Palo Alto Networks Inc has uncovered a new group of malware that can infect Apple Inc’s desktop and mobile operating systems, underscoring the increasing sophistication of attacks on iPhones and Mac computers.
The “WireLurker” malware can install third-party applications on regular, non-jailbroken iOS devices and hop from infected Macs onto iPhones through USB connector-cables, said Ryan Olson, intelligence director for the company’s Unit 42 division.
Palo Alto Networks said on Wednesday it had seen indications that the attackers were Chinese. The malware originated from a Chinese third-party apps store and appeared to have mostly affected users within the country.
The malware spread through infected apps uploaded to the apps store, that were in turn downloaded onto Mac computers. According to the company, more than 400 such infected apps had been downloaded over 350,000 times so far.
It’s unclear what the objective of the attacks was. There is no evidence that the attackers had made off with anything more sensitive than messaging IDs and contacts from users’ address books, Olson added.
But “they could just as easily take your Apple ID or do something else that’s bad news,” he said in an interview.
Apple, which Olson said was notified a couple weeks ago, did not respond to requests for comment.
Once WireLurker gets on an iPhone, it can go on to infect existing apps on the device, somewhat akin to how a traditional virus infects computer software programs. Olson said it was the first time he had seen it in action. “It’s the first time we’ve seen anyone doing it in the wild,” he added.
A team of cybersecurity firms financed by big banks plan to introduce a platform that will allow financial companies to communicate faster about potential cyber breaches, the Wall Street Journal reported.
The move follows cybersecurity attacks on some big banks last month, where JPMorgan Chase & Co’s computer systems were hacked exposing the contact details of 73 million households and 7 million small businesses.
The group gathered funds from 16 banks including JPMorgan, Citigroup Inc, BB&T Corp and U.S. Bancorp, to help lead the effort, the newspaper said.
The product, called ‘Soltra Edge’, is being launched by the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Depository Trust & Clearing Corp (DTCC). It has been in the works for more than a year and is expected to be out next month, the report said.
Earlier this year, JP Morgan said it expects to spend more than $250 million on cyber security, with about 1,000 people working on that area, after being warned by U.S. regulators about the threat of rising cyber attacks on bank machines.
A pilot version of Soltra was used in spreading the information received by FS-ISAC from JPMorgan after the breach, the Journal said, citing sources.
Soltra, which offers a free edition as well as a paid one, will help track threat information within seconds, a spokesman for Soltra told Reuters.
The banks would be major competitors to handset makers Apple and Google because unlike others pushing mobile wallet technology, such as mobile phone carriers and retailers, they already have an intimate relationship with consumers and know their spending habits.
“Banks all around the world are working on this right now,” said James Anderson, senior vice president for mobile and emerging payments at MasterCard.
Anderson didn’t name any of the banks, but said MasterCard is already in conversations with them on how to add mobile payment capability to the existing apps that millions of consumers already have on their phones.
The most likely way will be through a technology called host card emulation, which was introduced in Android 4.4 “KitKat” and allows software apps to emulate the secure element chip found on some bank cards and the iPhone 6. Using software means wider compatibility with phones than if a dedicated chip were required.
The mobile payments market had been relatively quiet until recently. Google Wallet and Softcard, a competitor backed by cellular carriers, were in the market but consumer awareness and interest appeared to be low.
That changed with the launch of Apple Pay on Oct. 20. A million cards were activated in the first three days of use and early adopters have praised its ease of use: users just need to hold their thumb over the iPhone 6 fingerprint reader and bring the device near a terminal for payment to be made.
As a result, competitors are planning their attack. Next year CurrentC, backed by some of the biggest retailers in the U.S., will launch and companies like PayPal are also hoping to expand their footprint in stores.
But an app from a bank might have an edge because it removes a potential hurdle to adoption: unease among consumers that a third party is getting access to details of the purchases they make.
Apple has stressed that it doesn’t see any of the purchases made by its users but Google’s system is set up so that all payments run through the company’s servers — giving the company an additional layer of information into the lives of its users.
A bank already has access to this information because of its nature and is presumably trusted by its customers. If a customer has a banking app on their phone, it would suggest they also have faith in the bank’s online security system.
A comprehensive security audit of its ads code was recently completed, but Facebook “would like to encourage additional scrutiny from whitehats to see what we may have missed,” wrote Collin Greene, a security engineer, in a blog post. “Whitehats” refers to ethical security researchers, as opposed to “blackhats” who take advantage of vulnerabilities.
According to bug bounty program guidelines, Facebook pays a minimum of $500 for a valid bug report. Until the end of the year, that has been increased to $1,000.
Greene wrote that the majority of reports it receives concern more common parts of Facebook’s code, but the company would like to encourage interest in ads “to better protect businesses.”
Facebook’s ad tools include the Ads Manager, the ads API (application programming interface) and Analytics, which is also called Insights, Greene wrote. The company also wants close scrutiny of its back-end billing code.
“There is a lot of backend code to correctly target, deliver, bill and measure ads,” Greene wrote. “This code isn’t directly reachable via the website, but of the small number of issues that have been found in these areas, they are relatively high impact.”
Greene wrote that Facebook typically sees bugs such as incorrect permission checks, insufficient rate-limiting, edge-case CSRF (cross-site request forgery) issues and problems with Flash in its ads code.
Last month, the FBI warned healthcare providers to guard against cyber attacks after one of the largest U.S. hospital operators, Community Health Systems Inc, said Chinese hackers had broken into its computer network and stolen the personal information of 4.5 million patients.
Security experts say cyber criminals are increasingly targeting the $3 trillion U.S. healthcare industry, which has many companies still reliant on aging computer systems that do not use the latest security features.
“As attackers discover new methods to make money, the healthcare industry is becoming a much riper target because of the ability to sell large batches of personal data for profit,” said Dave Kennedy, an expert on healthcare security and CEO of TrustedSEC LLC. “Hospitals have low security, so it’s relatively easy for these hackers to get a large amount of personal data for medical fraud.”
Interviews with nearly a dozen healthcare executives, cybersecurity investigators and fraud experts provide a detailed account of the underground market for stolen patient data.
The data for sale includes names, birth dates, policy numbers, diagnosis codes and billing information. Fraudsters use this data to create fake IDs to buy medical equipment or drugs that can be resold, or they combine a patient number with a false provider number and file made-up claims with insurers, according to experts who have investigated cyber attacks on healthcare organizations.
Medical identity theft is often not immediately identified by a patient or their provider, giving criminals years to milk such credentials. That makes medical data more valuable than credit cards, which tend to be quickly canceled by banks once fraud is detected.
Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, according to Don Jackson, director of threat intelligence at PhishLabs, a cyber crime protection company. He obtained the data by monitoring underground exchanges where hackers sell the information.
Community Health Systems Inc., one of the largest U.S. hospital groups, is reporting that it was the victim of a cyber attack from China, resulting in the theft of Social Security numbers and other personal data belonging to 4.5 million patients.
Security experts said the hacking group, known as “APT 18,” may have links to the Chinese government.
“APT 18” typically targets companies in the aerospace and defense, construction and engineering, technology, financial services and healthcare industries, said Charles Carmakal, managing director with FireEye Inc’s Mandiant forensics unit, which led the investigation of the attack on Community Health in April and June.
“They have fairly advanced techniques for breaking into organizations as well as maintaining access for fairly long periods of time without getting detected,” he said.
The information stolen from Community Health included patient names, addresses, birth dates, telephone numbers and Social Security numbers of people who were referred or received services from doctors affiliated with the hospital group in the last five years, the company said in a regulatory filing.
The stolen data did not include medical or clinical information, credit card numbers, or any intellectual property such as data on medical device development, said Community Health, which has 206 hospitals in 29 states.
The attack is the largest of its type involving patient information since a U.S. Department of Health and Human Services website started tracking such breaches in 2009. The previous record, an attack on a Montana Department of Public Health server, was disclosed in June and affected about 1 million people.
Chinese hacking groups are known for seeking intellectual property, such as product design, or information that might be of use in business or political negotiations.
Social Security numbers and other personal data are typically stolen by cybercriminals to sell on underground exchanges for use by others in identity theft.
Over the past six months Mandiant has seen a spike in cyber attacks on healthcare providers, although this was the first case it had seen in which a sophisticated Chinese group has stolen personal data, according to Carmakal. Mandiant monitors about 20 hacking groups in China.
The UK Government isn’t doing enough to warn about the risks of cybercrime on a mass level, security firm Kaspersky has claimed.
Speaking at a company roundtable event at the firm’s European hub in London on Thursday, Kaspersky security researcher David Emm said the government isn’t doing as much as it could be to educate people about cyber security.
“I’d like to see the government doing more to get the message out to mainstream citizens and individuals because that’s the bone in which the industry is growing; the individuals with ideas,” Emm said.
“If you look at it, the recent Cyber Street Wise campaign aside, I don’t think the government is doing very much in terms of mainstream messaging and I would certainly like to see it do more.”
Emm used the example of major UK marketing campaigns promoting the dangers of drink driving as an ideal model because they have been drilled into us over the years.
“As parents, we’ve this body of common sense, such as drink driving, and it’s drip, drip, drip, over the years that has achieved that and I think we need to get to a point where we have some body of online common sense in which business people can draw upon; there’s definitely a role for education.”
Barclays bank, which was also present at the roundtable, agreed with Emm.
“The government really needs to recognise this is a serious issue – if you’re bright enough to set up your own business, you’re bright enough to protect yourself,” added the firm’s MD of fraud prevention Alex Grant.
Emm concluded by saying that the government’s Cyber Street Wise campaign that was launched in January was good enough to make people aware of the risks of cybercrime in the metropolitan areas. However, he said he’d like to see the government focus more on regional areas as people in sparsely populated areas weren’t as aware of it.
Kaspersky’s roundtable took place as part of the firm’s launch of a report that found small businesses in the UK are “woefully unprepared” for an IT security breach, despite relying increasingly on mobile devices and storing critical information on computers.
The study found that nearly a third, or 31 percent, of small businesses would not know what to do if they had an IT security breach tomorrow, with four in ten saying that they would struggle to recover all data lost and a quarter admitting they would be unable to recover any.
Duo Security Research has warned that it is possible to bypass two-factor authentication (2FA) protection on Paypal.
The researchers said that all an attacker needs to access an account is a username and password, but Paypal added that it has a workaround in place and a fix is on the way.
“An attacker only needs a victim’s Paypal username and password in order to access a two-factor protected account and send money. The protection offered by the two-factor Security Key mechanism can be bypassed and essentially nullified,” Duo Security Research said.
“Paypal has put a workaround in place to limit the impact of the vulnerability, and is actively working on a permanent fix. In light of the vulnerability reporting timeline and the trivial discoverability of the vulnerability, we have elected to publicly disclose this issue, so that users can be informed of the risks to their Paypal account security.”
The problem exists in the mobile Paypal apps that can be tricked into ignoring 2FA protection on user accounts.
The security firm, which developed a proof of concept exploit for the bug, said, “The protection offered by the two-factor Security Key mechanism can be bypassed and essentially nullified.”
It added, “While Paypal’s mobile apps do not currently support 2FA-enabled accounts, it is possible to effectively trick the Paypal mobile applications into ignoring the 2FA flag on the account, subsequently allowing an attacker to log in without requiring secondary authentication.”
Paypal has penned a blog post saying that this is all in hand, and that the flaw has been disabled.
“The workaround identified by the researcher is related to an extra layer of security (2FA) some customers have chosen to add to their Paypal account. Customers who do not use the Paypal security key (physical card or SMS codes) as an additional step to log into their accounts are not impacted in any way,” Paypal said.
“Even though 2FA is an additional layer of authentication, Paypal does not depend on 2FA to keep accounts secure. We have extensive fraud and risk detection models and dedicated security teams that work to help keep our customers’ accounts secure from fraudulent transactions, every day.”
Paypal said that customer accounts were, and have remained, secure. Duo Security said that it hopes that “full support of two-factor authentication in the [Paypal] official mobile applications and third-party merchant apps” follows.
Recently Paypal’s parent company eBay was the scene of a security scandal that made people question whether it really understands security at all.
The components of a digital surveillance tool used by governments around the globe have been uncovered by Kaspersky Lab, whose research team tracked down and reverse engineered the Hacking Team’s Remote Control System (RCS) tool.
Hacking Team is an Italian company that develops the ‘legal’ RCS spyware tool, and supposedly sells it to governments as a surveillance device. Kaspersky’s Securelist has been tracking the Hacking Team since 2011, when Wikileaks released documents describing the functions of the spyware programs the company has offered to government agencies since 2008.
In early 2012, Kaspersky Lab experts detected malicious programs running on Windows that were suspiciously similar to the programs described on Wikileaks as the Remote Control System, the description of which was published at the company’s website www.hackingteam.it. However, at the time, Kaspersky Lab had no way of knowing about the connections between the threats that were detected and the Hacking Team spyware program.
Now, however, the Russian security company says that new components target iOS, Android, Windows Phone and Blackberry users, and are actually part of Hacking Team’s much bigger set of tools targeting desktops and laptops.
From its findings, Kaspersky said the iOS and Android modules provide a multitude of features to whoever’s hands they fall into, giving them complete control over targeted phones.
“Secretly activating the microphone and taking regular camera shots provides constant surveillance of the target, which is much more powerful than traditional cloak and dagger operations,” Kaspersky Lab researcher Sergey Golovanov said in a blog post about the findings.
The tools could give governments access to emails, text messages, call history and address books, as well as logging keystrokes and obtaining search history data.
Once installed, the tool can track a user’s location via the phone’s GPS signal, take screenshots, record audio from the phone to monitor calls or conversations, or hijack the phone’s camera to take pictures.
“We have also seen the emergence of privately owned companies that, according to the information on their official websites, develop and offer software to law enforcement agencies to facilitate the collection of data from user computers,” Kaspersky’s Securelist post read.
“Countries that do not have the requisite technical capabilities are thus able to purchase software with similar functions from private companies.
“In spite of the fact that most countries have laws prohibiting the creation and distribution of malicious programs, this spyware is offered with almost no attempt to conceal its functions.”
The firm added that so far, there aren’t very many of these companies and almost no competition in this particular market, which makes it very attractive to new players and thus sets the stage for a technology race among them.
Hackers have found a way to reverse engineer the technology of the United States National Security Agency (NSA) spy gadgets.
Thanks to documents leaked by fugitive former NSA contractor and whistleblower Edward Snowden, the group has built a copycat device able to gather private data from computer systems.
The Advanced Network Technology catalogue, leaked by Snowden, is the Argos book of the NSA, showing a range of toys available to agents. One such device, known as a “retro reflector”, had eluded identification beyond the fact that it acted as a bug, keylogger and screengrabber.
Michael Ossmann and his team from Great Scott Gadgets, a Colorado-based hacking group, decided that the best defence against such devices was to create their own in order to understand what makes them tick.
It transpired that the key technology being used is called software defined radio (SDR), an approach that uses software to generate radio transmissions through signal processing, doing away with a lot of hardware circuitry.
“SDR lets you engineer a radio system of any type you like really quickly so you can research wireless security in any radio format,” Ossmann told New Scientist.
The technique can be used for almost any type of radio signal and therefore the devices are capable of tracking anything, from what you’re listening to through a Bluetooth headset to the binary signals of your internet traffic.
The group, which will demonstrate its work at the Defcon hacking conference in Las Vegas, runs a website at NSAplayset.org that is a repository for all of the information it gathered.
Speaking at a roundtable at the company’s lab in Helsinki, Finland on Tuesday, F-Secure CEO Christian Fredrikson said that Google knows far too much about us, and any kind of profiling is not something we should condone.
“We don’t think profiling is just innocent, [that] it doesn’t matter; we think it is extremely dangerous,” Fredrikson said.
“It actually means that if you have all the information of people gathered over 10 years, you – in democracies even – could stay in power forever, because if you have all the information, you have all the power.”
For example, Fredrikson said that if you were to go into a job interview tomorrow, the company could, in theory, know that three months ago you went through a divorce, went to a doctor and were prescribed some medicine, all due to Google’s profiling, which could in turn affect the outcome of the interview.
“Taking profiling to a personal level is not innocent, so we feel mass gathering of data of every individual is not something we should be condoning,” he concluded.
A Cryptolocker-style Android virus dubbed Simplocker has been detected by security firm Eset, which confirmed that it scrambles files on the SD cards of infected devices before issuing a demand for payment.
The message is in Russian and the demand for payment is in Ukrainian hryvnias, equating to somewhere between £15 and £20.
Naturally, the warning also accuses the victim of looking at rather unsavoury images on their phone. However, while the source of the malware is said to be an app called “Sex xionix”, it isn’t available at the Google Play Store, which generally means that anyone who sideloads it is asking for trouble.
Eset believes that this is actually more of a “proof of concept” than an all-out attack, and far less dangerous than Cryptolocker, but fully functional.
Robert Lipovsky of Eset said, “The malware is fully capable of encrypting the user’s files, which may be lost if the encryption key is not retrieved. While the malware does contain functionality to decrypt the files, we strongly recommend against paying up – not only because that will only motivate other malware authors to continue these kinds of filthy operations, but also because there is no guarantee that the crook will keep their part of the deal and actually decrypt them.”
Eset recommends the usual: use an anti-malware app. It recommends its own, obviously, and advises punters to keep files backed up. Following such advice, said Lipovsky, ensures that ransomware is “nothing more than a nuisance”.
This is not the first Cryptolocker-style Android virus. Last month a similar virus was found, which Kaspersky said was “unsurprising, considering Android’s market share”.
Hacker blogger Quinn Norton is getting a lot of coverage with her blog post claiming that the Internet is broken. She argues that every computer and every piece of software we use is vulnerable to hackers because of terrible security flaws. Norton blames these flaws on the immense pressure developers face to ship software quickly.
Norton says that those bugs may have been there for years unnoticed, leaving systems susceptible to attacks. One of her hacker mates accidentally took control of more than 50,000 computers in four hours after finding a security vulnerability. Another one of her colleagues accidentally shut down a factory for a day after sending a “malformed ping.”
She said that the NSA wasn’t, and isn’t, the great predator of the internet; it’s just the biggest scavenger around. It isn’t succeeding because its staff are all-powerful math wizards of doom. The real problem is that software is too complicated and too little emphasis is placed on security.
“The number of people whose job it is to make software secure can practically fit in a large bar, and I’ve watched them drink. It’s not comforting. It isn’t a matter of if you get owned, only a matter of when,” Norton said.
Following an attack disclosed last week that exposed sensitive information of up to 145 million people, eBay, the auction giant, is scrambling to repair several other problems reported in its vast network by security enthusiasts.
“As a company, we take all vulnerabilities reported to us very seriously, evaluating any reported issue within the context of our entire security infrastructure,” wrote Ryan Moore, lead manager of eBay’s business communications, in an email to IDG News Service.
EBay has long been a target for cybercriminals. It is the seventh most visited site in the U.S., according to statistics from Amazon’s Alexa Web analytics unit. Its combination of a marketplace and a payments platform, PayPal, means it holds sensitive data and poses an opportunity for fraudsters.
Three U.S. states — Connecticut, Florida and Illinois — are jointly investigating eBay’s data breach, a sign that regulators and law enforcement are taking a keen interest in how consumer data is protected following Target’s data breach last year.
EBay’s size puts it in the league of companies such as Facebook, Google and Microsoft. All run large networks constantly prodded by “black hat” hackers, those who are seeking to damage a company or profit from attacks, and “white hats,” who alert companies to problems.
Yasser Ali, a 27-year-old who lives in Luxor, Egypt, said it took him all of three minutes last week to find a serious vulnerability that could let him take over anyone’s eBay account if he knows a person’s user name, which is public information.
Ali shared a video with eBay showing how the flaw could be exploited, he said in a phone interview Tuesday night. He hasn’t received a response from eBay, but said the video was viewed by company officials 17 times, according to a statistics counter on the clip. Moore said eBay has now fixed the bug, and Ali plans to release details of it.
Security experts have poured cold water on an OpenSSL vulnerability which a group of hackers have dubbed Heartbleed 2. A group of five hackers claimed on Pastebin that they have discovered another major security flaw in OpenSSL. They said they had found a vulnerability in the patched version of OpenSSL: a missing bounds check in the handling of the variable DOPENSSL_NO_HEARTBEATS.
“We could successfully Overflow the DOPENSSL_NO_HEARTBEATS and retrieve 64kb chunks of data again on the updated version,” they said.
The hackers said they would not make the vulnerability public as it would only allow companies to patch the flaw. They added they could exploit the flaw themselves “for a long time” before it gets patched, but they are also willing to sell it for $1,085.
“We are a team of five people, and we have coded nonstop for 14 days to see if we could find a workaround, and we did it! We have no reason to make it public when the vendors will go for an update again,” the group said.
The only evidence given that the vulnerability is real is an image of what appears to be the output from a server in response to a request from the attackers. However, security experts have pointed out that the DOPENSSL_NO_HEARTBEATS variable mentioned by the hackers doesn’t actually exist.