Tuesday, December 18, 2012

Samsung Galaxy SIII and Note II Can Be Easily Hacked

A serious exploit that affects certain Exynos devices has been found.  It appears that the Samsung kernel allows read and write access to all physical memory on the device, including the kernel itself.  In essence, the kernel is the "brain" of the operating system.  With this vulnerability, anyone can easily obtain root access to the device, and it also becomes possible for malware-carrying apps available in the Google Play store to perform code injection and RAM dumps.

The exploit appears to work on any device running an Exynos 4210 or 4412 processor.  We have previously seen other vulnerabilities in Samsung Galaxy devices.  This one, in particular, is very dangerous given the amount of malware-infected apps in the Google Play store.

SMS Trojan For Macs: Apple Users - You Are Not Immune

A new variant of the SMSSend Trojan is targeting Mac users.  An earlier variation of this Trojan started by tricking users into entering their cell phone number in order to continue the installation of what appeared to be an official software installer.  After supplying the attackers with their phone number, the victim unknowingly agreed to the terms of a chargeable subscription, and a fee was then debited from their mobile phone account on a regular basis.  This particular Trojan imitated VKMusic 4, a popular Russian music client.  VKMusic 4 Mac has now been added to Apple's Xprotect.plist blacklist.  Apple promptly patched the issue.

Wednesday, November 21, 2012

Trojan Communicates Through Google Docs

Many Trojans and other malware use IRC chat to communicate with their command-and-control (C&C) server; botnets are infamous for contacting their botmaster in this manner.  However, according to Symantec, the Trojan Backdoor.Makadocs hides in Rich Text Format (RTF) and Microsoft Word documents, injects its malicious code via Trojan.Dropper, and uses the Viewer feature of the Google Docs service to communicate with its C&C server.

"Google docs has a function called viewer that retrieves the resources of another URL and displays it," said Takashi Katsuki of Symantec. "Basically, this functionality allows a user to view a variety of file types in the browser. In violation of Google's policies, Backdoor.Makadocs uses this function to access its C&C server." He added that "it is possible that the malware author has implemented this functionality in an attempt to prevent the direct connection to the C&C from being discovered. The connection to the Google docs server is encrypted using HTTPS, thereby making it difficult to be blocked locally. It is possible for Google to prevent this connection by using a firewall."

Malware authors already use Twitter and Facebook for C&C in addition to IRC chat.  Now Google Docs is another such channel.
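Because the malware's real C&C host only appears in the `url` parameter handed to the Google Docs viewer, a defender who can see full request URLs can single out viewer calls that relay to non-Google hosts. The following is an added example (not code from the original post or from Symantec); it assumes a TLS-inspecting proxy that logs full URLs, and the log lines, the allow-list and the `c2.example.invalid` host are constructed.

```python
"""Flag Google Docs viewer requests that fetch from hosts outside Google.

Added example, not from the original post or Symantec's write-up. It assumes a
TLS-inspecting proxy that logs full request URLs (sample lines are constructed);
without interception only the CONNECT to docs.google.com would be visible.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed allow-list of hosts the viewer is legitimately asked to fetch from.
TRUSTED_TARGET_SUFFIXES = ("google.com", "googleusercontent.com", "gstatic.com")

def viewer_target(url):
    """Host the Docs viewer is asked to fetch, or None if this is not a viewer call."""
    parts = urlsplit(url)
    if parts.hostname != "docs.google.com" or not parts.path.startswith("/viewer"):
        return None
    targets = parse_qs(parts.query).get("url")  # parse_qs percent-decodes the value
    if not targets:
        return None
    return (urlsplit(targets[0]).hostname or "").lower()

def is_suspicious(url):
    """True when the viewer is being used as a relay to a non-Google host."""
    host = viewer_target(url)
    if host is None:
        return False
    return not any(host == s or host.endswith("." + s) for s in TRUSTED_TARGET_SUFFIXES)

def scan_proxy_log(lines):
    """Return (client, url) pairs for viewer calls relaying to untrusted hosts."""
    hits = []
    for line in lines:
        fields = line.split()  # expected layout: "<time> <client-ip> <url>"
        if len(fields) >= 3 and is_suspicious(fields[2]):
            hits.append((fields[1], fields[2]))
    return hits

# Constructed sample proxy log: a legitimate viewer call, a relay to an outside
# host, and an unrelated request.
SAMPLE_LOG = [
    "12:00:01 10.0.0.5 https://docs.google.com/viewer?url=https%3A%2F%2Fdrive.google.com%2Ffile%2Fd%2Fabc",
    "12:00:07 10.0.0.9 https://docs.google.com/viewer?url=http%3A%2F%2Fc2.example.invalid%2Fcmd%3Fid%3D7&embedded=true",
    "12:00:09 10.0.0.9 https://www.google.com/search?q=weather",
]

if __name__ == "__main__":
    for client, url in scan_proxy_log(SAMPLE_LOG):
        print("ALERT: Docs viewer relay from", client, "to", viewer_target(url))
```

The allow-list is deliberately short; in practice it should be tuned against the viewer traffic your own users generate, since a broad suffix list is what lets the relay hide.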

Tuesday, November 6, 2012

Cyberwar? Iran Wants "indigenous cyber defense model"

According to Iran's state affiliated Fars News Agency, a senior Iranian military commander said Monday that Iran needs a new strategy to protect its infrastructure from computer attacks.

"Cyber threats against Iran's national security infrastructure have found a special place and share in enemies' hostile strategy,” the Deputy Chief of Staff of the Iranian Armed Forces for Basij and Defense Culture said. “Given the country's current conditions it is necessary to consider (developing) an indigenous cyber defense model as our important priority."

According to the Iranian official, the US and Israel control a major share of infrastructure companies and hi-tech firms for that very same purpose. "Thus, Iran is necessitated to design a new model for cyber defense."  Iran claims that the Stuxnet worm is an American and Israeli effort dating back to 2006, designed to set back Iranian nuclear enrichment.

Saturday, November 3, 2012

Twenty Five Percent of Android Apps Present Security Risks

Do people really pay attention to the laundry list of permissions presented to the user when installing Android apps?  Why would a wallpaper or a board game need access to a user's GPS data or call history?  Bit9 examined the security permissions of more than 400,000 Android applications.  Its CTO stated that “a significant percentage of Google Play apps have access to potentially sensitive and confidential information.” “When a seemingly basic app such as a wallpaper requests access to GPS data, this raises a red flag. Likewise, more than a quarter of the apps can access email and contacts unbeknown to the phone user, which is of great concern when these devices are used in the workplace.”

Other findings included:
  • 42 percent of applications access GPS location data, and these include wallpapers, games and utilities
  • 31 percent access phone calls or phone numbers
  • 26 percent access personal data, such as contacts and email
  • 9 percent use permissions that can cost the user money

To explain its findings, Bit9 created this chart (you may also see Bit9's article here):
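The survey figures above come from grouping each app's declared permissions into risk buckets and comparing them with what the kind of app should need. The following is an added example, not Bit9's tooling: the permission names are real Android constants, but the app list and the per-app-type expectations are constructed for illustration.

```python
"""Categorise declared Android permissions into the Bit9 survey's risk buckets.
Added example, not Bit9's tooling. Permission names are real Android constants;
the app list and the per-app-type expectations are constructed for illustration."""
from collections import Counter

# Survey category -> Android permissions that grant that kind of access.
RISK_CATEGORIES = {
    "gps_location": {"android.permission.ACCESS_FINE_LOCATION",
                     "android.permission.ACCESS_COARSE_LOCATION"},
    "phone_calls_numbers": {"android.permission.READ_PHONE_STATE",
                            "android.permission.READ_CALL_LOG",
                            "android.permission.CALL_PHONE"},
    "personal_data": {"android.permission.READ_CONTACTS",
                      "android.permission.GET_ACCOUNTS"},
    "costs_money": {"android.permission.SEND_SMS",
                    "android.permission.CALL_PHONE"},
}

# Constructed assumption: categories an app type plausibly needs; unlisted types need none.
EXPECTED = {"navigation": {"gps_location"}, "dialer": {"phone_calls_numbers", "costs_money"}}

def categories_for(permissions):
    return {cat for cat, perms in RISK_CATEGORIES.items() if perms & set(permissions)}

def survey(apps):
    """Percentage of apps touching each category, the figure the list above reports."""
    counts = Counter()
    for app in apps:
        counts.update(categories_for(app["permissions"]))
    return {cat: round(100 * counts[cat] / len(apps)) for cat in RISK_CATEGORIES}

def red_flags(apps):
    """Apps whose risk categories exceed what their type needs (e.g. wallpaper + GPS)."""
    flags = []
    for app in apps:
        excess = categories_for(app["permissions"]) - EXPECTED.get(app["type"], set())
        if excess:
            flags.append((app["name"], sorted(excess)))
    return flags

SAMPLE_APPS = [  # constructed, not from the Bit9 data set
    {"name": "SunsetWallpaper", "type": "wallpaper",
     "permissions": ["android.permission.ACCESS_FINE_LOCATION", "android.permission.INTERNET"]},
    {"name": "CheckersPlus", "type": "game",
     "permissions": ["android.permission.READ_CONTACTS", "android.permission.SEND_SMS"]},
    {"name": "RouteFinder", "type": "navigation",
     "permissions": ["android.permission.ACCESS_COARSE_LOCATION"]},
    {"name": "Notepad", "type": "utility", "permissions": ["android.permission.INTERNET"]},
]
```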

Thursday, November 1, 2012

U.S. Banks Under Cyber Attack

The U.S. Secretary of Homeland Security said as follows:
"Right now, financial institutions are actively under attack. We know that. I'm not giving you any classified information."  "I will say this has involved some of our nation's largest institutions. We've also had our stock exchanges attacked over the last [few] years, so we know ... there are vulnerabilities. We're working with them on that."
When asked whether the cyber attackers had stolen money, Napolitano answered in the affirmative, but declined to provide further details, according to The Hill.  She added "one of the possible areas of attack, of course, is attacks on our nation's control systems – the control systems that operate our utilities, our water plants, our pipelines, our financial institutions. If you think that a critical systems attack that takes down a utility even for a few hours is not serious, just look at what is happening now that Mother Nature has taken out those utilities. The urgency and the immediacy of the cyber problem; the cyber attacks that we are undergoing and continuing to undergo can not be overestimated."   Given this current economic and technology environment, businesses should enlist the assistance of computer security experts to identify and correct vulnerabilities in their systems.

Wednesday, October 31, 2012

VA Computers Still Unencrypted After Six Years

Six years ago, the U.S. Department of Veterans Affairs spent almost $6 million on encryption software for its PCs and laptops following a breach.  In 2006, an unencrypted external hard drive containing personal information on 26 million veterans was stolen from the home of an employee. The situation resulted in a $20 million remediation when the VA was forced to notify veterans and provide credit monitoring.  The VA secretary ordered that all of the VA's computers be protected by encryption software.

Unfortunately, an investigation by the VA's inspector general has now found that the encryption software has been installed on only 16% of the VA's computers.  The investigation stemmed from an anonymous tip received 12 months ago on the VA's complaint hotline, claiming that the encryption software was not being widely deployed.   According to the IG's report, the VA's Office of IT was at fault for inadequate planning and management of the project.  Today, 335,000 licenses remain inactive, leaving those computers unprotected. "Veterans' data remained at risk due to unencrypted computers," the report states.

Friday, October 19, 2012

Pacemakers Can Be Hacked... Shocking (literally)

Hackers may be able to control pacemakers from several manufacturers, making them capable of delivering a deadly, 830-volt shock.  All the hacker needs is a laptop up to 50 feet away.  This is all due to bad programming.  The new research comes from Barnaby Jack of security vendor IOActive, known for his analysis of other medical equipment such as insulin-delivering devices. 

Jack spoke at the Breakpoint security conference in Melbourne on Wednesday, saying that the flaw lies with the programming of the wireless transmitters used to give instructions to pacemakers and implantable cardioverter-defibrillators (ICDs), which detect irregular heart contractions and deliver an electric shock to avert a heart attack.  A successful attack using the flaw "could definitely result in fatalities," said Jack. 

Jack was able to send a series of 830-volt shocks (enough to cause death) to a pacemaker and use a "secret function" to activate other pacemakers within a 30-foot radius. With the function activated, the devices would give up their serial numbers, allowing hackers to upload malware that could spread like a virus to other pacemakers. Jack said that the devices, if infected, could release personal and manufacturer data.

"The worst case scenario that I can think of, which is 100 percent possible with these devices, would be to load a compromised firmware update onto a programmer and… the compromised programmer would then infect the next pacemaker or [defibrillator] and then each would subsequently infect all others in range,” he said.

Wednesday, October 17, 2012

Computer viruses and malware in medical technology

Today's piece of troubling news: High-risk medical technology has been found to be infected by computer viruses and malware.  Virus infections (and we are not even referring to the ones in the patients' bodies, but to the ones in the systems used to support the patient's lives) could become so severe that a patient may end up getting harmed.   At least one hospital in the United States claims to be deleting viruses from up to two machines a week.

The warnings were given as part of a panel discussion in Washington DC, by Technology Review from the Massachusetts Institute of Technology.  Mark Olsen, chief information security officer at Beth Israel Deaconess Medical Center in Boston, said the hospital had 664 pieces of medical equipment running on old versions of Windows.  The explanation given was that the machines were not updated to newer versions of Windows where the vulnerabilities are patched because of fears that doing so would mean they were in breach of regulations put in place by the US Food and Drug Administration (FDA).  It seems like the FDA is busy regulating the treatment of human viruses but unprepared to handle cyber infections.

Wednesday, September 26, 2012

Samsung Galaxy Smartphones Vulnerable to Malicious Wiping

A security researcher demonstrated at a security conference last week in Argentina weaknesses in Samsung's handling of Unstructured Supplementary Service Data (USSD), which allows message communication to go from the phone to the application server.  Samsung's TouchWiz communicates with USSD and appears to be affected, he said.  The demonstration showed how a hacker could take advantage of the vulnerability and attack a user who opens a bad link.  Hackers can then remotely wipe the handset and SIM card in just a few minutes, and reset the device to factory mode.  This happens because of malicious code embedded within a website.

Visit our site to learn about computer forensics or Information Security.  We are also experts in forensic analysis of mobile devices.

Sunday, September 23, 2012

Iranian hackers target Bank of America, JPMorgan, Citi

Iranian hackers have repeatedly attacked Bank of America Corp, JPMorgan Chase & Co and Citigroup Inc over the past year as part of a broad cyber campaign targeting the United States, according to people familiar with the situation. The attacks, which began in late 2011 and escalated this year, have primarily been "denial of service" campaigns that disrupted the banks' websites and corporate networks by overwhelming them with incoming web traffic, said the sources. They said there was evidence suggesting the hackers targeted the three banks in retaliation for their enforcement of Western economic sanctions against Iran.

Visit our site to learn about computer forensics or Information Security. Cases of computer trespass or criminal hacking allegations may involve complex legal issues that may be addressed by an Internet lawyer.

Saturday, September 22, 2012

Microsoft says it has fixed Internet Explorer flaw

Microsoft Corp said it has fixed a security bug in Internet Explorer that hackers exploited to attack some customers. The attacks prompted the German government and security experts to urge people to temporarily stop using the browser.

The software maker said late Wednesday that the permanent repair to the software, used by hundreds of millions of people, would be released on Friday. A majority of Microsoft Windows users have their computers set to automatically download that update.


Monday, September 17, 2012

Flame cyber virus linked to more malware

The Flame virus is an interesting example of the effort against Iran's nuclear program.  Flame, believed to be part of a cyberwarfare effort against Iran, was developed as early as 2006 and is linked to at least three other malware programs, a new analysis says.  The report suggests the effort to develop Flame, widely reported to be part of a US-Israeli effort to slow Iran's suspected nuclear weapons drive, has been going on longer than initially believed and has more components, including some not yet fully understood.

The report on Monday by the Russian security firm, Kaspersky Lab, with US-based Symantec, Germany's computer emergency response team and the International Telecommunication Union's cybersecurity arm showed that development of the Flame platform dates back to 2006.

An earlier analysis by Kaspersky had reported the code for Flame, which is likely related to Stuxnet and other viruses, was written in 2009.


Wednesday, September 5, 2012

Bitfloor Hacked

Bitfloor, the fourth largest Bitcoin exchange dealing in US dollars, has just announced that it has been hacked, and the service has taken a loss worth about $250,000 at the time of the theft. As Roman Shtylman, the founder of Bitfloor, describes it, “last night, a few of our servers were compromised. As a result, the attacker gained access to an unencrypted backup of the wallet keys (the actual keys live in an encrypted area). Using these keys they were able to transfer the coins. This attack took the vast majority of the coins BitFloor was holding on hand.” As a result, BitFloor has paused all exchange operations and, depending on the effect that this will have on BitFloor’s finances, BitFloor may take one of two options. They may either take the loss and continue running in an attempt to eventually earn the money back or, in the worst case, shut down entirely and begin a partial refund of accounts out of the available funds.

Visit our site to learn about computer forensics or Information Security. Cases involving criminal hacking allegations may involve complex legal issues that may be addressed by an Internet lawyer.

Sunday, September 2, 2012

Cyber-espionage Mahdi virus spreads further in Middle East

Virus developers have changed the code to evade detection, according to Israel-based Seculert, which said that there have been 150 new victims over the past six weeks. That brings the total number of infections to about 1,000, Reuters reports.

In Islamic tradition, the Mahdi is the prophesied redeemer of Islam who will rule before the Day of Judgment, ridding the world of injustice and tyranny. Appropriately, the spyware that takes its name from him appears to be politically motivated, built to steal files and monitor emails and instant messages. It also sends screenshots, audio recordings and keystroke logs back to its developers.


Saturday, September 1, 2012

Pirate Bay's Gottfrid Svartholm Arrested in Cambodia

Reports indicate that the founder of the popular file-sharing site The Pirate Bay, Gottfrid Svartholm, was picked up by Cambodian police on Thursday.  There's no indication as to what the 27-year-old was specifically arrested for, but Svartholm's lawyer has since been quoted as saying that the arrest likely relates to Svartholm's presence on an "international wanted list."
