STE WILLIAMS

Researcher offers quick fix for Samsung remote wipe vuln

Although Samsung has yet to issue patches for most of the phones affected by a recently discovered remote-wipe vulnerability, a German security researcher has released an app that he says can block the exploit.

As El Reg reported on Tuesday, a flaw in Samsung’s dialing software causes its phones to execute some tel protocol URIs (uniform resource identifiers) without the user even pressing the Dial button. At worst, this allows a remote attacker to send the Unstructured Supplementary Service Data (USSD) code that resets the phone to its factory state, wiping all of its data in the process.

On Wednesday, Samsung issued a firmware fix that resolved the issue in the Galaxy S III, its flagship Android handset. But no other phones have yet received a similar patch, and it’s not clear just how many mobiles may be affected.

For those whose phones may still be vulnerable, security researcher Collin Mulliner has issued an app that he says slaps a quick fix over the problem. Called TelStop, it works by publishing a URI handler for the tel protocol. The result is that whenever a tel URI is activated, the Android OS asks the user whether to open it with the phone app or with TelStop.

[Screenshot: the TelStop app blocking the Samsung remote-wipe exploit. Caption: Block that call!]

“If you suddenly see the application selector that includes Phone and TelStop you know something just invoked a TEL URI,” Mulliner explains on his website. “If you didn’t click a TEL link or tried to dial a number it is likely to be an attack.”

TelStop also attempts to interpret the contents of tel URIs to offer the user some guidance as to whether they might be malicious. Links that just contain digits are probably legitimate phone numbers, but ones that contain special characters such as asterisks or per cent signs trigger an additional warning.

On his Twitter feed, Mulliner describes the current version of TelStop as a “quick and dirty fix,” and says a more user-friendly version is in the works (although the current version does block the exploit).

Owners of Samsung phones can download the latest version of TelStop either directly from Mulliner’s website or from the Google Play store. Mulliner recommends the latter method, since users who install it from Google Play will be automatically notified of future updates. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/26/samsung_remote_wipe_app_fix/

If you see ‘URGENT tax rebate download’ in an inbox, kill it with fire

FireEye has put together a list of the most common words and phrases that appear in fake emails designed to infect corporate networks and steal data.

The security firm said that the list spotlights the social engineering techniques that feature as a key component of so-called spear phishing attacks. Hackers tend to use words that create a sense of urgency in a bid to trick unsuspecting recipients into downloading malicious files.

The top word category in email-based attacks relates to express shipping: words such as “DHL”, “UPS” and “delivery” feature in a quarter of all attacks. Urgent terms such as “notification” and “alert” appear in about 10 per cent of attacks. Some attacks mix and match terms from these two popular categories, as in “UPS-Delivery-Confirmation-Alert_April-2012.zip”, one example cited by FireEye.

Email-based attacks increased 56 per cent between Q1 2012 and Q2 2012, according to FireEye. The security firm claims these attacks often get through multiple layers of defence – including anti-virus, firewalls and intrusion prevention systems – to reach corporate desktops.

Cybercrooks and spies are also fond of finance-related words, such as the names of financial institutions and an associated transaction such as “Lloyds TSB – Login Form.html”, and tax-related words, such as “Tax_Refund.zip”. Travel and billing words including “American Airlines Ticket” and “invoice” are also popular spear phishing email attachment keywords.

FireEye warns that crooks often use phrases from social engineering sites to “personalise” booby-trapped emails and make them look more authentic.

Attackers primarily use zip files in order to hide malicious code, but other file types, including PDFs and executable files, also feature in attacks ultimately aimed at gaining access to corporate networks before stealing intellectual property, customer information, and other valuable data. It’s hard to believe that executables, in particular, aren’t routinely blocked at corporate email gateways, but FireEye’s research suggests otherwise.
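The lure vocabulary and carrier file types described above translate directly into a gateway or mail-log triage rule. The following is an added example written for this page, not FireEye’s or The Register’s code: the keyword lists are the words the article quotes, while the weights, the block/review thresholds, the “document” extension list used by the double-extension check and the sample file names beyond the two the article cites are this example’s own assumptions.

```python
"""Score e-mail attachment names against the lure vocabulary and file types
the article attributes to FireEye's spear-phishing study.

Added example for this page, not FireEye's or The Register's code.  The
keyword lists are the words the article quotes; the weights, the thresholds
and the 'document' extension list used by the double-extension check are
this example's own assumptions.
"""
import re
from typing import NamedTuple


# Lure vocabulary by category, limited to the words the article cites.
LURE_WORDS = {
    "shipping": {"dhl", "ups", "delivery"},
    "urgent": {"notification", "alert"},
    "finance": {"lloyds", "tsb", "login"},
    "tax": {"tax", "refund"},
    "travel_billing": {"american", "airlines", "ticket", "invoice"},
}

# Carrier file types named in the article; the weights are assumed.
EXT_WEIGHT = {"zip": 2, "exe": 3, "html": 2, "pdf": 1}

# Extensions a double-extension lure (invoice.pdf.exe) imitates: assumption.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}


class Verdict(NamedTuple):
    name: str
    score: int
    categories: tuple
    ext: str
    double_ext: bool
    action: str


def score_attachment(name: str) -> Verdict:
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    stem = ".".join(parts[:-1]) if len(parts) > 1 else parts[0]
    # Whole-token matching keeps 'ups' from firing on 'groups' or 'backups'.
    tokens = set(re.findall(r"[a-z0-9]+", stem))
    hits = tuple(sorted(c for c, words in LURE_WORDS.items() if tokens & words))
    # invoice.pdf.exe: a document extension sitting in front of an executable one.
    double_ext = len(parts) > 2 and parts[-2] in DOC_EXTS and ext not in DOC_EXTS
    score = len(hits) + EXT_WEIGHT.get(ext, 0) + (2 if double_ext else 0)
    action = "block" if score >= 3 else "review" if score >= 1 else "allow"
    return Verdict(name, score, hits, ext, double_ext, action)


def triage(names):
    """Map each attachment name to its action, for a gateway or mail-log sweep."""
    return {n: score_attachment(n).action for n in names}


# Constructed sample: the two file names the article quotes plus a few others.
SAMPLE_ATTACHMENTS = [
    "UPS-Delivery-Confirmation-Alert_April-2012.zip",
    "Lloyds TSB - Login Form.html",
    "Tax_Refund.zip",
    "American Airlines Ticket.pdf",
    "invoice.pdf.exe",
    "meeting_notes.docx",
]

if __name__ == "__main__":
    for n in SAMPLE_ATTACHMENTS:
        v = score_attachment(n)
        print(f"{v.action:6} score={v.score} cats={v.categories} {n}")
```

The point of the whole-token match and the double-extension check is precision: a keyword hit on its own only earns a review, and it is the combination of lure vocabulary with a zip, HTML or executable carrier that tips a name into the block band.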

The study, Top Words Used in Spear Phishing Attacks to Successfully Compromise Enterprise Networks and Steal Data (PDF), is based on data from the FireEye Malware Protection Cloud, a service shared by thousands of FireEye appliances, as well as input from FireEye’s research team. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/26/spear_phishing_hooks/

SourceForge mirror cracked: Served admin tool with gaping backdoor

Evil Korean load befouls 400 hapless punters

SourceForge has launched a clean-up after a backdoored copy of phpMyAdmin was served up from a Korean-based mirror maintained by the popular open source repository.

Logs indicate that 400 users downloaded a corrupted copy of the phpMyAdmin database admin tool before the compromised code was identified and access to the ‘cdnetworks-kr-1’ mirror that had been dishing it out was suspended. The malicious code would have allowed hackers to remotely execute (potentially malicious) PHP code, according to a statement by phpMyAdmin’s developers.

The compromised phpMyAdmin-3.5.2.2-all-languages.zip package was available for three days from 22 September until its discovery on 25 September, according to a statement by SourceForge, which said the tainted code was only served from its Korean mirror. The motives, tactics or perpetrators behind the breach remain unclear.

Through logs, we have identified that approximately 400 users downloaded this corrupted file. Notice of this corrupted file has been transmitted through security notice by the phpMyAdmin project and direct email to those users we were able to identify through our logs. The corrupted copy included malicious code allowing arbitrary commands by the Web server user.

It is our recommendation that downloaders of this corrupted file (which contains ‘server_sync.php’) assess risk and take action as they deem appropriate, including deletion of the corrupted file and downloading a fresh copy. Downloaders are at risk only if a corrupt copy of this software was obtained, installed on a server, and serving was enabled.

Security researchers at Tencent are credited with blowing the whistle on the breach. ®
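SourceForge’s advice to delete the corrupted file and fetch a fresh copy can be turned into a check that runs before the archive goes anywhere near a web server. The following is an added example written for this page, not SourceForge’s or the phpMyAdmin project’s tooling. It compares the archive’s SHA-256 against a digest obtained out of band (here computed from a constructed “clean” archive, standing in for the real release digest, which this page does not give), refuses any archive containing the ‘server_sync.php’ file named in SourceForge’s notice, and, as a heuristic of this example’s own devising rather than anything from the advisory, flags PHP files that pass raw request input into a code-execution sink. The archive contents and the placeholder backdoor body are constructed and are not the code that was actually served.

```python
"""Check a downloaded phpMyAdmin archive before it goes near a web server.

Added example for this page, not SourceForge's or the phpMyAdmin project's
tooling.  Three checks: the archive's SHA-256 must match a digest obtained
out of band from the project (here computed from a constructed 'clean'
archive, standing in for the real release digest); no file named
server_sync.php, the marker given in SourceForge's notice, may be present;
and, as a heuristic of this example's own devising, no PHP file may pass
raw request input into a code-execution sink.
"""
import hashlib
import io
import re
import zipfile

BACKDOOR_MARKER = "server_sync.php"
# Heuristic only: eval/system/exec/... called on $_GET/$_POST/$_REQUEST data.
SINK_RE = re.compile(
    rb"\b(eval|system|passthru|shell_exec|exec)\s*\(\s*[^)]*\$_(GET|POST|REQUEST)\b",
    re.IGNORECASE,
)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_archive(data: bytes, expected_sha256: str = "") -> list:
    """Return the findings for a zip archive; an empty list means it passed."""
    findings = []
    if expected_sha256 and sha256_of(data) != expected_sha256.lower():
        findings.append("sha256 mismatch against the pinned release digest")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1].lower()
            if base == BACKDOOR_MARKER:
                findings.append(f"known backdoor file present: {info.filename}")
            if base.endswith(".php") and SINK_RE.search(zf.read(info)):
                findings.append(f"request input reaches a code-execution sink: {info.filename}")
    return findings


def build_zip(files: dict) -> bytes:
    """Build an in-memory zip from {path: content}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed stand-ins; neither is the real release nor the real backdoor.
CLEAN_FILES = {
    "phpMyAdmin-3.5.2.2-all-languages/index.php": b"<?php require './libraries/common.inc.php';\n",
    "phpMyAdmin-3.5.2.2-all-languages/libraries/common.inc.php": b"<?php // common setup\n",
}
TAINTED_FILES = dict(CLEAN_FILES)
TAINTED_FILES["phpMyAdmin-3.5.2.2-all-languages/server_sync.php"] = (
    b"<?php eval($_POST['c']); ?>\n"  # placeholder body, not the code that was served
)


def demo() -> dict:
    clean = build_zip(CLEAN_FILES)
    tainted = build_zip(TAINTED_FILES)
    pinned = sha256_of(clean)  # in practice: fetched from the project, never from the mirror
    return {
        "clean": check_archive(clean, pinned),
        "tainted": check_archive(tainted, pinned),
        "tainted_no_digest": check_archive(tainted),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "->", findings or ["ok"])
```

The digest comparison is the check that generalises: a filename match only catches this one incident, whereas a hash pinned from the project’s own site catches any altered package regardless of which mirror served it, which is why the digest must never be taken from the same mirror as the download.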

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/26/sourceforge_backdoor_code_compromise/

FTC settles spying charges on rent-to-own computers

The US Federal Trade Commission (FTC) has settled a case against a software vendor and seven rent-to-own PC sellers over charges that they illegally spied on customers.

According to the settlement, software company DesignerWare sold an application for sellers of rent-to-own PCs that would enable them to brick computers that were stolen or if the user stopped making rental payments. It also included a feature called “Detective Mode” which would log keystrokes, allow remote use of a webcam, or record the geographical location of systems.

The software is installed on around 420,000 computers in circulation in the US, and seven PC rental companies named in the suit used it on their systems. But the scope of the software’s reach and the fact that customers were not informed it was installed broke the rules, according to the FTC.

“An agreement to rent a computer doesn’t give a company license to access consumers’ private emails, bank account information, and medical records, or, even worse, webcam photos of people in the privacy of their own homes,” said Jon Leibowitz, chairman of the FTC in a statement. “The FTC orders today will put an end to their cyber spying.”

The sheer depth of data such systems recorded unsettled the FTC, as it included user names and passwords for email accounts, social media websites, and financial institutions; Social Security numbers; medical records; private emails to doctors; bank and credit card statements; and webcam pictures of children, partially undressed individuals, and intimate activities at home.

You could argue that the computer rental firms have a perfect right to protect their property from theft or delinquent customers by installing such software. Where the rental firms overstepped the mark was by not making it clear to customers that this software was installed and what it could record.

The FTC ruled that the software is illegal, and has ordered an end to its use by DesignerWare and the seven rental firms using it: Aspen Way Enterprises, B. Stamper Enterprises, C.A.L.M. Ventures, J.A.G. Rents, Red Zone Investment Group, Showplace and Watershed Development Corp. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/26/ftc_computer_rental_spying/

NYPD: iPhone thefts rising ten times rate of other crimes

Thefts of iPhones and iPads in New York City have increased at a rate ten times higher than other crime during this year – and the police are offering help to protect your Apple kit.

New York Police Department spokesman Paul Browne told Bloomberg that iPads and iPhones are a “magnet for crime, including robberies, driving the spike we’ve experienced this year.”

NYPD records show that Apple products accounted for 11,447 incidents since the beginning of this year – an increase of 40 per cent over the same period last year. By comparison, other “index crimes” – seven offenses that include such heinous unpleasantries as murder, rape, and robbery – increased a mere 4 per cent.

“As if to mirror the market place,” Browne told Cnet, “thefts of Apple products increased this year as the theft of electronics by other manufacturers declined.”

To combat this surge in felonious fanboi filching, members of the NYPD constabulary positioned themselves in 21 New York stores selling the iPhone 5 on its debut day last Friday to help purchasers of Apple’s latest kit register their new shiny-shiny to enable the police to trace them if they were to fall into the wrong hands.

The helpful members of New York’s finest registered the iPhones’ serial numbers and offered to engrave on them a unique serial number with the letters “NYC” added, to help identify recovered handsets. Browne said that around 1,500 iPhone 5 handsets were set up with help from the NYPD boys in blue.

The wily gendarmes have also run sting operations to catch miscreants attempting to fence Apple kit, as well as using decoys to catch thieves preying on subway passengers.

Officers have also used the iCloud-based “Find my iPhone” feature, which uses the handset’s location services to pinpoint its whereabouts, to track down stolen handsets, and during last Friday’s “Operation ID” in-store events passed out instructions to iPhone users on how to set up that feature on their new iPhone 5s.

That cloudy phone-finding system, by the way, was recently used by San Francisco police to track down a stolen iPhone in an altercation that involved an officer discharging her sidearm at one of the alleged thieves. She missed.

iPhones may be popular status symbols and reasonably fine smartphones, but is acquiring one worth committing a felony and being shot at? The Reg thinks not. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/26/nypd_iphone_theft_statistics/

New critical Java flaw claimed

Oracle’s Java is making a play to wrest back the title of world’s leakiest code from Internet Explorer, after Polish researcher Adam Gowdiak claimed another critical flaw exists in the product.

The new claim is stated on the Full Disclosure mailing list where Gowdiak writes that the newly-found flaw impacts “all latest versions of Oracle Java SE software” and that it allows “a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7.” That’s apparently worse than previous exploits, as they only hit Java 7.

Gowdiak also says “the bug allows to violate a fundamental security constraint of a Java Virtual Machine (type safety).”

There’s not much detail beyond what we’ve quoted above, which is a little unusual for a Full Disclosure post.

It’s also worth noting that there seems to be some grandstanding in Gowdiak’s post: he says he discovered the problem “exclusively” for Oracle’s imminent JavaOne conference, commencing September 30th, and taunts Larry Ellison, writing that he hopes news of the new flaw does not spoil his morning coffee. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/26/gowdiak_claims_new_java_flaw/

IEEE slips up, leaks logins

IEEE members will be scrambling to change their logins after it emerged that more than 100,000 members’ names and plaintext passwords were left in plain sight for more than a month.

In his documentation and analysis of the breach, Radu Dragusin, a computer scientist at Denmark’s FindZebra, notes among other things that bad password habits are as common among the computer scientists, engineers and standards developers of the IEEE as anywhere else. The most common password, he notes, was “123456”, followed closely by “ieee2012”.

Dragusin says the data was left lying around – along with raw Web server logs documenting more than 376 million HTTP requests – on an IEEE FTP server at ftp://ftp.ieee.org/uploads/akamai/ (the server was closed after he reported it to the organization).

While he highlighted some big-name companies and organisations whose staffers’ IEEE logins were compromised – Apple, Google, IBM, Oracle, Samsung, NASA, Stanford University and so on – practically any outfit that employs high-ranking engineers in electrical, electronics, computer sciences and communications disciplines will probably get mentioned somewhere in the logs.

Dragusin has undertaken not to make any of the raw data public. It’s not known at this stage whether any other organization downloaded the same data set, or if anything odd has happened to any standards developments processes. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/25/ieee_leaks_logins/

A single web link will WIPE Samsung Android smartphones

An enterprising hacker has demonstrated how a simple web page can reset various Samsung phones back to the state they left the factory – enabling a click, bump or text to take out a victim’s mobe entirely.

The devastating flaw lies in Samsung’s dialling software, triggered by the tel protocol in a URL. It isn’t applicable to all the company’s Android handsets, but those that are vulnerable can have their PIN changed or be wiped completely just by visiting a web page or snapping a bad QR code, or even bonking up against the wrong wireless NFC tag.

The tel protocol is generally used with phone numbers to provide clickable “call me” links on websites: tapping on the hyperlink in the handset’s web browser opens up the dialling software and calls the number contained in the link. Such calls aren’t made until the fandroid presses a “dial” button, so security is maintained – but some numbers don’t require “dial” to be pressed, and it’s those which are exploited in this attack.

The best example of an executing number – aka an unstructured supplementary service data message – is *#06#: enter that into just about any GSM phone and it will display the IMEI, the device’s serial number. But, importantly, it will do that without one pressing the “dial” button.

That’s benign, but try entering *2767*3855# on a Samsung Galaxy S3 and you’ll be rewarded with an impossible-to-cancel factory reset before you can say shudda-bought-an-iPhone.

Once one has established that any automatically loaded URL can trigger the behaviour, the attack becomes easy to expand: automatically opening iframes, pushed WAP/USSD messages and NFC tags are all capable conduits, as was elegantly demonstrated over the weekend at Ekoparty 2012.

Not all Samsung handsets are affected: a vulnerable handset is one that interprets numbers submitted from the browser as though they had been typed on the keypad, and it seems that some operators have tweaked their handsets so that they don’t – probably not deliberately, just as a side effect of other changes. Switching to another web browser should not help, since the flaw lies in the dialler rather than the browser; there are some claims that Google Chrome is immune, but there are an equal number claiming otherwise.
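Both the attack described here and the TelStop heuristic from the companion story above (digits only is probably a phone number; asterisks, hashes or per cent signs earn a warning) come down to inspecting what the dialler would receive once the tel URI is decoded. The following is an added example written for this page, not Collin Mulliner’s TelStop code or Samsung’s dialler. It decodes percent-encoding before looking for MMI control characters, because a literal ‘#’ in a URL starts a fragment and is dropped by the browser, so a link meant to reach the dialler as *2767*3855# has to carry the hash as %23. The sample links, the “looks like an MMI/USSD string” pattern and the action names are this example’s own assumptions; the reset code in the third sample is the one the article names.

```python
"""Classify tel: URIs the way a TelStop-style interceptor has to, before
handing them on to the dialler.

Added example for this page, not Collin Mulliner's TelStop code or
Samsung's dialler.  The rule follows the article's description: a link
that is only a phone number is passed, anything containing '*' or '#',
including their percent-encoded forms, is flagged.  The sample URIs, the
MMI pattern and the action names are this example's own assumptions.
"""
import re
from typing import NamedTuple
from urllib.parse import unquote

# Digits with the usual visual separators (spaces, dashes, dots, brackets).
PHONE_NUMBER_RE = re.compile(r"\+?[0-9][0-9 ().-]*")
# *#06#, *2767*3855# and friends: starts with * or #, ends with #.
MMI_RE = re.compile(r"[*#][0-9*#]*#")
CONTROL_CHARS = set("*#")


class Verdict(NamedTuple):
    uri: str
    number: str            # what the dialler would receive after decoding
    percent_encoded: bool  # control characters were hidden behind %XX
    looks_like_mmi: bool
    action: str            # ok / review / warn


def classify_tel_uri(uri: str) -> Verdict:
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.strip().lower() != "tel":
        raise ValueError(f"not a tel URI: {uri!r}")
    # A literal '#' would start a URL fragment and be stripped by the browser,
    # so a link meant to reach the dialler as *2767*3855# carries it as %23.
    # Decoding before inspection is what keeps the check from being bypassed.
    decoded = unquote(rest)
    number = decoded.split(";", 1)[0]  # drop RFC 3966 parameters (;phone-context=...)
    percent_encoded = decoded != rest
    has_control = bool(CONTROL_CHARS & set(number))
    looks_like_mmi = MMI_RE.fullmatch(number) is not None
    if has_control:
        action = "warn"    # would execute without Dial on a vulnerable handset
    elif PHONE_NUMBER_RE.fullmatch(number):
        action = "ok"      # plain number: the Dial button still stands between link and call
    else:
        action = "review"  # letters or other oddities; let the user decide
    return Verdict(uri, number, percent_encoded, looks_like_mmi, action)


def screen(uris):
    """Classify a batch of links, e.g. every tel: href scraped from a page."""
    return {u: classify_tel_uri(u).action for u in uris}


# Constructed sample links; the third carries the reset code the article names.
SAMPLE_URIS = [
    "tel:+442079460123",
    "tel:5551234;phone-context=example.com",
    "tel:%2A2767%2A3855%23",
    "tel:*%2306%23",
    "tel:1-800-FLOWERS",
]

if __name__ == "__main__":
    for u in SAMPLE_URIS:
        v = classify_tel_uri(u)
        print(f"{v.action:6} encoded={v.percent_encoded!s:5} mmi={v.looks_like_mmi!s:5} {u} -> {v.number}")
```

Note that *#06# is flagged even though it only displays the IMEI: the interceptor cannot know which MMI strings a given handset treats as harmless, so, as TelStop does, it warns on the character class rather than on a list of known-bad codes.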

Samsung hasn’t confirmed the attack at the time of writing, but it’s safe to assume that a fix will be forthcoming pretty quickly – there’s no big technical barrier and Samsung will want to be seen responding rapidly.

The XDA Developers forum has some non-destructive examples should one want to try the hack, but the overall risk should be quite small as the attacker gains nothing from destroying all the data on a phone.

Despite that it might be worth steering clear of unknown URLs, NFC, QR Codes for a while, particularly if they come from smug friends touting new iPhones who might see more humour than most in trashing a Samsung handset or two. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/25/samsung_flaw/