STE WILLIAMS

Oracle scrambles to sew up horrid security holes in PeopleSoft’s Tuxedo

Oracle has published an out-of-band software update to address a handful of security flaws in parts of the PeopleSoft HR software.

The House of Larry said this week the five CVE-listed vulnerabilities all sit within the Jolt component of Tuxedo, an application server used by PeopleSoft to handle non-Java applications.

“Since Oracle PeopleSoft products include and use Oracle Tuxedo in their distributions, PeopleSoft customers should apply the Tuxedo patches,” Oracle explained.

The most serious of the flaws, CVE-2017-10269, allows an attacker with network access to the Jolt web application interface on a target server to effectively take over the underlying Tuxedo software and, in the process, compromise PeopleSoft-powered systems without the need for authentication.

“Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Tuxedo accessible data as well as unauthorized access to critical data or complete access to all Oracle Tuxedo accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Tuxedo,” the NIST summary reads.

A second flaw, CVE-2017-10272, requires the attacker to first log into the victim’s server in order to exploit it. The programming blunder is very similar to OpenSSL’s Heartbleed, and has even been dubbed JoltandBleed, as it allows an attacker to siphon off memory from the server and then leverage that information to cause more mischief and damage.

A third flaw, CVE-2017-10266, can be exploited to brute-force DomainPWD passwords to gain read-only access to data. A fourth bug, CVE-2017-10267, is a stack-overflow blunder that can be easily exploited to bypass authentication.

The final vulnerability, CVE-2017-10278, is a heap-overflow hole that is difficult to exploit, we’re told, but can also be used to bypass authentication.

Oracle is advising all companies running Tuxedo versions 11.1.1, 12.1.1, 12.1.3, and 12.2.2 on PeopleSoft to update their installations as soon as possible. Where patching has to wait, the practical stopgap follows from the worst flaw needing no credentials: restrict network access to the Jolt listener to the hosts that actually need it, and check that it is not reachable from the internet or from untrusted internal segments.

The database giant’s updates come as many admins already find themselves bogged down installing the monthly security updates from Microsoft as well as a massive November patch from Adobe. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/16/oracle_peoplesoft_tuxedo_security_vulnerabilities/

Optiv Acquires Decision Lab to Expand Big Data Services

Deal enhances Optiv’s big data, automation, and orchestration efforts.

Optiv Security announced today it acquired Decision Lab in a move to expand its big data and security analytics services.

Decision Lab also offers automation and orchestration services to a customer base that includes government agencies and enterprises worldwide.

The deal aims to accelerate Optiv’s growth strategy and ride the wave of increasing security data that enterprises produce, Sean Catlett, Optiv’s senior vice president of emerging services, said in a statement.

Optiv notes the Decision Lab acquisition is also expected to increase the company’s staff of seasoned security experts and data scientists, as well as bolster its security analytics in the areas of incident response, insider threats, fraud, and anomaly detection. The Decision Lab transaction marks the second acquisition for Optiv this month, following its Conexsys purchase to increase its presence in the Canadian market.


Article source: https://www.darkreading.com/threat-intelligence/optiv-acquires-decision-lab-to-expand-big-data-services/d/d-id/1330448?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

121 Pieces of Malware Flagged on NSA Employee’s Home Computer

Kaspersky Lab’s internal investigation found a backdoor Trojan and other malware on the personal computer of the NSA employee who took home agency hacking tools.

The personal computer used by the National Security Agency (NSA) employee who reportedly took classified tools from the office and loaded them onto that home machine was infected with a backdoor associated with Russian underground forums. Another 120 pieces of malware were flagged on the machine.

That’s the latest finding of an internal investigation published today by Kaspersky Lab, which has been under scrutiny amid allegations that its software assisted Russian nation-state actors in stealing the NSA hacking tools off the employee’s home computer, which was running Kaspersky Lab antivirus software. The security company has vigorously denied the allegations.

According to the security firm’s investigation, the NSA employee’s PC was infected with the Mokes backdoor, aka Smoke Bot and Smoke Loader. The information-stealing backdoor Trojan has been for sale since 2014 in Russian cybercrime underground forums, and from September to November 2014 its command-and-control servers were “registered to presumably a Chinese entity going by the name ‘Zhou Lou’,” Kaspersky Lab’s report says.

The NSA worker’s machine was breached on Oct. 4, 2014, after he installed what appeared to be a pirated Office 2013 application, and Kaspersky Lab’s AV later detected the malware as Mokes.

“At a later time after installation of the supposed MS Office 2013, the antivirus began blocking connections out on a regular basis to the URL “http://xvidmovies[.]in/dir/index.php”. Looking into this domain, we can quickly find other malicious files that beacon to the same URL. It’s important to note that the reason we know the system was beaconing to this URL is because we were actively blocking it as it was a known bad site. This does however indicate the user actively downloaded / installed malware on the same system around the same time frame as our detections on the Equation files,” Kaspersky Lab said in its report.

To have installed and run the malware in the first place, the victim would have had to disable Kaspersky Lab’s AV program, the company said.

During the period of September 11 to November 17, 2014, some 121 pieces of malware, including Mokes but not including the NSA tools, were flagged by Kaspersky Lab’s software. The malware included other backdoors, Trojans, adware, and exploits. “All of these alerts, combined with the limited amount of available telemetry, means that while we can confirm our product spotted the threats, it is impossible to determine if they were executing during the period the product was disabled,” the report says.

The AV operated normally when it flagged the tools created by the Equation Group, Kaspersky Lab says. Equation Group is the moniker the security firm uses for the NSA since it steers clear of attribution of actual attack groups.

“In no way was the software used outside of this scope to either pull back additional files that did not fire on a malware signature or were not part of the archive that fired on these signatures,” the report says. “What is believed to be potentially classified information was pulled back because it was contained within an archive that fired on an Equation-specific malware signature.”

The security firm said it found no evidence that its researchers attempted to set up rogue signatures to search for classified or top-secret files on the NSA worker’s machine.

Given the discovery of the Mokes backdoor infection and possible infections from other malware on the machine, Kaspersky Lab concluded that the data “could have been leaked to an unknown number of third-parties as a result of remote access to the computer.” 


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/analytics/121-pieces-of-malware-flagged-on-nsa-employees-home-computer/d/d-id/1330450?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Terdot Banking Trojan Spies on Email, Social Media

Terdot Banking Trojan, inspired by Zeus, can eavesdrop and modify traffic on social media and email in addition to snatching data.

When is a banking Trojan more than a banking Trojan? When it can be used for cyberespionage.

Terdot, discovered by researchers at Bitdefender, can be used to view and modify traffic on email and social media platforms in addition to collecting victims’ financial information. It can also steal credentials, inject HTML code on visited Web pages, and download and execute files.

The malware derives inspiration from the 2011 source code leak of the Zeus banking Trojan. It’s not uncommon for banking Trojans to share similarities, however, and Zeus isn’t the first to have its code made public. This has also happened with the Mirai, KINS, and Carberp malware families.

Bitdefender first spotted Terdot in October 2016, says senior e-threat analyst Bogdan “Bob” Botezatu. It performs the main functionalities of a banking Trojan: Terdot arrives in a malicious email with a button disguised as a PDF link. When clicked, it infects a machine and creates a Web proxy to modify transactions. Any data that victims send to a bank is intercepted by Terdot and modified in real-time, and the malware intercepts and modifies the bank’s response.

The malware packs capabilities enabling hackers to collect far more than financial data. Because it lives in the browser, Terdot has unrestricted access to whatever is posted via that browser.

“The Web proxy is also instructed to steal sensitive information from the computer,” says Botezatu. “It’s not going after money; it harvests cookies from logged-in sessions and credentials for email accounts and social network accounts.”

Terdot uses a chain of droppers, injections, and downloaders to protect the payload. It defeats the protection TLS would otherwise give by generating its own Certificate Authority and minting a certificate for every domain visited, a classic man-in-the-middle setup. That only works because the malware, already running with the user’s privileges, can plant its CA in the local trust store; an unexpected root CA in a user’s or machine’s trusted-root store is therefore a worthwhile thing to alert on. By injecting itself into the browser process, it can monitor activity and inject spyware.

Targeted regions include the US, Canada, the UK, Germany, and Australia. Frequently hit websites include Canada’s PCFinancial, Desjardins, BMO, Royal Bank, Scotiabank, and CIBC. Affected email providers include Microsoft’s live.com, Yahoo Mail, and Gmail; social media platforms Facebook, Twitter, Google Plus, and YouTube.

Terdot is specifically instructed not to collect data from Russian social media platform VK, which suggests Eastern European actors may be behind it.

Detection and Defense

Botezatu says Terdot poses a significant risk to businesses because of the way it’s delivered and the damage a Trojan could inflict. However, its social media interception module adds a consumer spin to the malware.

“I don’t think the guys in accounting would spend too much time on Facebook,” he notes.

Terdot is extremely difficult to detect and remove, he continues. “It has modules that ensure persistence. It injects itself into every process on that machine, and these processes act like a watchdog to one another.”

Because Terdot uses both phishing and man-in-the-middle to attack, businesses with breach prediction systems to cover all attack vectors are better prepared to defend themselves, says Manoj Asnani, vice president of product and design at Balbix.

“It should be noted that most of today’s detection solutions are single attack vector-focused,” he says. “A multi-vector system is needed in this case – and would have proactively flagged users that are at risk of phishing, in addition to compromised or spoofed certificates.”

Unexpected Trend

This discovery is part of a growing trend of malware targeting financial institutions.

“We have started to see the reemergence of banker Trojans,” Botezatu explains, adding that they had previously experienced a heyday between 2012 and 2016. “But we could have sworn the trend was otherwise.”

It’s curious to see banking Trojans resurface because they require several players and are difficult to launch and monetize, unlike comparatively easy attacks like ransomware. Botezatu blames their return on earlier Trojan code leaks and oversaturation of the ransomware market.

To this point, researchers at Trend Micro recently discovered a new iteration of banking malware Emotet with a few changes to its original behavior. This version of Emotet has been updated to evade detection and analysis; for example, it swapped its RunPE-based dropper for a Windows API call to make it harder to find. It also checks whether a scanner is monitoring its activity, and can detect when it is running inside a sandbox.


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/threat-intelligence/terdot-banking-trojan-spies-on-email-social-media/d/d-id/1330449?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Crooks Turn to Delivering Ransomware via RDP

In a new twist to an old attack, threat actors are increasingly using the remote access protocol to install ransomware, Sophos says

In a new twist to an old attack technique, some threat actors have begun installing ransomware on Windows networks by breaking into them via weakly protected Microsoft Remote Desktop Protocol (RDP) services.

Security vendor Sophos says it has seen a spate of such attacks recently with the victims in most cases being small companies with 30 or fewer staff members that rely on external parties to manage their Windows networks remotely.

Unlike typical ransomware campaigns in which the malware is mass distributed via phishing and other means, the crooks in these attacks are breaking into Windows systems one at a time and running ransomware on them manually using RDP access.

The trend highlights the need for organizations to ensure that RDP is turned off on all computers on the network on which it is not needed, to use VPNs for external connections and to implement strong authentication where possible, Sophos said.

“For a small business, RDP is often the only way to get IT support at all,” says Paul Ducklin, senior technologist at Sophos. It allows a third party located across town, in another state, or overseas to remotely access a Windows network and administer it with nearly the same level of control over it as a local user. RDP can be handy, but if the service is left open to the Internet, as businesses sometimes do, attackers can try to brute force their way into your network, Ducklin says.

“When an [RDP] server is open to the Internet, it means that you’ll accept incoming connections from anywhere, including users on computers in other companies, other cities, other states, other countries,” Ducklin says. “Loosely speaking, any computer, or mobile device, that can send packets outwards on the Internet can connect inward to your server and get a response of some sort.”

Recently, Sophos has seen evidence that attackers have begun using scanning services such as Shodan and Censys to search for systems with RDP open to the Internet. They have then been using the NLBrute tool to try and guess RDP passwords and brute force their way into such systems.

“Many small businesses have a dedicated computer to handle RDP connections, or will just let RDP users connect directly to the main server,” Ducklin says. “Shodan is looking for open ports visible somewhere, anywhere, that lead to RDP somewhere inside the network.”

Attacks against RDP are certainly not new. The difference is that attackers increasingly have begun using their RDP access to then install ransomware on systems. In several of the cases that Sophos has investigated, attackers have first initiated a series of measures to disable and disarm security settings on the network to which they have gained access, before running ransomware on them.

Some of the measures have included killing off processes that disallow shutdown, deleting locked files, changing configuration settings, disabling anti-malware tools, turning off database services, and deleting backup files. Because the systems have been rigged to become as insecure as possible, the threat actors are then able to run old and even free variants of ransomware on them until something works. “In several cases, we’ve found cryptocurrency mining software that had been around for a while,” Ducklin says.

Gartner analyst Avivah Litan says hackers have been using NLBrute for years to brute force their way into systems via RDP. In fact there are even YouTube videos on how to use the tool, she says.

However, the increase in RDP attacks to drop ransomware is a new twist, Litan says. “It reminds me of what happened with online banking attacks,” she notes. “As banks implemented more controls that prevented fully automated and mass attacks, criminals started using RDP to manually attack one user at a time.”

Attacks via RDP are big threats to organizations, Litan cautions. Endpoint security controls are not very effective at dealing with these attacks because the tools are typically looking for malicious files and fully automated attacks, rather than human-executed manual attacks, she says.

Organizations that want to enable RDP should first ask themselves if they require that access, adds Tyler Reguly, manager of Tripwire’s Vulnerability and Exposure Research Team. “Enabling RDP access to a Windows computer is no different than providing SSH access to a Linux server, so there’s definitely justification for doing it and businesses with a need should not be afraid to run RDP.”

But it is important to ensure strong passwords and two-factor authentication at a minimum when enabling the service, Reguly says. If possible, require a VPN connection to access the service and avoid direct Internet access.

Also, set a lockout policy to limit password-guessing attacks, Ducklin says. Simply by enforcing a five-minute lockout after three failed guesses you can ensure that crooks can at most try 48 passwords an hour, making a brute force attack impractical, he says.
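Two things from the passages above are worth seeing in code: how the password guessing Sophos describes (scan for exposed RDP, then hammer it with NLBrute) looks in a Windows Security log, and what a lockout policy actually caps the guess rate at. The block below is an added example, not Sophos, Tripwire or Dark Reading code. The log lines are constructed for this example; real Windows logs are EVTX/XML, and the flat `key=value` layout is an assumption made so it runs offline, although the fields used (EventID 4625, LogonType 10 for RemoteInteractive, IpAddress, TargetUserName) are the ones a real 4625 event carries.

```python
"""Detect RDP password guessing in failed-logon events and bound the guess rate under lockout.

Added example, not from the article. SAMPLE_EVENTS is constructed; the key=value
line format is an assumption standing in for real EVTX records.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 4625 = failed logon, 4624 = successful logon.
# LogonType 10 = RemoteInteractive (RDP); LogonType 3 = network (SMB etc.), not RDP.
SAMPLE_EVENTS = """\
2017-11-16T02:00:01 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=administrator
2017-11-16T02:00:03 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=admin
2017-11-16T02:00:05 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=administrator
2017-11-16T02:00:08 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=backup
2017-11-16T02:00:10 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=administrator
2017-11-16T02:00:12 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=admin
2017-11-16T02:05:00 EventID=4625 LogonType=10 IpAddress=198.51.100.9 TargetUserName=jsmith
2017-11-16T02:05:30 EventID=4624 LogonType=10 IpAddress=198.51.100.9 TargetUserName=jsmith
2017-11-16T02:06:00 EventID=4625 LogonType=3 IpAddress=192.0.2.44 TargetUserName=svc_backup
"""


def parse_events(text):
    """Turn the constructed 'timestamp key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        record = {"time": datetime.fromisoformat(stamp)}
        for field in fields:
            key, value = field.split("=", 1)
            record[key] = value
        events.append(record)
    return events


def rdp_bruteforce_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: (max failures inside one window, distinct usernames tried)}
    for every source that produced at least `threshold` failed RDP logons
    within `window`. Counting distinct usernames matters: an attacker who
    spreads guesses across accounts stays under a per-account lockout."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == "4625" and ev.get("LogonType") == "10":
            by_ip[ev["IpAddress"]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        start, densest = 0, 0
        for end in range(len(evs)):           # sliding window over the failures
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            densest = max(densest, end - start + 1)
        if densest >= threshold:
            flagged[ip] = (densest, len({e["TargetUserName"] for e in evs}))
    return flagged


def max_guesses_per_hour(lockout_threshold, lockout_minutes):
    """Ceiling on online guesses against ONE account per hour when the account
    locks for `lockout_minutes` after `lockout_threshold` failures. The attacker
    gets `lockout_threshold` tries per lockout period, and there are
    60 / lockout_minutes periods in an hour."""
    periods_per_hour = 60 / lockout_minutes
    return int(lockout_threshold * periods_per_hour)


if __name__ == "__main__":
    for ip, (failures, users) in rdp_bruteforce_sources(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: {failures} failed RDP logons in window, {users} usernames tried")
    print("3 failures / 5 min lockout ->", max_guesses_per_hour(3, 5), "guesses per hour per account")
```

With a threshold of 3 and a five-minute lockout the formula gives 36 guesses per hour per account rather than the 48 quoted above (48 corresponds to a threshold of 4); either way it turns a dictionary attack into a non-starter. Two caveats a practitioner will want: the bound is per account, so it does nothing against password spraying across many accounts, which is why the detector keys on source address and counts distinct usernames; and an aggressive lockout lets an attacker who knows your usernames lock out your own admins, so pair it with a VPN or gateway in front of RDP rather than relying on it alone. On a stand-alone Windows host the policy is set with `net accounts /lockoutthreshold:3 /lockoutduration:5 /lockoutwindow:5`; in a domain it lives in Group Policy under Account Lockout Policy.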

The Sophos warning is the second in recent weeks involving RDP. In October, Flashpoint warned about Dark Web marketplaces selling access to tens of thousands of brute-forced RDPs around the world. Ultimate Anonymity Services, one of the outfits selling such access, alone had over 35,000 brute-forced RDPs for sale, Flashpoint noted in its report.

Threat actors can use such compromised RDP servers for a variety of reasons in addition to installing ransomware on systems, says Flashpoint cybercrime analyst Olivia Rowley.

“For some cybercriminals, it may be more advantageous to use a compromised RDP as a staging ground for conducting other fraud, such as making a fraudulent purchase,” Rowley says. “Cybercriminals may also find that the compromised RDP contains sensitive files or other proprietary information, thus making the RDP a tool for conducting data breaches.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/crooks-turn-to-delivering-ransomware-via-rdp/d/d-id/1330451?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Apple’s Face ID security fooled by simple face mask

A Vietnamese security company called Bkav claims it has successfully bypassed Face ID authentication on Apple’s flagship iPhone X using – wait for it – a mask.

Before studying the claim and how Face ID works let’s state that, if true, this would be a big technical hiccup, and not just for Apple.

Face ID is supposed to be the hard launch for a new generation of biometric authentication tech and not simply a fancier way to unlock the iPhone X’s screen.

Anyone beating it is also potentially compromising its use as an authentication mechanism for financial transactions (currently Apple Pay) and, in time, wider online services. This matters because the world badly needs better authentication ASAP.

And yet Bkav says its proof-of-concept (POC) beat Face ID using a rudimentary mask constructed using $150-worth (£110) of 3D-printed plastic, paper cut-out eyes and lips, a silicone nose and some makeup.

In the video demo of the team unlocking an iPhone X, Face ID even fails to spot that two-dimensional images have been stuck onto the 3D surface.

This is surprising, not only because Apple said it had tested Face ID against sophisticated replica masks during its launch event, but also because third parties have tried to do the same without success.

The mask used was even non-naturalistic, representing barely half the real user’s face. What did Bkav do that Apple and others couldn’t?

The company said it fooled Apple’s AI neural engine, which is known to look for specific parts of the face. Somehow, its researchers were able to perfect the mask without having to test it first on a real iPhone X, which locks after five unsuccessful attempts.

Counterintuitively:

Apple’s AI can only distinguish either a 100% real face or a 100% fake one. So if you create a ‘half-real half-fake’ face, it can fool Apple’s AI.

Contrast this with the iPhone X’s Face ID spec which Apple says works by “projecting and analyzing over 30,000 invisible dots to create a depth map of your face [which is] matched against the stored mathematical representation to authenticate.”

The chance of a random person unlocking an older iPhone using the company’s Touch ID fingerprint system is said to be one in 50,000 – for Face ID it is supposed to be one in a million.

Inevitably, doubts have been raised about Bkav’s bypass, although the company has form after beating a variety of authentication systems in the past.

The caveat is that anyone using this technique would still have to have extensive access to the iPhone X’s owner in order to create an accurate mask in the first place. The company admits this puts exploits based on it into the realm of high-end cyber-espionage.

Or perhaps not. Reports have surfaced that a 10-year-old boy was able to unlock his mother’s iPhone X, possibly because their faces are similar. When a magazine asked her to re-enrol her face to check this wasn’t a one-off, he was able to access the phone intermittently.

Perhaps these incidents remind us that while Face ID is very good, it’s still short of perfection. Apple’s own Face ID documentation says the one-in-a-million figure does not hold for twins, look-alike siblings, or children under 13, which fits the mother-and-son report – and Bloomberg reported that Apple cut corners on Face ID to meet iPhone X deadlines.

This could explain why Apple also requires users to enter a passcode when the iPhone X is turned on or rebooted, or hasn’t been unlocked for 48 hours, for instance.

The good news is that companies who set out to break Face ID (including, ironically, Apple itself during the iPhone X’s launch event) are really helping Apple make it better in the long run. Better to do that now when the technology is new than discover a big weakness after a real-world compromise.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/MfSxHjji1qg/

Forever 21 informs customers of a potential data breach

Encryption! Gotta love it! It makes paying for things so easy, and secure… Most of the time.

You swipe your card when you buy a t-shirt, gas up your car, or whatever else you do with your plastic. Then, your sensitive, (hopefully) encrypted payment data gets fed into a Point-of-Sale (PoS) system, decrypted in the PoS’s RAM for processing, and you’re good to go.

Except when you’re not. And that gets us to PoS malware and its latest victim, the clothing store Forever 21.

Forever 21, based in Los Angeles, announced on Tuesday that an unidentified third party told the clothier that there may have been unauthorized access to data from payment cards that were used at certain stores.

Forever 21 began an investigation of its payment card systems, brought in a security and forensics firm to help out, and informed customers.

The retailer doesn’t appear to know much, including whether or not anybody’s payment data were actually compromised. But unlike many outfits that get hit with a data breach, the company actually gave us a tiny bit of detail about what’s been going on with encryption in its PoS devices.

Apparently, Forever 21 implemented its current encryption and tokenization solutions in 2015. However, it says that the encryption of some PoS devices in some Forever 21 stores wasn’t in operation. The retailer didn’t say when the encryption was nonfunctional, but the investigation is focusing on card transactions that took place between March and October 2017.

It’s too early to give out more details than that, Forever 21 says, but it expects to provide further information on the specific stores and timeframes that may have been involved as the investigation continues. It runs 815 stores in 57 countries, so this could well be a widespread breach.

Forever 21 says it’s “always advisable for customers to closely monitor their payment card statements.” If you see a fishy charge, immediately notify the bank that issued the card. Generally, you won’t be held responsible for any fraudulent charges.

SophosLabs has analyzed the various types of PoS crimeware over the years. In 2013, SophosLabs discovered what was then the highly prevalent Citadel crimeware targeting PoS systems.

The Citadel malware was using screen captures and keylogging instead of the RAM-scraping technique used by another PoS malware, Trackr.

It’s far from surprising that somebody chose to zero in on Forever 21. Retailers are one of the most targeted industries, right up there with service, healthcare, food services, education, and hotel/tourism.

That makes sense: if you want to get money, you rob a bank. If you want to rip off credit and debit cards, you go where there’s a ton of transactions taking place and there are goldmines of payment data that can be harvested – as ex-SophosLabs researcher Numaan Huq pointed out when he took a deep dive into PoS RAM scraper malware and how it works.

Compromising a single PoS system (e.g. in a fast food outlet) may yield thousands of credit cards per week, cheaply – much easier to gather 10,000 credit card details from one PoS system than to attempt to infect 10,000 PCs, hoping to grab the data from there.

If not protected properly, PoS systems become easy targets, Huq said: “a single point of failure that can affect thousands of people.”
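The decrypted-in-RAM window described at the top of this piece, and the RAM scraping Huq describes, come down to one trick: card data sitting in process memory in the magnetic-stripe layout the reader produced. The block below is an added example, not SophosLabs’ or Forever 21’s code. It scans a memory buffer for ISO/IEC 7813 track-2 records and keeps a hit only if the PAN passes the Luhn check, which is both how a scraper finds cards and how a forensic examiner or DLP scan checks whether card data was ever in the clear. The buffer is constructed for this example and uses a well-known test card number, not a real account.

```python
"""Scan a memory image for track-2 card data (added example, not from the article).

SAMPLE_MEMORY is constructed: a fake process dump containing one valid-looking
track-2 record with the 4111... test number and one digit run that fails Luhn.
"""
import re

# Track 2 layout: ';' start sentinel, 13-19 digit PAN, '=' separator, YYMM expiry,
# 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right, subtract 9
    from doubles above 9, and require the sum to be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if i % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six (BIN) and last four digits, the usual PCI-safe form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes):
    """Return one record per track-2 match whose PAN is Luhn-valid.
    The Luhn filter removes most digit runs that merely look like a card
    number (IDs, timestamps, counters) and is what real scrapers use too."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        hits.append({
            "offset": m.start(),
            "pan": mask_pan(pan),          # never log the full PAN
            "expiry": m.group(2).decode(),  # YYMM
            "service_code": m.group(3).decode(),
        })
    return hits


# Constructed process memory: a card read decrypted for processing, surrounded by
# unrelated bytes, plus a decoy that has the right shape but a bad check digit.
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"POS terminal 0042 ready\x00"
    + b";4111111111111111=25121010000012345?"   # test PAN, Luhn-valid
    + b"\x00\x00"
    + b";1234567890123=2512101?"                # right shape, fails Luhn
    + b"log=2017-11-16\x00"
)


if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_MEMORY):
        print(hit)
```

The point for the Forever 21 story is the control this scan tests for: with point-to-point encryption working, the reader hands the PoS a ciphertext and the scan over its RAM finds nothing, because the PAN is only ever decrypted at the payment processor. The retailer’s admission that encryption on some devices “wasn’t in operation” means exactly that this window existed on those terminals. A scanner like this, run over memory images of a sample of terminals, is a cheap way to verify the encryption is actually doing its job rather than just being configured.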

One example: in September 2014, a PoS vendor lost a user name and password used to remotely access its systems. 324 US restaurants were breached as a result.

What to do if you’re a customer? Keep an eye on your credit card and bank statements, like Forever 21 advised, absolutely. And if you’re a vendor who’s outsourced payment card processing? It’s worth reiterating the advice that Naked Security’s Paul Ducklin has previously offered:

PoS vendors who insist on remote access to your network should be able to answer at least the following questions to your satisfaction:

  • What technology they use (e.g. RDP).
  • How they secure it (e.g. with two-factor authentication).
  • Who has access (e.g. vetted support technicians only).
  • What they use it for (e.g. installing updates).
  • How they keep access to your network separate from other customers.
  • How access by their staff is reviewed (e.g. what they do with the logs).
  • How quickly you will be told if irregularities are spotted.

Don’t be afraid to ask. You’re handing over the keys to your commercial kingdom, Paul points out. The least you can expect is informative, educational answers.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/hOIYWmAIl5E/

Deleted WhatsApp sent messages might not be gone forever

Have you ever sent a WhatsApp message to the wrong chat? Like, say, one about your jerky boss that was meant for your work buddy but somehow got sent to your jerky boss?

If so, you were probably pleased when WhatsApp recently introduced the ability to unsend messages. The “Delete for Everyone” feature was designed to let you virtually reach out and rub a message out of existence on recipients’ devices. Instead of seeing the post, they’d see a message that says: “This message was deleted,” but they couldn’t see the content. It works not only for text but also for attachments such as photos, videos, GIFs, and voice messages.

It’s kind of like the ephemeral nature of Snapchats, right? You can get a little risque, since you have a window of time (supposedly 7 minutes) to delete a WhatsApp post, just like that supposedly vanishing Snap of whatever fleshy hijinx you’ve been up to, right?

Well, unfortunately, it turns out that WhatsApp and Snapchat share another commonality: just as Snaps that were supposed to have “disappeared forever” turned out to stay right there on your phone, WhatsApp messages that are deleted are actually still on the device and can be easily accessed.

This is according to a report from the Spanish Android blog Android Jefe, which found that deleted WhatsApp messages – at least, the first 100 characters – can be read off of the notification log of the device.

What we found is that the messages are stored in the notification register of the Android system. So, it’s just a matter of entering that record to see the messages that the other person deleted.

Notification History is a hidden feature that first got added in Android 4.3. Hidden it may be, but there are apps on Google Play that will happily reveal it for you.

Then again, you might not need any special apps at all:

If the “Settings” widget is added to the home screen, you will probably find the “Notification registration” option, as we saw in this article with a Motorola Moto G.

“It works perfectly,” Android Jefe says, despite limitations. Those limitations include that the notification log usually only saves notifications for a few hours. Also, the log is deleted when the phone is restarted. Another limitation is that you can only retrieve messages that have already been seen or interacted with. According to Android Jefe, only when the system detects these events does it save a message in the registry.

To get at your phone’s not-deleted deleted messages, you need a phone running at least Android 6. In Notification History, look for the notification that says WhatsApp. The message will be in the line that says “android.text”.

Then again, as Android Jefe explains, you don’t have to bother with Notification History at all if you’re running one of the apps that make backups of your WhatsApp messages. That includes photos, which you can’t get to in notification history. Just go check out your backup! Oh, and all those limitations with Notification History? Android Jefe says it’s moot: there are none with backup apps!

Regardless of whether you retrieve deleted messages via notification history or a backup app, you need to make sure WhatsApp notifications aren’t disabled.

Should you do any of this? Should you go read messages that somebody obviously doesn’t want you to read? Isn’t that a bit rude?

Sure! Sure, it’s a bit rude, at the very least, to ignore somebody’s desire to whisk their communications off your phone.

But what really matters is that it can be done. It’s a reminder that once a message or a photo is off your phone, you don’t control it, no matter what comfort blankets your app might provide. Your “Delete for Everyone” button can’t save you from screenshots, backups or logs, or from giant picture-sucking websites like SnapSaved.com, the online repository of supposedly deleted Snapchats that was cracked open by hackers in 2014.

So keep this in mind when you compose a WhatsApp message that you might want to stamp out of existence at some point: it’s a lot easier not to write it in the first place than it is to ensure that it’s really, truly deleted – just like those oh-so-not-disappearing Snaps!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/fdpScEqfrI0/

DJI bug bounty NDA is ‘not signable’, say irate infosec researchers

Chinese drone maker DJI faces questions from infosec researchers about its bug bounty programme. Sources have told The Register that a non-disclosure agreement (NDA) they were invited to sign would result in the company “owning their actions”.

DJI’s scheme to pay those who highlight security weaknesses, announced in late August, promised payments of “up to $30,000” for bug reports.

Sources, including prominent drone hacker Kevin Finisterre, expressed concern that the NDA would effectively prohibit them from carrying out any further work. One who spoke on condition of anonymity told us: “They own you and your actions after you sign it.”

Finisterre himself alleged DJI “pretty well threatened me” by mentioning the US Computer Fraud and Abuse Act (CFAA) in the NDA forwarded to him by DJI US veep Brendan Schulman. The CFAA is the American legislation used to prosecute black-hat hackers and others who access computer systems they are not authorised to use.

Another drone researcher, Andreas Makris, told us:

“We need to sign [the NDA] before we see any bounty money. I responded that this NDA is just not signable for me and for most others in this area it is not signable too.”

We asked DJI’s Schulman to comment on the NDA the day before this article was published. He did not respond.

DJI itself, however, announced that it has upgraded its bug bounty scheme to a full-blown “Security Response Center”, which it said had paid out $3,200 so far.

“DJI created our Security Response Center because we know our customers value their information security, and we are committed to protecting it,” said Victor Wang, DJI tech security director, in a canned statement. “We continue investigating this issue, and we will share our findings as we learn more.”

Security reports can be submitted to DJI via security.dji.com. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/16/dji_bug_bounty_nda/

New, revamped Terdot Trojan: It’s so 2017, it even fake-posts to Twitter

Terdot, a banking Trojan that has been around since mid-2016, has been re-engineered with updated information- and credential-stealing functions as well as social media account monitoring.

Built on the Zeus framework, whose code was leaked in 2011, Terdot adds several novel techniques, such as leveraging open-source tools for spoofing SSL certificates, antivirus firm BitDefender has reported. The malicious code also features a powerful man-in-the-middle proxy that filters the user’s entire web traffic in search of sensitive information, which is then logged and exfiltrated.

This man-in-the-middle proxy also allows the banker Trojan to manipulate traffic on most social media and email platforms, and even post on the behalf of the infected user.

Terdot uses sophisticated hooking and interception techniques, and features several capabilities to ensure it is not detected or removed. The combination makes cleanup extremely difficult, BitDefender warned.

The Trojan is predominantly being distributed through websites compromised with the SunDown Exploit Kit, it added. The malware also spreads through booby-trapped emails carrying a bogus PDF icon button which, if selected, executes JavaScript code that downloads the malware.

In other banking Trojan news, miscreants have brewed up an entirely new strain of nasty called IcedID.

The malware targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites in the US. Two major banks in the UK are also on the target list the malware fetches, according to security researchers from IBM X-Force, which discovered the nasty.

In addition to its data-harvesting abilities, IcedID can also monitor victims’ online activities. In spite of being new and still in development, IcedID already possesses advanced features that rival those experts have seen in older and more complex banking Trojans such as Dridex, Zeus and Gozi. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/16/terdot_banking_trojan/