Wanted: Testers For The Greatest Android App Ever

Okay… so the greatest Android app “ever” is a bit of friendly hyperbole. But still, it really is a great app. What app? Well, F-Secure Freedome of course (currently available for Android and iOS).

The Freedome team (along with a Labs team) is developing a new Android feature — cloud-based reputation scanning. And we need numerous testers for the beta app. (You?)

Here’s a preview:

Image: Freedome beta, App security (see it in action)

The function is entirely cloud-based, i.e., no database updates to download. So it’s very light.

People wanting to exercise their freedom of speech are increasingly turning to VPN services to circumvent censorship. And in return, many are being targeted by government-sponsored malware.

We need your help. Even just using the beta contributes.

Participants will receive three months of free service, and active participants are eligible to receive Freedome hoodies.

But wait, there’s something more…

We’ve designed a new “labs sticker“. And testers will be the first people offered a chance to get one.

So join the beta now!

Don’t worry if you already have Freedome installed, this beta can be installed side-by-side, so you can also participate.



F-Secure’s Privacy Principles.

On 22/10/14 At 07:20 PM

More here

Posted in Uncategorized | Leave a comment

Android NFC hack allows users to get free rides on public transportation

More and more people keep talking about paying via NFC. The problem in this particular case is that somebody reverse engineered the “Tarjeta BIP!” cards and found a way to recharge them for free.

More here


Hacking a Video Poker Machine

Kevin Poulsen has written an interesting story about two people who successfully exploited a bug in a popular video poker machine.

More here


One Doesn’t Simply Analyze Moudoor

Today we are pleased to see an important milestone reached in a coordinated campaign against a sophisticated and well-resourced cyber espionage group. We have recently been participating in a Coordinated Malware Eradication initiative led by Novetta, in cooperation with other security vendors, in particular iSight, Cisco, Volexity, Tenable, ThreatConnect, ThreatTrack Security, Microsoft and Symantec, with the aim of disrupting the operations of this particular group. Today, we are jointly releasing an improved level of coverage against the threats utilized by the group.

This espionage group, which we believe to have a strong Chinese nexus, has been targeting several industry sectors from finance, education and government to policy groups and think tanks. They have been operational at least since 2010.

The attackers use several different tools to conduct their operations. One of the tools used by these criminals is Moudoor.

Moudoor is a derivative of the famous Gh0st RAT (remote access tool), which has spawned many derivatives over time. In fact, its source code has been circulating across the internet at least since 2008.

Moudoor was named after the functions that were exported by the malware components.

Image: screenshot1_mydoor

Image: screenshot2_door

Later versions of this malware have dropped such explicit strings, however, the name of the threat remains.

One of the things that allows us to distinguish Moudoor from the many other derivatives of Gh0st is the particular magic value that it uses to communicate with its C&C. This value has been consistently set to “HTTPS”, and that is one of the key distinguishing features we have used to track this particular strain over time.
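The magic value is only a useful detection handle if it is checked together with the surrounding message structure, since the five bytes “HTTPS” also occur in ordinary text. The following Python is an added example, not F-Secure’s detection code, and it assumes the usual Gh0st framing reported in public analyses of that family (a 5-byte magic, a little-endian 32-bit total length, a little-endian 32-bit uncompressed length, then a zlib-compressed body); the stock “Gh0st” magic is likewise taken from those public analyses rather than from this post. It builds frames the way a Gh0st-style client would, validates captured bytes against that structure, and labels the strain by its magic.

```python
import struct
import zlib

# Magic the post reports for Moudoor, and the stock Gh0st value for comparison (the latter is
# from public Gh0st analyses, not from the post).
MOUDOOR_MAGIC = b"HTTPS"
GH0ST_MAGIC = b"Gh0st"
HEADER_LEN = 13  # assumed Gh0st framing: 5-byte magic, uint32 total length, uint32 plain length


def build_frame(magic, payload):
    """Produce one frame the way a Gh0st-style client would: header followed by zlib body."""
    body = zlib.compress(payload)
    return magic + struct.pack("<II", HEADER_LEN + len(body), len(payload)) + body


def parse_frame(data):
    """Return (magic, plaintext) if data starts with a well-formed frame, else None."""
    if len(data) < HEADER_LEN:
        return None
    magic = data[:5]
    total, plain_len = struct.unpack_from("<II", data, 5)
    if total < HEADER_LEN or total > len(data):   # length field must fit the captured bytes
        return None
    try:
        plaintext = zlib.decompress(data[HEADER_LEN:total])
    except zlib.error:
        return None
    if len(plaintext) != plain_len:                 # both length fields must agree with the body
        return None
    return magic, plaintext


def classify(data):
    """Label a byte string by its framing and magic value."""
    frame = parse_frame(data)
    if frame is None:
        return "not-gh0st-framing"
    magic = frame[0]
    if magic == MOUDOOR_MAGIC:
        return "moudoor-variant"
    if magic == GH0ST_MAGIC:
        return "gh0st-stock"
    return "gh0st-derivative:" + magic.decode("latin-1")


def scan_stream(data, magics=(MOUDOOR_MAGIC, GH0ST_MAGIC)):
    """Find every structurally valid frame in a reassembled TCP payload: [(offset, label, plaintext)]."""
    hits = []
    for magic in magics:
        start = 0
        while (pos := data.find(magic, start)) != -1:
            frame = parse_frame(data[pos:])
            if frame is not None:
                hits.append((pos, classify(data[pos:]), frame[1]))
            start = pos + 1
    return sorted(hits)


if __name__ == "__main__":
    # Constructed capture: noise, one Moudoor-style frame, then an ordinary HTTP response.
    capture = b"\x00junk" + build_frame(MOUDOOR_MAGIC, b"hello") + b"HTTP/1.1 200 OK\r\n\r\n"
    print(scan_stream(capture))
```

A real HTTP response starts with “HTTP/”, so it never matches the five-byte magic, and any stray “HTTPS” inside page text fails the length and zlib consistency checks; it is that structural check, not the string alone, that makes the magic a reliable indicator.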

At its core, Moudoor is a powerful remote access tool. The chain of events that leads to a Moudoor infection usually begins with the exploitation of 0-day vulnerabilities through watering hole attacks. For example, the attackers have previously used CVE-2012-4792 to eventually get Moudoor onto victim machines.

Moudoor has an impressive list of capabilities, some of which are inherited from being a derivative of the Gh0st RAT. Gh0st features extensive file system manipulation functionality, advanced spying and monitoring features, and more.

Of course, Moudoor’s authors have continued to customize their “fork” over time by adding new features and removing those which were not needed. For example, earlier variants of Moudoor kept Gh0st’s ability to open a remote shell, but this capability has disappeared in the newer versions. On the other hand, the attackers have worked to tailor which information is extracted from the victim machines to their specific needs and interests.

Analysis of Moudoor’s code also gave us hints that the authors of this threat are of Chinese origin. During its execution, the malware builds a string containing the current time; this string uses Chinese characters to represent the time in human-readable format.

Image: screenshot3_chinese

You can read a more detailed summary of the whole operation here. Microsoft has also published information about this operation, which is available from this link.

We are detecting this family as Backdoor:W32/Moudoor. Our customers have received automatic updates to detect the tools known to be used by the attackers. You can also use our Online Scanner to check for signs of compromise. Our Online Scanner is a stand-alone tool that does not require installation, and thus allows you to quickly check for infections simply by downloading and running it.

Moudoor hashes:


On 14/10/14 At 04:06 PM

More here


Bob and Alice Discover a Mac OPSEC Issue

The following is a true story. The names have been changed because the identity of those involved is none of your business.

Bob uses Linux. Alice uses Mac. Bob gave Alice a file via FAT32 formatted USB drive. Alice inserted the USB drive into her Mac, copied the file, and then gave the USB drive back to Bob. Later, Bob inserted the USB drive into his Linux computer and saw Mac files. Lots and lots of Mac files. And that’s typical.

Mac files on a USB drive as seen via Linux

Anybody who has exchanged files with a Mac user knows that Mac OS X copies various “hidden” files to USB drives.

Here’s the interesting part…

Bob was curious about the function of the files. (And why so many, what do they do?) Being a reverse engineer, Bob naturally examined the files with a hex editor. And that’s when he discovered that a file called “.store.db” contained e-mail addresses, subject lines, and in a few cases, the opening sentence of Alice’s messages.

Alarmed that such data/metadata was copied to his USB drive, Bob investigated further and found that the information couldn’t be seen using a forensic tool designed specifically for viewing such .db files. From a conventional view, “.store.db” appeared to be identical to “store.db”. Only a hex editor view revealed the leaked info embedded within .store.db — so it isn’t at all obvious with standard forensic tools.

We have examined Bob’s USB drive and can confirm that there is data in the .store.db file that really shouldn’t be there. We have been unsuccessful in reproducing the issue with our own Mac computers. We don’t have access to Alice or her computer, so we can only speculate. The data may have leaked due to an unknown configuration, it may have leaked due to third-party software, or it may have leaked due to malware.
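The check Bob performed by hand in a hex editor can be scripted, so that anyone handed back a USB drive can look for the same kind of leak. The Python below is an added example, not part of the original post or of any F-Secure tool: it walks a mounted drive, picks out the hidden files macOS leaves behind, and pulls e-mail addresses and long readable strings out of their raw bytes. Only “.store.db” comes from the post; the other artifact names, and the .Spotlight-V100/Store-V2 location used in the constructed demo, are assumptions from common experience with Spotlight indexes on removable media.

```python
import os
import re
import tempfile
from pathlib import Path

# Hidden names macOS commonly writes to removable media. The post names ".store.db";
# the others are assumptions (Finder, Spotlight, FSEvents and AppleDouble "._" files).
MAC_ARTIFACT_PREFIXES = (
    "._", ".DS_Store", ".Spotlight-V100", ".fseventsd", ".Trashes", ".TemporaryItems", ".store.db",
)
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{12,}")   # runs long enough to be subject lines or body text


def is_mac_artifact(relative_path):
    """True if any component of the path is one of the macOS-created hidden names."""
    return any(part.startswith(MAC_ARTIFACT_PREFIXES) for part in Path(relative_path).parts)


def scan_blob(data):
    """Extract e-mail addresses and long printable runs: what the hex editor view revealed."""
    emails = sorted({m.decode("ascii") for m in EMAIL_RE.findall(data)})
    strings = [m.decode("ascii") for m in PRINTABLE_RE.findall(data)]
    return {"emails": emails, "strings": strings}


def scan_drive(mount):
    """Walk a mount point and report every Mac artifact whose bytes contain an e-mail address."""
    mount = Path(mount)
    findings = {}
    for root, _dirs, files in os.walk(mount):
        for name in files:
            path = Path(root, name)
            rel = path.relative_to(mount).as_posix()
            if not is_mac_artifact(rel):
                continue
            result = scan_blob(path.read_bytes())
            if result["emails"]:
                findings[rel] = result
    return findings


def demo():
    """Build a constructed drive image in a temp directory and scan it."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    store = root / ".Spotlight-V100" / "Store-V2" / "0000"   # assumed Spotlight index location
    store.mkdir(parents=True)
    # Constructed sample bytes: binary noise around text that should never have left the Mac.
    (store / ".store.db").write_bytes(
        b"\x00\x10\xffSubject: Meeting with source\x00\x00alice@example.com\x00\xfe"
    )
    (store / "store.db").write_bytes(bytes(64))                      # no readable text: not reported
    (root / "report.pdf").write_bytes(b"contact bob@example.com")    # not a Mac artifact: not scanned
    return scan_drive(root)


if __name__ == "__main__":
    for path, result in demo().items():
        print(path, result["emails"], result["strings"])
```

Run it against the drive’s mount point (for example `scan_drive("/media/usb")`) rather than against a tool’s parsed view of the database: as the post notes, the leaked text lived outside the records a .db viewer shows, which is why a raw byte scan finds it and a conventional forensic view did not.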

Here’s the concern…

Imagine you’re a reporter. Do you want data about the e-mail to your sources leaking to somebody else’s USB drive? Definitely not! In some countries, an OPSEC failure such as this could easily land people in jail.

We don’t normally write about unknowns. But we do so in this particular case in the hope that somebody will be able to identify the source of the issue. And if somebody does — we’ll update this post.

On 13/10/14 At 01:21 PM

More here


NSA Has Undercover Operatives in Foreign Companies

The latest Intercept article on the Snowden NSA documents talks about their undercover operatives working in foreign companies. There are no specifics, although the countries China, Germany, and South Korea are mentioned. It’s also hard to tell if the NSA has undercover operatives working in companies in those countries, or has undercover contractors visiting those companies. The document is dated 2004, although there’s no reason to believe that the NSA has changed its behavior since then.

The most controversial revelation in Sentry Eagle might be a fleeting reference to the NSA infiltrating clandestine agents into “commercial entities.” The briefing document states that among Sentry Eagle’s most closely guarded components are “facts related to NSA personnel (under cover), operational meetings, specific operations, specific technology, specific locations and covert communications related to SIGINT enabling with specific commercial entities (A/B/C)”

It is not clear whether these “commercial entities” are American or foreign or both. Generally the placeholder “(A/B/C)” is used in the briefing document to refer to American companies, though on one occasion it refers to both American and foreign companies. Foreign companies are referred to with the placeholder “(M/N/O).” The NSA refused to provide any clarification to The Intercept.

That program is SENTRY OSPREY, which is a program under SENTRY EAGLE.

The document makes no other reference to NSA agents working under cover. It is not clear whether they might be working as full-time employees at the “commercial entities,” or whether they are visiting commercial facilities under false pretenses.

Least fun job right now: being the NSA person who fielded the telephone call from The Intercept to clarify that (A/B/C)/(M/N/O) thing. “Hi. We’re going public with SENTRY EAGLE next week. There’s one thing in the document we don’t understand, and we wonder if you could help us….” Actually, that’s wrong. The person who fielded the phone call had no idea what SENTRY EAGLE was. The least fun job belongs to the person up the command chain who did.

Wired article. SlashDot and Hacker News threads.

More here


Online Activism and the Computer Fraud and Abuse Act

Good essay by Molly Sauter: basically, there is no legal avenue for activism and protest on the Internet.

Also note Sauter’s new book, The Coming Swarm.

More here


NCR ATM API Documentation Available on Baidu

A recent ATM breach in Malaysia has caused havoc for several local banks. According to reports, approximately 3 million Malaysian Ringgit (almost 1 million USD) was stolen from 18 ATMs. There is no detailed information on how the attack was performed by the criminals, but according to one local news report, police claimed the criminals installed malware with the file name “ulssm.exe”, which was found on the compromised ATMs. Based on the file name, we know that the malware in question was first discovered by Symantec and is known as “PadPin”. Basic technical information about this malware can be found here. We have no confirmation that PadPin is the same malware used in the Malaysian ATM hacks. But even so, we have discovered something interesting by doing our own analysis of PadPin’s code.

We searched through our backend sample collection system and quickly located a few samples related to the aforementioned file name. Our automated sample analysis system did not determine the samples to be malicious because they will not run on a typical Windows computer; they require a DLL library which appears to be available only on machines such as ATMs or self-service terminals running a Windows Embedded operating system. The DLL library is known as Extension for Financial Services (XFS):

Image: Malware import Extension for Financial Services library

When we took a look at the code, we saw some unfamiliar API functions which are imported via MSXFS.dll, as shown in the image above. Unfortunately Microsoft does not provide official documentation for these APIs, which makes understanding the malware code more difficult. The questions remained until we came across a part of the code in which the malware attempts to establish a communication channel with the ATM pin pad device via one of these APIs. Basically, its purpose is to listen and wait for keys entered on the pin pad by the criminals in order to carry out different tasks, as described in Symantec’s write-up. In other words, the commands supported by the malware are limited to the keys available on the pin pad device. For instance, when the criminal enters “0” on the pin pad, the malware starts dispensing money from the ATM. Analyzing the code, we started wondering how the malware author knew which pin pad service name to pass to the API so that the program could interact with the pin pad device. It’s a valid question, because the pin pad service name used in the code is quite specific and it is very unlikely that one could figure it out without documentation.
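The observation that an automated sandbox missed these samples because they only run where MSXFS.dll exists suggests a static triage step: read the import table and flag anything that links against the XFS middleware. The Python below is an added example, not code from the post or from any F-Secure system. It parses the PE import directory by hand so it runs offline without third-party libraries, and it includes a constructed minimal PE32 whose import table names MSXFS.dll together with WFSOpen, WFSRegister and WFSExecute; those are real CEN/XFS API entry points, but the post does not list which functions the sample imported, so their use here is an assumption.

```python
import struct

XFS_DLL = "msxfs.dll"   # the library the post identifies; DLL names are compared case-insensitively


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset using the section table."""
    for va, raw_ptr, raw_size, virt_size in sections:
        if va <= rva < va + max(raw_size, virt_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is outside every section")


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("latin-1")


def list_imports(pe):
    """Return {dll_name_lower: [imported names]} from a PE32 or PE32+ image as stored on disk."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    is64 = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    imp_rva, _imp_size = struct.unpack_from("<II", pe, opt + (112 if is64 else 96) + 8)
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        virt_size, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        sections.append((va, raw_ptr, raw_size, virt_size))
    imports = {}
    if imp_rva == 0:
        return imports
    thunk_fmt, thunk_len = ("<Q", 8) if is64 else ("<I", 4)
    ordinal_flag = 1 << (63 if is64 else 31)
    desc = _rva_to_offset(imp_rva, sections)
    while True:
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", pe, desc)
        if name_rva == 0:                       # an all-zero descriptor terminates the table
            break
        dll = _cstring(pe, _rva_to_offset(name_rva, sections)).lower()
        thunk = _rva_to_offset(oft or ft, sections)   # prefer the import name table
        names = []
        while (entry := struct.unpack_from(thunk_fmt, pe, thunk)[0]) != 0:
            if entry & ordinal_flag:
                names.append(f"ordinal_{entry & 0xFFFF}")
            else:                               # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the name
                names.append(_cstring(pe, _rva_to_offset(entry, sections) + 2))
            thunk += thunk_len
        imports[dll] = names
        desc += 20
    return imports


def xfs_triage(pe):
    """Flag a sample that can only run where the XFS middleware exists (ATM / self-service hosts)."""
    imports = list_imports(pe)
    return {"uses_xfs": XFS_DLL in imports, "xfs_functions": imports.get(XFS_DLL, [])}


def make_sample_pe(dll, funcs):
    """Constructed minimal PE32 (one section at RVA 0x1000, file offset 0x200) importing dll/funcs."""
    base_rva, raw_ptr = 0x1000, 0x200
    sec = bytearray(40)                         # one import descriptor plus the null terminator

    def put(blob):
        off = len(sec)
        sec.extend(blob)
        return base_rva + off

    name_rva = put(dll.encode() + b"\0")
    hint_rvas = [put(b"\0\0" + f.encode() + b"\0") for f in funcs]
    thunks = b"".join(struct.pack("<I", r) for r in hint_rvas) + b"\0\0\0\0"
    int_rva, iat_rva = put(thunks), put(thunks)
    struct.pack_into("<IIIII", sec, 0, int_rva, 0, 0, name_rva, iat_rva)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<II", opt, 96 + 8, base_rva, 40)        # data directory[1] = imports
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = b".rdata".ljust(8, b"\0") + struct.pack("<IIII", len(sec), base_rva, len(sec), raw_ptr) + bytes(16)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(raw_ptr, b"\0") + bytes(sec)


if __name__ == "__main__":
    print(xfs_triage(make_sample_pe("MSXFS.dll", ["WFSOpen", "WFSRegister", "WFSExecute"])))
```

Feeding `xfs_triage` with `open(path, "rb").read()` gives a verdict without executing anything, which is the point: a sandbox built around ordinary Windows images never reaches the code that talks to the pin pad, so the import table is the cheapest signal that a sample belongs on an ATM analyst’s desk rather than in the general queue.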

Therefore, we did some web searches for the API documentation using the API name and the pin pad service name. And the result? We easily found the documentation from a dedicated ebooks website hosted on Baidu which appears to be the NCR programmer’s reference manual.

WOSA/XFS Programmer's Reference Manual

After skimming through the documentation, we concluded that writing a program that interacts with an ATM becomes easy even for someone without any prior knowledge of how to write software that communicates with these devices. The documentation is helpful enough to give programmers sample code as well. Coincidentally, we also found that the alleged malware targeting Malaysian banks’ ATMs attempts to remove the “AptraDebug.lnk” shortcut file from the Windows startup folder as well as the launch point registry key “AptraDebug” on the infected machine. Its purpose is presumably to disable the default ATM software running on the machine and replace it with the malware when the machine is rebooted. This file and registry key seem to refer to NCR APTRA XFS software, so it is safe to assume that the malware aims to target only machines running this self-service platform software.

In conclusion, it’s possible this documentation was leaked and uploaded by somebody other than PadPin’s authors. And we should not rule out that the malware could be written by some experienced programmers who are or were bank employees.

It is practically impossible to stop somebody from viewing or downloading the documentation once it is available on the Internet, but there are some countermeasures banks can use to prevent such breaches from happening again. One of the most straightforward mitigation methods is to prevent the ATM machine from running files directly from USB or CD-ROM.

Post by — Wayne

On 07/10/14 At 02:28 PM

More here


iPhone Encryption and the Return of the Crypto Wars

Last week, Apple announced that it is closing a serious security vulnerability in the iPhone. It used to be that the phone’s encryption only protected a small amount of the data, and Apple had the ability to bypass security on the rest of it.

From now on, all the phone’s data is protected. It can no longer be accessed by criminals, governments, or rogue employees. Access to it can no longer be demanded by totalitarian governments. A user’s iPhone data is now more secure.

To hear US law enforcement respond, you’d think Apple’s move heralded an unstoppable crime wave. See, the FBI had been using that vulnerability to get into people’s iPhones. In the words of cyberlaw professor Orin Kerr, “How is the public interest served by a policy that only thwarts lawful search warrants?”

Ah, but that’s the thing: You can’t build a backdoor that only the good guys can walk through. Encryption protects against cybercriminals, industrial competitors, the Chinese secret police and the FBI. You’re either vulnerable to eavesdropping by any of them, or you’re secure from eavesdropping from all of them.

Backdoor access built for the good guys is routinely used by the bad guys. In 2005, some unknown group surreptitiously used the lawful-intercept capabilities built into the Greek cell phone system. The same thing happened in Italy in 2006.

In 2010, Chinese hackers subverted an intercept system Google had put into Gmail to comply with US government surveillance requests. Back doors in our cell phone system are currently being exploited by the FBI and unknown others.

This doesn’t stop the FBI and Justice Department from pumping up the fear. Attorney General Eric Holder threatened us with kidnappers and sexual predators.

The former head of the FBI’s criminal investigative division went even further, conjuring up kidnappers who are also sexual predators. And, of course, terrorists.

FBI Director James Comey claimed that Apple’s move allows people to “place themselves beyond the law” and also invoked that now overworked “child kidnapper.” John J. Escalante, chief of detectives for the Chicago police department now holds the title of most hysterical: “Apple will become the phone of choice for the pedophile.”

It’s all bluster. Of the 3,576 major offenses for which warrants were granted for communications interception in 2013, exactly one involved kidnapping. And, more importantly, there’s no evidence that encryption hampers criminal investigations in any serious way. In 2013, encryption foiled the police nine times, up from four in 2012 — and the investigations proceeded in some other way.

This is why the FBI’s scare stories tend to wither after public scrutiny. A former FBI assistant director wrote about a kidnapped man who would never have been found without the ability of the FBI to decrypt an iPhone, only to retract the point hours later because it wasn’t true.

We’ve seen this game before. During the crypto wars of the 1990s, FBI Director Louis Freeh and others would repeatedly use the example of mobster John Gotti to illustrate why the ability to tap telephones was so vital. But the Gotti evidence was collected using a room bug, not a telephone tap. And those same scary criminal tropes were trotted out then, too. Back then we called them the Four Horsemen of the Infocalypse: pedophiles, kidnappers, drug dealers, and terrorists. Nothing has changed.

Strong encryption has been around for years. Both Apple’s FileVault and Microsoft’s BitLocker encrypt the data on computer hard drives. PGP encrypts e-mail. Off-the-Record encrypts chat sessions. HTTPS Everywhere encrypts your browsing. Android phones already come with encryption built-in. There are literally thousands of encryption products without back doors for sale, and some have been around for decades. Even if the US bans the stuff, foreign companies will corner the market because many of us have legitimate needs for security.

Law enforcement has been complaining about “going dark” for decades now. In the 1990s, they convinced Congress to pass a law requiring phone companies to ensure that phone calls would remain tappable even as they became digital. They tried and failed to ban strong encryption and mandate back doors for their use. The FBI tried and failed again to ban strong encryption in 2010. Now, in the post-Snowden era, they’re about to try again.

We need to fight this. Strong encryption protects us from a panoply of threats. It protects us from hackers and criminals. It protects our businesses from competitors and foreign spies. It protects people in totalitarian governments from arrest and detention. This isn’t just me talking: The FBI also recommends you encrypt your data for security.

As for law enforcement? The recent decades have given them an unprecedented ability to put us under surveillance and access our data. Our cell phones provide them with a detailed history of our movements. Our call records, e-mail history, buddy lists, and Facebook pages tell them who we associate with. The hundreds of companies that track us on the Internet tell them what we’re thinking about. Ubiquitous cameras capture our faces everywhere. And most of us back up our iPhone data on iCloud, which the FBI can still get a warrant for. It truly is the golden age of surveillance.

After considering the issue, Orin Kerr rethought his position, looking at this in terms of a technological-legal trade-off. I think he’s right.

Given everything that has made it easier for governments and others to intrude on our private lives, we need both technological security and legal restrictions to restore the traditional balance between government access and our security/privacy. More companies should follow Apple’s lead and make encryption the easy-to-use default. And let’s wait for some actual evidence of harm before we acquiesce to police demands for reduced security.

This essay previously appeared on CNN.com

EDITED TO ADD (10/6): Three more essays worth reading. As is this on all the other ways Apple and the government have to get at your iPhone data.

And a Washington Post editorial manages to say this:

How to resolve this? A police “back door” for all smartphones is undesirable–a back door can and will be exploited by bad guys, too. However, with all their wizardry, perhaps Apple and Google could invent a kind of secure golden key they would retain and use only when a court has approved a search warrant.

Because a “secure golden key” is completely different from a “back door.”

More here


Are malware authors targeting people via marketing services?

We spotted an interesting case of a person complaining about e-mail malware with social engineering content which hits home almost too well, and decided to investigate a bit.

The person had been talking to his friend about possibly booking tickets to San Francisco in the near future. Six hours after the phone call he got an e-mail about an electronic plane ticket to San Francisco, with an attachment. The person was cautious enough not to touch the attachment, which was a good decision, as in our analysis it was identified as a variant of Trojan.Krypt.AU.

This may be just a case of mass-spammed malware with social engineering text that hit this particular user at exactly the right moment. But when we checked our sample collection, there were only 1,250 instances of related malware, which would indicate that this particular malware is not being spammed to large audiences. Thus the odds of getting exactly the right hit are very small.

Over the last year providers of targeted advertising have become a lot better at profiling users. For example, when I have been browsing for flight or hotel information, I have started to receive e-mail about flight and hotel offers for that particular destination from TripAdvisor and other companies. Of course, in order to experience this one has to have Freedome disabled so that I can be tracked, but that is the price of wanting to experience the net like a regular user.

So this case looks very much as if some targeted advertising service was misused for victim discovery by malware authors. We have seen advertising misused a lot with search engines, but this is the first case where we have indications that e-mail advertising services are being used in a similar manner.

So far there is no proof that the victim selection was done by abusing targeted profiling, or, if profiling was used, whether it was based on phone call analysis. Perhaps the person searched for something which provided a match for profilers. But this is an interesting case and we will be keeping an eye out for future developments.

Fake Delta e-mail

Post by — Jarno

On 26/09/14 At 11:38 AM

More here
