Cyber warning over "Royal Baby" video

Cybercriminals have already taken advantage of the whirlwind of excitement surrounding the birth Prince of Cambridge, warned internet security experts today.

Malicious emails promise the latest video news - but instead deliver Trojan software into PCs, including one known to steal online banking information.

Yahoo! News has seen one example of a spam email titled ‘The Royal Baby: Live Updates’ and purporting to lead to live CNN video coverage of the birth.

“The Duke and Duchess of Cambridge have welcomed their first baby — a son and a future heir to the British throne — into the world. CNN has all the latest details of this momentous occasion,” the email says.

The email claims to come from a company called ScribbleLive, a popular media marketing service.

Spam emailClicking any of the links in the email prompted users to upgrade their Flash player plugin, but in fact downloaded a Trojan known to be used to steal personal details, including online banking information.

Security expert Graham Cluley said, “ It’s very likely that we will see more of this kind of attack. There are several common tricks hackers use – it could be asking you for a username and password to see photos of the baby, or making you complete an innocuous-looking survey.”

Social networks are another fertile ground for hackers to sow dangerous material. At the time of the announcement of the birth, 23,500 tweets mentioning the Royal baby were sent per minute.

“People should be careful what they’re clicking on Facebook and Twitter,” said Cluley.
“Links can be automatically generated to include the trending hashtags. There are also a lot of joke pictures doing the rounds – if you get into the habit of clicking on them as soon as they’re posted, you’re less likely to be careful about where they come from.”

This is not the first time that the Duke and Duchess of Cambridge have been used by hackers to spread viruses.

When their engagement was first announced, hackers were quick to hijack the most popular search engine image results – with the result that clicking on an apparently innocent picture of the couple led to a warning message asking users to download fake antivirus software, which was in fact malware designed to take over PCs and steal data.

In 2011, a story posted on Aol.co.uk about a ‘Pregnant Kate Middleton’ children’s doll was found to have been infected by hackers. Visiting the page would attempt to run malicious software in the background without users’ knowledge.

Fiberio is first touchscreen that reads fingerprints as you use it

A new fiber-optic tabletop PC system is the first which “reads” fingerprints as people use it – and could form the basis of a secure identification system for transactions in shops or banks.

Sensors inside Fiberio “read” reflected light from the table’s surface, with enough detail to identify fingerprints as a user touches the surface. Users can be identified instantly and seamlessly as they use the device. The prototype machine is multi-touch, so that several users can use it at any one time.
“Fiberio is the first interactive tabletop system that authenticates users during touch interaction – unobtrusively and securely using the biometric features of fingerprints, which frees users from carrying identification tokens,” says designer Christian Holz.

The rear-projection “Tabletop PC” will be detailed in a paper Fiberio: A Touchscreen that Senses Fingerprints to be presented at the ACM symposium on User Interface Software and Technology.

Holz suggests that Fiberio could be used in banks to, “verify that the respective user has the authority to perform the current activity – such as approve invoices above a certain value.”
The table would identify both the bank manager and the customer instantly, Holz suggests – working out both whether the manager had the authority to approve invoices, and also securely identifying the customer.
“The key that allows Fiberio to display an image and sense fingerprints at the same time is its screen material: a fiber optic plate,” says Holz.
Fiberio works using a rear-projection system, similar to the one found in Microsoft’s Surface table PCs, which are often used in point-of-sale situations. The projection system allows the machine to “read” reflections in the plate – the system could not work in its current guise in normal tablets and smartphones.
ESET Senior Research Fellow David Harley discusses the advantages of biometric systems in a We Live Security blog post, “The sad fact is, static passwords are a superficially cheap but conceptually unsatisfactory solution to a very difficult problem, especially if they aren’t protected by supplementary techniques. Biometrics and one-time passwords and tokens are much more secure, especially when implemented in hardware as a two-factor authentication measure.”

The rise of TOR-based botnets

TOR-based botnets are not a new trend and were already being discussed a few years ago at Defcon 18 (“Resilient Botnet Command and Control with Tor”). But in the last year we’ve been able to confirm some interesting facts concerning the use of these ideas in real-world botnets. This topic was already discussed around the beginning of 2013 in a Rapid7 blog post (“Skynet, a Tor-powered botnet straight from Reddit”). In early July Dancho Danchev also posted information about a TOR-based C&C for a ring-3 rootkit.
We have been tracking the rise of TOR-based botnets this summer. In July two different malware families were detected that use the TOR hidden service protocol for stealth communication with C&C’s. The TOR hidden service protocol is well-suited to organizing stealth communication channel with a C&C but is slow for stealing high volumes of data from an infected machine. For cybercriminals the most useful way to use the hidden service protocol is for communicating with C&C, getting update for configuration information, or downloading additional malicious modules.
In July ESET researchers detected two different types of TOR-based botnets based on the malware families Win32/Atrax and Win32/Agent.PTA. Both botnets have form-grabbing functionality for possible further fraud operations. The Atrax botnet looks more complex and interesting, so we begin this blog by analysing it.

Win32/Atrax.A

Win32/Atrax.A is an interesting TOR-based backdoor family which is installed by a simple downloader program we detect as Win32/TrojanDownloader.Tiny.NIR. The decompiled main routine of this downloader looks like this:

More interesting information is that its hardcoded domain name is “kundenservice-paypal.com”, registered in the middle of June (12-Jun-2013) (so named to pass itself off as PayPal Customer Service).
All trojan components and the downloader binary were compiled in July, according to information extracted from the PE header time stamp.

After download and execution of the main dropper file, the decompress routine is started for three PE modules: TOR client, DLL module for x86 and DLL module for x64 platform. For decompression WinAPI function RtlDecompressBuffer() Is used. The code for the decompiled decompress routine looks like this:

Before installation the dropper makes simple checks, so as to detect whether it’s on a virtual machine and any debugger activity. The bot ID is an MD5-calculated hash based on unique values from the system registry DigitalProductID and MachineGuid. Here’s the call graph for the routine that infects the machine (you’ll probably need to click it to view it as it’s an awkward size for the blog page.):

This routine tries during the last stages of execution to search for the initialization of additional AES-encrypted plugins in the %APPDATA% directory. All plugins are named according to the following pattern: %APPDATA%\CC250462B0857727*. Plugins are decrypted on the fly during the bot initialization process but the encryption key depends on the infected machine. This approach to plugin encryption makes it difficult to extract information during the forensic process.
The TOR client is embedded into the dropper executable and stored in the %APPDATA% directory as an AES-encrypted file. Initialization of the TOR connection takes place after checking for an active browser process and injection of TOR client code into the browser process by NtSetContextThread(). Win32/Atrax.A supports code injection techniques for x86 and x64 processes.

All communications between the C&C and the bot are made via a special HTTP request function call. The prototype of this function looks like this:

If the second parameter request_via_tor setup is in the TRUE state all communications will be initialized by the TOR client. TOR communications have the following call graph:

After execution a new thread with the Tor client software will be set up using the following parameters:

• AUTHENTICATE – password for authentication
• SIGNAL NEWNYM – change proxy-nodes chain

When the first connection is made with the C&C, Atrax.A sends collected information about the infected system to an address inside the TOR network:

It isn’t possible to ascertain the original C&C IP address or domain with a TOR enabled connection but it is possible to use the address generated in the TOR network for analysis. After we played a little bit with the internal address in the TOR network we found the following login panel for C&C:

We recognize the name Atrax on the login screen. It’s the main reason why we chose the name Win32/Atrax.A for detection by ESET products.
Win32/Atrax.A supports the execution of remote commands for setting up bot behavior on the infected machine. The main routine for recognizing and executing remote commands looks like this:

The list of supported remote command types:

• dlexec – download and execute file
• dlrunmem – download file and inject it to browser
• dltorexec – download TOR executable file and execute
• dltorrunmem – download TOR executable file inject it to browser
• update – update itself
•  install – download file, encrypt with AES and save to %APPDATA%
• installexec – download file, encrypt with AES and save to %APPDATA% and execute afterward
• kill – terminate all own threads

After reconstruction of the structure of remote commands and the execution algorithm we tried playing with the C&C protocol. We tried to send a status to C&C confirming a successful plugin installation process and fortune smiled upon us: we got a path to the next plugin download:

Two different type of plugins were downloaded: the first is a form grabber and the second is a password stealer. All downloaded modules were compiled in July according to the compilation time stamp:

[Form Grabber]

[Password stealer]
Win32/Atrax.A is interesting example of a TOR-based botnet with AES encryption for additional plugins and a unique encryption key dependent on hardware parameters of the infected machine for its generation. We continue to track activity for this botnet.

Win32/Agent.PTA

Another family tracked in July and using a TOR-based communication protocol is Win32/Agent.PTA. This is not a new malware family and has already been tracked by ESET since 2012. But the TOR-based protocol is new functionality detected during this summer. This trojan also uses TOR hidden service protocol for communicating with command control panel. Agent.PTA has embedded configuration information encrypted by RC4 cypher with C&C addresses inside the TOR network. Decrypted configuration information looks like this:

Win32/Agent.PTA is a trojan with a simple form grabber and the ability to download additional plugins. This trojan also can activate a SOCKS5 proxy by receiving a special command from the C&C.  

Conclusion

This year we had already detected TOR-based botnets but during the summer we have observed a growth in the numbers of malware families starting to use TOR-based communications. The TOR-based botnets make it really hard to pursue investigation and C&C location tracking. But we have demonstrated with Win32/Atrax.A botnet that ways to analyze communication protocols have not changed and all the old tricks work with addresses in a TOR network too.
Anton Cherepanov, Malware Researcher
Aleksandr Matrosov, Security Intelligence Team Lead
                                                                                                                     
SHA1 hashes for analyzed samples:
Win32/TrojanDownloader.Tiny.NIR -                      7c19ad6b9b229bf559e7cfbbec2d1eb089318b54
Win32/Atrax.A (dropper) –                                          a7da414a5033cd3178fa5dc2cd52017e5e658b98
Win32/Atrax.B (formgrabber32) -                             5bcb59b0025ba397d30938d16bc6904475bb3f89
Win32/PSW.Agent.NXG (atraxstealer32) -            16b7b43625ccba34f67258fa1c4b8017e8d0e747
Win32/Agent.PTA -                                                         3a30e858294d214c68d14069c615017626d1b39d

Phishing Google Wallet and Paypal by abusing WhatsApp

Introduction

WhatsApp is one of the most common used tools aka ‘Apps’ on Smarphone-Devices with access to wireless networks or a so called Data-’Flatrate’. By using the internet link to communicate, people do not have to pay any extra fees for sending a text-message somewhere, even if the receiver is in another country.

WhatsApp is available for almost every architecture on the market. The program exists for Nokia, Blackberry, Android and iOS. It is available here: https://www.whatsapp.com. This post will focus on the version for android.

The app is free for one-year in Android devices. After that time the user has to buy a yearly license. The application provides 3 methods of payment:

• google wallet
• paypal
• payment link.

They can be selected via Menu->Settings->Account->Payment Info.

Bug

Google-wallet and Paypal payments work in the same way. When selecting it, WhatsApp opens an in-app browser and contacts its main server www.whatsapp.com with the request:

/payments/google.php?phone=XXXXXXXXXXXX&cksum=<request checksum>&sku=1&lg=en&lc=US

or

/payments/paypal.php?phone=XXXXXXXXXXXX&cksum=<request checksum>&sku=1&lg=en&lc=US

Responding to this request the browser gets redirected to the proper checkout service.
The payment link option seems to be currently not working, i.e., nothing happens.

Attacks

Even tough the communication with the payment systems is HTTPS secured, the initial contact with the main server www.whatsapp.com is NOT, as we can see in Wireshark logs:

GET /payments/google.php?phone=xxxxxxxxxx&cksum=<checksum>&sku=1&lg=en&lc=US HTTP/1.1
Host: www.whatsapp.com
Accept-Encoding: gzip
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.7;
Cookie: __utmmobile=0xxxxxxxxxxxxxxx
Accept:application/xml,application/xhtml+xml,text/html;
q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7

After Whatsapp sent this unencrypted request, it will receive the following answer.

HTTP/1.1 200 OK
X-Powered-By: PHP/5.4.7
Content-type: text/html
Transfer-Encoding: chunked
Date: Mon, 10 May 2013 5:34:36 GMT
Server: lighttpd/1.4.31
5e4

<html>
<head>
<meta name="HandheldFriendly" content="true"/>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>WhatsApp Messenger payment</title>
</head>
<body onLoad="document.getElementById('google').submit()">
<p>Please wait...</p>
<form id="google" method="POST" action="https://checkout.google.com api/checkout/v2/checkoutForm/Merchant/xxxxxxxxxxxxxx" accept-charset="utf-8">
<input type="hidden" name="shopping-cart.items.item-1.item-name" value="One year of WhatsApp service for phone XXXXXXXXXXXXXXX"/>
<input type="hidden" name="shopping-cart.items.item-1.item-description" value="WhatsApp Messenger"/>
<input type="hidden" name="shopping-cart.items.item-1.merchant-item-id" value="1"/>
<input type="hidden" name="shopping-cart.items.item-1.merchant-private-item-data" value="XXXXXXXXXXXXXXX"/>
<input type="hidden" name="shopping-cart.items.item-1.unit-price" value="0.99"/>
<input type="hidden" name="shopping-cart.items.item-1.unit-price.currency" value="USD"/>
<input type="hidden" name="shopping-cart.items.item-1.quantity" value="1"/>
<input type="hidden" name="shopping-cart.items.item-1.digital-content.display-disposition" value="OPTIMISTIC"/>
<input type="hidden" name="shopping-cart.items.item-1.digital-content.email-delivery" value="true"/>
<input type="hidden" name="checkout-flow-support.merchant-checkout-flow-support.continue-shopping-url" value="http://www.whatsapp.com/payments/success.php"/>
<input type="hidden" name="_charset_" />
</form>
</body>
</html>
0

This means an attacker could intercept the first request via a suitable man-in-the-middle attack and successfully redirect the user to any Webpage when the user is trying to buy Whatsapp credit. To gain useraccounts the attacker could setup a fake Google-Wallet or Paypal Systems page to harvest user accounts. It might even be possible to gather directly money through this, for instance let the user pay the 0,99 cents via Google Wallet or Paypal to the account of the attacker.

Besides an attacker could forward some other content like a webpage with a new apk necessary for using google-wallet or paypal, like the (in)-famous Zitmo Trojan did at visiting a Bankingsite and spending users some extra “Security”-Features.

Practical abuse of the bug

As buying the credit only happens one time per year the attack itself is quite uncommon to be practical for a huge misuse as the attacker needs to be in control of the wireless or gsm network to intercept and redirect the traffic.

Affected Versions

2.9.6447 to 2.10.751 (latest as of 2013 July 2)

Contact with Vendor History

19.06.2013	1st Mail from crt
19.06.2013	2nd Mail from crt
15.07.2013	3rd Mail – Send full bugdescription

First active Google Android Master Key exploit discovered in the wild

A wave of attacks exploiting a Master Key vulnerability in Google's Android OS has been discovered.
Symantec researchers confirmed detecting two cases where legitimate applications have been warped into malware-spreading tools using the Master Key vulnerability.
"Norton Mobile Insight – our system for harvesting and automatically analysing Android applications from hundreds of marketplaces – has discovered the first examples of the exploit being used in the wild. Symantec detects these applications as Android.Skullkey. We found two applications infected by a malicious actor. They are legitimate applications distributed on Android marketplaces in China to help find and make doctor appointments," read the statement.
"Using the vulnerability, the attacker has modified the original Android application by adding an additional classes.dex file (the file which contains the Android application code) and also adding an additional Android manifest file (the file which specifies permissions)."
Symantec warned that the apps are designed for a variety of malicious purposes and expects to see further attacks leveraging the vulnerability. "An attacker has taken both of these applications and added code to allow them to remotely control devices, steal sensitive data such as IMEI [International Mobile Equipment Identity] and phone numbers, send premium SMS messages, and disable a few Chinese mobile security software applications by using root commands, if available," read the report.

"We expect attackers to continue to leverage this vulnerability to infect unsuspecting user devices. Symantec recommends users only download applications from reputable Android application marketplaces."
The Master Key vulnerability was first uncovered by Bluebox Security. Google has released a patch for the vulnerability to carriers and hardware partners. It is currently up to the partners to distribute the fix, a cycle that can take several months.
The news comes during a wider boom in the number of cyber attacks targeting Android. Most recently security firm BitDefender reported detecting a spike in the number of finance industry-focused attacks and ransomware levels targeting the ecosystem.

Android threats shifting to banking and ransomware

Android malware is becoming more sophisticated, with ransomware and attacks that harvest bank details on the increase, according to Bitdefender.
A report from the security software firm highlighted that SMS-based malware – which send texts to premium-rate numbers – is still by far the most common form of Android malware, but more advanced viruses are also on the rise.
The firm highlighted an attack that targets text messages related to banking, known as ZitMo. "ZitMo receives commands from a Command and Control server and can forward all incoming SMS messages to it. This is of particular interest to attackers as they can receive the banking mTAN (mobile Transaction Authentication Number) as soon as users initiate the transaction."
Almost half of ZitMo reports currently come from China, but European countries such as Germany and Romania are also reporting outbreaks.
Ransomware, already a common sight for unwitting PC users, is also on the rise. The malware demands payment in order for users to regain control of their devices and is distributed as antivirus software.
Catalin Cosoi, Bitdefender's chief security strategist, said that ransomware is following the same pattern as it did when it first emerged on PCs. "The increased level of sophistication and its similarity with PC ransomware might suggest that Android malware coders are branching out," he said.
"Emulating the behaviour of PC malware on Android is no novelty, as we saw in the past how adware gained traction and evolved on the mobile OS."
Last week, an Android vulnerability that allowed malicious code to be hidden inside legitimate app installer packages was discovered by security firm Sohpos, which labelled it as an "elementary mistake".

ICO slams police for invading motorists' privacy with 'unlawful' ANPR camera use

The Information Commissioner's Office (ICO) has sent a warning to police forces that use automatic number plate recognition (ANPR) cameras excessively, labelling one town in particular as a ‘ring of steel'.
Royston, in Hertfordshire, has received an enforcement notice from the ICO after its use of seven ANPR cameras branded as ‘disproportionate'. The notice said that they had "effectively made it impossible for anyone to drive their car in and out of Royston without a record being kept of the journey".
The investigation carried out by the ICO stemmed from a joint complaint from privacy activist groups Big Brother Watch, Privacy International and No CCTV. The ICO found that Hertfordshire Constabulary failed to carry out "any effective impact assessments" before the system went live.
The ICO ruled that this use was "unlawful" as it breached the Data Protection Act, and that it was not justifiable for Hertfordshire Constabulary to log every vehicle passing through the town on its system.
The ICO's head of enforcement Stephen Eckersley said: "It is difficult to see why a small rural town such as Royston, requires cameras monitoring all traffic in and out of the town, 24 hours a day. The use of ANPR cameras and other forms of surveillance must be proportionate to the problem it is trying to address."
He said that other UK police forces should be taking note of Royston's plight. "We hope that this enforcement notice sends a clear message to all police forces, that the use of ANPR cameras needs to be fully justified before they are installed. This includes carrying out a comprehensive assessment of the impact on the privacy of the road-using public."
Privacy group No CCTV hailed the enforcement notice as a "landmark decision" but said the crackdown should go further. "This can only be the beginning – our concerns go beyond regulatory frameworks, highlighting the detrimental consequences on our society of sacrificing freedoms without question and turning everyday life into a scene of crime," it said.
Hertfordshire Constabulary was unable to provide comment when contacted by V3, but on the launch of the ANPR system in 2011, it said: “Combined with the local Royston Safer Neighbourhood Team, dedicated ANPR road policing team and county-wide resources, criminals now have even more reason to keep out of the area.”

TAO NSA Cyber Warriors Unit has Been Hacking China For 15 years

The primary complaint against China's outift of military hackers has been dual pronged: the U.S. private sector is losing expensive proprietary information, and the public sector is having its sensitive weapons systems compromised.
China's response has been, simply: yeah but the U.S. did it to us first, and worse.
It turns out, China might just be telling it like it is this time.
The deafening sound of internet aggregators shredding Edward Snowden's life into digestible pieces drowned out probably one of the most epic posts of the week: Matthew M. Aid's Foreign Policy piece titled "Inside the NSA's Ultra-Secret China Hacking Group."
In it, Aid describes how the U.S. has a long history of penetrating China's systems what they call "Computer Network Exploitation." The U.S. government, as we should have assumed, knows the most intimate details about the Chinese communist party and its People's Liberation Army.
From Aid's piece:
A highly secretive unit of the National Security Agency (NSA) ... called the Office of Tailored Access Operations, or TAO, has successfully penetrated Chinese computer and telecommunications systems for almost 15 years, generating some of the best and most reliable intelligence information about what is going on inside the People's Republic of China.
TAO mirrors China's methods by first hacking into computer networks, then protecting themselves from being identified, and finally copying ALL communications and files from within that network.
If that sounds familiar, its because the process nearly matches the description Mandiant the company that caught Chinese hackers red-handed gave to explain the method the PLA uses to steal American information.
Except America's system pre-dates that of China.
Chinese Defense Ministry spokesman, Geng Yansheng, recently said in a briefing:
“The team was set up to better safeguard the internet security of the armed forces. Cyber security was an international problem, affecting civil and military areas. China is still “relatively weak” in internet security protection, and vulnerable to cyber-terrorism.”
It's not just China in the mix either — it's Israel, Singapore, Japan, Switzerland, the U.K. and others, British intelligence analyst Glenmore Trenear-Harvey told InfoSec.com.
"This is not just conventional military powers. Put bluntly, everyone’s at it. It is a game anyone can play. But do remember that we – the U.S. and UK – are doing this in reverse and we are very successful," said Trenear-Harvey.
Not only has Obama ordered the military to draw up a list of potential cyber targets around the globe, but most of the military academies now offer majors in Cyber Warfare.
There's also been revelations that the cyber war is getting a big boost from the civilian side. Apparently, more than a third of the Marine Corps' cyber war will be fought by contractors.
Hackers may be full of old tricks, but it's a new battlefield, and it looks like everyone is down to play the game.
"[Cyber Warfare] an incredibly potent weapon which will certainly be utilized,” said Trenear-Harvey.

Hackers use Android 'master key' exploit in China

A security firm says it has identified the first known malicious use of Android's "master key" vulnerability.
The bug - which was first publicised earlier this month - allows attackers to install code on to phones running Google's mobile operating system and then take control of them.
Symantec said its researchers had found two apps distributed in China that had been infected using the exploit.
Google has already taken moves to tackle the problem.
A fortnight ago it released a patch to manufacturers, but it will not have been sent to all handset owners yet.
Google also scans its own Play marketplace for the exploit, but this will not protect consumers who download software from other stores.
Premium texts
The vulnerability was first reported by security research firm BlueBox on 3 July.
All Android apps contain an encrypted signature that the operating system uses to check the program is legitimate and has not been tampered with.
But BlueBox said it had found a way to make changes to an app's code without affecting the signature.
It warned the technique could be used to install a Trojan to read any data on a device, harvest passwords, record phone calls, take photos and carry out other functions.
According to Symantec, hackers have now exploited the flaw to install malware called Android.Skullkey, which steals data from compromised phones, monitors texts received and written on the handset, and also sends its own SMS messages to premium numbers.
It said the Trojan had been added to two legitimate apps used in China to find and make appointments with a doctor.
We expect attackers to continue to leverage this vulnerability to infect unsuspecting user devices," its report warned.
"Symantec recommends users only download applications from reputable Android application marketplaces."
The firm added that affected users could manually remove the software by going into their settings menu.
One telecoms consultant said the news highlighted the difficulty Google had in distributing changes to Android.
"When Google releases its updates, manufacturers want to check them and then network operators also want to certify the code as well," said Ben Wood, director of research at CCS Insight.
"It's a consequence of having so many different firms making Android devices, with most running their own user interfaces on top.
"By contrast, Apple just pushes its updates directly to consumers."

French-based Server Host OVH Hacked Across U.S. EU ,CA Data compromised

Top Server host based in France published on its status page that a few days ago, they discovered that the security of its  internal network at their offices in Roubaix had been compromised.
Following read on OVH website
After internal investigations, it appeared that a hacker was able to obtain access to an email account of one of our system administrators. With this email access, they was able to gain access to the internal VPN of another employee. Then with this VPN access, they were able to compromise the access of one of the system administrators who handles the the internal backoffice.
Until then, internal security was based on 2 levels of verification:
- Geographical: required to be in the office or to use the VPN, i.e.: the IP source
- Personal: password
Measures taken following this incident
---------------------------------------
Immediately following this hack, we changed the internal security rules:

•  Passwords of all employees were regenerated for all types of access.
•  We set up a new VPN in a secure PCI-DSS room with highly restricted access
• Consulting internal emails is now only possible from the office / VPN
•  All those who have critical access now have 3 verification levels:
• Ip source
•  Password
• Staff's USB security token (YubiKey)

Findings
-------
After our internal investigation, we assume that the hacker exploited the access to achieve two objectives:
- Recover the database of our customers in Europe
- Gain access to the installation server system in Canada
The European customer database includes personal customer information such as: surname, first name, nic, address, city, country, telephone, fax and encrypted password.
The encryption password is "Salted" and based on SHA-512, to avoid brute-force attacks. It takes a lot of technical means to find the word password clearly. But it is possible. This is why we advise you to change the password for your user name. An email will be sent today to all our customers explaining these security measures and inviting them to change their password.
No credit card information is stored at OVH. Credit card information was not viewed or copied.
As for the server delivery system in Canada, the risk we have identified is that if the client had not withdrawn our SSH key from the server, the hacker could connect from your system and retrieve the password stored in the .p file. The SSH key is not usable from another server, only from our backoffice in Canada .
Therefore, where the client has not removed our SSH key and has not changed their root password, we immediately changed the password of the servers in the BHS DC to eliminate an risk there. An email will be sent today with the new password. The SSH key will be systematically deleted at the end of the server delivery process in both Canada and Europe. If the client needs OVH for support, a new SSH key will need to be reinstalled.
Overall, in the coming months the back office will be under PCI-DSS which will allow us to ensure that the incident related to a
specific hack on specific individuals will have no impact on our databases. In short, we were not paranoid enough so now we're switching to a higher level of paranoia. The aim is to guarantee and protect your data in the case of industrial espionage that would target people working at OVH.
We also filed a criminal complaint about this to the judicial authorities. In order not to disrupt the work of investigators, we will not give other details before the final conclusions.
Please accept our sincere apologies for this incident. Thank you for your understanding.
Regards,
Octave

Android Remote Access Trojan for Sale, Cheap!

Computer viruses replicate indiscriminately, spreading their infection at every opportunity. A Remote-Access Trojan, or RAT, is a targeted tool, and that makes it quite a different story. When a PC has a RAT running, the RAT's owner can download files, run programs, spy using your webcam... the RAT gives total control. RATs exist for Android too, and for just $37 you can easily create a Trojan that will install your very own Android RAT. Scary? You bet! Open-Source Origins
RAT can also stand for the safer-sounding phrase "Remote Administration Tool." That's the phrase used to describe the open-source tool Androrat, which provides the actual remote control and monitoring. Written by a team of four French university students, the tool consists of two parts, a client written in Java Android and a server written in Java/Swing.
Looking at the project's home page you'll find a laundry list of actions that the remote controller can trigger on the Android device. The list includes, but isn't limited to: get all contacts, call logs, and messages; get the device's location by GPS or network; monitor phone calls and texts in real time; stream sound from the microphone; and send a text.
The client runs as a service that starts during the boot process. That means it can run without the phone owner's knowledge. Of course the RAT-herder won't be managing it all the time, but a simple text can engage the phone's connection to the server.
Send in the Trojans
Androrat is a free, open-source project that anybody can download and use. With full access to someone's phone, you could just install it manually. What you get for your $37 is the Androrat APK Binder. Using this simple tool, you can take the APK file for any Android app and inject Androrat's code into it. Of course you'll have to somehow convince your victim to run the Trojanized app.
The Binder's author strongly advises that you start by learning how to use Androrat. He points out that he is not the creator of Androrat and does not offer Androrat support. And he doesn't offer refunds. Still, for $37 even someone with only minimal skillz can create an effective Trojan that will install Androrat.

Summer of Spam, or Why Over 25 Percent of Belarus's IP Addresses Are Being Blocked

A new report from the Cloudmark security company has two big takeaways. First, that spam comes in waves, playing off popular terms that will appeal to victims. Second, that more than a quarter of Belarus' total IP space has been blocked for sending out spam. Wow.
Belarus Bombed by Spam
Let's work through that Belarus figure because not only is it a bit complicated, it also exposes how spammers operate. According to Cloudmark's report, the company is blocking 27.4 percent of Belarus's total IP address space. The former longtime record holder for percentage of IP addresses blocked is Romania, which currently has 22.3 percent of its total IP space blocked by Cloudmark.
That sounds like a lot, and it is, but Cloudmark researcher Andrew Conway broke down what these numbers really mean. He explained that IP addresses are assigned differently country-by-country. "The US has been allocated five IP addresses per person, where as Nigeria has one address for every 120 people," he went on to explain that each IP address can be further split using different translation processes.
When you look at the actual number of IP addresses blocked, you see that Belarus is almost tied with the U.S., both hovering around three million sites. By comparison, only 0.2 percent of US addresses are being blocked. This means that Belarus has far fewer IP addresses assigned to it than the US, but that a hefty portion of them are being used by spammers.
Also interesting is how Belarus burst onto the spam scene only recently. In January of 2013 only about five percent of the country's IP addresses were blocked for sending spam. That number shot up over the course of just a few months as spammers moved their operations to Belarus hosting services, peaking in May of 2013 at just under 30 percent.
"We were blocking so much of Romania that spammers started moving to Belarus and Russia," explained Conway. "Spammers will follow the path of least resistance."

Robot vs Android: PIN-cracking machine can break any code in hours

The PIN codes used to protect Android smartphones offer a useful line of defense against criminals – unless, that is, your device falls into the hands of the robot R2B2.
R2B2 – it stands for Robotic Reconfigurable Button Basher – was designed by two researchers from iSec and will be shown off at the Black Hat security conference in Las Vegas. R2B2 can “guess” any Android 4-digit PIN code within 20 hours, the researchers claim – by simply trying every possible combination. A video of R2B2 at work can be seen here.
Justin Engler of iSec says that many companies argue, “R2B2 can also handle more esoteric lockscreen types such as pattern tracing. R2B2 can crack a stock Android 4 digit PIN exhaustively in 20 hours.”
“There’s nothing to stop someone from guessing all the possible PINs,” says Engler,. “We often hear ‘no one would ever do that.’ We wanted to eliminate that argument. This was already easy, it had just never been done before. Products relying on PINs or short passwords need to defend against online attacks. Our hope is that with the information for building these devices available to the public, vendors will implement software protections against this trivial hardware brute force attack.”
The researchers admit, however, that R2B2 would be foiled by an iPhone – the device “times out” after repeated wrong answers, according to a report in Forbes.
“R2B2 can operate on touchscreens or physical buttons. Times for other devices vary depending on lockout policies and related defenses,” say the researchers. A companion password robot, C3B0, is designed to work with capacitive touchscreens, and remains a work in progress.
“Capacitive Cartesian Coordinate Bruteforceing Overlay (C3BO) is a combination of electronics designed to electrically simulate touches on a capacitive touch screen device. C3BO has no moving parts and can work faster than R2B2 in some circumstances,” say the researchers.

Tango messaging app hacked – “millions” of user details leaked

 

The popular messaging app Tango has been hacked – and hacker group Syrian Electronic Army (SEA) claims to have accessed “millions” of users’ personal details, downloading 1.5 terabytes of information including private phone numbers, contact lists and emails.

The app is used by more than 100 million people. Tango confirmed the breach via its Twitter feed, saying, “Tango experienced a cyber intrusion that resulted in unauthorized access to some data. We are working on increasing our security systems.” The company also apologized, saying, “”We sincerely apologise for any inconvenience this breach may have caused our members.”

“Much of the information in the databases that were downloaded  will be delivered to the Syrian government,” the group claimed in a post on its website. “ The databases content a of millions of  the app users phone numbers and contacts and their emailsMore than 1,5 TB of the daily-backups of the servers network has been downloaded successfully.”

The hackers reportedly gained access due to Tango’s use of an outdated version of WordPress, according to E Hacking News.
The group also targeted chat app Viber this week, although the company claims only minor systems were affected.

“Today the Viber Support site was defaced after a Viber employee unfortunately fell victim to an email phishing attack,” the company said in a statement. “The phishing attack allowed access to two minor systems: a customer support panel and a support administration system. Information from one of these systems was posted on the defaced page.”

In a post on its official site, the SEA claimed to have, “hacked today the website and the database of  the Israeli-based “Viber” app The SEA downloaded some of the app databases And after we gain access to some systems of that app, it was clear for us that the propuse of this app is spying and tracking of its users The SEA hacked the support page of the Viber app and uploaded screenshots of one of the app systems in addition to the app administrators names/phone numbers.”

Lakeland databases hit by ‘sophisticated cyber attack’ exploiting Java flaw

Retailer Lakeland has emailed customers to inform them the website was hit by a “sophisticated and sustained attack” that led to two databases being breached, after cyber criminals used a Java flaw to target its systems.
An email from Lakeland’s managing director, Sam Rayner, informed customers that the attack occurred on 19 July and was undertaken by attackers with “concerted effort and considerable skill".
He wrote: “Immediate action was taken to block the attack, repair the system and to investigate the damage done, and this investigation continues. It has become clear that two encrypted databases were accessed, though we've not been able to find any evidence that the data has been stolen.”
However, in order to be secure, the firm has deleted all existing passwords and will prompt users to resubmit a new password the next time they access the website.
“We also advise, as a precaution, that if you use the same password on any other account/s, you should change the passwords on these accounts as soon as possible,” Rayner added.
In order to be open with customers and industry the firm gave more insights on the hack, explaining it targeted Java, which will come as no surprise to many security vendors who revealed huge flaws with the software at the start of the year.
“Lakeland had been subjected to a sophisticated cyber attack using a very recently identified flaw in the Java software used by the servers running our website, and indeed numerous websites around the world. This flaw was used to gain unauthorised access to the Lakeland web system and data."
The hack is the latest incident of the threats facing companies, especially those that store customer data and financial information, from the rising tide of cyber threats and attacks being carried out by cyber criminals.