HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Sophisticated, persistent mobile attack against high-value targets on iOS

• “Persistent, enterprise-class spyware is an underestimated problem on mobile devices. However, targeted attack scenarios against high-value mobile users are a real threat.”
• “Citizen Lab (Munk School of Global Affairs, University of Toronto) and Lookout have uncovered an active threat using three critical iOS zero-day vulnerabilities that, when exploited, form an attack chain that subverts even Apple’s strong security environment. We call these vulnerabilities “Trident.” Our two organizations have worked directly with Apple’s security team, which was very responsive and immediately fixed all three Trident iOS vulnerabilities in its 9.3.5 patch.”
• “Trident is used in a spyware product called Pegasus, which according to an investigation by Citizen Lab, is developed by an organization called NSO Group. NSO Group is an Israeli-based organization that was acquired by U.S. company Francisco Partners Management in 2010, and according to news reports specializes in “cyber war.” Pegasus is highly advanced in its use of zero-days, obfuscation, encryption, and kernel-level exploitation.”
• “We have created two reports that discuss the use of this targeted attack against political dissidents and provide a detailed analysis of the malicious code itself. In its report, Citizen Lab details how attackers targeted a human rights defender with mobile spyware, providing evidence that governments digitally harass perceived enemies, including activists, journalists, and human rights workers. In its report, Lookout provides an in-depth technical look at the targeted espionage attack that is actively being used against iOS users throughout the world.”
• The target of the attack was Ahmed Mansoor, an internationally recognized human rights defender
• “On August 10th and 11th, he received text messages promising “secrets” about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers. Recognizing the links as belonging to an exploit infrastructure connected to NSO group, Citizen Lab collaborated with Lookout to determine that the links led to a chain of zero-day exploits that would have jailbroken Mansoor’s iPhone and installed sophisticated malware.”
• “This marks the third time Mansoor has been targeted with “lawful intercept” malware. Previous Citizen Lab research found that in 2011 he was targeted with FinFisher spyware, and in 2012 with Hacking Team spyware. The use of such expensive tools against Mansoor shows the lengths that governments are willing to go to target activists.”
• “Citizen Lab also found evidence that state-sponsored actors used NSO’s exploit infrastructure against a Mexican journalist who reported on corruption by Mexico’s head of state, and an unknown target or targets in Kenya. The NSO group used fake domains, impersonating sites such as the International Committee for the Red Cross, the U.K. government’s visa application processing website, and a wide range of news organizations and major technology companies. This nods toward the targeted nature of this software.”
• “Pegasus is the most sophisticated attack we’ve seen on any endpoint because it takes advantage of how integrated mobile devices are in our lives and the combination of features only available on mobile — always connected (WiFi, 3G/4G), voice communications, camera, email, messaging, GPS, passwords, and contact lists. It is modular to allow for customization and uses strong encryption to evade detection.”
• “The attack sequence, boiled down, is a classic phishing scheme: send text message, open web browser, load page, exploit vulnerabilities, install persistent software to gather information. This, however, happens invisibly and silently, such that victims do not know they’ve been compromised.”
• “We believe that this spyware has been in the wild for a significant amount of time based on some of the indicators within the code (e.g., a kernel mapping table that has values all the way back to iOS 7). It is also being used to attack high-value targets for multiple purposes, including high-level corporate espionage on iOS, Android, and Blackberry.”
• CitizenLab report
• Lookout Report PDF
• Additional Coverage: Arstechnica: Apple releases iOS 9.3.5 with “an important security update”
• Additional Coverage: NY Times
• Additional Coverage: Motherboard
• Additional Coverage: WaPo

Hacking Electronic Safes

• An interesting bit of research was brought to my attention via Bruce Schneier’s blog
• “On Friday, a hacker known as Plore presented strategies for identifying a safe custom-selected keycode and then using it to unlock the safe normally, without any damage or indication that the code has been compromised”
• “Plore’s techniques interesting is what they lack: any physical or even algorithmic sabotage”
• “Plore used side-channel attacks to pull it off. These are ways of exploiting physical indicators from a cryptographic system to get around its protections.”
• “Plore was able to figure out the keycodes for locks that are designated by independent third-party testing company Underwriter’s Laboratory as Type 1 High Security. These aren’t the most robust locks on the market by any means, but they are known to be pretty secure. Safes with these locks are the kind of thing you might have in your house.”
• “In practice, Plore was able to defeat the security of two different safe locks made by Sargent and Greenleaf, each of which uses a six-digit code. “I chose Sargent and Greenleaf locks due to their popularity. They are the lock manufacturer of choice on Liberty brand gun safes, among others, and safes featuring those locks are widely available at major stores,” Plore told WIRED”
• “Plore said he didn’t have time before Defcon to try his attacks on other lock brands, but he added, “I would not be particularly surprised if techniques similar to those I described would apply to other electronic safe locks, other electronic locks in general (e.g., door locks), or other devices that protect secrets (e.g., phones).”
• I am glad the 6 digit combination lock that protects my house is mechanical
• “For the Sargent and Greenleaf 6120, a lock developed in the 1990s and still sold today, Plore noticed that when he entered any incorrect keycode he could deduce the correct code by simply monitoring the current being consumed by the lock.”
• ““What you do here is place the resistor in series with the battery and the lock, and by monitoring voltage across that resistor we can learn how much current the lock is drawing at any particular time. And from that we learn something about the state of the lock,” Plore explained. As the lock’s memory checked the input against its stored number sequence, the current on the data line would fluctuate depending on whether the bits storing each number in the code were a 0 or a 1. This essentially spelled out the correct key code until Plore had all of its digits in sequence and could just enter them to unlock the safe. Bafflingly easy.”
• “For the second demonstration, he experimented with a newer lock, the Sargent and Greenleaf Titan PivotBolt. This model has a more secure electronics configuration so Plore couldn’t simply monitor power consumption to discover the correct keycode. He was able to use another side-channel approach, though, a timing attack, to open the lock. Plore observed that as the system checked a user code input against its stored values there was a 28 microsecond delay in current consumption rise when a digit was correct. The more correct digits, the more delayed the rise was. This meant that Plore could efficiently figure out the safe’s keycode by monitoring current over time while trying one through 10 for each digit in the keycode, starting the inputs over with more and more correct digits as he pinpointed them. Plore did have to find a way around the safe’s “penalty lockout feature” that shuts everything down for 10 minutes after five incorrect input attempts, but ultimately he was able to get the whole attack down to 15 minutes, versus the 3.8 years it would take to try every combination and brute force the lock.”
• This is why cryptography is usually implemented in ‘constant time’, where it is purposely slow. Both the right input and the wrong input take the same amount of time to return the result, so the attack can’t learn anything from the amount of time the response takes
• ““Burglars aren’t going to bother with this. They’re going to use a crowbar or a hydraulic jack from your garage or if they’re really fancy they’ll use a torch,” Plore said. “I think the more interesting thing here is [these attacks] have applicability to other systems. We see other systems that have these sorts of lockout mechanisms.” Plore said that he has been trying to contact Sargent and Greenleaf about the vulnerabilities since February. WIRED reached out to the company for comment but hadn’t heard back by publication time.”
• “Even though no one would expect this type of affordable, consumer-grade lock to be totally infallible, Plore’s research is important because it highlights how effective side-channel attacks can be. They allow a bad actor to get in without leaving a trace. And this adds an extra layer of gravity, because not only do these attacks compromise the contents of the safe, they could also go undetected for long periods of time.”
• This practical example makes the software versions much easier to understand

Turkish Journalist Jailed for Terrorism Was Framed, Computer Forensics Report Shows

• Turkish investigative journalist Barış Pehlivan spent 19 months in jail, accused of terrorism based on documents found on his work computer.
• But when digital forensics experts examined his PC, they discovered that those files were put there by someone who removed the hard drive from the case, copied the documents, and then reinstalled the hard drive.
• The attackers also attempted to control the journalist’s machine remotely, trying to infect it using malicious email attachments and thumb drives.
• Among the viruses detected in his computer was an extremely rare trojan called Ahtapot, in one of the only times it’s been seen in the wild.
• The attackers seemed to pull everything out of their bag of tricks,” Mark Spencer, digital forensics expert at Arsenal Consulting, said.
• Pehlivan went to jail in February of 2011, along with six of his colleagues, after electronic evidence seized during a police raid in 2011 appeared to connect all of them to a group accused of terrorism in Turkey.
• It is not clear who perpetrated the attack, but the sophistication of the malware used, the tightly-targeted way Ahtapot works, and the timing of Pehlivan’s arrest suggests a highly-coordinated, well-funded attack.
• A paper recently published by computer expert Mark Spencer in Digital Forensics Magazine sheds light into the case after several other reports have acknowledged the presence of malware.
• Spencer said no other forensics expert noticed the trojan, nor has determined accurately how those documents showed up on the journalist’s computer.
• However, almost all the reports have concluded that the incriminating files were planted.
• What baffled Spencer the most during the investigation was an unusual malware, one he hasn’t seen before. It was installed on Pehlivan’s computer on the evening of February 11, 2011, a Friday. The police raid took place on the following Monday morning.
• Spencer called Gabor Szappanos, principal researcher at Sophos, who has been analyzing computer viruses for over two decades. They worked together to find out what happened.
• This malware appeared to be in unfinished beta development. It was a Remote Access Trojan (RAT), a malicious software that allows attackers to control a computer without having physical access.
• There are clues to suggest the malware is Turkish in origin, including Turkish words in Ahtapot’s code, yet security experts are almost always uncomfortable talking about attribution.
• The Sophos researcher believes this Remote Access Trojan was rushed into use out of desperation, after several attacks failed to deliver expected results. “Looking at the code revealed some mistakes that are typical at the beginning of development processes [of a malware],” the researcher said.
• Prior to bringing in Ahtapot trojan, the attackers relied on more common malware. First, they tried to infect Pehlivan’s computer with the Turkojan RAT through a thumb drive. Email attachments were also used.
• Spencer said, attackers copied both malware and incriminating documents to Pehlivan’s hard drive the nights of February 9 and 11, to cover their bases in case they won’t be able to control the computer remotely using the malware.
• They were smart enough to forge the dates associated with these documents, Spencer said. The key to his investigation was constructing the true timeline of the events.
• He suspects the journalist’s PC was attacked locally during those two evenings of February 9 and 11, because previous attempts to remotely infect it with malware failed.
• “There were about a dozen different malware samples found. Analyzing them in detail revealed that these were not independent incidents, we could find connection between them,” Szappanos said.
• He believes this was an expensive targeted attack, which used malware samples and command and control servers dedicated to this case alone.
• Most infosec professionals refrain from saying who the attacker is, as attribution is usually difficult to establish in the cyberworld. “We think it was developed by a Turkish speaking person/people. Internal texts found in the malware samples were all in the Turkish language,” Szappanos said.
• Meanwhile in Turkey, Barış Pehlivan is getting ready for his next hearing, scheduled for September 21. He believes the trial could end this year, and hopes to be acquitted.

Feedback:

• Slow file transfer speeds over NFS between FreeNAS and VMware VMs?

• Bypassing the Ultimate Blocking – My life sucks here!

• Owncloud/Nextcloud frontend with access to files outside of cloud interface

• Stop Windows 10 spying.

Round up:

• Behind the Scenes of iOS Security
• Researchers find bug in libgcrypt’s random number generator that has existed since 1998
  
• Encryption under fire in Europe as France and Germany call for decrypt law
• Using PGP on your phone does not make you a criminal
• PlayStation Network finally adds two-factor authentication
• New collision attacks against 3DES, impact legacy HTTPS, and against Blowfish impacts OpenVPN
• Researchers are able to detect your keystrokes with over 90% accuracy using Wi-Fi devices. Not using a malicious software, but by detecting the ripples in the Wi-Fi signal.
• DiskFiltration: New air gap jumping malware can steal data from your hard drive my the noises it makes. Can steal a 4096 bit PGP key in 25 minutes
• WhatsApp is going to share your phone number with Facebook
• MS Excel corrupting 20% of scientific papers about genes
• Microsoft breaks millions of webcams with Windows 10 Anniversary Update
• How compression works
• Saving a Rare NeXT Computer

The post iPhishing Expedition | TechSNAP 281 first appeared on Jupiter Broadcasting.

Spy agencies target mobile phones, app stores to implant spyware & the extent of the effort is shocking. Linux 4.0 has a EXT4 corruption bug, YouTube brings the fight to Twitch & Netflix has some big updates.

Then we have a Kickstarter of the week to help you men lucid dream, the penis way.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

Spy agencies target mobile phones, app stores to implant spyware

Electronic intelligence agencies began targeting UC Browser — a massively popular app in China and India with growing use in North America — in late 2011 after discovering it leaked revealing details about its half-billion users.

Their goal, in tapping into UC Browser and also looking for larger app store vulnerabilities, was to collect data on suspected terrorists and other intelligence targets — and, in some cases, implant spyware on targeted smartphones.

The 2012 document shows that the surveillance agencies exploited the weaknesses in certain mobile apps in pursuit of their national security interests, but it appears they didn’t alert the companies or the public to these weaknesses. That potentially put millions of users in danger of their data being accessed by other governments’ agencies, hackers or criminals.

NSA Planned to Hijack Google App Store to Hack Smartphones – The Intercept

Linux 4.0 Has a File-System Corruption Problem, RAID Users Warned

For the past few days kernel developers and Linux users have been investigating an EXT4 file-system corruption issue affecting the latest stable kernel series (Linux 4.0) and the current development code (Linux 4.1). It turns out that Linux users running the EXT4 file-system on a RAID0 configuration can easily destroy their file-system with this newest “stable” kernel. The cause and fix have materialized but it hasn’t yet worked its way out into the mainline kernel, thus users should be warned before quickly upgrading to the new kernel on systems with EXT4 and RAID0.

• Apparently this was fixed in the 4.0.3 Kernel. The current release is 4.0.4.

YouTube eyes Twitch user base, adds 60 FPS live streams with HTML5 playback | Ars Technica

The HTML5 player will not only save users from the CPU and batter__y-eating Flash player, but will also enable variable speed playback, allowing users to “skip backward in a stream while it’s live and watch at 1.5x or 2x speed to catch back up.”

Netflix To Roll Out A New, More Immersive Web Interface Starting In June | TechCrunch

Netflix confirms today that it will roll out a new user interface on the web to all users worldwide beginning next month. A number of Netflix customers are already seeing the updated look-and-feel, however, according to various reports. The interface, which was previously demonstrated at CES and Mobile World Congress, brings the design of Netflix’s website more in line with what users today see on mobile phones, tablets, on gaming consoles and on other streaming media players, like Roku.

NPT Lucid Dreamer by NPT Lucid Dreamer — Kickstarter

Men, trigger lucid dreams using nocturnal penile tumescence (NPT). By far the simplest & most reliable method possible.

The post Corrupt Accomplices | Tech Talk Today 174 first appeared on Jupiter Broadcasting.

It’s great to be a malware author, if your selling to the government, Bypassing PayPal’s two-factor authentication is easier than you might think. Plus a great batch of your questions and our answers and much, much more!

Thanks to:

— Show Notes: —

Flaw in mobile app allows attackers to bypass PayPal two-factor authentication

• Researchers at Duo Security have produced a proof-of-concept app that is able to bypass the two-factor authentication when using the PayPal mobile app, allowing an attacker to transfer funds out of a PayPal account with only the username and password, without needing to provide the one-time password
• The PayPal bug was discovered by an outside researcher, Dan Saltman, who asked Duo Security for help validating it and communicating with the PayPal security team
• “PayPal has been aware of the issue since March and has implemented a workaround, but isn’t planning a full patch until the end of July”
• Currently, the PayPal mobile apps do not support 2 factor authentication, meaning if you have 2FA enabled on your PayPal account, you cannot use the mobile app
• The exploit tricks the PayPal app into ignoring the 2FA flag and allowing the mobile app to work anyway
• The researchers found that in the PayPal mobile app, the only thing preventing a 2FA enabled account from working was a flag in the response from the server
• After modifying that flag, it was found that the client could login, and transfer funds
• The check to prevent 2FA enabled accounts from logging in without the one-time passwords appears to only be enforced on the client, not the server as it should be
• Once logged in with a valid session_id, the proof-of-concept app is able to use the API to transfer funds
• “There are plenty of cases of PayPal passwords being compromised in giant database dumps, and there’s also been a giant rise in PayPal related phishing”
• It is not clear how large the bug bounty on this vulnerability will be

“Hacking Team”

• “Hacking Team” is an Italian company that develops “legal” spyware used by law enforcement and other government agencies all over the world
• They originally came to light in 2011 after WikiLeaks released documents from 2008 where Hacking Team was trying to sell its software to governments
• The software bills itself as “Offensive Security”, allowing LEAs to remotely monitor and control infected machines
• The software claims to be undetectable, however when samples were anonymously sent to AV vendors in July of 2012, most scanners added definitions to detect some variants of the malware
• In newly released research, Kaspersky has tracked the Command & Control (C2) servers used by “HackingTeam”
• The countries with the most C2 servers include the USA, Kazakhstan, Ecuador, the UK and Canada
• It is not clear if all of the C2 servers located in these countries are for the exclusive use of LEAs in those countries
• “several IPs were identified as “government” related based on their WHOIS information and they provide a good indication of who owns them.”
• The malware produced by Hacking Team has evolved to include modern malware for mobile phones
• Although this is rarely seen, if it is only used by LEAs rather than for mass infection, this is to be expected
• On a jail broken iOS device, the malware has the following features:
• Control of Wi-Fi, GPS, GPRS
• Recording voice
• E-mail, SMS, MMS
• Listing files
• Cookies
• Visited URLs and Cached web pages
• Address book and Call history
• Notes and Calendar
• Clipboard
• List of apps
• SIM change
• Live microphone
• Camera shots
• Support chats, WhatsApp, Skype, Viber
• Log keystrokes from all apps and screens via libinjection
• The Android version is heavily obfuscated, but it appears to target these specific applications:
• com.tencent.mm
• com.google.android.gm
• android.calendar
• com.facebook
• jp.naver.line.android
• com.google.android.talk
• The article also provides details about how mobile phones are infected. Connecting a phone to an already compromised computer can silently infect it. In addition, the research includes screenshots of the iOS “Infector”, that merely requires LEAs connect the phone to their computer, where they can manually infect it before returning it to the owner
• Additional Coverage – ThreatPost
• Additional Coverage – SecureList
• Additional Coverage – SecureList – Original article on HackingTeam from April 2013

Feedback:

• What is the point of SUDO?
  • SUDO Mastery

• Sending E-mail from a server

• How To Install and Setup Postfix on Ubuntu 14.04 | DigitalOcean

• How To Configure a Mail Server Using Postfix, Dovecot, MySQL, and SpamAssasin | DigitalOcean

• Securing data in a database with GnuPG or OpenSSL

Round Up:

• Google Starts Removing Search Results Under Europe’s ‘Right to be Forgotten’
• Malware authors targeting vendors of legitimate apps as new infection vector. By hacking the websites of legitimate applications used by plants that also employ ICS (Industrial Control Systems), such as power plants, they gain a way to get a foothold in secure networks.
• Nation States implicated in two airports hacked with spear-phishing emails
• Yeah, I trust that ATM, looks totally legit
• Intel offering x86 based robot kits designed to be augmented with 3d printed parts
• MIT researchers unveil 36 core ‘tile’ processor that uses a routed network to move data between cores
• Red Hat Assistant General Counsel posts analysis of Supreme Court’s patent ruling
• Intuit defeats patent troll that bested NewEgg, may finally put an end to the SSL+RC4 trials

The post Big Brother's Malware | TechSNAP 169 first appeared on Jupiter Broadcasting.

Coming up on this week’s TechSNAP…

Researches have developed a way to tie your file sharing to your Skype account. We’ll share the details on how this works, and what you can do to prevent being tracked!

Plus we cover the Ultimate way to host your own email, and what happened when Chinese hackers took control of US Satellites!

All that and more, on this week’s episode of TechSNAP!

HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

Subscribe via RSS and iTunes:
Subscribe... --RSS-- TechSNAP HD TechSNAP Large TechSNAP Mobile TechSNAP MP3 TechSNAP OGG --iTunes-- TechSNAP iTunes HD TechSNAP iTunes Mobile TechSNAP iTunes Large TechSNAP iTunes MP3

[ad#shownotes]

Show Notes: