Google recently added a remote device-locking feature to Android Device Manager for lost or stolen devices. That lock can be undone: researchers from the Curesec Research Team in Germany discovered a vulnerability in Android 4.3 that allows a malicious app to remove device locks, tracked as CVE-2013-6271.
As per the blog, “The bug exists in the com.android.settings.ChooseLockGeneric class. This class is used to allow the user to modify the type of lock mechanism the device should have.”
It further states that “Android implements several locks, like PIN, password, gesture and even face recognition, to lock and unlock a device. Before a user can change these settings, the device asks the user for confirmation of the previous lock (e.g. if a user wants to change the PIN or remove it, they first have to enter the previous PIN).”
As per Curesec, it had reported this bug to the Google security team multiple times, but the team has not responded to the issue. The entire blog post is available here.
Visualizing cyber attacks around the world has become easier than before, and Google and Arbor Networks have made it real: a collaboration between the two companies produced the “Digital Attack Map” tool.
The tool's functionality is still limited, but its graphical page shows the various points between which an attack takes place. Because the map is real-time, it is interesting to see how giants like Arbor Networks and Google see the data; it is an excellent indicator of what is going on in the world.
As per the page: “Digital Attack Map is a live data visualization of DDoS attacks around the globe, built through a collaboration between Google Ideas and Arbor Networks. The tool surfaces anonymous attack traffic data to let users explore historic trends and find reports of outages happening on a given day.”
- Mobilesecuritythreat.com. Source: Digital Attack Map
Screenshot from Digital Attack Map
YouTube presentation of the tool:
As per F-Secure Labs, 259 new mobile threat families and variants of existing families were discovered in the third quarter of 2013. The growing concern on Google Play is apps that violate privacy by over-collecting data. The screenshots below from the F-Secure report show the threats.
“People understand there’s something questionable about giving their information to big data, yet they give a lot of the same information to questionable apps all the time” says Sean Sullivan, Security Advisor at F-Secure Labs.
Link to F-Secure threat report
The iOS 7 release was major news for Apple users. It is remarkable to see how many users want the cool new operating system; this is the fun part every year when something new comes from Apple. This time it was the new Apple iOS 7 release on September 18th.
As reported on SANS, download requests from users who wanted the new update tripled. As of 12 PM the requests for the new iOS 7 had tripled, which caused a DDoS-like scenario.
As per SANS, “Swa, one of our handlers, indicates that this can be easily resolved for a corporate network by enabling the Apple Caching Service and/or Software Update Server on a single OS X Server in the network, which serves as the update “broker” for all clients on the network. (thanks for the screenshot Swa). The Caching Server will serve up all Apple content (including updates), while the Update Server will only serve up Updates.”
Microsoft released Security Advisory 2887505, which affects all versions of Internet Explorer. Based on Microsoft's observations so far, all targeted attacks are directed at Internet Explorer 8 and 9.
As per Microsoft: “This issue could allow remote code execution if an affected system browses to a website containing malicious content directed towards the specific browser type. This would typically occur when an attacker compromises the security of trusted websites regularly frequented, or convinces someone to click on a link in an email or instant message.”
Microsoft is currently working on an update for this issue; in the meantime it recommends that Internet Explorer users apply the following measures.
- Apply the Microsoft Fix it solution, “CVE-2013-3893 MSHTML Shim Workaround,” that prevents exploitation of this issue
See Microsoft Knowledge Base Article 2887505 to use the automated Microsoft Fix it solution to enable or disable this workaround.
- Set Internet and local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones
This will help prevent exploitation but may affect usability; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones
This will help prevent exploitation but can affect usability, so trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
An underground hacker from Russia with the handle “fil9” posted a zero-day Android exploit for sale (screenshot below).
The author claims the zero-day exploit works on Firefox 23/24/26. Joshua from Malwarebytes spotted the advertisement on Inj3ct0r, an exploit database, where the author was selling the zero-day for US$460.
As per Malwarebytes, “The exploit forces the mobile browser to download and execute a (possibly) malicious app. fil9 shows the exploit in action, downloading and installing what appears to be an update for Firefox. However, when the “update” is executed automatically, viewers can see the potential for malicious code to be inserted.”
However, the user must allow installation of apps from unknown sources, which is typically not a recommended policy.
“The biggest problem in this situation is that Firefox automatically executes certain known files once they’re downloaded, and doesn’t give users an option to disable this. Without some sort of prompt, users have no idea that an external app has just been executed.” as explained by Malwarebytes.
“fil9” demonstrates the exploit in a YouTube video.
We have seen fingerprint readers and face-recognition authentication for a while. Smartphone manufacturers have been rumored to be working on this, and Apple has finally introduced it: Apple announced the new iPhone 5s with a fingerprint reader yesterday. It is a cool factor to have a fingerprint instead of password- or pattern-based authentication. Apple claims that the fingerprint is stored locally on the A7 chip and can only be accessed by the print sensor itself. How safe is “safe” for Apple? In the past Apple has proven to have weak software security implementations, so this raises questions about privacy and security.
As per Apple, the sensor:
“uses advanced capacitive touch to take, in essence, a high-resolution image of your fingerprint from the sub-epidermal layers of your skin. It then intelligently analyses this information with a remarkable degree of detail and precision.”
Recently we have seen governments getting into people's lives through the digital world in a big way. So the concern is how much of what Apple claims is reality, because Apple is known to secretly respond to government requests without user consent.
Why is a fingerprint reader more of a concern on a smartphone than on a laptop?
The world is going mobile and data transfers are becoming handier. The share of desktops has been shrinking rapidly, and smartphones have become the medium for communication in recent years. So if hackers manage to get in or steal the stored data, it is only a matter of time before it is misused. A few years from now fingerprint authentication may well be used as the single form of login, and that is a huge risk if fingerprint data is compromised: unlike a password, a fingerprint cannot be changed.
Malvertisers targeted the L.A. Times, sending thousands of its users to the Blackhole exploit kit and other malicious sites. Security researchers from Blue Coat discovered a set of malicious domains sending traffic to the searcherstypediscksruns dot com/.net/.org family of Blackhole sites, including adhidclick.com, ortclick.com and several other affiliated sites. As per Blue Coat, these sites were registered during December 2012.
The traffic rose to thousands of hits in a short time, which drew the attention of Blue Coat's researchers. On analysis they found that the traffic sources were the L.A. Times, LA Weekly, the Fiscal Times, The Knot, Wikia and doubleclick.com.
As per the Blue Coat blog: “All of the sites it relayed traffic to were evil. Besides the exploit kit sites mentioned, there were also a bunch of malicious junk subdomains hosted on a DynDNS host (servehttp.com), a handful of links to what I call “survey hell” sites (basically spam/scam networks that use fake surveys or quizzes as bait), and a couple to a porn-malware site, just for variety. (All of which were flagged in real-time by WebPulse, btw…)”
As per Infosec: “All of the victimized host sites are large, popular destinations, but are not likely to be directly compromised, or even directly hosting the malicious ads, Larsen said in a blog post: ‘Most likely the ads are ending up there as part of the advertising ecosystem. Malvertising is hard to pin down.’”
It is common practice for malvertisers to target the larger news media, or to hijack advertisers' accounts and spam search engines, which is one of the most effective ways of infecting user computers.
Recently Roger posted a question regarding increased traffic on the Tor network. After the NSA surveillance revelations, the first assumption was that internet users had started using the Tor network to surf anonymously. However, the exponential increase in traffic showed it was something more than just users; the suspicion was that it must be a botnet.
Arma posted: “Starting around August 20, we started to see a sudden spike in the number of Tor clients. By now it's unmistakable: there are millions of new Tor clients and the numbers continue to rise.”
“The fact is, with a growth curve like this one, there's basically no way that there's a new human behind each of these new Tor clients. These Tor clients got bundled into some new software which got installed onto millions of computers pretty much overnight. Since no large software or operating system vendors have come forward to tell us they just bundled Tor with all their users, that leaves me with one conclusion: somebody out there infected millions of computers and as part of their plan they installed Tor clients on them,” as described by Tor officials on their blog.
“It doesn’t look like the new clients are using the Tor network to send traffic to external destinations (like websites). Early indications are that they’re accessing hidden services — fast relays see “Received an ESTABLISH_RENDEZVOUS request” many times a second in their info-level logs, but fast exit relays don’t report a significant growth in exit traffic. One plausible explanation (assuming it is indeed a botnet) is that it’s running its Command and Control (C&C) point as a hidden service.”
After analyzing this, the Fox-IT blog wrote: “Previously, the botnet communicated mainly using HTTP as well as alternative communication methods. More recently and coinciding with the uptick in Tor users, the botnet switched to Tor as its method of communication for its command and control channel. The botnet appears to be massive in size as well as very widespread. Even prior to the switch to Tor, it consisted of tens of thousands of confirmed infections within a limited amount of networks. When these numbers are extrapolated on a per country and global scale, these are definitely in the same ballpark as the Tor user increase.”
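The Tor post above gives relay operators a concrete signal: a sudden burst of “Received an ESTABLISH_RENDEZVOUS request” lines in a relay's info-level log while exit traffic stays flat. The script below is an added example (not code from the Tor Project, Fox-IT or this blog) that counts those lines per second and flags seconds above a threshold, so an operator can compare a relay's rendezvous rate against its own baseline. The log lines, circuit IDs and the `rend_mid_establish_rendezvous()` function name in the sample are constructed for the example and only approximate Tor's real `Mon DD HH:MM:SS.mmm [level] message` layout; the threshold is an assumption to be tuned per relay.

```python
import re
from collections import Counter

# Constructed sample of relay info-level log lines. The layout approximates
# Tor's log format; circuit IDs and the function name are placeholders.
SAMPLE_LOG = """\
Sep 05 10:00:00.101 [info] rend_mid_establish_rendezvous(): Received an ESTABLISH_RENDEZVOUS request on circuit 4101
Sep 05 10:00:01.007 [info] rend_mid_establish_rendezvous(): Received an ESTABLISH_RENDEZVOUS request on circuit 4102
Sep 05 10:00:01.512 [info] circuit_send_next_onion_skin(): First hop: finished sending CREATE cell to 'placeholder-relay'
Sep 05 10:00:02.300 [notice] Heartbeat: Tor's uptime is 6:00 hours, with 420 circuits open.
Sep 05 10:00:03.020 [info] rend_mid_establish_rendezvous(): Received an ESTABLISH_RENDEZVOUS request on circuit 4103
Sep 05 10:00:03.240 [info] rend_mid_establish_rendezvous(): Received an ESTABLISH_RENDEZVOUS request on circuit 4104
Sep 05 10:00:03.610 [info] rend_mid_establish_rendezvous(): Received an ESTABLISH_RENDEZVOUS request on circuit 4105
Sep 05 10:00:03.880 [info] rend_mid_establish_rendezvous(): Received an ESTABLISH_RENDEZVOUS request on circuit 4106
Sep 05 10:00:04.015 [info] rend_mid_establish_rendezvous(): Received an ESTABLISH_RENDEZVOUS request on circuit 4107
Sep 05 10:00:04.210 [info] rend_mid_establish_rendezvous(): Received an ESTABLISH_RENDEZVOUS request on circuit 4108
Sep 05 10:00:04.430 [info] rend_mid_establish_rendezvous(): Received an ESTABLISH_RENDEZVOUS request on circuit 4109
Sep 05 10:00:04.650 [info] rend_mid_establish_rendezvous(): Received an ESTABLISH_RENDEZVOUS request on circuit 4110
Sep 05 10:00:04.900 [info] rend_mid_establish_rendezvous(): Received an ESTABLISH_RENDEZVOUS request on circuit 4111
this line is not a Tor log line and must be skipped
"""

# "Sep 05 10:00:03" is captured without milliseconds so lines bucket per second.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2})\.\d{3} \[(?P<level>\w+)\] (?P<msg>.*)$"
)
MARKER = "Received an ESTABLISH_RENDEZVOUS request"


def parse_lines(log_text):
    """Yield (second, level, message) for every well-formed log line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("level"), m.group("msg")


def rendezvous_counts_per_second(log_text):
    """Count ESTABLISH_RENDEZVOUS lines per second; also return every second seen."""
    counts = Counter()
    seen_seconds = set()
    for second, level, msg in parse_lines(log_text):
        seen_seconds.add(second)
        if level == "info" and MARKER in msg:
            counts[second] += 1
    return counts, seen_seconds


def summarize(log_text, threshold):
    """Summarize rendezvous load and list seconds at or above the burst threshold."""
    counts, seconds = rendezvous_counts_per_second(log_text)
    total = sum(counts.values())
    return {
        "total": total,
        "seconds_observed": len(seconds),
        "mean_per_second": total / len(seconds) if seconds else 0.0,
        "peak_per_second": max(counts.values(), default=0),
        # Kept in log order (Counter preserves insertion order), not string order.
        "burst_seconds": [s for s, n in counts.items() if n >= threshold],
    }


if __name__ == "__main__":
    # Assumed threshold: a quiet relay rarely sees several rendezvous requests per second.
    report = summarize(SAMPLE_LOG, threshold=3)
    print(f"rendezvous requests: {report['total']} over {report['seconds_observed']} s "
          f"(mean {report['mean_per_second']:.1f}/s, peak {report['peak_per_second']}/s)")
    for second in report["burst_seconds"]:
        print(f"burst at {second}")
```

Run it against a real relay log with `Log info file /path/to/info.log` enabled in torrc and compare `mean_per_second` against the relay's normal baseline; a jump in rendezvous requests with no matching growth in exit traffic is the pattern the Tor post describes.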
According to Securelist.com, Obad.a infects in two steps together with another mobile Trojan, Trojan-SMS.AndroidOS.Opfake.a. Kaspersky described Obad this May as one of the most sophisticated mobile Trojans seen.
The infection starts when a legitimate user gets a text message with following text.
“MMS message has been delivered, download from www.otkroi.com”.
When the user clicks the link, a file named mms.apk, the Trojan Trojan-SMS.AndroidOS.Opfake.a, is downloaded automatically to the smartphone. The user has to run it to install the malware; it does not install itself. If the user runs it, the command and control server can instruct the infected smartphone to send the message below to every contact in the address book.
“You have a new MMS message, download at – hxxp://otkroi.net/12”
When a user clicks the link in that text, it loads Backdoor.AndroidOS.Obad.a under the name mms.apk or mmska.apk.
As per Kaspersky Lab's analysis, approximately 600 messages were sent out in 5 hours by one of the Trojan-SMS modifications. Most of the delivery was via infected devices using SMS gateways.
The interesting part was that only a few devices infected with Trojan-SMS.AndroidOS.Opfake.a distributed links to Backdoor.AndroidOS.Obad.a.
As reported, there are 12 versions of Backdoor.AndroidOS.Obad, all with the same level of code obfuscation. Google closed the security hole in Android 4.3.
The entire article can be found here.