Ars Technica

Risk Assessment – Ars Technica
Serving the Technologist for more than a decade. IT news, reviews, and analysis.
Updated: 49 min 52 sec ago

Gizmodo went phishing with the Trump team—will they catch a charge?

12 May 2017 - 16:25

Go phishing the White House and you may need a bigger boat. (credit: Lsuff)

Earlier this week, the team at Gizmodo's Special Projects Desk published a report on how they "phished" members of the administration and campaign teams of President Donald Trump. Gizmodo identified 15 prominent figures on Trump's team and sent e-mails to each posing as friends, family members, or associates containing a faked Google Docs link.

"This was a test of how public officials in an administration whose president has been highly critical of the security failures of the DNC stand up to the sort of techniques that hackers use to penetrate networks," said John Cook, executive editor of Gizmodo's Special Projects Desk, in an e-mail conversation with Ars. Gizmodo targeted some marquee names connected to the Trump administration, including Newt Gingrich, Peter Thiel, (now-ex) FBI director James Comey, FCC chairman Ajit Pai, White House press secretary Sean Spicer, presidential advisor Sebastian Gorka, and the administration's chief policymakers for cybersecurity.

The test didn't appear to prove much. Gingrich and Comey responded to the e-mail questioning its provenance. And while about half of the targeted officials may have clicked the link—eight devices' IP addresses were recorded accessing the linked test page—none entered their login credentials. The test could not determine whose devices clicked on the link.

Category: Hacking & Security

HP laptops covertly log user keystrokes, researchers warn

11 May 2017 - 20:50

Keyloggers like this one surreptitiously store passwords and other confidential data entered into a computer. (credit:

HP is selling more than two dozen models of laptops and tablets that covertly monitor every keystroke a user makes, security researchers warned Thursday. The devices then store the key presses in an unencrypted file on the hard drive.

The keylogger is included in a device driver developed by Conexant, a manufacturer of audio chips that are included in the vulnerable HP devices. That's according to an advisory published by modzero, a Switzerland-based security consulting firm. One of the device driver components is MicTray64.exe, an executable file that allows the driver to respond when a user presses special keys. It turns out that the file sends all keystrokes to a debugging interface or writes them to a log file available on the computer's C drive.

"This type of debugging turns the audio driver effectively into keylogging spyware," modzero researchers wrote. "On the basis of meta-information of the files, this keylogger has already existed on HP computers since at least Christmas 2015."

Category: Hacking & Security

Macron campaign team used honeypot accounts to fake out Fancy Bear

10 May 2017 - 15:58

Newly elected French president Emmanuel Macron poses with a woman for a selfie. (credit: PATRICK KOVARIK / Getty Images)

The failed effort by Russian attackers to influence the outcome of the French presidential campaign in its final hours was in part a forced error, thanks to an active defense by the digital team of French president-elect Emmanuel Macron's campaign organization, the digital director of the campaign has claimed. Campaign team members told the New York Times that as the phishing attacks mounted, they created a collection of fake e-mail accounts seeded with false information.

"We created false accounts, with false content, as traps," Macron campaign digital director Mounir Mahjoubi told the Times. "We did this massively, to create the obligation for them to verify, to determine whether it was a real account."

The move was a delaying tactic aimed at increasing the attacker's workload. The "honeypot" accounts were filled with large volumes of fake documents. "That forced them to waste time, by the quantity of the documents we put in and documents that might interest them," Mahjoubi said. "Even if it made them lose one minute, we're happy."

Category: Hacking & Security

Cisco kills leaked CIA 0-day that let attackers commandeer 318 switch models

9 May 2017 - 22:41

Cisco Systems has patched a critical flaw that even novice hackers could exploit using Central Intelligence Agency attack tools that were recently leaked to the Internet.

As previously reported, the zero-day exploit allowed attackers to issue commands that remotely execute malicious code on 318 models of Cisco switches. The attack code was published in early March by WikiLeaks as part of its Vault7 series of leaks, which the site is billing as the largest publication of intelligence documents ever.

The bug resides in the Cisco Cluster Management Protocol (CMP), which uses the telnet protocol to deliver signals and commands on internal networks. It stems from a failure to restrict telnet options to local communications and the incorrect processing of malformed CMP-only telnet options.

Category: Hacking & Security

Microsoft’s recent success in blocking in-the-wild attacks is eerily good

9 May 2017 - 21:06

(credit: Stephen Brashear / Getty Images News)

Microsoft engineers have neutralized a series of attacks that took control of targeted computers by exploiting independent vulnerabilities in Word and Windows. Remarkably, the software maker said fixes or partial mitigations for all four security bugs were released before it received private reports of the attacks.

Both versions of the attacks used malformed Word documents that were attached to phishing e-mails sent to a highly select group of targets. The malicious documents chained together two exploits, one that targeted flaws in an Encapsulated PostScript filter in Word and the other that targeted elevation-of-privilege bugs in Windows so that the attack could break out of the security sandbox that fortifies Office. Encapsulated PostScript is an old format that's rarely used any more.

One version of the attacks combined an exploit for a Word EPS flaw designated as CVE-2017-0261 with an exploit for CVE-2017-0001, a Windows privilege-escalation bug. By the time Microsoft received a private report of ongoing attacks in March, the company had already released a partial fix as part of its March Update Tuesday release. A second attack version exploited an EPS flaw indexed as CVE-2017-0262 in combination with CVE-2017-0263, a separate Windows privilege-elevation flaw.

Category: Hacking & Security

Massive vulnerability in Windows Defender leaves most Windows PCs vulnerable

9 May 2017 - 15:20

(credit: Timothy A. Clary/AFP/Getty Images)

A massive and rather embarrassing remote code execution vulnerability has been discovered in Microsoft's MsMpEng, the malware protection engine used by Windows Defender, Microsoft Security Essentials, Microsoft Forefront, and Microsoft Endpoint in almost every recent version of Windows (7, 8, 8.1, 10, and Server 2016). Notably, Windows Defender is installed by default on all consumer-oriented Windows PCs.

The vulnerability (officially designated CVE-2017-0290) allows a remote attacker to take over a system without any interaction from the system owner: it's enough for the attacker to send an e-mail or instant message that is scanned by Windows Defender. Likewise, anything else that is automatically scanned by Microsoft's malware protection engine—websites, file shares—could be used as an attack vector.

Because MsMpEng runs at the highest privilege level and is so ubiquitous across Windows PCs, this vulnerability is about as bad as it gets. Fortunately, the security researchers who discovered it—Natalie Silvanovich and Tavis Ormandy of Google Project Zero—reported it responsibly, and last night Microsoft released a patch. MsMpEng automatically updates every 48 hours, so disaster has probably been averted. The security bulletin notes that Microsoft hadn't seen any public exploitation of the vulnerability.

Category: Hacking & Security

Mac users installing popular DVD ripper get nasty backdoor instead

8 May 2017 - 22:50

(credit: Patrick Wardle)

Hackers compromised a download server for a popular media-encoding software named HandBrake and used it to push stealthy malware that stole victims' password keychains, password vaults, and possibly the master credentials that decrypted them, security researchers said Monday.

Over a four-day period ending Saturday, a download mirror located at delivered a version of the DVD ripping and video conversion software that contained a backdoor known as Proton, HandBrake developers warned over the weekend. At the time that the malware was being distributed to unsuspecting Mac users, none of the 55 most widely used antivirus services detected it. That's according to researcher Patrick Wardle, who reported results here and here from the VirusTotal file-scanning service. When the malicious download was opened, it directed users to enter their Mac administrator password, which was then uploaded in plain text to a server controlled by the attackers. Once installed, the malware sent a variety of sensitive user files to the same server.

In a blog post published Monday morning, Thomas Reed, director of Mac offerings at antivirus provider Malwarebytes, wrote:

Category: Hacking & Security

Evidence suggests Russia behind hack of French president-elect

8 May 2017 - 20:18

A last-minute information operation against French presidential candidate Emmanuel Macron did not stop him from winning Sunday's run-off election. But it did have the fingerprints of Russia all over it. (credit: Getty Images/ Chesnot)

Late on May 5 as the two final candidates for the French presidency were about to enter a press blackout in advance of the May 7 election, nine gigabytes of data allegedly from the campaign of Emmanuel Macron were posted on the Internet in torrents and archives. The files, which were initially distributed via links posted on 4Chan and then by WikiLeaks, had forensic metadata suggesting that Russians were behind the breach—and that a Russian government contract employee may have falsified some of the dumped documents.

Even WikiLeaks, which initially publicized the breach and defended its integrity on the organization's Twitter account, has since acknowledged that some of the metadata pointed directly to a Russian company with ties to the government:

#MacronLeaks: name of employee for Russian govt security contractor Evrika appears 9 times in metadata for "xls_cendric.rar" leak archive

— WikiLeaks (@wikileaks) May 6, 2017

Evrika ("Eureka") ZAO is a large information technology company in St. Petersburg that does some work for the Russian government, and the group includes the Federal Security Service of the Russian Federation (FSB) among its acknowledged customers (as noted in this job listing). The company is a systems integrator, and it builds its own computer equipment and provides "integrated information security systems." The metadata in some Microsoft Office files shows the last person to have edited the files to be "Roshka Georgiy Petrovich," a current or former Evrika ZAO employee.

Category: Hacking & Security

The hijacking flaw that lurked in Intel chips is worse than anyone thought

6 May 2017 - 18:01

(credit: Intel)

A remote hijacking flaw that lurked in Intel chips for seven years was more severe than many people imagined, because it allowed hackers to remotely gain administrative control over huge fleets of computers without entering a password. This is according to technical analyses published Friday.

As Ars reported Monday, the authentication bypass vulnerability resides in a feature known as Active Management Technology. AMT, as it's usually called, allows system administrators to perform a variety of powerful tasks over a remote connection. Among the capabilities: changing the code that boots up computers, accessing the computer's mouse, keyboard, and monitor, loading and executing programs, and remotely powering on computers that are turned off. In short, AMT makes it possible to log into a computer and exercise the same control enjoyed by administrators with physical access.

AMT, which is available with many vPro processors, was set up to require a password before it could be remotely accessed over a Web browser interface. But, remarkably, that authentication mechanism can be bypassed by entering no text at all. According to a blog post published Friday by Tenable Network Security, the cryptographic hash that the interface's digest access authentication requires to verify that someone is authorized to log in can be any value, including an empty string.

Category: Hacking & Security

Google phishing attack was foretold by researchers—and it may have used their code

5 May 2017 - 22:17

(credit: Sean Gallup / Getty Images)

The "Google Docs" phishing attack that wormed its way through thousands of e-mail inboxes earlier this week exploited a threat that had been flagged earlier by at least three security researchers—one raised issues about the threat as early as October of 2011. In fact, the person or persons behind the attack may have copied the technique from a proof of concept posted by one security researcher to GitHub in February.

The issue may not technically be a vulnerability, but the way Google has implemented its application permissions interface—based on the OAuth 2 standard used by a large number of Web application providers—makes it far too easy to fool unsuspecting targets into giving away access to their cloud, e-mail, storage, and other Google-associated accounts. The websites used in the phishing attack each used domains that mimicked Google's in some way. The sites would call a Google Apps Script that used Google's own authentication system against itself. The malicious Web application (named "Google Docs") was delivered by an HTML e-mail message that looked so much like a genuine Google Docs sharing request that many users just sailed right through the permissions requested without thinking.

Researchers have repeatedly warned Google about this potential social engineering threat, and this shortcoming had already been exploited in malicious e-mails used by an alleged state actor. While Google quickly shut down the malicious application's access to customers' credentials, the threat remains, since all it takes to relaunch a campaign is to configure another application with Google's authentication API.

Category: Hacking & Security

More Android phones than ever are covertly listening for inaudible sounds in ads

5 May 2017 - 17:14

(credit: Arp et al.)

Almost a year after app developer SilverPush vowed to kill its privacy-threatening software that used inaudible sound embedded into TV commercials to covertly track phone users, the technology is more popular than ever, with more than 200 Android apps that have been downloaded millions of times from the official Google Play market, according to a recently published research paper.

As of January, there were 234 Android apps that were created using SilverPush's publicly available software developer kit, according to the paper, which was published by researchers from Technische Universität Braunschweig in Germany. That represents a dramatic increase in the number of Android apps known to use the creepy audio tracking scheme. In April 2015, there were only five such apps.

The apps silently listen for ultrasonic sounds that marketers use as high-tech beacons to indicate when a phone user is viewing a TV commercial or other type of targeted audio. A representative sample of just five of the 234 apps has been downloaded between 2.25 million and 11.1 million times, according to the researchers, citing official Google Play figures. None of them discloses the tracking capability in its privacy policy.

Category: Hacking & Security

Not-so-secret DOD “spy drone” footage, live on the Internet [Updated]

5 May 2017 - 13:00

On Wednesday, Kenneth Lipp, a contributor to the Daily Beast, was doing what amounts to a random search on the security search engine Shodan when he discovered what appears to be a Web console for full-motion video feeds from two Predator drones.

The website Lipp found bears the logos of the National Reconnaissance Office, the National Geospatial-Intelligence Agency's (NGA's) Aerospace Data Facility-East, and the Washington University Cortex Innovation Center—an incubator that has partnered with NGA. The site displayed streaming video from drones named "Ranger1" and "Bonker," apparently flying somewhere over the Gulf of Mexico along the coast of Florida. So he tweeted and blogged about it. Soon, many were watching the same thing: aerial surveillance video of boats speeding across the Gulf's waters.

Category: Hacking & Security

Don’t trust OAuth: Why the “Google Docs” worm was so convincing

4 May 2017 - 01:13

An evil phishing worm masquerading as "Google Docs" took the Internet by storm today. It sent an e-mail claiming to be from a friend or relative who wanted to share a document with you. Clicking on the "Open in Docs" button asked you to log in to Google, then it popped up a familiar OAuth request asking for some permissions. If you clicked "Allow," the permissions granted it full control over your e-mail and access to all your contacts. The worm then e-mailed everyone in your contacts list before doing god-only-knows what else to the victim's e-mail.

The interesting thing about this worm was just how convincing it was. The e-mail was great—it used the exact same language as a Google Docs sharing e-mail and the exact same "Open" button. Clicking on the link brought up an authentic Google log-in page, served up from Google's servers. Then you were presented a real Google OAuth permissions page, also from Google's servers. The trick was that the app claiming to be "Google Docs" wasn't really Google Docs. The screen showed a third-party app with the name "Google Docs" and a profile picture that matched the Google Docs logo.

Category: Hacking & Security

All your Googles are belong to us: Look out for the Google Docs phishing worm

3 May 2017 - 22:25

Don't click.

A widely reported e-mail purporting to be a request to share a Google Docs document is actually a well-disguised phishing attack. It directs the user to a lookalike site and grants the site access to the target's Google credentials. If the victim clicks on the prompt to give the site permission to use Google credentials, the phish then harvests all the contacts in the victim's Gmail address book and adds them to its list of targets.

The phish appears to have been initially targeted at a number of reporters, but it quickly spread widely across the Internet. Some of the sites associated with the attack appear to have been shut down.

The e-mail uses a technique that a Trend Micro report linked last week to Pawn Storm, an ongoing espionage campaign frequently attributed to Russian intelligence operations. The attack uses the OAuth authentication interface, which is also used by many Web services to allow users to log in without using a password. By abusing OAuth, the attack is able to present a legitimate Google dialogue box requesting authorization. However, the authentication also asks permission for access to "view and manage your e-mail" and "view and manage the files in your Google Drive."

Category: Hacking & Security

Thieves drain 2fa-protected bank accounts by abusing SS7 routing protocol

3 May 2017 - 21:40

(credit: Raimond Spekking)

A known security hole in the networking protocol used by cellphone providers around the world played a key role in a recent string of attacks that drained bank customer accounts, according to a report published Wednesday.

The unidentified attackers exploited weaknesses in Signalling System No. 7, a telephony signaling language that more than 800 telecommunications companies around the world use to ensure their networks interoperate. SS7, as the protocol is known, makes it possible for a person in one country to send text messages to someone in another country. It also allows phone calls to go uninterrupted when the caller is traveling on a train.

The same functionality can be used to eavesdrop on conversations, track geographic whereabouts, or intercept text messages. Security researchers demonstrated this dark side of SS7 last year when they stalked US Representative Ted Lieu using nothing more than his 10-digit cell phone number and access to an SS7 network.

Category: Hacking & Security

Facebook enters war against “information operations,” acknowledges election hijinx

3 May 2017 - 16:40

Facebook Security gave details last week on how the company is fighting nation-state and other groups' efforts to use the social network to amplify false news and for covert propaganda efforts. (credit: Getty Images/ NurPhoto)

Facebook Security has revealed more of how the company has begun to combat the spread of propaganda and "fake news," acknowledging for the first time that the company tracked a campaign that attempted to influence the 2016 US presidential campaign. Facebook began to fight "fake news" posts (sort of) earlier this year when the company introduced a "disputed" label that is now being added to some shared stories of questionable provenance. But the company has also launched a less-visible effort to clamp down on "false amplification" of propaganda efforts on its social media platform.

During the 2016 presidential campaign, Facebook Security team members monitored a number of activities that "we assessed to fit the pattern of information operations," according to a paper published by the company last week. The paper, authored by Facebook Security's Jen Weedon, William Nuland, and Facebook Chief Security Officer Alex Stamos—entitled "Information Operations and Facebook"—acknowledges that Facebook accounts were used as part of a coordinated effort to spread misinformation and influence the shape of political conversations. Facebook did not attempt to attribute the campaign to a specific party.

While acknowledging that activity, the authors also downplayed its scope. "In short," the Facebook team wrote, "while we acknowledge the ongoing challenge of monitoring and guarding against information operations, the reach of known operations during the US election of 2016 was statistically very small compared to overall engagement on political issues." Nevertheless, Facebook reported the activity as part of a growing trend that the company now feels compelled to combat because of its potential poisoning effect on the more organic conversations on social media.

Category: Hacking & Security

Behold, the spear phish that just might be good enough to hook you

3 May 2017 - 00:05

(credit: Unbiassed)

To understand why Carbanak is one of the Internet's most skilled and successful criminal groups, consider the recent spear-phishing campaign it used to infect computers in the hospitality and restaurant industries with malware that steals banking credentials.

One variation started with an e-mail threatening a lawsuit because a visitor got sick after eating at one of the company's restaurants. To increase the chances the attached Microsoft Word document is opened, the attackers personally follow up with a phone call encouraging the recipient to open the booby-trapped file and click inside. The attacker calls back a half-hour later to check if the recipient has opened the document. The attacker immediately hangs up in the event the answer is yes.

Behind the scenes, macros embedded inside the Word document infect the employee's computer with a trojan that surreptitiously takes screenshots and retrieves credit card data and other sensitive banking credentials. The trojan then attempts to infect other computers on the same network in an attempt to steal additional loot. And all because the attacker, who is halfway around the globe, made a compelling case that it was in the employee's best interests to open the document and allow the embedded macro to run.

Category: Hacking & Security

Intel patches remote hijacking vulnerability that lurked in chips for 7 years

2 May 2017 - 01:55

(credit: Intel)

Remote management features that have shipped with Intel processors since 2010 contain a critical flaw that gives attackers full control over the computers that run on vulnerable networks, according to advisories published by Intel and the researcher credited with discovering the critical flaw.

Intel has released a patch for the vulnerability, which resides in the chipmaker's Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability. Business customers who buy computers running vPro processors use those services to remotely administer large fleets of computers. The bug doesn't affect chips running on consumer PCs. The chipmaker has rated the vulnerability critical and is recommending vulnerable customers install a firmware patch.

In the company's Monday post, Intel officials wrote:

Category: Hacking & Security

Meet, the site that doesn’t allow password changes

1 May 2017 - 19:28

This is what e-mails you when you forget your password.

When it comes to websites with bad password policies, there's no shortage of bad actors. Sites—some operated by banks or other financial services—that allow eight- or even six-character passwords, sometimes even allowing letters to be entered in either upper- or lower-case? Yup. Sites that e-mail forgotten passwords in plaintext? Sadly, all the time. Ars largely stopped reporting on them because they're better covered by Twitter accounts like this one.

But recently, I saw a site policy so bad I couldn't stay quiet. It's, a site that among other things lets people book bus travel and redeem rewards for past trips. The site allows passwords as short as four characters—including 1234. And when a user forgets a password, will send the plaintext of the PIN or password in e-mail, an indication that the site isn't using any sort of cryptographic hashing to protect user passwords in the event that Greyhound's database is ever breached.

Worst of all: provides no mechanism for changing a password. Ever. If an account is breached or a password is compromised, the account is stuck with that bad passcode indefinitely. Last week, I explained to a Greyhound spokeswoman why password hashing and password resets were crucial to security and asked if her company had any plans to add them to Her response:

Category: Hacking & Security

Hacker leaks Orange is the New Black new season after ransom demands ignored

1 May 2017 - 19:01

(credit: Lionsgate/Netflix)

An individual or group going by the name "thedarkoverlord" has posted much of the upcoming season of Netflix's series Orange is the New Black, apparently as punishment for not paying an extortion demand. According to information obtained by, the episodes were stolen from a post-production studio along with episodes from dozens of other television programs on Netflix and other networks. And the person or people behind the breach are now attempting to further extort the networks that distribute the programs.

Whoever is behind "thedarkoverlord" has breached a number of small and mid-sized organizations' networks over the past year, apparently by exploiting common vulnerabilities in their websites to gain access. In each case, according to Twitter posts and Pastebin notes by the hacker or hackers, those responsible have posted proof of breaches to GitHub and attempted to extort payments in bitcoins from the victims, threatening to dump customer data and other records if they failed to comply. One target was a US Navy supplier, according to a report from (though no sensitive information was part of the breach).

Thedarkoverlord has also been active on xEdic, a dark web site trafficking in "brute-forced" credentials for Remote Desktop Protocol (RDP) servers, according to a report from Flashpoint. Credentials purchased off the marketplace were used in a number of hospital breaches connected to thedarkoverlord.

Category: Hacking & Security