Hacking Your Fridge – Internet of Things Security

So one of the latest fads is IoT or the Internet of things phenomena which has been talked about for a while (especially since the discussion of IPv6 started), IoT is connecting physical items to the Internet and giving them some kind of IP (be in NAT or a proper IPv6 address).

This enabled you to control your lights (on/off & dimming) via your phone, or anything else that can be connected (turn on your kettle, check your fridge temperature, warm up your oven etc).

The possibilities are basically endless.

Internet of Things Security

The issues IoT brings is of course a whole new set of security concerns, if everything is Internet connected, it’s also prone to get hacked, spammed, DDoSed and generally fscked up.

Imagine if your house alarm is Internet savvy and someone DDoSed the control box, so you can’t get into your own house, unless you pay some kind of ransom. These things are going to happen.

Those convinced that the emerging Internet of Things (IoT) will become a hackers’ playground were given more grist for their mill with news on Friday that security researchers have discovered a weakness in Wi-Fi/mesh networked lightbulbs.

Researchers at Context Information Security discovered that LED light bulbs from manufacturer LIFX – which are designed to be controlled from a smartphone – have security weaknesses. By gaining access to the master bulb, Context was able to control all connected lightbulbs and expose user network configurations.

Context worked with LIFX to develop a patch for the security bug before releasing a fix in the form of a firmware update. Simon Walker from LIFX stated: “Prior to the patch, no one other than Context had exposed this vulnerability, most likely due to the complexity of the equipment and reverse engineering required.”

Thankfully IoT is a fairly new thing so not many malicious hackers are looking into it, plus for now – there’s no real monetary value when it comes to hacking into a lightbulb. Rather annoying yes? Business critical? No.

That is of course, until the point where your Lightbulb is part of your corporate LAN and hacking the lightbulb gives you access to the internal network..then it becomes a whole different story.

Context’s find is part of its ongoing research into the security of the Internet of Things (IoT) – which includes parking meters, internet-enabled fridges and much more besides. Many of these components are being put together with little thought for basic security precautions, according to Context.

“It is clear that in the dash to get onto the IoT bandwagon, security is not being prioritised as highly as it should be in many connected devices,” said Michael Jordon, research director at Context. “We have also found vulnerabilities in other internet connected devices from home storage systems and printers to baby monitors and children’s toys.”

So yah, as IoT becomes more of a ‘thing’ and adoption goes up, Internet of Things Security is going to become a major issue and it could well become the next hackers playground.

Fortunately this case is more of a research/knowledge share than actually something exposing risk or a published zero-day exploit against an IoT device. I would imagine in the coming year or so we’ll see a lot more similar incidents.

Source: The Register

Source: Hacking Your Fridge – Internet of Things Security

Posted in Darknet, English-Italian Translations and tagged , by with no comments yet.

Cybercrooks Breed Self-Cloning Mutant That Steals Your Bank Details

Cybercrooks Breed Self-Cloning Mutant That Steals Your Bank Details Cybercrooks have put together a botnet client which bundles in worm-like functionality that gives it the potential to spread quickly.
Seculert warns that the latest version of the Cridex (AKA Geodo) information stealing Trojan includes a self-spreading infection method.

Infected PCs in the botnet download a secondary strain of malware – an email worm – from the botnet’s command and control servers. That worm pushes out an email with links to download a zip file containing the primary Cridex Trojan.

Seculert discovered that the the email worm is provided with approximately 50,000 stolen SMTP account credentials, including the related SMTP servers. The bot then uses these credentials to target mostly German marks by sending spoofed emails posing as messages from German banks and financial organisations.

Read more.

Source: The Register

Fonte: Cybercrooks Breed Self-Cloning Mutant That Steals Your Bank Details

Posted in DFI News, English-Italian Translations and tagged by with no comments yet.

Yes, your smartphone camera can be used to spy on you…

smartphone-camera-170Yes, smartphone cameras can be used to spy on you – if you’re not careful.

A researcher claims to have written an Android app that takes photos and videos using a smartphone camera, even while the screen is turned off – a pretty handy tool for a spy or a creepy stalker.

University student Szymon Sidor claimed in a blog post and a video that his Android app works by using a tiny preview screen – just 1 pixel x 1 pixel – to keep the camera running in the background.

Now that most smartphones come with a camera (or two), and camera use is popular with apps like Instagram that encourage photo sharing, it’s a little surprising it has taken so long for hackers to find sneaky ways to exploit them.

Spyware of this sort has been around for a long time for Windows – the malware called Blackshades for example, which hackers have used to secretly record victims with their computer’s webcam.

But this seems to be the first reported instance of an Android application that can hijack a smartphone or tablet’s camera for the same devious purpose.

According to Sidor, the Android operating system won’t allow the camera to record without running a preview – which is how Sidor discovered that he could make the preview so small that it is effectively invisible to the naked eye.

Sidor demonstrated how the app works in a video, using his Nexus 5 smartphone.

Sidor said his app worked so well it was “scary”:

The result was amazing and scary at the same time - the pixel is virtually impossible to spot on Nexus 5 screen (even when you know where to look)!

Also it turned out that even if you turn the screen completely off, you can still take photos, as long as the pixel is still there.

Allowing the camera to run in the background – without an indicator in the notification bar – is “inexcusable” and should be fixed by Google’s Android team, Sidor commented in his blog post.

Selfie spies

smartphone-spycam-170There are other Android spyware apps readily available, such as mSpy, that allow snoops to access a device’s activity such as text messages, location, and even make audio recordings.

This is one of the first reported instances, however, of an app that successfully uses the smartphone camera without the user’s knowledge.

But just because this Android vulnerability is something that researchers are just recently discovering doesn’t mean others haven’t tried to exploit it maliciously.

In March 2014 we reported at Naked Security about a spyware app for Google Glass that could take photos without the Glass display being lit.

Mike Lady and Kim Paterson, graduate researchers at Cal Poly, in California, uploaded to Play Store a Google Glass spyware app (disguised as a note-taking app called Malnotes).

Google only discovered the Glass spyware and took it down from Play Store when the pair’s professor tweeted about their research experiment.

Perhaps the researchers were wrong to knowingly violate Google’s developer policies to serve up their spyware – but it’s a warning sign that even the all-powerful Google can’t completely secure Google Play against malicious apps.

The best advice we have for Android users still applies here and in many other examples of bad apps:

  • Stick as far as possible to Google Play.
  • Avoid apps that request permissions they don’t need.
  • Consider using an Android anti-virus that will scan apps automatically before you run them for the first time.

Source:Yes, your smartphone camera can be used to spy on you…

Posted in Naked Security, English-Italian Translations and tagged , by with no comments yet.

Pirated ‘Watch Dogs’ Game Made A Bitcoin Mining Botnet

Pretty smart idea this one, we wrote about Yahoo! spreading Bitcoin mining malware back in January, but we haven’t really seen any of that type of activity since then.

Watch Dogs Bitcoin Mining Botnet

But this, this is a much better target audience – gamers with high powered GPUs! Especially as this is one of most hyped ‘next-gen’ games for 2014 (yes I’ve been eagerly awaiting it for my PS4). But pirating Watch Dogs via a torrent from popular warez group SkidRow could make you part of a Bitcoin mining botnet!

Tens of thousands of pirate gamers have been enslaved in a Bitcoin botnet after downloading a cracked copy of popular game Watch Dogs.
A torrent of the infected title, which supposedly has had its copy-protection removed, had almost 40,000 active users (seeders and leachers) and was downloaded a further 18,440 times on 23 May on one site alone.
Pirates reported on internet forums that the torrent package masquerading under the popular torrent brand SkidRow had quietly installed a Bitcoin miner along with a working copy of the game.
The Windows miner ran via two executables installed in the folder AppData\Roaming\OaPja and would noticeably slow down lower performance machines sucking up to a quarter of CPU power.
Most sources have removed the offending torrent. Analysis has yet to be done to determine the location or identities of actors behind the attack.

It seems like it was a massively popular torrent, so the infection could easily reach tens of thousands of pirate gamers, which would then turn into a Bitcoin mining botnet with tens of thousands of users (A fairly profitable proposition, even with the current Bitcoin mining difficulty).

It’s also slightly ironic that the tagline for the game is “Everything is connected” as if you pirate it, everyone is connected..to the botnet. And of course the fact it’s a game about ‘hacking’ – although I haven’t played it yet and the reports of the hacking part aren’t great.

Gamers were choice targets for Bitcoin mining malefactors because they often ran high-end graphical processing units (GPUs) and shunned resource-draining anti-virus platforms.

“If you happen to download cracked games via Torrent or other P2P sharing services, chances are that you may become a victim of [a] lucrative trojan bundled with a genuine GPU miner,” BitDefender chief strategist Catalin Cosoi said of an early Bitcoin miner that targeted gamers.

“We advise you to start checking your system for signs of infection, especially if you are constantly losing frames-per-second.”

Using stolen dispersed compute resources was one of the few ways punters could make decent cash by crunching the increasingly difficult mathematical algorithms required to earn Bitcoins.

Crims have in recent years foisted the compute-intensive Bitcoin miners in a host of attacks targeting valuable high-end GPUs right down to ludicrously slow digital video recorders.

They might have been better off mining something else though (Scrypt based coins like Litecoin or perhaps even X11 mining), if they did X11 mining the users probably wouldn’t even notice any framedrops or their GPU fans spinning at full speed.

I’m honestly surprised we don’t see more botnets based around cryptocurrency mining, I guess it’s just not that mainstream yet. And you need a good bait to get so many people to install malware these days (and get past their anti-virus software).

Which is another reason gamers make a good target as they often don’t even use AV software or disable it for maximum performance.

Source: The Register

Source: Pirated ‘Watch Dogs’ Game Made A Bitcoin Mining Botnet

Posted in Darknet, English-Italian Translations and tagged , , , by with no comments yet.

Money Laundered through Online Gambling Sites

A new report by McAfee sheds light on the underground world of online gambling. It identifies the proliferation of online casinos, an industry set to grow nearly 30 percent over the next three years, and how their use is fuelling cyber crime by making it easy to “cash in” on illegal activities.

Online gambling involves huge volumes of transactions and cash flows that can obscure and disguise money laundering. Players are not dealing with a tangible, physical product; physical currency does not change hands. As a result, illegal proceeds can be laundered by wagering them on one end of a transaction and receiving the payouts as gambling wins on the other end.
Furthermore, gambling winnings are tax free in many jurisdictions, making official reporting to governments unworkable and authorities often incapable of monitoring transactions.
Online gambling sites facilitate money laundering while the number of unlicensed sites is over ten times that of licensed operators. This trend, combined with the many sites now operating on the Dark Web and leveraging virtual currencies, shows the extent of the challenge for law enforcement.
Read more.
Source: Help Net Security

Source: Money Laundered through Online Gambling Sites

Posted in DFI News, English-Italian Translations and tagged , , by with no comments yet.

Malicious Apps Can Make Android Phones Useless

Security researchers said they have uncovered bugs in Google’s Android operating system that could allow malicious apps to send vulnerable devices into a spiral of endlessly looping crashes and possibly delete all data stored on them.

Apps that exploit the denial-of-service vulnerability work on Android versions 2.3, 4.2.2, 4.3, and possibly many other releases of the operating system, researcher Ibrahim Balic wrote in a blog post. Attackers could exploit the underlying memory corruption bug by hiding attack code in an otherwise useful or legitimate app that is programmed to be triggered only after it is installed on a vulnerable handset. By filling the Android “appname” field with an extremely long value exceeding 387,000 characters, the app can cause the device to go into an endless series of crashes.

Read more.

Source: Ars Technica

Source: Malicious Apps Can Make Android Phones Useless

Posted in DFI News, English-Italian Translations and tagged by with no comments yet.

Secure Erasing Android Devices Guide for the Super Paranoid Seller.

Any of my friends would tell you that I’m crazy paranoid about malicious users–especially when I sell off my old electronics. I’m the type of guy who’d prefer to put a nail through an old device. Unfortunately I’m also the type of guy that likes to buy the new Nexus devices every time they release–so I prefer to sell my old devices to help fund my new purchases. To do this I had to come up with a way to make myself feel good about selling my old devices. Now I know one really easy way to do this is to enable encryption on your device and then format it. For some reason when selling my HTC One X the encryption just kept failing and the SD card is non removable so I needed to find a way to get piece of mind and still sell the device–which led me to come up with this method.

I’m not 100% sure, but I believe you might need BusyBox/Root installed to do this–or it’s possible you can do it using just using the Android SDK (which, you will need) but I am going to assume anyone who understand that factory resetting your device doesn’t actually remove any data are more than likely the same type of people who’d be rooting their android devices.

Also just as a side note, I’m not saying this is the most secure thing in the world but it’s what I do and it makes me feel pretty good. I’ve confirmed by running Recuva in deep scan mode that I wasn’t able to recover any data from the /sdcard, however, I have no way to confirm for the /data partition. I’m just assuming it works just as well as it did for the internal SD card.

This process essentially includes 2 steps

  1. Formatting the Storage
  2. Zeroing out /sdcard, and /data

So let’s get started…

Step 1 — Formatting the Storage

This is a pretty basic deal and when you buy a phone online that’s used it’s likely as far as the other user has gone to secure the data–which I assure you isn’t much at all. All this is going to do is tell the OS that where your data used to be is now “Available” so that the OS can write over it. If you were to run a tool like Recuva after running a simple Factory Reset you’ll be able to recover much of the files. This isn’t just an Android thing–it applies to all storage mediums though not so much to flash media as hard drives. The reason I used this as a starting point is to tell the OS that everything is “available” for writing, which is how we want it. To do this you can either use your recovery or by going to Settings > Backup and Reset > Factory Reset and let the OS do its thing.

Step 2 — Zeroing out /sdcard and /data

Now that we’ve labeled all the data on the device as available for the writing, it’s time to start “Zeroing Out” the data. Which essentially means writing 0′s over the data that we previously marked as “Available”. Ideally after doing this if someone attempts to restore your data they’ll be restoring the 0′s and not your personal data. On older HDD’s it’s a good idea to do this multiple times but many experts have suggested one pass is all that’s necessary on flash media.

First thing you’ll want to do is fire up the Android SDK using the command line and navigate to the platform-tools folder where you’ll find fastboot and adb. It’s found in /androidsdk/platform-tools.

Once in your platform tools run the following command:

./adb devices

If you get a print out with a serial number you are good to go–this means that your computer is reading your phone just fine. If you don’t get anything be sure to go into your Developer Settings and enable USB Debugging.

Once you’ve got the phone and the SDK speaking together type the following command to access the shell of your device:

./adb shell

You should be greeted by a bash as shown in the image below:

Screen Shot 2013-02-16 at 1.10.14 PM

Once in your phones command line run the following command:

dd if=/dev/urandom of=/sdcard/junkfile

You won’t get a response for a while, what this is essentially doing is creating a file filled with random data on your phones SD Card until it’s completely full–at which point it will be brought to a hault. You can verify this by going into Settings > Storage and watching the % free on your SD card continue to go down.

When the process is all done you should get a message like the following, that details the amount of space written. It should resemble the size of your SD Card.

Screen Shot 2013-02-16 at 5.01.55 PM

Once the process is complete we’ll want to repeat the same line, with a slight modification as follows:

dd if=/dev/urandom of=/data/junkfile

This will create another junk file on your device with random data, except rather than being in /sdcard it’ll be in /data. /data is where all the settings for your various apps are stored. The way that I verified this process was still running was by opening a another terminal window and using ./adb shell to run ls -all -h to watch the size of the file continue to grow as shown below:

Screen Shot 2013-02-16 at 4.59.52 PM

You can see the size of “junkfile” going from ~600MB to ~1.5GB. Once the /data folder is completely full you’ll not only get a confirmation on the shell but your Android device should pop down a message in your notification window that the data partition is full and system functions might start breaking–for once this is good!

So at this point you’ve successfully filled your /data and /sdcard folders, the two main areas where personal information is stored on Android, with a bunch of random data.

The next and final step of the process is to simply return to Step 1 and Factory Reset the phone one last time. This will mark the data as “Available” and give the new owner of your device a “new phone” experience. It’s not necessary I suppose, but I’m guessing the buyer of your phone won’t take too kindly to turning on a phone filled with error messages. ;)

I’m not expert, however, as I stated before when running recovery software I was unable to recover any data from my HTC One X when I sold it–so I’d say this method is pretty handy at cleaning the device from 99.9% of users out there.

A little over the top? Definitely. That’s exactly how I like it!

Source: Secure Erasing Android Devices Guide for the Super Paranoid Seller

Posted in English-Italian Translations, Zackery Fretty and tagged , , by with no comments yet.

Using heartbeats as passwords to secure medical devices

Heartbeat. Image courtesy of Shutterstock.It is time to start thinking of our hearts as random number generators. That’s so they can serve as passwords to secure medical devices that are vulnerable to hacking, researchers at Rice University have proposed.

In Softpedia’s Eduard Kovacs that, in essence, given a heartbeat’s variability, the heart can function as something of a random number generator:

The signal from your heartbeat is different every second, so the password is different each time. You can’t use it even a minute later.

Hacking of medical devices is, at this point, demonstrably feasible.

The US government in October 2012 told the US Food and Drug Administration (FDA) to finally start taking medical device security seriously, whether we’re talking about intentional hacking, unencrypted data transfer that can be manipulated or a host of other threat vectors.

In June 2013, the FDA complied, calling on medical device manufacturers and health care facilities to start addressing medical devices’ vulnerability to cyberattack.

Koushanfar and Rostami will present the system in November at the Conference on Computer and Communications Security in Berlin.

Before we see H2H debut, it will need to obtain FDA approval. After that, it’s up to medical device manufacturers to adopt the technology.

It’s a fascinating approach to authentication.

My insulin pump and I look forward to seeing whether it wins approval and achieves adoption in the medical device industry.

After that, who knows?

Perhaps our beating hearts will someday be a viable alternative to the easily guessable, completely hackable security questions that are now used to supposedly verify that we are, indeed, who we say we are.

Source: Using heartbeats as passwords to secure medical devices

Posted in Naked Security, English-Italian Translations and tagged , , , by with no comments yet.

iPhone Sensor Surveillance

The new iPhone has a motion sensor chip, and that opens up new opportunities for surveillance:

The M7 coprocessors introduce functionality that some may instinctively identify as “creepy.” Even Apple’s own description hints at eerie omniscience: “M7 knows when you’re walking, running, or even driving…” While it’s quietly implemented within iOS, it’s not secret for third party apps (which require an opt-in through pop-up notification, and management through the phone’s Privacy settings). But as we know, most users blindly accept these permissions.

It all comes down to a question of agency in tracking our physical bodies.

The fact that my Fitbit tracks activity without matching it up with all my other data sources, like GPS location or my calendar, is comforting. These data silos can sometimes be frustrating when I want to query across my QS datasets, but the built-in divisions between data about my body ­– and data about the rest of my digital life — leave room for my intentional inquiry and interpretation.

Fonte: iPhone Sensor Surveillance

Posted in Bruce Schneier, English-Italian Translations by with no comments yet.

Whatever Happened to Facebook Likejacking?

Back in 2010, Facebook likejacking (a social engineering technique of tricking people into posting a Facebook status update) was a trending problem. So, whatever happened to likejacking scams and spam? Well, Facebook beefed-up its security — and the trend significantly declined, at least when compared to peak 2010 numbers.

But you can’t keep a good spammer down. Can’t beat them? Join them.

Today, some of the same junk which was spread via likejacking… is now spread via Facebook Advertising.

Facebook Sponsors

The top middle thumbnail above is some kind of malformed egg. Typical click-bait.

The ad links to a Page with localized campaigns. Note the “Ca” and the “Fi”.

Cooking Lessons 101

The landing page uses an “app” trick to automatically redirect to a spam campaign:

Work from home scheme

We’re pretty sure such tricks are a violation of Facebook’s ToS. But so far, Facebook hasn’t reacted to the sample we sent them.


Some of the spam campaigns are not exactly “safe for work” depending on the source ads:

Jailbait ads

Also a concern: some of the ads appear to be linked to compromised websites. The spammers may not even be paying for these ads.

Are you judged by the company you keep?

That’s probably a question legitimate brands with a Facebook presence should be asking themselves.

Source: Whatever Happened to Facebook Likejacking?

Posted in F-Secure, English-Italian Translations and tagged , , , by with no comments yet.