PROJET AUTOBLOG


The Hacker News

Original site: The Hacker News


Apple's SSL Vulnerability might allow NSA to hack iOS Devices Remotely

Tuesday, 25 February 2014 at 18:45
Just two days ago, Apple disclosed a critical security flaw in the SSL implementation of its iOS software that would allow man-in-the-middle attackers to intercept SSL traffic by spoofing SSL servers.

Designated CVE-2014-1266, the so-called 'goto fail;' vulnerability, in which Secure Transport failed to validate the authenticity of the connection, has left millions of Apple users vulnerable to hackers and spy agencies, especially the NSA.

Last Friday, Apple also released iOS 7.0.6 to patch the vulnerability. It was first discovered in Apple's iOS devices, but the company later acknowledged its presence in Mac OS X as well; it could allow attackers to intercept email and other communications that are meant to be encrypted on iPhone, iPad and Mac computers. Affected versions include iOS up to 7.0.5 and OS X before 10.9.2.

Security researchers confirmed that 'Nearly all encrypted traffic, including usernames, passwords, and even Apple app updates can be captured' with a man-in-the-middle attack.

Apple Vulnerability and NSA
I am sure you still remember the NSA's DROPOUTJEEP hacking tool, an implant for Apple iOS devices that allows the NSA to remotely control and monitor nearly all the features of an iPhone, including text messages, geolocation, the microphone and the camera.

The DROPOUTJEEP program was developed in 2008 to conduct espionage on iPhone users, and was revealed a month ago in the documents provided by Edward Snowden. "The initial release of DROPOUTJEEP will focus on installing the implant via close access methods," the document reads.

According to the vulnerability details published by Google security researcher Adam Langley, a basic mistake in a single line of the SSL code broke the iOS SSL certificate verification process, leaving an open invitation for the NSA's prying eyes.

"This sort of subtle bug deep in the code is a nightmare," Adam Langley said on his blog, "I believe that it's just a mistake, and I feel very bad for whoever might have slipped in an editor and created it."
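As an added example (not Apple's code and not code from Langley's post), here is a simplified C model of the defect: the duplicated `goto fail;` jumps to the cleanup label before the signature is ever checked, so the vulnerable function accepts a forged signature while the braced version rejects it. The hash and verify helpers are hypothetical stubs standing in for Secure Transport's SHA-1 hashing and `sslRawVerify`.

```c
/* Added example (not Apple's code): a simplified model of the CVE-2014-1266
 * "goto fail;" defect. The real function is SSLVerifySignedServerKeyExchange
 * in Apple's Secure Transport; hash_update/hash_final/raw_verify below are
 * hypothetical stubs standing in for the SHA-1 hashing and sslRawVerify. */
#include <stdio.h>
#include <string.h>

typedef int OSStatus;
enum { errSSLCrypto = -9809 };   /* Secure Transport's "signature check failed" */
static OSStatus hash_update(const char *data) { (void)data; return 0; }
static OSStatus hash_final(char *digest) { strcpy(digest, "digest"); return 0; }
/* In this model a signature "verifies" only if it equals the digest. */
static OSStatus raw_verify(const char *digest, const char *sig) {
    return strcmp(digest, sig) == 0 ? 0 : errSSLCrypto;
}

/* Vulnerable: the duplicated 'goto fail;' is unconditional. raw_verify is never
 * reached, err is still 0 from the successful hash_update, and the function
 * reports success for ANY signature. */
OSStatus verify_vulnerable(const char *signed_params, const char *signature) {
    OSStatus err;
    char digest[16];
    if ((err = hash_update(signed_params)) != 0)
        goto fail;
        goto fail;              /* the extra line: indentation lies, it always runs */
    if ((err = hash_final(digest)) != 0)
        goto fail;
    err = raw_verify(digest, signature);
fail:
    return err;
}

/* Fixed: braces make control flow match the indentation, and the signature
 * check is actually performed. */
OSStatus verify_fixed(const char *signed_params, const char *signature) {
    OSStatus err;
    char digest[16];
    if ((err = hash_update(signed_params)) != 0) { goto fail; }
    if ((err = hash_final(digest)) != 0) { goto fail; }
    err = raw_verify(digest, signature);
fail:
    return err;
}

int main(void) {   /* constructed inputs: a forged signature must be rejected */
    printf("vulnerable, forged signature: %d (0 = accepted)\n", verify_vulnerable("params", "forged"));
    printf("fixed, forged signature:      %d\n", verify_fixed("params", "forged"));
    return 0;
}
```

Compiling with `-Wunreachable-code` (or a brace-always coding style) is the kind of check that flags the dead `hash_final` call in the vulnerable function.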
Security researcher Jacob Appelbaum said last December, "Either the NSA has a huge collection of exploits that work against Apple products, meaning that they are hoarding information about critical systems that American companies produce and sabotaging them, or Apple sabotaged it themselves."

Although those old techniques are no longer in circulation, the NSA has a track record of continually invading the privacy of users by exploiting vulnerabilities in various software, and its capabilities have obviously improved significantly in the past five years.

In the DROPOUTJEEP document, the NSA also admitted, 'A remote installation capability will be pursued for a future release.' That means it is entirely possible that the NSA had already discovered this iOS SSL flaw in an effort to hack iPhone users remotely, sniffing their data and spoofing servers to trick them into installing malware.

An Unanswered Question
'Did Apple intentionally inject a backdoor for the NSA, or was the flaw an accident?' If it was an accident, Apple would have been able to release patches for both iOS and Mac OS X at the same time. Instead, it silently released a fix for iOS devices on Friday night, and only when cryptographers and security experts began criticizing the company for leaving OS X without a patch did it finally acknowledge that Mac OS X was affected too. But it is now the fourth day after disclosure and no patch has yet been released for Mac OS X.

Also, Apple contacted CVE (the Common Vulnerabilities and Exposures database) on 8 January 2014 to reserve the identifier CVE-2014-1266 for the SSL vulnerability, and later released an updated iOS 7.1, which was still vulnerable to the flaw that Apple had already discovered.

However, Apple categorically denied working with the NSA on a backdoor after it was accused last December of creating a way for the US intelligence agency to access contacts and other data on iPhones.

On Dec. 31, an Apple spokesperson released a statement saying:
"Apple has never worked with the NSA to create a backdoor in any of our products, including iPhone. Additionally, we have been unaware of this alleged NSA program targeting our products. Whenever we hear about attempts to undermine Apple's industry-leading security, we thoroughly investigate and take appropriate steps to protect our customers. We will continue to use our resources to stay ahead of malicious hackers and defend our customers from security attacks, regardless of who’s behind them."
In 2013, the US Department of Defense approved Apple's iOS 6 for government use; that means that if the NSA was aware of this flaw, it does not seem to have informed them.

A test page was made available to check whether your web browser is vulnerable to the SSL flaw. To be safe, you are advised to use an alternate web browser rather than Safari, and to avoid public and unsecured networks.

UPDATE: Apple has today finally released Mac OS X 10.9.2, which includes a fix for the major SSL security flaw and brings with it a number of "improvements to the stability, compatibility and security of your Mac."

Pony Botnet steals $220,000 from multiple Digital Wallets

Tuesday, 25 February 2014 at 12:17
Are you a digital currency holder? PONY is after you.

A group of cyber criminals has used hundreds of thousands of infected computers belonging to digital currency holders to filch approximately $220,000 worth of Bitcoins and other virtual currencies.

Researchers at the security firm Trustwave have uncovered the Bitcoin heist, which was accomplished using computers infected with a new class of malware dubbed 'Pony', a very powerful spying keylogger with very dangerous features that was last seen two months ago.

Pony, for those who have not yet heard of it, is a bot controller much like any other, with the capability to capture all kinds of confidential information and passwords. It contains a control panel, user management, logging features, a database to manage all the data and, of course, statistics. It can see the passwords and login credentials of infected users when they access applications and Internet sites.

The security firm found that the botnet compromised over 700,000 accounts over a four-month period, between September 2013 and mid-January 2014, and allowed criminals to control those accounts.

"Not only did this Pony botnet steal credentials for approximately 700,000 accounts, it's also more advanced and collected approximately $220,000 worth, at the time of writing, of virtual currencies such as BitCoin (BTC), LiteCoin (LTC), FeatherCoin (FTC) and 27 others," reads the report.

In December, the same piece of malware struck a number of popular websites and services such as Facebook, Google, Yahoo, Twitter and LinkedIn by stealing a couple of million passwords, which gave the criminals access to all those accounts.

Latest Pony attack
This time the Pony botnet stole over 700,000 credentials, including 600,000 website login credentials, 100,000 email account credentials, 16,000 FTP account credentials and other Secure Shell account information.

This instance of Pony compromised 85 wallets, a fairly low number compared to the number of compromised credentials. Despite the small number of wallets compromised, this is one of the larger caches of BitCoin wallets stolen from end-users.

The malware was in the wild while the value of virtual currencies such as Bitcoin, which was developed by cryptographic experts as a way to move money at a lower cost than traditional financial systems, was skyrocketing.

"Bitcoins are stored in virtual wallets, which are essentially pairs of private and public keys," the Trustwave researchers said, adding that “whoever has those keys can take the currency, and stealing Bitcoins and exchanging them for another currency, even a regulated one such as US dollars, is much easier than stealing money from a bank."

They said that cyber thieves holding Bitcoins can use any number of trading websites to get real cash while maintaining anonymity.

NOT just BITCOINS
Here, if you think that the botnet went after only Bitcoin, you are wrong. Currently, the Bitcoin value is swinging between $300 and $500. So, instead of sticking to Bitcoin wallets alone, the Pony botnet looks for a list of virtual currencies including Anoncoin, BBQcoin, Bytecoin, Craftcoin, Devcoin, Digitalcoin, Fastcoin, Feathercoin, Florincoin, Franko, Freicoin, GoldCoin, I0coin, Infinitecoin, Ixcoin, Junkcoin, Litecoin, Luckycoin, Mincoin, Namecoin, NovaCoin, Phoenixcoin, PPCoin, Primecoin, Quarkcoin, Tagcoin, Terracoin, Worldcoin, Yacoin and Zetacoin.

If you are wondering whether the attack was shut down by security companies, you are guessing wrong, because the attackers themselves "closed shop" during January.

The researchers have not described a removal mechanism for the malware, but to protect your virtual currency you are advised to encrypt your wallets. Keep your virtual currency wallets safe!

In separate news, you may also like to read: World's Largest Bitcoin Exchange Mt. Gox Shuts Down.

Caphaw Banking Malware Distributed via YouTube Ads

Tuesday, 25 February 2014 at 11:20
More than one billion unique visitors spend about 6 billion hours a month on YouTube watching videos, according to YouTube's monthly stats. Security researchers from Bromium Labs recently found that the YouTube advertising network has been abused by rogue advertisers to distribute malware.

YouTube in-stream ads were redirecting users to malicious websites hosting the 'Styx Exploit Kit', which exploited client-side vulnerabilities in a drive-by-download attack to infect users' computers with the Caphaw banking Trojan.

The exploitation process relied upon a Java vulnerability (CVE-2013-2460): once the victim is dropped onto the exploit page, the malware detects the Java version installed on the operating system and, based on it, requests the suitable exploit.
"We don’t yet know the exact bypass which the attackers used to evade Google’s internal advertisement security checks. Google has informed us that they’re conducting a full investigation of this abuse and will take appropriate measures." researchers said.
Further investigation revealed that the banking malware uses a Domain Generation Algorithm (DGA) to communicate with its Command and Control (C&C) server. The C&C panel of this Trojan seems to be hosted somewhere in Europe, and the case is still under investigation. Caphaw has been flagged as malicious by a number of anti-virus companies.

How many users fell victim to this attack is still an open question. Google has taken down the malvertising campaign and is beefing up internal procedures to prevent such events from occurring again.

Oracle already patched the Java vulnerability last year, so users are advised to keep their Java software up to date and install the latest security updates for their software and operating system.

First Tor-Based Android Malware Spotted in the Wild

Tuesday, 25 February 2014 at 09:13
We use our smartphones to do almost everything, from Internet banking to sharing private files, and the mobile malware sector is growing at the same pace.

The number of variants of malicious software aimed at mobile devices has reportedly risen about 185% in less than a year. 

Security researchers have observed a growth in the number of computer malware families starting to use Tor-based communications, and recently security researchers at anti-virus firm Kaspersky Lab spotted the world's first Tor-based malware for the Android operating system.

The Android malware, dubbed 'Backdoor.AndroidOS.Torec.a', uses the Tor hidden service protocol for stealth communication with its Command-and-Control servers.

Researchers found that the Trojan operates from a .onion Tor domain and builds on the functionality of 'Orbot', an open source Tor client for Android devices, thus eliminating the threat of the botnet being detected and blocked by law enforcement authorities; it is not yet clear how many devices have been infected by this malware so far.

The Trojan is capable of intercepting and stealing incoming SMS messages, making USSD requests, stealing device information including 'the phone number, country, IMEI, model, version of OS', retrieving the list of installed applications on the device, and sending SMS messages to a specified number.

Kaspersky did not say whether the malware is focused on stealing banking information, but the popularity of Android keeps motivating cyber criminals to develop far more advanced Android malware with stealthier anti-reversing methods.

Here are some things you can do to dramatically reduce the risk of malware infections on your Android phone:
  • Install apps from the official Android Market instead of third-party app stores or websites.
  • Before installing any apps, check the publisher and app reviews.
  • Pay attention to app permissions during the installation.
  • Install Antivirus and Firewall apps.

World’s largest Bitcoin exchange Mt. Gox Shuts Down; CEO quits Bitcoin Foundation

Tuesday, 25 February 2014 at 07:53
The world's largest Bitcoin exchange, Mt. Gox, has shut down its website and withdrawal system, deleted its Twitter feed and halted all trading after it detected "unusual activity."

The Bitcoin Foundation, a Bitcoin advocacy group, confirmed that Mark Karpeles, the chief executive of Tokyo-based Mt. Gox bitcoin exchange has resigned from the board of the Bitcoin Foundation. This comes just days after the exchange gave an update regarding the technical issues.

Last week, Mt. Gox said a technical glitch had forced the exchange to suspend bitcoin withdrawals for a week. It had discovered a transaction falsification glitch, and the same flaw is alleged to have been used to steal all of the bitcoins, worth about $2.7 million, from Silk Road 2.0.

Later, sources close to the matter confirmed that more than 700,000 bitcoins are indeed missing from Mt. Gox's records, in a 'slow-leak' hack that went on for years. The repeated technical glitches over the past several months caused the shutdown of the biggest player in the Bitcoin industry.

Bitcoin companies Coinbase, Blockchain.info, Circle, Kraken, Bitstamp and BTC China have issued a joint statement regarding Mt. Gox:
"This tragic violation of the trust of users of Mt.Gox was the result of one company’s abhorrent actions and does not reflect the resilience or value of bitcoin and the digital currency industry. There are hundreds of trustworthy and responsible companies involved in bitcoin. These companies will continue to build the future of money by making bitcoin more secure and easy to use for consumers and merchants." "We strongly believe in transparent, thoughtful, and comprehensive consumer protection measures. We pledge to lead the way."
Mt. Gox has also deleted its entire Twitter feed, which is nearly unprecedented. Late last week, Bitcoin prices dropped by $300 to their lowest level since June, and currently the value on Mt. Gox is swinging between $300 and $500.