NICHOLAS CONFESSORE, GABRIEL J.X. DANCE, RICHARD HARRIS and MARK HANSEN JAN. 27, 2018
THE REAL JESSICA RYCHLY is a Minnesota teenager with a broad smile and wavy hair. She likes reading and the rapper Post Malone. When she goes on Facebook or Twitter, she sometimes muses about being bored or trades jokes with friends. Occasionally, like many teenagers, she posts a duck-face selfie.
But on Twitter, there is a version of Jessica that none of her friends or family would recognize. While the two Jessicas share a name, photograph and whimsical bio — “I have issues” — the other Jessica promoted accounts hawking Canadian real estate investments, cryptocurrency and a radio station in Ghana. The fake Jessica followed or retweeted accounts using Arabic and Indonesian, languages the real Jessica does not speak. While she was a 17-year-old high school senior, her fake counterpart frequently promoted graphic pornography, retweeting accounts called Squirtamania and Porno Dan.
All these accounts belong to customers of an obscure American company named Devumi that has collected millions of dollars in a shadowy global marketplace for social media fraud.
Smartphones know an awful lot about us. They know if we’re in a car that’s speeding, and they know when we’re walking, running, or riding in a bus. They know how many calls we make and receive each day and the precise starting and ending time of each one. And of course, they know the personal identification numbers we use to unlock the devices or to log in to sites that are protected by two-factor authentication. Now, researchers have devised an attack that makes it possible for sneaky websites to surreptitiously collect much of that data, often with surprising accuracy.
The demonstrated keylogging attacks are most useful at guessing digits in four-digit PINs, with a 74-percent accuracy the first time it’s entered and a 94-percent chance of success on the third try. The same technique could be used to infer other input, including the lock patterns many Android users rely on to lock their phones, although the accuracy rates would probably be different. The attacks require only that a user open a malicious webpage and enter the characters before closing it. The attack doesn’t require the installation of any malicious apps.
HP is selling more than two dozen models of laptops and tablets that covertly monitor every keystroke a user makes, security researchers warned Thursday. The devices then store the key presses in an unencrypted file on the hard drive.
The keylogger is included in a device driver developed by Conexant, a manufacturer of audio chips that are included in the vulnerable HP devices. That’s according to an advisory published by modzero, a Switzerland-based security consulting firm. One of the device driver components is MicTray64.exe, an executable file that allows the driver to respond when a user presses special keys. It turns out that the file sends all keystrokes to a debugging interface or writes them to a log file available on the computer’s C drive.
People with cracked touch screens or similar smartphone maladies have a new headache to consider: the possibility the replacement parts installed by repair shops contain secret hardware that completely hijacks the security of the device.
The concern arises from research that shows how replacement screens—one put into a Huawei Nexus 6P and the other into an LG G Pad 7.0—can be used to surreptitiously log keyboard input and patterns, install malicious apps, and take pictures and e-mail them to the attacker. The booby-trapped screens also exploited operating system vulnerabilities that bypassed key security protections built into the phones. The malicious parts cost less than $10 and could easily be mass-produced. Most chilling of all, to most people, the booby-trapped parts could be indistinguishable from legitimate ones, a trait that could leave many service technicians unaware of the maliciousness. There would be no sign of tampering unless someone with a background in hardware disassembled the repaired phone and inspected it.
Security researchers have unearthed a sprawling list of login credentials that allows anyone on the Internet to take over home routers and more than 1,700 “Internet of things” devices and make them part of a destructive botnet.
The list of telnet-accessible devices, currently posted at this Pastebin address, was first posted in June, but it has been updated several times since then. It contains user names and passwords for 8,233 unique IP addresses, 2,174 of which were still running open telnet servers as of Friday morning, said Victor Gevers, chairman of the GDI Foundation, a Netherlands-based nonprofit that works to improve Internet security. Of those active telnet services, 1,774 remain accessible using the leaked credentials, Gevers said. In a testament to the poor state of IoT security, the 8,233 hosts use just 144 unique username-password pairs.
It is likely that criminals have been using the list for months as a means to infect large numbers of devices with malware that turns them into powerful denial-of-service platforms. Still, for most of its existence, the list remained largely unnoticed, with only some 700 views. That quickly changed Thursday with this Twitter post. By Friday afternoon, there were more than 13,300 views.
Applications, operating systems, and firmware all need to be updated to defeat Meltdown and protect against Spectre, two attacks that exploit features of high-performance processors to leak information and undermine system security. The computing industry has been scrambling to respond after news of the problem broke early a few days into the new year.
But that patching is proving problematic. The Meltdown protection is revealing bugs or otherwise undesirable behavior in various drivers, and Intel is currently recommending that people cease installing a microcode update it issued to help tackle the Spectre problem. This comes as researchers are digging into the papers describing the issues and getting closer to weaponizing the research to turn it into a practical attack. With the bad guys sure to be doing the same, real-world attacks using this research are sure to follow soon.
Back when initially releasing its Windows patch, Microsoft acknowledged incompatibilities with some anti-virus software. To receive the Meltdown and Spectre fixes, anti-virus software on Windows is required to create a special registry entry indicating that it’s compatible.
WikiLeaks: CIA Has Targeted Everyday Gadgets for Snooping
3/8/2017
Anick Jesdanun
US News
WikiLeaks has revealed yet another set of CIA-centered documents revealing that the agency uses technology like smart TVs to monitor Americans’ everyday goings-on, weeding through personal conversations held in citizens’ homes. The site has yet to release specifics of the “hacks,” citing a desire to wait “‘until a consensus emerges’ on the nature of the CIA’s program and now the methods should be ‘analyzed, disarmed and published.’” These documents, if released in full, could contain detailed information for anyone who reads them to have the same access the CIA has.
WikiLeaks itself claims that the CIA’s access to the data available from phones and TVs relies heavily on security vulnerabilities within the software of these devices, which they have yet to disclose to the developers of said technology. These vulnerabilities, obviously, are accessible to anyone who finds them, potentially leaking this same information to malicious entities as well.
Yet more worrying is that WikiLeaks claims that the CIA has found ways to abuse these vulnerabilities to intercept data before encryption or after decryption, leaving even supposedly protected information passed through apps like WhatsApp in fact vulnerable. Additionally, WikiLeaks claims that the CIA makes use of virus-like secretive applications that target Windows PCs.
Developers of the widely used LastPass password manager are scrambling to fix a serious vulnerability that makes it possible for malicious websites to steal user passcodes and in some cases execute malicious code on computers running the program.
The flaw, which affects the latest version of the LastPass browser extension, was briefly described on Saturday by Tavis Ormandy, a researcher with Google’s Project Zero vulnerability reporting team. When people have the LastPass binary running, the vulnerability allows malicious websites to execute code of their choice. Even when the binary isn’t present, the flaw can be exploited in a way that lets malicious sites steal passwords from the protected LastPass vault. Ormandy said he developed a proof-of-concept exploit and sent it to LastPass officials. Developers now have three months to patch the hole before Project Zero discloses technical details.
Malicious Microsoft Word documents that abuse macros have long been the bane of Windows users. Now, security researchers have found what may be the first such real-world attack to infect Macs.
The attack was found in a Word file titled “U.S. Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace.”
Two years ago, researchers at Moscow-based Kaspersky Lab discovered their corporate network was infected with malware that was unlike anything they had ever seen. Virtually all of the malware resided solely in the memory of the compromised computers, a feat that had allowed the infection to remain undetected for six months or more. Kaspersky eventually unearthed evidence that Duqu 2.0, as the never-before-seen malware was dubbed, was derived from Stuxnet, the highly sophisticated computer worm reportedly created by the US and Israel to sabotage Iran’s nuclear program.
Recent Comments