Pat Dickinson

Melbourne man Paul Sant has been charged with unauthorised broadcasting over to pilots over radio bands restricted to aviation users, causing one plane to abort a landing to Tullamarine Airport.

Sant, 19, is alleged to have placed 16 separate transmissions to pilots at Tullamarine and Avalon airports between 5 September and 3 November.

He faces up to a maximum 20 years jail.

The Rockbank man and one-time employee of airline Virgin Australia has been charged with four counts of endangering the safety of aircraft and one count of interference likely to endanger safety.

Media report Sant's lawyer told the court he has been diagnosed with autism and depression without medication.

Australian Federal Police (AFP) confirmed to Vulture South Sant is not alleged to have "hacked" any aviation system, contrary to reports, but merely used broadcasting equipment to make transmissions to pilots in contravention of aviation security laws.

Aviation transmission kit on eBay

Aviation transmission kit on eBay.

Aviation transmission gear capable of communicating with pilots can be bought online for around AU$ 200.

Enthusiasts regularly tune into the broadcasts which are sent unencrypted meaning no hacking is required to make transmissions.

The AFP’s crime operations head acting assistant commissioner Chris Sheehan says aviation security laws are "robust".

“The current security measures in place for the airline industry are robust, and the traveling public should be reassured we are treating this matter appropriately,” Sheehan says.

“These incidents were thoroughly investigated by the AFP with the technical support of Airservices and the Australian Communications and Media Authority. ®

Sponsored: Customer Identity and Access Management


The Register - Security

In the early days of the internet, communication was by email. Originally siloed by companies like Compuserve, AT&T and Sprint so that messages could only be exchanged with others on the same system, email is now ubiquitous. Pretty much anyone can communicate with anyone else without worrying about app or device or browser.

Today there are additional methods of communicating via the internet, such as chat and voice. These new methods, however, are currently similar to early email: siloed by different vendors so that users can communicate only with other users on the same system. Matrix.org aims to change this, so that any user on one system can communicate with any user on a different system; just like email today.

Matrix: De-centralized Encrypted Real-time Communications over IPMatrix is an open standard for interoperable, decentralized, real-time communication over IP. It can be used for any type of IP communication: IM, VoIP, or IoT data. One system already operating on Matrix is the open team collaboration app, Riot. While Riot is described as "a simple and elegant collaboration environment that gathers all of your different conversations and app integrations into one single app," it can actually communicate with any user anywhere in the Matrix ecosphere.

The Matrix organization has not adopted the usual method of approaching all the big companies and trying to get the world to adopt Matrix. Instead, technical co-founder Matthew Hodgson told SecurityWeek, "We're just building it -- putting it out there on the internet as a de facto standard, and we then go and build bridges through to the existing communities. We've already got bridges through to Slack and to Skype and to IRC and various other online communities. Since the entire thing is open source, we're also getting contributors from all round the world building bridges to their own systems; such as Ericsson building bridges into their own infrastructure. Or it could be contributors who write their own bridge to link something like Telegram or Twitter -- and they basically act as a bridge to link existing silos into matrix. It's a very pragmatic way of solving the problem."

This still requires cooperation from the vendors. New companies like Slack are often open to cooperation, but larger companies like Microsoft (Skype) are not necessarily so. However, the Nadella Microsoft seems to be far more pragmatic than the Ballmer Microsoft.

"They've not fundamentally changed their spots," said Hodgson, "but at least superficially there's much more openness to this sort of technology; and the reality is that Skype is on the back foot, hemorriging users. Microsoft could do with any help it can get in trying to regain the 'cool' factor and market share. It has actually been very positive in letting us integrate with Skype. We haven't integrated Skype into Matrix, but we're in conversation -- especially since Skype is turning into a platform itself, and Microsoft realizes there is a problem of reach for its O365 customers (who have their own teams using Slack and other 'silos'). Matrix is the only common ground that can be used to link these different apps together."

He said that the only pushback Matrix has had so far has been from Facebook, "unsurprisingly," he added, since they are the incumbent and want to keep their monopoly as long as they can. But literally everyone else is amenable to pooling resources to make the world a better place. Matrix is the necessary counterbalance that can maintain the openness of the internet against monopolistic designs of big organizations."

However, the matrix itself is not enough: users, especially enterprise users, need to trust the privacy of their communications. The solution is the new beta launch of Olm encryption.

"E2E encryption is particularly important to Matrix where its decentralized nature means that a conversation can end up replicated over thousands of different servers. When the participant 'rooms' are public, that's not a problem. But if they're private rooms you get a huge attack envelope where you basically just blindly trust all of the server admins not to snoop on the content of the room." 

"In practice, he added, it's not much different to email. If I send an email to 1,000 people, it could end up on 1,000 different mail servers. But with Matrix we can and should do better. We've spent the last two years building our E2E encryption, so that if I send a message to someone on Matrix it is never stored unencrypted on any of the servers, and it can only be decrypted by the participants. It's much like WhatsApp and Allo; but we are the only one that is decentralized and not dependent on a silo or walled garden like Signal. We think it's the perfect storm for communications, combining encryption with decentralization."

To this end, Matrix has announced and launched the formal beta of the new Olm end-to-end encryption implementation across Web, iOS and Android. “With Matrix.org and Olm," commented Hodgson, "we have created a universal end-to-end encrypted communication fabric -- we really consider this a key step in the evolution of the Internet."

Olm is the Matrix implementation of the Double Ratchet algorithm designed by Trevor Perrin and Moxie Marlinspike. It was chosen, explained Hodgson in a blog post Monday, "in its capacity as the most ubiquitous, respected and widely studied e2e algorithm out there – mainly thanks to Open Whisper Systems implementing it in Signal, and subsequently licensing it to Facebook for WhatsApp and Messenger, Google for Allo, etc."

Olm has been reviewed by NCC Group (PDF). In keeping with its open philosophy, Matrix has ensured this review is available online. Several issues were discovered by NCC, including one high risk and one medium risk. The most exotic of these was an 'unknown key share attack'. "Needless to say," wrote Hodgson, "all of these issues have been solved with the release of libolm 2.0.0 on October 25th and included in today’s releases of the client SDKs and Riot."

view counter

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Previous Columns by Kevin Townsend:

Tags:


SecurityWeek RSS Feed

The Manhattan District Attorney's Office released an updated report denouncing smartphone encryption, but experts said the data was willfully misleading.

Cyrus Vance, Jr., district attorney for New York County, released version 2.0 of the Report on Smartphone Encryption and Public Safety. According to the report, the Manhattan DA's Office has "423 Apple iPhones and iPads lawfully seized since October 2014 [that] remain inaccessible due to default device encryption." Vance said the number of inaccessible devices has been on the rise.

"While the Manhattan District Attorney's Office has been locked out of approximately 34% of all Apple devices lawfully recovered since October 2014, that number jumped to approximately 42% of those recovered in the past three months," the report said. "With over 96% of all smartphones worldwide operated by either Apple or Google, and as devices compatible with operating systems that predate default device encryption are becoming outdated, this trend is poised to continue."

Experts said there was important context information omitted from this portion of the report, notably how many total cases the Manhattan DA's Office handled over that time period in order to understand the proportion of cases influenced by inaccessible mobile devices.

Rebecca Herold, CEO of Privacy Professor, said given the population and the amount of crime in the New York area, 423 inaccessible devices collected over two years "seems very low."

"Plus, for those 400 devices, how many were they able to get metadata, logs from associated cloud services, and other data from that did help with their investigation?" Herold asked. "They should have provided those insights to support a balanced report."

Liviu Arsene, senior e-threat researcher at Romania-based antimalware firm Bitdefender, said the report also didn't mention the number of people protected by smartphone encryption.

"It's safe to estimate that the number of people protected from threat actors by iOS security is by far greater than the 400 devices in question by the Manhattan DA," Arsene said. "Encryption technologies have caused more good than harm when it comes to protecting privacy."

Matthew Gardiner, cybersecurity strategist at Mimecast, said "Apple sells approximately 50 million iPhones every quarter, and has sold approximately 1 billion since the beginning of time. Increasing the vulnerability of the vast majority of those users to open up 400 phones is not a reasonable tradeoff."

The report said "approximately 10% of the impenetrable devices pertain to homicide or attempted murder cases and 9% to sex crimes," and Arsene said these distinctions were important.

"While 400 devices might not seem like a large number, it all depends to whom those devices belong to and whether or not those individuals were involved in activities endangering national security," Arsene told SearchSecurity. "However, it's entirely possible that incriminating evidence involving terrorist or criminal activities could probably be procured from other sources, rather than relying on a single phone as a single point conviction."

Surveillance and privacy

The report discussed the potential other sources for gathering investigative data, but argued against the idea that we live in a "golden age of surveillance."

"The other sources of information may be incomplete, or unavailable to law enforcement," the report read. "They generally do not give as complete a picture of criminal liability, or as complete access to evidence relevant to a criminal investigation or prosecution, as would a mobile device."

Additionally, the report said the end-to-end encryption being added to communication apps like Facebook Messenger and WhatsApp "show that far from it being a "golden age" for law enforcement, today's criminals have means of communication that are more secure from law enforcement’s scrutiny than criminals had ever dared hope."

Experts pointed out this argument ignored two major sources of data available to investigators faced with smartphone encryption: metadata and cloud backups. Apple has admitted to providing law enforcement with metadata and iCloud backup data when presented with a valid warrant.

Arsene said there was no way to know if there was iCloud data associated with the devices in question obtained by the Manhattan DA's Office, but he stressed that metadata can be valuable.

"Metadata is at the core of modern day information collection technologies as it removes any personally identifiable information about the individual from the picture, and focuses on his behavior, without infringing on his right to privacy," Arsene said.

Herold said strong encryption was not only available in the U.S. and "if a terrorist or criminal is bent on keeping their communications with others strongly protected, they have many options available elsewhere throughout the world they can use." Additionally, Herold said the constant argument for weakened encryption or backdoors has ultimately limited law enforcement from getting metadata for investigations.

"Requiring U.S. technology companies to build backdoors into encryption will result in criminals and terrorists using encryption tools from other countries, will only hurt U.S. businesses by driving all consumers to other countries for such technologies and will not lead to measurably any more capabilities for their investigation purposes," Herold said. "In fact, investigators will now have less data, because those non-U.S. technology companies will not cooperate with U.S. investigators on cases where they could have gotten a lot of metadata, logs and other useful data beyond the encrypted data from a U.S.-based tech company, such as Apple or any other tech business they seem focused on ruling over."

The Manhattan DA's Office declined to comment on this story.

Getting around smartphone encryption

According to the report, the Manhattan DA's Office "advocates enactment of a federal law that would require smartphone manufacturers and software designers whose software is used in smartphones to retain the ability to extract the information on the smartphones, if and when the manufacturer or designer receives a search warrant for that information. The proposed legislation would restore the status quo before Apple's iOS 8, and would be no different conceptually than legislation that requires products to be safe, buildings to be constructed with exits and egresses that satisfy specific requirements, and roads to have maximum speed limits."

The "status quo" refers to the time before iOS 8 when full device encryption was not the default for Apple products. The report asserts "the actual benefits of iOS 8's default device encryption [has] not been demonstrated by Apple" and "default device encryption does not meaningfully increase smartphone users' protection from unauthorized hackers."

Experts widely disagreed with this assessment, and Herold pointed out the report referenced a decision in The Netherlands that contradicted the argument of the Manhattan DA's Office.

In the list of actions from other countries the report pointed out that "in January 2016, the Dutch government announced that it would not require technology companies to share encrypted communications with security agencies."

The link in the footnote quoted the Dutch Ministry of Security and Justice saying that allowing law enforcers to access protected data would make digital systems vulnerable to "criminals, terrorists and foreign intelligence services," and added "this would have undesirable consequences for the security of information stored and communicated and the integrity of [information and communication technology] systems, which are increasingly of importance for the functioning of the society."

Herold said, "That point summarizes the heart of the issue well: we need strong encryption for the peaceful and privacy-respecting functioning of our modern, digital society."

The report reiterated the various security claims made by Apple regarding iOS 7 in 2012,. Specifically, it said that before iOS 8 Apple maintained the ability to aid law enforcement with investigations and said that "Apple's method of data extraction before iOS 8 was never compromised."

Arsene said Apple's advancement of iOS security was "not necessarily aimed at hindering law enforcement efforts, but at offering users more privacy and security features with the purpose of adding value to Apple's products."

"Good enough security has never been best practice, especially since the digitalization of services and infrastructures has brought forward new attack methods and threats. Security is all about constantly developing and placing more barriers between you and the attacker, increasing the cost of attack and making it difficult for someone to gain access to your data," Arsene said. "Cybercriminals are more creative than we'd like to think and relying on outdate or deliberately vulnerable technologies to protect and secure our data is not just bad practice, but also shortsighted."

Ultimately, the report said there was "an urgent need for federal legislation that would compel software and hardware companies that design or build mobile devices or operating systems to make such devices amenable to appropriate searches," but said all current attempts, including the Burr-Feinstein bill were inadequate. Because of this, the Manhattan DA's Office has proposed legislation that "would require those who design operating systems to do so in a way that would permit law enforcement agents with a search warrant to gain access to the mobile devices."

Herold said "it is misleading, at best, to vilify the use of strong encryption," and said the Manhattan DA's Office is asking for a smartphone encryption backdoor, just without using the word "backdoor."

"Law enforcement has got to stop propagating the false narrative of encryption being all bad. They must balance the effect of encryption to also point out the significantly larger amount of good this effective technology tool does than any harm that they always seem to focus upon," Herold said. "Overall their report is not balanced, and is skewed to promoting fear, uncertainty and doubt within the public in an effort to get their way, and to in effect get access to everyone in the U.S.'s digital selves. If people cannot be compelled to speak in person, then they should not be compelled to have their digital voices revealed either."

Next Steps

Learn more about how encryption legislation could affect enterprise.

Find out why experts say lawmakers don't understand encryption backdoors.

Get info on whether the feds needed Apple's help to bypass smartphone encryption.


SearchSecurity: Security Wire Daily News

Here’s an overview of some of last week’s most interesting news, podcasts, reviews and articles:

Researchers reveal WiFi-based mobile password discovery attack
A group of researchers has come up with WindTalker, a new attack method for discovering users’ passwords and PINs as they enter them into their smartphones.

New users flock to ProtonMail in wake of Trump’s victory
ProtonMail is a Swiss-based secure email service launched by a group of CERN and MIT scientists in 2013.

Ransoc browser locker/ransomware blackmails victims
An unusual combination of browser locker and ransomware, dubbed Ransoc by researchers, is targeting users who visit adult sites.

Review: iStorage diskAshur Pro SSD
The iStorage diskAshur Pro SSD is the hard drive for users with security on their mind.

Traveling on business? Beware of targeted spying on mobile
Corporate spying is a real threat in the world of cyber war. Employees traveling on behalf of their company could create opportunities for sophisticated adversaries to take sensitive corporate data. This is especially true if they are not careful with their mobile devices.

Low-cost PoisonTap tool can compromise locked computers
Dubbed PoisonTap, the tool consists of a Raspberry Pi Zero controller with a USB or Thunderbolt plug, loaded with open source software. All in all, this setup can be achieved by anyone who has $ 5 to spare.

Fraudsters accessed Three UK customer database with authorised credentials
Three UK, a telecom and ISP operating in the United Kingdom, has suffered a data breach.

8 million GitHub profiles scraped, data found leaking online
Technology recruitment site GeekedIn has scraped 8 million GitHub profiles and left the information exposed in an unsecured MongoDB database. The backup of the database was downloaded by at least one third party, and it’s likely being traded online.

Encryption ransomware hits record levels
PhishMe’s Q3 2016 Malware Review identified three major trends previously recorded throughout 2016, but have come to full fruition in the last few months

How hackers will exploit the Internet of Things in 2017
Here are three IoT threats likely to emerge in 2017 and what organizations can do to protect themselves.

Why Unidirectional Security Gateways can replace firewalls in industrial network environments
In this podcast recorded at IoT Solutions World Congress Barcelona 2016, Andrew Ginter, VP of Industrial Security at Waterfall Security, talks about Unidirectional Security Gateways. They can replace firewalls in industrial network environments, providing absolute protection to control systems and operations networks from attacks originating on external networks.

Final warning: Popular browsers will soon stop accepting SHA-1 certificates
Starting with Chrome 56, planned to be released to the wider public at the end of January 2017, Google will remove support for SHA-1 certificates. Other browser makers plan to do the same.

Researchers identify domain-level service credential exploit
The exploit could allow cyber attackers to harvest encrypted service credentials from the registry and inject them into a new malicious service to achieve lateral movement and full domain compromise.

Dangerous Android threat points to Italian spyware maker
A piece of Android spyware recently analyzed by researchers with the RedNaga Security team seemed to be yet another Hacking Team spying tool but, according to more recent revelations, another Italian company is its likely source.

Compromised: 339 million AdultFriendFinder users
Friend Finder Networks, the company that operates sites like Adultfriendfinder.com (“World’s largest sex & swinger community”), and Cams.com (“Where adults meet models for sex chat live through webcams”) has been breached – again!

Weave a web of deception to secure data
How can organizations leverage deception-based network security to keep sensitive data safe? Here are three basic steps what to look for.

Analyzing the latest wave of mega attacks
A new report, using data gathered from the Akamai Intelligent Platform, provides analysis of the current cloud security and threat landscape, including insight into two record‑setting DDoS attacks caused by the Mirai botnet.

Cloud adoption hits all-time high, Microsoft and Google dominate
Fifty-nine percent of organizations worldwide now use Office 365 or G Suite, up from 48 percent in 2015.

Critical Linux bug opens systems to compromise
Researchers from the Polytechnic University of Valencia have discovered a critical flaw that can allow attackers – both local and remote – to obtain root shell on affected Linux systems.

Facebook, Google ban fake news sources from their ad networks
Despite Mark Zuckerberg’s dismissive attitude regarding the claim that Facebook had an inappropriate impact on the US elections, the company has moved to bar sources of fake news from its Facebook Audience Network ads.

The new age of quantum computing
Quantum encryption is the holy grail of truly secure communications. If and when quantum computing becomes a widespread reality, many public-key algorithms will become obsolete.

Consumer and business perspectives on IoT, augmented reality risks
As every business becomes a digital business, the spread of technology such as augmented reality (AR) and Internet of Things (IoT) devices can add significant business value and personal convenience. Yet a new study from ISACA shows that consumers and IT professionals disagree on the risks and rewards.

Waterfall BlackBox: Restoring trust in network information
Waterfall Security Solutions announced the launch of the Waterfall BlackBox, developed to maintain the integrity of log repositories in the event of a cyber attack. Based on Waterfall’s patented unidirectional technology, the Waterfall BlackBox creates a physical barrier between networks and logged data, so that stored logs become inaccessible to attackers who are trying to cover their tracks.

Cyber risk in advanced manufacturing: How to be secure and resilient
Study results indicate nearly 40 percent of surveyed manufacturing companies were affected by cyber incidents in the past 12 months, and 38 percent of those impacted indicated cyber breaches resulted in damages in excess of $ 1 million.

New infosec products of the week​: November 18, 2016
A rundown of infosec products released last week.


Help Net Security

Like a train in the night, cybercriminals are fast and stealthy. They are more skilled than ever, and no one is immune to their innovative weapons and tactics. They work in the shadows but don’t shy away from publicly protecting their brands. Most likely, only once the damage is done will they get your full attention.

Building a Security Immune System

While very scary, this problem is also somewhat fascinating. Sitting back and admiring it, however, is not the solution. It’s time to figure out what we are going to do about it. In most cases, our traditional security practices are coming up short. An integrated security immune system can help fill in the gaps.

The Right Tools

It’s not uncommon for an enterprise to have a mess of fragmented tools across a handful of vendors. We often become enamored with the next big thing. In an industry where one breach can carry $ 4 million worth of damage, it’s critical to make sure you’re protected.

But each added tool carries complexity and cost. Instead of buying all the tools, it’s critical to buy the right tools — ones that provide analytics that monitor continuously and can be integrated across the ecosystem.

Risk Versus Innovation

Cloud, mobile, social and the Internet of Things (IoT) are transforming the workplace. But they are also making security a lot more challenging. Case in point, one-third of employees are saving work data to unapproved external cloud apps. They do this because it’s easy and convenient, but they often fail to consider the risk of exposing sensitive data.

One solution is to block the cloud completely, but that would mean missing out on its benefits. Chief information security officers (CISOs) need to balance the trade-off between risk and innovation.

It Can Happen to You

More than half of security attacks target small to medium-sized businesses. Security leaders who think their company isn’t big enough to be on a cybercriminal’s radar should think again. Hoping you aren’t a target is not enough to keep criminals out. For all you know, they’ve been inside your network for months.

We need to move from reactive to proactive strategies. That means assuming you’ve already been breached, constantly testing your security operations and continuously monitoring your network.

Human Error

Despite the tools and technology at our disposal, humans are often the weakest links in the security chain. In fact, 60 percent of attacks come from the inside.

At the end of the day, we’re only human and we make mistakes. But that doesn’t mean we can’t be better. Using stronger passwords, employing privileged access, automating patching and response, and promoting wider education are a just a few ways we can help ourselves.

Find Threats Before They Find You

At IBM Security, we champion the immune system approach. With so many vendors, tools and capabilities, we believe it’s the clearest way to manage the complexity.

Analytics is the core component of the security immune system. It enables your team to consume massive amounts of security data locally — such as logs and flows, usage, sources, cloud risks, mobile alerts, threat intelligence — and externally — including research, blogs, white papers and tweets. With a cognitive engine, data becomes insight that can help your team quickly investigate and respond to incidents.

At the root of this process is the security operations center (SOC), which enterprises are expanding into true security fusion centers. With analytics, you can ditch your passive strategy and go on the offensive to find the threat before it finds you.

Integrate to Innovate

Integration is the other key piece. Siloed approaches to security often result in siloed visibility. To achieve full visibility into your threat environment, you need capabilities that can communicate and interoperate. Enterprises embracing the cloud need full visibility into cloud app usage, for example.

This requires integration across identity and access, intrusion prevention and security intelligence solutions. With this combination working together, you can gain full visibility into cloud events and usage, enable secure access and protect against cloud-related threats. Integration not only provides full visibility into your environment, but also enables you to embrace innovation.

Let’s rethink our traditional approach to security and upgrade the areas in which we’re still coming up short. An intelligent and integrated security system can help get you on the right track.

Learn more about building a healthy security environment


Security Intelligence

  • info
  • discussion
  • exploit
  • solution
  • references
Veritas NetBackup Appliance CVE-2016-7399 Arbitrary Command Execution Vulnerability

Bugtraq ID: 94384
Class: Input Validation Error
CVE: CVE-2016-7399
Remote: Yes
Local: No
Published: Nov 17 2016 12:00AM
Updated: Nov 17 2016 12:00AM
Credit: Matthew Hall.
Vulnerable: Veritas NetBackup Appliance 2.7.2
Veritas NetBackup Appliance 2.7.1
Veritas NetBackup Appliance 2.6.1.2
Veritas NetBackup Appliance 2.6.1.0
Veritas NetBackup Appliance 2.6.0.4
Veritas NetBackup Appliance 2.6.0.0
Not Vulnerable:


SecurityFocus Vulnerabilities

Attackers with a little more than a minute to spare can compromise Linux boxes by holding down the Enter key for 70 seconds, an act that gifts them a root initramfs shell .

The simple exploit exists due to a bug in the Linux Unified Key Setup (LUKS) used in popular variations of Linux.

With access to the shell, an attacker could then decrypt Linux machines. The attack also works on virtual Linux boxen in clouds.

Debian, Fedora and are confirmed as suffering from this problem.

The problem was identified by Hector Marco, alecturer of the Univeristy West of Scotland, together with Polytechnic University of Valencia assistant professor Ismael Ripoll. The pair say the problem does not require particular system configuration and offer the following analysis of the flaw:

This vulnerability allows to obtain a root initramfs shell on affected systems. The vulnerability is very reliable because it doesn't depend on specific systems or configurations.

Attackers can copy, modify or destroy the hard disc as well as set up the network to exfiltrate data. This vulnerability is especially serious in environments like libraries, ATMs, airport machines, labs, etc, where the whole boot process is protect (password in BIOS and GRUB) and we only have a keyboard or/and a mouse.

Marco and Ripoll says the "very reliable" exploit has been patched and a workaround developed that shutters the hack.

The pair says the vulnerability could have been forged during patch process when other security fixes were developed. ®

Sponsored: Magic quadrant for enterprise mobility management suites


The Register - Security

Brazilian cybercriminals are expanding their tactics and have recently adopted ransomware as a new means of attack, Kaspersky Lab reveals.

Security researchers from the Moscow-based security firm have analyzed a new variant of the Brazilian-made ransomware "Xpan" Trojan (Trojan-Ransom.Win32.Xpan). The malware has been used by the “TeamXRat” group, also identified as “CorporacaoXRat” (the Portuguese equivalent of “CorporationXRat”) to target local companies and hospitals. The ransomware’s signature is extension “.___xratteamLucked,” which is appended to encrypted files.

While Xpan isn’t the first ransomware to come out of Brazil – TorLocker and HiddenTear copycats were seen in local attacks – it packs code improvements that reveal increased interest in this type of malware. The threat is developed by an organized gang that uses targeted attacks via Remote Desktop Protocol (RDP) to infect systems, Kaspersky says.

When executed, the ransomware checks the system’s default language, sets a registry key, obtains the computer name from the registry, and deletes any Proxy settings defined in the system. During execution, Xpan logs all actions to the console, but clears it when the process is completed. It then informs victims that their files were encrypted using a RSA 2048-bit encryption.

Unlike the previous ransomware used by the TeamXRat group, Xpan doesn’t use persistence, has switched from Tiny Encryption Algorithm to AES-256, and encrypts all files on the system, except for .exe and .dll files, and those that include blacklisted substrings in the path. The malware, Kaspersky says, uses the implementation of cryptographic algorithms provided by MS CryptoAPI.

The security researchers have identified two versions of the Trojan, based on their extensions and the different encryption techniques. The first version uses the “___xratteamLucked” (3 ‘_’ symbols) extension and generates a single 255-symbol password for all files, while the second one uses the “____xratteamLucked” (4 ‘_’ symbols) extension and generates a new 255-symbol password for each file.

Before encryption, the ransomware attempts to stop popular database services, and deletes itself when the process has been completed. After encryption, the Trojan modifies the registry so that, when the victim double-clicks on a file with the extension “.____xratteamLucked,” the ransom note is displayed using msg.exe (a standard Windows utility).

The TeamXRat attacks are performed manually by hacking servers via RDP brute force and installing the ransomware on them. After gaining  access to a server, the attackers disable the installed anti-virus product and begin installing their malware.

“Connecting remote desktop servers directly to the Internet is not recommended and brute forcing them is nothing new; but without the proper controls in place to prevent or at least detect and respond to compromised machines, brute force RDP attacks are still relevant and something that cybercriminals enjoy,” Kaspersky researchers explain.

RDP vulnerabilities are also exploited for remote code execution when an attacker sends a specially crafted sequence of packets to a targeted system. Servers that haven’t been patched are extremely valuable to cybercriminals, as the reports on the xDedic server marketplace revealed.

“Not surprisingly, Brazil was the country with the most compromised servers being offered in the underground market to any cybercriminal,” Kaspersky notes.

The good news when it comes to the Xpan ransomware is that Kaspersky managed to break the malware’s encryption, allowing for free file decryption. In fact, the researchers already helped a hospital in Brazil to recover from an Xpan attack. The security researchers expect new ransomware variants to come from the same threat actor.

Related: Apocalypse Ransomware Leverages RDP for Infection

Related: Shade Ransomware Updated With Backdoor Capabilities

 

view counter

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:

Tags:


SecurityWeek RSS Feed

mobile security strippedWe’re all familiar with the cartoon image of a character stopping a water leak by plugging a finger into the hole, only for another leak to start, needing another finger, and so on, until the character is soaked by a wave of water.

It’s a little like the current, fragmented state of mobile security – the range of threats is growing fast, outpacing current security measures. Also, the devices themselves have inherent vulnerabilities that can be exploited by resourceful attackers. So it’s no surprise that enterprises are struggling with the issue of mobile security.

Finding flaws and mRATs

The list of potential security challenges and vulnerabilities across Android and iOS devices is complex. It starts with the devices’ mobility: they are connecting to public cellular networks, corporate networks, public hotspots to home internet providers and back again. This makes them vulnerable to Man in the Middle (MitM) attacks via rogue cellular base stations, WiFi hotspots or compromised public networks, allowing attackers to track, intercept and eavesdrop on data traffic and even voice calls, using SS7 protocol exploits.

Then, the Android and iOS mobile operating systems themselves have been shown time and time again to be plagued with vulnerabilities that smart malicious hackers can exploit to their advantage. One major recent example is ‘Quadrooter’, a privilege escalation vulnerability shown to affect over 900 million Android devices. These vulnerabilities often have long patching cycles which can take months to roll out, leaving millions of devices vulnerable to remote attack.

Similarly, iOS has also recently been in the headlines after news broke that it had been compromised in the NSO hack. This affected all Apple devices, making the iOS, the phones resources and any application running on it, including security apps such as anti-virus, vulnerable to attack. It’s worth highlighting that this wasn’t discovered by Apple or any detection applications but was only discovered because the attacker was negligent in concealing it.

Mobile remote access trojans (mRATs) give an attacker the ability to remotely access the resources and functions on Android or iOS devices, and stealthily exfiltrate data without the user being aware. mRATs are often embedded in supposedly benign apps available from appstores. Compromised or falsely certified apps are another security risk, as they can allow attackers to remotely take over devices, using the device resources without the user being aware.

As a result, the mobile security industry is always playing catch-up. Zero-day attacks, where cybercriminals exploit inbuilt vulnerabilities on mobile operating systems that haven’t yet been patched or even identified, are a major ongoing problem.

Protection versus performance

Ultimately, there are three main threat vectors for mobile devices. These are: targeting and intercepting the communications to and from devices; targeting the devices’ external interfaces (Cellular, WiFI, Bluetooth, USB, NFC, Web etc.) for the purpose of device penetration and planting malicious code (virtually as well as physically); and targeting the data on the device and the resources/functions the device/underlying OS provides access to such as microphone, camera, GPS, storage, network connectivity, etc.

While there is a wealth of technologies designed to help manage the security gaps on devices – from Enterprise Mobile Management to mobile anti-malware– these protections come at a price. First, a collection of multiple security tools and processes is a big drain on processing power, complex to manage, and doesn’t really fix the underlying device and OS vulnerabilities. Second, the conventional approach to mobile security is based on locking down or denying features and functions. This causes further problems on the end user’s acceptance front. It’s critical to balance security and usability: If protecting the device forces people to change the way they use it, they will find workarounds that will also undermine security measures.

So if enterprises are to continue harnessing the benefits of mobile devices without compromising their performance and usability, then we need to rethink our approach to mobile security, from the ground up.

Secure foundations

This new approach starts with the foundations of the mobile device: the OS and firmware. As the various software layers on devices have fundamental vulnerabilities which can be exploited, these should be replaced with secure, hardened versions from which the flaws have been removed/patched and advanced security layers have been put in place to effectively manage and protect against those three threat vectors mentioned above. This means attackers cannot use their conventional techniques to target vulnerabilities – but the device is still using an OS that the user is familiar with, giving users access to the full app ecosystem, so usability is not affected or restricted.

This stronger foundation is then used to build a strong, security architecture consisting of four layers to address each of the three main mobile threat vectors. The first layer is the Encryption Layer, in charge of encrypting all data stored on the phone, as well as all traffic from and to the device, securing all communications, whether voice, data or messaging, from any network sniffing and man-in-the-middle attacks.

The second layer is the Protection Layer, securing the device’s externally available interfaces, from WiFi, cellular, USB, NFC, Bluetooth to web. These need protecting against threats using an embedded firewall to monitor and block all downloads and exploit attempts.

Next layer is the Prevention Layer, monitoring for unauthorized attempts to access operating system functions like stored data, the microphone or camera, location technology and so on. These need their own specialist protective technologies.

The final layer is the Detection and Enforcement Layer monitoring, detecting and blocking execution attempts of malicious code or misbehaving apps, in the same way that we currently monitor for device and network anomalies on corporate networks.

In conclusion, mobile security is currently too fragmented, and the range of threats growing too fast for conventional protections. Instead of plugging leaks as they appear, we need to start again, from the foundations up – and fundamentally rethink the way in which we protect and secure mobile devices.


Help Net Security

Just two days after Yahoo! admitted hackers had raided its database of at least 500 million accounts, the Purple Palace is being dragged into court.

Two Yahoo! users in San Diego, California, filed on Friday a class-action claim [PDF] against the troubled web biz: Yahoo! is accused of failing to take due care of sensitive information under the Unfair Competition Act and the state's Consumer Legal Remedies Act, plus negligence for its poor security, and breaking the Federal Stored Communications Act.

The stolen Yahoo! database includes people's names, email addresses, telephone numbers, dates of birth, hashed passwords and encrypted or unencrypted security questions and answers about their personal lives.

“There's a sense of violation,” the plaintiffs' lawyer David Casey of Casey Gerry Schenk Francavilla Blatt & Penfield told The Register last night.

“We think they breached their duty of trust to the clients and violated privacy laws. I anticipate hundreds of cases will be filed and then those will be consolidated into one federal class action suit.”

Casey said that at least one of his clients had already seen dodgy activity on their credit card which had been attributed to the attack and another was concerned that their financial and tax data had been viewed by outsiders. The plaintiffs are seeking redress and damages from Yahoo!

The court filing also states that Yahoo! had “unreasonably delayed” telling its customers about the mega-hack. It points out that the incident, which Yahoo! blamed on state-sponsored hackers, occurred back in 2014, and the webmail giant should have detected it sooner and let people know a long time ago.

“There’s a lot of anger over the delay,” Casey said. “The delay is pretty inexplicable.”

While this is the first sueball lobbed at Yahoo!, it is unlikely to be the last. If even a fraction of the 500 million Yahoo! users targeted by hackers take action against the company, and win even a miserly award, the potential costs to the biz could count in the high multi-millions.

Under the circumstances the due diligence team at Verizon, which in July confirmed it wanted to buy Yahoo! for $ 4.8bn, are going to be recalculating their figures as to the net worth of the Purple Palace. Having such large liabilities hanging over Yahoo! can only depress its value.

Verizon told The Register that it was informed about the hack just a few days in advance of this week's staggering confession – which raises questions in itself. In late July and early August, news articles were circulating warning that stolen Yahoo! customer information was being sold on the dark web. One wonders why Verizon didn’t pick up on this earlier.

One possible theory is that while investigating the 200 million or so account records being touted on underground souks, Yahoo! discovered a separate larger break-in by government-backed hackers – and has only just confirmed that.

In the meantime, legal action will continue to mount in America, the land of the lawsuit. Yahoo! should also expect folks overseas to start lawyering up, too. It’s going to be an expensive Fall for the organization. ®

Sponsored: HPC and HPDA for the Cognitive Journey with OpenPOWER


The Register - Security