It’s Not a Game – It’s a Violation of Human Dignity

Still don’t set a passcode on your phone?

From Matthias Gafni and Malaika Fraley at the Contra Costa Times:

The California Highway Patrol officer accused of stealing nude photos from a DUI suspect’s phone told investigators that he and his fellow officers have been trading such images for years

The five-year CHP veteran called it a “game” among officers, according to an Oct. 14 search warrant affidavit.

CHiPs, theft of images
Source: Contra Costa Times

A game?

IT’S A CRIME. (Or it certainly ought to be.)

Again from the Contra Costa Times:

CHP Commissioner Joe Farrow said in a statement that his agency too has “active and open investigations” and cited a similar case several years ago in Los Angeles involving a pair of officers.

“The allegations anger and disgust me,” Farrow said. “We expect the highest levels of integrity and moral strength from everyone in the California Highway Patrol, and there is no place in our organization for such behavior.”

Let’s hope Commissioner Farrow, who began his tenure in 2008, truly means what he says.

Here’s an incident from 2006 for him to consider:

CHiPs, violation of dignity
Source: The New Yorker

It appears that the CHP has a culture problem which goes back quite some time.

With great power comes great responsibility.

Anybody who thinks violating the dignity of another human being is “a game” doesn’t deserve to be a cop.

—————

Offer the California Highway Patrol your feedback here and/or here.

On 29/10/14 At 03:14 PM


101 Bad Android Apps

Flash Player installers, so-called Android security updates, pirated games, and XXX-video players… there’s almost never a shortage of suspicious Android apps. We have automation which analyzes such apps and takes screenshots in the process.

Some examples:

101 bad Android apps
101 Bad Android Apps

Here’s one particular example, the device administrator prompt shown by one of these apps:

Activate device administrator?

Erase all data; Reset password; Limit password.

China Mobile customers should select… “Cancel”.
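The prompt above is Android’s device-administrator activation dialog, and the three lines under it are the policies the app has declared. An installer for “Flash Player” has no legitimate reason to request any of them. The following is an added example, not part of the original post or of the automation it mentions: a static check that finds a device-admin receiver in a decoded AndroidManifest.xml and flags the destructive policies it requests. The manifest and policy XML are constructed samples, and the receiver name is made up.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android(attr):
    """Clark-notation name for an attribute in the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Device-admin policies and the text Android shows for them in the activation
# dialog. These three are the ones from the dialog above; they hand the app
# control over the device, which an app of this kind should never need.
DANGEROUS_POLICIES = {
    "wipe-data": "Erase all data",
    "reset-password": "Reset password",
    "limit-password": "Limit password",
}


def device_admin_receivers(manifest_xml):
    """Return (receiver name, policy resource) for every receiver that can be
    bound as a device administrator, i.e. is protected by BIND_DEVICE_ADMIN."""
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        if receiver.get(android("permission")) != "android.permission.BIND_DEVICE_ADMIN":
            continue
        resource = None
        for meta in receiver.findall("meta-data"):
            if meta.get(android("name")) == "android.app.device_admin":
                resource = meta.get(android("resource"))
        found.append((receiver.get(android("name")), resource))
    return found


def requested_policies(policy_xml):
    """Policies declared in the device_admin resource (children of <uses-policies>)."""
    root = ET.fromstring(policy_xml)
    uses = root.find("uses-policies")
    return set() if uses is None else {child.tag for child in uses}


def triage(manifest_xml, policy_xml):
    """Flag an app that registers as device admin and asks for destructive policies."""
    receivers = device_admin_receivers(manifest_xml)
    policies = requested_policies(policy_xml) if receivers else set()
    flagged = sorted(p for p in policies if p in DANGEROUS_POLICIES)
    return {
        "device_admin": bool(receivers),
        "policies": sorted(policies),
        "flagged": [DANGEROUS_POLICIES[p] for p in flagged],
        "verdict": "suspicious" if flagged else "ok",
    }


# Constructed samples: a decoded manifest (as produced by apktool) and the
# device_admin resource it points at. Package and class names are invented.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeflash">
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
                 android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

SAMPLE_POLICY = """<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies>
    <wipe-data/>
    <reset-password/>
    <limit-password/>
  </uses-policies>
</device-admin>"""

# A policy file a legitimate app (for instance a login-attempt monitor) might declare.
BENIGN_POLICY = """<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies>
    <watch-login/>
  </uses-policies>
</device-admin>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_POLICY))
    print(triage(SAMPLE_MANIFEST, BENIGN_POLICY))
```

The check is deliberately conservative: registering a device-admin receiver is not by itself a verdict, since anti-theft and MDM apps do it legitimately, so only the combination of the receiver and a destructive policy is flagged.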

On 28/10/14 At 12:54 PM


A Tale of Two Powerpoint Vulnerabilities

It has already been a week since the announcement of the CVE-2014-4114 vulnerability, and the number of groups exploiting it has only increased.

There are even files whose metadata is unchanged, which clearly shows that they were copied from the original, as in the case of Mirtec and Cueisfry (a trojan linked to APT attacks against Japanese targets). The authors behind these families copied the PowerPoint document originally used by BlackEnergy and simply replaced the payload and the content with legitimate material found online.

file_properties (110k image)
BlackEnergy, Mirtec, Cueisfry document metadata, respectively
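Unchanged core properties are a cheap thing to check for at scale, and the CVE-2014-4114 documents carried their payload as embedded OLE objects, which a lecture deck normally has no reason to contain. What follows is an added example, not code from the original post: it fingerprints the docProps/core.xml of an OOXML package, lists embedded OLE parts, and compares against fingerprints of known malicious documents. The decks it runs on are minimal zips built in memory with constructed metadata, not the real files from the screenshot.

```python
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml inside an OOXML (.pptx/.ppsx) package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
FIELDS = ("dc:creator", "cp:lastModifiedBy", "dcterms:created", "dcterms:modified")


def core_properties(pptx_bytes):
    """Author and timestamp fields from docProps/core.xml (empty dict if absent)."""
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))
    props = {}
    for field in FIELDS:
        el = root.find(field, NS)
        props[field.split(":")[1]] = None if el is None else el.text
    return props


def metadata_fingerprint(pptx_bytes):
    """SHA-1 over the core properties. Documents cloned from one template and
    re-saved without touching the metadata share the same fingerprint."""
    props = core_properties(pptx_bytes)
    joined = "|".join(str(props.get(k)) for k in ("creator", "lastModifiedBy", "created", "modified"))
    return hashlib.sha1(joined.encode("utf-8")).hexdigest()


def embedded_objects(pptx_bytes):
    """Names of OLE objects embedded in the deck (stored under ppt/embeddings/)."""
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        return sorted(n for n in z.namelist() if n.startswith("ppt/embeddings/"))


def triage(pptx_bytes, known_bad_fingerprints):
    """Combine both signals into a verdict with reasons."""
    fp = metadata_fingerprint(pptx_bytes)
    objs = embedded_objects(pptx_bytes)
    reasons = []
    if fp in known_bad_fingerprints:
        reasons.append("core properties identical to a known malicious document")
    if objs:
        reasons.append("embedded OLE objects: " + ", ".join(objs))
    return {"fingerprint": fp, "suspicious": bool(reasons), "reasons": reasons}


def build_pptx(core_xml, parts):
    """Build a minimal OOXML zip in memory. Constructed test input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core_xml)
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed metadata standing in for the template's; the real values are in
# the screenshot above and are not reproduced here.
TEMPLATE_CORE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>template-author</dc:creator>
  <cp:lastModifiedBy>template-author</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2014-09-01T08:00:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2014-09-01T08:05:00Z</dcterms:modified>
</cp:coreProperties>"""

# Compound-file magic followed by filler; a stand-in for an OLE package, not a real one.
OLE_STUB = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"constructed stand-in for an OLE package"

ORIGINAL = build_pptx(TEMPLATE_CORE, {"ppt/slides/slide1.xml": b"<p:sld>original text</p:sld>",
                                      "ppt/embeddings/oleObject1.bin": OLE_STUB})
COPYCAT = build_pptx(TEMPLATE_CORE, {"ppt/slides/slide1.xml": b"<p:sld>lecture notes found online</p:sld>",
                                     "ppt/embeddings/oleObject1.bin": OLE_STUB})
CLEAN = build_pptx(TEMPLATE_CORE.replace("template-author", "lecturer"),
                   {"ppt/slides/slide1.xml": b"<p:sld>lecture notes found online</p:sld>"})
KNOWN_BAD = {metadata_fingerprint(ORIGINAL)}

if __name__ == "__main__":
    for label, doc in (("copycat", COPYCAT), ("clean", CLEAN)):
        print(label, triage(doc, KNOWN_BAD))
```

The metadata match is the stronger signal here because it survives a complete swap of slide content, which is exactly what the copycats did; the OLE check on its own will also fire on legitimate decks that embed spreadsheets, so treat it as a reason to look closer rather than a verdict.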

Well, if another party’s formula already works, there is no need to reinvent the wheel. Until a patch is pushed out, that is. Which brings us to Taleret, a malware family known to be behind certain APT attacks against Taiwanese targets. After CVE-2014-4114 was patched, the attackers had to improvise: this time Taleret took a clean PowerPoint document and embedded its payload so that it would be executed via CVE-2014-6352, a weakness left unaddressed by the CVE-2014-4114 patch.

file_properties_update (49k image)

Although Microsoft has released a patch for CVE-2014-4114, CVE-2014-6352 has yet to be patched.

However, a Fix it tool is available here.

It seems that most of the content used by the malicious PowerPoint documents has been harvested from educational institutions or from R&D materials available on the Internet, which makes it quite challenging to tell the malicious documents apart from the clean ones.

Here are some examples of both the clean documents and their malicious counterparts:

clean_malware (145k image)

While there is no patch for the other vulnerability yet, if you can’t tell which document is clean and which is malicious, verify the documents you receive with their source. Or update your antivirus signatures and check whether they are detected.

product_scan (60k image)

Hashes (SHA-1):
8f31ed3775af80cf458f9c9dd4879c62d3ec21e5 – Mirtec – C&C: 116.212.127.20
66addf1d47b51c04a1d1675b751fbbfa5993a0f0 – Cueisfry – C&C: ms.privacyserve.org
488861f8485703c97a0f665dd7503c70868d4272 – Taleret – C&C: 70.88.151.213
e9020a3cff098269a0c878a58e7abb81c9702691
02b9123088b552b6a566fc319faef385bec46250
98841ea573426883fdc2dad5e50caacfe08c8489
7d0cecfad6afbe9c0707bf82a68fff44541a2235

On 24/10/14 At 01:10 PM


Wanted: Testers For The Greatest Android App Ever

Okay… so the greatest Android app “ever” is a bit of friendly hyperbole. But still, it really is a great app. What app? Well, F-Secure Freedome of course (currently available for Android and iOS).

The Freedome team (along with a Labs team) is developing a new Android feature — cloud-based reputation scanning. And we need numerous testers for the beta app. (You?)

Here’s a preview:

Freedome beta, App security
See it in action

The function is entirely cloud-based, i.e., no database updates to download. So it’s very light.

People wanting to exercise their freedom of speech are increasingly turning to VPN services to circumvent censorship. And in return, many are being targeted by government-sponsored malware.

We need your help. Even just using the beta contributes.

Participants will receive three months of free service, and active participants are eligible to receive Freedome hoodies.

But wait, there’s something more…

We’ve designed a new “labs sticker”. And testers will be the first people offered a chance to get one.

So join the beta now!

Don’t worry if you already have Freedome installed, this beta can be installed side-by-side, so you can also participate.

Cheers!

—————

F-Secure’s Privacy Principles.

On 22/10/14 At 07:20 PM


Android NFC hack allows users to get free rides on public transportation

More and more people are talking about payments via NFC. The problem in this particular case is that somebody reverse-engineered the “Tarjeta BIP!” cards and found a way to recharge them for free.


Hacking a Video Poker Machine

Kevin Poulsen has written an interesting story about two people who successfully exploited a bug in a popular video poker machine.


One Doesn’t Simply Analyze Moudoor

Today we are pleased to see an important milestone reached in a coordinated campaign against a sophisticated and well-resourced cyber espionage group. We have recently been participating in a Coordinated Malware Eradication initiative led by Novetta, in cooperation with other security vendors, in particular iSight, Cisco, Volexity, Tenable, ThreatConnect, ThreatTrack Security, Microsoft and Symantec, with the aim of disrupting the operations of this group. Today, we are jointly releasing an improved level of coverage against the threats used by the group.

This espionage group, which we believe to have a strong Chinese nexus, has been targeting several industry sectors from finance, education and government to policy groups and think tanks. They have been operational at least since 2010.

The attackers use several different tools to conduct their operations. One of the tools used by these criminals is Moudoor.

Moudoor is a derivative of the well-known Gh0st RAT (remote access tool), which has spawned many derivatives over time. In fact, Gh0st’s source code has been circulating on the internet at least since 2008.

Moudoor was named after the functions that were exported by the malware components.

screenshot1_mydoor (21k image)

screenshot2_door (21k image)

Later versions of this malware have dropped such explicit strings, however, the name of the threat remains.

One of the things that lets us distinguish Moudoor from the many other derivatives of Gh0st is the magic value it uses when communicating with its C&C. This value has consistently been “HTTPS”, and it is one of the key distinguishers we have used to track this particular strain over time.
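In the public Gh0st source every C&C packet starts with a 13-byte header: the five magic bytes, a little-endian 32-bit total packet length and a little-endian 32-bit uncompressed length, followed by a zlib-compressed body. The following is an added example, not part of the original post: a parser that recognises that framing and labels a flow as Gh0st or Moudoor by the magic alone, checking the length fields and the zlib body before reporting anything. It assumes Moudoor keeps the Gh0st packet layout apart from the magic; the post only confirms the magic. The flows it classifies are constructed, not captured traffic.

```python
import struct
import zlib

MAGIC_LEN = 5
HEADER_LEN = MAGIC_LEN + 4 + 4  # magic, total length, uncompressed length (uint32 LE)

# Magic bytes at the start of every C&C packet: "Gh0st" in the public source,
# "HTTPS" in Moudoor (the distinguisher described above).
FAMILY_BY_MAGIC = {b"Gh0st": "Gh0st", b"HTTPS": "Moudoor"}


def build_packet(magic, body):
    """Assemble a packet the way the Gh0st code does: header + zlib-compressed body.
    Used here only to construct test traffic."""
    compressed = zlib.compress(body)
    return magic + struct.pack("<II", HEADER_LEN + len(compressed), len(body)) + compressed


def parse_packet(data):
    """Return {"family", "magic", "body"} for a well-formed packet, else None.

    The five magic bytes alone are not enough: "HTTPS" is printable ASCII and
    can occur in ordinary traffic. A genuine packet also carries a self-consistent
    length header and a body that inflates to the length it claims, so all three
    are required before a flow is labelled.
    """
    if len(data) < HEADER_LEN:
        return None
    magic = bytes(data[:MAGIC_LEN])
    family = FAMILY_BY_MAGIC.get(magic)
    if family is None:
        return None
    total_len, body_len = struct.unpack("<II", data[MAGIC_LEN:HEADER_LEN])
    if total_len < HEADER_LEN or total_len > len(data):
        return None
    try:
        body = zlib.decompress(data[HEADER_LEN:total_len])
    except zlib.error:
        return None
    if len(body) != body_len:
        return None
    return {"family": family, "magic": magic.decode("ascii"), "body": body}


def classify_flows(flows):
    """Label the first client packet of each (name, bytes) flow with a family or None.
    A real TLS connection begins with a record header (0x16 0x03 ...), not the
    ASCII string "HTTPS", so the Moudoor magic does not collide with genuine HTTPS."""
    return [(name, (parse_packet(pkt) or {}).get("family")) for name, pkt in flows]


# Constructed flows: two RAT beacons, a genuine TLS ClientHello prefix, and plain
# text that happens to start with the Moudoor magic.
SAMPLE_FLOWS = [
    ("moudoor-beacon", build_packet(b"HTTPS", b"constructed beacon from WORKSTATION-01")),
    ("gh0st-beacon", build_packet(b"Gh0st", b"constructed beacon from PC-LAB")),
    ("real-tls", bytes.fromhex("16030100") + b"\x2f" + b"\x01" * 47),
    ("chatter", b"HTTPS proxy required\r\n"),
]

if __name__ == "__main__":
    for name, family in classify_flows(SAMPLE_FLOWS):
        print("%-16s %s" % (name, family or "-"))
```

Because the length and compression checks are applied to the first packet only, a sensor using this would buffer up to `total_len` bytes of a new connection before deciding; anything that never reaches a consistent header is simply left unlabelled.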

At its core, Moudoor is a powerful remote access tool. The chain of events that leads to a Moudoor infection usually begins with the exploitation of 0-day vulnerabilities through watering hole attacks. For example, the attackers have previously used CVE-2012-4792 to eventually land Moudoor on victim machines.

Moudoor has an impressive list of capabilities, some of which are inherited from being a derivative of the Gh0st RAT. Gh0st features extensive file system manipulation functionalities, advanced spying, monitoring features and more.

Of course, Moudoor’s authors have continued to customize their “fork” over time by adding new features and removing those which were not needed. For example, earlier variants of Moudoor kept Gh0st’s ability to open a remote shell, but this capability has disappeared in the newer versions. On the other hand, the attackers have worked to tailor which information is extracted from the victim machines to their specific needs and interests.

Analysis of Moudoor’s code also gave us hints that the authors of this threat are of Chinese origin. During its execution, the malware builds a string containing the current time; that string uses Chinese characters to represent the time in human-readable format.

screenshot3_chinese (24k image)

You can read a more detailed summary of the whole operation here. Microsoft has also published information about this operation, which is available from this link.

We are detecting this family as Backdoor:W32/Moudoor. Our customers have received automatic updates to detect the tools known to be used by the attackers. You can also use our Online Scanner to check for signs of compromise. Our Online Scanner is a stand-alone tool that does not require installation, so it lets you quickly check for infections simply by downloading and running it.


Moudoor hashes (SHA-1):

0fb004ed2a9c07d38b4f734b8d1621b08be731c1
83f3babe080ef0dd603ea9470a4151354f0963d5
b315fe094bb444b6b64416f3c7ea41b28d1990a4

On 14/10/14 At 04:06 PM


Bob and Alice Discover a Mac OPSEC Issue

The following is a true story. The names have been changed because the identity of those involved is none of your business.

Bob uses Linux. Alice uses Mac. Bob gave Alice a file via FAT32 formatted USB drive. Alice inserted the USB drive into her Mac, copied the file, and then gave the USB drive back to Bob. Later, Bob inserted the USB drive into his Linux computer and saw Mac files. Lots and lots of Mac files. And that’s typical.

Mac files on a USB drive as seen via Linux

Anybody who has exchanged files with a Mac user knows that Mac OS X copies various “hidden” files to USB drives.

Here’s the interesting part…

Bob was curious about the function of the files. (And why so many, what do they do?) Being a reverse engineer, Bob naturally examined the files with a hex editor. And that’s when he discovered that a file called “.store.db” contained e-mail addresses, subject lines, and in a few cases, the opening sentence of Alice’s messages.

Alarmed that such data was copied to his USB drive, Bob investigated further and found that the information couldn’t be seen using a forensic tool designed specifically for viewing such .db files. In that view, “.store.db” appeared identical to “store.db”. Only a hex editor view revealed the leaked information embedded within .store.db, so it isn’t at all obvious with standard forensic tools.
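What Bob did by hand, skimming a hex dump for readable text, is easy to automate for a whole drive. The following is an added example, not code from the original post: it walks a mounted volume, reads only hidden files (dot-prefixed, or inside a dot-prefixed directory), pulls printable runs out of them in both 8-bit and UTF-16LE form, since an unknown file format may use either, and reports any e-mail addresses it finds. The `.store.db` contents it is tested on are constructed bytes, not Alice’s data.

```python
import os
import re
import sys

MIN_LEN = 6
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def printable_strings(data):
    """Yield printable runs from raw bytes, the way `strings` or a hex-editor
    skim would surface them, trying both 8-bit and UTF-16LE encodings."""
    for m in ASCII_RUN.finditer(data):
        yield m.group().decode("ascii")
    for m in UTF16LE_RUN.finditer(data):
        yield m.group().decode("utf-16-le")


def find_leaks(data):
    """Sorted unique e-mail addresses found anywhere in a byte blob."""
    found = set()
    for s in printable_strings(data):
        found.update(EMAIL.findall(s))
    return sorted(found)


def hidden_files(root):
    """Paths under root whose name, or any parent directory's name, starts with a dot."""
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        in_hidden_dir = any(part.startswith(".") for part in rel.split(os.sep) if part != ".")
        for name in filenames:
            if in_hidden_dir or name.startswith("."):
                yield os.path.join(dirpath, name)


def scan_volume(root):
    """Map each hidden file on a mounted drive to the addresses it leaks
    (files with nothing to report are omitted)."""
    report = {}
    for path in hidden_files(root):
        try:
            with open(path, "rb") as f:
                leaks = find_leaks(f.read())
        except OSError:
            continue
        if leaks:
            report[path] = leaks
    return report


# Constructed stand-in for a leaking .store.db: binary padding, an address in
# plain ASCII, one in UTF-16LE, and a subject line. Not real data.
SAMPLE_STORE_DB = (
    b"\x00\x00" + b"reporter@example.org" + b"\x00\x00"
    + "source@example.net".encode("utf-16-le")
    + b"\x00\x00Subject: meeting tomorrow\x00"
)

if __name__ == "__main__":
    # Usage: python leakscan.py /media/usb   (the script name is a placeholder)
    for path, addresses in scan_volume(sys.argv[1]).items():
        print(path)
        for address in addresses:
            print("   ", address)
```

The pattern is deliberately limited to e-mail addresses because they are unambiguous; subject lines and message openings, which Bob also found, have no shape a regex can match, so for those the printable-string output still has to be read by a person.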

We have examined Bob’s USB drive and can confirm that there is data in the .store.db file that really shouldn’t be there. We have been unsuccessful in reproducing the issue with our own Mac computers. We don’t have access to Alice or her computer, so we can only speculate. The data may have leaked due to an unknown configuration, it may have leaked due to third-party software, or it may have leaked due to malware.

Here’s the concern…

Imagine you’re a reporter. Do you want data about the e-mail to your sources leaking to somebody else’s USB drive? Definitely not! In some countries, an OPSEC failure such as this could easily land people in jail.

We don’t normally write about unknowns. But we do so in this particular case in the hope that somebody will be able to identify the source of the issue. And if somebody does — we’ll update this post.

On 13/10/14 At 01:21 PM


NSA Has Undercover Operatives in Foreign Companies

The latest Intercept article on the Snowden NSA documents talks about their undercover operatives working in foreign companies. There are no specifics, although the countries China, Germany, and South Korea are mentioned. It’s also hard to tell if the NSA has undercover operatives working in companies in those countries, or has undercover contractors visiting those companies. The document is dated 2004, although there’s no reason to believe that the NSA has changed its behavior since then.

The most controversial revelation in Sentry Eagle might be a fleeting reference to the NSA infiltrating clandestine agents into “commercial entities.” The briefing document states that among Sentry Eagle’s most closely guarded components are “facts related to NSA personnel (under cover), operational meetings, specific operations, specific technology, specific locations and covert communications related to SIGINT enabling with specific commercial entities (A/B/C)”

It is not clear whether these “commercial entities” are American or foreign or both. Generally the placeholder “(A/B/C)” is used in the briefing document to refer to American companies, though on one occasion it refers to both American and foreign companies. Foreign companies are referred to with the placeholder “(M/N/O).” The NSA refused to provide any clarification to The Intercept.

That program is SENTRY OSPREY, which is a program under SENTRY EAGLE.

The document makes no other reference to NSA agents working under cover. It is not clear whether they might be working as full-time employees at the “commercial entities,” or whether they are visiting commercial facilities under false pretenses.

Least fun job right now: being the NSA person who fielded the telephone call from the The Intercept to clarify that (A/B/C)/(M/N/O) thing. “Hi. We’re going public with SENTRY EAGLE next week. There’s one thing in the document we don’t understand, and we wonder if you could help us….” Actually, that’s wrong. The person who fielded the phone call had no idea what SENTRY EAGLE was. The least fun job belongs to the person up the command chain who did.

Wired article. SlashDot and Hacker News threads.


Online Activism and the Computer Fraud and Abuse Act

Good essay by Molly Sauter: basically, there is no legal avenue for activism and protest on the Internet.

Also note Sauter’s new book, The Coming Swarm.
