
Archive for January 2016

BlackBerry to Stay in Pakistan after BES Encryption 'Victory'

BlackBerry’s uncompromising stance on encryption has paid off in Pakistan, where the government has withdrawn its demand for access to the data of enterprise customers.

In a blog post late last week, chief operating officer, Marty Beard, said that Islamabad had “rescinded its shutdown order” and that as such the Canadian firm had “decided to remain in the Pakistan market.”

He added:

“We are grateful to the Pakistan Telecommunication Authority and the Pakistani government for accepting BlackBerry’s position that we cannot provide the content of our customers’ BES traffic, nor will we provide access to our BES servers.

We look forward to serving the Pakistani market for years to come, including introducing new products and services, and thank our valued customers in Pakistan for their patience and loyalty.”  

It’s not clear what will happen to BBM chat messages.

In July, the government ordered BlackBerry to leave the country by 30 November, citing “security reasons,” because the smartphone maker wouldn’t allow it to access BlackBerry Enterprise Service (BES) emails and BBM chats.

That deadline was extended to the end of December, but it was thought that Pakistan’s hardline stance would result in BlackBerry being forced to leave—in a move which would have affected thousands of enterprise customers in the country.

The once-dominant mobile maker prides itself on the security of its platforms but has been forced into compromise by regional governments in the past.

This occurred most notably in India, where in 2013 a long-running stand-off with the authorities ended with BlackBerry providing access to BIS and BBM messages but not to those of BES customers.

The arguments between governments and providers of strongly encrypted messaging services have grown particularly fierce of late in the UK and US, where lawmakers are using the terrorism threat to try to strong-arm tech firms into providing backdoor access to messages.

In the UK the matter is currently under debate in the form of the draft Investigatory Powers Bill passing through Parliament, while in Washington no formal legislation has yet been proposed.

Critics argue that any so-called ‘backdoors’ into such messaging systems created for intelligence agencies and law enforcers will eventually find their way onto the black market, undermining security and privacy for millions of corporate users and consumers.


Source: Information Security Magazine

Tor Project Fights Back with Bug Bounty Promise

The non-profit Tor Project is set to offer a bug bounty program this year designed to encourage researchers to find vulnerabilities in the internet anonymization platform.

The news was revealed during a “State of the Onion” presentation by several key Tor Project members at last week’s Chaos Communication Congress in Hamburg.

Tor browser lead developer, Mike Perry, claimed during the presentation that the program would begin life as “invite only” and cover vulnerabilities specific to Tor applications.

“We are grateful to the people who have looked over our code over the years, but the only way to continue to improve is to get more people involved,” Tor Project co-founder Nick Mathewson told Motherboard.

“This program will encourage people to look at our code, find flaws in it, and help us to improve it.”

The bug bounty will be run by HackerOne—a platform designed specifically to streamline and co-ordinate such programs.

The money will apparently be put up by the Open Technology Fund, a community of experts which uses funds to support internet freedom projects around the world.

The news comes after a year in which the Tor Project was involved in a war of words with Carnegie Mellon University after accusing researchers there of accepting $1 million from the FBI to research holes in the platform.

The university hit back at “inaccurate media reports” in a statement which seemed to imply it had been subpoenaed, rather than paid.

The attack at the center of that dispute ran for roughly six months on the live Tor network: the malicious relays joined in January 2014 and the Tor Project disclosed the attack in July of that year.

The project said that an unidentified party had joined the network in the form of a group of relays, and then set about “modifying Tor protocol headers to do traffic confirmation attacks.”

The FBI was accused of getting Carnegie Mellon to effectively do its dirty work—bypassing legal safeguards preventing federal officers from engaging in this kind of activity without a court order or specific target in mind.


Source: Information Security Magazine

Pre-packaged Russian Dating Scam Templates Revealed

Enterprising cyber-criminals are making life easier for Russian fraudsters by selling them pre-packaged kits providing everything they need to carry out online dating scams, according to Brian Krebs.

The security researcher claimed in a blog post yesterday that the plug-and-play packages include email 'love letter' templates written in English and a variety of other European languages; instructions; pictures; and videos.

“Many of the sample emails read a bit like Mad Libs or choose-your-own-adventure texts, featuring decision templates that include advice for ultimately tricking the mark into wiring money to the scammer,” he explained.

The individual selling one of the fraud packages seen by Krebs apparently guaranteed response rates of at least 1.2%, with fraudsters averaging 30 scam messages a day likely to earn around $2,000 per week.

The scam template is claimed to be more than 20% effective within three replies and over 60% effective after eight.

Several other tricks of the trade recommended by the vendor of the kit include featuring an email from the ‘girl’s’ mother within the first 10 emails, to add legitimacy to the situation. A list of excuses for not talking on the phone is apparently also included.

There’s even advice on how a target can get credit, if he doesn’t have the funds necessary to pay the scammer.

The scams are said to be mainly aimed at lonely straight men, although Krebs claimed the makers of the package also have advice for targeting gay men.

Further legitimacy is added to the dating scam by the inclusion of photos and videos of attractive Russian women—some of whom apparently hold up blank signs onto which can be Photoshopped personalized messages.

A shady call center operative can be hired towards the end of the scam to pretend to be the girl in question. She will claim to be stranded en route to the victim and to require money to buy a visa or get an onward ticket, Krebs revealed.


Source: Information Security Magazine

Ukraine Investigates Russia in Power Grid Attack

Ukraine is investigating a suspected cyber-attack on its power grid by Russia.

Reuters has reported that a Western Ukraine power company said that part of its service area, including the regional capital Ivano-Frankivsk, was left without power due to "interference" in its industrial control systems. The energy ministry in Kiev said that it has set up a special commission to investigate what happened.

The news comes after Crimea lost at least one quarter of its power after Ukraine switched off supplies to the peninsula. Ukrainian police said that the situation was a result of unidentified saboteurs blowing up an electricity pylon; in the Ivano-Frankivsk case, the sabotage appears to have been digital rather than physical.

Ukraine's SBU state security service blamed its neighbor, noting in a statement that it had thwarted malware that was wielded by "Russian security services.” The Kremlin has yet to comment on the allegation.

"It was an attempt to interfere in the system, but it was discovered and prevented," an SBU spokeswoman said, adding that the region would have faced a much longer blackout if the malware had executed as the attackers had intended.

To date, there have been very few documented assaults on industrial targets, although the possibility of such attacks and the vulnerability of the sector are highly publicized. If Ukraine’s accusations are validated, it would be the first time a specific power outage has been credibly linked to a cyber-attack, according to Robert Lee, a former US Air Force cyber warfare operations officer, and it could open the floodgates for nation-state attacks on critical infrastructure.

"Once there is a precedent, that would open up avenues for states to feel comfortable in going that route," said Lee, CEO of cybersecurity firm Dragos Security, speaking to Reuters. He said it was too early to say whether the SBU's account was credible.


Source: Information Security Magazine

Google Patches Another Critical Remote Code Execution Flaw

Google has released a security update to Nexus devices that patches a critical remote code execution vulnerability, among other issues.

The most severe flaw could allow remote code execution on an affected device through multiple delivery methods, such as email, web browsing and MMS, whenever the device processes media files. While parsing a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and execute code with the privileges of the mediaserver process.

The affected functionality is a core part of the operating system, and multiple applications allow it to be reached with remote content, most notably MMS and browser playback of media. The mediaserver service has access to audio and video streams, as well as to privileges that third-party apps cannot normally obtain.

The issue is eerily similar to the Stagefright vulnerability, which was found to affect 95% of Android devices. One of the most dangerous vulnerabilities to hit the Android scene, Stagefright makes Android devices targets of remote take-over by simply receiving an MMS message or other specially crafted media file, without even having to open or view it. That issue also involved a media library that processes several popular media formats.
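The memory-corruption pattern the two preceding paragraphs describe, as an added illustration that is not Android code and not part of Google's bulletin: a toy parser for one chunk of a length-prefixed media container in the MP4/ISO BMFF layout (a 4-byte big-endian size that covers the 8-byte header, a 4-byte type, then the payload). The unchecked version trusts the size field exactly as a remote attacker delivering a file by MMS would want; the checked version validates every quantity derived from the file before it drives a copy. The chunk names, buffer capacity and sample byte strings are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_HDR   8u    /* 4-byte size + 4-byte type */
#define MAX_PAYLOAD 64u   /* capacity of the destination buffer (constructed) */

enum chunk_status {
    CHUNK_OK = 0,
    CHUNK_ERR_SHORT,      /* not even a full header present */
    CHUNK_ERR_SIZE,       /* size field smaller than its own header */
    CHUNK_ERR_TRUNCATED,  /* size field larger than the data we hold */
    CHUNK_ERR_TOO_BIG     /* payload would not fit the destination */
};

struct chunk {
    char     type[5];
    uint8_t  payload[MAX_PAYLOAD];
    uint32_t payload_len;
};

/* Big-endian 32-bit read, the encoding MP4/ISO BMFF uses for box sizes. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The arithmetic the unchecked parser performs on the size field, exposed so
 * it can be inspected without executing the copy it would drive. */
uint32_t unchecked_payload_len(const uint8_t *hdr) {
    return be32(hdr) - CHUNK_HDR;   /* wraps to about 4 GiB when size < 8 */
}

/* VULNERABLE: an attacker-controlled length drives memcpy into a fixed buffer.
 * Kept for comparison only; never call it on untrusted input. */
void parse_chunk_unchecked(const uint8_t *buf, struct chunk *c) {
    memcpy(c->type, buf + 4, 4);
    c->type[4] = '\0';
    c->payload_len = unchecked_payload_len(buf);
    memcpy(c->payload, buf + CHUNK_HDR, c->payload_len);  /* overflow on a crafted file */
}

/* HARDENED: validate every quantity derived from the file before using it. */
enum chunk_status parse_chunk_checked(const uint8_t *buf, size_t buf_len,
                                      struct chunk *c) {
    if (buf_len < CHUNK_HDR) return CHUNK_ERR_SHORT;
    uint32_t size = be32(buf);
    if (size < CHUNK_HDR) return CHUNK_ERR_SIZE;      /* checked before subtracting */
    if (size > buf_len)   return CHUNK_ERR_TRUNCATED; /* must fit in the data we have */
    uint32_t payload_len = size - CHUNK_HDR;
    if (payload_len > MAX_PAYLOAD) return CHUNK_ERR_TOO_BIG; /* must fit the destination */
    memcpy(c->type, buf + 4, 4);
    c->type[4] = '\0';
    memcpy(c->payload, buf + CHUNK_HDR, payload_len);
    c->payload_len = payload_len;
    return CHUNK_OK;
}

/* Wrappers returning plain values, for checking results without a struct. */
enum chunk_status status_of(const uint8_t *buf, size_t buf_len) {
    struct chunk c;
    return parse_chunk_checked(buf, buf_len, &c);
}
uint32_t checked_payload_len(const uint8_t *buf, size_t buf_len) {
    struct chunk c;
    return parse_chunk_checked(buf, buf_len, &c) == CHUNK_OK ? c.payload_len : 0;
}

/* Constructed sample inputs, not real media files. */
const uint8_t BENIGN_CHUNK[16]      = { 0,0,0,16, 'f','t','y','p', 'i','s','o','m','i','s','o','2' };
const uint8_t CRAFTED_UNDERFLOW[16] = { 0,0,0,4,  'm','o','o','v', 0,0,0,0,0,0,0,0 }; /* size < header */
const uint8_t CRAFTED_OVERSIZE[16]  = { 0x7f,0xff,0xff,0xff, 'm','d','a','t', 0,0,0,0,0,0,0,0 }; /* size > file */
const uint8_t CRAFTED_TOO_BIG[80]   = { 0,0,0,80, 'm','d','a','t' }; /* consistent, but 72 > MAX_PAYLOAD */

int main(void) {
    struct chunk c;
    enum chunk_status st = parse_chunk_checked(BENIGN_CHUNK, sizeof BENIGN_CHUNK, &c);
    printf("benign:    checked status %d, type %s, payload %u bytes\n",
           (int)st, c.type, (unsigned)c.payload_len);
    printf("underflow: unchecked parser would copy %u bytes; checked status %d\n",
           (unsigned)unchecked_payload_len(CRAFTED_UNDERFLOW), (int)status_of(CRAFTED_UNDERFLOW, 16));
    printf("oversize:  unchecked parser would copy %u bytes; checked status %d\n",
           (unsigned)unchecked_payload_len(CRAFTED_OVERSIZE), (int)status_of(CRAFTED_OVERSIZE, 16));
    printf("too big:   checked status %d\n", (int)status_of(CRAFTED_TOO_BIG, sizeof CRAFTED_TOO_BIG));
    return 0;
}
```

The unchecked parser is deliberately never run on the crafted inputs, since the out-of-bounds copy is undefined behaviour; the program prints the length it would have copied instead. The order of the checks matters: the size field is compared against the header length before the subtraction, so the underflow never happens, and against the amount of data actually held before the payload is touched, so a truncated file cannot drive a read past the end of the input. A real demuxer repeats this discipline for every nested box and every sample table entry, which is exactly where a media library processing files from MMS or the browser tends to slip.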

The other vulnerabilities addressed in the latest update include privilege elevation flaws in the Imagination Technologies driver and in the misc-sd driver from MediaTek (among others), which could enable a local malicious application to execute arbitrary code within the kernel; and information disclosure vulnerabilities in the kernel and in Bouncy Castle, which could enable a local malicious application to gain access to users’ private information.

Google said in its advisory that it has had no reports of active customer exploitation of the newly reported issues, but that the Android Security team is actively monitoring for abuse with Verify Apps and SafetyNet, which warn about potentially harmful applications about to be installed. Google also noted that the Hangouts and Messenger applications do not automatically pass media to processes such as mediaserver, which removes the no-interaction MMS path for users of those apps.

The update was sent out over the air (OTA); users should accept the patch and upgrade to the latest version of the Android operating system.


Source: Information Security Magazine

Destructive BlackEnergy Attacks Blitz Ukrainian News and Energy Firms

The team behind the infamous BlackEnergy malware has been busy in 2015 launching destructive attacks against Ukrainian media and energy companies, according to researchers.

Eset’s Anton Cherepanov explained in a blog post yesterday that the group was spotted last year using a new component detected as the Win32/KillDisk.NBB, Win32/KillDisk.NBC and Win32/KillDisk.NBD trojan variants.

The component’s job is to overwrite documents with random data and to make the victim’s OS unbootable, he added.

In one instance, it destroyed a large number of video files and documents at various Ukrainian news organizations in a November attack during the local elections, according to CERT-UA.

That malware component is designed to destroy files with more than 4,000 different extensions.

A separate version spotted in attacks on energy companies was refined to target just 35 file types. New features mean it can now be programmed with a specific time delay, and it deletes the Windows event logs (Application, Security, Setup and System), removing the host-side evidence a responder would otherwise rely on.

“As well as being able to delete system files to make the system unbootable—functionality typical for such destructive trojans—the KillDisk variant detected in the electricity distribution companies also appears to contain some additional functionality specifically intended to sabotage industrial systems,” explained Cherepanov.

The researchers also found a new SSH backdoor being used to infect systems.

BlackEnergy malware dates back to 2007, when it was discovered as a relatively simple DDoS trojan. However, it emerged a few years later as a sophisticated malware family with modular architecture, used in everything from targeted attacks to banking fraud.

A BlackEnergy Lite version was discovered last year targeting over 100 organizations in Poland, Ukraine and elsewhere.

And the US ICS-CERT warned in October of a three-year campaign using the malware, aimed at industrial control systems.

Although the attackers are thought to be Russian speakers, security researchers have so far resisted attributing the activity to a state.


Source: Information Security Magazine

New JavaScript Ransomware-as-a-Service Kicks off 2016

Security researchers are warning of a newly discovered Ransomware-as-a-Service campaign using malware written in JavaScript for the first time.

Fabian Wosar of security firm Emsisoft explained in a blog post that Ransom32 can be signed up for on a Tor site using just a Bitcoin address to which the spoils will be sent, minus a 25% cut.

After signing up, users will be able to access a basic admin page—enabling them to see how many systems are infected; observe how much money has been collected; and tweak various settings for the ransomware.

These include how much BTC to request from victims, and whether to fully lock the computer or allow a victim to minimize the lock screen—enabling them to check whether their files are fully encrypted or not.

Ransom32 is a 22MB self-extracting RAR file, which weighs in at over 67MB when extracted. Once run, the executable creates a shortcut, ChromeService, which points to a chrome.exe package.

This is in fact a packed NW.js application containing the JavaScript which will encrypt a victim’s computer files and pop up the ransom note.

NW.js has several advantages for the attacker.

As a legitimate framework it can fly in under the radar of traditional signature defenses, and it could theoretically work with a few minor adjustments on Linux and Mac OS X systems, although Ransom32 has only been observed as a Windows threat thus far.

Once Ransom32 is executed and installed, it will connect to a C&C server on Tor, note the Bitcoin address to which the victim is told to pay the ransom, and display the blackmail message.

Files are encrypted with 128-bit AES, and the malware includes an option to decrypt one file to prove to the victim that recovery is possible.

Wosar claimed that, when it comes to ransomware, “the best protection is a well-organized backup strategy.”

He added that security tools featuring behavioral analysis to complement traditional signature techniques are more likely to catch such advanced strains.


Source: Information Security Magazine

Microsoft Turns on Nation State Attack Warnings after China Criticism

Microsoft has finally bowed to pressure and will now warn customers if it thinks their accounts are being targeted by nation state spies, following reports that it had failed to do so in the past for Hotmail users hit by Chinese hackers.

Trustworthy Computing vice president, Scott Charney, explained in a blog post that the notifications would enhance Redmond’s current warnings of attacks that could indicate compromise by a third party.

He added:

“We’re taking this additional step of specifically letting you know if we have evidence that the attacker may be ‘state-sponsored’ because it is likely that the attack could be more sophisticated or more sustained than attacks from cybercriminals and others. These notifications do not mean that Microsoft’s own systems have in any way been compromised.

If you receive one of these notifications it doesn’t necessarily mean that your account has been compromised, but it does mean we have evidence your account has been targeted, and it’s very important you take additional measures to keep your account secure. You should also make sure your computer and other devices don’t have viruses or malware installed, and that all your software is up to date.”

Charney recommended customers turn on two-step verification; use strong passwords, regularly changing them; monitor recent account activity; be careful of suspicious emails or sites; and keep computer software and AV up-to-date.

The decision to notify customers of possible nation state attacks comes as former employees told Reuters that Microsoft refused to act despite concluding that the Hotmail accounts of thousands of customers—including Tibetan and Uighur leaders—were hacked by the Chinese authorities.

The attacks in 2011 apparently exploited a Microsoft flaw to forward copies of all incoming mail to the hackers.

At the time, Microsoft didn’t inform the users that they might be being targeted by nation state spies, instead merely telling them to choose new account passwords. The concern is that the hackers may have gained enough persistence on the targets’ devices or networks to capture even the new credentials as they were entered, which is why a password reset alone is an inadequate response to a targeted intrusion.

Microsoft’s decision brings it in line with the likes of Google, Twitter, Facebook and Yahoo.


Source: Information Security Magazine