FBI spooks use MALWARE to spy on suspects’ Android mobes – report
Spear-phishing: It’s not just for the bad guys
The Register / UK by Bill Ray August 2, 2013
The Federal Bureau of Investigation is using mobile malware to infect, and control, suspects’ Android handsets, allowing it to record nearby sounds and copy data without physical access to the devices.
That’s according to “former officers” interviewed by the Wall Street Journal ahead of privacy advocate Christopher Soghoian’s presentation at hacker-conflab Black Hat later today.
The FBI’s Remote Operations Unit has been listening in to desktop computers for years, explains the paper, but mobile phones are a relatively new target.
It would never work with tech-savvy suspects, though: suspects still need to infect themselves with the malware by clicking a dodgy link or opening the wrong attachment. This is why computer hackers are never targeted this way – they might notice and publicise the technique, said the “former officers”, who noted that in other cases it had proved hugely valuable.
Such actions do require judicial oversight, but if one is recording activities rather than communications, the level of authorisation needed is much reduced. A US judge is apparently more likely to approve reaching out electronically into a suspect’s hardware than a traditional wiretap, as the latter is considered a greater intrusion into their privacy.
Gaining control of that hardware still requires a hole to crawl through; ideally a zero-day exploit of which the platform manufacturer is unaware.
Given the convergence of mobile and desktop, it’s no surprise to see desktop techniques being applied to mobile phone platforms by both hackers and law enforcement agencies.
The usual techniques of not opening unknown attachments or unsigned downloads should protect you against the FBI, just as they would against any spear-phishing attempt. But then again, if you know that, they probably wouldn’t try using it against you.
The computer hackers and phishing experts ‘on our side’
BBC News June 21, 2013
If you have been hacked it means someone somewhere is watching your computer’s every move. Hackers deploy a variety of tricks to gain access to your computer but a fight-back has begun. Some companies are now even paying hackers to test their own firm’s security.
LJ Rich meets some professional hackers who are on the right side of the law, explains how people go about trying to get inside your computer and has some useful tips on how to stay safe from unwanted invaders.
Homeland Security database leaks employee information
PC World by Ellen Messmer May 26, 2013
The Department of Homeland Security (DHS) said last week it has notified employees and others with DHS clearance to be on alert for potential fraud due to a vulnerability discovered in software used by a vendor to process personally identifiable information (PII) for background investigations. The software hole had been there since July 2009.
“During the week of May 20, 2013, DHS is alerting employees of the potential vulnerability and outlining ways that they can protect themselves, including requesting fraud alerts and credit reports,” the DHS said in its statement “Privacy Response to Potential PII Incident.” DHS says software that an unnamed vendor uses to maintain a database of background investigations had a hole in it that left information including name, Social Security number, and date of birth open to potential unauthorized access.
DHS has set up a call center to address any employee concerns related to the notifications and is advising affected individuals concerned about potential fraud to consider taking certain measures, such as letting potential creditors know to contact them before opening a new account in their name. DHS also listed the three credit reporting firms, Equifax, Experian, and TransUnion, saying an individual can place a fraud alert.
DHS also indicated it’s in a legal confrontation with the unnamed vendor with this background investigations database and has raised a “stop work request” while engaging with the “vendor’s leadership to pursue all costs incurred mitigating the damages.” DHS is in talks with this unspecified vendor on “notification requirements for current contractors, inactive applicants and former employees and contractors.”
DHS was alerted by a law enforcement partner of the potential vulnerability, and says it took immediate steps to address the problem with the vendor. Though DHS does not know that PII related to this security hole has been stolen, it’s investigating the matter.
Employees who submitted background investigation information, and individuals who received a DHS clearance between July 2009 and May 2013, primarily for positions at the DHS headquarters, Customs and Border Protection (CBP), and Immigration and Customs Enforcement, may be affected.
Spreading word to former contacts
DHS also says it is making “every possible effort” to reach out to former employees, applicants, former contractors, and “similar individuals who received a DHS clearance that may be impacted.”
In its privacy notification alert, DHS sought to address concerns, such as whether employees should alert the contacts they provided for the background investigation. DHS says it has no reason to believe that kind of step is needed.
As to whether DHS will continue to work with the unnamed vendor whose software had the security hole, the Department indicated the CBP has put the brakes on work at this time while DHS is “evaluating all legal options.”
Hotel Lock Hack Still Being Used In Burglaries, Months After Lock Firm’s Fix
FORBES by Andy Greenberg 5/15/2013
More than nine months after the hotel lock firm Onity announced a fix for a security flaw that allowed anyone to gain access to millions of hotel rooms in seconds, that lock-hacking technique seems to be thriving–and thieves are still using it to perform dozens of burglaries with hardly a trace.
The latest reports of criminals implementing the Onity lock hack come from Arizona, where police say that hotel rooms have been burglarized across the cities of Phoenix, Scottsdale, Tempe, and Mesa, with between six and nine robberies in each city. In every case, police and hotel staff believe that the burglars used a small device that can be inserted into a data port on the underside of hotel locks to read their memory, access a digital key, and trigger the locks’ opening mechanism in seconds. The targeted hotels include the Holiday Inn, Extended Stay, Quality Inn, La Quinta Inn, Red Roof Inn, Motel Six, Budget Inn, Courtyard by Marriott, and Comfort Inn, according to a Phoenix police spokesperson.
The video below shows two of the suspects entering the Coast Hotel in Phoenix and allegedly leaving with a 27-year-old woman’s suitcases. Though the video footage doesn’t capture the accused thieves using the lock-hacking device to open the room’s door, police say that hotels found evidence in its lock’s memory that a device accessed the lock during the brief time when the men were in the building. That hacking device, which was first revealed by the security researcher and software developer Cody Brocious at the Black Hat security conference last year, can be built for less than $50, and spoofs the “portable programmer” used by hotel staff to change locks’ settings and open locks with depleted batteries.
Local police are offering a $1,000 reward for information about the suspects.
In cases at other hotels, thieves stole luggage, TVs, laptops, iPads, the gun and badge of a U.S. marshal, and the full uniform of an airline pilot, along with every other possession he’d left in the Tempe hotel room. “Since all my stuff was cleaned out, I thought I was in the wrong room,” pilot Ahmiel Fried told local news TV station ABC15, who first reported the break-ins. “[I was] not expecting everything to be gone.”
Phoenix police spokesperson Darren Burch says it’s still not clear how many people are exploiting the vulnerability in Onity’s locks to rob hotels, or even whether the Arizona burglaries were performed by a single group or by individuals working separately. But he warns that while he’s only aware of the Arizona thefts, it’s likely that the lock-hacking technique is being exploited across the country, and that it may be being used more often than it’s being reported. After all, Onity’s keycard locks protect more than four million rooms worldwide. “We’ve just learned about this locally, but it’s my understanding this is happening elsewhere,” Burch says. “This is just the tip of the iceberg.”
Given that some of the Arizona hotels are among the customers whose fixes Onity agreed to cover, it’s not clear how they’ve remained vulnerable. I’ve reached out to Onity for a response and will update this post if I hear from the company.
Microsoft to Close Critical IE Security Holes on Patch Tuesday
Security Week by Brian Prince May 9, 2013
Microsoft is prepping fixes for close to three dozen vulnerabilities for this month’s Patch Tuesday, including critical issues affecting Internet Explorer.
Tucked in among the 10 security bulletins is one aimed squarely at the Internet Explorer 8 zero-day vulnerability being exploited in the wild. Microsoft has already issued a “Fix It” tool this week to offer protection in lieu of a patch. According to the company, the issue is due to the way IE accesses an object in memory that has been deleted or that has not been properly allocated. By exploiting the issue, an attacker could potentially remotely execute code.
“In all cases, however, an attacker would have no way to force users to view the attacker-controlled content,” Microsoft noted. “Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker’s website, or by opening an attachment sent through email.”
The vulnerability has been at the center of a spate of water holing attacks that have roped in a number of sites, including the U.S. Department of Labor site.
All totaled, 33 vulnerabilities are expected to be fixed. Just two of the bulletins are rated ‘critical’, while the other eight are considered ‘important.’ Both critical bulletins address issues in Internet Explorer. The remaining bulletins are focused on issues in Windows, Microsoft Lync, Microsoft Office and Microsoft Windows Essentials.
“With ten bulletins, eight important this month, we have seen 45 to date in 2013, or 10 more bulletins than last year at this time,” said Paul Henry, security and forensic analyst at Lumension. “This tells me Microsoft is continuing to dig deeper into their code base to uncover lower level vulnerabilities. This is good news and I believe the trend toward higher numbers of important bulletins will continue given Microsoft’s apparent commitment to proactively discovering and patching security issues in their code.”
“As always, I recommend patching the important bulletins based on what programs you’re using,” he said. “Looking through the bulletins, Bulletin 4 is probably the most interesting, affecting all versions of Windows, from XP through Windows RT and Windows 8. This is a spoofing issue, which we don’t see very often in Microsoft bulletins. I’ll be very interested to see what this one turns out to be on Tuesday.”