dontbeevil

Members

  • Posts: 6
  • Birthday: 06/07/1985


  1. Speaking at the Chaos Computer Club (CCC) Congress here Tuesday, a pair of researchers demonstrated a start-to-finish means of eavesdropping on encrypted GSM cellphone calls and text messages, using only four sub-$15 telephones as network “sniffers,” a laptop computer and a variety of open source software. While such capabilities have long been available to law enforcement with the resources to buy a powerful network-sniffing device for more than $50,000 (remember The Wire?), the pieced-together hack takes advantage of security flaws and shortcuts in the GSM network operators’ technology and operations to put the power within the reach of almost any motivated tech-savvy programmer. “GSM is insecure, the more so as more is known about GSM,” said Security Research Labs researcher Karsten Nohl. “It’s pretty much like computers on the net in the 1990s, when people didn’t understand security well.” Several of the individual pieces of this GSM hack have been displayed before. The ability to decrypt GSM’s 64-bit A5/1 encryption was demonstrated last year at this same event, for instance. However, network operators then responded that the difficulty of finding a specific phone, and of picking the correct encrypted radio signal out of the air, made the theoretical decryption danger minimal at best. Naturally this sounded like a challenge. Working the audience through each step of the process, Nohl and OsmocomBB project programmer Sylvain Munaut demonstrated how the way in which GSM networks exchange subscriber location data, in order to correctly route phone calls and SMSs, allows anyone to determine a subscriber’s current location with a simple internet query, to the level of city or general rural area. Once a phone is narrowed down to a specific city, a potential attacker can drive through the area, sending the target phone “silent” or “broken” SMS messages that do not show up on the phone. 
By sniffing each base station’s traffic, listening for the delivery of the message and the response of the target phone at the correct time, the location of the target phone can be more precisely identified. To create a network sniffer, the researchers replaced the firmware of a simple Motorola GSM phone with their own alternative, which allowed them to retain the raw data received from the cell network, and examine more of the cellphone network space than a single phone ordinarily monitors. Upgrading the USB connection allowed this information to be sent in real time to a computer. By sniffing the network while sending a target phone an SMS, they were able to determine precisely which random network ID number belonged to the target. This gave them the ability to identify which of the myriad streams of information they wanted to record from the network. All that was left was decrypting the information. Not a trivial problem, but made possible by the way operator networks exchange system information with their phones. As part of this background communication, GSM networks send out strings of identifying information, as well as essentially empty “Are you there?” messages. Empty space in these messages is filled with buffer bytes. Although a new GSM standard was put in place several years ago to turn these buffers into random bytes, they in fact remain largely identical today, under a much older standard. This allows the researchers to predict with a high degree of probability the plain-text content of these encrypted system messages. This, combined with a two-terabyte table of precomputed encryption keys (a so-called rainbow table), allows a cracking program to discover the secret key to the session’s encryption in about 20 seconds.
This is particularly useful, the researchers said, because many if not most GSM operators reuse these session keys for several successive communications, allowing a key extracted from a test SMS to be used again to record the next telephone call. “There is one key used for communication between the operators and the SIM card that is very well protected, because that protects their monetary interest,” Nohl said. “The other key is less well protected, because it only protects your private data.” The researchers demonstrated this process, using their software to sniff the headers being used by a phone, extract and crack a session-encryption key, and then use this to decrypt and record a live GSM call between two phones in no more than a few minutes. Much of this vulnerability could be addressed relatively easily, Nohl said. Operators could make sure that their network routing information was not so simply available through the internet. They could implement the randomization of padding bytes in the system information exchange, making the encryption harder to break. They could certainly avoid recycling encryption keys between successive calls and SMSs. Nor is it enough to imagine that modern phones, using 3G networks, are shielded from these problems. Many operators reserve much of their 3G bandwidth for internet traffic, while shunting voice and SMS off to the older GSM network. Nohl elicited a laugh from the audience of hackers when he called the reprogrammed network-sniffing phones “GSM debugging devices.” But he was serious, he said. “This is all a 20-year-old infrastructure, with lots of private data and not a lot of security,” he said. “We want you to help phones go through the same kind of evolutionary steps that computers did in the 1990s.” Source
  2. Due to the artistic nature of cybercriminals, they never run out of ideas. After using social media, popping up fake AV, hacking into websites… what’s more? We’ve discovered a rogueware campaign using “useable apps” to distribute rogueware. When the victim runs the binary, this rogueware will run and pop up “Installing Flash FLV Player”. No doubt, this is a more colorful version, and maybe XVID means something more interesting? Our final word? Most of the common media players will be able to play most of the video formats. You don’t need a “Special Player” to play yet another video format. Source
  3. Panda Security's anti-malware laboratory closes the year with a light-hearted look at the viruses that appeared over the past 12 months. The malicious Mac lover. This title went to a remote-control program named HellRaiser.A. It affects only Mac systems and needs the user's consent to install itself on a computer. Once installed, it can take remote control of the system and perform a whole series of functions, even opening the DVD tray of the optical drive. The Good Samaritan. Bredolab.Y arrives disguised as a Microsoft technical support message, claiming that a new security patch for Outlook must be installed immediately... But be careful! If you download the antivirus you will install the SecurityTool rogueware (fake antivirus), which will start informing you that the system is infected and that you should buy a certain product to fix the problem. Of course, if you pay for this program you will never receive it, your problem will not be solved, and the money you paid will never be recovered. Linguist of the year. The award for linguist of the year goes to MSNWorm.IE. This virus, which in itself has nothing special, is distributed through Messenger with a link urging the user to view a photo... in 18 languages! At least the emoticon at the end, ":D", is universal. The most daring. This year the award goes to Stuxnet.A. If we had to choose a soundtrack for this virus, it would have to be something like the one from "Mission: Impossible" or "The Saint". This malicious code was designed to target SCADA systems, that is, critical infrastructure. The worm exploits a security hole in Microsoft USB in order to penetrate directly into the systems of nuclear power plants. The most annoying: Oscar. Do you remember what viruses were like in the old days? Or that "joke" which, once installed, would ask: "Are you sure you want to close the program? Yes - No"? Whichever option you chose, the same screen appeared: "Are you sure you want to close the program?", over and over, enough to try the patience of a saint... Well, that is what this worm does: Oscarbot.YQ. Once installed, you had better start praying, meditating, doing yoga, whatever comes to mind, because this virus will drive you crazy. Every time you close it, another window opens with another question, or opening a new window, or… The most annoying virus, without a doubt. The safest virus. Clippo.A, a name that may remind some users of “Clippy”, the nickname of the paperclip-shaped Microsoft Office assistant, is the safest of the worms: once installed on a computer it will password-protect all documents. That way, when a user tries to open them, it will be impossible without knowing the password. But what is the purpose of this virus's action? Strangely… no reason at all! No ransom is demanded, users do not have to buy anything… it is there just to annoy you. Still, there is nothing funny about it for the infected party, even if there is no other visible symptom. Victim of the crisis: Ramsom.AB. The economic crisis has claimed many victims around the world, and this is reflected in the world of cybercrime too. A few years ago, ransom programs (programs that locked computers and demanded a ransom to unlock them) could afford to ask for handsome sums: up to 300 dollars. Now, thanks to the crisis and competition among cybercriminals… everyone feels the effects. For only 12 dollars you can presumably regain access to your computer. The most profitable lie. This year the award goes to SecurityEssentials2010 (the fake antivirus, not the official one made by Microsoft). Even though it falls into the “adware” category, it behaves like any fake antivirus: it tells users that their computers are infected and at risk and does not stop until they “buy” the recommended product. That is how every other fake antivirus operates. Still, the design is so convincing, with messages that look so authentic, apparently genuine interfaces and so on, that it reached the top 10 infections of this year. Source
  4. If Bank of America were to rebrand itself based on major events of recent years, it might start calling itself the Bad Karma Bank given all of its self-inflicted, dunderheaded publicity. B of A's purchase of stock brokerage giant Merrill Lynch was a public relations and shareholder disclosure disaster. The undignified retirement of former CEO Ken Lewis, a big player in building the megabank, was hardly what he or the bank had hoped for. B of A's ill-conceived purchase of Countrywide Home Loans spurred the bank's decision Monday to buy back billions in soured mortgages from Fannie Mae and Freddie Mac. And B of A's prominent role in home foreclosure practices from hell — especially targeting the wrong homes in foreclosure action, including the one that was paid for in cash and others already sold to new buyers — raises issues of competence, if not negligence. Now looms WikiLeaks, the new online enterprise that's already published reams of revealing and embarrassing U.S. diplomatic cables. WikiLeaks chief Julian Assange recently indicated there soon will be a dump of internal documents from a big bank. The bet is the records are from Bank of America, documents that WikiLeaks says will reveal an "ecosystem of corruption." While Bank of America isn't entirely sure it's the bank in WikiLeaks' sights, the institution is taking defensive steps in case those documents are as damaging as promised. The bank has assembled a team of 15 to 20 top officials led by aptly titled chief risk officer Bruce R. Thompson to scour internal documents in case they become public and to review cases in which lost or misplaced laptops may have compromised B of A records systems, reports the New York Times. The bank hired consulting firm Booz Allen Hamilton to help manage its internal review, and talked to some high-powered law firms. This is already getting pricey. But this last step taken by B of A is my favorite.
Well aware that the Internet is notorious for creating websites that can criticize and insult big companies for any number of reasons, the bank has reportedly hired a company to register more than 300 mostly naughty website addresses with domain names that could disparage Bank of America Corp. executives and directors. California-based MarkMonitor registered these websites, which include names most likely to malign the bank or its top executives. Among those registered, which means others may not use the site names: BrianMoynihanSucks.com and BrianTMoynihanSucks.com. Moynihan is Bank of America's CEO. This is a loser's game. For example, the website BrianMoynihanStinks.com was not registered. And there are thousands of other derogatory domain name options. If MarkMonitor's strategy was to protect Bank of America's reputation on the Internet, it's not working so far. A Web-based news service called Domain Name Wire last month reported on MarkMonitor's massive name registration on behalf of Bank of America. The Dec. 20 story carried the blazing headline "Bank of America Wants You To Know Its Executives Don't Suck." Source
  5. According to mobile security firm Lookout, a new sophisticated Trojan has emerged in China that is affecting Android devices. Lookout Mobile, fresh off announcing a $19.5 Million round of funding last week, said that the Trojan, which it is calling “Geinimi,” can compromise a significant amount of personal data on a user’s phone and send it to remote servers. In a blog post detailing the discovery, the company says the mobile malware is “The most sophisticated Android malware we’ve seen to date, Geinimi is also the first Android malware in the wild that displays botnet-like capabilities. Once the malware is installed on a user’s phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone.” What makes the Trojan different than most “standard” mobile malware is that Geinimi is being “grafted” onto repackaged versions of legitimate applications, primarily games, and distributed in third-party Chinese Android app markets. According to Lookout, this is how it works: When a host application containing Geinimi is launched on a user’s phone, the Trojan runs in the background and collects significant information that can compromise a user’s privacy. The specific information it collects includes location coordinates and unique identifiers for the device (IMEI) and SIM card (IMSI). At five minute intervals, Geinimi attempts to connect to a remote server using one of ten embedded domain names. A subset of the domain names includes widifu.com, udaore.com, frijd.com, islpast.com and piajesj.com. If it connects, Geinimi transmits collected device information to the remote server. Lookout says the Geinimi mobile malware has only been seen being distributed via third-party Chinese app stores and has not seen any apps infected with the Geinimi Trojan in the official Google Android Market.
Google's Android mobile OS is rapidly growing with over 300,000 Android devices being activated every day, however, Android's openness has turned the Android Market into a breeding ground for malicious applications capable of stealing sensitive user information from the mobile phones. After initial analysis, Lookout researchers have evidence that Geinimi so far has the capability to:
       • Send location coordinates (fine location)
       • Send device identifiers (IMEI and IMSI)
       • Download and prompt the user to install an app
       • Prompt the user to uninstall an app
       • Enumerate and send a list of installed apps to the server
     Earlier this year Lookout Mobile’s App Genome project revealed that 29 percent of free applications available in the Android Market were capable of stealing user location at any given point of time while 8 percent of them can browse through users' contact list. PCs are no longer the dominant form of computing and threats targeting the smartphone and tablet markets top the list of cyber concerns in 2011 according to several recent reports. Respondents to a 2010 Mobile & Smart Device Security Survey recognize the quickly growing world of connected smart devices and acknowledge that device security problems are not only inevitable, but serious.
  6. Mozilla inadvertently exposed the passwords of 44,000 inactive addons.mozilla.org accounts, but says there’s nothing to worry about. “On December 17th, Mozilla was notified by a security researcher that a partial database of addons.mozilla.org user accounts was mistakenly left on a Mozilla public server,” Mozilla’s director of infrastructure security Chris Lyon wrote in a posting on the Mozilla Security Blog late Monday night. Although that exposure may seem a wee bit scary, Lyon notes that all the passwords were for inactive accounts, that Mozilla was able to account for every download of the database, and that the password hashes were of the “older md5-based” variety, and that they all have now been deleted, effectively disabling those accounts. “All current addons.mozilla.org accounts use a more secure SHA-512 password hash with per-user salts” since April 9, 2009, Lyon said. “It is important to note that current addons.mozilla.org users and accounts are not at risk.” Mozilla informed all affected users of the slip-up by email, prompting one Larry Seltzer to add a comment to Lyon’s post, saying: “I got the e-mail a while before this blog post or anything else about the matter was on the web. The e-mail looked legit, but…” Source
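The Mozilla post above contrasts the leaked “older md5-based” hashes with the SHA-512 per-user salted hashes used for current accounts, and the GSM post earlier on the page mentions precomputed (rainbow) tables. The example below is added here to show why that distinction matters; it is not code from either post, from Mozilla or from the researchers. With no salt, two users who chose the same password get the same stored hash, and one table precomputed over a wordlist recovers it for every account in the leak; with a random per-user salt the stored values differ and the same table misses. The user names, passwords and the short wordlist are constructed sample data, and the `salt_hex$hash_hex` record layout is an assumption of this example, not Mozilla's format.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the post): two users who happen to share a weak password.
USERS = {"alice": "hunter2", "bob": "hunter2"}

# Constructed wordlist standing in for what a precomputed table would be built from.
COMMON_PASSWORDS = ["password", "123456", "hunter2", "letmein"]


def md5_unsalted(password: str) -> str:
    """Legacy scheme: MD5 over the bare password, no salt.
    Identical passwords always yield identical hashes, so one precomputed
    table serves every account in the database."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def sha512_salted(password: str, salt: bytes) -> str:
    """Per-user salted SHA-512. The record keeps the salt beside the hash as
    'salt_hex$hash_hex' (layout assumed for this example) so it can be
    re-derived when the user logs in."""
    digest = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return f"{salt.hex()}${digest}"


def make_salted_record(password: str) -> str:
    """Create a stored record with a fresh 16-byte random salt per user."""
    return sha512_salted(password, os.urandom(16))


def verify_salted(password: str, record: str) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    salt_hex, _ = record.split("$", 1)
    candidate = sha512_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, record)


def build_precomputed_table(passwords) -> dict:
    """hash -> password map over a wordlist. For an unsalted scheme this work
    is done once and reused against every leak; a per-user salt would force a
    separate table per account."""
    return {md5_unsalted(p): p for p in passwords}


def table_lookup(table: dict, stored_value: str):
    """Return the recovered password if the stored value is in the table, else None."""
    return table.get(stored_value)


def compare_schemes(users=USERS, wordlist=COMMON_PASSWORDS) -> dict:
    """Store the same passwords under both schemes and test each against the table."""
    table = build_precomputed_table(wordlist)
    md5_store = {u: md5_unsalted(p) for u, p in users.items()}
    salted_store = {u: make_salted_record(p) for u, p in users.items()}
    return {
        "md5_store": md5_store,
        "salted_store": salted_store,
        "md5_recovered": {u: table_lookup(table, h) for u, h in md5_store.items()},
        "salted_recovered": {u: table_lookup(table, r) for u, r in salted_store.items()},
    }


if __name__ == "__main__":
    result = compare_schemes()
    print("unsalted MD5, same password -> same hash:",
          result["md5_store"]["alice"] == result["md5_store"]["bob"])
    print("recovered from MD5 store via table:", result["md5_recovered"])
    print("salted SHA-512, same password -> same record:",
          result["salted_store"]["alice"] == result["salted_store"]["bob"])
    print("recovered from salted store via table:", result["salted_recovered"])
    print("login check for alice:", verify_salted("hunter2", result["salted_store"]["alice"]))
```

The salt does not make a single guessed password harder to check; it only removes the shared precomputation, so a leak of salted records still has to be attacked one account at a time. For new systems a deliberately slow key-derivation function (for instance `hashlib.pbkdf2_hmac` with a high iteration count) on top of the per-user salt is the stronger choice, because it also raises the cost of each individual guess.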