German). The SMS goes on to say “This MMS cannot be directly sent to you, due to the Android vulnerability StageFright. Access the MMS within 3 days [Bitly link] with your telephone number and enter the PIN code [code]“. Once the link is opened, a site loads where you are asked to enter the code from the SMS along with your phone number. Once you enter your number and code, an APK, mms-einst8923, is downloaded onto the Android device. The mms-einst8923.apk, once installed, loads a message onto the phone saying that the MMS settings have been successfully modified and loads an icon, labeled “MMS Retrieve” onto the phone.”
“The OmniRat APK requires users to accept and give OmniRat access many permissions, including edit text messages, read call logs and contacts, modify or delete the contents of the SD card. All of these permissions may seem evasive and you may be thinking, “Why would anyone give an app so much access?”, but many of the trusted and most downloaded apps on the Google Play Store request many of the same permissions. The key difference is the source of the apps. I always recommend that users read app permissions carefully. However, when an app you are downloading directly from the Google Play Store requests permissions, it is rather unlikely the app is malicious.”
“The victim then has no idea their device is being controlled by someone else and that every move they make on the device is being recorded and sent back to a foreign server. Furthermore, once cybercriminals have control over a device’s contact list, they can easily spread the malware to more people. Inside this variant of OmniRat, there is a function to send multiple SMS messages. What makes this especially dangerous is that the SMS spread via OmniRat from the infected device will appear to be from a known and trusted contact of the recipients, making them more likely to follow the link and infect their own device.”
Additional Coverage: Softpedia
“The Softpedia article about OmniRAT includes a video, but declined to post the tool’s homepage. You can easily find it via a Google search.”

Joomla, one of the most popular web platforms after wordpress, has critical flaw affecting millions of sites

“Joomla is a very popular open-source Content Management System (CMS) used by no less than 2,800,000 websites (as of September 2015).”
An SQL injection attack was discovered that affects versions 3.2 through 3.4.4
“Unrestricted administrative access to a website’s database can cause disastrous effects, ranging from complete theft, loss or corruption of all the data, through obtaining complete remote control of the web server and abusing or repurposing it (for instance, as a host for malicious or criminal content), and ending in infiltration into the internal network of the organization, also-known-as lateral movement.”
“3 CVEs has been assigned to the vulnerability – CVE-2015-7297, CVE-2015-7857 and CVE-2015-7858. It has been tested and found working on a number of large websites, representing different business verticals”
“We encourage site administrators to update their Joomla installations immediately, deploy a 3rd-party protection product, or at the very least take their site down until a proper solution is found. According to the Verizon 2015 Database Breach Investigation Report, “99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published” so not patching your system will almost guarantee it will be hacked.”
Timeline:
Oct 15, 2015 – Disclosure to the Joomla security team
Oct 19, 2015 – Vulnerability is acknowledged by Joomla
Oct 22, 2015 – Patch released by Joomla
Oct 30, 2015 – Disclosure published by PerimeterX
It turns out, proper sanitization of the ‘select’ (columns) and ‘limit’ (pagination) parameter was not being done. One of the most obvious and ubiquitous SQL injection vectors.
“Using this SQLI we could extract all users, reset password tokens, sessions, and other configuration data stored in the DB. This will ultimately allow an attacker to obtain admin credentials, and therefore control the system’s PHP code using the ‘edit theme’ interface, effectively compromising the entire server.”
So I can replace the hash of the admin user with one I know the password for (or just create my own new admin user), as well as extract the hashed passwords of all other users.
“This vulnerability is a classic example of how having a too-dynamic code can reflect very severely on security. I expect this disclosure will stir up a hornet’s nest regarding the system’s dynamic nature, and more vulnerabilities exploiting it will be discovered. When you are developing a complex system, keep in mind that although your design is convenient for other developers, it is convenient for vulnerability researchers, too.”

Camgirl OPSEC: How the worlds newest porn stars protection their online privacy

Not the type of thing you would normally expect us to cover on TechSNAP, but it turns out, if you want to maintain your privacy online, it helps to take advice from the experts
Women already have more crap to deal with online, but camgirls often receive the worst of it
“But with modern technology comes modern problems: swatting, doxxing, and the fact that on most sites, there’s a large chat window right by the camgirl’s face, into which anyone with a credit card can say anything.”
If people can find out who you are, or where you live, they can do all sorts of nasty things.
Most “performers” use an alias, so for them, the first step is to protect their true identity
Related to this, they also wish to keep their location secret
Some examples of ways your location can be exposed:
- Pandora, the music streaming service, uses location based advertisements. In this case, they ask for your ZIP code, enter a fake one
- Many other sites also use location based advertisements, use a VPN to hide your real location
- “Speaking of VPNs, use one. If you use Skype, there’s Skype Resolvers out there that can show your IP by simply entering a username”
- “Amazon wishlists reveal your town, which is why people use PO boxes”
“People can simply call Amazon/the shipper and find out the address their purchase was sent to if they pry enough. I don’t know what the company policy is for this, but it’s happened”
“Camgirl #OpSec tip: I know craft beers are delicious, but they circumscribe your location to a very tight circle.”
Make sure photos that you post online do not have GPS or location metadata included
Even things as “smalltalk” as the weather, with multiple samples, can give away your location
“Also make sure you don’t go to your PO box alone, because someone may be waiting for you there, especially if you publicly reveal your PO box address and/or say specifically when you’ll be going to it”
“Google Voice provides fake numbers, so you can use them for texting, or any apps/sites that require a number”
“Do not accept gift cards as payments towards your service from random people”, they may be able to track how/where it was spent
Use a separate browser for “work” and “personal” internet use, to ensure cookies and logins do not get contaminated
Especially things like Facebook and Google that track you all over the internet
Avoid creating ‘intersections”, where your two identities can be correlated. Make sure your username doesn’t give it away
Consider changing your alias on a regular basis. Balance building a reputation against OPSEC
Use strong passwords, and DO NOT reuse passwords for multiple sites, use 2FA whenever possible

Feedback:

Round Up:

The post Zero-Days Of Our Lives | TechSNAP 240 first appeared on Jupiter Broadcasting.

E3 Pre-Show | Tech Talk Today 5

chris — Mon, 09 Jun 2014 10:01:37 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

Microsoft’s big announcement is moments away, and we round up the expectations and potential surprises from the event. Plus Popcorn time gives users a built in VPN, Crypto ransomware for Android and more!

Direct Download:

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a Tech Talk Today supporter on Patreon:

Show Notes:

Headlines

How to Watch Microsoft\’s E3 Show Live, and What to Expect

Microsoft\’s E3 event is its biggest opportunity to distinguish the Xbox One from the PlayStation 4 and help close the gap on Sony\’s sales lead. Still, with a newly-appointed CEO and Phil Spencer now heading the company\’s Xbox division, there\’s no telling what Microsoft has in store

\’Popcorn Time\’ Gives Users Anonymity With a Free Built-In VPN

One of the Popcorn Time forks has included a free VPN option in its software, allowing users to hide their IP-addresses from the public, This feature is a response to copyright trolls, who regularly send settlement requests to users who pirate movies via BitTorrent.

“WARNING Your phone is locked!” Crypto ransomware makes its debut on Android

Security researchers have documented another first in the annals of Android malware: a trojan that encrypts photos, videos, and documents stored on a device and demands a ransom for them to be restored.

Google Chrome overtakes Microsoft\’s Internet Explorer as most-used US web browser

A report released by Adobe Digital Index (ADI) analyzing the market share of web browsers has shown Google\’s freeware is up 6 percent year-over-year, trouncing Internet Explorer – once a lone internet leader – which is sitting at 30.9 percent.

Support Tech Talk Today creating DAILY PODCASTS

Feedback:

Twitter / jphilipz: @ChrisLAS please add rss feeds

Unfilter Shirt: Unfilter Episode 100 Shirt! | Teespring

Hosts:

Guest:

Twitter Nunes

Chris:

The post E3 Pre-Show | Tech Talk Today 5 first appeared on Jupiter Broadcasting.