Socat Warns Weak Prime Number Could Mean It’s Backdoored

Socat published a security advisory warning users that a hard-coded 1024-bit Diffie-Hellman modulus was not actually prime, and that an attacker able to eavesdrop on a key exchange could recover its secrets.
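The defensive takeaway from the socat advisory is that a Diffie-Hellman group shipped in code should be validated, not trusted. The following is an added example (not socat's code) that checks a (p, g) pair with a Miller-Rabin primality test and a safe-prime check; the moduli used in the demo are small constructed values, not the socat parameter.

```python
import secrets


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin test: returns False for composites, True with high
    probability for primes (40 rounds gives an error bound of about 2^-80)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:          # write n-1 as d * 2^r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)   # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # 'a' witnesses that n is composite
    return True


def check_dh_params(p: int, g: int, min_bits: int = 2048) -> list[str]:
    """Return the problems found with a hard-coded DH group (empty = OK)."""
    problems = []
    if p.bit_length() < min_bits:
        problems.append(f"modulus is only {p.bit_length()} bits; want >= {min_bits}")
    if not is_probable_prime(p):
        # This is the socat-style failure: a composite "prime" breaks the
        # hardness assumption the key exchange relies on.
        problems.append("modulus p is not prime")
    elif not is_probable_prime((p - 1) // 2):
        problems.append("p is prime but not a safe prime ((p-1)/2 is composite)")
    if not 1 < g < p - 1:
        problems.append("generator g is out of range")
    return problems


if __name__ == "__main__":
    # Constructed demo values: 2^128+1 is a known composite (F7).
    print(check_dh_params(2**128 + 1, 2, min_bits=64))   # ['modulus p is not prime']
    print(check_dh_params(23, 5, min_bits=5))            # [] (23 is a safe prime)
```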

Android has some critical remotely-exploitable security holes. But can you get the patch?

Remote code execution vulnerabilities have been found in the Android operating system, and patches released for Nexus devices.

But what about your smartphone? Is there a patch for you, and can you get your hands on it?

The post Android has some critical remotely-exploitable security holes. But can you get the patch? appeared first on We Live Security.

US man jailed for massive SMS spam operation – How to avoid becoming a victim

From offering discounted sunglasses (designer label, of course) to gift card for well-known stores, the world of SMS spam is one that continues to trick unwitting victims. You’d think that by now we would all be aware of the scams behind these messages which we receive on our mobile devices, but with these spammers becoming increasingly desperate to make a quick buck, they are using all manner of tactics to dupe their victims.

Luckily, the authorities are taking spam campaigns seriously. Just this week a US judge ordered Phillip Fleitz, a 37-year-old native of Pennsylvania, to 27 months in federal prison for his role in a massive spam campaign.


Over the course of nearly 2 years, the spammer sent millions of illegal spam messages to US and international cellphones and computers. With the help of two accomplices, Fleitz managed to earn between $2,000 and $3,000 per month by violating a 2003 law designed to protect cellphone and computer users from unwanted marketing and pornography emails and text messages.

The trio carried out their attacks by operating computer servers from China and using them to infiltrate the personal computers of millions of people worldwide. Naveed Ahmed, one of the accomplices, wrote a program that helped match cellphone numbers with their carriers. That allowed the scammers to bombard the phones with unsolicited messages.

The computer and text-message spam both included internet links. Those who received the text messages were told they had won gift cards that could be accessed by clicking on the links. In reality, those who followed the links were directed to web pages controlled by internet “cost per action” networks – marketing companies that collect email addresses and other personal information. Such companies are legal but using spam to drive traffic to them is not.

So, with this in mind, what steps can you take if you receive unwanted spam on your cellphone? You’re in luck, as the latest Apple and Android cellphones allow users to block spam with relative ease.

iPhone users

If you have iOS 7 or later installed, open the spam message, tap the contact, then tap the “i” button that appears. A small, mostly blank contact card will pop up; scroll down and select “Block this contact”.

To check out all of the numbers and spammers that you have blocked, you can view them in your message settings by scrolling down to Blocked.

Android users

For users of this operating system, blocking spammers is a little trickier but can still be done. First of all, the built-in messaging app doesn’t allow you to block anybody, so you’ll need to get an app from the Google Play store (remember to only download apps from official or trusted sources).

The apps available offer different forms of spam-blocking assistance – from ones that allow you to create a blacklist of contacts to others that automatically flag suspicious messages as spam.

If your Android device has been updated to KitKat (you can verify this in the “About Phone” section of your settings; if it’s 4.3 or above then it’s on KitKat), things are a little more complicated again. However, you can install Google Hangouts, which not only sends and receives standard SMS messages but also lets you place spammers on a “blocked” list.

The post US man jailed for massive SMS spam operation – How to avoid becoming a victim appeared first on MediaCenter Panda Security.

They Named it — Einstein, But $6 Billion Firewall Fails to Detect 94% of Latest Threats


The US government’s $6 Billion firewall is nothing but a big blunder.

Dubbed EINSTEIN, the nationwide firewall run by the US Department of Homeland Security (DHS) is not as smart as its name suggests.
An audit conducted by the United States Government Accountability Office (GAO) has claimed that the firewall used by US government agencies is failing to fully meet its objectives and leaving the agencies open to zero-day attacks.

EINSTEIN, which is officially known as the US National Cybersecurity Protection System (NCPS) and has cost $5.7 Billion to develop, detects only 6 percent of today’s most common security vulnerabilities and fails to detect the remaining 94 percent.

How bad is EINSTEIN Firewall in reality?

In a series of tests conducted last year, Einstein only detected 29 out of 489 vulnerabilities across Flash, Office, Java, IE and Acrobat disclosed via CVE reports published in 2014, according to a report [PDF] released by the GAO late last year.
Among the extraordinary findings is that the system is:
  • Unable to monitor web traffic for malicious content.
  • Unable to uncover malware in a system.
  • Unable to monitor cloud services either.
  • Only offers signature-based threat and intrusion detection, rather than monitoring for unusual activity.
Yes, Einstein only carries out signature-based threat and intrusion detection, which means the system behaves like a dumb terminal that waits to be told what to look for, rather than searching for unusual activity itself.

Einstein Uses Outdated Signatures Database

In fact, more than 65 percent of intrusion detection signatures (digital fingerprints of known viruses and exploit code) are outdated, making Einstein wide open to recently discovered zero-day vulnerabilities.
However, in response to this, DHS told the GAO that Einstein was always meant to be a signature-based detection system only. Here’s what the department told the auditors:

“It is the responsibility of each agency to ensure their networks and information systems are secure while it is the responsibility of DHS to provide a baseline set of protections and government-wide situational awareness, as part of a defense-in-depth information security strategy.”

Einstein is Effectively Blind

If this wasn’t enough to judge the worth of the $6 Billion firewall, Einstein is effectively blind.
The Department of Homeland Security (DHS), which is behind the development of Einstein, has not included any feature to measure the system’s own performance, so the system doesn’t even know whether it is doing a good job or not.

So, “until its intended capabilities are more fully developed, DHS will be hampered in its abilities to provide effective cybersecurity-related support to federal agencies,” reads the report.

Einstein was originally developed in 2003 to automatically monitor agency network traffic, and was expanded in 2009 to offer signature-based detection as well as malware-blocking abilities.
Most of the 23 agencies are actually required to implement the firewall, but the GAO found that only 5 of them were utilising the system to deal with possible intrusions.
Despite $1.2 Billion having been spent in 2014 and $5.7 Billion on the project in total, Einstein still only monitors certain types of network flaws, with no support for monitoring web traffic or cloud services.

Microsoft Starts automatically Pushing Windows 10 to all Windows 7 and 8.1 Users


As warned last year, Microsoft is pushing Windows 10 upgrades onto its users’ PCs much harder by re-categorizing Windows 10 as a “Recommended Update” in Windows Update, instead of an “optional update”.
Microsoft launched Windows 10 earlier last year and offered the free upgrade to Windows 7, Windows 8 and 8.1 users. While the company has been successful in getting Windows 10 onto more than 200 Million devices, Microsoft wants to be a lot more aggressive this year.
So, if you have enabled Automatic Windows Update on your Windows 7, 8 or 8.1 machine to install critical updates, like security patches, you should watch your step because…
…From Monday, Windows Update will start upgrading your PC to the newest Windows 10 as a recommended update, Microsoft confirmed.
This means the Windows 10 upgrade process will download and start on hundreds of millions of devices automatically.
The move is, of course, part of Microsoft’s goal to get Windows 10 running on 1 Billion devices within 2-3 years of its release.
The market share of Windows 10 is on the rise. It had already grabbed a market share of 11.85% as of January 2016, up from 9.96% in December. But Windows 7 is still running on over 50% of all PCs in the world, so converting even half of its user base would bring Microsoft very near to its goal.

“As we shared in late October on the Windows Blog, we are committed to making it easy for our Windows 7 and Windows 8.1 customers to upgrade to Windows 10,” a Microsoft spokesperson said. “We updated the update experience today to help our clients, who previously reserved their upgrade, schedule a time for their upgrade to take place.”

This means that if the ‘Give me recommended updates the same way I receive important updates’ option in the Windows Update section is enabled on your PC, the Windows 10 update will not only be downloaded but the installation will also be started automatically.
You also need to stay alert because even if you have opted for manual updates you may still end up downloading Windows 10 anyway, as Windows Update automatically pre-selects the option for you, with no need for you to tick the box to get it.
However, the company says that you won’t be forced to upgrade to the creepy OS, as there will still be a prompt window that requires you to click through and confirm the Windows 10 upgrade after the files have silently been downloaded and unpacked in the background.
Even if the Windows 10 upgrade is accidentally completed, there is still a way to opt out of it. Microsoft is offering a 31-day grace period in which you will be able to revert to your old installation after trying Windows 10 and deciding you do not like the operating system.
Though we suspect Microsoft will push just as aggressively against reverting.