Malicious Apps Can Make Android Phones Useless

Security researchers said they have uncovered bugs in Google’s Android operating system that could allow malicious apps to send vulnerable devices into a spiral of endlessly looping crashes and possibly delete all data stored on them.

Apps that exploit the denial-of-service vulnerability work on Android versions 2.3, 4.2.2, 4.3, and possibly many other releases of the operating system, researcher Ibrahim Balic wrote in a blog post. Attackers could exploit the underlying memory corruption bug by hiding attack code in an otherwise useful or legitimate app that is programmed to be triggered only after it is installed on a vulnerable handset. By filling the Android “appname” field with an extremely long value exceeding 387,000 characters, the app can cause the device to go into an endless series of crashes.


Source: Ars Technica

Source: Malicious Apps Can Make Android Phones Useless


Posted in DFI News, English-Italian Translations.

Secure Erasing Android Devices Guide for the Super Paranoid Seller.

Any of my friends would tell you that I’m crazy paranoid about malicious users–especially when I sell off my old electronics. I’m the type of guy who’d prefer to put a nail through an old device. Unfortunately I’m also the type of guy that likes to buy the new Nexus devices every time they release–so I prefer to sell my old devices to help fund my new purchases. To do this I had to come up with a way to make myself feel good about selling my old devices. Now I know one really easy way to do this is to enable encryption on your device and then format it. For some reason when selling my HTC One X the encryption just kept failing and the SD card is non-removable, so I needed to find a way to get peace of mind and still sell the device–which led me to come up with this method.

I’m not 100% sure, but I believe you might need BusyBox/Root installed to do this–or it’s possible you can do it using just the Android SDK (which you will need), but I am going to assume anyone who understands that factory resetting your device doesn’t actually remove any data is more than likely the same type of person who’d be rooting their Android device.

Also, just as a side note, I’m not saying this is the most secure thing in the world, but it’s what I do and it makes me feel pretty good. I’ve confirmed by running Recuva in deep scan mode that I wasn’t able to recover any data from /sdcard; however, I have no way to confirm this for the /data partition. I’m just assuming it works just as well as it did for the internal SD card.

This process essentially includes 2 steps:

  1. Formatting the Storage
  2. Zeroing out /sdcard, and /data

So let’s get started…

Step 1 — Formatting the Storage

This is a pretty basic deal, and when you buy a used phone online it’s likely as far as the previous owner went to secure the data, which I assure you isn’t much at all. All this does is tell the OS that where your data used to be is now “Available” so that the OS can write over it. If you were to run a tool like Recuva after a simple Factory Reset you’d be able to recover many of the files. This isn’t just an Android thing; it applies to all storage media, though less so to flash media than to hard drives. The reason I use this as a starting point is to tell the OS that everything is “available” for writing, which is what we want. To do this you can either use your recovery or go to Settings > Backup and Reset > Factory Reset and let the OS do its thing.

Step 2 — Zeroing out /sdcard and /data

Now that we’ve labeled all the data on the device as available for writing, it’s time to start “zeroing out” the data, which essentially means writing 0s over the data that we previously marked as “Available”. Ideally, if someone then attempts to restore your data they’ll be restoring the 0s and not your personal data. On older HDDs it’s a good idea to do this multiple times, but many experts have suggested one pass is all that’s necessary on flash media.

First thing you’ll want to do is open a command line and navigate to the Android SDK’s platform-tools folder, where you’ll find fastboot and adb. It’s found in /androidsdk/platform-tools.

Once in your platform tools run the following command:

./adb devices

If you get a print out with a serial number you are good to go–this means that your computer is reading your phone just fine. If you don’t get anything be sure to go into your Developer Settings and enable USB Debugging.

Once you’ve got the phone and the SDK speaking together type the following command to access the shell of your device:

./adb shell

You should be greeted by a bash prompt, as shown in the image below:

[Screenshot: adb shell prompt]

Once in your phone’s command line run the following command:

dd if=/dev/urandom of=/sdcard/junkfile

You won’t get a response for a while. What this is essentially doing is creating a file filled with random data on your phone’s SD card until it’s completely full, at which point it will be brought to a halt. You can verify this by going into Settings > Storage and watching the % free on your SD card continue to go down.

When the process is all done you should get a message like the following that details the amount of space written. It should resemble the size of your SD card.

[Screenshot: dd output reporting the number of bytes written]

Once the process is complete we’ll want to repeat the same line, with a slight modification as follows:

dd if=/dev/urandom of=/data/junkfile

This will create another junk file on your device with random data, except rather than being in /sdcard it’ll be in /data. /data is where all the settings for your various apps are stored. The way I verified this process was still running was by opening another terminal window and using ./adb shell to run ls -all -h to watch the size of the file continue to grow, as shown below:

[Screenshot: ls output showing junkfile growing from ~600MB to ~1.5GB]

You can see the size of “junkfile” going from ~600MB to ~1.5GB. Once the /data folder is completely full you’ll not only get a confirmation in the shell, but your Android device should also pop down a message in your notification window that the data partition is full and system functions might start breaking–for once this is good!

So at this point you’ve successfully filled your /data and /sdcard folders, the two main areas where personal information is stored on Android, with a bunch of random data.

The next and final step of the process is to simply return to Step 1 and Factory Reset the phone one last time. This will mark the data as “Available” and give the new owner of your device a “new phone” experience. It’s not necessary I suppose, but I’m guessing the buyer of your phone won’t take too kindly to turning on a phone filled with error messages. ;)

I’m no expert; however, as I stated before, when running recovery software I was unable to recover any data from my HTC One X when I sold it, so I’d say this method is pretty handy at keeping the device’s old data away from 99.9% of users out there.

A little over the top? Definitely. That’s exactly how I like it!

Source: Secure Erasing Android Devices Guide for the Super Paranoid Seller


Posted in English-Italian Translations, Zackery Fretty.

Using heartbeats as passwords to secure medical devices

It is time to start thinking of our hearts as random number generators. That’s so they can serve as passwords to secure medical devices that are vulnerable to hacking, researchers at Rice University have proposed.

Softpedia’s Eduard Kovacs reports that, in essence, given a heartbeat’s variability, the heart can function as something of a random number generator:

The signal from your heartbeat is different every second, so the password is different each time. You can’t use it even a minute later.

Hacking of medical devices is, at this point, demonstrably feasible.

The US government in October 2012 told the US Food and Drug Administration (FDA) to finally start taking medical device security seriously, whether we’re talking about intentional hacking, unencrypted data transfer that can be manipulated or a host of other threat vectors.

In June 2013, the FDA complied, calling on medical device manufacturers and health care facilities to start addressing medical devices’ vulnerability to cyberattack.

Koushanfar and Rostami will present the system in November at the Conference on Computer and Communications Security in Berlin.

Before we see H2H debut, it will need to obtain FDA approval. After that, it’s up to medical device manufacturers to adopt the technology.

It’s a fascinating approach to authentication.

My insulin pump and I look forward to seeing whether it wins approval and achieves adoption in the medical device industry.

After that, who knows?

Perhaps our beating hearts will someday be a viable alternative to the easily guessable, completely hackable security questions that are now used to supposedly verify that we are, indeed, who we say we are.

Source: Using heartbeats as passwords to secure medical devices


Posted in Naked Security, English-Italian Translations.

iPhone Sensor Surveillance

The new iPhone has a motion sensor chip, and that opens up new opportunities for surveillance:

The M7 coprocessors introduce functionality that some may instinctively identify as “creepy.” Even Apple’s own description hints at eerie omniscience: “M7 knows when you’re walking, running, or even driving…” While it’s quietly implemented within iOS, it’s not secret for third party apps (which require an opt-in through pop-up notification, and management through the phone’s Privacy settings). But as we know, most users blindly accept these permissions.

It all comes down to a question of agency in tracking our physical bodies.

The fact that my Fitbit tracks activity without matching it up with all my other data sources, like GPS location or my calendar, is comforting. These data silos can sometimes be frustrating when I want to query across my QS datasets, but the built-in divisions between data about my body – and data about the rest of my digital life – leave room for my intentional inquiry and interpretation.

Source: iPhone Sensor Surveillance


Posted in Bruce Schneier, English-Italian Translations.

Whatever Happened to Facebook Likejacking?

Back in 2010, Facebook likejacking (a social engineering technique of tricking people into posting a Facebook status update) was a trending problem. So, whatever happened to likejacking scams and spam? Well, Facebook beefed-up its security — and the trend significantly declined, at least when compared to peak 2010 numbers.

But you can’t keep a good spammer down. Can’t beat them? Join them.

Today, some of the same junk which was spread via likejacking… is now spread via Facebook Advertising.

[Image: Facebook Sponsors thumbnails]

The top middle thumbnail above is some kind of malformed egg. Typical click-bait.

The ad links to a Page with localized campaigns. Note the “Ca” and the “Fi”.

[Image: “Cooking Lessons 101” Page with localized campaigns]

The landing page uses an “app” trick to automatically redirect to a spam campaign:

[Image: work-from-home scheme landing page]

We’re pretty sure such tricks are a violation of Facebook’s ToS. But so far, Facebook hasn’t reacted to the sample we sent them.

Apparently.

Some of the spam campaigns are not exactly “safe for work” depending on the source ads:

[Image: jailbait ads]

Also a concern: some of the ads appear to be linked to compromised websites. The spammers may not even be paying for these ads.

Are you judged by the company you keep?

That’s probably a question legitimate brands with a Facebook presence should be asking themselves.

Source: Whatever Happened to Facebook Likejacking?


Posted in F-Secure, English-Italian Translations.

Android Hack-Tool Steals PC Info

Yeh, one of our Security Response Analysts, came across an interesting report on a Chinese forum over the weekend about an Android app that basically turns the device into a hack-tool capable of stealing information from a connected Windows machine.

He managed to find a sample (Md5:283d16309a5a35a13f8fa4c5e1ae01b1) for further investigation. When executed, the sample (we detect it as Hack-Tool:Android/UsbCleaver.A) installs an app named USBCleaver on the device:

[Screenshot: USBCleaver app installed on the device]

When the app is launched, it directs the user to download a ZIP file from a remote server:

[Screenshot: prompt to download the ZIP file]

It then unzips the downloaded file to the /mnt/sdcard/usbcleaver/system folder. The saved files are essentially utilities used to retrieve specific pieces of information when the device is connected via USB to a Windows machine. Note: we detect most of the files with older detections.

The following details are grabbed from the connected PC machine:

  • Browser passwords (Firefox, Chrome and IE)
  • The PC’s Wi-Fi password
  • The PC’s network information

The app gives the user the option of choosing what information they want to retrieve:

[Screenshots: the app’s options for choosing which information to retrieve]

To run the utilities, the sample creates an autorun.inf and go.bat file at /mnt/sdcard. When the device is plugged into a Windows machine, the autorun script gets triggered, which then silently runs the go.bat file in the background, which in turn runs the specified files from the usbcleaver/system folder.

The collected details are stored on the device at /mnt/sdcard/usbcleaver/logs. The app’s user can click on the ‘Log Files’ button to view the information retrieved from the PC:

[Screenshot: ‘Log Files’ view]

This isn’t the first Android trojan reported this year with PC-infecting capabilities, since that ‘distinction’ belongs to the trojan-spy apps family we detect as Sscul (listed in our Q1 2013 Mobile Threat Report).

Unlike the Sscul malware however, which is more focused on remote eavesdropping, USBCleaver seems to be designed to facilitate a targeted attack by gathering details that would be helpful in a later infiltration attempt.

Fortunately, UsbCleaver’s Windows-infecting routine can be blocked by a simple measure that’s been standard security advice for the last couple of years: disabling Autorun by default (this is already standard on Windows 7 machines). An additional mitigating factor is that most older Windows systems need to have mobile drivers manually installed in order for this attack to work.
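The trigger described above is an autorun.inf whose keys tell Windows what to execute when the device is mounted. As an added example that is not part of the F-Secure write-up, the following POSIX shell function extracts those keys from an autorun.inf found on removable media or on a phone’s /mnt/sdcard, so a defender can tell at a glance whether a file is a harmless icon/label definition or an auto-execution attempt. The page does not show the contents of the sample’s autorun.inf, so the files in the test are constructed; the key names (open, shellexecute, shell\<verb>\command) are the standard autorun.inf entries.

```shell
#!/bin/sh
# Added example, not from the original post. Only tr and awk are required.

# autorun_targets FILE
# Prints the commands an autorun.inf would have Windows run on insertion: the
# values of the "open", "shellexecute" and "shell\<verb>\command" keys inside
# the [autorun] section. Keys in other sections are ignored. CRLF line endings
# and mixed case are accepted, as the Windows INI parser tolerates both.
# Returns 0 when at least one such command is present (treat the file as an
# auto-execution attempt), 1 when the file only carries icon/label entries.
autorun_targets() {
    tr -d '\r' < "$1" | awk '
        { line = $0; sub(/^[ \t]+/, "", line); lower = tolower(line) }
        lower ~ /^\[/ { in_autorun = (lower == "[autorun]"); next }
        in_autorun && lower ~ /^(open|shellexecute|shell\\[^=]*\\command)[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "", line)   # keep only the value after "="
            print line
            found = 1
        }
        END { exit found ? 0 : 1 }'
}
```

In the scenario on this page the printed value would be the go.bat launcher; pairing this check with Autorun disabled on the host covers both the file and the mechanism that runs it.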

Analysis by Yeh

Source: Android Hack-Tool Steals PC Info


Posted in F-Secure, English-Italian Translations.

Your BMW can be stolen by any idiot with a $30 hacking kit

On-board diagnostics (OBD) security bypass kits, replete with reprogramming modules and blank keys, are reportedly enabling low-intelligence thieves to steal high-end cars such as BMWs in a matter of seconds or minutes.

According to The Register, the $30 bypass tools are being shipped from China and Eastern Europe in kit form to unskilled criminals.

It looks like it’s not just BMWs, mind you.

A post on the car enthusiast site Pistonheads suggests that devices similar to those used to steal BMWs are also available for Opel, Renault, Mercedes, Volkswagen, Toyota and Porsche Cayennes.

UK police are also seeing fancy cars whisked away by criminals believed to be using the kits, with the deprived owners still having the keys in their possession.

It’s becoming so prevalent, in fact, that Warwickshire police released a press release warning BMW owners to take extra precautions, stating that 154 of the high-end cars have been stolen since January.

In August, London’s Metropolitan Police left leaflets under windscreens, warning BMW owners their cars were likely to be targeted, according to a recent BBC Watchdog investigation into the thefts.

The tool was originally designed for garages and car recovery agents to get into different cars after owners had lost their keys. The kits have since been packaged up by criminal hackers, who have picked apart the security weaknesses of the OBD network.

To use the tool, car thieves first need to intercept the transmission between a valid key fob and a car before they can then reprogram the blank key, which they can then use to start or open the car via the OBD network.

The BBC rolled its camera skyward while its news reporters were using the key in its Watchdog investigation, but I found online videos showing how easy it is to use the tool – or, at least, a device that fits the tool’s description.

If the video I found is an accurate depiction, even the village idiot could be behind the wheel of a fine ride with a $30 investment and a few minutes.

[Image: still from OBD tool video]

(By the way, Naked Security has chosen not to embed the video because it may encourage criminal activity, and we have no wish to promote sales of such tools to unauthorised parties)

BMW last week put out a statement saying it’s aware of the new method of car thievery and is looking into how to mitigate it.

One way is to not own a BMW built before September 2011, apparently:

"After extensive research we are clear that none of our latest models - new 1 Series Hatch, 3 Series, 5 Series, 6 Series and 7 Series - nor any other BMW built after September 2011 can be stolen using this method. However, as a responsible manufacturer we are looking at ways of mitigating against this new kind of attack."

Customers worried about theft of targeted models can call their local BMW dealer.

BMW’s offering extra technical measures that it says will keep cars from getting ripped off with the hacking kits, although, it says, “there is no such thing as an unstealable car.”

So what are the security holes in OBD?

As pointed out by Rob VandenBrink in a presentation (PDF) delivered at a SANS Technology Institute security conference in July, OBD looks like “a slower, dumber Ethernet (sorta).”

For details on those weaknesses, check out his paper.

[Image: slide from Rob VandenBrink's presentation]

In summary, VandenBrink says:

"Unfortunately, the On Board Diagnostic (OBD) network in our cars is completely open, completely documented, and is being pushed more and more to open, documented and unauthenticated wireless access."

But wait, there’s more. Short of allowing your ride to be stolen, security researchers at the University of Michigan and the University of Washington have shown that OBD shortcomings allow these other automotive WiFi shenanigans:

  • Locking and unlocking doors
  • Honking the horn
  • Wireless attack through tire pressure sensors
  • Trojan delivered via music CD

This stuff isn’t new. The CD Trojan piece goes back to 2011.

What’s new is how erudite hacker knowledge of OBD’s limitations has been commoditized and marketed in these easy-to-use, cheap kits.

Should you shake down your car manufacturer to get better defences?

Unfortunately, it probably won’t do you much good if you do, between the need for mechanics to have some type of tool to get into your car and competition laws requiring open standards.

Here’s what the Pistonheads post had to say about it:

"The reason this form of theft is currently so rife … - is that European competition rules require diagnostic and security reprogramming devices to be available to non-franchised garages. As we understand it, this effectively means that car companies cannot restrict access to or use of OBD ports."

"Unfortunately it also means that, to a certain extent, the hands of car companies are tied..."

What you can do: contact your car dealer to see if they have mitigation techniques that will help, as BMW promises.

The Warwickshire Police also offer these safety tips, although they are unlikely to be much of a deterrent to a determined OBD hacker who gains access to your vehicle:

  • Try the door handle after using your key to lock your car, to double check that it is actually locked.
  • Take a good look around when leaving the vehicle to see if you can spot anyone waiting nearby or in a vehicle in the vicinity, especially if you check and find the door to still be open.
  • Report anything suspicious to the police: they want to nab these guys.

Ultimately, it’s worth remembering – as BMW admits – that there’s “no such thing as an unstealable car”.

Hat-tip: The Register

Source: Your BMW can be stolen by any idiot with a $30 hacking kit


Posted in Naked Security, English-Italian Translations.

ZeuS Ransomware Feature: win_unlock

Earlier today, while doing our daily data mining, we came across a new variant of ZeuS 2.x. It includes a new backdoor command called win_unlock. Very interesting: it turns out this slightly modified ZeuS 2.x includes a ransomware feature.

When this particular variant is executed, it opens Internet Explorer with a specific page (lex.creativesandboxs.com/locker/lock.php) and prevents the user from doing anything else with the infected system. The webpage that was opened presumably showed some type of extortion message, but it’s currently unavailable because the site is offline.

The most straightforward way to unlock the system is to simply delete the trojan. This can be a bit tricky since the trojan prevents doing anything with the infected system; luckily, the locking itself can easily be disabled first.

Looking at the code that corresponds with a received win_unlock command, it’s clear the unlock information is stored to the registry.

[Image: disassembly of the win_unlock handler]

Unlocking can therefore be performed quite easily with a registry editor:

  1. boot the system in safe mode
  2. add a new key named syscheck under HKEY_CURRENT_USER
  3. create a new DWORD value under the syscheck key
  4. set the name of the new DWORD value to Checked
  5. set the data for the Checked value to 1
  6. reboot

SHA1: 03f0c26c6ba77c05152a1e0cc8bc5657f0c83119

Analysis by — Mikko S. and Marko

Source: ZeuS Ransomware Feature: win_unlock


Posted in F-Secure, English-Italian Translations.

No Reservations – Remote Access Trojan Pilfers Credit Cards from Hotels

Our intelligence center researchers recently uncovered a fraud “package” being sold in underground forums that uses a remote access Trojan to steal credit card information from a hotel point of sale (PoS) application. This scheme, which is focused on the hospitality industry, illustrates how criminals are planting malware on enterprise machines to collect financial information instead of targeting end users devices.

In this particular scenario, a remote access Trojan program is used to infect hotel front desk computers. The malware is able to steal credit card and other customer information by capturing screenshots from the PoS application. According to the seller, the Trojan is guaranteed not to be detected by anti-virus programs.

[Screenshot: PoS application captured by the remote access Trojan]

This fraud package is being offered for $280. The purchase price includes instructions on how to set up the Trojan. The sellers even offer advice on how to use telephone social engineering techniques via VoIP software to trick front desk managers into installing the Trojan.

To prove the effectiveness of the fraud package, the seller uses a screenshot (above) taken by the remote access Trojan from the PoS system at one of the world’s largest hotel chains. The screenshot shows the PoS application populated with customer information gathered at check-in.

As we have mentioned in recent posts, criminals are increasingly expanding the focus of their attacks from online banking targets to enterprises. One of the reasons for this shift is that enterprise devices can yield high value digital assets when compromised.

Source: No Reservations – Remote Access Trojan Pilfers Credit Cards from Hotels


Posted in English-Italian Translations, Trusteer.

Android malware poses as Angry Birds Space game

Android malware authors have seized an opportunity to infect unsuspecting smartphone users with the launch of the latest addition to the immensely popular “Angry Birds” series of games.

SophosLabs recently encountered malware-infected editions of the “Angry Birds Space” game which have been placed in unofficial Android app stores. Please note: The version of “Angry Birds Space” in the official Android market (recently renamed “Google Play”) is *not* affected.

The Trojan horse, which Sophos detects as Andr/KongFu-L, appears to be a fully-functional version of the popular smartphone game, but uses the GingerBreak exploit to gain root access to the device and install malicious code. The Trojan communicates with a remote website in an attempt to download and install further malware onto the compromised Android smartphone.

[Image: Android phone with Trojan posing as Angry Birds Space]

Interestingly, the malware hides its payload – in the form of two malicious ELF files – at the end of a JPG image file.

[Image: hidden code at end of JPG file]
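Appending a payload after a JPEG’s End-Of-Image marker works because image viewers stop reading at that marker, so the extra bytes never affect how the picture renders. As an added example that is not from Sophos or the original post, the following POSIX shell function checks a file for exactly that: it finds the first FF D9 (EOI) marker and reports the offset of any ELF header magic (7F 45 4C 46) that follows it. The scan runs on a hex dump so it needs only od, tr and awk; the sample files in the test are constructed minimal JPEG headers, not real malware.

```shell
#!/bin/sh
# Added example, not from the original post. Requires only od, tr and awk.

# elf_after_jpeg_eoi FILE
# Prints the 0-based file offset of the first ELF magic (7F 45 4C 46) found
# after the first JPEG End-Of-Image marker (FF D9) and returns 0. Prints -1
# and returns 1 when there is no EOI marker or nothing ELF-like follows it.
# The first EOI is used deliberately: an EXIF thumbnail carries its own EOI
# before the main image, which makes the "trailer" start early but cannot hide
# a payload appended at the end of the file. Comparisons are done on byte
# boundaries of the hex string so a marker split across two bytes is not
# mistaken for FF D9.
elf_after_jpeg_eoi() {
    od -An -v -tx1 "$1" | tr -d ' \n' | awk '
        { hex = hex $0 }
        END {
            n = length(hex) / 2                 # number of bytes in the file
            eoi = 0
            for (i = 1; i < n; i++)             # i: 1-based index of the FF byte
                if (substr(hex, 2*i - 1, 4) == "ffd9") { eoi = i; break }
            if (eoi == 0) { print -1; exit 1 }
            for (j = eoi + 2; j + 3 <= n; j++)  # j: first byte after the marker
                if (substr(hex, 2*j - 1, 8) == "7f454c46") { print j - 1; exit 0 }
            print -1
            exit 1
        }'
}
```

A hit is strong evidence of a hidden payload, since the four ELF magic bytes have no business following a JPEG’s EOI; the offset printed is where to start carving the embedded file for analysis. Trailing data with no ELF magic is not flagged here, because legitimate tools also append metadata after EOI.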

With the malware in place, cybercriminals can now send compromised Android devices instructions to download further code or push URLs to be displayed in the smartphone’s browser.

Effectively, your Android phone is now part of a botnet, under the control of malicious hackers.

It feels like we have to keep reminding Android users to be on their guard against malware risks, and to be very careful – especially when downloading applications from unofficial Android markets.

Source: Android malware poses as Angry Birds Space game


Posted in Naked Security, English-Italian Translations.