STE WILLIAMS

Apple’s iBackDoor: Dodgy ad network code menaces iOS apps

Security researchers have discovered “backdoored” versions of an ad library embedded in thousands of iOS apps originally published in the Apple App Store.

The affected versions of this library embedded backdoors in iOS apps that used the library to display ads, opening the door for hackers to access sensitive user data and device functionality. Mobile security researchers at FireEye have identified 2,846 iOS apps containing backdoored versions of mobiSage SDK.

Many of these phoned home to an ad server capable of delivering JavaScript code to control the backdoors. FireEye supplied Apple with the complete list of affected apps and technical details on 21 October, prior to going public with its discovery this week.

Malicious JavaScript code from a remote server could be used to do all manner of mischief on vulnerable devices, including capturing audio and screenshots, monitoring and uploading device location, “side-loading” non-App Store apps by prompting the user to click an “Install” button, and more. Thankfully nothing too malicious has happened as yet, as FireEye explains.

While we have not observed the ad server deliver any malicious commands intended to trigger the most sensitive capabilities such as recording audio or stealing sensitive data, affected apps periodically contact the server to check for new JavaScript code. At any time, malicious JavaScript code that triggers the backdoors could be posted, and it eventually would be downloaded and executed by affected apps.

FireEye’s blog post – which lays out the technical details of its discovery – can be found here.

Ghost in the shell

The latest threat is separate from a fresh outbreak of the XcodeGhost malware, another iOS threat, which was also the subject of a warning from FireEye this week. The threat – which began in China – has recently surfaced in the US, the security firm warns.

Tod Beardsley, security research manager at Rapid7, the firm behind the Metasploit pen testing tool, said that the latest wave of XcodeGhost (like the one before) relies on developers following insecure practices.

“While it’s troubling to see Trojaned applications continue to pop up on Apple’s App Store, it’s important to remember that XCodeGhost (and its variants) still rely on software developers to break at least two rules when it comes to installing developer tools.

“First, developers must seek out an unofficial source for XCode, the development platform for iOS, and second, they must affirmatively bypass Gatekeeper, the anti-malware system that is designed to prevent installation of unsigned application binaries,” he added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/06/ios_ad_library_threat/

What The Boardroom Thinks About Data Breach Liability

Most public companies subscribe to cybersecurity insurance of some sort, and 90% say third-party software vendors should be held liable for vulnerabilities in their code.

Most US publicly traded companies now employ cybersecurity insurance to protect them from liability fallout, and 90% believe regulators should hold companies liable for breaches if they didn’t properly secure their data.

The heat is also on third-party software vendors: 90% of the companies say those suppliers should be held liable for vulnerabilities found in their software, and 65% have either already or are planning to include liability clauses in their contracts with their software suppliers.

Meanwhile, 91% of companies that have cybersecurity insurance have protection for business interruption and data restoration, and 54% for expense reimbursement for fees such as PCI fines, breach notification, and extortion. Some 35% say they want coverage for data loss caused by software coding and human error, according to a survey of some 276 board directors or senior executives by New York Stock Exchange (NYSE) Governance Services and Veracode.

Some 52% say they are buying employee/insider threat liability coverage. Coding and human error are rising on their radar screens: “I was surprised that 35% already are [seeking] insurance for coding and human errors. That number will increase, when there’s standardization around what that means,” says Chris Wysopal, co-founder and CTO of Veracode. “The insurance industry will drive the standards.”

Wysopal says cyber insurance is becoming the norm for recovering costs of rebuilding and cleaning up after a breach. “The really important thing about cybersecurity insurance is it’s really going to [define] best practices. You have regulators like the FTC … and SEC … talking about what they think is best,” he says, and cyber insurance policies will likely “piggyback” off of those recommendations and influence what gets covered.

Deborah Scally, who heads up NYSE research, says cyber insurance is more pervasive than you’d think. “There’s always insurance in place. You may not even know if you’re covered [for cybersecurity] under your larger policies,” she says. “We’re going to be interested in looking at where this goes. We’re kind of at the beginning states of that right now.”

Some 90% of execs believe the Federal Trade Commission and other regulatory bodies should indeed hold businesses liable if they don’t practice due diligence in data protection. And more than half anticipate that their shareholders will expect more transparency about cybersecurity.

“Boards are concerned about brand damage,” Wysopal says. 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: http://www.darkreading.com/risk/what-the-boardroom-thinks-about-data-breach-liability/d/d-id/1323037?_mc=RSS_DR_EDT

UK’s internet spy law: How £250m costs could balloon to £2 BILLION

Analysis: The Home Office has revealed some of the costs associated with its proposed Investigatory Powers law – but the final price tag could arguably run into billions of pounds.

At present, Secretary of State Theresa May’s department has estimated a price tag of £247m over a 10-year period to cover the costs of communications data and oversight.

Government estimates for previous abandoned bids to legislate for greater surveillance of Brits’ online activity were far higher. For example, Labour’s Interception Modernisation Programme carried a £2bn price tag, while May’s Communications Data Bill would have lifted an estimated £1.8bn from the public purse.

However, the current £247m does not take into account the potential costs for interception of bulk personal data and hacking into computer systems. Costs associated with those “policy provisions” are marked as “N/K” – not known.

The only breakdown of estimated costs the Home Office does offer in its “Overarching Impact Assessment” [PDF] for the draft Investigatory Powers Bill – which was laid before Parliament on Wednesday – relates to communications data (£187.1m) and oversight (£59.9m).

It’s unclear where the comms data figure comes from, but according to industry sources, little or no consultation has taken place on costs so far. The Home Office may therefore be referring to cost estimates [PDF] outlined in 2012’s draft Communications Data Bill (CDB).

As The Register noted in early 2013, Charles Farr – Director General of the Office for Security and Counter Terrorism – previously estimated to MPs that around 50 per cent of the highly-questioned £1.8bn price tag placed on the Communications Capabilities Development Programme (which morphed into CDB) would have been used to pay communications providers for storage of the data.

Those compensation costs of around £859m to be paid to ISPs over the course of 10 years were widely dismissed by the industry, which complained at the time that those estimations of payment were full of assumptions.

The reason? The Home Office had failed to seek the advice of comms providers when drawing up its draft bill.

May’s department said in its latest Impact Assessment that:

There would be minimal increases above existing baseline costs for interception, equipment interference, and bulk personal data.

The government can openly say this now, after May disclosed to Parliament that Brit spooks have, for years, been using section 94 of the 1984 Telecommunications Act to intercept bulk communications data of people in the UK.

The Home Office added in its assessment:

The costs of the Bill are primarily in relation to increased cost of establishing a new oversight body (led by the Investigatory Powers Commissioner), including accommodation, overheads, running costs, and the administration of a new warranty process.

The provisions in the Bill in relation to internet connection records and the request filter for communications data have associated costs to business, which are reimbursed by government.

Section 185 of the draft IPB [PDF] notes that telcos should “receive an appropriate contribution in respect of such of their relevant costs as the Secretary of State considers appropriate”.

However, we’ll have to wait and see exactly what price tags are applied to these particular provisions once the proposed law has been scrutinised by politicos and peers and re-drafted. By then, we may have a better idea about whether ISPs would be required to suck up any hidden costs that could ultimately hit the pockets of their customers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/06/draft_investigatory_powers_bill_cost_estimates/

Fake IT admin tricked Cox rep into handing over customer database – cableco fined $600k

US broadband watchdog the FCC has fined Cox Communications $595,000 (£391,000, AU$832,000) after a Lizard Squad hacker swiped its customer records.

The FCC announced the punishment on Thursday, ending an investigation into the 2014 security breach. The fine is the first such penalty the FCC has dished out against a US cable operator.

The regulator said Cox failed to provide adequate security for its customer database, and then failed to notify the commission when the intrusion was discovered.

“Cable companies have a wealth of sensitive information about us, from our credit card numbers to our pay-per-view selections,” said Travis LeBlanc, FCC enforcement bureau chief.

“This investigation shows the real harm that can be done by a digital identity thief with enough information to change your passwords, lock you out of your own accounts, post your personal data on the web, and harass you through social media.”

The breach in question occurred in August of 2014 when, the FCC says, a hacker called “eviljordie” phoned Cox customer service claiming to be an employee in the company’s IT department. After tricking the call-center staffer into visiting a fake support website and entering their username and password, the hacker used the login details to access Cox’s customer database.

Once in the database, the hacker had control over customer billing information, including names, addresses, payment data, and even partial social security and state ID numbers.

The hacker, later identified as a member of the infamous Lizard Squad hacking team, leaked partial information on eight customers and changed the passwords of 28 others as proof of the breach.

In addition to paying the FCC nearly $600,000, Cox has agreed to implement a stricter security program including regular testing, audits, and monitoring of customer data. The cable giant will also notify all customers whose details were exposed in the breach and pay for a year of credit monitoring.

The FCC said the enforcement decree and its monitoring of Cox will run for a period of seven years. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/06/fcc_cox_data_breach/

OmniRAT malware scurrying into Android, PC, Mac, Linux systems

As police across Europe crack down on the use of the DroidJack malware, a similar software nasty has emerged that can control not just Android, but also Windows, Mac, and Linux systems and is being sold openly at a fraction of the cost.

The remote-control tool, detected by security firm Avast, is called OmniRAT and appears to be of German origin. The seller promises that the “remote administration tool” can operate on Android smartphones but also allow full control of Windows systems and some control of OS X and Unix computers after installation.

Avast investigated an incident of the code being used in Germany, where the victim received a text message that claimed to be unable to show an image because of Android’s now-patched Stagefright bug. To view the image, the victim was asked to download an app.

This, of course, should have set off warning signs – any software download from an unknown or untrusted source should be viewed with caution. Once downloaded, Google’s permissions model also showed a long list of access and privacy privileges the software required, and yet the victim still OK’d the install.

Once installed, OmniRAT proves very hard to get rid of. Deleting the originally downloaded software does no good, and the software’s controller completely owns the device: they are capable of making calls, stealing files, and remotely controlling other devices after sending them the code.

“We know that the data collected by the customized version of OmniRat targeting the German person from the Techboard-online forum post is being sent back to a Russian domain, based on the command and control (C&C) server address the data is being sent to,” said Nikolaos Chrysaidos, mobile malware and security analyst at Avast.

What could potentially make OmniRAT a bigger problem than DroidJack is its cost. The older malware cost over $200 but OmniRAT, which reused much of the same code, only wants $25 for the software and includes a “lifetime guarantee,” although that’s presumably only until the police move in. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/06/omnirat_malware_android_poc_mac_linux/

Nigerian government site popped, used for phishing scam

Malfeasants have embedded a phishing scam inside the Financial Reporting Council of Nigeria’s web site.

The Council is legit: it’s Nigeria’s accounting standards and corporate governance oversight organisation. That role, says Netcraft, doesn’t make it a wizard at information security, because someone’s found their way into an images directory on the Council’s web site and planted a phish there.

The scam asks for users’ email address and password, and the phone number used as backup login credentials for Gmail. As Netcraft points out, the scam’s a little unusual because most phishes go straight for bank account details. This effort looks like an attempt to cash in on those who reuse one password on multiple sites.

Planting the scam on the Council’s site appears to have been possible because it runs version 2.5.28 of the Joomla content management system. That code went end of life in 2014 and is therefore unsupported.

As ever, caution is advised when in receipt of emails suggesting Nigerian transactions of any sort. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/06/nigerian_government_site_popped_used_for_phishing_scam/

Top FBI lawyer: You win, we’ve given up on encryption backdoors

After spending months pressuring tech companies to add backdoors into their encryption software, the FBI says it has given up on the idea.

Speaking at a conference in Boston on Wednesday, the bureau’s general counsel James Baker even used the term that has been repeatedly used to undermine the FBI’s argument: magical thinking.

“It’s tempting to try to engage in magical thinking and hope that the amazing technology sector we have in the United States can come up with some solution,” he told attendees at the Advanced Cyber Security Center (ACSC) annual conference.

“Maybe that’s just a bridge too far. Maybe that is scientifically and mathematically not possible.”

The response is a world away from comments made by FBI director James Comey a year ago. In October 2014, Comey decried the decision by Apple and Google to turn on file system encryption as a default on devices following revelations of mass surveillance, complaining that it was impinging on the ability of cops to do their jobs.

Apple also turned on an implementation of end-to-end encryption in its messaging software, as has Facebook-owned WhatsApp, meaning the Feds cannot easily decrypt intercepted chatter.

“We aren’t seeking a backdoor approach,” Comey told the Brookings Institution. “We want to use the front door, with clarity and transparency, and with clear guidance provided by law. We are completely comfortable with court orders and legal process – front doors that provide the evidence and information we need to investigate crime and prevent terrorist attacks.”

Terminal-ology

The term “magical thinking” has come to represent the problem with introducing so-called “split-key encryption”, where law enforcement would be given a skeleton key to decrypt information. The magical part is where it is assumed that only law enforcement would ever discover and use the key, and that such a design does not completely hobble the strength of the cryptography.

A sign that recognition of the obvious flaw in this approach has picked up advocates within the US government came when FTC Commissioner Julie Brill referenced “magical thinking” when she told a privacy conference last week why she did not support the idea of an encryption backdoor.

Few expected to hear the words from an FBI official, however.

Last year, Comey complained that criminals were “going dark” – and that phrase formed the title of the session this week in Boston: Going Dark: The Balance Between Encryption, Privacy, and Public Safety.

The FBI is still unhappy about the fact it can’t easily access strongly encrypted data, with general counsel Baker saying it does make it harder for law enforcement to carry out surveillance.

And he complained that even when the FBI does get a warrant it can’t get access to communications – a reference to the ongoing court case with Apple where the computer company has said it is simply unable to provide the unencrypted data from a specific individual.

However, in a line that was used repeatedly at the conference, Baker noted that the FBI was there to serve the American people. “We are your servants,” he said. “We will do what you want us to do.”

Continuing that line of thinking, he said: “At the most fundamental level, it is about the relationship between the people and government. When it comes to surveillance, what do you want us to do and what risks are you willing to take on?”

Last month, FBI director Comey confirmed what a leaked Obama administration document had implied – that the administration would not seek legislative powers from Congress to force tech companies to install a backdoor. But he did say that the FBI would work privately with tech companies to reach agreement on a similar system. Baker’s comments this week would appear to show that the FBI has given up on that plan, too.

Makes you wonder what they’re doing instead to track and surveil citizens, no? ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/05/fbi_gives_up_on_backdoor_plan/

You gambled recently in Michigan? (And by that we don’t mean driving through Detroit)

A casino owner in Michigan is warning its players after detecting bank-card-stealing malware in its payment systems.

The Four Winds Casino Resort, which operates three casinos and a service station on tribal lands in the state, said it found the software nasty after banks alerted it to fraudulent transactions.

According to Four Winds, the malware specifically sought out payment card data including cardholder name, number, expiration date, and verification numbers. The data would have been collected from cards swiped at sales terminals at the various resorts.

“It is possible that any card that was used in person at the Four Winds casino properties in New Buffalo, Hartford, or Dowagiac, or the Bent Tree Market service station on the Dowagiac property, between October 2014 and October 21, 2015, could have been copied by the program,” Four Winds said.

“We do not have sufficient information to identify the name and address of individuals who swiped their payment card at our properties during this time frame.”

Four Winds said it is working with the cops to investigate the security breach, and a third-party infosec biz has been brought in to check its networks and prevent any further infection. The company has also set up a site for customers who were possibly exposed in the breach.

Anyone who visited the casinos in the last year or so is being advised to keep a close eye on their bank statements and credit monitors for any suspicious or unauthorized activity. The resort has yet to say whether it will be offering affected customers a credit monitoring service.

The Four Winds resort company is one of several to have fallen victim to point of sale (POS) malware infections aimed at collecting payment card information. Big names including Hilton, Mandarin Oriental, and Trump have fallen prey to malware infections that harvest card data from cash registers and point of sale (POS) terminals. The stolen card data is typically sold off and used for fraudulent charges. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/05/michigan_casino_credit_card_hack/

Startup Builds Secure Router For IoT-Laden Home WiFi

Network traffic inspection and vulnerability scanning of all networked devices in the house, home office.

A startup co-founded by two renowned security experts and entrepreneurs has developed a home router that monitors network traffic from each device and scans them for security vulnerabilities.  

Paul Judge and Mike Van Bruinesse today launched Luma, which offers a next-generation home WiFi router of the same name. Aside from the security features, Luma also provides granular parental controls and extends WiFi coverage in the home, akin to a sophisticated repeater.

The home office, increasingly surrounded by Internet of Things devices that were not built with security in mind, has traditionally relied on desktop antivirus and corporate VPN connections. Concerns over malware being delivered to the network, and ultimately to a home worker’s device, via a smart thermostat or the online gaming system, have made the home WiFi network risky. IoT devices are notorious for lacking security altogether, or for coming with weak security features such as hardcoded or default passwords that can easily be accessed and used by remote attackers. Home-market routers, too, are notoriously weak when it comes to security, many with vulnerabilities that are exposed by researchers and then not actually patched.

“We look at outbound traffic and do vulnerability scanning of all devices on the network: is the connected fridge talking to your cameras? The [networked] doorknob to your new light bulbs?” Judge says. “Nothing in the house [has been] looking to see if those devices are secure or vulnerable or communicating with each other or are connected. This IDS [intrusion detection system] and vulnerability scan lets you understand what’s going on” in the home network, he says.

Judge says the Luma approach is the reverse of the old-school telecommuting perspective. “The traditional enterprise view is that [users] get viruses and bring them from home into the office” network, he says. “This is one of the first times we can take a deep view at what’s happening in the home network and try to do something about it.”

The Luma device sees DNS and HTTP web traffic coming and going. “It’s looking for signs of infection, communications with a command-and-control [server], a malicious host,” Judge says. And the vulnerability scanner detects things like default passwords in the camera, or a video game with ports wide open to the Internet, for example.
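Two passages on this page describe the same defender-side idea from opposite ends: FireEye notes that the backdoored mobiSage apps “periodically contact the server to check for new JavaScript code”, and Luma’s pitch is to watch DNS and HTTP traffic leaving the home for communication with a malicious host. The following is an added example, not code from FireEye, Luma or any product named here, showing the two simplest checks a home-gateway monitor can run over connection logs: a blocklist lookup, and a behavioural check for regular beaconing that needs no prior knowledge of the host. All log lines, hostnames, device names and thresholds are constructed for illustration.

```python
"""Toy home-network monitor over constructed DNS/HTTP connection logs.

Added example. Flags (1) any device talking to a blocklisted host and
(2) any device/host pair whose contacts arrive at a near-constant period,
which is the pattern of an app polling a server for new code.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed blocklist of hypothetical hostnames (not real indicators).
BLOCKLIST = {"c2.example-bad.test"}

# Constructed log: "<ISO timestamp> <device> <proto> <destination host>".
# phone-1 polls js-sdk.adhost.test every ~5 minutes; laptop-1 contacts a
# CDN at irregular times; the fridge resolves a blocklisted name once.
SAMPLE_LOG = """\
2015-11-06T08:00:00 phone-1 http js-sdk.adhost.test
2015-11-06T08:00:03 laptop-1 dns cdn.example.test
2015-11-06T08:05:00 phone-1 http js-sdk.adhost.test
2015-11-06T08:07:41 fridge dns c2.example-bad.test
2015-11-06T08:10:00 phone-1 http js-sdk.adhost.test
2015-11-06T08:15:01 phone-1 http js-sdk.adhost.test
2015-11-06T08:19:59 phone-1 http js-sdk.adhost.test
2015-11-06T08:22:10 laptop-1 dns mail.example.test
2015-11-06T08:25:00 phone-1 http js-sdk.adhost.test
2015-11-06T08:31:00 laptop-1 dns cdn.example.test
2015-11-06T08:33:00 laptop-1 dns cdn.example.test
2015-11-06T09:01:00 laptop-1 dns cdn.example.test
2015-11-06T09:30:00 laptop-1 dns cdn.example.test
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, device, proto, host = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "device": device,
                       "proto": proto, "host": host.lower()})
    return events


def flag_blocklisted(events, blocklist=BLOCKLIST):
    """Return sorted (device, host) pairs that contacted a blocklisted host."""
    return sorted({(e["device"], e["host"]) for e in events
                   if e["host"] in blocklist})


def detect_beaconing(events, min_hits=5, max_jitter=0.2):
    """Return {(device, host): period_seconds} for pairs that contact a host
    at least min_hits times with every gap within max_jitter (a fraction of
    the median gap). Regular polling stands out even when the host is not
    on any blocklist; one-off or irregular traffic does not."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["device"], e["host"])].append(e["ts"])
    suspects = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)
        if period <= 0:
            continue
        jitter = max(abs(g - period) for g in gaps) / period
        if jitter <= max_jitter:
            suspects[pair] = round(period)
    return suspects


def report(text):
    """Run both checks and return human-readable findings."""
    events = parse_log(text)
    lines = [f"BLOCKLIST  {dev} -> {host}"
             for dev, host in flag_blocklisted(events)]
    for (dev, host), period in sorted(detect_beaconing(events).items()):
        lines.append(f"BEACONING  {dev} -> {host} every ~{period}s")
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_LOG):
        print(finding)
```

The beaconing check is deliberately tolerant of a second or two of drift (the `max_jitter` fraction) because polling timers on phones are rarely exact, while the `min_hits` floor keeps a single retry from being flagged. In practice the two checks complement each other: a blocklist catches hosts already known to be bad, and the period check surfaces the unknown ad or update server that an app keeps asking for new code.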

Luma, which Judge describes as a next-generation home router that filters content and provides security, costs $199, or $499 for a pack of three.

Judge and Van Bruinesse previously founded CipherTrust, which was acquired by Secure Computing (later purchased by McAfee), and PureWire, which was acquired by Barracuda Networks in 2009.

Article source: http://www.darkreading.com/endpoint/startup-builds-secure-router-for-iot-laden-home-wifi-/d/d-id/1323019?_mc=RSS_DR_EDT

Vulnerable Coffee Machine Demonstrates Brewing Security Challenges Of IoT

Researchers examined four mobile-app controlled home devices and found vulnerabilities in every single one of them.

Most people probably never think of their faithful coffee machine providing a way for a hacker to gain access to the home network. But if you happen to be using one of the new-fangled WiFi enabled brewers that are becoming available these days, you might have a small problem.

Turns out that the devices, which can be controlled via a mobile app, do more than just let users brew a hot pot of coffee from anywhere via their smartphones. A vulnerability in the way the coffee maker exchanges information with a smartphone during initial setup provides a way for an attacker to grab the password to the home wireless network, security vendor Kaspersky Lab said in a report released Thursday.

The smart coffee maker was one of four wireless-enabled home devices that the researchers examined for vulnerabilities. They discovered flaws of varying severity in each of them.

None of the flaws that Kaspersky discovered were of the show-stopping variety. And some of them, like the one in the coffee maker, can only be exploited under certain pretty unlikely conditions. (An attacker would need to know exactly when someone was setting up their new coffee maker and be physically near the device in order to be able to intercept the password).

Even so, the vulnerabilities provide an indication of the sort of security issues that will need to be mitigated before an IoT-enabled world can be fully embraced, the research says. “The results of our investigation provide much food for thought,” Kaspersky researchers Victor Alyushin and Vladimir Krylov said in the report.

The four devices that the researchers examined were Google’s Chromecast video-streaming USB dongle; a smartphone-controlled IP camera; a similarly enabled home security system; and the smart coffee maker.

In the case of Chromecast, the researchers found that a previously discovered flaw in the system could be exploited from a significantly longer distance than previously thought. The so-called “rickrolling” vulnerability basically allows an attacker to flood the Chromecast USB dongle with requests to disconnect itself from the home WiFi network. Once disconnected, the Chromecast tries reconnecting to the network in a process that involves using its own WiFi network to connect to a smartphone or tablet. The rickrolling flaw allows an attacker to essentially intercept this process and get the device to connect to the attacker’s rogue device instead.

Up to now, it had been thought that only someone situated physically close to the Chromecast dongle could exploit the flaw. What the Kaspersky researchers found is that the vulnerability can be exploited from a far greater distance using an inexpensive directional WiFi antenna and a version of Linux used for penetration testing purposes.

The researchers found three security flaws in the smartphone-controlled IP camera that they examined, all of which have now been fixed. One of the flaws basically gave attackers a way to gain complete control of the camera by intercepting the communication between the smartphone app and camera as it gets routed via a cloud service provider. Another of the now patched flaws gave attackers root-level access to the camera hardware and would have allowed them to change the firmware at will.

A similar inspection of the home security system showed a weakness in the sensors used to inform homeowners if a locked window or door is opened. The flaw would have let attackers bypass the sensors relatively easily using little more than a magnet.

The main takeaway from the report is that any mobile app-controlled consumer device is likely to have security holes in it, Alyushin told Dark Reading. “The probability that they will be critical is not that high,” he says.

“At the same time, the low severity of such security issues doesn’t guarantee that they won’t be used in an attack,” he says. Attackers can cause real damage by combining multiple low-level flaws, he warns.

“Criminals might exploit several of these issues at once, which is why it is so important for vendors to fix all issues — even those that are not critical,” he says.

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/endpoint/vulnerable-coffee-machine-demonstrates-brewing-security-challenges-of-iot/d/d-id/1323022?_mc=RSS_DR_EDT