Ars Technica

Syndicate content: Risk Assessment – Ars Technica
Serving the Technologist for more than a decade. IT news, reviews, and analysis.
Updated: 48 min 18 sec ago

In slap at Trump, Shadow Brokers release NSA EquationGroup files

10 April 2017 - 15:58

(credit: NSA)

On April 8, as part of a long, awkwardly worded rant about President Donald Trump's betrayal of his "base," the individual or individuals known as the Shadow Brokers posted the password to an encrypted archive containing what appear to be components of a toolkit associated with the National Security Agency's alleged Equation Group hacking campaign. But those hoping for even more spectacular exploits than those leaked earlier by the Shadow Brokers will likely be disappointed. However, the files do include a number of tools that may still be usable, as well as significant amounts of information about systems that appear to have been hacked by the NSA.

Many information security analysts were unimpressed.

The Shadow Brokers are the No Man's Sky of the hacker world.

— Jonathan Nichols (@wvualphasoldier) April 9, 2017

In many respects, the files leaked earlier by the Shadow Brokers—in particular Cisco router and firewall exploits—were potentially far more damaging, as in many cases they worked against currently deployed Internet infrastructure. The tools in the master file, however, appear to be much older and targeted operating systems that are generally no longer in service—though some of the systems that they were apparently used to compromise are still online.


Category: Hacking & Security

Found in the wild: Vault7 hacking tools WikiLeaks says come from CIA

10 April 2017 - 15:01

Malware that WikiLeaks purports belongs to the Central Intelligence Agency has been definitively tied to an advanced hacking operation that has been penetrating governments and private industries around the world for years, researchers from security firm Symantec say.

Longhorn, as Symantec dubs the group, has infected governments and companies in the financial, telecommunications, energy, and aerospace industries since at least 2011 and possibly as early as 2007. The group has compromised 40 targets in at least 16 countries across the Middle East, Europe, Asia, Africa, and on one occasion, in the US, although that was probably a mistake.

Uncanny resemblance

Malware used by Longhorn bears an uncanny resemblance to tools and methods described in the Vault7 documents. Near-identical matches are found in cryptographic protocols, source-code compiler changes, and techniques for concealing malicious traffic flowing out of infected networks. Symantec, which has been tracking Longhorn since 2014, didn't positively link the group to the CIA, but it has concluded that the malware Longhorn used over a span of years is included in the Vault7 cache of secret hacking manuals that WikiLeaks says belonged to the CIA. Virtually no one is disputing WikiLeaks' contention that the documents belong to the US agency.


Category: Hacking & Security

Hackers set off Dallas’ 156 emergency sirens over a dozen times

9 April 2017 - 20:55

The Dallas skyline. (credit: Abhishek Chinchalkar on flickr)

Late Friday night and early Saturday morning, hackers set off 156 emergency sirens in and around the city of Dallas, Texas. According to The Dallas Morning News, the sirens began blaring shortly before midnight on Friday and were shut off and reactivated "more than a dozen times" before emergency workers shut the system down entirely at around 1:20am on Saturday morning, after confirming that there was no actual emergency and that it wasn't the result of some benign malfunction.

The city tried to tell residents that there was no emergency and not to call 911, but the system was nevertheless flooded with calls. The 911 line received more than 4,400 calls between 11:30pm Friday and 3am Saturday, double the number received between 11pm and 7am on a typical night. At its peak, the call volume and a short-staffed call center pushed wait times as high as six minutes—the city's goal is to answer most 911 calls within 10 seconds.

City officials have discovered how the system was compromised and are working to keep it from happening again—as of around noon on Saturday, the system had apparently been reactivated, and the city was working to implement "more safeguards" over the weekend. They aren't disclosing how the system was compromised or who may be responsible, but Dallas Office of Emergency Management director Rocky Vaz told the Dallas Morning News that it was likely "someone outside our system" but still in the Dallas area.


Category: Hacking & Security

Booby-trapped Word documents in the wild exploit critical Microsoft 0-day

8 April 2017 - 22:00

(credit: Rob Enslin)

Update, 4/10/2017, 9:20 AM California time: Security experts are reporting that Microsoft will patch the vulnerability on Tuesday. In the meantime, users can block code-execution exploits by setting the following values in their Windows registry: Software\Microsoft\Office\15.0\Word\Security\FileBlock\RtfFiles to 2 and OpenInProtectedView to 0. What follows is the report as it was published on Saturday.

There's a new zero-day attack in the wild that's surreptitiously installing malware on fully patched computers. It does so by exploiting a vulnerability in most or all versions of Microsoft Word.

The attack starts with an e-mail that attaches a malicious Word document, according to a blog post published Saturday by researchers from security firm FireEye. Once opened, exploit code concealed inside the document connects to an attacker-controlled server. It downloads a malicious HTML application file that's disguised to look like a document created in Microsoft's Rich Text Format. Behind the scenes, the .hta file downloads additional payloads from "different well-known malware families."


Category: Hacking & Security

WikiLeaks just dropped the CIA’s secret how-to for infecting Windows

7 April 2017 - 21:13

The logo of the CIA's Engineering Development Group (EDG), the home of the spy agency's malware and espionage tool developers. (credit: Central Intelligence Agency)

WikiLeaks has published what it says is another batch of secret hacking manuals belonging to the US Central Intelligence Agency as part of its Vault7 series of leaks. The site is billing Vault7 as the largest publication of intelligence documents ever.

Friday's installment includes 27 documents related to "Grasshopper," the codename for a set of software tools used to build customized malware for Windows-based computers. The Grasshopper framework provides building blocks that can be combined in unique ways to suit the requirements of a given surveillance or intelligence operation. The documents are likely to be of interest to potential CIA targets looking for signatures and other signs indicating their Windows systems were hacked. The leak will also prove useful to competing malware developers who want to learn new techniques and best practices.

"Grasshopper is a software tool used to build custom installers for target computers running Microsoft Windows operating system," one user guide explained. "An operator uses the Grasshopper builder to construct a custom installation executable." The guide continued:


Category: Hacking & Security

Do you want to play a game? Ransomware asks for high score instead of money

7 April 2017 - 17:41

Rensenware's warning screen asks for a high score, rather than the usual pay off, to decrypt your files.

At this point, Ars readers have heard countless tales of computer users being forced to pay significant sums to unlock files encrypted with malicious ransomware. So we were a bit surprised when word started to trickle out about a new bit of ransomware that doesn't ask for money. Instead, "Rensenware" forces players to get a high score in a difficult PC shoot-em-up to decrypt their files.

As Malware Hunter Team noted yesterday, users on systems infected with Rensenware are faced with the usual ransomware-style warning that "your precious data like documents, musics, pictures, and some kinda project files" have been "encrypted with highly strong encryption algorithm." The only way to break the encryption lock, according to the warning, is to "score 0.2 billion in LUNATIC level" on TH12 ~ Undefined Fantastic Object. That's easier said than done, as this gameplay video of the "bullet hell" style Japanese shooter shows.

Gameplay from TH12 ~ Undefined Fantastic Object on Lunatic difficulty. Players needed to get 200 million points to unlock the "Rensenware" malware.

As you may have guessed from the specifics here, the Rensenware bug was created more in the spirit of fun than maliciousness. After Rensenware was publicized on Twitter, its creator, who goes by Tvple Eraser on Twitter and often posts in Korean, released an apology for releasing what he admitted was "a kind of highly-fatal malware."


Category: Hacking & Security

Rash of in-the-wild attacks permanently destroys poorly secured IoT devices

6 April 2017 - 23:15

(credit: Guinnog)

Researchers have uncovered a rash of ongoing attacks designed to damage routers and other Internet-connected appliances so badly that they become effectively inoperable.

PDoS attack bots (short for "permanent denial-of-service") scan the Internet for Linux-based routers, bridges, or similar Internet-connected devices that require only factory-default passwords to grant remote administrator access. Once the bots find a vulnerable target, they run a series of highly debilitating commands that wipe all the files stored on the device, corrupt the device's storage, and sever its Internet connection. Given the cost and time required to repair the damage, the device is effectively destroyed, or bricked, from the perspective of the typical consumer.

Over a four-day span last month, researchers from security firm Radware detected roughly 2,250 PDoS attempts on devices they made available in a specially constructed honeypot. The attacks came from two separate botnets—dubbed BrickerBot.1 and BrickerBot.2—with nodes for the first located all around the world. BrickerBot.1 eventually went silent, but even now the more destructive BrickerBot.2 attempts a log-on to one of the Radware-operated honeypot devices roughly once every two hours. The bots brick real-world devices that have the telnet protocol enabled and are protected by default passwords, with no clear sign to the owner of what happened or why.


Category: Hacking & Security

Researchers find China tried infiltrating companies lobbying Trump on trade

6 April 2017 - 20:55

Chinese President Xi Jinping meets with the prime minister of Finland, Juha Sipila, during an official visit in Helsinki, Finland, on April 5, 2017. President Xi is traveling to the US today. (credit: ESA MOILANEN/AFP/Getty Images)

Researchers at Fidelis Security have revealed data suggesting Chinese state-funded actors engaged in acts of industrial espionage against a number of major US corporations, including the targeting of employees involved in lobbying the Trump administration on trade policy. The reveal comes just as China's president, Xi Jinping, begins his visit with President Donald Trump.

Fidelis' post shares details of a malware campaign that caused a number of websites—including that of the National Foreign Trade Council—to deliver a JavaScript-based reconnaissance tool called "Scanbox" to site visitors. A similar effort, this one coming from a fake site pretending to belong to the Japanese Foreign Ministry, was also detected.

Scanbox has been previously detected in a number of espionage campaigns, including one recently targeting a political site focused on China's Uighur minority. The forensic details of this new campaign led Fidelis researchers to believe it was conducted by Chinese government or government-funded attackers associated with the threat group known by researchers as APT10, or "Stone Panda."


Category: Hacking & Security

Android devices can be fatally hacked by malicious Wi-Fi networks

5 April 2017 - 21:46

(credit: IntelFreePress)

A broad array of Android phones are vulnerable to attacks that use booby-trapped Wi-Fi signals to achieve full device takeover, a researcher has demonstrated.

The vulnerability resides in a widely used Wi-Fi chipset manufactured by Broadcom and used in both iOS and Android devices. Apple patched the vulnerability with Monday's release of iOS 10.3.1. "An attacker within range may be able to execute arbitrary code on the Wi-Fi chip," Apple's accompanying advisory warned. In a highly detailed blog post published Tuesday, the Google Project Zero researcher who discovered the flaw said it allowed the execution of malicious code on a fully updated 6P "by Wi-Fi proximity alone, requiring no user interaction."

Google is in the process of releasing an update in its April security bulletin. The fix is available only to a select number of device models, and even then it can take two weeks or more to be available as an over-the-air update to those who are eligible. Company representatives didn't respond to an e-mail seeking comment for this post.


Category: Hacking & Security

Samsung’s Tizen is riddled with security flaws, amateurishly written

4 April 2017 - 20:16

Samsung's Smart TV interface, which seems to be running on Tizen. (credit: Samsung)

Tizen, the open source operating system that Samsung uses on a range of Internet-of-Things devices and positions as a sometime competitor to Android, is chock full of egregious security flaws, according to Israeli researcher Amihai Neiderman.

Samsung has been developing the operating system for many years. The project started as an Intel and Nokia project, and Samsung merged its Bada operating system into the code in 2013. Like Android, it's built on a Linux kernel, with a large chunk of open source software running on top. App development on Tizen uses C++ and HTML5.

Presenting at Kaspersky Lab's Security Analyst Summit and speaking to Motherboard, Neiderman had little positive to say about the state of Tizen's code. "It may be the worst code I've ever seen," Neiderman said. "Everything you can do wrong there, they do it."


Category: Hacking & Security

Found: Quite possibly the most sophisticated Android espionage app ever

4 April 2017 - 01:47

(credit: MGM)

Researchers have uncovered one of the most advanced espionage apps ever written for the Android mobile operating system. They found the app after it had infected a few dozen handsets.

Pegasus for Android is the companion app to Pegasus for iOS, a full-featured espionage platform that was discovered in August infecting the iPhone of a political dissident located in the United Arab Emirates. Researchers from Google and the mobile-security firm Lookout found the Android version in the months following, as they scoured the Internet. Google said an Android security feature known as Verify Apps indicated the newly discovered version of Pegasus had been installed on fewer than three-dozen devices.

"Pegasus for Android is an example of the common feature-set that we see from nation states and nation state-like groups," Lookout researchers wrote in a technical analysis published Monday. "These groups produce advanced persistent threats (APT) for mobile with the specific goal of tracking a target not only in the physical world, but also the virtual world."


Category: Hacking & Security

iOS 10.3.1 includes bug fixes and improves the security of your iPhone or iPad

3 April 2017 - 19:53


iOS 10.3.1 is out. The release notes don't specify what it fixes that wasn't addressed in the wide-ranging iOS 10.3 update released just a week ago, but we do know that this new update includes bug fixes and improves the security of your iPhone or iPad. Specifically, according to the more detailed notes on Apple's security page, 10.3.1 addresses a buffer overflow that could be exploited to execute code on your phone or tablet's Wi-Fi chip.

The bug is credited to Google's Project Zero, which discloses bugs to the public 90 days after telling companies about them to encourage faster security patches.

Apple released a beta of iOS 10.3.2 last week shortly after releasing iOS 10.3. It will likely go through a handful of additional beta builds and be released to the public in a month or two. We don't expect it to change much, given that the public reveal of iOS 11 in June is just a couple of months away.


Category: Hacking & Security

Wikileaks releases code that could unmask CIA hacking operations

2 April 2017 - 18:21

A screenshot of foreign language samples used by a CIA tool to hide the nation of origin of CIA code implants, leaked on Friday by WikiLeaks.

Up until this week, WikiLeaks' "Vault 7" releases of files from a Central Intelligence Agency software development server have largely consisted of documentation for the various malware projects the CIA's Engineering Development Group created to aid the agency's mission. But on Friday afternoon, WikiLeaks began actually releasing portions of the CIA's development library. And while the release contains no malware, it's potentially the most damaging information released so far in that it could undermine ongoing CIA operations.

The release was of a repository of code for the CIA EDG's obfuscation tools called Marble. The tools were used to conceal the signature of the implants developed by the CIA from malware scans, to make it more difficult to reverse-engineer them if they were detected, and to figure out where the malware came from. University of California at Berkeley computer security researcher Nicholas Weaver told the Washington Post's Ellen Nakashima, "This appears to be one of the most technically damaging leaks ever done by WikiLeaks, as it seems designed to directly disrupt ongoing CIA operations."

There's nothing particularly magical about the CIA's tools, other than that they were developed and tested by a professional team and that the code itself is extremely well-documented. Implant code for Windows systems was obfuscated with a tool called Marbler, a C++ application that obscures text strings and binary objects within implants in a number of ways. Those methods include "scrambling" binary content using a number of bit-shifting techniques and inserting snippets of foreign languages (such as Chinese or Farsi) with a feature called "WARBL." The characters in the sets included with the code appear to be mostly gibberish placeholder text (even including "Lorem ipsum" in Western characters in some cases), so they were either meant to be substituted in small chunks for strings that would give away that the code was written in the US or were supposed to be replaced with custom text before building for a specific project.


Category: Hacking & Security

Smart TV hack embeds attack code into broadcast signal—no access required

31 March 2017 - 23:07

A screen shot showing the exploit taking control of a Samsung TV.

A new attack that uses terrestrial radio signals to hack a wide range of Smart TVs raises an unsettling prospect—the ability of hackers to take complete control of a large number of sets at once without having physical access to any of them.

The proof-of-concept exploit uses a low-cost transmitter to embed malicious commands into a rogue TV signal. That signal is then broadcast to nearby devices. It worked against two fully updated TV models made by Samsung. By exploiting two known security flaws in the Web browsers running in the background, the attack was able to gain highly privileged root access to the TVs. By revising the attack to target similar browser bugs found in other sets, the technique would likely work on a much wider range of TVs.

"Once a hacker has control over the TV of an end user, he can harm the user in a variety of ways," Rafael Scheel, the security consultant who publicly demonstrated the attack, told Ars. "Among many others, the TV could be used to attack further devices in the home network or to spy on the user with the TV's camera and microphone."


Category: Hacking & Security

How many NSA spy hubs are scooping up your Internet data? I counted 7

30 March 2017 - 14:55


A couple of years ago, when I was investigating the UK's safest ISP, a high-ranking employee at Virgin Media told me there was no NSA or GCHQ Internet traffic interception equipment hiding within Virgin's network. He also said that, in his opinion, not much traffic interception actually occurs in the UK. I asked him why. "Because they don't need to. They'll get your data when it lands in the US."

While it's not true that all Internet traffic flows through the US, the addition of a few listening posts at key Internet exchanges in Europe (London, Paris) and some in Asia (Hong Kong, Tokyo) ensure that the NSA and its Five Eyes partners can analyse and ingest the majority of international Internet traffic.

To visualise the extent of the NSA's surveillance network, IXmaps has created a tool that shows you the location of suspected Internet traffic interception points. You can input your own traceroute data, or if you're in a rush you can just bring up traceroute data from people living in the same city or using the same ISP. Then click the "layers" button and turn on NSA, AT&T/Fairview, and Verizon/Stormbrew.


Category: Hacking & Security

Someone is putting lots of work into hacking Github developers

30 March 2017 - 02:24

(credit: MGM)

Open source developers who use Github are in the cross-hairs of advanced malware that can steal passwords, download sensitive files, take screenshots, and self-destruct when necessary.

Dimnie, as the reconnaissance and espionage trojan is known, has largely flown under the radar for the past three years. It mostly targeted Russians until early this year, when a new campaign took aim at multiple owners of Github repositories. One commenter in this thread reported the initial infection e-mail was sent to an address that was used solely for Github, and researchers with Palo Alto Networks, the firm that reported the campaign on Tuesday, told Ars they have no evidence it targeted anyone other than Github developers.

"Both messages appear to be hand-crafted, and the reference to today's data in the attachment file name IMHO, hint at a focused campaign explicitly targeting targets perceived as 'high return investments,' such as developers (possibly working on popular/open source projects)," someone who received two separate infection e-mails reported in the thread.


Category: Hacking & Security

Potent LastPass exploit underscores the dark side of password managers

28 March 2017 - 21:06

(credit: Wikimedia)

Developers of the widely used LastPass password manager are scrambling to fix a serious vulnerability that makes it possible for malicious websites to steal user passcodes and in some cases execute malicious code on computers running the program.

The flaw, which affects the latest version of the LastPass browser extension, was briefly described on Saturday by Tavis Ormandy, a researcher with Google's Project Zero vulnerability reporting team. When people have the LastPass binary running, the vulnerability allows malicious websites to execute code of their choice. Even when the binary isn't present, the flaw can be exploited in a way that lets malicious sites steal passwords from the protected LastPass vault. Ormandy said he developed a proof-of-concept exploit and sent it to LastPass officials. Developers now have three months to patch the hole before Project Zero discloses technical details.

"It will take a long time to fix this properly," Ormandy said. "It's a major architectural problem. They have 90 days, no need to scramble!"


Category: Hacking & Security

Ransomware scammers exploited Safari bug to extort porn-viewing iOS users

28 March 2017 - 02:44

(credit: Lookout)

Ransomware scammers have been exploiting a flaw in Apple's Mobile Safari browser in a campaign to extort fees from uninformed users. The scammers particularly target those who viewed porn or other controversial content. Apple patched the vulnerability on Monday with the release of iOS version 10.3.

The flaw involved the way that Safari displayed JavaScript pop-up windows. In a blog post published Monday afternoon, researchers from mobile-security provider Lookout described how exploit code surreptitiously planted on multiple websites caused an endless loop of windows to be displayed in a way that prevented the browser from being used. The attacker websites posed as law-enforcement actions and falsely claimed that the only way users could regain use of their browser was to pay a fine in the form of an iTunes gift card code to be delivered by text message. In fact, recovering from the pop-up loop was as easy as going into the device settings and clearing the browser cache. This simple fix was possibly lost on some uninformed targets who were too uncomfortable to ask for outside help.

"The attackers effectively used fear as a factor to get what they wanted before the victim realized that there was little actual risk," Lookout researchers Andrew Blaich and Jeremy Richards wrote in Monday's post.


Category: Hacking & Security

Doxed by Microsoft’s Docs.com: Users unwittingly shared sensitive docs publicly

27 March 2017 - 17:31


On March 25, security researcher Kevin Beaumont discovered something very unfortunate on Docs.com, Microsoft's free document-sharing site tied to the company's Office 365 service: its homepage had a search bar. That in itself would not have been a problem if Office 2016 and Office 365 users were aware that the documents they were posting were being shared publicly.

Unfortunately, hundreds of them weren't. As described in a Microsoft support document, "with Docs.com, you can create an online portfolio of your expertise, discover, download, or bookmark works from other authors, and build your brand with built-in SEO, analytics, and email and social sharing." But many users used Docs.com to either share documents within their organizations or to pass them to people outside their organizations—unaware that the data was being indexed by search engines.

You can probably see where I'm going with this and https://t.co/3TC07CB8gE. pic.twitter.com/zCJAcNNx3a

— Kevin Beaumont (@GossiTheDog) March 25, 2017

Within a few hours, Beaumont, a number of other researchers, and Ars found a significant number of documents shared with sensitive information in them—some of them discoverable by just entering "passwords" or "SSN" or "account number."


Category: Hacking & Security