STE WILLIAMS

Purported Brute-Force Attack Aims at Linksys Routers as More People Work Remotely

The attack takes control of poorly secured network devices, redirecting Web addresses to a COVID-themed landing page that attempts to fool victims into downloading malware.

A cybercriminal group has started scanning the Internet for vulnerable Linksys routers in the first stage of an attack that ultimately aims to fool users into downloading and installing malware, security firm Bitdefender stated in an advisory this week.

The attack first compromises vulnerable routers, mainly Linksys models, purportedly by trying weak or default credentials, the company said. Once an attacker gains access, they hijack DNS functionality, redirecting victims to a page that attempts to convince them to download a malicious, information-stealing program known as Oski. The attacker’s page aims to harness the fear of the coronavirus pandemic to fool victims.

Bitdefender discovered the attack after several users found their browsing blocked by the company’s program, even though they were trying to visit legitimate sites.

“The attack is not subtle,” says Liviu Arsene, global cybersecurity researcher at Bitdefender. “The page does not necessarily look legitimate, but considering that this is an attack that targets home users and home routers, the victims may not have the expertise to figure that out.”

The attack joins a general rise in malicious activity aimed at home users as many of the world’s knowledge workers are sequestered at home in an effort to blunt the spread of the novel coronavirus. About 1,200 users have seemingly downloaded the malware between March 18 and March 23, the company said.

Multiple security firms have warned that attackers are using coronavirus-themed messages to attempt to lure users into clicking on malicious links. 

“While it’s not uncommon for hackers to piggyback global news, such as the pandemic, to deliver phishing emails laced with tainted attachments, this recent development proves they are nothing if not creative in compromising victims,” Bitdefender stated in a blog post on the attack.

The attackers are focused on the US and European countries, according to the company’s analysis. The US, Germany, and France account for 73% of the targeted routers. 

The attack targets a list of legitimate Web pages and domains, including:

  • aws.amazon.com
  • goo.gl
  • bit.ly
  • washington.edu
  • imageshack.us
  • ufl.edu
  • disney.com
  • cox.net
  • xhamster.com
  • pubads.g.doubleclick.net
  • tidd.ly
  • redditblog.com
  • iddler2.com
  • winimage.com

When a user attempts to go to one of those domains, the compromised router’s settings will send them to an attacker-controlled site claiming to be distributing a COVID information application from the World Health Organization. If the user clicks through to the landing page, they will download a program from one of four Bitbucket repositories, Bitdefender stated in its analysis.
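A defender's check for the redirect described above, added here as an example and not part of the Bitdefender advisory or the article: it sends a raw DNS A query for each listed domain to a resolver you name (the router's LAN address is an assumed default) and flags any single address that answers for several unrelated domains, which is the signature of this hijack rather than of ordinary geo-DNS differences.

```python
from __future__ import annotations
import random
import socket
import struct

# Domains the analysis lists as redirected on compromised routers.
WATCHED_DOMAINS = ["aws.amazon.com", "goo.gl", "bit.ly", "washington.edu",
                   "imageshack.us", "ufl.edu", "disney.com", "cox.net",
                   "xhamster.com", "pubads.g.doubleclick.net", "tidd.ly",
                   "redditblog.com", "iddler2.com", "winimage.com"]

def build_query(name: str, txid: int) -> bytes:
    """Build a minimal DNS A query (RD set, one question) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past an (optionally compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length

def parse_a_records(data: bytes, txid: int) -> list[str]:
    """Extract IPv4 addresses from the answer section of a DNS response."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:                 # non-zero RCODE (NXDOMAIN, SERVFAIL, ...)
        return []
    offset = 12
    for _ in range(qd):
        offset = _skip_name(data, offset) + 4          # skip QTYPE/QCLASS
    addrs = []
    for _ in range(an):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return addrs

def query_a(name: str, resolver_ip: str, timeout: float = 3.0) -> list[str]:
    """Ask one specific resolver (the router, or a trusted public one) for A records."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)

def shared_addresses(answers: dict[str, list[str]], min_domains: int = 3) -> dict[str, list[str]]:
    """Map each IP that appears in the answers of at least `min_domains` unrelated
    domains to those domains. Unrelated sites collapsing onto one address is the
    hijack signature; per-resolver geo-DNS differences alone are not."""
    by_ip: dict[str, list[str]] = {}
    for domain, addrs in answers.items():
        for ip in set(addrs):
            by_ip.setdefault(ip, []).append(domain)
    return {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) >= min_domains}

def check_resolver(resolver_ip: str, domains=WATCHED_DOMAINS) -> dict[str, list[str]]:
    """Resolve every watched domain through `resolver_ip`; return suspicious clusters."""
    answers = {}
    for domain in domains:
        try:
            answers[domain] = query_a(domain, resolver_ip)
        except (OSError, ValueError):   # timeout, unreachable resolver, bad reply
            answers[domain] = []
    return shared_addresses(answers)

def sample_response(txid: int) -> bytes:
    """Constructed reply: bit.ly A 203.0.113.10 (a TEST-NET address), TTL 60."""
    question = build_query("bit.ly", txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton("203.0.113.10")
    return header + question + answer

if __name__ == "__main__":
    import sys
    # Assumption: the router is the LAN resolver at 192.168.1.1 unless told otherwise.
    router = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    for ip, doms in check_resolver(router).items():
        print(f"{ip} answers for {len(doms)} unrelated domains: {', '.join(doms)}")
```

Run it once against the router and once against a resolver you trust; a cluster that appears only through the router points at the router's DNS settings rather than at the sites themselves.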

The program is a downloader that installs Oski, a relatively new Trojan developed in 2019.

“Some of the features that it packs revolve around extracting browser credentials and cryptocurrency wallet passwords, and its creators even brag that it can extract credentials stored in SQL databases of various Web browsers and Windows Registry,” the company said.

The attack is not the first time cybercriminals have used a legitimate software storage service as a distribution mechanism. Both GitHub and Bitbucket have been used by attackers in the past. 

Bitdefender’s researchers believe the original compromise is accomplished by a brute-force attack of either the router itself or the Linksys Cloud account, which can be used to remotely manage a router. The attack could be using a vulnerability or other method, Arsene says. However, all evidence points to a broad brute-force scanning attack as the main culprit.

With so many workers using home networks and systems to connect to their companies’ systems, such weakly secured routers are not just a consumer problem but an enterprise one as well, Arsene says.

“The router is the home user’s gateway to the Internet,” he says. “If you don’t disable the Linksys cloud account or you don’t update your firmware, it is game over for your entire network infrastructure.”

Related Content:

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “How to Evict Attackers Living Off Your Land.”

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/attacks-breaches/purported-brute-force-attack-aims-at-linksys-routers-as-more-people-work-remotely/d/d-id/1337430?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The Wild, Wild West(world) of Cybersecurity

Though set in the future, HBO’s “Westworld” works as an allegory for the present moment in cybersecurity.

'Your face doesn't matter--it's your actions that identify you.' Source: AF Archive/Alamy Stock Photo

In the gunslingin’ world of cybersecurity, there are threats everywhere. It can sometimes feel as dangerous to run a modern business as it was to run a saloon in the shadiest part of the Wild West.

Actually, the parallels between the cowboy days and modern cybersecurity issues are aplenty — and one need look no further for proof of that than HBO’s standout series Westworld.

If you haven’t seen Westworld yet, here’s the general gist (Note: spoilers ahead!): The story centers around a Western-themed amusement park populated by robots (or “hosts”) who spend each day acting out the same storyline as the day before.

Visitors to the Westworld park interact with the hosts and are free to indulge their most hedonistic desires, spared from the consequences of the real world. But Westworld suffers from issues that are strikingly similar to the ones faced by cybersecurity professionals today. In fact, Westworld’s flaws are a useful allegory for navigating today’s most insidious digital threats.  

Identity
If your business struggles with verifying identities, you’re not alone: The same issues exist in the Westworld park.

After all, we thought we knew who Charlotte Hale was — the executive director of Westworld’s board — but it turns out that she was killed at the beginning of season two by a robot version of herself. And then there’s Bernard. Who’s actually Arnold, the creator of the hosts. Who’s dead.

If you’re confused by all of this, imagine how confused your systems are by the millions of access requests coming from both legitimate and illegitimate users, day after day.

Credentials don’t cut it: They can be easily stolen in today’s threat landscape. Instead, the best bet for accurately identifying users (or hosts) is to rely on a combination of validations like multifactor authentication, behavioral biometrics (such as voice recognition, typing patterns, mouse movements, etc.), and browser and IP information. 

If a system were to analyze Charlotte Hale during season two, it would discover that, even though she looks exactly like Charlotte, she’s not. Similarly, even if an attacker possesses a single authentication, it’s still nearly impossible for him or her to replicate a combination of validations.

AI Regulation
Part of Westworld‘s appeal is its examination of what makes us human. If our consciousness is the crux of individuality, what happens in a world when consciousness can be constructed, altered, downloaded, uploaded, and destroyed at will? It’s the question that weighs on Arnold’s conscience so heavily that it determines his own demise.

But while this wrangling of human and artificial consciousness isn’t easily resolved in Westworld, it’s no more cleanly handled in real life. In 2017, Elon Musk called for the regulation of artificial intelligence (AI) before it posed a risk to humanity. And yet regulation hobbles innovation, so Congress adopted a “wait and see” approach to AI legislation. The result so far has been a quantum leap of AI innovation — for proof, one need look no further than the proliferation of deepfakes that have been created using machine learning and AI — without stringent regulation, standards, or requirements.

I believe a practical approach to regulating AI would be to use existing data privacy laws and expand or replicate them to cover machine learning and AI.

Threats and Vulnerabilities
Even the most advanced hosts in Westworld are susceptible to malware. But what’s most interesting about this, perhaps, is that the threats manifested in the show can easily be seen as allegories for modern cybersecurity threats:

  • Insider threat: A Westworld programmer, Elsa, finds a laser-based satellite uplink inside a robot host that someone has been using to smuggle data out of the park.

  • Advanced persistent threat: The robot host Maeve uses Felix, a Westworld technician, and other hosts to start an uprising — because someone has programmed her to take over Westworld and infiltrate the mainland in a pre-scripted insurgency.

  • Malware: Clementine, who works in the saloon, is updated with a new code that turns her into a walking virus. With only a thought sent through the mesh network, Clementine can force hosts to brutally kill each other.

  • Internet of Things vulnerabilities: In the season three premiere, Dolores hacks into the smart house of a billionaire, making the home no longer responsive to his commands. The show doesn’t make it clear whether the smart home was compromised by insecure network services, ecosystem interfaces, or default settings, but Dolores is able to take control quickly.

What can we learn from the threats and vulnerabilities above, as well as the identity issues and the AI quandaries seen in Westworld? To take them seriously. It’s tempting to think of cybersecurity as existing only in a vacuum, affecting only digital networks that can be ignored as soon as we step away from a computer. But the reality is that cybersecurity is tied to the real world, and its breaches have very real damage. Westworld shows us that issues can only be ignored for so long before they demand their time in the spotlight.


Bil Harmer is the CISO and chief evangelist of SecureAuth. He brings more than 30 years of experience in leading security initiatives for startups, government, and established financial institutions. He’s CISSP, CISM, and CIPP certified — and is recognized for …

Article source: https://www.darkreading.com/vulnerabilities---threats/the-wild-wild-west(world)-of-cybersecurity/a/d-id/1337382?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Virgin Media Could Pay GB pound 4.5B for Leak Affecting 900,000 Customers

A misconfigured database holding personal data was left available online between April 2019 and February 2020.

Virgin Media could pay up to £4.5 billion (US$5.6 billion) in compensation to customers affected in a security incident that exposed the personal details of some 900,000 people.

Between April 2019 and late February 2020, a misconfigured database exposed customer information including full names, email addresses, birthdates, and contact phone numbers. For some users, it exposed requests to block or unlock pornographic or explicit content. If accessed, the data could give cybercriminals the means to launch phishing attacks or blackmail customers.

Your Lawyers, a UK-based consumer action and data breach compensation law firm, is representing claimants pursuing compensation as a result of the leak. Those who have received confirmation they were affected could be entitled to thousands of pounds, the firm says. The average compensation claim for financial and emotional distress could total £5,000 per claimant.

“Virgin Media failed to take the steps required to keep customer data safe,” said Aman Johal, director at Your Lawyers, in a statement. “It is vital for the company to understand the severity of this breach.”

When data is left exposed, it’s “open season” for fraudsters to scam vulnerable people, he adds. “Your Lawyers has formally notified Virgin Media that we are taking action and our claimant base is growing daily.”

Those affected are urged to make a claim as soon as possible. Read more details here.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/cloud/virgin-media-could-pay--gb-pound-45b-for-leak-affecting-900000-customers/d/d-id/1337433?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Malicious USB Drive Hides Behind Gift Card Lure

Victims are being enticed to insert an unknown USB drive into their computers.

Malicious actors are hoping the lure of a free gift card will be strong enough to convince people to throw caution to the wind and plug an unknown USB drive into their computers. The drive, which came attached to what purported to be a Best Buy gift card, supposedly contained a list of items for which the gift card could be used. What it actually contained was quite different.

According to researchers at Trustwave, the USB drive was actually an Arduino microcontroller ATMEGA32U4 programmed to emulate a USB keyboard. Since USB keyboards are trusted devices on most systems, malicious commands can easily be injected.

In this case, the malicious commands were a series of obfuscated PowerShell commands that ultimately uploaded full system configuration data to a command-and-control server and then awaited further instruction. The researchers warn that no unexpected USB drives should be inserted into production systems, no matter how large the gift card they’re attached to.

Read more here.


Article source: https://www.darkreading.com/attacks-breaches/malicious-usb-drive-hides-behind-gift-card-lure/d/d-id/1337435?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

FBI takes down hacker platform Deer.io

The FBI on Tuesday shut down Deer.io, a Russia-based platform catering to cybercrooks that offered turnkey online storefront design and hosting and a place where they could sell and advertise their wares, including ripped-off credentials, hacked servers, hacking services, gamer accounts and more.

Earlier this month, the bureau nabbed the guy they think was running the show: 28-year-old Kirill Victorovich Firsov, whom the FBI arrested on 7 March 2020 in New York City. He’s been federally charged with unauthorized solicitation of access devices, which carries a maximum penalty of 10 years in prison, though maximum sentences are rarely handed out.

Deer.io was a top market for stolen accounts: a place where crooks could buy and sell credentials for hacked accounts siphoned off of malware-infected computers, PII, and financial and corporate data.

The unsealed indictment says that Deer.io started up around October 2013 and claimed to host over 24,000 active shops. Up until the FBI stuck a wheel in its spokes, the platform was doing brisk business, with sales exceeding $17 million, selling hacked accounts for video streaming services like Netflix and Hulu and social media platforms such as Facebook, Twitter and Vkontakte (the Russian equivalent of Facebook). It was also selling phony social media accounts, which are popular for crooks running online dating scams.

Court documents claim that Firsov is a Russian hacker and allegedly the administrator of Deer.io. He not only managed the platform, the indictment alleges; he also advertised it on other forums that catered to hackers.

A federal complaint says that the criminally inclined could order a variety of things on Deer.io virtual stores, which offered hacked and/or compromised financial and corporate data from US and international victims and PII such as usernames, passwords, taxpayer IDs, dates of birth and victims’ addresses. It was as easy as ordering from Amazon: you could get to the Deer.io platform with a web browser, and from there you could get to storefronts running under the Deer.io domain.

Visitors could search for hacked accounts from specific companies or PII from specific countries. Users could also navigate through the platform, scanning stores advertising an array of hacked accounts or cybercriminal services for sale, the Department of Justice (DOJ) says.

Purchases were also conducted using cryptocurrency, such as Bitcoin, or through Russian-based money transfer systems. The Deer.io platform removed any friction involved in setting up shop: it gave shop owners an easy-to-use interface that enabled automated purchase and delivery of criminal goods and services.

After a client purchased access, the site held their hand to guide the newly minted shopkeeper through an automated set-up to upload their products and services and to configure cryptocurrency wallets to collect payments for purchases. All that, for bargain basement prices: the DOJ says that as of 2019, cybercriminals could buy a storefront directly from the Deer.io website for 800 Rubles per month (the DOJ says that was about USD $12.50, though at current rates, it’s even cheaper: it’s down to about USD $10 or £8.50). The monthly fee was payable by Bitcoin or a variety of online payment methods such as WebMoney, a Russian version of PayPal.

The FBI’s investigation included a Deer.io shopping spree. Earlier this month, agents made these buys:

  • About 1,100 gamer accounts, including usernames and passwords, for under $20 in Bitcoin. Those accounts often have linked payment methods that hackers can use to make purchases on the real owners’ dime.
  • About 999 individual PII accounts for about $170 in Bitcoin.
  • On the same day, it bought another 2,650 accounts for about $522 in Bitcoin. That bought them names, dates of birth and US Social Security numbers: all the data you need to do identity theft and pull off financial fraud.

These purchases confirmed that Deer.io shops were selling the real deal: it was all authentic information, as opposed to fake data.

Firsov is scheduled to make a 16 April appearance before the Southern District of California Court, which issued the order to seize Deer.io.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/pDwxIQo-h8Y/

Thousands of Dark Web sites deleted in attack on free hosting service

One of the most popular Dark Web hosting services, Daniel’s Hosting (DH), has been slaughtered. Again.

Daniel Wizen, the German software developer who runs DH, said that this time, the provider of free hosting services is kaput… at least for the foreseeable future… which he also said, more or less, last time, in September 2018, when hackers rubbed 6,500 sites off the Dark Web in one fell swoop.

Wizen acknowledged the attack in a post on the hosting provider’s portal, saying that the recent attack happened last Tuesday – 10 March – during the small hours. At least, that’s when all databases associated with hosting Dark Web sites were deleted.

DarkOwl – a darknet intelligence, tools, and cybersecurity outfit that keeps an eye on DH and other Dark Web goings-on and which analyzed the September 2018 breach – spotted Wizen’s post and shared it on Twitter on 10 March. That’s the same day that Wizen says his hosting database got knocked out.

As Wizen tells it, he found that a new database had been created that had user permissions. He can’t do much with that, though: without his hosting database, he can’t figure out who they are and how they got full permissions on the platform.

According to ZDNet, the attack took down 7,600 sites. Wizen says he’s not entirely sure when it happened, nor who did it. If anybody has ideas about what vulnerability might have led to the attack, or ideas for future versions or feature requests, he’s invited them to share input on his open source project.

Wizen also invited supporters to chip in to help out his efforts: invitations that suggest that he’ll likely resurrect the hosting provider at some point. At this point, he’s fed up, he says. He gives freely of his time, which adds on to his full-time job. It’s time-consuming, he said, particularly given the work it takes to “keep the server clean from illegal and scammy sites.”

I spend 10 times more time on deleting accounts than I can find time to continue development. At this time I do not plan on continuing the hosting project, but this doesn’t have to be the end.

How clean are the servers at Daniel’s Hosting? When DarkOwl analyzed the demolished sites at the time of the 2018 attack, its analysts found that out of 6,500 sites, the world lost the following – not all of which are what you’d call “I’d eat from that plate” clean:

  • 657 of the hidden services had the title “Site Hosted by Daniel’s Hosting Service” and little else (but may have been used for something other than serving web content).
  • 457 of the hidden services contain content related to hacking and/or malware development.
  • 304 were classified as forums.
  • 148 were chatrooms.
  • 136 included drug-specific keywords.
  • 109 contained content related to counterfeiting.
  • 54 specifically mentioned carding information.
  • Over 20 referred to weapons and explosives.

DarkOwl says stay tuned: it’s now preparing an analysis of what the Dark Web lost from last week’s attack on DH.

Of course, not all sites on the Dark Web are devoted to illegal activity. Some are there for the privacy-minded, and/or for those living in areas of tight government censorship and repression.

According to ZDNet, by design, the hosting service doesn’t keep backups. Wizen thinks that the attack only affected the backend database account, not the accounts of users who had been hosting sites on his platform. Still, he said, users should “treat all data as leaked” and change their passwords if they reuse them on other sites. Which, of course, underscores the fact that none of us should be reusing passwords, whether we are political dissidents or up to more unsavory activity (though we have a tough time feeling sympathy for the latter if their credentials get hacked).

Better safe than sorry, Wizen says – particularly given that he hasn’t had much time to figure out what, exactly, happened:

[As] I am currently very busy with my day-to-day life and other projects, I decided to not spend too much time investigating.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/tCTTVLsf_ao/

Firefox 76 will have option to enforce HTTPS-only connections

Converting websites from HTTP to HTTPS over the last decade must count as one of the most successful quiet security upgrades ever to affect web browsing.

Using an HTTPS site means that your browser and the site establish an encrypted connection which can’t be snooped on by ISPs, rogue Wi-Fi access points, or anyone else trying to monitor the content of that traffic with bad intent.

It’s not universal yet, but with search engines such as Google downgrading sites that stick with HTTP, and popular browsers marking them as ‘not secure’, unencrypted web connections are surely heading for extinction.

There are some HTTPS security caveats worth mentioning, but before getting to them we’ll start with the news that Mozilla’s Firefox will, from May’s version 76, offer the option to browse in an HTTPS-only mode.

It won’t be the default for now, only an option that can be turned on, but if the past is any guide it will eventually become something that has to be turned off in future releases.

This presumably is how the industry plans to force the final few percent of HTTP sites offline, making it hard for users to browse to them in the first place.

That said, according to the brief description offered, when a user visits a site not offering HTTPS, they’ll be given the option to continue if they choose to. That will probably also disappear in time because it’s an obvious point of failure should users get used to overriding the setting for the sake of convenience.

Given the decline of plain HTTP, you might be wondering why any of this is necessary. The short answer is to block the browser from reaching the small number of sites that cling to HTTP, closing the small but still plausible security risk they pose in some circumstances.

Another objection is that users could just type HTTPS into their address bar for themselves. While true, there are going to be times (clicking on malicious HTTP links, for instance) when it would be easy to overlook. HTTPS shouldn’t be something users have to remember to pay attention to.

What about mixed content?

This is where a site uses HTTPS at domain level but fills its pages with things like images, JavaScript, audio, and video that are fetched via HTTP. This creates new man-in-the-middle security risks that undo good work done by HTTPS.

It’s an ancient problem – browsers have been throwing up warnings about mixed content for years (in Firefox it’s currently a gray padlock with a diagonal red line through it) with Internet Explorer’s baffling notifications dating back as far as version 3.0.2 in 1997.

Firefox 76’s answer is to attempt to upgrade mixed content to HTTPS or simply block it from loading at all. On sites that still have this issue, that could cause gaps that would normally be filled by such content, which at least makes it easy for website owners to see the problem.
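A site owner's check for the mixed-content problem described above, added here as an example (not Mozilla's code or the article's): it walks an HTTPS page's HTML for images, scripts, audio, video, iframes and stylesheets fetched over plain HTTP and labels each as passive or active in the W3C Mixed Content spec's terms, the distinction that decides whether a browser can upgrade or must block. The sample page is constructed.

```python
from __future__ import annotations
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags that load a subresource, and the attribute carrying its URL.
SUBRESOURCE_ATTRS = {
    "img": "src", "script": "src", "audio": "src", "video": "src",
    "source": "src", "iframe": "src", "link": "href",
}
# Optionally-blockable ("passive") content per the W3C Mixed Content spec;
# anything else fetched over http: is blockable ("active") because it can run
# or restyle the page, which is where the man-in-the-middle risk lives.
PASSIVE_TAGS = {"img", "audio", "video", "source"}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings: list[dict] = []

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower().split():
            return                      # preload/icon links are not what this check is about
        url = a.get(attr)
        if not url:
            return
        # Resolve relative and protocol-relative ("//cdn...") URLs against the page:
        # those inherit https and are fine; only an explicit http: scheme is mixed.
        absolute = urljoin(self.page_url, url)
        if urlsplit(absolute).scheme == "http":
            self.findings.append({"tag": tag, "url": absolute,
                                  "kind": "passive" if tag in PASSIVE_TAGS else "active"})

def scan_mixed_content(page_url: str, html: str) -> list[dict]:
    """Return every http: subresource referenced by an https: page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only applies to pages served over https")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def summarize(findings: list[dict]) -> dict[str, int]:
    """Count active (must block) versus passive (may upgrade) findings."""
    counts = {"active": 0, "passive": 0}
    for f in findings:
        counts[f["kind"]] += 1
    return counts

# Constructed sample page: two active and one passive http: loads, plus two safe ones.
SAMPLE_PAGE = """<html><body>
<script src="http://cdn.example.net/app.js"></script>
<img src="http://img.example.net/logo.png">
<img src="//img.example.net/safe.png">
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<video src="/media/intro.mp4"></video>
</body></html>"""

if __name__ == "__main__":
    found = scan_mixed_content("https://www.example.com/index.html", SAMPLE_PAGE)
    for f in found:
        print(f"{f['kind']:7} <{f['tag']}> {f['url']}")
    print(summarize(found))
```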

The caveats…

Of course, users can already do the above in Firefox, including controlling mixed content, by installing the HTTPS Everywhere plugin. Integrating it into Firefox just turns this function into something that is updated and maintained as part of the browser rather than as a separate feature, which follows the path taken by many once-optional browser security and privacy functions.

It also needs to be reiterated that while making HTTPS connections the default is a good thing, it is not a magic forcefield against bad actors.

There are still misconceptions around this point, including in official advice where you’d least expect it. For example, security blogger Brian Krebs recently discovered the following message buried on the website of the US Census Bureau:

The HTTPS:// ensures that you are connecting to the official website and that any information you provide is encrypted and secure.

The bit about information being encrypted is true but HTTPS does not ensure that you’re connecting to the official website.

As a recent Naked Security article explained, HTTPS is also very popular with crooks running fake websites. Just because a site uses HTTPS does not mean it is a good site.

TLS 1.0 and 1.1 reprieved…

The minor irony in Mozilla’s enthusiasm for HTTPS security is that after announcing earlier this month that Firefox 74 had finally abandoned support for TLS 1.0 and 1.1, older versions of the protocol which underpins HTTPS, the company later decided to reinstate support. The company explained at the time:

We reverted the change for an undetermined amount of time to better enable access to critical government sites sharing COVID19 information.

Even privacy and security can be limited by real-world events.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/XzQEq40rKx0/

Android apps are snooping on your installed software

Android apps are snooping on other software on your device – and that could tell shady advertising companies more about you than you’d like.

The news emerged this week in a paper from researchers in Italy, the Netherlands, and Switzerland. The privacy violations centre around installed application methods (IAMs), which are application programming interfaces (APIs) that allow applications to interact with other software on your phone without telling you. It lets them do a variety of things including finding the names of those other installed apps.

There are legitimate uses for IAMs. An app such as a VPN, backup software, or firewall might use them to co-operate with other installed software. An accessibility app can use them to make other software more usable for people with disabilities.

That doesn’t mean all instances are in the user’s best interest. The researchers studied 14,342 free Android apps in the Google Play Store, along with 7,886 open-source Android apps. They analysed the software’s use of IAM APIs and also followed up with a questionnaire for the apps’ developers to assess how aware they were of what the apps were doing (70 developers participated).

The most common piece of information collected via IAMs was packageName, which just reports the names of other installed apps. This alone can reveal a lot about a phone’s user, though. The paper cites other research showing that it’s possible to deduce certain things about the user purely from the apps installed on their devices, including gender, religion, relationship status, and countries of interest. They can also predict major life events such as marriage and becoming a parent with up to 87% accuracy.

It’s no surprise, then, that commercial applications tended to use IAMs far more. 4,214 commercial apps used these, compared to just 228 of open-source apps. The most popular types of commercial app using this technique were games at 73%.

Most of the commercial apps snooping on other installed software didn’t do it from within their own code. Instead, 83.66% of these queries came from third-party libraries that the apps used. More than one third (36%) of those libraries were classed as advertising-based, while the next most common category (31%) came under the utility category, which is effectively a catch-all of different functions to streamline software development.

In many cases, app developers were not aware that these libraries were making calls at all, and in one case asked the researchers which piece of code the call was being made from so that it could be removed. One developer blamed a point-and-click app builder that they used.

The fact that developers don’t always know what their apps are doing is worrying, and it leaves two options. The first is for Google to enforce stricter notifications and controls around their use. The paper said:

As other privacy-sensitive parts of the Android platform are protected by app permissions, forcing developers to explicitly notify users before attempting access to these parts, begs the question on why IAMs are treated differently.

You’d think Google would be wise to apps that like to sniff around their users’ installed software. Apple politely asked Facebook to remove the VPN app Onavo from its app store for just this reason after the media giant used it to snoop on its users’ other mobile app software usage.

Google didn't respond to our request for comment, but it seems to be aware of the problem now. It is introducing a queries element in app manifest files that lets apps declare which other apps (or which intents) they need to be able to see. However, it isn't clear what limitations the company will enforce on these declarations. It will also include a QUERY_ALL_PACKAGES permission that lets an app see every package installed on the device, for which the company says it will provide usage guidelines in the future.

This new tag and permission will ship with Android 11 but the researchers aren’t entirely happy with it. They said:

The newly introduced permission does not appear to be considered as a dangerous permission. Hence, access to IAMs is still silent for the end-user. Although these new rules are a step in the right direction, it is unclear whether they are sufficient to limit data collection activities.
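To make the two options concrete, here is an added example, not code from the article or from the paper it reports on, of what the two manifests look like. The app ID, the partner package name and the intent filter are hypothetical placeholders; the element and permission names are the real ones Android 11 (API level 30) introduced. The security-relevant detail is that package visibility is enforced per process, so a third-party advertising library bundled into the app sees exactly what the app's own manifest declares, no more. Note that the filtering only applies to apps whose targetSdkVersion is 30 or higher; an app still targeting an older SDK keeps the old, fully visible behaviour regardless of what it declares.

```xml
<!-- Added example (not from the article or the paper). Two alternative
     manifests for the same hypothetical app "com.example.weatherapp". -->

<!-- Option 1 (weak): blanket visibility. Every PackageManager call in the
     process, including calls issued from bundled ad/analytics SDKs, once
     again returns the full list of installed apps. The permission is not in
     the "dangerous" protection level, so the user is never prompted. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weatherapp">

    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES" />

    <application android:label="Weather" />
</manifest>

<!-- Option 2 (narrow): declare only what the app genuinely needs to resolve.
     getInstalledApplications(), getInstalledPackages(), resolveActivity() and
     friends are filtered to the declared set for the whole process, library
     code included. Anything not listed here is simply invisible. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weatherapp">

    <queries>
        <!-- one named package the app legitimately interoperates with
             (hypothetical partner package) -->
        <package android:name="com.example.partner.payments" />

        <!-- or an intent the app needs to resolve, without naming any
             package at all (e.g. "share this forecast as an image") -->
        <intent>
            <action android:name="android.intent.action.SEND" />
            <data android:mimeType="image/png" />
        </intent>
    </queries>

    <application android:label="Weather" />
</manifest>
```

A quick check when reviewing a build or a third-party APK: `aapt dump badging app.apk` prints each `uses-permission:` line, so the presence of `android.permission.QUERY_ALL_PACKAGES` is visible without decompiling, and `aapt dump xmltree app.apk AndroidManifest.xml` shows whether a `queries` element is present and how broad it is. An app that needs blanket visibility for no feature the user can see is exactly the profiling pattern the paper describes.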

This use of IAMs is a risk in iOS, too, the researchers said, but Apple seems ahead of Google here. More recent versions of iOS force apps to declare applications of interest for app store moderators to review.

The other option for stopping this kind of information harvesting is to rely on privacy-aware users to fill in the gaps. The researchers recommended that users check vetting services such as VirusTotal to examine an app's activities, and favour apps that don't make their money from ads.

The takeaway here is clear: no matter how many ad blockers and other tools you deploy, data-hungry companies continue to find new ways to carry off data about you under the radar that they can use to profile you more accurately. If they can do this by sneaking such things into other apps via libraries, they will. This will continue to erode trust in mobile apps. Isn’t it time for a more honest app ecosystem?



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xisoMfD2BIc/

Insurance Giant Chubb Might Be Ransomware Victim

A ransomware operator claims to have successfully attacked Chubb Insurance databases.

Maze, a ransomware operator that typically steals information from a victim and threatens to release sensitive data, says it has successfully attacked Chubb Insurance, a company with a major presence in the cyber insurance industry.

According to a newsletter released by Maze, it has taken personally identifiable information from the insurance giant and will release information on executives and others if a ransom is not paid. (The ransom amount has not been disclosed.) Chubb has stated it is investigating a potential breach at a third-party provider; it says it has no evidence that any of its own networks was breached.

Researchers have noted that Chubb does have vulnerable components exposed in its network infrastructure, though, again, there is no evidence that any of those devices was a point of entry.


Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "What Should I Do If Someone Is Impersonating My Company in a Phishing Campaign?"

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/insurance-giant-chubb-might-be-ransomware-victim/d/d-id/1337423?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cyber Version of ‘Justice League’ Launches to Fight COVID-19 Related Hacks

Goal is to help organizations – especially healthcare entities – protect against cybercriminals trying to take advantage of the pandemic.

A group of cybersecurity experts from around the world, including staff from companies such as Microsoft and Okta, have teamed up to help organizations fight COVID-19 related hacking and phishing attacks.

The invitation-only COVID-19 Cyber Threat Intelligence (CTI) League consists of cyberthreat intelligence experts, incident responders, and other security experts experienced at detecting, responding to, and neutralizing threats.

Initially, at least, league members will prioritize helping hospitals and healthcare facilities fend off ransomware and other threats from attackers seeking to exploit the general mayhem triggered by the COVID-19 health crisis. In recent weeks, security researchers have reported a surge in attacks, especially phishing, targeted at a broad set of organizations.

But the COVID-19 CTI League’s mission is broader than helping just healthcare entities. It will also work to neutralize other cyberthreats looking to exploit the current pandemic, according to a brief description on the group’s website.

The site identified the four individuals who launched the effort: Ohad Zaidenberg, lead cyber intelligence researcher at Israeli firm ClearSky Security; Nate Warfield and Chris Mills, security researchers at Microsoft; and Marc Rogers, vice president of security at Okta and head of security operations at DefCon.

“Attackers are using a mixture of old, reskinned, and relatively new malware to attack users during the COVID-19 pandemic,” Rogers said. “Their diversity indicates a global reach and a wide variety of campaigns. In essence, we are looking at a cybercrime gold rush.”

Yet few details are currently publicly available on how exactly the volunteer community of security experts will actually help fight the surge in hacking and malicious activity.

Comments that Zaidenberg made to NBC News suggest the COVID-19 CTI League's strategy, at least with regard to healthcare entities, is to use its collective strength to identify the vulnerabilities and techniques that attackers are exploiting in current campaigns. Members will then search for hospitals and medical facilities that are exposed to those exploits so the issues can be addressed before they are attacked. League members will also help healthcare entities recover if they do get attacked.

“If some hospital gets attacked by some ransomware and wouldn’t be able to pay, people will die because they wouldn’t be able to get the medical services needed,” NBC quoted Zaidenberg as saying.

According to the NBC report, COVID-19 CTI League members will coordinate over Slack. What isn’t clear at the moment is whether the community members will use any kind of shared infrastructure — or systems belonging to the companies they work for — to hunt for new and emerging cyberthreats exploiting the crisis.

It is also not clear whether the league will engage in any kind of offensive cybersecurity exercises to take down infrastructure and systems that threat actors might be using to launch these attacks. A story in Reuters that quoted Rogers described the new community as leveraging their contacts within the Internet service provider community to “squash garden variety” phishing attacks and financial scams related to COVID-19. Whether those kinds of actions would need coordination with law enforcement and other entities is not clear.

“To be really meaningful, the security community will have to continue to work together, cooperate, share resources, and defend critical organizations,” says Atif Mushtaq, CEO and founder at SlashNext. “This would require cooperation and support from corporations, executives, employees, white hat hackers, coders, researchers” and others, he says.

Apurva Kumar, staff security intelligence engineer at Lookout, says community efforts like the COVID-19 CTI League are what is needed to address opportunistic cyberattacks during a global crisis. "I suspect that this will be a meaningful initiative," she says. "There are already many private information-sharing initiatives that exist as email lists for the purpose of identifying emerging threats in various industries."

Often competitors are happy to work with each other privately for the greater good. Lookout, for instance, could contribute to an effort like the COVID-19 CTI League, Kumar says. “Lookout Phishing AI is already actively engaging with the cybersecurity community and with the many major brands that are frequently targeted in phishing attacks to help identify new and emerging threats as fast as they are created,” she says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/cyber-version-of-justice-league-launches-to-fight-covid-19-related-hacks-/d/d-id/1337424?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple