Absolute Computrace, which is embedded in the BIOS of a large share of PCs, could be a security nightmare according to research from Kaspersky Lab. The software allows companies to track and secure all of their PCs from a single cloud-based console, but Kaspersky claims that it runs without user consent, persistently activates itself at system boot, and can be exploited to perform various attacks and to take complete control of an affected machine.
Vitaly Kamluk and Sergey Belov, along with Anibal Sacco of Core Security, demonstrated the flaw at the Black Hat 2014 conference. Kamluk said that the software is extremely flexible. It is a tiny piece of code which is part of the BIOS. Because it is part of the BIOS, it is not easy to update the software often, so they made it extensible.
“It can do nearly anything. It can run every type of code. You can do to the system whatever you want. Considering that the software is running on these local system privileges, you have full access to the machine. You can wipe the machine, you can monitor it, you can look through the webcam, you can actually copy any files, you can start new processes. You can do absolutely anything”.
What is alarming is that, after Kaspersky warned about the problem, Computrace is still exploitable, and once it has been activated it is very persistent and difficult to turn off. It also does not enforce encryption when it communicates and does not verify the identity of the servers from which it receives commands, and so could expose users to attacks.
It is also not clear what is activating Computrace. Kaspersky believes it may be down to manufacturers’ testing of new machines to check for Computrace compatibility.
A group of German hackers claimed to have successfully breached the iPhone fingerprint scanner on Sunday, just two days after Apple Inc debuted the technology that it promises will better protect devices from criminals and snoopers seeking access.
If the claim is verified, it will be embarrassing for Apple which is betting on the scanner to set its smartphone apart from new models of Samsung Electronics Co Ltd and others running the Android operating system of Google Inc.
Two prominent iPhone security experts told Reuters that they believed the German group, known as the Chaos Computer Club, or CCC, had succeeded in defeating Apple’s Touch ID, though they had not personally replicated the work.
One of them, Charlie Miller, co-author of the iOS Hacker’s Handbook, described the work as “a complete break” of Touch ID security. “It certainly opens up a new possibility for attackers.”
Apple representatives did not respond to requests for comment.
CCC, one of the world’s largest and most respected hacking groups, posted a video on its website that appeared to show somebody accessing an iPhone 5S with a fabricated print. The site described how members of its biometrics team had cracked the new fingerprint reader, one of the few major high-tech features added to the latest version of the iPhone.
The group said they targeted Touch ID to knock down reports about its “marvels,” which suggested it would be difficult to crack.
“Fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints,” a hacker named Starbug was quoted as saying on the CCC’s site.
The group said it defeated Touch ID by photographing the fingerprint of an iPhone’s user, then printing it on to a transparent sheet, which it used to create a mold for a “fake finger.”
CCC said similar processes have been used to crack “the vast majority” of fingerprint sensors on the market.
“I think it’s legit,” said Dino Dai Zovi, another co-author of the iOS Hacker’s Handbook. “The CCC doesn’t fool around or over-hype, especially when they are trying to make a political point.”
Touch ID, which was only introduced on the top-of-the-line iPhone 5S, lets users unlock their devices or make purchases on iTunes by simply pressing their finger on the home button. It uses a sapphire crystal sensor embedded in the button.
Data used for verification is encrypted and stored in a secure enclave of the phone’s A7 processor chip.
Two security experts who sponsored an impromptu competition offering cash and other prizes to the first hackers who cracked the iPhone said they had reviewed the information posted on the CCC website, but wanted more documentation.
“We are simply awaiting a full video documentation and walk through of the process that they have claimed,” said mobile security researcher Nick DePetrillo, who started the contest with another security expert, Robert Graham. “When they deliver that video we will review it.”
The two of them each put up $100 toward a prize for the contest winner, then set up a website inviting others to contribute. While the booty now includes more than $13,000 in cash, it was not clear that the CCC would receive the full payout, even if DePetrillo and Graham declared them winners.
A hacker has stolen the names, addresses and bank account numbers of about 2 million Vodafone Germany customers, who should beware that cybercriminals may now try to obtain other information such as passwords, the company said.
The mobile phone operator, which has around 32 million clients in Germany, said on Thursday that the hacker, who had gained access to one of its servers, had not obtained any passwords, security numbers or connection data.
“It is hardly possible to use the data to get direct access to the bank accounts of those affected,” the mobile phone network operator said in a statement.
But it warned customers that criminals could launch so-called “phishing” attacks, using fake e-mails, to try to trick them into revealing more details.
“This attack was only possible with the utmost criminal energy as well as insider knowledge and happened deep within the IT infrastructure of the company,” Vodafone said.
A source close to the company, who declined to be named, said the investigation was looking into a person who was working for a sub-contractor for Vodafone’s administration system.
Privacy and personal data are sensitive issues in Germany due partly to a history of heavy surveillance of citizens in the former communist East and under Nazi rule.
“This may well be one of the largest cases of personal data theft for German customers,” Mikko Hypponen, chief research officer at internet security company F-Secure, told Reuters.
In a previous major international case, which also involved Germans amongst others, data was stolen more than two years ago from almost 80 million user accounts of Sony’s PlayStation Network.
And in 2009 in the United States, a hacker called Albert Gonzalez pleaded guilty to stealing tens of millions of payment card numbers by breaking into corporate computer systems at companies such as 7-Eleven Inc and Target Co.
Vodafone said it was working with police to investigate the matter and had sealed the ports the hacker had used to access its servers.
Verizon Communications Inc has been sued by a shareholder attempting to void its $130 billion acquisition of Vodafone Group Plc’s stake in the companies’ wireless joint venture on the grounds the price is too high.
In a lawsuit filed in a New York state court last Thursday, just three days after the transaction was announced, Natalie Gordon said Verizon shareholders are being “shortchanged” by the purchase of Vodafone’s 45 percent stake in Verizon Wireless, the largest U.S. mobile phone operator.
Verizon, which owns the other 55 percent, agreed to pay Vodafone $59 billion in cash, $60 billion in stock and other sums. Verizon Wireless has about 100 million customers.
Gordon said “it is evident that Verizon has overpaid,” adding that “Wall Street analysts concur” and that Moody’s Investors Service downgraded Verizon’s credit.
She also pointed to a drop in Verizon’s share price to $45.08 on September 3, the first trading day after the purchase was announced, from a peak of $48.60 on August 29, when news that Verizon and Vodafone had revived talks surfaced. The lawsuit characterized the 7.2 percent decline as “almost 10%.”
The lawsuit seeks class-action status, and also names Verizon Chief Executive Lowell McAdam and 12 directors as defendants, accusing them of breaching their fiduciary duties.
It seeks to force Verizon to rescind the purchase or improve the terms, and force the individual defendants to pay damages.
“We believe this lawsuit is entirely without merit, and Verizon intends to defend itself vigorously,” Randal Milch, Verizon executive vice president and general counsel, said in a statement.
Vodafone, which is not a defendant, declined to comment.
Gordon is represented by law firm Faruqi & Faruqi, and has within the last five years been a shareholder plaintiff in several other lawsuits filed by that firm, court records show.
Juan Monteverde, a partner at the New York-based firm, did not immediately respond to a request for comment.
The Verizon-Vodafone transaction would be the third-largest in corporate history, and end their 14-year joint venture.
Talks resumed in earnest this summer as Verizon grew concerned that rising interest rates might make a transaction too pricey.
The price rose from the $100 billion that Verizon had earlier floated, people familiar with the matter said.
Moody’s one-notch downgrade left Verizon’s long-term credit rating at “Baa1,” a low investment grade, reflecting the company’s plan to add $67 billion of debt and more than double its debt load. Nonetheless, Moody’s ratings outlook is “stable.”
The case is Gordon v. Verizon Communications Inc et al, New York State Supreme Court, New York County, No. 653084/2013.
Apple’s security was once again made a laughing stock as a team of researchers demonstrated how it is possible to sneak apps past Apple’s review process. A group of researchers presenting at Usenix were able to spread malicious chunks of code through an apparently innocuous app for activation later.
According to their paper, the Georgia Tech team wanted to create code that could be rearranged after it had passed the App Store’s tests. The code would look innocuous running in the test environment, be approved and signed, and would later be turned into a malicious app.
They created an app that operated as a Georgia Tech “news” feed but had malicious code distributed throughout the app as “code gadgets” that were idle until the app received the instruction to rearrange them. After the app passes App Review and lands on the end user’s device, the attacker can remotely trigger the planted vulnerabilities and assemble the malicious logic at runtime by chaining the code gadgets together.
The instructions for reassembly of the app arrive through a phone-home after the app is installed.
The app will run inside the iOS sandbox, but can successfully perform many malicious tasks, such as stealthily posting tweets, taking photos, stealing device identity information, sending email and SMS, attacking other apps, and even exploiting kernel vulnerabilities.
“This is a new tactic we haven’t really seen before,” said Paul Wood, senior intelligence analyst for Symantec.cloud, the company’s Web-based security and email branch.
The emails invariably contain some kind of Trojan downloader, which can be used to download other malware or steal documents from the computer.
Symantec published examples of the emails collected recently in its latest monthly Symantec Intelligence Report, released on Tuesday. The emails at first glance look quite convincing, with a subject line “Fwd: Scan from a HP Officejet.” The email reads “Attached document was scanned and sent to you using a Hewlett-Packard HP Officejet 05701J” and then “Sent by Morton.”
Wood said it is common for the scammers to spoof the sender’s name and make it appear that the email came from the same domain as the recipient’s. Some of the messages captured by Symantec appear at a cursory glance to be internal company email, which makes it more likely that the person who receives the message will open the attachment.
The attachment is a “.zip” file, which is odd. Wood said it is unlikely that most printers with email-sending ability can actually send a “.zip” file; those printers mostly send image files, he said.
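The three indicators the article lists (the “scan from a HP Officejet” lure, a sender spoofed onto the recipient’s own domain, and a .zip attachment where a printer would send an image) can be turned into a simple mail-gateway heuristic. The code below is an added example, not Symantec’s detection logic; the messages it scores are constructed samples, and the `example.com` addresses, attachment names and scoring threshold are assumptions.

```python
"""Heuristic scoring of "printer scan" phishing lures (added example, constructed data).

A message earns one point for each of the indicators described in the article:
  1. subject or body claims the mail is a scan from an HP Officejet,
  2. the From: address is on the same domain as the recipient (spoofed "internal" mail),
  3. the attachment is a .zip archive (real printers send image files or PDFs).
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

SCAN_MARKERS = ("scan from a hp officejet", "hewlett-packard hp officejet")
PRINTER_TYPES = {"image/jpeg", "image/png", "image/tiff", "application/pdf"}
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed"}


def _domain(header_value):
    """Lower-cased domain of an address header such as 'Morton <morton@example.com>'."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()


def score_message(msg):
    """Return (score, reasons) for a parsed EmailMessage; higher score = more suspicious."""
    reasons = []
    subject = str(msg["subject"] or "").lower()
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content().lower() if body_part else ""
    if any(m in subject or m in text for m in SCAN_MARKERS):
        reasons.append("claims to be a scan from an HP Officejet")
    sender, recipient = _domain(msg["from"]), _domain(msg["to"])
    if sender and sender == recipient:
        reasons.append("sender domain spoofed to match the recipient's domain")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if name.endswith(".zip") or ctype in ARCHIVE_TYPES:
            reasons.append(f"archive attachment {name!r}: printers send images, not .zip")
        elif ctype not in PRINTER_TYPES:
            reasons.append(f"unexpected attachment type {ctype} for {name!r}")
    return len(reasons), reasons


def analyze(raw_bytes):
    """Parse an RFC 5322 message from bytes and score it."""
    return score_message(email.message_from_bytes(raw_bytes, policy=policy.default))


def is_suspicious(raw_bytes, threshold=2):
    """Assumed gateway policy: two or more indicators mark the mail for quarantine."""
    return analyze(raw_bytes)[0] >= threshold


def build_sample(sender, recipient, subject, body, filename, ctype, payload):
    """Construct a sample message (not a real capture) with one attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, recipient, subject
    m.set_content(body)
    maintype, subtype = ctype.split("/", 1)
    m.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()


# Constructed lure in the shape the article quotes: same-domain sender, .zip attachment.
LURE = build_sample(
    "Morton <morton@example.com>", "alice@example.com",
    "Fwd: Scan from a HP Officejet",
    "Attached document was scanned and sent to you using a Hewlett-Packard HP Officejet 05701J\n\n"
    "Sent by Morton",
    "scan_0042.zip", "application/zip", b"PK\x03\x04constructed-not-a-real-archive")

# Constructed benign message: external printer-cloud sender, JPEG attachment.
LEGIT = build_sample(
    "scanner@printer-cloud.example.net", "alice@example.com",
    "Your scanned document", "See the attached scan.",
    "scan_0042.jpg", "image/jpeg", b"\xff\xd8constructed-not-a-real-jpeg")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("legit", LEGIT)):
        score, reasons = analyze(raw)
        print(f"{label}: score={score} quarantine={is_suspicious(raw)} reasons={reasons}")
```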
U.S. prosecutors have launched a criminal inquiry into whether eBay Inc employees took confidential information from classified ad website Craigslist as eBay sought to build a rival service, a copy of a grand jury subpoena obtained by Reuters shows.
The two companies have been feuding for years in civil court over allegations that online giant eBay took a stake in Craigslist and then misappropriated confidential information while it covertly planned its own classifieds site.
The subpoena seeks information regarding several eBay personalities, including founder and Chairman Pierre Omidyar and Joshua Silverman, the former Skype chief executive who served as eBay’s representative on Craigslist’s board.
An eBay spokeswoman, Amanda Miller, said the company would cooperate in any inquiry related to the disputes with Craigslist.
“EBay believes that Craigslist’s allegations against eBay are without merit,” Miller said in an email on Tuesday. “We will continue to vigorously defend ourselves, and we will aggressively pursue our claims against Craigslist.”
Last year, a Delaware Chancery Court judge ruled that Craigslist properly removed an eBay representative from its board. The judge also ruled that Craigslist could not dilute eBay’s 28.4 percent stake in the company.
Miller said allegations of misconduct were leveled by Craigslist as a defense in the Delaware case, and the court did not rule in Craigslist’s favor on the defense.
Craigslist representatives did not respond to an email seeking comment.
Dubbed BMW by 360 and Mebromi by other security vendors, the threat has separate components for the operating system, the master boot record (MBR) and the system BIOS.
A computer’s BIOS holds a set of low-level instructions that execute before the boot loader to detect and initialise the computer’s hardware components.
There are various types of BIOS, depending on motherboard and manufacturer, but according to 360, BMW only infects Award BIOS versions produced by Phoenix Technologies.
The malware adds a BIOS module called HOOK.ROM, which determines if malicious code has been erased from the MBR and restores it if necessary.
The MBR instructions serve a similar purpose. They check to see if certain Windows files are still infected before the operating system starts and reinfects them if they’re not.
Thus, the BIOS hook and MBR code restore the rootkit at every reboot. Ultimately malicious code is added to winlogon.exe on Windows XP and Windows Server 2003, and to wininit.exe on Windows Vista and Windows 7.
BIOS malware is very rare, which makes BMW an interesting find; however, hooking the BIOS for malicious purposes is not a new concept. One of the first attempts to put it into practice was in 1999 with the CIH virus, which ended up damaging infected systems.
Fortunately, because of hardware diversity users don’t need to worry about this type of malware becoming widespread. BIOS flashing is so different from one motherboard manufacturer to another that it is almost impossible to develop code that does it reliably on the majority of systems.
It’s worth pointing out that motherboards are not the only devices whose firmware can be infected by malware. Certain home routers have also been targeted by trojans in the past and have even been joined together in botnets.
The company’s assertion came after a massive theft of more than 500 SSL (secure socket layer) certificates, including several that could be used to impersonate Microsoft’s update services, was revealed by Dutch authorities and several other affected developers.
“Attackers are not able to leverage a fraudulent Windows Update certificate to install malware via the Windows Update servers,” said Jonathan Ness, an engineer with the Microsoft Security Response Center (MSRC), in a Sunday blog post. “The Windows Update client will only install binary payloads signed by the actual Microsoft root certificate, which is issued and secured by Microsoft.”
Seven of the 531 certificates now known to have been fraudulently obtained by hackers in July were for the domains update.microsoft.com and windowsupdate.com, while another six were for *.microsoft.com.
According to Microsoft, the certificates issued for windowsupdate.com couldn’t be used by attackers because the company no longer uses that domain. (Windows Update is now at windowsupdate.microsoft.com.) However, those for update.microsoft.com — the domain for Microsoft Update — and the wildcard *.microsoft.com could be.
As Ness said, updates delivered via Microsoft’s services are signed with a separate certificate that’s closely held by the company.
That part of the site has been taken down, and instead delivers a statement from the company about the intrusion.
Nokia said that during its ongoing investigation of the incident, it discovered that a database table containing e-mail addresses of developer forum members was accessed, by exploiting a vulnerability in the bulletin board software that allowed an SQL injection attack.
“Initially we believed that only a small number of these forum member records had been accessed, but further investigation has identified that the number is significantly larger,” the statement said.
Nokia did not specify when the site was hacked, though it is likely to have happened last week, according to some reports.
The database table records include members’ e-mail addresses and, for the fewer than 7% who chose to include them in their public profile, either birth dates, homepage URL (uniform resource locator) or usernames for AIM, ICQ, MSN, Skype or Yahoo services. Sensitive information such as passwords and credit card details was not compromised, and the potential fallout of the hack is likely to be limited to unsolicited mail, Nokia said.
After addressing the initial vulnerability, Nokia said it took the developer community website offline as a precautionary measure, while it conducts further investigations and security assessments. The developer community section was still down on Tuesday.
Soon after the hack, visitors to the community pages were taken to a third-party web page containing an image of Homer Simpson, the character from the TV series The Simpsons, and a message, warning the company to patch its security holes, according to reports.
A list of 27 user names and encrypted passwords allegedly for an Apple website was posted to the Internet over this past weekend along with a warning from hacker group Anonymous that the Cupertino-based computer maker could be a target of its attacks.
The list was posted to the Pastebin website, a hosting site for text files, by an unknown user under the title “Not Yet Serious.” It wasn’t immediately clear if the user is a member of the Anonymous hacking group, but the existence of the file became widely known after Anonymous linked to it in a Twitter message.
“Not being so serious, but well,” the message read before linking to the PasteBin page. “Apple could be target, too. But don’t worry, we are busy elsewhere,” the message said.
The data appears to be a set of user names and encrypted passwords from an SQL database for an online survey at the Apple Business Intelligence website. The site is currently offline.
Apple did not immediately respond to a request for comment.
In an apparently unrelated posting, a Lebanese grey-hat hacker called idahc_hacker said he had found vulnerabilities on another Apple website. SQL injection and iFrame injection attacks of this kind can be used by hackers to gain unauthorized access to data.
Grey-hat hackers do not normally hack for malicious purposes, and the Lebanese hacker did not post any data obtained from the site.
In pointing out the hacks, he said he was not part of Anonymous or LulzSec, an allied group that disbanded recently.
A flaw in Skype for Android could let criminals collect private information from mobile devices, including the user’s name and email address, contacts and chat logs, the Internet calling software maker confirmed Friday.
One security researcher called it “sloppy coding” and a “disrespect for your privacy.”
Last week, Justin Case, a regular contributor to the Android Police blog, disclosed that Skype on Android does not block access to a number of sensitive data files stored on the cellular phone.
The files contain an abundance of information about the Skype account and the smartphone’s owner, ranging from full name and date of birth to alternate phone numbers and account balance. Also accessible, said Case, are instant chat logs and all Skype contacts.
“Skype mistakenly left these files with improper permissions, allowing anyone or any app to read them,” said Case. “Not only are they accessible, but [they're] completely unencrypted.”
Case created an Android application that demonstrated retrieving the unsecured data, and warned that hackers could do the same.
“A rogue developer could modify an existing application with code from our proof of concept, distribute that application on the [Android] Market, and just watch as all that private user information pours in,” Case said.
Case’s concern is well-founded. Last month Google yanked more than 50 malware-infected apps from its Android Market, while three weeks ago Czech security company AVAST said a different rogue app, designed to shame software pirates, sent personal information to the maker of the “Walk and Text” app.
On Friday, Skype acknowledged what it called a “privacy vulnerability” in its Android client. Although it promised to address the problem, it did not spell out a timetable.
“We are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application,” said Adrian Asher, Skype’s chief information security officer, in an entry on a company blog.
As of late Sunday, the Skype app for Android had not been updated.
Although the Hamburglar is known for attempting to steal from McDonald’s, he is probably not the culprit in this latest, more serious theft. McDonald’s reported that it is working with law enforcement authorities after hackers broke into another company’s databases and stole information about an undetermined number of the fast food chain’s customers.
McDonald’s has also alerted potentially affected customers via email and through a message on its Web site.
“We have been informed by one of our long-time business partners, Arc Worldwide, that limited customer information collected in connection with certain McDonald’s websites and promotions was obtained by an unauthorized third party,” a McDonald’s spokeswoman said via email on Saturday.
McDonald’s hired Arc to develop and coordinate the distribution of promotional email messages, and Arc in turn relied on an unidentified email company to manage the customer information database. This email company’s systems were hacked into.
The data, which customers had provided voluntarily, doesn’t include Social Security numbers, credit card numbers or any sensitive financial information, she said.
“Rather, the limited information includes what was required to confirm the customer’s age, methods to contact the customer, and other general preference information,” the spokeswoman added.
This means that customer data likely includes full names, phone numbers, postal addresses and e-mail addresses. The spokeswoman didn’t say what information was required for age confirmation, so it’s not clear if customers simply checked a box saying they were adults or if they had to provide their date of birth.
“In the event that you are contacted by someone claiming to be from McDonald’s asking for personal or financial information, do not respond and instead immediately contact us,” reads the McDonald’s note to customers. The number to call is 1-800-244-6227.
In addition to working with law enforcement agencies, McDonald’s is probing the security breakdown at the company hired by Arc, which is the marketing services division of ad agency Leo Burnett. Arc’s specialities include digital communications, direct marketing, promotions and shopper marketing, according to its website.
The Federal Communications Commission (FCC) confirmed on Wednesday that it is investigating whether Google broke any federal eavesdropping laws when collecting data for its increasingly unpopular Street View mapping service.
The investigation stems from Google’s disclosure recently that its Street View cars collected passwords, e-mails and other personal information from unprotected residential wireless networks, the FCC said in a statement.
In light of Google’s disclosure, “we can now confirm that the Enforcement Bureau is looking into whether these actions violate the Communications Act,” Michele Ellison, chief of the FCC’s Enforcement Bureau, said in the statement.
“As the agency charged with overseeing the public airwaves, we are committed to ensuring that the consumers affected by this breach of privacy receive a full and fair accounting,” the FCC statement said.
The FCC’s investigation adds to the growing list of organizations that are looking into whether Google broke any laws when collecting data for Street View. In May, Google disclosed that the accidental inclusion of code written for an experimental Wi-Fi project was causing its Street View vehicles to inadvertently collect “payload” data from unprotected Wi-Fi networks along the routes.
Google said that it has since removed the code and stopped collecting any Wi-Fi data. The company’s disclosure has prompted regulators in several countries, including the United Kingdom, Germany, Canada and South Korea, to launch investigations into the matter.
In the U.S. in June, Connecticut attorney general Richard Blumenthal announced that he was launching a multistate investigation into “Google’s deeply disturbing invasion of personal privacy.”
The Federal Trade Commission also launched a similar investigation earlier this year but closed it last month as a result of what it said was Google’s assurances that it would delete any data that it had collected and not use it in any manner.
The Electronic Privacy Information Center (EPIC), which in May had asked the FCC for an investigation into Google’s Street View data collection, today welcomed the investigation.
EPIC president Marc Rotenberg said by e-mail that none of Google’s Wi-Fi collection activities would have come to light if European data protection officials hadn’t opened an investigation. “The public also does not understand that while the interception of communications traffic may have been accidental, the collection of Wi-Fi device name and location information was not,” Rotenberg said.
Google reiterated what it has been saying since the controversy first began. “We are profoundly sorry for having mistakenly collected payload data from unencrypted networks,” the company said in a statement.
As soon as Google realized what was happening it stopped collecting all Wi-Fi data from its Street View cars and informed appropriate authorities, the company said. “We assured the FTC, which has closed its inquiry, we did not want and have never used the payload data in any of our products and services,” the company said, adding that it will delete the data as “soon as possible.”