Category Archives: Android

Pegasus spyware

Pegasus is spyware that can be installed on Apple and Android mobile systems. It’s difficult to detect, and difficult to remove. Pegasus is developed by NSO Group, which denies that the software is being used for anything nefarious, and says that if it is, that use has nothing to do with NSO Group.

The methods used to install Pegasus on mobile devices have changed over the years. It can be installed directly, with physical access to the target device, which is presumably how it ends up on devices legitimately. Pegasus can also be installed more surreptitiously. Previously, that involved inviting the user to click a link in an email or SMS message. More recently, it’s being installed using app and O/S exploits that require no interaction from the user, including a very nasty exploit for WhatsApp.

Pegasus is not a virus. It does not spread on its own. Further, it’s important to distinguish between Pegasus and the methods used to install it. Pegasus does not typically arrive on a device at random. Devices are specifically targeted, and those devices are often used by journalists, suspected terrorists, and other people whose activities are tracked by government agencies and criminal organizations.

The main problem here is not Pegasus, but the way security vulnerabilities are discovered and — more importantly — how information about vulnerabilities is disseminated. Unfortunately, some organizations perform this research not for the public good, but for themselves and their partners, legitimate and otherwise. In an ideal world, when a vulnerability is discovered, the vendor is informed privately and then proceeds to develop and release a fix. In reality, vulnerabilities and exploits are often hoarded.

Advice to anyone who operates a mobile device and wants to reduce the likelihood of Pegasus or other unwanted software being installed without their knowledge: stay informed regarding security vulnerabilities in your device’s O/S and any apps you run. When you learn about a zero-click exploit, immediately install a fix if one is available, or uninstall the affected app. If it’s an unpatched O/S vulnerability, all you can do is hope that you’re not being targeted.


KRACK Wi-Fi vulnerability: what you need to know

Last week, security researchers identified a series of vulnerabilities affecting almost all Wi-Fi devices, from computers to refrigerators. The vulnerabilities could allow attackers to intercept wireless communications and potentially steal credentials and other sensitive information. The vulnerabilities are collectively referred to as KRACK.

The good news is that computers running Windows and Linux already have patches available. Microsoft included fixes in the October 2017 Patch Tuesday updates.

Apple says that fixes are ready for MacOS, but there’s no word on exactly when they will actually be made available.

The bad news is that mobile devices, particularly those that run Google’s Android operating system, are vulnerable, and in some cases, might stay that way indefinitely. That’s because even though Google has prepared fixes for Android, those fixes won’t get to devices made by other vendors until those vendors make them available. Some vendors are better than others at pushing updates to their devices. Worse, some devices running older O/S versions may never get updates at all, rendering them permanently insecure.

There are mitigating factors. First, because of the responsible way in which these vulnerabilities were reported, Microsoft and other major players have had time to develop fixes, while details of the vulnerabilities were kept relatively secret until recently. That means we have a head start on the bad guys this time.

Second, exploiting these vulnerabilities requires close proximity. Attacks based on these vulnerabilities can’t be executed over the Internet.

Use caution with unpatched devices

If you use a public Wi-Fi access point with an unpatched device, you’re exposed. So until patches for your device become available, you might want to disable its Wi-Fi when you’re not at home. Most devices have settings that prevent them from automatically connecting to Wi-Fi networks they find in the vicinity.

IoT devices may remain vulnerable forever

‘Internet of Things’ (IoT) devices, including thermostats, cars, appliances, and basically anything that can have a computer stuffed into it, often connect to the Internet using Wi-Fi. There are no security standards for IoT devices yet, and many are extremely unlikely to ever be patched.

Recommendation: identify all of your IoT devices that have the ability to connect to the Internet. For each, make sure that you’re using a wired connection, or disable networking completely, if possible. As for devices that connect to the Internet via Wi-Fi and cannot or won’t be patched or disabled, consider taking them to the nearest landfill.


Strange times for Microsoft

Microsoft’s relentless push to get everyone using Windows 10 is creating problems for the software giant. At least one class action lawsuit is underway in Illinois, where annoyed users claim that Microsoft owes more than $5 million in damages related to Windows 10 upgrades, both wanted and unwanted.

Meanwhile, Windows is no longer the most popular way to access the Internet. As recently as 2012, up to 90% of all Internet access was via Windows, but that number has been dropping steadily in recent years, and it’s now at an all-time low. For the first time ever, another operating system is in first place: the mobile O/S Android. Microsoft has bet heavily on Windows 10 and its universal touch interface, alienating traditional desktop enthusiasts and power users in the process. But if consumers are increasingly choosing Android over Windows 10 for their mobile devices, where does that leave Windows?

Microsoft’s efforts to herd users towards their advertising platform Windows 10 include discontinuing support for newer processors on older versions of Windows. While it’s clearly Microsoft’s prerogative to decide which hardware they support, there’s no obvious technical reason for this limitation. In light of Microsoft’s historical support for older systems, this is particularly annoying news for anyone expecting to be able to use Windows 7 or 8.1 with new hardware.

The April 12 publication of a set of exploits by hacking group The Shadow Brokers included several that were widely reported as unpatched zero-day Windows vulnerabilities. It turns out that most of those vulnerabilities were already fixed by March’s Patch Tuesday updates. While this is good news for Windows users, it raises questions about when and how Microsoft learned about the Shadow Brokers exploits, why there was no mention of the source in March’s patch release notes, and whether this has anything to do with the rescheduling of February’s Patch Tuesday updates. Update: TechDirt’s analysis.

Firefox 48.0

The announcement for Firefox 47.0 highlights a few changes: synchronized tabs (between Firefox instances), improved video playback, and some security and performance improvements for Android users.

According to the release notes, Firefox 47.0 takes a few more steps in the process of moving away from Flash and toward HTML5 for video, and removes support for some older technologies related to plugins. The click-to-activate plugin whitelist, a security feature that was introduced in 2013, has been removed.

Most importantly, Firefox 47.0 fixes at least thirteen security issues. So don’t delay: update Firefox as soon as you can.

Check your Firefox version and trigger an update by navigating to its About page:

  1. Click the ‘hamburger’ (three horizontal bars) menu button at the top right.
  2. Click the question mark at the bottom of the menu.
  3. Click ‘About Firefox’ in the menu.

April security roundup

People who store Slack credentials in Github code repositories learned that this is a bad idea, as researchers demonstrated the ease with which this information can be gathered without any explicit permissions.
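The practical defence against the problem above is to catch tokens before they are committed. The following is an added example (my own, not code from the original post or from the researchers it mentions) of a small pre-commit style scan: it looks for strings shaped like Slack API tokens in a set of files and reports them with the value masked. The token pattern is an assumption for illustration (Slack tokens begin with xox followed by a type letter and a hyphen-separated body); the sample file contents, including the token-shaped string, are constructed and are not real credentials.

```python
import re

# Constructed sample of repository content, as it might be committed by mistake.
# The token value is a made-up string in the shape of a Slack API token; it is
# not a real credential.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = True\n"
        "SLACK_TOKEN = 'xoxb-000000000000-000000000000-ExampleExampleExample'\n"
    ),
    "README.md": "Set SLACK_TOKEN in your environment before running.\n",
    ".env.example": "SLACK_TOKEN=replace-me\n",
}

# Assumed pattern: 'xox' + a type letter (b = bot, p = user, a = app, ...) + '-'
# + a hyphen-separated alphanumeric body. Tune the letter set and minimum length
# for the token types your workspace actually issues.
SLACK_TOKEN_RE = re.compile(r"\bxox[abopsr]-[0-9A-Za-z-]{10,}")


def mask(token):
    """Keep only the prefix and last four characters so reports don't leak the secret."""
    return token[:5] + "..." + token[-4:]


def scan_text(text):
    """Return (line_number, masked_token) for each match in one file's text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SLACK_TOKEN_RE.finditer(line):
            hits.append((lineno, mask(match.group(0))))
    return hits


def scan_files(files):
    """Scan a mapping of path -> content; return a list of (path, line, masked_token)."""
    findings = []
    for path, text in files.items():
        for lineno, masked in scan_text(text):
            findings.append((path, lineno, masked))
    return findings


if __name__ == "__main__":
    for path, lineno, masked in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: possible Slack token {masked}")
```

Wired into a pre-commit hook (read the staged files instead of SAMPLE_FILES and exit non-zero on any finding), this stops the credential from ever reaching the repository. A token that has already been pushed should be treated as compromised and revoked, since history rewriting does not undo a clone.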

Scary news: computers at a German nuclear reactor facility were found to be loaded with malware. The only thing that prevented miscreants from playing with real nuclear reactors was the fact that these computers are not connected to the Internet.

Crappy security practices led to the theft of user account information (email addresses and poorly-encrypted passwords) from Minecraft community site Lifeboat.

The notorious hacking group known as Hacking Team made the news again, this time with reports of active drive-by exploits affecting Android devices.

The Nuclear exploit kit is still operating, despite recent, partially-successful, efforts to shut it down. Researchers showed that the kit is still being used, and may be involved in recent ransomware infections.

Good news: the two men responsible for the notorious SpyEye banking trojan, recently extradited to the US to face federal prosecution, will be spending nine and fifteen years in prison.

Zero-day exploits are on the rise, doubling from 24 in 2014 to 54 in 2015. A zero-day exploit is a hack that takes advantage of software vulnerabilities before the software’s maintainers have had a chance to develop a fix.

Cisco security researchers identified vulnerabilities in several enterprise software systems, including Red Hat’s JBoss. As many as three million web-facing servers running this software are at risk of being infected with ransomware, and in fact as many as 2100 infected servers were identified.

More good news: the Petya ransomware was found to contain a flaw that allows its victims to decrypt their data without paying any ransom.

The Mumblehard botnet was taken down by ESET researchers, after it infected at least 4000 computers and sent out countless spam emails.

Microsoft announced plans to prevent Flash content from playing automatically in the Windows 10 web browser Edge. All the major browsers appear to be heading in this direction; Chrome already has the feature.

April’s issue of the SANS ‘Ouch!’ newsletter is titled “I’m Hacked, Now What?” (PDF) and provides helpful information for the recently-hacked. The newsletter is aimed at regular users, so it may not be particularly useful for IT professionals, except as a means to educate users.

The wildly popular WhatsApp – a messaging application for mobile devices – now has end-to-end encryption. This will make life more difficult for spy agencies who want to know what users are saying to each other. But WhatsApp users should be aware that this does not make their communications invulnerable, since techniques exist to get around full encryption, such as keystroke loggers.

Bad idea: someone at CNBC thought it would be a good idea to ask users to submit their passwords to a web-based system that would test the passwords and report on their relative strength. The service itself was vulnerable, and exposed submitted passwords to network sniffing. The service was taken offline soon after the vulnerability was identified.

The web site for toy maker Maisto International was hacked and serving up ransomware for an unknown amount of time, probably several days or even weeks. The hack was made possible because the site was using outdated Joomla software.

Security roundup for March 2016

Ransomware made news frequently in March. Two more healthcare networks in the USA were hit with ransomware. A new variety of ransomware called Petya took things to a new level, encrypting the core data structures of hard drives. TeslaCrypt continued its destructive march across Europe and into the USA. A surge in malware-laden advertising (aka malvertising) on several popular web sites, including the Certified Ethical Hacker site, led to numerous ransomware infections.

Smartphones and tablets running Google’s Android operating system remain a popular target for malware. A newly-discovered vulnerability can allow malware to permanently take over a device at the root level. Malware that exploits the still largely unpatched Stagefright vulnerability was identified.

Security researchers discovered malware that can infect computers that are not connected to networks, using external USB devices like thumb drives. The malware, dubbed USB Thief, steals large quantities of data and leaves very little evidence of its presence.

A hacking group known as Suckfly is using stolen security certificates to bypass code signing mechanisms, allowing them to distribute malware-laden apps more effectively.

The folks at Duo Security published an interesting post that aims to demystify malware attacks, describing malware infrastructure and explaining how malware spreads.

Ars Technica reported on the surprising resurgence of Office macro malware. Macros embedded in Office (Word, Excel) documents were a major problem in the 1990s but subsequent security improvements by Microsoft reduced their prevalence until recently. Getting around those improvements only requires tricking the document’s recipient into enabling macros, and it turns out that this is surprisingly easy.
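Because the attack described above depends on the recipient enabling macros, one useful control at a mail gateway or download point is simply to know which Office files carry a VBA project at all. The following is an added example (not code from the original post or from Ars Technica) that checks for this in the modern OOXML formats: a macro-enabled document (.docm, .xlsm, .pptm) is a zip package containing a vbaProject.bin part. The sample packages are constructed in memory for the demo; legacy binary .doc/.xls files are a different container and are deliberately reported as "not covered" by this check.

```python
import io
import zipfile


def has_vba_project(data):
    """Return True if `data` (bytes of an Office file) is an OOXML zip package that
    contains a VBA project part. Non-zip input (for example a legacy OLE .doc,
    which starts with D0 CF 11 E0) is not covered and returns False."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as package:
            names = [name.lower() for name in package.namelist()]
    except zipfile.BadZipFile:
        return False
    # Word stores it as word/vbaProject.bin, Excel as xl/vbaProject.bin,
    # PowerPoint as ppt/vbaProject.bin; match on the part name regardless of folder.
    return any(name.endswith("vbaproject.bin") for name in names)


def build_sample_package(with_macros):
    """Construct a minimal, made-up OOXML-style package for the demo.
    Real documents carry far more parts; only the macro part matters here."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            package.writestr("word/vbaProject.bin", b"\x00placeholder VBA project\x00")
    return buffer.getvalue()


if __name__ == "__main__":
    for label, sample in (("plain", build_sample_package(False)),
                          ("macro-enabled", build_sample_package(True))):
        print(f"{label}: VBA project present = {has_vba_project(sample)}")
```

A positive result does not mean the macro is malicious, only that the file can run code once the user clicks "Enable Content"; quarantining such attachments from outside senders for review, or stripping the VBA part, is the usual policy response.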

Millions of customer records were made available in the wake of yet another major security breach, this time at Verizon.

Google continued to improve the security of its products, with more encryption, better user notifications and other enhancements to Gmail.

Brian Krebs reported on spammers taking advantage of the trust users have in ‘.gov’ domains to redirect unsuspecting users to their spammy offerings.

Opera announced that their web browser will now include ad-blocking features that are enabled by default.

Critical security flaw affects millions of systems

Here we go again. Researchers have discovered (actually more like rediscovered) a very bad flaw in the commonly-used GNU C Library, also known as glibc.

The flaw has existed, undiscovered, since 2008. It was discovered and reported to the glibc maintainers in July of 2015 (CVE-2015-7547), but nothing was done about it until Google researchers re-discovered the flaw and reported it on a public security blog.

The glibc maintainers reacted to the Google revelations by developing and publishing a patch. It’s not clear why such a serious vulnerability was not fixed sooner.

But that’s not the end of the story. Any computer or device that runs some flavour of Linux, including most of the world’s web servers and many routers, is potentially vulnerable. Individual software applications that are compiled with glibc are also potentially vulnerable.

Although it’s safe to assume that diligent sysadmins will update their Linux computers, tracking down all the affected software will take time. The Linux firmware running on routers and other network devices will be updated much more slowly, if at all. All of this opens up many exploitation possibilities for the foreseeable future.

The good news is that there are several mitigating factors. Many routers don’t use glibc. In some cases, default settings will prevent exploits from working. Android devices are not vulnerable. Still, this problem is likely to get worse before it gets better.
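For anyone who has to inventory affected systems, the first question is simply which glibc a host is running. The following is an added example (my own, not from the original post or from the glibc project) that parses the first line of `ldd --version` and classifies the version against upstream releases. The version boundaries are facts assumed here rather than stated on the page: CVE-2015-7547 affects upstream glibc 2.9 through 2.22, and upstream fixed it in 2.23. The sample `ldd` output lines are constructed.

```python
import re
import subprocess

# Assumed upstream boundaries (not stated on the page): the bug entered glibc in
# 2.9 and upstream fixed it in 2.23. Distributions backport fixes to older
# version numbers, so "affected" below means "check your vendor's advisory".
FIRST_AFFECTED = (2, 9)
FIRST_FIXED_UPSTREAM = (2, 23)


def parse_glibc_version(ldd_output):
    """Extract (major, minor) from the first line of `ldd --version` output,
    e.g. 'ldd (GNU libc) 2.19' or 'ldd (Debian GLIBC 2.19-18+deb8u3) 2.19'."""
    first_line = ldd_output.splitlines()[0] if ldd_output else ""
    match = re.search(r"(\d+)\.(\d+)", first_line)
    if not match:
        raise ValueError(f"no glibc version found in: {first_line!r}")
    return int(match.group(1)), int(match.group(2))


def upstream_status(version):
    """Classify a (major, minor) glibc version by upstream release only."""
    if version < FIRST_AFFECTED:
        return "not affected (predates the bug)"
    if version >= FIRST_FIXED_UPSTREAM:
        return "fixed upstream"
    return "affected unless your distribution backported the fix"


def local_glibc_version():
    """Ask the local dynamic linker which glibc it is (Linux hosts only)."""
    result = subprocess.run(["ldd", "--version"], capture_output=True, text=True, check=False)
    return parse_glibc_version(result.stdout)


if __name__ == "__main__":
    # Constructed sample lines, as different distributions print them.
    for sample in ("ldd (GNU libc) 2.23\nCopyright (C) 2016 Free Software Foundation, Inc.",
                   "ldd (Debian GLIBC 2.19-18+deb8u3) 2.19",
                   "ldd (GNU libc) 2.8"):
        version = parse_glibc_version(sample)
        print(f"{version[0]}.{version[1]}: {upstream_status(version)}")
```

Two caveats the post already hints at: a vendor kernel or router image may report an old version number that has in fact been patched (check the vendor advisory, not just the number), and applications that link glibc statically carry their own copy, which this check does not see; those need to be rebuilt or replaced individually.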

Update 2016Feb20: Dan Kaminsky just posted his analysis of the glibc vulnerability. It’s very technical, but if you’re looking for a deeper dive into this subject, it’s a great place to start. Dan helpfully explains why it’s difficult to predict just how bad things will get.

Security and privacy roundup for January 2016

Your devices are talking about you

You already know that your web browser is tracking your activity. You are probably also aware of ‘The Internet of Things’ – the increasing prevalence of devices that are connected to the Internet – and you recognize that any such device can also track your activities. Bruce Schneier reveals the next step in this evolution: enabling devices to share information about you. Of course, since the goal of all this surveillance is merely better-targeted advertising, most people are unlikely to care. Still, if privacy and control are important to you, this will not be welcome news.

Brian Krebs reminded us that ransomware can affect files in your cloud storage space as well as on your physical computer and network-connected devices.

A summary of software vulnerabilities over at VentureBeat shows Mac OS X topping the list for 2015. Microsoft’s security efforts seem to be paying off, as the highest-ranked version of Windows on the 2015 list is Windows 8.1 at number 10, with fewer than half as many vulnerabilities as OS X.

Serious vulnerabilities were discovered in OpenSSH (a very commonly-used secure terminal client), OpenSSL (the ubiquitous security library), and Trend Micro antivirus software.

Vulnerabilities in the Linux kernel (affecting Android phones and Linux PCs) remain unpatched on many affected devices.

Google produced more patches for vulnerabilities affecting Android devices, but as always, the patches are finding their way to devices very slowly.

The very weak hashing functions MD5 and SHA1 are still being used in HTTPS encryption in some contexts.

It’s official: your smart TV can become infected with malware.

Network devices made by Juniper and Fortinet were found to contain serious vulnerabilities, including an NSA-developed back-door function and a hard-coded back-door password (more).

The free-to-use deep search tool Shodan made the news when researchers showed that it can be used to find household cameras, including baby-cams. Note that the problem here is not Shodan, which is just a useful search tool. The problem is the failure to properly secure Internet-connected devices.

There were more serious corporate security breaches in January, at Time Warner and Linode. As usual in these cases, the login credentials of subscribers were obtained by the attackers.

Amazon’s security practices were (unwillingly) tested by a customer, and found seriously deficient.

More malicious apps were found in the Google Play store. Google removed those apps, but not until they were downloaded millions of times by unsuspecting Android device users.

LG fixed a critical security hole affecting as many as ten million of its mobile devices.

Security and privacy roundup for November 2015

PCs from Dell were found to include support software and related security certificates that potentially expose users to various threats. Dell moved quickly to provide fixes, but many systems remain vulnerable. As if we needed more convincing, this is yet another reason to remove manufacturer-installed software from new PCs as soon as possible after purchase.

A hacking tool called KeeFarce looks for KeePass password databases, attempts to decrypt the stored passwords, and makes the decrypted passwords available to intruders. For this to work, the target computer must already be compromised, and the KeePass database left unlocked. According to researchers, the technique could be used on any password management software. Please, if you use password management software, remember to leave it locked, even if you’re the only user. Why make things any easier for intruders?

Anti-adblocking service provider PageFair was hacked on Halloween, and for a couple of hours, visitors to about 500 web sites were shown fake Flash update warnings that actually installed malware. PageFair fixed the problem relatively quickly and apologized for the breach.

The web site for the popular vBulletin forum software was hacked and user account information stolen. Site admins reset all user passwords and warned users, but have yet to address claims that the attackers used a long-standing vulnerability in the vBulletin software itself to achieve the intrusion. If true, anyone who manages a vBulletin site should immediately install the patch, which was made available after the vBulletin site hack.

With all the furor over Windows 10’s privacy issues, it’s important to recognize that modern phones have all the same issues. Anyone who uses a smartphone has observed that most apps ask for access to private information when they are installed. Generally, user choices are limited to agreeing or cancelling installation. A new study looks at popular iOS and Android apps, the user information they collect, and where they send it. The results are about as expected, and the authors conclude, “The results of this study point out that the current permissions systems on iOS and Android are limited in how comprehensively they inform users about the degree of data sharing that occurs.” No kidding.

A nasty new type of Android malware has been discovered. Researchers say that the perpetrators download legitimate Android apps, repackage them with malware, then make the apps available on third-party sites. Once installed, the infected apps allow the malware to install itself with root access. So far, the malware only seems to be used to display ads, but with root access, there’s no limit to the potential damage. Worse still, it’s extremely difficult to remove the malware, and in many cases it’s easier to simply buy a new phone.

Ransomware was in the news a lot in November. SANS reported seeing a malware spam campaign that impersonates domain registrars, tricking recipients into clicking email links that install the ransomware Cryptowall. Ars Technica reports on changes in the latest version of Cryptowall, and a new ransomware player called Chimera. Brian Krebs reports on new ransomware that targets and encrypts web sites. Luckily, the encryption applied by that particular ransomware is relatively easy to reverse.

Several web sites and services were hit with Distributed Denial of Service (DDoS) attacks in November. In some cases, the attackers demanded ransom money to stop the attack. ProtonMail, provider of end-to-end encrypted email services (and used by yours truly) was hit, and the attacks didn’t stop even when the ransom was paid.

Security certificates signed using the SHA1 algorithm are nearing the end of their usefulness. Plans are already underway to stop providing them and stop supporting them in web browsers and other software. SHA1 is being phased out in favour of the much more secure SHA2 algorithm.

A rash of vulnerabilities in popular WordPress plugins, including the excellent BPS Security plugin, came to light in November. WordPress site operators are strongly encouraged to either enable auto-updates or configure their sites to send alerts when new plugin versions are detected.

An app called InstaAgent was pulled from the Apple and Google app stores when it was discovered that the app was transmitting Instagram userids and passwords to a server controlled by the app’s developer. It’s not clear how the app managed to get past the quality controls in place for both stores.

Security researchers discovered a bizarre new form of privacy invasion that uses inaudible sound – generated by advertisements on TV and in browsers – to track user behaviour. As weird as it seems, this technology is allowing true Cross Device Tracking (CDT).

On a brighter note, Google is now detecting web sites that appear to use social engineering techniques to trick users. Chrome’s Safe Browsing feature will now show a warning when you are about to visit a page Google thinks is using these devious methods.

The whole-disk encryption technology TrueCrypt was previously reported as vulnerable, and a new study has confirmed those vulnerabilities. The study also found that if TrueCrypt is used on unmounted drives, it is perfectly secure, but what use is a hard disk if it isn’t connected to anything? TrueCrypt users are still anxiously awaiting new encryption technologies like VeraCrypt.

Security researchers discovered a critical flaw in many Virtual Private Network (VPN) services. VPN software and services are used by many torrent users to protect their identity. The flaw allows a malicious person to obtain the true IP address of a VPN user.

The Readers Digest web site was infected with a variant of the Angler malware and proceeded to infect unpatched visitor computers for about a week before site operators took action. Thousands of Windows computers may have been infected before the site was finally cleaned up.

October Security Roundup

You probably shouldn’t rely on the security of your encrypted email. Even if you’re using current encryption technologies, certain conditions may arise during transit that cause your message to be transmitted in plain text.

There’s a well-reasoned response to a common question about the responsibility of Certificate Authorities over on the Let’s Encrypt blog. These fine folks will soon be providing free HTTPS certificates to the world, so they’ve been answering a lot of questions about how their service will work.

There’s going to be a minor apocalypse, starting January 1, 2016. On that date, Certificate Authorities will stop issuing certificates signed with SHA1. SHA1 is now considered too weak for use, and is being phased out in favour of SHA2, which is much stronger. Just one problem: people stuck using older browser software and devices will lose their ability to access secure web sites and use those devices. There’s more technical nitty-gritty over at Ars Technica.
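The SHA1 phase-out described here, in the November item above, and in the January note about MD5 and SHA1 still turning up in HTTPS all come down to one field in the certificate: the signatureAlgorithm OID. The following is an added example (my own code, not from the original post, Ars Technica or Let’s Encrypt) that reads that field straight out of a DER-encoded X.509 certificate with a small hand-written DER walker, so you can audit your own certificates without extra libraries. The OID values are the standard assignments; the certificates fed to it in the demo are constructed stand-ins whose body and signature are placeholders, with only the outer structure matching a real certificate.

```python
import base64

# Standard signature-algorithm OIDs and whether the hash is one being phased out.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}


def read_tlv(data, pos=0):
    """Decode one DER tag-length-value at `pos`; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def decode_oid(body):
    """Turn the encoded OBJECT IDENTIFIER body into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:               # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return the dotted OID of the outer signatureAlgorithm of a DER certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, cert, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert)                 # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)            # AlgorithmIdentifier SEQUENCE { OID, params }
    tag, oid, _ = read_tlv(alg)
    if tag != 0x06:
        raise ValueError("expected OID in AlgorithmIdentifier")
    return decode_oid(oid)


def classify(der):
    """Return (algorithm name, weak flag); unknown OIDs come back with flag None."""
    oid = signature_algorithm(der)
    return SIGNATURE_OIDS.get(oid, (oid, None))


def pem_to_der(pem):
    """Strip the -----BEGIN/END----- lines of a PEM certificate and base64-decode it."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


# --- constructed sample input below; not real certificates ---------------------

def _tlv(tag, body):
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_sample_cert(alg_oid):
    """Constructed stand-in: placeholder tbsCertificate and signature, real outer layout."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(alg_oid)) + _tlv(0x05, b""))   # params = NULL
    sig = _tlv(0x03, b"\x00" + b"\x00" * 16)                               # BIT STRING
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(oid, "->", classify(make_sample_cert(oid)))
```

For a live site, `ssl.get_server_certificate((host, 443))` from the standard library returns the leaf certificate as PEM, which pem_to_der turns into input for classify. Check the intermediates the same way; a SHA1 self-signature on a trusted root does not matter, since roots are trusted by presence in the store, not by their signature.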

Symantec hasn’t done enough to clean up its Certificate Authority activities, according to Google. This follows the discovery that Symantec employees were issuing unauthorized certificates. Google has warned Symantec to provide a proper accounting of its CA activities or face the consequences.

A critical vulnerability in the blogging platform Joomla was discovered in October. The bug exists in all versions of Joomla from 3.2 onward. A patch was developed and made available, and anyone who manages a Joomla 3.x-based site is strongly advised to install the patched version (3.4.5) as soon as possible.

It’s increasingly dangerous to be a computer security researcher. New agreements could even make the work illegal in some regions.

Flaws in many self-encrypting external hard drives from Western Digital mean their encryption can be bypassed, according to researchers.

Google made it easier to determine why a site is flagged as unsafe, adding a Safe Browsing Site Status feature to their Transparency Report tools.

Mozilla is following the lead of Google and Microsoft, and plans to all but eliminate support for binary plugins in Firefox by the end of 2016. Binary browser plugins for Java, Flash, and Silverlight provide convenience but are a never-ending security headache. There’s one exception: Mozilla will continue to support Flash as a Firefox plugin for the foreseeable future.

The FBI teamed up with security vendors to take down another botnet in October. The Dridex botnet mainly targeted banking and corporate institutions, gathering private data and uploading it to control servers.

Cisco researchers, working with Limestone Networks, disrupted a lucrative ransomware operation in October.

A stash of thirteen million user names and plain text passwords was recently obtained by a security researcher. The records were traced to 000Webhost, an Internet services provider.

The Patreon funding web site was breached, and private information about subscribers, including encrypted passwords and donation records, was published online. Source code was also stolen, which may make decrypting the passwords much easier.

Researchers discovered numerous iPhone applications that collect and transmit private user information, in violation of Apple’s privacy policies. These apps apparently made it into the App Store because of a loophole in the validation process.

87% of Android-based devices are vulnerable to security exploits. Google develops Android updates quickly enough, but phone makers are typically very slow to make updates available to users.

New Android vulnerabilities, dubbed ‘Stagefright 2.0’ by researchers, were announced in early October. As many as a billion Android devices are vulnerable, and although patches were made available by Google, they may take weeks or months to find their way to individual devices.

A malicious Android adware campaign tricks unwary users into installing apps that appear to be from trusted vendors. These apps use slightly-modified icons of legitimate apps to fool users.