STE WILLIAMS

Democrats draft laws in futile attempt to protect US internet privacy

Less than a week after President Trump signed the law allowing ISPs to sell customers’ browsing habits to advertisers, Democratic politicians are introducing bills to stop the practice.

On Thursday, Senator Ed Markey (D-MA) submitted a bill [PDF] that would enshrine the FCC privacy rules proposed during the Obama administration into law – the rules just shot down by the Trump administration. Americans would have to opt in to allowing ISPs to sell their browsing data under the proposed legislation, and ISPs would have to take greater care to protect their servers from hacking attacks.

“Thanks to Congressional Republicans, corporations, not consumers, are in control of sensitive information about Americans’ health, finances, and children. The Republican roll-back of strong broadband privacy rules means ISP no longer stands for Internet Service Provider, it stands for ‘Information Sold for Profit’,” said Senator Markey.

“This legislation will put the rules back on the books to protect consumers from abusive invasions of their privacy. Americans should not have to forgo their fundamental right to privacy just because their homes and phones are connected to the internet.”

The bill has been cosponsored by ten senators, all Democrats except for the independent Bernie Sanders. No Republicans have added their name to the legislation – nor shown any support for it – which probably means it’s doomed to failure given the GOP-dominated composition of the Senate.

The new bill echoes similar legislation introduced in the House of Representatives earlier in the week. Representative Jacky Rosen, who was a software developer before she got into politics, has introduced the Restoring American Privacy Act of 2017.

“As someone who has first-hand experience as a computer programmer, I know that keeping privacy protections in place is essential for safeguarding vulnerable and sensitive data from hackers,” said Representative Rosen (D-NV).

“I will not stand by and let corporations get access to the most intimate parts of people’s lives without them knowing and without consent. It is appalling that Republicans and President Trump would be in favor of taking Americans’ most personal information to sell it to the highest bidder.”

The FCC rules would have required internet users to sign up to allow their browsing histories to be sold, and put an increased onus on ISPs to protect their private data. One of the first acts of the new administration was to drop the FCC rules and legislate against them, with President Trump signing off on the legislation on Monday.

Facing a public backlash, the major ISPs have promised that they won’t sell off an individual’s browsing history – but left the door open for selling the data as part of a group. Customers will also have the choice to opt out, but you can bet the form to do so will be in the internet equivalent of a locked filing cabinet carrying a sign reading “Beware of the leopard.”

The bills will be welcomed by many but, realistically, have no chance of passing unless a sizable number of Republicans cross the floor. That’s not going to happen, so individual states have been taking action of their own.

Last week, Minnesota and Illinois legislatures began enacting legislation to provide privacy protections for internet users, and now New York has done the same. Senator Tim Kennedy (D-Buffalo) has introduced legislation to stop ISPs selling off their customers’ browsing histories.

“When voters across the country elected this House and US Senate last November, I doubt they were voting with the hope that their ISP would be allowed to sell their browsing history,” said Senator Kennedy.

“This kind of anti-consumer, anti-privacy action doesn’t benefit anyone except large corporations. This is not an abstract threat to regular folks – this is bad policy with real-world consequences.”

It’s possible the ISPs could have bitten off more than they can chew on this one by seriously underestimating quite how angry this issue has made people. Despite frantic PR moves, more and more states are now taking matters into their own hands – which is just as the Founding Fathers designed the system. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/06/democrats_move_to_restore_internet_privacy/

Commodity Ransomware Is Here

When deploying ransomware is as easy as ordering a pizza, the best defense is through better threat intelligence sharing.

With “Philadelphia,” a slick ransomware-as-a-service interface that enables almost anyone to launch a sophisticated ransomware campaign, deploying ransomware is suddenly as easy as ordering a pizza. The criminal developers behind Philadelphia even had the heart to offer a “mercy” feature, should a victim plead for access to ransomed photos of lost family and friends.

Welcome to the new world of commodity malware!

As the co-founder of a threat intelligence exchange platform, I see a lot of trending campaigns before they reach the mainstream, and Philadelphia typifies many of the new-age indicators we’re starting to see in incident data from companies across the cloud, finance, and healthcare sectors.

Below are some key insights about this new era of commodity malware so that you can spot patterns within your own data.

Insight #1 – The Exploit Kit Playbook: Many incident reports show multiple ransomware campaigns relying on an easy-to-buy RIG exploit kit, and then combining it with commoditized ransomware like Cerber and Locky. The playbook for creating new ransomware campaigns has been written and everyone is following it.

Insight #2 – Block and Tackle: Blocking a specific exploit kit or ransomware software will lead to short-term disruption of some campaigns but bad actors will find a different exploit kit or ransomware to weaponize and evolve into a new campaign.

For example, from January to June of 2016, Angler was the predominant exploit kit seen in reports submitted to the wider security community, until it was disrupted by the arrests of a criminal hacking gang in Russia. When the Angler exploit kit went down, cybercriminals began searching for a new go-to exploit kit, and in early September 2016 the RIG exploit kit became the predominant exploit kit among cybercriminals.

[Image (source: Paul Kurtz): visualization showing the connection between infrastructure and payload IoCs initially used with the Angler exploit kit, now being delivered by RIG EK.]

Insight #3 – Low-Effort, High-Efficacy: Malware usually requires additional steps to monetize a successful exploit. Whether it is pulling exfiltrated data from the first-level C2 or stolen passwords, the bad guys have to do the work of posting that information for sale after packaging the data in a specific size and/or format. On the other hand, ransomware is fire and forget. As soon as it hits a system, the payoff is instantaneous.

In previous malware models there was usually a way for the user to remove or mitigate the issue. If the user gets a keylogger, RAT, or rootkit on their system, there is almost always a way to remove the offending malware. Sometimes the steps to remove the malware are tedious, or special tools are needed, but there is a path to a solution. This is not the case with ransomware. Pretty much all ransomware utilizes asymmetric encryption, so the files cannot be recovered without the attacker’s private key, making reversal extremely difficult.

It’s Not Just You
Ransomware campaigns bar access to critical data but they can also be used to disrupt system operations. Recall the Hollywood Presbyterian ransomware attack just over a year ago. The attack disrupted emergency room operations and patients had to be diverted to other hospitals.

The trend of commoditized ransomware raises an even larger issue within the security community: companies need to stop assuming they are being singled out for attacks. The truth is, you’re not that special. In fact, according to our latest platform analysis, 65% of our threat reports correlate across companies regardless of sector.

There is absolutely no reason that, after one victim has been hit by a particular ransomware attack, others must fall victim to the same attack. What we’re seeing in the media and from our own platform data underscores the fact that commoditized ransomware campaigns will become increasingly opportunistic, and will not be as targeted.

As hacks continue to be replicated with more ease, the private sector must not fight alone. Exchanging threat intelligence to identify trending campaigns and provide context to mitigate against these campaigns is the only path forward.


Paul Kurtz is the CEO and cofounder of TruSTAR Technology. Prior to TruSTAR, Paul was the CISO and chief strategy officer for CyberPoint International LLC where he built the US government and international business verticals. Prior to CyberPoint, Paul was the managing partner …

Article source: http://www.darkreading.com/threat-intelligence/commodity-ransomware-is-here/a/d-id/1328578?_mc=RSS_DR_EDT

7 Ways Hackers Target Your Employees

One employee under reconnaissance by cyberattackers can put your whole business at risk. Where are they being targeted, and what should they know?

(Image: Bluebay via Shutterstock)


Cybercriminals are testing the strength of your organization’s defensive wall, looking for the one crack they need to launch their attacks. Oftentimes that flaw isn’t a “what,” but a “who.”

Employees only need to download a bad attachment, click a malicious link, or give attackers one piece of information they need to break in. Security is a business-wide responsibility.

“Companies need to realize if their employees are picking up the phone and answering emails, they are making security decisions every day that can affect the company,” says Michele Fincher, COO for Social-Engineer, Inc. “They don’t realize how many good decisions employees need to make to be secure.”

Addressing the importance of security during annual training sessions isn’t enough, says Fincher. “If you only talk about it once a year, you’re doing the staff a grave disservice.”

Social engineering attacks also make it harder to differentiate legitimate from malicious activity. In the past, cybercriminals needed more technical skills to launch attacks. These days, they can wreak havoc with social network browsing, phone calls, and emails. They can conduct surveillance without raising red flags.

As Social-Engineer, Inc. CEO Chris Hadnagy explains, “There’s no bar for entry for an attacker.”

Here are seven common strategies attackers use to target employees. Share these with your teams to inform them of today’s dangers and where hackers may be hiding.


Kelly is an associate editor for InformationWeek. She most recently reported on financial tech for Insurance Technology, before which she was a staff writer for InformationWeek and InformationWeek Education. When she’s not catching up on the latest in tech, Kelly enjoys …

Article source: http://www.darkreading.com/vulnerabilities---threats/7-ways-hackers-target-your-employees/d/d-id/1328580?_mc=RSS_DR_EDT

How to Crack Cybersecurity’s Glass Ceiling

Sage career advice to young women from the female CTO of a security startup: Get a pair of earplugs, and put them in when you hear words like ‘can’t’ or ‘don’t.’

Does the “glass ceiling” still exist? On the one hand, a woman was almost elected president of the United States, and government statistics show that women constitute about half the US high-tech workforce. On the other hand, US Census data shows that of the women in the workforce, more work at lower-paying jobs than at higher-paying ones. And when it comes to the cybersecurity industry, women represent quite a slim margin, just 11% of the world industry’s workforce, making me somewhat of a unique creature.

I’m the CTO of a cybersecurity startup called Secret Double Octopus (an odd name, but one people tend to remember), and it’s my job to oversee the company’s R&D operations and conduct the tech deep dive at client meetings. My immersion into a male-dominated environment dates back to my days as a soldier in the Israel Defense Forces, where I served as a sabotage and mines instructor.

My professional career in cybersecurity began as part of my academic research as a PhD student at Hebrew University, where I focused on anomaly detection for zero-day attacks, fast pattern matching for deep packet inspection and software-defined networks (SDN), and then continued as a postdoctoral researcher at Ben-Gurion University in Beer Sheba with Professor Shlomi Dolev. It was there that JVP, one of Israel’s leading venture capital firms, approached me because of my research and proposed practically applying my research, matching me with our CEO, Raz Rafaeli.

I wouldn’t say I’m a women’s rights activist by choice, but being in an executive position within the IT industry automatically makes me one, whether I like it or not. As a result, I’ve become a de facto spokesperson of sorts, advising young women professionals on how to make it in an industry where the glass ceiling is still pretty thick. My advice: Get a pair of earplugs, and put them in when you hear words like “can’t” or “don’t.” It worked for me.


Fortunately for me, the path of STEM has been clear to me since I was a little girl. Thankfully, I do not experience the “thick glass ceiling” on a daily basis within my own team, but intentional or not, the fact of the matter is that cybersecurity is indeed a male-dominated field and, although we do live in a heightened gender-aware generation, gender biases still exist.

There are numerous reasons for this lingering sexism. According to a 2015 National Bureau of Economic Research study, teacher (both male and female) gender biases turn girls off from studying STEM subjects. These biases “have an asymmetric effect by gender — positive effect on boys’ achievements and negative effect on girls. Such gender biases also impact students’ enrollment in advanced level math courses in high school — boys positively and girls negatively,” the study noted.

Others blame it on parents: According to the UK’s Institution of Engineering and Technology, only half as many parents had tech aspirations for their daughters as they had for their sons while only 1% saw engineering as a career path for their daughters. Still others blamed the “geeky environment” in tech, with “girls’ lower sense of belonging could be traced to lower feelings of fit with computer science stereotypes.”

All this may be true, but there is a way to fight it: Determination. If the glass ceiling for deep tech is still thick, the good news is that there is a lot more support for girls in school today than there was when I was a student. High schools, universities, and the business world are much more sensitive to the glass ceiling than ever, and there is a plethora of organizations and programs that help girls get involved in math, science, and tech. I know some people are uncomfortable with preferential programs of this type, but they exist for a reason — and when there is an employment imbalance as in cybersecurity, such programs are more than justified.

In the end, it’s about motivating yourself, believing in yourself. Don’t let others’ attitudes put you off from your goal. I know it sounds like a cliché, but it’s still true: You have to believe in yourself, and believe that you are just as good as men — and maybe better because we’re blessed with women’s intuition, and that’s one thing they will never have.


Shimrit Tzur-David is the chief technology officer and co-founder of Secret Double Octopus, the world’s only keyless multi-shield authentication technology that protects identity and data across cloud, mobile and IoT environments. Shimrit has over 10 years of research …

Article source: http://www.darkreading.com/careers-and-people/how-to-crack-cybersecuritys-glass-ceiling/a/d-id/1328581?_mc=RSS_DR_EDT

Open sesame – unless you complain about your ‘smart’ door opener

Who needs horror films? We have the IoT. Or, more precisely, the IoST: the Internet of Scary Things!

If it isn’t creepy dolls – those WiFi-enabled, microphone-sporting, speech-recognizing, eavesdropping, interactive mouthpieces to corporates – then it’s a thing-maker who bricks your IoT garage door opener if you dare to leave a crappy review.

Meet Denis Grisak. He’s the creator of Garadget, the garage door “futurizer”.

Did you not know that you could breathe life into your existing garage door? For $99, you get a box full of stuff.

Add your garage door, smartphone and WiFi network, and hey presto!

You’ll be able to control and monitor your garage doors “from anywhere, anytime” and receive alerts when you forget to close the garage, according to the Amazon listing. The Garadget system is equipped with laser sensors and works with your existing garage door opener.

Unless your username is R. Martin, that is. He’s one dissatisfied Garadget customer and the author of the one-star Amazon review titled “Junk – DO NOT WASTE YOUR MONEY – iPhone app is a piece of …”

That wasn’t the first time he complained about his experience. He had previously commented, on the Garadget community page, about his Garadget iPhone App not staying open and just flashing when he tried to launch it.

The unhappy customer, whose Garadget community user name is Rdmart7, must have been frustrated.

Just installed and attempting to register a door when the app started doing this. Have uninstalled and reinstalled iPhone app, powered phone off/on …

The father of the Garadget was not pleased. He had, after all, spent two years developing his IoT gadget. And thus did Martin come to feel the wrath of Grisak, who banished him from the Garadget kingdom, temporarily sending the cussing customer into the wilderness of unsmart things by turning off server support for the unit in question.

The banishment got picked up by a Twitter account that goes by the name of @internetofshit.

From there, it went viral, rising to the top of Hacker News and getting written up by a long, long list of publications, including Ars Technica, BBC News, Mashable, The Atlantic… and, now, us.

The one-star Amazon review was posted on April Fool’s Day. As of Tuesday, Grisak was shrugging off the hubbub and referring to it as an April Fool’s joke, reassuring everybody that Martin’s access had since been restored:

Ok, calm down everybody. Save your pitchforks and torches for your elected representatives. This only lacks the death threats now.

The firing of the customer was never about the Amazon review, just wanted to distance from the toxic individual ASAP. Admittedly not a slickest PR move on my part. Access restored, note taken.

A quote from a random guy.

PS: Anybody has Streisand’s phone number?

That “quote from a random guy” was that of Elon Musk, who has also gained infamy by throwing a tantrum over an annoying customer and refusing to sell him a car.

Is it a slow news day when IoT products glitch, and the makers lash out at customers who complain by bricking their systems? Is this real news that deserves consideration, beyond the novelty of anti-customer-service customer service?

Let’s consider that by asking this followup question: is our security threatened when IoT gadget-makers moodily turn off our service?

We already know that our lives could, theoretically, be put at risk when it comes to the security of code that runs our WiFi-enabled medical devices. In January, five months after the Food and Drug Administration and the Department of Homeland Security launched probes into claims that its pacemakers and cardiac monitoring technology were vulnerable to potentially life-threatening hacks, St Jude Medical issued security fixes.

And then too, there are those Jeeps that automotive cybersecurity researchers Charlie Miller and Chris Valasek keep driving into ditches out by the cornfields.

Would our lives ever be endangered by a grumpy developer who bricks our WiFi-enabled, garage-door-opening apps?

Maybe not. But it’s just one more reason to question the IoT, which has already been plagued by a lack of smarts when it comes to security.

If we’re going to have smart things manipulating our home security (and letting our neighbors walk right into our locked homes while they’re at it), administering our life-saving drugs (thank you, insulin pumps) and more, then we should expect the developers behind the gadgets to at least take a deep breath before they brick.

Here are seven tips from Sophos’s Chester Wisniewski on how we can better secure the IoT.

Here are seven tips for dealing with angry customers.

And here, posted on Wednesday night, is Garadget’s ultimate mea culpa:

We at Garadet [sic] would like to thank everyone for sharing their feedback regarding the denying of server access with a client that was not happy with our product. We would like to apologize to both the individual user and our broad user base for the manner in which this incident was handled.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/TE1jybdzZQ8/

Bill would block warrantless searches of Americans’ phones at borders

A bipartisan bill would force border agents to get warrants before “wasting their time thumbing through innocent Americans’ personal photos and other data”.

Those are the words of one of the bill’s backers, Oregon Democratic Senator Ron Wyden. His fellow backers of the Protecting Data at the Border Act are Kentucky Republican Senator Rand Paul, Colorado Democratic Representative Jared Polis, and Texas Republican Blake Farenthold.

The proposed law, introduced on Tuesday, would shut down the warrantless searches that agents are now doing at borders: the 100-mile zones around border crossings commonly referred to as “Constitution-free”.

Wyden referred to border zones as the place where data gets sucked into a black hole in his press release:

The bipartisan, bicameral bill shuts down a legal Bermuda Triangle that currently allows law enforcement agencies to search Americans’ phones and laptops – including pictures, email, and anything on the device and possibly the cloud – when they cross the border without suspicion or a warrant.

The bill, if enacted, would stop warrantless searches on Americans’ phones, but it wouldn’t do anything to protect foreigners’ devices. As such, it doesn’t do much to counteract the “extreme vetting” measures the Trump administration is currently mulling.

Namely, the government is considering demanding phone contacts, social media passwords, financial records, and details about ideology from foreigners entering the US.

As far as citizens’ rights go, we’ve already been through this, the legislation notes, citing a landmark, unanimous 2014 decision in Riley v. California (134 S.Ct. 2473) that recognized the “extraordinary privacy interests in electronic equipment like cell phones”.

Here’s Orin S. Kerr, a law professor at George Washington University, explaining that 2014 decision:

One rights group, the Center for Democracy and Technology, came out in favor of the Protecting Data at the Border Act on Tuesday.

Greg Nojeim, CDT director of the Freedom, Security, and Technology Project:

A search of your cell phone or social media account is a direct look behind the curtain that covers the most intimate aspects of your life. A border stop shouldn’t be an excuse for extreme surveillance such as downloading the entire contents of your phone. This bill would ensure that the government demonstrates a good reason for searches at the border, and that a judge agrees.

Wyden noted that he asked the Department of Homeland Security (DHS) in February to explain the legal authorization behind warrantless searches and to report on numbers of digital searches at the border, but he says nobody’s gotten back to him yet.

We do know, however, that warrantless device searches have spiked sharply in recent years.

NBC News apparently managed to get numbers out of DHS: it reports that searches of cellphones by border agents have grown fivefold, from fewer than 5,000 in 2015 to nearly 25,000 in 2016. This year’s numbers will dwarf those of past years: DHS officials say that 5,000 devices were searched in February alone, which is more than in all of 2015.

Beyond barring warrantless searches of Americans at the border, the bill would require that those Americans actually know their rights before they consent to giving up online account information.

As Kerr notes in that YouTube video commentary on Riley v. California, one of the exceptions to the 2014 ruling was that police could conduct warrantless searches if an individual agreed to let them do so.

Unfortunately, those individuals often don’t know that they have the right to refuse. As well, it’s tough to insist on your legal rights when you’re in a chokehold, as allegedly happened to New York-born US citizen Akram Shibly … or when you’re threatened with seizure and detention if you don’t comply, as allegedly happened with NASA engineer and natural-born citizen Sidd Bikkannavar.

The law would require that such people know their rights before they consent to give law enforcement access to their devices. It would limit their detention to four hours and would require that they be given written notice of their rights.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/-BebZcBq0GQ/

F-Secure gobbles up Zdziarski’s Little Flocker, sucks into antivirus kit

F-Secure has completely absorbed Little Flocker, the macOS security tool built by computer forensics boffin Jonathan Zdziarski.

Financial terms of the deal, announced Thursday, were undisclosed. Zdziarski just recently joined Apple on its security engineering team, so the handover of the paid-for software to F-Secure makes a lot of sense.

Little Flocker acts as a file system firewall: it basically intercepts file accesses by applications and processes, and asks the user if they are OK with that. This means folks can stop errant processes, ransomware, and other malware, from meddling with documents, executables, and system data. A whitelist can be built by the user for trusted apps so their file accesses usually get through.

The software – which runs at the kernel level and can also detect microphone and webcam snooping – will be built into F-Secure’s products, such as XFENCE, its Protection Service for Business, and F-Secure SAFE.

Right now, the Little Flocker website is down, and has been since just before the weekend, leaving punters wondering what was going on.

The software also cannot be updated if you’ve already bought and installed it. We’re told the tool will be available soon as a free beta as part of the XFENCE suite – so this looks like the end of the road for a standalone Little Flocker. You’ll have to install F-Secure’s gear to get hold of future versions, it appears.

F-Secure was not available for immediate comment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/06/fsecure_buys_mac_security_specialist/

‘Evidence of Chinese spying’ uncovered on eve of Trump-Xi summit

Evidence of Chinese cyber-espionage against the US has been uncovered on the eve of an important Sino-US presidential summit.

The “Scanbox” malware – used by nation-state threat actors associated with or sponsored by the Chinese government – has been discovered embedded on webpages on the US National Foreign Trade Council (NFTC) site, Fidelis Cybersecurity reports.

The possible cyber-espionage was found ahead of President Trump’s meeting with Chinese President Xi Jinping taking place on Thursday and Friday. Items on the agenda are likely to include North Korea, trade and the use of chemical weapons against civilians in Syria.

Fidelis researchers have also discovered a similar threat campaign was conducted involving a site masquerading as the Ministry of Foreign Affairs of Japan.

Hardik Modi, vice president, Threat at Fidelis Cybersecurity, comments: “The motive is most likely to be intelligence collection and although it’s impossible to determine specifically how this information will be used, it could empower the Chinese government to steer negotiations in its favour. While this is classic inter-government espionage, it should be noted that we observed it spilling into the private sector and that the same actors have been observed impacting private enterprise in the UK and Japan.

“The information accessed by the threat actors, coupled with targeted phishing campaigns, could be used to prepare the Chinese President for today’s discussions.”

The Operation TradeSecret campaign – even if it’s linked to China – is unlikely to violate the Obama-Xi Jinping no-hacking agreement of 2015. The 2015 agreement only covered hacking geared towards the theft of trade secrets rather than inter-government snooping, which has always been considered fair game. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/06/us_china_summit_suspected_espionage/

Teaching Hospitals at Greater Data Breach Risk

Johns Hopkins researcher studies data breaches at hospitals between 2009 and 2016.

Research on data breaches at hospitals has revealed that those with major teaching facilities and more beds were at greater breach risk, says a Johns Hopkins University report. Conducted by Ge Bai of the Johns Hopkins Carey Business School, the study examined the federal Department of Health and Human Services’ data breach statistics for health facilities between 2009 and 2016.

“It is very challenging for hospitals to eliminate data breaches, since data access and sharing are crucial to improve the quality of care and advance research and education,” explains Bai. “To understand the risk of data breaches is the first step to manage it,” she believes.

The study found that 15% of the affected hospitals were breached twice, and that across all the breaches the health information of millions of people was compromised. Six hospitals each exposed the data of over 60,000 people, while Illinois’ Advocate Health and Hospitals Corporation reported 4,031,767 people impacted by two breaches.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/attacks-breaches/teaching-hospitals-at-greater-data-breach-risk/d/d-id/1328576?_mc=RSS_DR_EDT

Pegasus For Android Spyware Just As Lethal As iOS Version

Researchers from Lookout, Google describe it as highly sophisticated tool for targeted surveillance purposes.

Last year when security firm Lookout and the University of Toronto’s Citizen Lab disclosed details of a particularly pernicious iOS spyware product called Pegasus, one unanswered question was whether an Android version of the software was available.

The answer, it turns out somewhat unsurprisingly, is a resounding ‘Yes.’

Lookout and Google this week released details of an Android version of Pegasus, which like the original appears to have been designed for highly targeted surveillance operations and lawful intercepts.

As with the iOS version, Pegasus for Android packs a boatload of nasty capabilities – including the ability to log keystrokes, capture screenshots and live audio, and read messages sent via apps like WhatsApp, Skype, and Facebook. It can also steal email from Android’s native email client and pilfer browser histories, text messages and contact details from infected devices.

One of the software’s more sinister features is its ability to use an infected device’s microphone and camera to spy on activities in the immediate vicinity.

Among the many features that make it one of the most lethal mobile endpoint threats ever is a self-destruct capability that causes the malware to obliterate itself under certain conditions.

For example, Lookout said the malware self-destructs if it lands on a device whose SIM reports an invalid Mobile Country Code (MCC), or on one where an “antidote” file exists. It likewise removes itself if it cannot reach a command-and-control server for 60 days, or if the server orders it to.
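The four self-destruct triggers above matter most to anyone analysing a sample: an environment that fails any one of them never shows the surveillance behaviour. The following model of that kill-switch logic is an added example, not Lookout’s or Google’s code and not the implant’s own. The 60-day timeout comes from the article; the accepted-MCC list, the antidote-file flag, the field names and the order in which the checks run are assumptions, since the page names neither the accepted country codes nor the antidote path.

```python
"""Kill-switch model for the Pegasus for Android self-destruct rules.

Added example, not Lookout's, Google's or NSO Group's code. Only the 60-day
command-and-control timeout comes from the article; everything else
(accepted MCCs, antidote flag, check order) is an assumption.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Set

C2_TIMEOUT = timedelta(days=60)  # stated in the article

# Assumption: accept the MCCs of the countries where infected devices surfaced
# (Israel 425, Georgia 282, Mexico 334, Turkey 286). A real sample ships its
# own list; this one exists only to exercise the check.
ACCEPTED_MCCS: Set[str] = {"425", "282", "334", "286"}


def parse_mcc(sim_operator: Optional[str]) -> Optional[str]:
    """Return the 3-digit MCC from a SIM operator string, or None if invalid.

    TelephonyManager.getSimOperator() yields MCC+MNC as digits: the MCC is
    always three digits and the MNC two or three, so only 5- or 6-digit
    strings are well formed. A device with no SIM yields an empty string.
    """
    if not sim_operator or not sim_operator.isdigit():
        return None
    if len(sim_operator) not in (5, 6):
        return None
    return sim_operator[:3]


@dataclass
class DeviceState:
    sim_operator: Optional[str]       # MCC+MNC; "" or None when no SIM
    antidote_file_present: bool       # path not given on the page; assumed flag
    install_date: date                # when the implant landed on the device
    last_c2_contact: Optional[date]   # None if C2 was never reached
    c2_kill_command: bool = False     # server ordered removal


def should_self_destruct(state: DeviceState, today: date,
                         accepted_mccs: Set[str] = ACCEPTED_MCCS) -> Optional[str]:
    """Return the reason the implant would remove itself, or None to stay resident."""
    mcc = parse_mcc(state.sim_operator)
    if mcc is None or mcc not in accepted_mccs:
        return "invalid MCC"
    if state.antidote_file_present:
        return "antidote file present"
    if state.c2_kill_command:
        return "kill command from C2"
    # With no contact ever, the 60-day clock is assumed to start at install.
    last_seen = state.last_c2_contact or state.install_date
    if today - last_seen > C2_TIMEOUT:
        return "no C2 contact for 60 days"
    return None


def run_scenarios(today: Optional[date] = None) -> Dict[str, Optional[str]]:
    """Evaluate constructed device states as of the article's date (2017-04-06)."""
    today = today or date(2017, 4, 6)
    scenarios = {
        # A stock emulator commonly reports operator 310260 (MCC 310, USA).
        "stock emulator (MCC 310)": DeviceState("310260", False, date(2017, 4, 1), None),
        "target, C2 alive": DeviceState("42501", False, date(2017, 1, 1), date(2017, 4, 1)),
        "target, C2 silent since install": DeviceState("42501", False, date(2017, 1, 1), None),
        "target, antidote dropped": DeviceState("42501", True, date(2017, 1, 1), date(2017, 4, 1)),
        "target, remote wipe": DeviceState("42501", False, date(2017, 1, 1), date(2017, 4, 1), True),
        "no SIM": DeviceState("", False, date(2017, 4, 1), None),
    }
    return {name: should_self_destruct(state, today) for name, state in scenarios.items()}


if __name__ == "__main__":
    for name, reason in run_scenarios().items():
        print(f"{name:35s} -> {reason or 'stays resident'}")
```

The practical reading of the scenarios is that a sandbox needs a SIM profile (or emulated operator) whose MCC the sample accepts, no antidote marker, and a reachable or simulated command-and-control endpoint; a default emulator with a US operator and no network would, under these assumptions, wipe the sample before it does anything observable.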

Pegasus for Android is another indication that mobile devices have become the surveillance tool of choice for nation state-level attackers in sophisticated, targeted attacks, says Kristy Edwards, director of security product management at Lookout. The iOS version of the spyware, for instance, was used to spy on human rights activists and journalists in at least two countries.

“Users should be aware that their mobile devices [could] be turned into a tool for espionage,” she says. “It’s extremely important to install security patches as they become available, be careful about clicking on links like those delivered in email, SMS, WhatsApp, Facebook messages or any messaging app.”

The malware’s author is NSO Group, the Israel-based maker of mobile surveillance software that also created the iOS version of Pegasus.

Google, which calls the threat Chrysaor, this week described it as malware that was used in targeted attacks against a small number of Android users.

In an alert, security researchers from Google said they found the malware installed on fewer than three dozen Android devices after Lookout warned the company about it last year.

A Google chart of the countries where the infected devices were discovered shows that Pegasus for Android has so far been used mostly to spy on individuals based in Israel. Other countries where infected devices surfaced include Georgia, Mexico, and Turkey. According to Google, all Android users are now protected against the threat.


One major difference between the iOS and Android versions of Pegasus is that the latter does not use any zero-day flaws to root the device. Pegasus for iOS exploited a trio of zero-day vulnerabilities, collectively dubbed “Trident”, to jailbreak iOS devices. Pegasus for Android instead relies on Framaroot, a known rooting tool that exploits already-public kernel vulnerabilities, to gain root; on a device where those bugs have been patched, that route is closed.

It’s unclear how exactly devices get infected. “We speculate that users are phished or social engineered and convinced to download a malicious APK without their knowledge,” says Edwards. “We saw this before with Pegasus for iOS and have seen it more recently in ViperRat and related attacks.”

According to Google, once Chrysaor is installed it can spy on all user activity on the device, and on the immediate vicinity through the microphone and camera and through logging and tracking applications. Chrysaor can even answer a phone call silently and stay connected in the background so that the caller hears conversations taking place nearby, then quickly reset everything back to normal if the user picks up the phone to interact with it, the Google researchers noted.

The software can escalate privileges on an infected device and break out of the application sandbox. Once it has elevated privileges it takes multiple measures to maintain persistence, for instance installing itself so as to survive a factory reset and disabling auto-updates.
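The defensive points in this article (Edwards’ advice to install patches promptly, the suspected sideloaded-APK infection vector, and the implant’s habit of disabling updates) map onto a few device settings an analyst can pull over adb. The script below is an added example, not Google’s or Lookout’s tooling: it parses the text printed by `adb shell getprop` and the values returned by `adb shell settings get <namespace> <key>`, collected beforehand, so it runs offline on the constructed samples embedded in it. The 90-day staleness threshold is an assumption, and `install_non_market_apps` is the global switch of Android 7 and earlier (Android 8 grants sideloading per app instead, which this check does not cover).

```python
"""Triage the Android exposure points this article raises from collected
`adb shell getprop` and `adb shell settings get` output.

Added example, not Google's or Lookout's tooling. Sample inputs are constructed;
the 90-day threshold is an assumption.
"""
import re
from datetime import date
from typing import Dict, List, Tuple

STALE_AFTER_DAYS = 90            # assumption: what counts as "not patched promptly"
ARTICLE_DATE = date(2017, 4, 6)  # reference point for the sample run

# Constructed sample in `adb shell getprop` format.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [6.0.1]
[ro.build.version.security_patch]: [2016-09-01]
[ro.product.model]: [Nexus 5]
"""

# Constructed sample: values of `adb shell settings get <namespace> <key>`.
SAMPLE_SETTINGS: Dict[Tuple[str, str], str] = {
    ("secure", "install_non_market_apps"): "1",   # unknown sources allowed
    ("global", "package_verifier_enable"): "0",   # app verification off
    ("global", "adb_enabled"): "1",               # USB debugging on
}

_PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text: str) -> Dict[str, str]:
    """Turn `[key]: [value]` lines into a dict; lines that do not match are skipped."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = _PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def triage(props: Dict[str, str], settings: Dict[Tuple[str, str], str],
           today: date) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []

    patch = props.get("ro.build.version.security_patch")
    if not patch:
        findings.append("no security patch level reported (build predates monthly patch levels)")
    else:
        try:
            age = (today - date.fromisoformat(patch)).days
        except ValueError:
            findings.append(f"unparseable security patch level {patch!r}")
        else:
            if age > STALE_AFTER_DAYS:
                findings.append(f"security patch level {patch} is {age} days old")

    if settings.get(("secure", "install_non_market_apps")) == "1":
        findings.append("sideloading from unknown sources enabled (install_non_market_apps=1)")
    if settings.get(("global", "package_verifier_enable")) == "0":
        findings.append("app verification disabled (package_verifier_enable=0)")
    if settings.get(("global", "adb_enabled")) == "1":
        findings.append("USB debugging enabled (adb_enabled=1)")
    return findings


def triage_sample() -> List[str]:
    """Run the triage over the constructed samples as of the article's date."""
    return triage(parse_getprop(SAMPLE_GETPROP), SAMPLE_SETTINGS, ARTICLE_DATE)


if __name__ == "__main__":
    for finding in triage_sample():
        print("-", finding)
```

On a real device the two inputs are produced with `adb shell getprop` and one `adb shell settings get <namespace> <key>` call per key; the script deliberately does not shell out itself, so it can be run on output captured from a device that is no longer attached.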


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/mobile/pegasus-for-android-spyware-just-as-lethal-as-ios-version/d/d-id/1328574?_mc=RSS_DR_EDT