Stealthy new malware snatching credit cards from retailer’s POS systems

The US Computer Emergency Readiness Team (US-CERT), in cooperation with the Secret Service and researchers at Trustwave's SpiderLabs, has issued an alert about a newly identified variant of malware installed on point-of-sale (POS) systems and used in a series of recent attacks by cyber criminals. Called "Backoff," the malware shares a key characteristic with the one used to attack Target's point-of-sale systems last year: it scrapes credit card data out of the infected computer's memory. Until now it has gone largely undetected by antivirus software.

POS machines are a big target for hackers, who use malware like Backoff to collect card data and other transaction information, either to create fraudulent cards or to sell the data. In many ways the Backoff attacks resembled the 2011 attack on Subway franchises: the attackers used remote desktop software left active on the machines to gain entry, either by brute-forcing the password or by taking advantage of a default one, and then installed the malware on the compromised system.

According to US-CERT, Backoff runs in the background watching memory for the "track" data from card swipes, which can be used both to obtain the account number on the card and to clone cards usable at ATMs and other point-of-sale systems. Backoff also includes a keylogger that records keystrokes on the infected computer. The malware injects a malicious stub into explorer.exe (the Windows Explorer process) that can reload the in-memory component if it crashes, and it communicates with the criminals' command-and-control network, sending home captured card data and checking for updates.
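What a RAM scraper is looking for, and what a memory-dump triage tool hunting for its output would look for, is the ISO/IEC 7813 track layout: track 2 is `;PAN=YYMM<service code>...?`, track 1 is `%B<PAN>^NAME^YYMM...?`, and a Luhn check weeds out the false positives that a bare digit regex produces. The scanner below is an added example, not code from US-CERT or from the Backoff sample; the memory buffer it scans is constructed, and the PANs in it are the well-known public test numbers, not real cards.

```python
"""Scan a memory buffer for magnetic-stripe track data, the way a RAM
scraper such as Backoff (or a forensic tool hunting for what it harvests)
would.  Added example: SAMPLE_MEMORY is constructed, PANs are public test
numbers."""
import re

# Track 2 (ISO/IEC 7813): ;PAN=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")
# Track 1: %B<PAN>^<surname>/<first>^YYMM<service code>...?
TRACK1_RE = re.compile(
    rb"%B(\d{13,19})\^([^\^]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]*\?"
)


def luhn_ok(pan: str) -> bool:
    """Mod-10 (Luhn) check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """First six and last four only, the form a detection log should carry."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_tracks(buf: bytes) -> list:
    """Return every Luhn-valid track 1/2 record in buf, in offset order."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"offset": m.start(), "track": 2, "pan": pan,
                         "masked": mask(pan),
                         "exp": m.group(2).decode() + m.group(3).decode(),
                         "service": m.group(4).decode()})
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"offset": m.start(), "track": 1, "pan": pan,
                         "masked": mask(pan),
                         "name": m.group(2).decode(errors="replace"),
                         "exp": m.group(3).decode() + m.group(4).decode(),
                         "service": m.group(5).decode()})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed process-memory snippet: two real-looking swipes, one record
# that fails Luhn, and digit noise that has no track framing.
SAMPLE_MEMORY = (
    b"\x00\x00POS\x00window title\x00"
    b";4111111111111111=25121011234567890?\x00\x00"
    b"%B5500000000000004^DOE/JANE^2512101000000000000?\x00"
    b";4111111111111112=2512101?\x00"
    b"random 1234567890123=4567 noise"
)

if __name__ == "__main__":
    for hit in find_tracks(SAMPLE_MEMORY):
        print(hit["track"], hit["masked"], hit["exp"], hit["service"])
```

Running the scanner over a process dump of the POS application (or over the whole physical-memory image) is the quick way to confirm that clear-text track data is present in RAM at all, which is the precondition Backoff depends on; a reader that encrypts at the swipe head leaves nothing for this scan to find.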


CIA boss apologizes for snooping on Senate computers

The head of the Central Intelligence Agency has apologized to leaders of the Senate Intelligence Committee after determining that his officers improperly accessed computers that were supposed to be available only to committee investigators, according to multiple reports on Thursday.

The mea culpa from CIA Director John O. Brennan was in sharp contrast to a defiant statement he made in March. After US Senator Dianne Feinstein accused the agency of breaching long-recognized separations between employees of the legislative and executive branches, Brennan maintained that there had been no inappropriate monitoring of Senate staffers' computer activity.

"When the facts come out on this, I think a lot of people who are claiming that there has been this tremendous sort of spying and monitoring and hacking will be proved wrong," he said at the time.


10 Dramatic Moments In Black Hat History

From Google hacking to ATM "jackpotting" to the NSA -- Black Hat has had some memorable moments over the years.

Black Hat USA 2014: Breaking Windows

In our last Intel update before the imminent show (are you hyped? we are!) we're checking out three Briefings that center on vulnerabilities in Microsoft Windows. No kidding, Windows has vulnerabilities! Let's see what's what.

This thumbdrive hacks computers. “BadUSB” exploit makes devices turn “evil”

When creators of the state-sponsored Stuxnet worm used a USB stick to infect air-gapped computers inside Iran's heavily fortified Natanz nuclear facility, trust in the ubiquitous storage medium suffered a devastating blow. Now, white-hat hackers have devised a feat even more seminal—an exploit that transforms keyboards, Web cams, and other types of USB-connected devices into highly programmable attack platforms that can't be detected by today's defenses.

Dubbed BadUSB, the hack reprograms embedded firmware to give USB devices new, covert capabilities. In a demonstration scheduled at next week's Black Hat security conference in Las Vegas, a USB drive, for instance, will take on the ability to act as a keyboard that surreptitiously types malicious commands into attached computers. A different drive will similarly be reprogrammed to act as a network card that causes connected computers to connect to malicious sites impersonating Google, Facebook or other trusted destinations. The presenters will demonstrate similar hacks that work against Android phones when attached to targeted computers. They say their technique will work on Web cams, keyboards, and most other types of USB-enabled devices.

"Please don't do anything evil"

"If you put anything into your USB [slot], it extends a lot of trust," Karsten Nohl, chief scientist at Security Research Labs in Berlin, told Ars. "Whatever it is, there could always be some code running in that device that runs maliciously. Every time anybody connects a USB device to your computer, you fully trust them with your computer. It's the equivalent of [saying] 'here's my computer; I'm going to walk away for 10 minutes. Please don't do anything evil."


Hackers Can Control Your Phone Using a Tool That’s Already Built Into It

A lot of concern about the NSA’s seemingly omnipresent surveillance over the last year has focused on the agency’s efforts to install back doors in software and hardware. Those efforts are greatly aided, however, if the agency can piggyback on embedded software already on a system that can be exploited. Two researchers have uncovered such […]

New Mobile Phone ’0wnage’ Threat Discovered

Widespread major vulnerabilities discovered in client control software that affect nearly all smartphone platforms: Details to come at Black Hat USA next week.

Why the Security of USB Is Fundamentally Broken

Computer users pass around USB sticks like silicon business cards. Although we know they often carry malware infections, we depend on antivirus scans and the occasional reformatting to keep our thumbdrives from becoming the carrier for the next digital epidemic. But the security problems with USB devices run deeper than you think: Their risk isn’t […]

Inside Citizen Lab, the “Hacker Hothouse” protecting you from Big Brother


It was May of 2012 at a security conference in Calgary, Alberta, when professor Ron Deibert heard a former high-ranking official suggest he should be prosecuted.

This wasn't too surprising. In Deibert's world, these kinds of things occasionally get whispered through the grapevine, always second-hand. But this time he was sitting on a panel with John Adams, the former chief of the Communications Security Establishment Canada (CSEC), the National Security Agency's little-known northern ally. Afterward, he recalls, the former spy chief approached and casually remarked that there were people in government who wanted Deibert arrested—and that he was one of them.

Adams was referring to Citizen Lab, the watchdog group Deibert founded over a decade ago at the University of Toronto that's now orbited by a globe-spanning network of hackers, lawyers, and human rights advocates. From exposing the espionage ring that hacked the Dalai Lama to uncovering the commercial spyware being sold to repressive regimes, Citizen Lab has played a pioneering role in combing the Internet to illuminate covert landscapes of global surveillance and censorship. At the same time, it's also taken the role of an ambassador, connecting the Internet's various stakeholders from governments to security engineers and civil rights activists.


Active attack on Tor network tried to decloak users for five months

Officials with the Tor privacy service have uncovered an attack that may have revealed identifying information or other clues of people operating or accessing anonymous websites and other services over a five-month span beginning in February.

The campaign exploited a previously unknown vulnerability in the Tor protocol to carry out two classes of attack that together may have been enough to uncloak people using Tor Hidden Services, an advisory published Wednesday warned. Tor officials said the characteristics of the attack resembled those discussed by a team of Carnegie Mellon University researchers who recently canceled a presentation at next week's Black Hat security conference on a low-cost way to deanonymize Tor users. But the officials also speculated that an intelligence agency from a global adversary might have been able to capitalize on the exploit.

Either way, users who operated or accessed hidden services from early February through July 4 should assume they are affected. Tor hidden services are popular among political dissidents who want to host websites or other online services anonymously so that their real IP address can't be discovered by repressive governments. Hidden services are also favored by many illegal operations, including the Silk Road online drug emporium that was shut down last year. Tor officials have released a software update designed to prevent the technique from working in the future. Hidden service operators should also consider changing the location of their services. Tor officials went on to say:


Phishing: What Once Was Old Is New Again

I used to think the heyday of phishing had passed. But as Symantec notes in its 2014 Internet Security Threat Report, I was wrong!

[webapps] – D-Link AP 3200 Multiple Vulnerabilities


[webapps] – SkaDate Lite 2.0 – Multiple CSRF And Persistent XSS Vulnerabilities


[webapps] – SkaDate Lite 2.0 – Remote Code Execution Exploit


Dark Reading Radio: Data Loss Prevention (DLP) Fail

Learn about newly found vulnerabilities in commercial and open-source DLP software in the 7/30 episode of Dark Reading Radio.

Chinese military “hacked” Israel’s Iron Dome


The technology behind Iron Dome, the missile defense system Israel has been using since 2011, was allegedly stolen by Chinese military hackers.

That claim was made by Cyber Engineering Services to Brian Krebs of security news site Krebs On Security, and it identifies Elisra Group, Israel Aerospace Industries (IAI), and Rafael Advanced Defense Systems as the three defense companies that were compromised during the cyber assault. The perpetrators, Cyber Engineering Services says, are the same ones behind a spate of attacks that have come to light in the past few years, all attributed to Unit 61398, a Shanghai-based arm of the Chinese army. The five Chinese military officers indicted by the US earlier this year for allegedly hacking energy firms in the country also belong to the same unit.

The hacks took place from October 2011, some six months after Iron Dome became operational, and continued up until August 2012. Israel Defense Forces (IDF) has said that many hundreds of rockets fired from Gaza, particularly during the current military operation and a series of clashes in 2012, have been scuppered by the system, which is thought to be one of the most effective missile-defense technologies in the world.


Instasheep: Coder builds tool to hijack Instagram accounts over Wi-Fi


Stevie Graham, a London-based developer, recently submitted a bug report to Facebook outlining what he saw as a security vulnerability in Instagram that would allow someone to hijack a user’s session based on data captured over a public Wi-Fi network. When he was told that he wouldn’t get a bug bounty from Facebook, which owns Instagram, he tweeted about it—and set about building a proof-of-concept tool to exploit it. “Denied bug bounty. Next step is to write automated tool enabling mass hijacking of accounts,” he wrote. “Pretty serious vuln, FB. please fix.”

As we reported in our recent coverage of mobile application privacy holes, Instagram uses HTTP for much of its communications, passing the user's account name and an identifying account number in the clear. As Graham demonstrated, other pieces of data exchanged between Instagram's iOS client and the service are also passed in the clear. Even though the user's credentials are submitted over a secure connection, the response from Instagram's application interface hands the client a session cookie that is then sent over plain HTTP; anyone on the same network who captures it can present it to Instagram's Web interface, be treated as that user without reauthenticating, and read private messages and other data. "Once you have a cookie, any endpoint can be authenticated with the cookie, HTTPS or HTTP," he wrote. Graham said that he has known about the flaw for years.
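The mechanics behind "any endpoint can be authenticated with the cookie, HTTPS or HTTP" are the cookie jar's send rule: a session cookie that was set without the `Secure` attribute is attached to every request to a matching host, plain HTTP included, so it crosses an open Wi-Fi network in the clear where a passive sniffer can lift it from the `Cookie:` header. The model below is an added example, not Graham's tool or Instagram's code; the hostnames, cookie names, `Set-Cookie` headers and captured requests are constructed for illustration, and it shows the weak header beside the hardened one.

```python
"""Why a session cookie set without the Secure attribute leaks over HTTP,
and how a passive sniffer harvests it.  Added example; all hosts, cookie
names and captures below are constructed."""
import re
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def parse_set_cookie(header: str) -> dict:
    """Reduce one Set-Cookie header to the fields the send rule needs."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    return {
        "name": name,
        "value": morsel.value,
        "domain": (morsel["domain"] or "").lstrip("."),
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
    }


def would_send(cookie: dict, url: str) -> bool:
    """Simplified RFC 6265 rule: host must fall under the cookie's domain,
    and a Secure cookie travels only over https."""
    u = urlsplit(url)
    host = u.hostname or ""
    host_ok = host == cookie["domain"] or host.endswith("." + cookie["domain"])
    if not host_ok:
        return False
    if cookie["secure"] and u.scheme != "https":
        return False
    return True


# Constructed headers.  WEAK is what an API that reuses its login cookie on
# plain-HTTP endpoints looks like; HARDENED pins the cookie to TLS and keeps
# script out of it.
WEAK = "sessionid=4ac1f2e9; Domain=.example-app.test; Path=/"
HARDENED = "sessionid=4ac1f2e9; Domain=.example-app.test; Path=/; Secure; HttpOnly"


def leaks_on_plain_http(set_cookie_header: str,
                        http_url: str = "http://api.example-app.test/feed") -> bool:
    """True if the cookie from this header would ride on an http:// request."""
    return would_send(parse_set_cookie(set_cookie_header), http_url)


COOKIE_HDR = re.compile(r"^Cookie:\s*(.+)$", re.I | re.M)


def harvest_sessions(captures: list, name: str = "sessionid") -> list:
    """Attacker side: pull the named cookie out of plaintext HTTP requests
    seen on the wire (what a tool like Instasheep automates)."""
    found = []
    for raw in captures:
        m = COOKIE_HDR.search(raw)
        if not m:
            continue
        jar = SimpleCookie()
        jar.load(m.group(1).strip())
        if name in jar:
            found.append(jar[name].value)
    return found


# Constructed capture from an open Wi-Fi network: one API call carrying the
# session cookie over HTTP, one static fetch with no cookie.
CAPTURE = [
    "GET /feed HTTP/1.1\r\nHost: api.example-app.test\r\n"
    "Cookie: sessionid=4ac1f2e9; ds_user_id=1001\r\n\r\n",
    "GET /static/logo.png HTTP/1.1\r\nHost: cdn.example-app.test\r\n\r\n",
]

if __name__ == "__main__":
    print("weak cookie leaks over http:", leaks_on_plain_http(WEAK))
    print("hardened cookie leaks over http:", leaks_on_plain_http(HARDENED))
    print("harvested from capture:", harvest_sessions(CAPTURE))
```

The fix is on the server, not the client: mark the session cookie `Secure` (and `HttpOnly`), serve every authenticated endpoint over HTTPS so the cookie has nothing to ride on in the clear, and treat any session observed arriving over HTTP as compromised.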

Graham posted the following steps to reproduce his findings:


Internet Of Things Contains Average Of 25 Vulnerabilities Per Device

New study finds high volume of security flaws in such IoT devices as webcams, home thermostats, remote power outlets, sprinkler controllers, home alarms, and garage door openers.

Android crypto blunder exposes users to highly privileged malware

A slide from next week's Black Hat talk titled Android Fake ID vulnerability.

The majority of devices running Google's Android operating system are susceptible to hacks that allow malicious apps to bypass a key security sandbox so they can steal user credentials, read e-mail, and access payment histories and other sensitive data, researchers have warned.

The high-impact vulnerability has existed in Android since the release of version 2.1 in early 2010, researchers from Bluebox Security said. They dubbed the bug Fake ID because like a fraudulent driver's license an underage person might use to sneak into a bar, it grants malicious apps special access to Android resources that are typically off limits. Google developers have introduced changes that limit some of the damage that malicious apps can do in Android 4.4, but the underlying bug remains unpatched, even in the 5.0 preview.

The Fake ID vulnerability stems from Android's failure to verify that each certificate in an app's signing chain was actually signed by the issuer it names; the OS trusted the chain on the strength of the names alone. It relies on those credentials when allocating special privileges that allow a handful of apps to bypass Android sandboxing. Under normal conditions, the sandbox prevents programs from accessing data belonging to other apps or to sensitive parts of the OS. Select apps, however, are permitted to break out of the sandbox. In every Android release before 4.4, for instance, Adobe Flash is permitted to act as a plugin for any other app installed on the phone, presumably to allow it to add animation and graphics support. Similarly, Google Wallet is permitted to access the Near Field Communication hardware that processes payment information.


Hacker turns ATM into ‘Doom’ arcade game

Its screen now eschews balances and transfers in favor of the familiar sight of a hand wrapped around a gun, going around dark corners and blasting stuff. Where did scrap metal hacker "Aussie50" pick this thing up? Do we have to worry about threats to our bank balances? And is he going to rig it with a coin mechanism so we can all play?

Your iPhone Can Finally Make Free, Encrypted Calls

If you’re making a phone call with your iPhone, you used to have two options: Accept the notion that any wiretapper, hacker or spook can listen in on your conversations, or pay for pricey voice encryption software. As of today there’s a third option: The open source software group known as Open Whisper Systems has announced […]

[webapps] – WiFi HD v7.3.0 iOS – Multiple Vulnerabilities


1,000,000 lost credit cards = £150,000 fine

A UK travel company has been fined £150,000 for putting an "internal only" parking database system on the internet without securing it first. The vulnerable system was used as a stepping stone for a crook to steal more than 1M e-commerce records.

Hackers seed Amazon cloud with potent denial-of-service bots

Attackers have figured out a new way to get Amazon's cloud service to wage potent denial-of-service attacks on third-party websites—by exploiting security vulnerabilities in an open source search and analytics application known as Elasticsearch.

The power of Backdoor.Linux.Ganiw.a was documented earlier this month by researchers from antivirus provider Kaspersky Lab. Among other things, the trojan employs DNS amplification, a technique that vastly increases the volume of junk traffic directed at a victim by abusing open or poorly secured domain name system servers. By sending small DNS queries whose source address is spoofed to the victim's, the attacker has those servers deliver their much larger responses to the victim, boosting attack volume ten-fold or more. The technique is especially hard to block when the queries come from thousands or hundreds of thousands of compromised computers.

Late last week, Kaspersky Lab expert Kurt Baumgartner reported that the DDoS bot is actively compromising Amazon Elastic Compute Cloud (EC2) hosts and very possibly those of competing cloud services. The foothold that lets the nodes be hijacked is a vulnerability in 1.1.x versions of Elasticsearch, he said. The attackers are modifying proof-of-concept code for the vulnerability, indexed as CVE-2014-3120 in the Common Vulnerabilities and Exposures database, which lets them remotely execute arbitrary Linux commands through a bash shell because those versions evaluate scripts embedded in search requests (dynamic scripting) by default. The Ganiw backdoor in turn installs several other malicious scripts on compromised computers, including Backdoor.Perl.RShell.c and Backdoor.Linux.Mayday.g. The Mayday backdoor then floods sites with UDP packets.
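The exploit pattern for CVE-2014-3120 is a search request whose `script_fields` entry carries an MVEL script that calls `Runtime.getRuntime().exec()`, so the request log (or a proxy in front of the cluster) is where a defender can see it. The detector below is an added example, not Kaspersky's or Elastic's code: it walks constructed request-log lines in a made-up format with documentation-range IPs, recurses into the JSON body for any `script` value, and flags process-execution indicators; the indicator list is my assumption of what to key on, not a vendor signature. It also checks the one elasticsearch.yml setting that closes the hole on 1.x.

```python
"""Spot CVE-2014-3120-style dynamic-script RCE attempts against
Elasticsearch 1.1.x in request logs, and check the config that blocks them.
Added example; SAMPLE_LOG lines, their format and IPs are constructed."""
import json
import re

# Indicators a search-time script has no business containing (assumed list).
SUSPICIOUS = re.compile(
    r"Runtime\.getRuntime\(\)|ProcessBuilder|java\.lang\.Runtime|\.exec\(|/bin/sh"
)


def scripts_in(node):
    """Yield every string under a 'script' key anywhere in the JSON body."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "script" and isinstance(value, str):
                yield value
            else:
                yield from scripts_in(value)
    elif isinstance(node, list):
        for item in node:
            yield from scripts_in(item)


def classify(body: str) -> str:
    """'rce' if a script carries an exec indicator, 'script' if the request
    uses dynamic scripting at all (worth knowing on 1.1.x), else 'clean'."""
    try:
        doc = json.loads(body)
    except ValueError:
        return "clean"
    scripts = list(scripts_in(doc))
    if any(SUSPICIOUS.search(s) for s in scripts):
        return "rce"
    return "script" if scripts else "clean"


# Constructed log format: <timestamp> <source ip> <verb> <path> <body>
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (.*)$")


def scan_log(lines) -> list:
    """Return (source_ip, path, verdict) for every request that is not clean."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _, src, _, path, body = m.groups()
        verdict = classify(body)
        if verdict != "clean":
            findings.append((src, path, verdict))
    return findings


def dynamic_scripting_disabled(elasticsearch_yml: str) -> bool:
    """True when a 1.x elasticsearch.yml sets script.disable_dynamic: true.
    On 1.1.x the setting is absent by default, which means scripts run."""
    for raw in elasticsearch_yml.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("script.disable_dynamic"):
            return line.split(":", 1)[1].strip().lower() == "true"
    return False


SAMPLE_LOG = [
    # exploit attempt: MVEL script spawning a process
    '2014-07-28T10:11:12Z 203.0.113.7 POST /_search '
    '{"script_fields":{"x":{"script":"import java.io.*;'
    'Runtime.getRuntime().exec(\\"id\\")"}}}',
    # ordinary query
    '2014-07-28T10:11:13Z 198.51.100.4 GET /logs/_search '
    '{"query":{"match":{"msg":"login failed"}}}',
    # benign but still a dynamic script
    '2014-07-28T10:11:14Z 198.51.100.4 POST /logs/_search '
    '{"query":{"match_all":{}},"script_fields":{"t":{"script":"doc[\\"ts\\"].value * 2"}}}',
    # no body at all
    '2014-07-28T10:11:15Z 203.0.113.7 GET /_cluster/health ',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(*finding)
    print("dynamic scripting disabled:",
          dynamic_scripting_disabled("script.disable_dynamic: true"))
```

The cluster-side fix for 1.x is `script.disable_dynamic: true` in elasticsearch.yml (the default from 1.2 onward), plus not exposing port 9200 to the Internet at all; an EC2 security group that allows the world to reach it is what turned these hosts into bot nodes.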


[webapps] – Sphider 1.3.6 – Multiple Vulnerabilities


[remote] – Oxwall 1.7.0 – Remote Code Execution Exploit


[webapps] – Oxwall 1.7.0 – Multiple CSRF And HTML Injection Vulnerabilities


[webapps] – Ubiquiti UbiFi / mFi / AirVision – CSRF Vulnerability


[web applications] – DirPHP 1.0 – Local File Include Vulnerability

[web applications] – ZeroCMS 1.0 – Persistent Cross-Site Scripting Vulnerability

[web applications] – Moodle 2.7 – Persistent Cross-Site Scripting Vulnerability

[dos / poc] – Sagem Fast 3304-V1 – Denial Of Service Vulnerability

[webapps] – DirPHP 1.0 – LFI Vulnerability


[webapps] – ZeroCMS 1.0 – Persistent Cross-Site Scripting Vulnerability


[webapps] – Sagem Fast 3304-V1 – Denial Of Service Vulnerability
