Category Archives: Antivirus Vendors


Is backing up your data the same as exposing it? In this case – Yes!

Losing contacts from your mobile phone is highly inconvenient. There seems to be a solution: you can find them online! The catch? Your contacts are in a publicly accessible place.


Seriously.

If you care for your privacy you should always be suspicious about “Cloud Backup” solutions you find in the Google Play Store. The solution that is being analyzed here backs up your personal contacts online. In public.

Upon starting the application, you will find a screen where you can put your mobile number and a password of your choice. Then you can upload your contacts in the cloud.


A brief analysis inside this application shows us how exactly it backs up your contacts in the cloud. The contacts are associated with the phone number that you have given in the previous step and they are sent through HTTP POST requests in a PHP page.


Further analysis through IP traffic capturing with Fiddler helped us discover the results in the pictures above: a page located online, for anyone to see, that contains thousands of unencrypted entries of phone numbers and passwords. Using the info in the app you can retrieve personal private data (contacts) from another user.


We found login data inside those entries from countries like Greece, Brazil, and others.

The Play Store page says that this app has been installed 50.000-100.000 times. This is a big number of installations for an application that doesn’t follow basic secure Android coding practices. The developer must use technologies like HTTPS/SSL and encryption for the data that is transferred through the web and stored on the server. Nogotofail is a useful network security testing tool designed by Google “to help developers and security researchers spot and fix weak TLS/SSL connections and sensitive cleartext traffic on devices and applications in a flexible, scalable, powerful way.”
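The kind of cleartext check described above can be run over an exported traffic capture. The following Python sketch is an added example, not code from the original post or from nogotofail; the hosts, field names and sample requests are constructed, and the sensitive-field heuristics are assumptions to adapt to the app under test.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed heuristics: field names hinting at credentials or contact data,
# and values shaped like a phone number (optional +, 7 to 15 digits).
SENSITIVE_KEYS = re.compile(r"pass|pwd|phone|mobile|msisdn|contact|email", re.I)
PHONE_VALUE = re.compile(r"^\+?\d{7,15}$")

def parse_request(url, raw):
    """Return (method, scheme, host, fields) for one captured request."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method = lines[0].split(" ")[0]
    headers = {k.lower(): v for k, v in
               (l.split(": ", 1) for l in lines[1:] if ": " in l)}
    parts = urlsplit(url)
    fields = parse_qsl(parts.query, keep_blank_values=True)
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        fields += parse_qsl(body, keep_blank_values=True)
    return method, parts.scheme, parts.hostname, fields

def audit(captures):
    """List (method, host, leaked field names) for cleartext requests."""
    findings = []
    for url, raw in captures:
        method, scheme, host, fields = parse_request(url, raw)
        if scheme != "http":
            continue  # sent over TLS: not readable by a passive observer
        leaked = sorted({k for k, v in fields
                         if SENSITIVE_KEYS.search(k) or PHONE_VALUE.match(v)})
        if leaked:
            findings.append((method, host, leaked))
    return findings

# Constructed sample capture (hypothetical hosts and field names).
FORM = ("POST /save.php HTTP/1.1\r\nHost: backup.example\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        "mobile=306900000000&password=hunter2&name=Alice&number=%2B5511900000000")
CAPTURES = [
    ("http://backup.example/save.php", FORM),
    ("https://backup.example/save.php", FORM),
    ("http://cdn.example/logo.png?v=3",
     "GET /logo.png?v=3 HTTP/1.1\r\nHost: cdn.example\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in audit(CAPTURES):
        print(finding)
```

Only the plain-HTTP form post is reported; the same request over HTTPS and the static image fetch produce no finding.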

The application has been reported to Google without receiving any response.

Avast detects it as Android:DataExposed-B [PUP].

Samples (SHA-256):

F51803FD98C727F93E502C13C9A5FD759031CD2A5B5EF8FE71211A0AE7DEC78C
199DD6F3B452247FBCC7B467CB88C6B0486194BD3BA01586355BC32EFFE37FAB

Sony hacking: were PlayStation servers used to spread stolen data?

Following the release of confidential documents and four unreleased films, as reported by We Live Security here, the bad news for Sony continued as it was reported that the company’s own PlayStation servers were used to distribute the stolen data, The Independent reports.

The post Sony hacking: were PlayStation servers used to spread stolen data? appeared first on We Live Security.

With NFC, even the most expensive smartphones are vulnerable


Nowadays we are defined by our phones. When you buy a smartphone, you automatically become a convert, defending the benefits of your particular brand over others. Some users become part of the Apple faithful, flocking to their exclusive stores to buy designer iPhones. Others are Google fanatics, with alerts set in their Nexus 5 to warn of the imminent arrival of Nexus 6. Compulsive Amazon shoppers click away on their Fire Phone cart, while traditionalists continue to trust in the numerous and much-lauded features of Samsung Galaxy.

Unless you are one of those who have joined the retro phone trend and renounced WhatsApp forever, we are sorry to inform you that your smartphone, whatever the make, has a security flaw. Specifically, in the use of NFC (‘Near Field Communication’), a wireless communications system that lets you transfer data at high frequency over short distances, at a range of 10 centimeters. In fact, NFC is a subset of RFID (Radio-frequency identification) systems that have been used for years now to identify pets (microchips). So if dogs can be recognized through this system, why not phones?

In smartphones, NFC allows data to be exchanged between devices, although a more interesting use for this technology is that it allows our phones to be used as credit cards.


You can already use your NFC to pay for things thanks to Google and its PassWallet app. Apple, not wanting to be left behind, has introduced the Apple Pay system with iPhone 6. And now banks are getting on the mobile payment technology bandwagon. In the future, we will even be able to use phones as subway tickets or door keys. NFC offers the potential for all-in-one devices with myriad uses.

If you weren’t previously aware of this technology, then you must be marveling at the thought of not having to rummage around drawers looking for your wallet or keys. Well, it’s true, but don’t get too excited. Even though the system operates over very short distances, it still has security flaws. In the recent Pwn2Own Mobile 2014 competition in Tokyo, where there was a reward of US$150,000 (€120,000) for the sharpest hackers on the planet, security flaws were detected in the NFC systems of many top-of-the-range phones.

Two separate groups of experts demonstrated during the competition different ways of compromising the NFC technology on Samsung Galaxy S5. These hackers are two-nil up on one of the most prestigious smartphones on the market.


Even the all-powerful Google has been unable to keep its precious Nexus 5 free from security problems. In the Pwn2Own Mobile 2014 competition, a third NFC attack forced the pairing of devices thanks to a combination of two malicious programs.

And it’s not the first time that an NFC security hole has been uncovered in Google’s device. Charlie Miller, an ‘ethical hacker’, was able to communicate with a Nexus S through a chip placed near the device, as he demonstrated at Black Hat 2012 in Las Vegas. After this he forced the phone to enter a malicious website, from where he took complete control of the phone by exploiting the NFC vulnerability. The Nokia N9 was also subject to the same attack on this occasion.

Although there can be no doubt that the detection of these flaws improves the security of our smartphones, perhaps for the moment at least we all feel a little safer keeping our money and the keys to our houses in our pockets, handbags or under a pile of papers on our desks. Even the sharpest hacker would find it difficult to exploit a security hole there.

Nevertheless, your NFC could still be useful for many things. And no doubt it will gradually become more secure. For the moment, fans of Nexus 6 are looking forward to getting their hands on it, and plans are afoot to unlock the phone automatically with the help of an NFC ring on the user’s finger. Could the phone’s PIN also be hacked? Let’s see.

The post With NFC, even the most expensive smartphones are vulnerable appeared first on MediaCenter Panda Security.

Addressing A New Generation of Mobile Threats Through Innovation

What inspires our innovation most is our customers – and finding solutions to better protect them, their personal data and their devices. In order to do this, we are constantly tracking new security threats in today’s ever-changing digital world.

As a starting point for the day, we showed a Live Global Threat Map. This dynamic map provides a snapshot of virus/malware activity we are tracking real-time on PCs and mobile devices all around the world. On our map, you can zoom in and actually see the number of infections in each country over a period of time. With 188 million active users, 90 million of which are mobile, we have a pretty good pulse on the threats around the world.

Most of our demos for the day were focused on the new generation of attacks uniquely focused on mobile functionality. While the first generation of mobile attacks were primarily using vectors and methods used in the PC world, now we are starting to see the second generation mobile attacks.

These new attacks include the use of voice, social engineering, rogue access points and exploitation of various vulnerabilities in apps.

Here are a few of the mobile threats we demoed:

Voice Activation

Voice activated software is a standard feature on smartphones and is also appearing in smart TVs and other Internet-connected devices. It also, unfortunately, can be used maliciously. Did you know some applications can respond to voice, even when a phone is locked? We demonstrated how the mobile operating system will respond to a synthetic voice and allow a malicious app to bypass the limitations of a locked device or permissions, allowing it to call a phone number, send mail and other malicious actions. The flaw is very simple and it impacts a broad range of products utilizing voice activation technologies; they simply do not authenticate the source of the voice.

App Vulnerabilities

In the PC world, software can be distributed and installed on the PC from any source. As a result we are seeing many malicious programs impacting this platform. The mobile world has learned this lesson and is centralizing app distribution via app stores. This approach improves control and allows the apps to be scanned for malicious intent. However, the fact that an app is not malicious doesn’t mean it isn’t vulnerable. We showed an app available on an app store that was downloaded over 5 million times, but is vulnerable. Our demo showed how easy it would be to exploit the vulnerability and take over the mobile device remotely, allowing streaming video and voice from the device to the hacker.

iOS Threats

All mobile platforms share security issues and we at AVG always keep an eye on emerging threats in all mobile platforms. For example, we demoed the recent Apple iOS “Masque Attack” technique. This technique allows an attacker to substitute malware for a legitimate iOS application under a limited set of circumstances. It works by luring users to install an application from a source other than the iOS app store or their organization’s provisioning system, such as one delivered through a phishing link. This technique takes advantage of a security weakness that allows an untrusted application with the same “bundle identifier” as that of a legitimate application to replace the legitimate application on an affected device, while keeping all of the user’s data. This vulnerability exists because iOS does not enforce matching certificates for applications with the same bundle identifier. Apple’s own iOS platform apps, such as Mobile Safari, are not vulnerable. In our demo we created a malicious iOS application named ‘FakeBook’ that steals all the user’s data that the legitimate Facebook application has access to.
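The missing check described above, and a way to spot its effect in a device app inventory, can be modelled in a few lines. This Python sketch is an added example, not AVG's demo code or Apple's installer logic; the bundle identifier, signer names and the inventory format are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    bundle_id: str
    signer: str   # signing certificate identity (constructed placeholder)
    source: str   # "app_store", "enterprise" or "link"

def install(device, app, enforce_signer_match):
    """Install app on device (dict: bundle_id -> App); return (ok, reason).
    User data is keyed by bundle_id, so a replacement inherits it."""
    current = device.get(app.bundle_id)
    if current and enforce_signer_match and current.signer != app.signer:
        return False, "signer mismatch for existing bundle identifier"
    device[app.bundle_id] = app
    return True, ("replaced existing app" if current else "new install")

def audit_inventory(expected_signers, inventory):
    """Return bundle ids whose installed signer differs from the expected one."""
    return sorted(a.bundle_id for a in inventory
                  if a.bundle_id in expected_signers
                  and expected_signers[a.bundle_id] != a.signer)

# Constructed sample data (hypothetical identifiers).
LEGIT = App("com.example.social", "SIGNER-LEGIT", "app_store")
LOOKALIKE = App("com.example.social", "SIGNER-OTHER", "link")
EXPECTED = {"com.example.social": "SIGNER-LEGIT"}

def demo():
    """Run the same replacement under both policies."""
    weak, strict = {}, {}
    install(weak, LEGIT, False)
    install(strict, LEGIT, True)
    weak_result = install(weak, LOOKALIKE, False)
    strict_result = install(strict, LOOKALIKE, True)
    return (weak_result, strict_result,
            audit_inventory(EXPECTED, weak.values()),
            audit_inventory(EXPECTED, strict.values()))

if __name__ == "__main__":
    print(demo())
```

With signer matching enforced the replacement is refused; without it, the inventory audit is what surfaces the changed signer.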

Visual ID Hijacks

Malicious apps that assume visual identification of a “real” well-known brand (think about banking and social media applications) can replace a legitimate app and wreak havoc. Take Droidphish, a new attack vector we discovered, for example. If a hacker registers with a specific URL, when a link within the real app or even on a web page is clicked, the malicious app can assume the identity of the legitimate application. In our demo, the attacker gains complete control over your device, your email and data, even to the point of taking a photo of you using the device.

Texting Hijinks

We’ve all been warned to beware of URLs sent via a text (SMS) message. When clicked, they can redirect you to a malicious website. In our demo we showed media that a malicious app can even read and reply to incoming text messages without any visual appearance and without the owner of the device being aware that something is going on!

Cross-Platform Infection

Another demo scenario involved an app that creates a malicious PDF that is later automatically synced, via a cloud-based file sharing service like Dropbox, between a PC and mobile device, infecting the other device without the user even knowing. Imagine if the PDF had an “interesting” name that may trick the user into opening it.

Wi-Fi Hacks

We are constantly warned that public open Wi-Fi is unsafe, but there are millions of public Wi-Fi hot spots open and that means a lot of security risks ahead. Here are three scenarios we demonstrated on public Wi-Fi:

  • Sniffing – Via free Wi-Fi, anyone sitting next to you in a coffee shop could be looking at the traffic you are sending if your data is unencrypted, including your chats, messages, emails etc.
  • Spoofing – You connect to a malicious hotspot thinking it is legitimate, i.e. it could be named for a well-known coffee shop. (A colleague in Amsterdam ran an experiment and 60 people connected to his network in less than an hour!)
  • Tracking – Walk into a retail store and SSID info allows tracking of your location. In some cases, a trusted retailer may be seeking to personalize your experience when you walk into a department. But in other cases, the tracking could be for nefarious purposes.

For these very scenarios, our Innovations Labs team created AVG Wi-Fi Assistant to smartly turn your Wi-Fi on/off along with a secure Virtual Private Network (VPN) service – so that no one can track you through Wi-Fi, or look at your data being transmitted. Additionally, AVG Wi-Fi Assistant also offers substantial battery life improvements.

Finally, we also demoed some current innovative mobile security products that help people protect themselves: AVG Zen and new apps from Location Labs, a new AVG company.

This was our first Experiential Lab day and we look forward to hosting many more in the future!