STE WILLIAMS

Malware devs offer $100 a pop for ‘active’ Google Play accounts

Virus writers are paying top dollar for access to “active” Google Play accounts to help them spread mobile malware across the Android ecosystem.

Google charges $25 to Android developers who wish to sell their wares through the Google Play marketplace but a denizen of an underground cybercrime forum is offering to purchase these accounts for $100 apiece, a 300 per cent mark-up.


The miscreant is offering “$100 for sellers willing to part with an active, verified Play account that is tied to a dedicated server”. A developer account lets a crook publish malware dressed up as a legitimate app on the official store, lending the Trojanised package the credibility of a Google Play download before it is pushed at prospective marks.

The same wheeler-dealer is also selling an Android mobile malware creation toolkit that targets banking customers of Citibank, HSBC, ING and many other banks in multiple countries, reports investigative journalist turned security blogger Brian Krebs.

The Perkele (a Finnish curse word for “devil” or “damn”) malware sold by the trickster is designed to intercept incoming SMS messages from banks sent to infected Android phones. Perkele is designed to work in tandem with malware on compromised PCs. When a surfer visits a banking site from an infected PC, content injected into the page by the PC malware prompts them to supply their mobile number and install a “special security certificate” on their phone.

Links to a website hosting mobile malware are then sent to this phone number in the hopes of tricking victims into installing the mobile component of Perkele onto their Android smartphones.

As Krebs explains (screenshot here), this approach to mobile banking malware is fairly rudimentary and doesn’t bear comparison with the most advanced mobile malware, but it scores in terms of flexibility and apparent effectiveness. Perkele is designed to work alongside any malware family that supports web injects. The hawker of the cybercrime tool has been endorsed by several forum buyers.

Denizens of the underground marketplace can purchase a custom application that targets one specific financial institution for $1,000, or a complete mobile malware creation toolkit for $15,000.

The market for hijacked or fraudulent developer accounts on Google Play is part of the reason, among many others, that Android malware is a growing problem. By contrast, Apple’s much tighter control of its marketplace has meant that mobile malware on iOS has been almost non-existent right from the off and going back seven years. The record is only spoiled by extremely isolated examples such as the “Duh” or Ikee-B worm, which only affected users of jailbroken iPhones and formed the key part of a banking scam back in 2009.

Meanwhile, according to figures from Kaspersky Lab, by the end of 2012 more than 43,000 malicious programs were targeting Android devices. More than 99 per cent of new threats discovered by the Russian security firm last year targeted Android-based smartphones and tablets, with less than one per cent aimed at devices running Symbian, BlackBerry OS or the mobile version of Java (J2ME).

The most widespread Android threats can be divided into three major groups: SMS Trojans, which steal money by sending premium texts; adware; and exploits to gain root access that allow criminals to enter the device and extract any data stored on it. Most of the small number of nasties targeting Symbian and BlackBerry smartphones specifically target victims’ bank accounts, according to Kaspersky Lab. ®
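One way to triage an APK for the SMS interception that Perkele relies on, and for the premium-SMS sending that the SMS Trojans above depend on, is to inspect its manifest. The script below is an added example written for this page; it is not code from the article, from Krebs or from any vendor. It assumes the AndroidManifest.xml has already been decoded to plain XML (a real APK stores it as binary XML, which a tool such as apktool can decode), and the two manifests embedded in it are constructed for illustration. The priority threshold is a heuristic, not an Android constant.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",   # needed to read incoming bank mTANs
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",      # needed to send premium-rate texts
}
# Heuristic: a receiver that outranks the stock messaging app and calls abortBroadcast()
# can swallow an incoming SMS before the user sees it. Legitimate apps rarely need this.
PRIORITY_THRESHOLD = 999


def _attr(el, name):
    """Read an android:-namespaced attribute from an element."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def _to_int(value):
    """apktool may emit priorities as decimal or as 0x-prefixed hex."""
    try:
        return int(value, 0)
    except ValueError:
        return int(value)


def sms_indicators(manifest_xml: str) -> dict:
    """Flag the manifest-level traits of an SMS-intercepting or premium-SMS app."""
    root = ET.fromstring(manifest_xml)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    receivers = []
    for rcv in root.iter("receiver"):
        for filt in rcv.findall("intent-filter"):
            actions = {_attr(a, "name") for a in filt.findall("action")}
            priority = _to_int(_attr(filt, "priority") or "0")
            if SMS_RECEIVED_ACTION in actions and priority > PRIORITY_THRESHOLD:
                receivers.append((_attr(rcv, "name"), priority))
    return {
        "sms_permissions": sorted(perms & SMS_PERMISSIONS),
        "high_priority_sms_receivers": receivers,
        "intercepts_sms": bool(receivers) and "android.permission.RECEIVE_SMS" in perms,
        "can_send_sms": "android.permission.SEND_SMS" in perms,
    }


# Constructed sample: the manifest a Perkele-style "security certificate" app might carry.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.certinstaller">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Security Certificate">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign sample for comparison: network access only, no SMS involvement.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>"""

if __name__ == "__main__":
    print(sms_indicators(SAMPLE_MANIFEST))
    print(sms_indicators(BENIGN_MANIFEST))
```

The combination that matters is RECEIVE_SMS plus a maximum-priority receiver for SMS_RECEIVED: either alone has legitimate uses, but together in an app calling itself a “security certificate” they are the signature of an mTAN stealer. Treat the output as a triage signal to be confirmed by looking at the receiver’s code, not as a verdict.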

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/08/google_play_malfeasence/

Microsoft preps UPDATE ALL THE THINGS security patch batch

Microsoft plans to issue seven security bulletins for its products next week – four critical and three important – in the March edition of its regular Patch Tuesday software update cycle.

The most troublesome of the critical vulnerabilities carries a remote code execution risk and affects every version of Windows – from XP SP3 up to Windows 8 and Windows RT as well as all versions of Internet Explorer.


A second critical update addresses vulnerabilities in Microsoft Silverlight on both Windows and Mac OS X. Silverlight is widely used as an alternative to Flash, in particular to run media applications such as Netflix.

Third on the critical list is a vulnerability in Visio and the Microsoft Office Filter Pack.

The final critical update covers a privilege elevation flaw in SharePoint, Microsoft’s portal and content management enterprise server software.

The practical upshot is that every supported version of Windows, some Office components and many consumer Mac OS X installations will need updating to close a myriad of security flaws.

The “important” bulletins cover an update to Microsoft Office for Mac 2008 and 2011 as well as an elevation of privilege security bug in Windows that affects XP SP3 up to Windows 8.

Last, and probably least, comes an “important” update for OneNote, Microsoft’s note-taking software. Microsoft’s pre-release advisory is here.

In related news, the ZDI’s Pwn2Own competition at CanSecWest security conference in Vancouver led to the discovery of all manner of new vulnerabilities in browser platforms (IE, Chrome and Firefox), Java and Adobe apps. This is likely to produce plenty of patching action over upcoming weeks, especially if past form is any guide.

Commentary on all this and more can be found in a blog post by Wolfgang Kandek, CTO of Qualys, here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/08/ms_patch_tuesday_pre_alert/

Pwn2Own crackers win half a million bucks at CanSecWest

It’s back to the drawing board for coders at Microsoft, Google, Adobe, Mozilla, and Oracle after entrants in the annual Pwn2Own contest waltzed off with over half a million dollars in prizes for subverting popular software.

At this year’s CanSecWest security conference in Vancouver, contestants had a choice of two hacking contests; the traditional Pwn2Own trial against Internet Explorer 10, Firefox, Chrome, Java, and Adobe’s Reader and Flash, plus Google’s own Pwnium contest – which this time focused on cracking the Chrome OS.


HP provided most of the sponsorship for Pwn2Own this year, and Brian Gorenc, head of its DVLabs team, told The Register that the company had paid out $480,000 in cash to the crackers, along with laptops and subscriptions, which brings the total prize pot to over half a million dollars.

“It’s a really good investment,” he explained. “It puts us on the cutting edge of security research and we get to see the latest and greatest attack techniques, which we can then feed into our other security products,” Gorenc said.

In the first day of cracking on Wednesday IE10, Firefox, Chrome, and Java all fell prey to the skill of the security researchers, and on Thursday Flash, Adobe Reader, and IE10 on the Surface Pro all got successfully pwned (despite some frantic last-minute patching) – with some of the hacks beating expectations at what was possible.

“VUPEN Security’s crack on IE 10 running on Surface Pro was an eye-opener,” Gorenc said. “The vulnerability was so elegant it didn’t even crash the browser. They launched the process from outside the sandbox so the user wouldn’t even know if they had been hacked.”

Meanwhile, two researchers from MWR Labs managed to subvert Google’s Chrome browser so completely that they compromised the entire target system it was installed on, which Gorenc praised as “highly skilled”.

But there will still be a lot of smiles down at the Chocolate Factory after Google appears to have come to the end of its Pwnium challenge against Chrome OS without having to pay a penny from the $3.14159m prize pot that it put up for grabs.

“Pwnium 3 has completed and we did not receive any winning entries. We are evaluating some work that may qualify as partial credit,” Google told El Reg in an emailed statement. “Working with the security community is one of the best ways we know to keep our users safe, so we’re grateful to the researchers who take the time to help us in these efforts.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/08/pwn2own_contest_cansecwest/

USA is the best country in the WORLD… for sending spam

The US has reclaimed its position as the world’s leading spam-relaying country, but you’d be wasting your time looking for junkmail crimelords…

In the last three months, almost one-fifth (18.3 per cent) of all global spam has been pushed through computers in the US, according to figures from anti-virus firm Sophos.


However, the list illustrates the location of abused computers (almost always Trojan-infected zombie drones) pwned by spammers rather than the location of current spam kingpins. The latest figures suggest that the hackers who harvested compromised computers for spammers are reaping a bumper harvest in the Land of the Free, suggesting that the security of American computers needs to be improved.

In the latter half of 2012, India had been leading the way as a conduit for junk mail but it recently fell back to third place, relaying an estimated 4.2 per cent of spam between December 2012 and February 2013.

The Dirty Dozen, in order, are:

  • 1. USA – 18.3 per cent
  • 2. China – 8.2 per cent
  • 3. India – 4.2 per cent
  • 4. Peru – 4.0 per cent
  • 5= France – 3.4 per cent
  • 5= South Korea – 3.4 per cent
  • 5= Italy – 3.4 per cent
  • 8= Taiwan – 2.9 per cent
  • 8= Russia – 2.9 per cent
  • 10. Spain – 2.8 per cent
  • 11. Germany – 2.7 per cent
  • 12. Iran – 2.6 per cent
  • Other – 41.1 per cent

China leapfrogged the likes of Russia and South Korea to rise to second place in the chart (8.2 per cent of spam), after a spell in the lower half of Sophos’s “Dirty Dozen” of top spam relayers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/07/spam_relay_chart/

Malware-flingers can pwn your mobile with OVER-THE-AIR updates

Vulnerabilities in the baseband processors of a wide range of mobile phones may allow attackers to inject malicious code, monitor calls, and extract confidential data stored on the device, according to recent research from mobile security experts. However, according to El Reg‘s mobile correspondent, Bill Ray, this would be extremely difficult to pull off.

A three-year research project by GSMK CryptoPhone has discovered that certain baseband processors – AKA phone modems – in smartphones can be manipulated by over-the-air updates without requiring any physical access to the victim’s phone.


Compromised phones can then be used to record conversations or gain access to sensitive data. It would also be possible to monitor content being accessed through pwned smartphones.

GSMK CryptoPhone’s research into mobile phone security was sponsored by the German Federal Ministry of Research. It found flaws in baseband processors from Qualcomm and Infineon that might be used to cause crashes, freeze applications, zap data from phones or – in the most extreme cases – push malicious code to the handset over the air interface.

GSMK CryptoPhone has reported its findings to Qualcomm and Infineon and is holding back on publishing details of the most serious of the security bugs it has unearthed, to give the manufacturers an opportunity to patch at least the most pressing vulnerabilities.

Baseband processors are the radio modems that handle a phone’s real-time cellular communications (the 2G and 3G protocol stacks the researchers fuzzed); Wi-Fi and Bluetooth links are usually handled by separate radio chips. The baseband stack in a smartphone is, effectively, an entirely separate computing device with its own processor, memory and storage, and is as vulnerable as any other embedded system.

According to ARM, a modern smartphone will contain somewhere between eight and 14 ARM processors, one of which will be the application processor (running Android or iOS or whatever), while another will be the processor for the baseband stack.

El Reg mobile man: It wouldn’t be a trivial feat

Baseband flaws have turned up before, but the operating systems used are pretty old and thus fairly robust. El Reg mobile correspondent Bill Ray said he’d not heard of anyone successfully taking control of a baseband processor to install malware but added the caveat that such an attack is at least theoretically possible. “Getting from there into data stored on the phone would also not be trivial, so applicable only to specific models of handset and requiring a lot of effort,” Ray said.

Bjoern Rupp, chief exec of GSMK CryptoPhone, explained: “While the attack is indeed not trivial, we have implemented a demonstrable exploit in the form of test malware which we successfully injected over the air interface, realising a very compact, minimally invasive attack which was optimised for minimal code payload in order to test our defence concept under realistic conditions.”

Rupp said GSMK CryptoPhone had unearthed the flaws by fuzzing the 2G and 3G air interfaces of phones, attacking bugs in the baseband firmware rather than in the mobile OS running on the main CPU of a smartphone or feature phone. Tests by GSMK CryptoPhone suggest that 80 per cent of smartphones and feature phones are potentially vulnerable to attacks against these components, which operate more or less independently of the operating system run by the handset.

“We tested various attacks against products made by Apple (iPhone/iPad), HTC, Motorola and Nokia,” Rupp explained. “We have been able to compromise entire product ranges using the same baseband processor family. The consequences of the vulnerabilities that we identified range from attacker-induced crashes to infinite loops, remote ‘freezing’ and ‘zapping’ of mobile devices, and last but not least of course the ‘royal league’ of attacks, remote code execution via the air interface.”

GSMK CryptoPhone said that code execution on the baseband processor can be a springboard for attacks on a phone’s main CPU.

“Access from the main CPU (and OS) to the baseband processor is typically only via a serial port that accepts AT commands, even though there are various methods to start code on the baseband processor from the main CPU (one example is a known bug in the AT+XAPP command),” Rupp explained.

Attacking the main CPU of a mobile from the baseband processor can be compared to attacking the CPU of a PC through its graphics processor: in both cases a separate processor with its own firmware has access to memory the main operating system trusts.

“Just like on PCs, modern (smart)phone designs are based on a shared memory architecture,” Rupp told El Reg. “In other words, the baseband processor and the application processor share the same physical memory to communicate with each other. Even though there are various protection techniques like DEP (Data Execution Prevention) in place that should in principle prevent that, memory pages which contain executable code can be written to.

“All the techniques found on currently shipping baseband processors that we have looked into have issues or are only partially implemented. Once you have gained initial data access to the baseband processor beyond the strict limits of the 2G/3G protocols (eg, via a buffer overflow attack), it is possible to write data in these memory areas, and get [injected code] executed by the processor later on.”

Rupp said that mobile attacks against baseband processors are technically difficult but possible. “Advanced but well-established attack techniques that allow you to circumvent privilege separation and thus execute privileged processor operations without having to coordinate that with the operating system. By manipulating memory mapping of the target system, you can also gain many insights into what else you can do,” Rupp said.
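To make concrete the two things Rupp describes above, fuzzing the 2G/3G air interface and a length-trusting copy into a fixed buffer that ends in a buffer overflow, here is an added example written for this page. It is not GSMK’s code and models no real baseband firmware. It parses type-length-value (TLV) information elements, the shape used throughout GSM layer-3 signalling, in Python rather than C so that the overflow can be observed without corrupting memory: the “unchecked” parser’s fixed 32-byte buffer is a bytearray that simply grows when the on-air length byte exceeds it, whereas the hardened parser validates every length against both the bytes remaining in the message and the buffer. The buffer size, the seed message and the hostile message are constructed assumptions; the tags carry no GSM meaning.

```python
import random

IE_BUF_SIZE = 32   # assumed size of the fixed value buffer in a hypothetical baseband firmware


def parse_ies_unchecked(msg: bytes) -> list:
    """Model of the unsafe pattern: trust the on-air length byte and copy that many
    bytes into a fixed-size buffer. A bytearray grows instead of corrupting adjacent
    memory, so an overflow is visible as len(buf) > IE_BUF_SIZE in the returned tuple."""
    ies, i = [], 0
    while i + 2 <= len(msg):
        tag, length = msg[i], msg[i + 1]
        buf = bytearray(IE_BUF_SIZE)
        buf[0:length] = msg[i + 2:i + 2 + length]   # no check: length may exceed the buffer
        ies.append((tag, bytes(buf), len(buf) > IE_BUF_SIZE))
        i += 2 + length
    return ies


def parse_ies_checked(msg: bytes) -> list:
    """Hardened parser: every length is validated against the destination buffer and
    against the bytes actually remaining in the message before any copy. Malformed
    input is rejected with ValueError and nothing else can escape."""
    ies, i = [], 0
    while i < len(msg):
        if i + 2 > len(msg):
            raise ValueError("truncated IE header at offset %d" % i)
        tag, length = msg[i], msg[i + 1]
        if length > IE_BUF_SIZE:
            raise ValueError("IE 0x%02x: length %d exceeds buffer of %d" % (tag, length, IE_BUF_SIZE))
        if i + 2 + length > len(msg):
            raise ValueError("IE 0x%02x: length %d overruns message" % (tag, length))
        ies.append((tag, msg[i + 2:i + 2 + length]))
        i += 2 + length
    return ies


def mutate(msg: bytes, rng: random.Random) -> bytes:
    """Apply one to four random mutations: overwrite a byte, append random bytes,
    or truncate. Crude, but it is the kind of input a protocol fuzzer produces."""
    m = bytearray(msg)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(3)
        if op == 0 and m:
            m[rng.randrange(len(m))] = rng.randrange(256)
        elif op == 1:
            m += bytes(rng.randrange(256) for _ in range(rng.randint(1, 63)))
        else:
            del m[rng.randrange(len(m) + 1):]
    return bytes(m)


def fuzz(seed_msg: bytes, iterations: int = 2000, seed: int = 1) -> dict:
    """Run both parsers over mutated messages. The unchecked model counts how often
    the length byte would have written past the buffer; the checked parser must only
    ever accept the input or raise ValueError."""
    rng = random.Random(seed)
    stats = {"unchecked_overflows": 0, "checked_accepted": 0, "checked_rejected": 0}
    for _ in range(iterations):
        m = mutate(seed_msg, rng)
        if any(overflowed for _, _, overflowed in parse_ies_unchecked(m)):
            stats["unchecked_overflows"] += 1
        try:
            parse_ies_checked(m)
            stats["checked_accepted"] += 1
        except ValueError:
            stats["checked_rejected"] += 1
    return stats


# Constructed seed: two well-formed IEs (tag, length, value). The tags are arbitrary.
SEED_MSG = bytes([0x17, 0x03, 0x01, 0x02, 0x03, 0x2C, 0x02, 0xAA, 0xBB])
# Constructed hostile IE: length byte 40 with 40 bytes behind it, larger than the buffer.
OVERSIZED_MSG = bytes([0x17, 40]) + b"A" * 40

if __name__ == "__main__":
    print(parse_ies_checked(SEED_MSG))
    print(parse_ies_unchecked(OVERSIZED_MSG)[0][2])   # the model buffer overflowed
    print(fuzz(SEED_MSG))
```

In a real baseband the unchecked copy is a memcpy in C and the overrun lands in whatever follows the buffer, which is how an over-the-air message becomes code execution. The hardened version shows the two checks that have to precede every copy; the fuzz loop shows why a parser that can only accept or cleanly reject is the property to aim for, and the checked parser is exercised on thousands of mutated messages without any exception other than ValueError escaping.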


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/07/baseband_processor_mobile_hack_threat/

LinkedIn password hack sueball kicked to the kerb by judge

A class-action lawsuit launched against LinkedIn after hackers leaked the website’s user passwords has been dismissed before reaching trial.

Northern California US District Judge Edward Davila ruled that two premium-account holders had been unable to demonstrate they suffered any actual harm as a result of the 2012 hack, which resulted in the online exposure of 6.5 million password hashes.


LinkedIn stored these credentials as unsalted hashes generated with the fast and ageing SHA-1 algorithm. A salt, for the uninitiated, is a random per-user value mixed into the password before hashing. It does not stop a determined attacker cracking any one hash, but it defeats precomputed lookup tables and forces each leaked hash to be attacked separately; a deliberately slow hash such as bcrypt or PBKDF2 then makes every guess expensive. The website’s engineers did neither.

Katie Szpyrka of Illinois and Khalilah Wright of Virginia sued within days of the breach becoming public knowledge in June 2012, alleging that LinkedIn failed to stick by a promise on security outlined in its privacy policy.

The duo sought compensation for an alleged breach of contract, claiming in part that they would not have paid to upgrade to a premium account if they had known that the social network didn’t offer industry-recommended security even to its paying customers.

However, Judge Davila said premium users were paying for extra networking tools and website features rather than tighter security.

Szpyrka and Wright also admitted that they had not read LinkedIn’s privacy policy prior to the hack, another factor that counted against them, according to Threatpost.

The privacy policy at the time made a promise that “LinkedIn is password-protected, and sensitive data (such as credit-card information) is protected by SSL encryption” and stated that the social network audits its system for vulnerabilities. The policy also declared that “all information that you provide will be protected with industry-standard protocols and technology” which could be taken to refer to how LinkedIn itself stored and protected passwords, among other things. The policy went on to warn that security breaches were a potential problem for any online business.

Judge Davila tossed out the case after ruling that the exposure of Wright’s password didn’t necessarily place her at greater risk of identity theft.

It was feared miscreants would crack the unsalted password hashes, discover the original passwords and use them to unlock accounts on other websites as too many folks reuse the same login credentials across the web for convenience.
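The cracking that was feared, and the difference a salt and a slow hash would have made, can be shown on a toy scale. The following is an added example written for this page, not LinkedIn’s code and not its data: the wordlist, the three users and the salts are constructed. It contrasts a bare SHA-1 store, where one precomputed table cracks every leaked hash at the cost of one pass over the wordlist, with a salted store, where the same table finds nothing and each record costs its own pass, and finishes with a PBKDF2 record of the kind a site should keep instead.

```python
import hashlib
import hmac
import os

# Constructed wordlist and users; nothing here is LinkedIn's data.
WORDLIST = ["password", "linkedin", "123456", "letmein", "correct horse"]
USERS = {"alice": "password", "bob": "letmein", "carol": "linkedin"}


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def store_unsalted(password: str) -> str:
    """What the breached site did: a bare, fast SHA-1 of the password."""
    return sha1_hex(password.encode())


def store_salted(password: str, salt: bytes = None) -> str:
    """Per-user random salt prepended to the password before hashing; stored as salt$hash."""
    salt = os.urandom(16) if salt is None else salt
    return salt.hex() + "$" + sha1_hex(salt + password.encode())


def store_pbkdf2(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Salted and deliberately slow: each guess costs the attacker `iterations` HMACs."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_pbkdf2(password: str, stored: str) -> bool:
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


def crack_unsalted(hashes: list, wordlist: list) -> tuple:
    """One precomputed table serves every leaked hash at once.
    Returns ({hash: password}, number of hash computations)."""
    table = {store_unsalted(w): w for w in wordlist}
    return {h: table[h] for h in hashes if h in table}, len(wordlist)


def table_hits(salted_records: list, wordlist: list) -> dict:
    """The same precomputed table tried against the hash half of salted records: it finds nothing."""
    table = {store_unsalted(w): w for w in wordlist}
    return {rec: table[rec.split("$")[1]] for rec in salted_records if rec.split("$")[1] in table}


def crack_salted(salted_records: list, wordlist: list) -> tuple:
    """With a salt each record costs its own pass over the wordlist.
    Returns ({record: password}, number of hash computations)."""
    cracked, work = {}, 0
    for rec in salted_records:
        salt_hex, h = rec.split("$")
        for word in wordlist:
            work += 1
            if sha1_hex(bytes.fromhex(salt_hex) + word.encode()) == h:
                cracked[rec] = word
                break
    return cracked, work


if __name__ == "__main__":
    unsalted = [store_unsalted(p) for p in USERS.values()]
    print(crack_unsalted(unsalted, WORDLIST))
    salted = [store_salted(p) for p in USERS.values()]
    print(table_hits(salted, WORDLIST), crack_salted(salted, WORDLIST)[1])
    print(verify_pbkdf2("correct horse", store_pbkdf2("correct horse")))
```

With three users the salted store costs seven hash computations instead of five; with 6.5 million records and a wordlist of millions of candidates the multiplication is what turns a one-off table lookup into per-account work. Salting alone leaves the per-guess cost at one SHA-1, which GPUs compute by the billion per second, so a slow, iterated construction such as the PBKDF2 record above is the other half of the fix.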

But the breach didn’t result in any financial harm or injury to Wright, according to the judge:

Wright merely alleges that her LinkedIn password was “publicly posted on the Internet on June 6, 2012”. In doing so, Wright fails to show how this amounts to a legally cognizable injury, such as, for example, identity theft or theft of her personally identifiable information.

Judge Davila’s ruling can be found here [PDF]. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/07/linkedin_password_breach_lawsuit_dismissed/

Oz Senator says Google Glass could ‘end privacy as we know it’

Australian Senator Cory Bernardi has declared Google Glass might just be the end of privacy as we know it, because Google could use the device to enable mass surveillance.

Bernardi is a Liberal Senator for South Australia. Australia’s Liberals are the nation’s dominant right wing party and claim kinship with the UK’s Conservative Party and the USA’s Republicans.


Bernardi is on his party’s right wing, probably its extreme end. How extreme? In 2012 he was demoted for suggesting polygamy and even bestiality could be the consequences of legalising gay marriage.

If you doubt us, head to page 7245 of Hansard (PDF) from September 18th, 2012, when Bernardi said the following:

“If we are prepared to redefine marriage so that it suits the latest criterion that two people who love each other should be able to get married irrespective of their gender and/or if they are in a sexual relationship, then what is the next step? The next step, quite frankly, is having three people or four people that love each other being able to enter into a permanent union endorsed by society—or any other type of relationship.”

He then went on to utter these words:

“There are even some creepy people out there—and I say ‘creepy’ deliberately—who are unfortunately afforded a great deal more respect than I believe they deserve. These creepy people say it is okay to have consensual sexual relations between humans and animals. Will that be a future step? In the future will we say, ‘These two creatures love each other and maybe they should be able to be joined in a union.'”

Bernardi’s latest thought bubble emerged on his blog, which he uses as an unashamedly populist forum to attract supporters to his far-right (by Australian standards) policies.

Titled “Big Brother is Closer Than You Think”, the post suggests Google Glass could become an instrument of surveillance, with Google taking on the role of Big Brother.

Bernardi’s logic on Google Glass, which he refers to as “GG”, is as follows:

“GG comes with the ability to record video and audio of everything that happens throughout your day. No longer is there a need to grab an iPhone and click to capture the moment. GG can do it all day, every day, automatically. That might be fine if you are the user but what if you are an unwitting victim of such recording?

A single GG wearer in your favourite restaurant could capture your image and your conversation without you ever knowing. The footage would be stored on the Google servers, your voice could be translated into text and with the use of facial recognition, could be actually matched to your Google profile. You might even find it on a social media site somewhere for millions of others to see.

It could mean the end of privacy as we know it.”

Bernardi’s final sentence says Google Glass is “… one reason we should question whether some of the great advancements in technology are designed to serve us or serve the interests of others.”

He’s far from the only one to ask that question when it comes to Google, which might just redeem some of the above, and previous Australian technology policies like the proposed national internet filter.

If only he hadn’t also said that stuff about animals, he might even be taken seriously. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/07/cory_bernardi_google_glass_end_of_privacy/

Japanese password protector floods screen with hoax cursors

Japanese boffins have demonstrated a rather nifty way of preventing online password theft by screen capture and shoulder surfing – flood the screen with a barrage of dummy cursors.

Researchers at the government-backed Japan Science and Technology (JST) Agency showed off the rather unusual approach to preventing fraud to local tech vid site DigInfoTV.


The technique works by camouflaging the user’s cursor so anyone looking over their shoulder or remotely taking screen grabs of the page will not be able to detect which keys on the software keyboard are being chosen.

The dummy cursors are designed to move in a random fashion across the screen to make it even more difficult to spot the real one, although apparently they need to number around 20 before detection rates drop to low enough levels.

“At first sight, it looks as if the user, too, will get confused which cursor is real,” said Keita Watanabe of the JST’s Igarashi Design Interface Project.

“But when you try this system, it’s surprisingly easy to understand which one is your cursor. Observers though, don’t know which cursor you’re using.”

The project, part of the JST’s long running research program Exploratory Research for Advanced Technology (ERATO), has also been working on designs for circular software keyboards to fool password peepers.

The SymmetricCursors system also uses dummy cursors to hide the movement of the real one, but with each moving at the same speed around a clock-face keyboard it becomes even more difficult to obtain the user’s PIN.

The researchers will be looking to spin out other security applications based on this technology but first need to “find out more about how people recognise their cursor”, by studying eye-tracker and functional magnetic resonance imaging (fMRI) tests, Watanabe claimed. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/07/japan_dummy_cursor_password_protector/

Bank whips out palm-recognition kit

Italian banking group UniCredit has developed a commercial biometric payment system based on Fujitsu PalmSecure palm vein reader technology.

UniCredit selected palm vein reader technology instead of more widely touted biometric technologies, such as fingerprint readers and retina scanners, to underpin a prototype mobile payment mechanism, dubbed Papillon. Fujitsu provided a sensor which captures the payer’s unique vein pattern data as well as software development technology that allowed UniCredit to independently develop its bespoke Papillon application.


Japan’s Ogaki Kyoritsu Bank began offering its customers the option of using ATM services without the need for a cash card or passbook using the same type of palm-scanning biometric technology from Fujitsu last year.

Fujitsu reckons the tech has applications across a range of industries including aviation (as a potential replacement for boarding cards), entertainment (access control for gyms) and potentially anti-theft features in cars, as well as banking. The IT giant used the opening of the CeBIT trade fair in Hanover, Germany on Tuesday to announce the general availability of authentication products based on its PalmSecure technology.

Dr Joseph Reger, chief technology officer at Fujitsu Technology Solutions, commented: “PalmSecure is a proof point of Fujitsu’s increasing focus on end-to-end technology solutions designed to solve real-world problems, and is already tried, tested and proven to combat identity fraud.”

Fujitsu PalmSecure involves a contactless scan of the palm vein pattern of a user’s hand to confirm their identity. The pattern of oxygen-depleted veins in the palm of the hand can be used to develop biometrics that have a false acceptance rate of less than 0.00008 per cent and a false rejection rate of only 0.01 per cent, according to research by Fujitsu. The figures suggest that the system would mistake someone’s vein pattern for that of another enrolled person in only one in 1.25 million cases, and fail to match the vein print of a user with his or her previously recorded characteristics in only one in 10,000 cases, according to Fujitsu.

Palm vein reader technology is both reliable and virtually impossible to forge, according to Fujitsu. Users can be authenticated in seconds, simply by holding their hand over a sensor.

Live palms – dismembered hands won’t do

The PalmSecure Palm Vein Unit emits near-infrared rays that are absorbed by deoxidised haemoglobin present in blood flowing through the veins of the user’s palm. A proprietary algorithm takes this image, converts it into a digitised biometric template, and then matches it against a database of pre-registered templates. As with any biometric, matching is a similarity score against a threshold rather than an exact comparison: if a stored template scores closely enough, identity is verified.

The non-intrusive, contactless reader also avoids the spread of germs and diseases that are often transmitted by hand.

Vein pattern matching is not a new biometric technology, but its low false acceptance and false rejection rates and its resistance to forging have drawn favourable commentaries from independent sections of the security community, such as encryption guru Bruce Schneier (here).

Pictures of Fujitsu’s PalmSecure technology in action and more on the application of the technology in UniCredit Papillon can be found in a blog post by Fujitsu here.

At CeBIT, Fujitsu is showcasing a range of different iterations including a prototype of a tablet with a built-in scanner, an access control device, a USB pluggable device and a micro-size device. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/06/palm_vein_reader_banking_trial/

Malware linked to Chinese hackers aims at Japanese government

Malware researchers at Seculert say they’ve found two more cases of highly targeted malware coming out of China, and claim to have back-traced it to the same geographical region that was fingered as the source of the Project Aurora attacks.

“It’s using a similar MO – infected PDFs sent out as part of a spear-phishing campaign,” Aviv Raff, CTO of Seculert, told The Register. “We resolved it and found it was reporting to an IP address in China with the same physical location as the previous attacks. They are up to something.”

One of the malware samples was found to communicate with Japanese government websites, seemingly from a location in Korea. However, on Tuesdays between 8am and 7pm (local time) the malware would contact the IP address 123.234.29.35, which is found in Jinan, the capital of the Shandong province of China.

Once the malware got in contact with the new server it would attempt to download a new payload. Raff said this malware exploited a recently patched Java flaw and arrived in the form of an email with an attachment.
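The behaviour Seculert describes, a beacon to one address that only fires inside a fixed weekly window, is exactly what proxy or firewall logs can be searched for. The script below is an added example written for this page, not Seculert’s code: it runs two checks over a constructed proxy log, a plain indicator match on the Jinan address named above, and a behavioural check that flags any source/destination pair whose every contact falls inside the Tuesday 08:00 to 19:00 window. The log format, the internal hosts and the documentation-range destination addresses are all constructed; the window hours are taken from the article and assumed to be the log’s local time.

```python
from collections import defaultdict
from datetime import datetime

C2_IP = "123.234.29.35"                       # the Jinan address named in the article
BEACON_WEEKDAY = 1                            # Tuesday (Monday == 0)
BEACON_START_HOUR, BEACON_END_HOUR = 8, 19    # 08:00 up to but excluding 19:00, local time

# Constructed proxy log, "timestamp src dst dstport method". 10.0.0.21 plays the infected host;
# 203.0.113.10 and 198.51.100.7 are documentation-range stand-ins for ordinary destinations.
SAMPLE_LOG = """\
2013-03-05T08:14:02 10.0.0.21 123.234.29.35 443 CONNECT
2013-03-05T11:47:31 10.0.0.21 123.234.29.35 443 CONNECT
2013-03-05T12:02:19 10.0.0.21 203.0.113.10 80 GET
2013-03-06T10:00:00 10.0.0.21 203.0.113.10 80 GET
2013-03-07T11:30:10 10.0.0.35 198.51.100.7 443 CONNECT
2013-03-12T15:22:45 10.0.0.21 123.234.29.35 443 CONNECT
2013-03-13T09:00:00 10.0.0.35 198.51.100.7 443 CONNECT
2013-03-14T09:00:00 10.0.0.35 198.51.100.7 443 CONNECT
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, src, dst, port, method = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "method": method}


def in_beacon_window(ts: datetime) -> bool:
    return ts.weekday() == BEACON_WEEKDAY and BEACON_START_HOUR <= ts.hour < BEACON_END_HOUR


def detect(log_text: str, min_hits: int = 3) -> dict:
    """Two checks: an indicator match on the C2 address, and a behavioural one that flags
    any source/destination pair with at least min_hits contacts, all of them inside the
    weekly window, which is what a time-gated beacon looks like in proxy logs."""
    entries = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    ioc_hits = [e["ts"].isoformat() for e in entries if e["dst"] == C2_IP]
    contacts = defaultdict(list)
    for e in entries:
        contacts[(e["src"], e["dst"])].append(e["ts"])
    time_gated = sorted(
        (src, dst, len(stamps)) for (src, dst), stamps in contacts.items()
        if len(stamps) >= min_hits and all(in_beacon_window(t) for t in stamps)
    )
    return {"ioc_hits": ioc_hits, "time_gated": time_gated}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

The indicator match is only useful while the attacker keeps the same address; the behavioural check keeps working after the address changes, at the price of false positives from anything else that legitimately runs on a weekly schedule, so its hits want a second look at the destination rather than an automatic block. Lengthening the observation period and raising min_hits is the usual way to trade recall for precision.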

Jinan has long been fingered as a source of the spear-phishing attacks that were aimed at Google and other businesses as part of the attacks dubbed Project Aurora. Google was so put out by the attacks that it pulled out of the Chinese mainland and relocated to Hong Kong.

[Image: Chinese hacking backtrace]

Do all roads lead to China?

In the interests of fairness, it should be pointed out that Jinan is a big place, with lots of universities full of mischievous young pranksters who might enjoy hacking China’s traditional enemy. But the area was also identified as the location of hacking squads apparently linked to the People’s Liberation Army in last month’s Mandiant report into the New York Times attack.

“The ISP killed this time bomb by blocking the malware from reaching its target server, but based on the evidence from this we’re going to be taking a much more in-depth study of this kind of targeted malware from China,” Raff said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/05/seculert_china_hacking/