Aug 02, 2013
 

A New Surveillance Defeating Messaging App

Info-Security
July 11, 2013

 


 

An app for both Android and iOS is being planned by one of the original founders of The Pirate Bay. In the wake of PRISM server surveillance and Tempora traffic surveillance, it plans to use true end-to-end encryption so that only its users will ever see the content.

 

Peter Sunde, co-founder and former spokesman for The Pirate Bay, is part of a new company and project: Heml.is. ‘Hemlis’ is Swedish for secret, and the project is a completely secure and secret chat app for iOS and Android. The intention is to use end-to-end encryption so that only the users can ever know the content of the message.

“All communication on today’s networks is being monitored by government agencies and private companies,” says Sunde in a video. “The politicians are not going to stop it, they’re actually asking for more. That’s why we decided to build a messaging platform where no one can spy on you, not even us.” If law enforcement or intelligence agencies intercept the messages, they will not be able to decipher them. If they obtain court orders for access to the servers, they will only get encrypted files because that’s all that will exist on the servers.

Sunde doesn’t accept the political argument that encrypted chat would be a boon for terrorists and organized crime. “We are talking here about normal people who do not have access to that technology yet. So terrorists are definitely not going to be on our system – they are already on their own systems; they wouldn’t trust us… so I think the only people we are helping are the [ordinary citizens] whom the government is surveilling,” he told RT yesterday.

The app will be free for basic messages, but there will be a charge ‘to unlock certain features’. The purpose is to provide the funding to run the service and maintain development (future file-sharing, for example, is an aspiration). Details are not yet clear, but Heml.is stresses that it “will never introduce ads or selling your data to fund the app.” One option might be a time-limiter for storage on the server: if the message is not collected within a specified time period, it could be automatically deleted.

The project is being funded by donations. “The fundraising campaign is in its early stage, though,” warned RT yesterday, “so there is no official release date planned for the application.”

But this morning Heml.is blogged, “Funded 100% in 36 hours!

“Wow and incredible thanks to all our backers for funding us in 36 hours…

“Now it’s time to get to work!”

At the time of writing this report, Heml.is had received $110,324 (the target was $100,000) in 42 hours.

 

Direct Link:  http://www.infosecurity-magazine.com/view/33402/a-new-surveillance-defeating-messaging-app/

Jun 30, 2013
 

Over 1 million American Android users have downloaded adware

That’s the claim from security firm Lookout, which claims that 6.5 percent of the free applications in the Google Play marketplace contain adware.

C/NET News
by Don Reisinger
June 26, 2013

 

A look at adware's breakdown. (Credit: Lookout)


 

Adware has become a somewhat concerning issue on Android, a new study from security firm Lookout has discovered.

According to the security company, over the last year alone, over 1 million American Android users have unknowingly downloaded adware. What’s worse, 6.5 percent of the free applications available in the Google Play marketplace now contain adware of some sort.

Adware isn’t exactly the easiest topic to define, since there’s a gray area between what’s proper ad practice and what’s not.

However, Lookout says that there are a few key hallmarks that turn seemingly innocuous ads into adware:

  • The app displays advertising that’s “outside of the normal experience”;
  • The ad “harvests unusual personally identifiable information”; or
  • The ad “performs unexpected actions as a response to ad clicks.”

Adware has long been a concern for computer users. But with mobile device usage skyrocketing, advertisers — and adware creators — are focusing their attention on Android. Even worse, a report from Juniper Networks released earlier this week shows that mobile malware is up 614 percent in the last year, and 92 percent of all detected threats are running on Google’s operating system.

To illustrate the impact adware is having on Android, Lookout provided some statistics on where Android users are most likely to find the annoyance. Lookout says that 26 percent of the free Personalization apps in Google Play contain adware. On the gaming side, 9 percent of the free programs have adware. Interestingly, social apps are least likely to contain adware, with Lookout finding just 2 percent of those free programs bundling adware.

“Questionable mobile advertising practices, such as adware, can get in the way of user privacy and experience, doing things like capturing personal information (i.e., email, location, address list, etc.) without proper notification and modifying phone settings and desktops without consent,” Lookout said in a blog post on Wednesday. “While the majority of mobile ads are A-OK, as the industry grows, it needs to protect user privacy and excellent user experience.”

 


 

Direct Link:  http://news.cnet.com/8301-1009_3-57591075-83/over-1-million-american-android-users-have-downloaded-adware/

 

Feb 22, 2013
 

Critical cURL library flaw could expose many apps to hackers

Libcurl 7.29.0 addresses a critical remote code execution vulnerability


Computer World

by Lucian Constantin
February 8, 2013


IDG News Service – A critical buffer overflow vulnerability patched this week in the widely used open-source cURL library (libcurl) has the potential to expose a large number of applications and systems to remote code execution attacks.

CURL is a cross-platform command line tool and library for transferring data using URL (uniform resource locator) syntax. It supports a wide range of protocols including HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, DICT, FILE, FTP, FTPS, Gopher, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, Telnet and TFTP.

The vulnerability can be exploited when a program that uses libcurl or the cURL command line tool communicates with a malicious server over the POP3, SMTP or IMAP protocols, the cURL developers said Wednesday in a security advisory. The flaw is located in the libcurl function that handles SASL DIGEST-MD5 authentication and affects versions 7.26.0 to 7.28.1 of the library, they said.

Libcurl 7.29.0 was released Wednesday to address the flaw. However, the issue can also be mitigated by using the CURLOPT_PROTOCOLS option to disable support for the vulnerable protocols at run-time.

Vulnerability research and management firm Secunia rated the flaw as highly critical. “Successful exploitation may allow execution of arbitrary code but requires tricking a user into connecting to a malicious server,” the company said Thursday in a security advisory.

Even though a potential exploit involves POP3, IMAP or SMTP authentication, HTTP URLs can also be used as an initial attack vector because cURL supports redirection, said Volema, the vulnerability research outfit that discovered the vulnerability, in a blog post Wednesday.

If a program that uses libcurl is instructed to open an HTTP URL to a malicious server, the server can respond with status “302 Found” and redirect the library to another location, which can be pop3://x:x@evilserver.com/, Volema said. The library will then attempt authentication and the server can deliver the exploit.

There’s a run-time option called CURLOPT_FOLLOWLOCATION that can be used to prevent libcurl from following “Location” headers sent in HTTP responses. If this feature is needed, another option called CURLOPT_REDIR_PROTOCOLS can be used to limit what protocols are supported for redirect attempts.
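The two mitigations above (restricting the protocols libcurl will speak at all with CURLOPT_PROTOCOLS, and restricting the protocols it will follow a redirect into with CURLOPT_REDIR_PROTOCOLS) both come down to one check: take the scheme of the URL about to be fetched and refuse it unless it is in an allowlist bitmask. The following C program is an added example, not code from the cURL project or the article. It re-implements that allowlist check stand-alone so it runs without libcurl; the PROTO_* enum names, the helper functions and the sample Location values (apart from the pop3://x:x@evilserver.com/ redirect quoted from Volema) are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Protocol bits for an allowlist mask, modelled on libcurl's CURLPROTO_*
 * flags. The names below are this example's own, not libcurl's. */
enum {
    PROTO_HTTP  = 1 << 0,
    PROTO_HTTPS = 1 << 1,
    PROTO_FTP   = 1 << 2,
    PROTO_POP3  = 1 << 3,
    PROTO_IMAP  = 1 << 4,
    PROTO_SMTP  = 1 << 5
};

/* Length of the URL scheme (the part before ':'), or 0 if the URL has none,
 * e.g. a relative "Location: /next" redirect. */
static size_t scheme_length(const char *url) {
    size_t i = 0;
    if (!isalpha((unsigned char)url[0]))
        return 0;
    while (isalnum((unsigned char)url[i]) || url[i] == '+' ||
           url[i] == '-' || url[i] == '.')
        i++;
    return url[i] == ':' ? i : 0;
}

/* Map a scheme (case-insensitive) to its protocol bit; 0 for anything
 * unknown, so unrecognised schemes fail closed. */
static int scheme_bit(const char *scheme, size_t len) {
    static const struct { const char *name; int bit; } table[] = {
        {"http", PROTO_HTTP},  {"https", PROTO_HTTPS}, {"ftp", PROTO_FTP},
        {"pop3", PROTO_POP3},  {"pop3s", PROTO_POP3},  {"imap", PROTO_IMAP},
        {"imaps", PROTO_IMAP}, {"smtp", PROTO_SMTP},   {"smtps", PROTO_SMTP}
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        const char *name = table[i].name;
        if (strlen(name) != len)
            continue;
        size_t j = 0;
        while (j < len && (char)tolower((unsigned char)scheme[j]) == name[j])
            j++;
        if (j == len)
            return table[i].bit;
    }
    return 0;
}

/* Decide whether a redirect target may be followed: its protocol must be in
 * the allowlist. A scheme-less (relative) target keeps the current protocol. */
int redirect_allowed(const char *location, int allowed_mask, int current_proto) {
    size_t len = scheme_length(location);
    int proto = len ? scheme_bit(location, len) : current_proto;
    return proto != 0 && (proto & allowed_mask) == proto;
}

int main(void) {
    /* Constructed Location header values, including the pop3:// redirect
     * described in the article. */
    const char *targets[] = {
        "https://example.com/login",
        "/relative/path",
        "pop3://x:x@evilserver.com/",
        "gopher://example.com/"
    };
    int allowed = PROTO_HTTP | PROTO_HTTPS;  /* what CURLOPT_REDIR_PROTOCOLS would hold */
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++)
        printf("%-30s -> %s\n", targets[i],
               redirect_allowed(targets[i], allowed, PROTO_HTTP) ? "follow" : "refuse");
    return 0;
}
```

With libcurl itself the same policy is one call per handle: `curl_easy_setopt(handle, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS)` keeps a 302 from steering the library into POP3, IMAP or SMTP, and `curl_easy_setopt(handle, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS)` removes those protocols from the initial request as well. An application that never needs redirects can set CURLOPT_FOLLOWLOCATION to 0L instead, which is the stricter of the two.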

“I don’t expect that many applications use these options to limit exposure – at least not before this discovery,” Carsten Eiram, chief research officer at security firm Risk Based Security, said Friday via email.

CURL is highly portable and works on Windows, Mac OS X, Linux, Solaris, BSD variants, other UNIX-derived OSes including those for embedded systems, as well as mobile OSes like iOS, Android, BlackBerry Tablet OS and BlackBerry 10 OS. This makes it very popular among application developers who would rather use an already robust library for data transfer than code their own solution from scratch.

The library is used by a wide range of desktop, Web and mobile applications. According to the cURL developers it’s even used in Internet-connected TV sets and Bluray players, in embedded systems and in games. An incomplete list of applications that use libcurl is available on the project’s website.

Some applications bundle a copy of the library with their installers while others use the version of the library installed on the operating system. Some Linux distributions come with libcurl installed by default, while others provide it as an optional package.

Because of the many ways and places where libcurl is used, a lot of systems and applications are likely to remain vulnerable to this vulnerability for some time to come, despite a patch being available.

This will especially be the case for those applications that use it statically, meaning that the applications include a copy of the library, Eiram said.

“This is one of the problems in general with software that often includes a lot of third-party components and libraries,” Eiram said. “How do these software vendors get informed about vulnerabilities in any components that they bundle, and how quick are they at evaluating if their software is vulnerable and update it?”

“We regularly see products affected by vulnerabilities in their bundled components, which were fixed upstream a long time ago,” he said. “An example is the latest UPnP research by Rapid7 (http://www.pcworld.com/article/2026654/researcher-upnp-flaws-expose-millions-of-networked-devices-to-remote-attacks.html). Some of the described vulnerabilities were fixed many years ago, yet device vendors are still using old, vulnerable versions of the components.”

Eiram believes that if a reliable exploit is released, there will definitely be attacks that will target this vulnerability. “We will at least see random websites trying to exploit this if targets happen — or are tricked — to visit it with a vulnerable application,” he said.


Direct Link:  http://www.computerworld.com/s/article/9236644/Critical_cURL_library_flaw_could_expose_many_apps_to_hackers?taxonomyId=11&pageNumber=1

Jan 24, 2013
 

Attack Turns Android Devices Into Spam-Spewing Botnets

Beware Trojan app sending 500,000 spam SMS messages per day, charging messages to smartphone owners.

Information Week
by Mathew J. Schwartz
December 19, 2012

 


 

From an attacker’s perspective, malware doesn’t need to be elegant or sophisticated; it just needs to work.

That’s the ethos behind a recent spate of Trojan applications designed to infect smartphones and tablets that run the Android operating system, and turn the devices into spam-SMS-spewing botnets.

By last week, the malware was being used to send more than 500,000 texts per day. Perhaps appropriately, links to the malware are also being distributed via spam SMS messages that offer downloads of popular Android games–such as Angry Birds Star Wars, Need for Speed: Most Wanted, and Grand Theft Auto: Vice City–for free.

Despite the apparent holiday spirit behind the messages, however, it’s just a scam. “If you do download this ‘spamvertised’ application and install it on your Android handset, you may be unknowingly loading a malicious software application on your phone which will induct your handset into a simple botnet, one that leverages the resources of your mobile phone for the benefit of the malware’s author,” according to an overview of the malware written by Cloudmark lead software engineer Andrew Conway.

The malware in question uses infected phones “to silently send out thousands of spam SMS messages without your permission to lists of victim phone numbers that the malware automatically downloads from a command and control server,” said Conway. Of course, the smartphone owner gets to pay any associated SMS-sending costs.

An earlier version of the malware was discovered in October, disguised as anti-SMS spam software, but it remained downloadable for only a day. “Apparently using SMS spam to promote a bogus SMS spam blocking service was not an easy sell,” said Conway. Subsequently, the malware was repackaged as free versions of popular games, and the malware’s creator now appears to be monetizing the Trojan by sending gift card spam of the following ilk: “You have just won a $1000 Target Gift Card but only the 1st 777 people that enter code 777 at [redacted website name] can claim it!”

As with the majority of Android malware, the malicious apps can be downloaded not from the official Google Play application store, but rather from third-party download sites, in this case largely based in Hong Kong. In general, security experts recommend that Android users stick to Google Play and avoid third-party sites advertising supposedly free versions of popular paid apps, since many of those sites appear to be little more than “fakeware” distribution farms. But since Android users are blocked from reaching Google Play in some countries, including China, third-party app stores are their only option.

After installing the malware and before it takes hold, a user must first grant the app numerous permissions — such as allowing it to send SMS messages and access websites. Only then can it successfully transform the mobile device into a spam relay. Of course, people in search of free versions of paid apps may agree to such requests. Furthermore, “not many people read the fine print when installing Android applications,” said Conway.

If a user does grant the malware the requested permissions, it will transform their Android device into a node, or zombie, for the malware creator’s botnet. At that point, the malware immediately “phones home” to a command-and-control server via HTTP to receive further instructions. “Typically a message and a list of 50 numbers are returned,” said Conway. “The zombie waits 1.3 seconds after sending each message, and checks with the C&C server every 65 seconds for more numbers.”

Again, the Android malware used to build the accompanying SMS-spewing botnet isn’t sophisticated, but it does appear to be earning its creator money. “Compared with PC botnets this was an unsophisticated attack,” said Conway. “However, this sort of attack changes the economics of SMS spam, as the spammer no longer has to pay for the messages that are sent if he can use a botnet to cover his costs. Now that we know it can be done, we can expect to see more complex attacks that are harder to take down.”
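The behaviour Conway describes (a batch of 50 numbers per check-in, 1.3 seconds between sends, a new batch every 65 seconds) is a rate signature a carrier or an MDM back end can look for in outbound SMS logs: a single handset reaching dozens of distinct numbers inside one polling interval is not how people text. The C program below is an added example, not code from Cloudmark or the article. It reads a constructed log of outbound SMS events, slides a 65-second window across each device's sends, and flags any device that reached at least 30 distinct recipients within one window; the log format, the device and number values, and the 30-recipient threshold are this example's own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_EVENTS 256
#define NAME_LEN   16
#define WINDOW_MS  65000L  /* the C&C polling interval reported in the article */
#define MIN_BURST  30      /* assumed threshold: distinct recipients within one window */

typedef struct {
    long t_ms;                 /* send time, milliseconds since log start */
    char device[NAME_LEN];     /* handset identifier (constructed) */
    char recipient[NAME_LEN];  /* destination number (constructed) */
} SmsEvent;

/* Parse one line of the constructed log format "<time_ms> <device> <recipient>". */
int parse_sms_line(const char *line, SmsEvent *ev) {
    return sscanf(line, "%ld %15s %15s", &ev->t_ms, ev->device, ev->recipient) == 3;
}

static int by_time(const void *a, const void *b) {
    long d = ((const SmsEvent *)a)->t_ms - ((const SmsEvent *)b)->t_ms;
    return (d > 0) - (d < 0);
}

/* Distinct recipients that ev[i].device messaged in [t_i, t_i + WINDOW_MS);
 * requires ev[] sorted by time. */
static int distinct_recipients_from(const SmsEvent *ev, int n, int i) {
    const char *seen[MAX_EVENTS];
    int count = 0;
    for (int j = i; j < n && ev[j].t_ms - ev[i].t_ms < WINDOW_MS; j++) {
        if (strcmp(ev[j].device, ev[i].device) != 0)
            continue;
        int dup = 0;
        for (int k = 0; k < count && !dup; k++)
            dup = strcmp(seen[k], ev[j].recipient) == 0;
        if (!dup)
            seen[count++] = ev[j].recipient;
    }
    return count;
}

/* Sort the events, start a window at each event, and report every device that
 * messaged at least MIN_BURST distinct numbers inside one window. Returns the
 * number of devices flagged; each name is copied into out[] once. */
int flag_spam_relays(SmsEvent *ev, int n, char out[][NAME_LEN], int max_out) {
    int flagged = 0;
    qsort(ev, (size_t)n, sizeof ev[0], by_time);
    for (int i = 0; i < n && flagged < max_out; i++) {
        int already = 0;
        for (int f = 0; f < flagged && !already; f++)
            already = strcmp(out[f], ev[i].device) == 0;
        if (!already && distinct_recipients_from(ev, n, i) >= MIN_BURST)
            strcpy(out[flagged++], ev[i].device);
    }
    return flagged;
}

/* Constructed sample: one infected handset working through a 50-number list at
 * 1.3 s spacing (the pattern the article describes), plus an ordinary user
 * sending three texts to two contacts over ten minutes. Returns event count. */
int build_sample_log(SmsEvent *ev, int max) {
    static const char *normal[] = {
        "5000 user-42 +15551234567",
        "200000 user-42 +15559876543",
        "600000 user-42 +15551234567"
    };
    char line[64];
    int n = 0;
    for (int k = 0; k < 50 && n < max; k++) {
        snprintf(line, sizeof line, "%ld zombie-01 +1555%07d", 1000L + 1300L * k, k);
        n += parse_sms_line(line, &ev[n]);
    }
    for (size_t k = 0; k < sizeof normal / sizeof normal[0] && n < max; k++)
        n += parse_sms_line(normal[k], &ev[n]);
    return n;
}

int main(void) {
    SmsEvent ev[MAX_EVENTS];
    char out[8][NAME_LEN];
    int n = build_sample_log(ev, MAX_EVENTS);
    int flagged = flag_spam_relays(ev, n, out, 8);
    printf("%d events, %d device(s) flagged\n", n, flagged);
    for (int i = 0; i < flagged; i++)
        printf("  %s: >= %d distinct recipients within %ld s\n",
               out[i], MIN_BURST, WINDOW_MS / 1000);
    return 0;
}
```

Counting distinct recipients rather than raw message count is what separates the relay from a group chat or a burst of replies to one contact; the threshold is deliberately below the 50-number batch so that a zombie that loses connectivity partway through a list is still caught, and in production it would be tuned against the carrier's own baseline.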


 


 

Direct Link:  http://www.informationweek.com/security/attacks/attack-turns-android-devices-into-spam-s/240144988?cid=SBX_iwk_related_news_Attacks/breaches_security&itc=SBX_iwk_related_news_Attacks/breaches_security

Nov 06, 2012
 

Android-Based Network Built to Study Cyber Disruptions and Help Secure Hand-Held Devices

As part of ongoing research to help prevent and mitigate disruptions to computer networks on the Internet, researchers at Sandia National Laboratories in California have turned their attention to smartphones and other hand-held computing devices.

 

ScienceDaily
Oct. 2, 2012

 

Sandia’s David Fritz holds two Android smartphones, representing the virtual network of 300,000 such devices that he and other researchers are using to advance understanding of malicious computer networks on the Internet. (Credit: Dino Vournas)


Sandia cyber researchers linked together 300,000 virtual hand-held computing devices running the Android operating system so they can study large networks of smartphones and find ways to make them more reliable and secure. Android dominates the smartphone industry and runs on a range of computing gadgets.

The work is expected to result in a software tool that will allow others in the cyber research community to model similar environments and study the behaviors of smartphone networks. Ultimately, the tool will enable the computing industry to better protect hand-held devices from malicious intent.

The project builds on the success of earlier work in which Sandia focused on virtual Linux and Windows desktop systems.

“Smartphones are now ubiquitous and used as general-purpose computing devices as much as desktop or laptop computers,” said Sandia’s David Fritz. “But even though they are easy targets, no one appears to be studying them at the scale we’re attempting.”

The Android project, dubbed MegaDroid, is expected to help researchers at Sandia and elsewhere who struggle to understand large scale networks. Soon, Sandia expects to complete a sophisticated demonstration of the MegaDroid project that could be presented to potential industry or government collaborators.

The virtual Android network at Sandia, said computer scientist John Floren, is carefully insulated from other networks at the Labs and the outside world, but can be built up into a realistic computing environment. That environment might include a full domain name service (DNS), an Internet relay chat (IRC) server, a web server and multiple subnets.

A key element of the Android project, Floren said, is a “spoof” Global Positioning System (GPS). He and his colleagues created simulated GPS data of a smartphone user in an urban environment, an important experiment since smartphones and such key features as Bluetooth and Wi-Fi capabilities are highly location-dependent and thus could easily be controlled and manipulated by rogue actors.

The researchers then fed that data into the GPS input of an Android virtual machine. Software on the virtual machine treats the location data as indistinguishable from real GPS data, which offers researchers a much richer and more accurate emulation environment from which to analyze and study what hackers can do to smartphone networks, Floren said.

This latest development by Sandia cyber researchers represents a significant steppingstone for those hoping to understand and limit the damage from network disruptions due to glitches in software or protocols, natural disasters, acts of terrorism, or other causes. These disruptions can cause significant economic and other losses for individual consumers, companies and governments.

“You can’t defend against something you don’t understand,” Floren said. The larger the scale the better, he said, since more computer nodes offer more data for researchers to observe and study.

The research builds upon the Megatux project that started in 2009, in which Sandia scientists ran a million virtual Linux machines, and on a later project that focused on the Windows operating system, called MegaWin. Sandia researchers created those virtual networks at large scale using real Linux and Windows instances in virtual machines.

The main challenge in studying Android-based machines, the researchers say, is the sheer complexity of the software. Google, which developed the Android operating system, wrote some 14 million lines of code into the software, and the system runs on top of a Linux kernel, which more than doubles the amount of code.

“It’s possible for something to go wrong on the scale of a big wireless network because of a coding mistake in an operating system or an application, and it’s very hard to diagnose and fix,” said Fritz. “You can’t possibly read through 15 million lines of code and understand every possible interaction between all these devices and the network.”

Much of Sandia’s work on virtual computing environments will soon be available for other cyber researchers via open source. Floren and Fritz believe Sandia should continue to work on tools that industry leaders and developers can use to better diagnose and fix problems in computer networks.

“Tools are only useful if they’re used,” said Fritz.

MegaDroid primarily will be useful as a tool to ferret out problems that would manifest themselves when large numbers of smartphones interact, said Keith Vanderveen, manager of Sandia’s Scalable and Secure Systems Research department.

“You could also extend the technology to other platforms besides Android,” said Vanderveen. “Apple’s iOS, for instance, could take advantage of our body of knowledge and the toolkit we’re developing.” He said Sandia also plans to use MegaDroid to explore issues of data protection and data leakage, which he said concern government agencies such as the departments of Defense and Homeland Security.

 

Direct Link:  http://www.sciencedaily.com/releases/2012/10/121002091753.htm