AIG Launches New Cyber Threat Analysis Service to Understand Cyber Risks

American International Group Inc. (AIG), an American multinational insurer, has launched a new cyber threat analysis system.

The system scores companies on how badly a cyber attack could affect their business and what it could cost, and compares a company's risk of a breach with the safeguards it has in place.

Tracy Grella, AIG's Global Head of Cyber Risk Insurance, said in an interview: "AIG's underwriters have been using the computerized analysis since November, which combines information from a new insurance application designed for the process and data about current cyber threats to generate scores on various related factors."

With cyber threats to businesses mounting, the system is meant to give a measure of the risk a business carries, so that it can be taken into account when cyber coverage is written.

This follows AIG's announcement in October that it would review all coverage types for cyber risk and give customers a clear picture of their cyber coverage and estimated financial exposure. It will also produce a cyber-risk report for customers, with the analysis scores, for understanding and comparison.

AIG also announced on Tuesday a partnership with the cybersecurity companies CrowdStrike Inc and Darktrace to launch CyberMatics, a service that verifies the information AIG receives from customers' cybersecurity tools.

Darktrace Chief Executive, Nicole Eagan, said, “The service uses artificial intelligence, or the ability of machines to carry out tasks normally associated with human intelligence, to look inside an insured company’s network for strengths and vulnerabilities.”

Grella said that while companies are not required to use the service, those that do may be able to negotiate more favourable policy terms.

Russia to create a national Internet filtering system that allows only whitelisted sites

By 2020 Russia plans to launch a national web-filtering system intended to protect children from negative and dangerous content.

Denis Davydov, head of the Secure Internet League, said there are two versions of the project:

1. Traffic filtering in educational institutions.

2. Traffic filtering by default for all users.

Under the second option users would still be able to access unfiltered content, by submitting a written request to their provider or by unticking a checkbox in their account settings.

The Secure Internet League already maintains a "white list" of websites, currently containing more than 1 million resources.

Igor Ashmanov, an IT businessman, thinks the idea of website "white lists" is not viable. In his view, what is important and necessary is a system of "smart" real-time filtering that blocks prohibited content.

"We support the idea of restricting children's access to unwanted content and have been working in this direction for a long time," said Julia Dorokhina, the official representative of MegaFon.

- Christina

CERT-In empanelment norms may be suboptimal for national cyber security

"IT Security compliance is a mandatory requirement for the critical sector organizations. Due to a Government directive or prevailing legal / regulatory provisions, only CERT-In empanelled IT Security auditing organisations are eligible to carry out such IT Security audits." - Guidelines for applying to CERT-In for Empanelment of IT Security Auditing Organisations

The Indian Computer Emergency Response Team (CERT-In) no doubt had the best intentions when it issued its guidelines. But, as they say, the best-laid plans sometimes go awry, and that may well be the outcome of some of the technical qualifications the guidelines specify.

Why should CERT-In be in the business of empanelling organisations or pre-qualifying the security industry? Neither in the US nor in the UK, for example, do the respective CERTs get involved in such matters. Does CERT-In empanelment guarantee anything, or is it just another item on a bureaucratic checklist? The practice also flies in the face of the Government's commitment to "less government and more governance", and the empanelment norms may result in regulatory capture.

Pre-qualification criteria such as a minimum number of technical staff, formal qualifications, formal experience and a set number of formal audits within a specified time frame may be acceptable for financial audits, medical audits or bridge inspections, but they make little sense in cyber security.

The best in cyber security in India, indeed the world over, are freelancers: young kids and hackers who are on the Halls of Fame of companies such as Google, Facebook and Microsoft for having discovered vulnerabilities that slipped past hundreds of highly qualified and experienced domain experts in those organisations. These freelancers have no certifications, no formal qualifications and no formal audit experience, and many will never work formally for any organisation.

Countries like the US have realised this. Instead of concentrating on a few empanelled entities, organisations there focus on 0 Day exploit finders and bug bounty hunters. They recognise that the main threat comes from hundreds of highly motivated (if maliciously so), highly skilled, highly unconventional individuals working alone or in informal partnerships. Cyber risks are asymmetric, unconventional and global, and they need a matching response.

Empanelment can also breed complacency, a false sense of security, whereas effective cyber security needs a degree of paranoia. Will anyone get fired for ineffective cyber security if the security audit was done by a CERT-In empanelled firm? Will CERT-In formally certify an organisation's cyber security preparedness if the audit is done by an empanelled firm? Will CERT-In and the empanelled firms provide financial guarantees to back up their audits?

It is commonly known that ISO 27001, as implemented by auditors in India, concentrates on process rather than on ferreting out vulnerabilities. Of the 25 organisations CSPF has done security consulting for, 21 suffered a hacker attack despite being certified by auditors; the certification did not stop hackers from gaining access to their data. All 25 held ISO 27001 certification and were conducting vulnerability assessments and penetration tests every 3 months as part of their ISO 27001 compliance. When CSPF did an APT assessment after the incidents, it found that their websites still had simple vulnerabilities such as CSRF and SQL injection (roughly 3 of the 10 OWASP Top 10 categories). In over 50% of cases, the APT attack or cyber espionage was formally discovered only 7-8 months after the actual event.

0 Day exploits, which target vulnerabilities the software vendor does not yet know about, are among the most potent tools black hat hackers use in cyber attacks. How many cases does one know of black hats revealing their 0 Days, least of all to security auditors? They make more money selling them to national security agencies or governments for use as espionage tools.

To counter black hats one needs equally motivated, unconventional and highly skilled white hats, who are more often than not lone wolves. Some of the best white hats this writer knows of have not even passed Std 10, yet are on the Google Hall of Fame. This is the talent India needs to leverage, and talent India cannot afford to waste.

Critical infrastructure organisations and businesses in India need to look beyond CERT-In empanelled security auditors. Formal rules and norms apart, organisations need to set up liberal bug bounty programs and invite independent bug bounty hunters to take a crack at them. That alone will separate the men from the boys.

J Prasanna, Founder, Cyber Security & Privacy Foundation

High school teen claims he hacked the CIA Director's personal account

An American high school student says he hacked the personal email account of Central Intelligence Agency (CIA) Director John Brennan, and law enforcement sources have confirmed the claim.

Brennan's private account held sensitive files, including the 47-page SF-86 application he had filled out to obtain top-secret security clearance, until he recently learned the account had been infiltrated.

SF-86 applications are used by the government to conduct background checks. They contain a great deal of sensitive data about workers seeking security clearance and about their friends, spouses and other family members, including criminal history, psychological records and past drug use, as well as potentially sensitive details of the applicant's interactions with foreign nationals, which could be used against those nationals in their own countries.

The hacker said the director had stored the information in his personal AOL account, which reportedly also held the Social Security numbers of more than a dozen senior American intelligence officials and a document on "harsh interrogation techniques" used on terrorism suspects.

The high school student has not given his name or where he lives, but according to his social media posts he was motivated to go after the CIA director because he opposes US foreign policy and supports Palestine. Although he says he is not Muslim, his Twitter page reportedly quotes the Quran and speaks of Allah as the one true God.

He also said that he and a classmate would tweet "CWA owns John Brennan of the CIA" as a means of verifying his control over the @phphax Twitter account.

CWA stands for "Crackas with Attitude".

He not only broke into Brennan's account but also posted some of the stolen documents and a portion of Brennan's contact list on Twitter.

The teen claimed he has repeatedly prank-called America’s top spy since August, once reciting Brennan’s Social Security number to him.

The teen first told the New York Post that he used "social engineering" to get into the account: he posed as a Verizon worker to trick a Verizon employee into handing over details of Brennan's account, then used those details to dupe AOL into resetting the password.

The hacker did not work alone; other, unknown people were involved. The team first did a reverse lookup of Brennan's mobile number and discovered that he was a Verizon customer, after which one of them posed as a Verizon technician and called the company asking for details about Brennan's account. The weak link, in other words, was the account-recovery path rather than the mailbox password: a carrier support line that discloses account details to a caller, and a mail provider whose reset process accepts those details as proof of identity.

Brennan’s account was disabled as of Friday.

In a statement, the CIA said: “We are aware of the reports that have surfaced on social media and have referred the matter to the appropriate authorities.”

The Federal Bureau of Investigation (FBI) and other federal agencies have started investigating the hacker, and criminal charges are possible.

Apart from Brennan's account, the hackers also broke into the Comcast account of Homeland Security Secretary Jeh Johnson.

News of the breach comes in the midst of another email scandal, involving Hillary Clinton, who has been under fire for months over a private server and email account she used for official work.

If the director of the CIA kept such information in a personal account, it would violate the US federal law that requires those in possession of top-secret information to keep it only in a secure government venue. Violating that law is a felony.

Cyber threats may well face an insurance vacuum, firms need to look after themselves

Anecdotal evidence suggests the global insurance industry is unwilling to play ball on writing cyber insurance policies. Companies face unprecedented cyber threats and are seeking ever larger cyber insurance cover; insurers, however, are either unwilling to write policies, or write limited policies at a fat price or with significant conditions attached. Firms are looking for US $1 billion covers, but the insurers are not biting.

It is not hard to understand the insurers' predicament. As it stands today, cyber insurers face information asymmetry: there is little or no actuarial insight available. No insurer has a clue what hidden vulnerabilities exist in a company's IT set-up (software, websites, network, data centres and processes). How can insurers know, when the companies themselves do not fully understand their own vulnerabilities?

The insurers' task is made even harder by the fact that attacks may not be aimed at a big firm directly. The recent attack on Apple's iOS App Store suggests hackers have found another route: infecting the machines of software developers who write legitimate programs and apps. Developers are a huge, globally dispersed (and therefore geopolitically exposed) and logical target, and this approach may be harder to defend against.

Further, insurers need to take into account that businesses now operate in Internet-linked ecosystems of multiple partners and suppliers of various sorts, in addition to outsourced software development. The smaller, less prepared and less well-equipped members of such ecosystems offer hackers an easier route into the systems of the big firms.

The situation becomes extremely complicated when one considers the size of the threat. One estimate puts the annual cost of cybercrime to the global economy at US $375 bn to US $575 bn. That is a lot of money, and insurers' reluctance to write policies against hugely expensive and unknown threats is unsurprising, to say the least. Attackers are remote, face no direct or immediate physical threat and are unafraid to take risks.

Testing for vulnerabilities is a deeply technical matter. When facing Advanced Persistent Threats (APTs) and 0 Day vulnerabilities, it must be borne in mind that businesses are up against attackers who typically belong to organised criminal groups, mafia groups, black hat hacker groups or state-backed groups.

An APT attack happens when committed adversaries persistently use advanced techniques to compromise a target. Extremely hazardous 0 Day exploits (vulnerabilities found by hackers and never reported to security vendors) are found in operating systems, application software, browsers, antivirus software, firewalls and internal applications. On average, twenty 0 Day vulnerabilities exist in any given server. 0 Days have the greatest success and damage rates and the least probability of detection by firewalls, IDS, AV and the like.

The problem is compounded by the lack of senior management involvement in vulnerability assessment and penetration testing exercises. This is not a matter that can be left to systems administrators or developers, who are better equipped to remediate security issues than to discover vulnerabilities.

Given the reluctance of insurers to play ball, companies may have little choice but to look after themselves. The buck needs to stop at the desk of senior management, and Boards need to ask difficult questions. Cyber threats are strategic in nature, and a strategic response is called for to defend against financial and non-financial damage.

Constant vigilance, vulnerability assessments and penetration testing are essential for defence. Companies also need to employ counter-cyber-espionage and counter-intelligence techniques to protect themselves against cyber attacks, as well as inject themselves with a healthy dose of paranoia.

Author: Prasanna J, Founder of Cyber Security and Privacy Foundation(CSPF)

Turn off macros in Microsoft Office applications to protect yourself from an active malware spam campaign

Email samples. 

Think before opening an attachment from an unsolicited email, especially if you are in Japan, as you might be the target of a malware-laden spam campaign. To protect yourself, turn off macros in Microsoft Office applications: this prevents macro-based threats from executing. In Office this is the Trust Center setting "Disable all macros without notification" (the VBAWarnings registry value set to 4), which an administrator can push to every machine through Group Policy rather than relying on each user to click the right button.

The problem came to light on October 8, when employees of various corporations in Japan started receiving suspicious-looking emails that turned out to carry malicious attachments.

Researchers from Symantec, who identified the malware, confirmed that the emails were part of a wave of malware-laden spam currently active in Japan.

Attached to the emails were Microsoft Word documents containing a malicious macro.

The researchers said the macro attempted to download the same executable file (65g3f4.exe) from multiple remote locations. The multiple download sources were probably a redundancy measure in case some of them were taken down.
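Before a user ever sees the "enable content" prompt, a mail gateway or a triage script can answer the only question that matters for this campaign: does the attachment carry a VBA project at all? The check below is an added example, not Symantec's code or tooling. It walks the directory of a legacy .doc (an OLE2 compound file) looking for the Macros/VBA storages, and looks for word/vbaProject.bin inside an OOXML .docm. The sample documents are constructed in memory for the demonstration; the OLE reader is deliberately minimal (it reads only the FAT sectors listed in the header, which covers ordinary Word files but not the DIFAT chains of very large ones).

```python
import io
import struct
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN = 0xFFFFFFFE
# Storage/stream names that exist only when a VBA project is embedded.
MACRO_MARKERS = {"macros", "vba", "_vba_project", "vbaproject.bin"}


def ole_entry_names(data):
    """List the directory entry names of an OLE2 (CFB) container.

    Minimal reader: header -> FAT sectors listed in the header DIFAT ->
    directory sector chain -> 128-byte entries -> UTF-16LE names.
    """
    if len(data) < 512 or data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2 compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    first_dir = struct.unpack_from("<I", data, 48)[0]
    fat = []
    for sect in struct.unpack_from("<109I", data, 76):        # DIFAT in header
        if sect >= 0xFFFFFFFA:                                # FREESECT / unused slot
            continue
        off = (sect + 1) * sector_size                        # sector 0 follows the header
        if off + sector_size > len(data):
            continue                                          # truncated file
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, off))
    names, sect, seen = [], first_dir, set()
    while sect < len(fat) and sect not in seen:               # stops at ENDOFCHAIN
        seen.add(sect)
        off = (sect + 1) * sector_size
        if off + sector_size > len(data):
            break
        for i in range(sector_size // 128):
            entry = data[off + i * 128: off + (i + 1) * 128]
            name_len = struct.unpack_from("<H", entry, 64)[0]  # bytes incl. NUL
            if 2 <= name_len <= 64:
                names.append(entry[:name_len - 2].decode("utf-16-le", "replace"))
        sect = fat[sect]
    return names


def has_vba_macros(data):
    """True if a Word file (legacy .doc or OOXML .docx/.docm) carries a VBA project."""
    if data[:8] == OLE_MAGIC:
        names = {n.lower() for n in ole_entry_names(data)}
        return bool(names & MACRO_MARKERS)
    if data[:2] == b"PK":                                     # OOXML is a zip container
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    return False


def make_cfb(entry_names):
    """Constructed test input: a minimal CFB with one FAT sector (0) and one
    directory sector (1) holding 'Root Entry' plus up to three named entries."""
    hdr = bytearray(512)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)   # version, byte order, shifts
    struct.pack_into("<III", hdr, 44, 1, 1, 0)                   # 1 FAT sector, dir at sector 1
    struct.pack_into("<I", hdr, 56, 4096)                        # mini-stream cutoff
    struct.pack_into("<IIII", hdr, 60, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 76, 0, *([0xFFFFFFFF] * 108)) # DIFAT: FAT lives in sector 0
    fat = struct.pack("<128I", 0xFFFFFFFD, ENDOFCHAIN, *([0xFFFFFFFF] * 126))
    dirsect = bytearray(512)
    for i, name in enumerate(["Root Entry"] + list(entry_names)[:3]):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        dirsect[i * 128: i * 128 + len(raw)] = raw
        struct.pack_into("<HB", dirsect, i * 128 + 64, len(raw), 5 if i == 0 else 1)
    return bytes(hdr) + fat + bytes(dirsect)


def make_ooxml(part_names):
    """Constructed test input: an OOXML-style zip containing the given parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in part_names:
            zf.writestr(n, b"<x/>")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "order.doc": make_cfb(["WordDocument", "Macros", "VBA"]),
        "clean.doc": make_cfb(["WordDocument", "1Table"]),
        "invoice.docm": make_ooxml(["[Content_Types].xml", "word/document.xml", "word/vbaProject.bin"]),
        "clean.docx": make_ooxml(["[Content_Types].xml", "word/document.xml"]),
    }
    for fname, blob in samples.items():
        print(fname, "-> VBA macros present" if has_vba_macros(blob) else "-> no macros")
```

The presence of a VBA project is not proof of malice, but for an unsolicited attachment it is the right trigger to quarantine the message; combined with the download domains and the file name reported by Symantec, it gives a gateway rule that fires before any user decision is needed.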

“We have observed download attempts from the following domains: Leelazarow[.]com, Rockron[.]com, www[.]profes-decin[.]kvalitne[.]cz,” they said in a blog post.

“There are two variations of the emails: one is an order confirmation from a Japanese equipment supplier and the other pretends to come from a local printing company,” the researchers added.

Symantec detects the malicious Word document as W97M.Downloader, a known vehicle for other threats such as Trojan.Cryptodefense and Trojan.Cridex.

In the process, a banking Trojan that Symantec detects as Infostealer.Shiz also gets downloaded. The researchers note that installing such a Trojan on corporate computers gives attackers a foothold on the network from which they can spread and find other items of value.

The malware also appears to be aimed specifically at Japan, as 98 percent of detections are located in the country.

“Our telemetry shows that this particular variant of Infostealer.Shiz is being distributed almost exclusively in Japan, as 98 percent of the detections are located in this region. There are currently no indications that specific industries or companies are targeted,” the researchers concluded.

Encryption policy outrage forces Indian Government to retreat

The ruling Bharatiya Janata Party (BJP) government withdrew the contentious draft encryption policy on Tuesday (September 22) after a massive public uproar over the proposed measures.

The government said it would put the draft back in the public domain after reworking some of the "expressions" that had given rise to "misgivings".

The draft policy, drawn up by an "expert group" under the Department of Electronics and Information Technology (DeitY), part of the union Ministry of Communications and Information Technology, sparked outrage on social media, as most messaging services use some form of encryption.

The policy was drafted under Section 84A of the Information Technology Act, 2000, with the stated aim of enhancing information security in India.

It was released on Monday (September 21) and proposed to make it mandatory for every citizen, business, telecom operator and Internet company to store all digital communications, including emails and chats, in plain text for 90 days and to produce them to law enforcement agencies on demand. Failure to do so would invite legal action under the laws of the country.

Later that day the department sought to address the concerns by releasing an addendum to the draft clarifying that web-based applications and social media sites such as WhatsApp, Facebook and Twitter were exempt. Payment gateways, e-commerce and password-based transactions were also excluded, on the grounds that transaction details passing through payment gateways could be vulnerable to hackers.

But the next morning the Union Minister for Communications and Information Technology, Ravi Shankar Prasad, directed that the draft be withdrawn.

At a news conference, Prasad stressed that ordinary users would not come under the ambit of the encryption policy the government is in the process of framing.

The minister also said that the government fully supported freedom on social media, but that the regulation of encryption technologies was the need of the hour.

With a regular stream of terrorist attacks and cyber attacks from across international borders, freedom has become all the more vital; though it is a basic right, citizens also need safety, security and the assurance that their lives will remain safe.

Most experts called the policy impractical: end users generally have no idea about encryption, which in most cases is done by the applications they use. Users cannot decrypt such traffic; only the application providers can.

Meanwhile, the Opposition parties also attacked the government on the issue, with the Congress saying that the Centre's intent stood "exposed", while the Communist Party of India (Marxist) (CPI(M)) tagged it the "Gujarat Snooping Model".

In 2010, the United Progressive Alliance (UPA) government said it would ban the BlackBerry Messenger (BBM) service in India unless the company gave security agencies access to its users' emails. The two eventually reached an arrangement that allowed the government to intercept messages sent on BlackBerry's platform.

WordPress Team releases version 4.3.1, fixes two vulnerabilities

The WordPress security team has released version 4.3.1, which is now available for download. The release fixes three issues: two cross-site scripting vulnerabilities and a potential privilege escalation. The vulnerabilities were reported by Check Point researchers Shahar Tal and Netanel Rubin.

The first vulnerability, CVE-2015-5714, is a cross-site scripting issue present in WordPress 4.3 and all earlier versions, which mishandled shortcode tags.

Most users are well acquainted with shortcodes, a valuable asset for WordPress developers. The Check Point researchers found a fault in the way shortcodes are handled: in general, "KSES filtering is performed prior to the insertion of data into the DB, and shortcode parsing is performed when printing it to responses."

The researchers then devised a method that entangled HTML with a shortcode's content, leaving an HTML anchor tag open and so enabling a persistent (stored) attack. This was possible because the HTML validation and the shortcode processing took place at different times.
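The ordering problem can be shown with a toy model, added here and taken neither from WordPress nor from the Check Point write-up: a whitelist HTML filter standing in for KSES runs once, at save time, and a hypothetical [link] shortcode is expanded later, at render time. The exact bypass Check Point used is not reproduced; the model only shows why filtering once, before a later step generates new markup, is not enough, and what the hardened pipeline looks like.

```python
import html
import re
from urllib.parse import urlsplit

TAG_RE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)([^>]*)>")
ATTR_RE = re.compile(r'([A-Za-z-]+)\s*=\s*"([^"]*)"')   # only double-quoted attributes survive
ALLOWED_TAGS = {"a": {"href"}, "b": set(), "i": set()}   # tag -> permitted attributes
SAFE_SCHEMES = {"http", "https", ""}                      # "" = relative URL


def kses(fragment):
    """Toy whitelist HTML filter standing in for wp_kses(): unknown tags and
    attributes are dropped, and href must carry a safe scheme."""
    def fix_tag(m):
        closing, name, attrs = m.group(1), m.group(2).lower(), m.group(3)
        if name not in ALLOWED_TAGS:
            return ""
        if closing:
            return "</%s>" % name
        kept = []
        for key, value in ATTR_RE.findall(attrs):
            key = key.lower()
            if key not in ALLOWED_TAGS[name]:
                continue                                   # e.g. onmouseover
            if key == "href" and urlsplit(value).scheme not in SAFE_SCHEMES:
                continue                                   # e.g. javascript:
            kept.append(' %s="%s"' % (key, html.escape(value, quote=True)))
        return "<%s%s>" % (name, "".join(kept))
    return TAG_RE.sub(fix_tag, fragment)


# Hypothetical shortcode: [link url="..."]text[/link] renders an anchor.
SHORTCODE_RE = re.compile(r'\[link url="([^"]*)"\](.*?)\[/link\]', re.S)


def expand_unsafe(content):
    """Render-time expansion that trusts the shortcode attribute verbatim (the bug pattern)."""
    return SHORTCODE_RE.sub(lambda m: '<a href="%s">%s</a>' % (m.group(1), m.group(2)), content)


def expand_safe(content):
    """Same shortcode, but the handler validates and escapes what it emits."""
    def render(m):
        url = m.group(1)
        if urlsplit(url).scheme not in SAFE_SCHEMES:
            url = ""                                       # what esc_url() does with javascript:
        return '<a href="%s">%s</a>' % (html.escape(url, quote=True), m.group(2))
    return SHORTCODE_RE.sub(render, content)


def vulnerable_pipeline(user_input):
    stored = kses(user_input)          # save time: the text holds no HTML tag, so nothing is removed
    return expand_unsafe(stored)       # render time: new markup is created after the filter ran


def hardened_pipeline(user_input):
    stored = kses(user_input)
    return kses(expand_safe(stored))   # filter again after the last markup-producing step


if __name__ == "__main__":
    payload = '[link url="javascript:alert(1)"]click[/link]'
    print("vulnerable:", vulnerable_pipeline(payload))
    print("hardened:  ", hardened_pipeline(payload))
```

Whatever produces markup last has to be treated as untrusted output: either the shortcode handler validates and escapes every attribute it emits (esc_url and esc_attr in WordPress terms), or the filter runs again on the final HTML, or both. Sanitising only the stored text gives no guarantee about what a later transformation builds from it.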

The second vulnerability, CVE-2015-5715, is a privilege escalation bug that lets users publish private posts and even make them sticky. It could have a greater impact on WordPress sites that use the CMS's built-in user management features to build a community around the site.

Besides the security fixes, the new version also fixes 26 bugs.

G Data releases new secure chat app for Android users

G Data, a Germany-based Internet security firm, has released its secure messaging application, SECURE CHAT, for Android users on the company's 30th anniversary.

Secure Chat uses the Axolotl protocol, a multiply-encrypted asynchronous chat protocol that is internationally regarded as practically impossible to break, and promises secure exchange of photos, videos and other media, protecting users' privacy from hackers and eavesdroppers. That guarantee covers message content in transit; it says nothing about a compromised handset, and the app ties identity to a phone number verified over SMS, which is the part an attacker would go after rather than the cryptography.

"In today's world, the privacy of the individual as well as businesses is in constant peril with the growing ability of hackers to tap into and steal data," said Andy Hayter, security evangelist at G DATA. "We created the SECURE CHAT app with the strongest encryption protocol possible, to offer users the ability to easily communicate with each other without having to worry about the security of their conversations and data."

When you install G Data Secure Chat, it asks you to verify your mobile number, which it uses to identify you if you install it on another device. It first sends an SMS to your number, but if that does not verify correctly — it didn't like my Google Voice number — you have the option to verify over a voice call.

Among the most prominent features of G Data Secure Chat are a timer that auto-deletes messages on both ends, sender and receiver; filters for incoming and outgoing messages and SMS; and the ability to hide SMS messages from specific contacts.

G DATA SECURE CHAT is now available for free in the Google Play store.

Security bug allows hackers to take control of the Curiosity rover's OS

A serious security flaw has been discovered in VxWorks, the real-time operating system made since 1987 by Wind River of Alameda, California. The OS is used in everything from network routers to critical systems such as NASA's Curiosity rover on Mars and the Boeing 787 Dreamliner.

Canadian researcher Yannick Formaggio presented the flaw in detail at 44Con, an information security conference in London. "VxWorks is the world's most widely used real-time operating system deployed in embedded systems. Its market reach spans across all safety critical fields, including the Mars Curiosity rover, Boeing 787 Dreamliner, network routers to name a few," he said, adding: "In this age of IoT, the issue will have a widespread impact."

Formaggio discovered the flaw after a client of his employer, Istuary, asked for research into the security of the critical infrastructure industry.

The flaw allowed Formaggio "to target a specific part of the operating system and write to memory on the machine running VxWorks. From there, it was possible to set up a backdoor account and control functions of the operating system."

Another major finding of his research was that the "FTP server is susceptible to ring buffer overflow when accessed at a high speed" and crashes when sent a "specially crafted username and password". On an embedded target a crash of a network-facing service is a finding in its own right, since there is typically no process isolation and the whole device goes down with it.

The current version of VxWorks is 7; the affected version reported is VxWorks 653, which may mean many millions of devices need patching. Wind River has acknowledged the flaw and is in the process of providing patches.

Global XMPP Android ransomware campaign hits tens of thousands of devices

Check Point's malware research team has detected a new variant of mobile ransomware that encrypts the contents of Android smartphones and puts a new spin both on how it communicates with its masters and on how it spurs victims into action.

"We estimate that tens of thousands of devices have been infected. We have evidence that users have already paid hundreds of thousands of dollars to get their files unencrypted, and the actual infection rate may be much higher," the research team wrote in its blog.

The updated version of Simplocker masquerades on app stores and download pages as a legitimate application, and uses an open instant messaging protocol to reach its command and control servers.

Once installed, it shows the phone's owner a message holding their data hostage. The message, styled to look official, is not a new ruse either: the "NSA" accuses the phone's owner of wrongdoing such as browsing pornographic sites or violating copyright law by holding protected content such as video or music, and demands a "fine" to restore access to the device.

“The victim seems to have no alternative. The app can’t be removed by a regular user. Even if he were somehow able to remove it, his files would still remain encrypted. The ransom payment, however, will probably not reach the NSA but rather make its way to the hands of a cyber-criminal,” the team added.

According to the team, posing as a legal or governmental authority to intimidate the victim into paying is not new, but the use of the Extensible Messaging and Presence Protocol (XMPP), the instant messaging protocol used by Jabber and formerly by Google Talk, is a shift in tactics aimed at evading detection by anti-malware tools.

XMPP makes it harder for security and anti-malware tools to catch the ransomware before it reaches its command and control network, because the traffic is hidden inside what looks like ordinary instant-messaging communication.

Most previous ransomware families have talked to a website over HTTPS to obtain encryption keys; those sites can generally be identified by URL, IP address or the signature of their web requests, and then blocked.

An application making an HTTPS request to a suspicious destination is a good sign that something is wrong. The XMPP channel used by the new Simplocker variant, however, uses an external Android library to talk to the command and control network through a legitimate messaging relay server, and the messages can be encrypted with Transport Layer Security (TLS). The operators of the scheme collected the messages from the command and control network via Tor.
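A defender who cannot see inside the TLS session can still ask which app owns the socket, which is the signal the relay-server trick does not hide. The script below is an added example, not Check Point's code: it parses the /proc/net/tcp table (readable from an adb shell on the Android versions this campaign targeted; later releases restrict access to it) and flags established connections to the XMPP ports from a UID that is not a known XMPP client. The UID-to-package map, the allowlist and the table rows are constructed for the example. The limitation the article itself points out applies: an XMPP relay reached on 443 looks like any other TLS session, so the port heuristic is a starting point, not a rule.

```python
import socket
import struct

XMPP_PORTS = {5222, 5223, 5269}            # xmpp-client, legacy xmpps, xmpp-server
TCP_ESTABLISHED = 0x01
# Hypothetical allowlist of packages expected to speak XMPP on this device.
KNOWN_XMPP_APPS = {"org.example.jabberclient"}
# Constructed uid -> package map (on a real device: /data/system/packages.list).
UID_TO_PACKAGE = {10042: "org.example.jabberclient", 10117: "com.example.videoplayer"}


def decode_endpoint(field):
    """'0A7100CB:1466' -> ('203.0.113.10', 5222): the IPv4 address is little-endian
    hex in /proc/net/tcp, the port is big-endian hex."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the IPv4 socket table in /proc/net/tcp (first line is the header)."""
    rows = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 8:
            continue
        rows.append({
            "local": decode_endpoint(cols[1]),
            "remote": decode_endpoint(cols[2]),
            "state": int(cols[3], 16),
            "uid": int(cols[7]),                 # owning app UID: the signal TLS cannot hide
        })
    return rows


def suspicious_xmpp_sockets(rows):
    """Established sockets to an XMPP port owned by a UID that is not a known XMPP client."""
    findings = []
    for r in rows:
        if r["state"] != TCP_ESTABLISHED or r["remote"][1] not in XMPP_PORTS:
            continue
        pkg = UID_TO_PACKAGE.get(r["uid"], "unknown")
        if pkg not in KNOWN_XMPP_APPS:
            findings.append((r["uid"], pkg, "%s:%d" % r["remote"]))
    return findings


# Constructed sample in /proc/net/tcp layout: two sockets to 203.0.113.x:5222
# (one from the Jabber client, one from a "video player") and one to 198.51.100.5:443.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0F02000A:C7E2 0A7100CB:1466 01 00000000:00000000 00:00000000 00000000 10117        0 54321 1 0000000000000000 20 4 30 10 -1
   1: 0F02000A:D3A1 147100CB:1466 01 00000000:00000000 00:00000000 00000000 10042        0 54322 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:B5C4 056433C6:01BB 01 00000000:00000000 00:00000000 00000000 10117        0 54323 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    for uid, pkg, dst in suspicious_xmpp_sockets(parse_proc_net_tcp(SAMPLE)):
        print("uid %d (%s) holds an XMPP session to %s" % (uid, pkg, dst))
```

Run against a live device the same way (adb shell cat /proc/net/tcp, and /proc/net/tcp6 for IPv6, whose address field is 32 hex digits rather than 8). The point is that the owning UID, not the destination, is what separates a chat client from a "video player" that happens to keep a Jabber session open.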

The XMPP channel also lets the operators issue a number of other commands remotely, including sending SMS messages and placing phone calls, as well as reconfiguring the malware's communications (and the Bitcoin address to which victims' payments are sent).

The team observed that roughly 10% of users paid between $200 and $500 in ransom to decrypt their files, meaning that for every 10,000 infections the malware authors raked in $200,000 to $500,000. They say the actual infection rate is probably much higher.

Security vulnerabilities fixed in latest Drupal versions

After addressing several vulnerabilities, Drupal has asked users to upgrade their existing Drupal 7 and Drupal 6 sites.

An XSS vulnerability in the autocomplete functionality of forms, caused by the requested URL not being sanitized properly, affected both Drupal 6 and 7. A separate cross-site request forgery flaw in the Form API could allow an attacker to upload files to a vulnerable site under another user's account.

“For security reasons, the autocomplete system now makes Ajax requests to non-clean URLs only, although protection is also in place for custom code that does so using clean URLs,” Drupal explained.

Drupal, which is used by more than 1.1 million websites, published a security advisory on August 19 confirming that the vulnerabilities are patched in versions 7.39 and 6.37.

The advisory also revealed that Drupal 7 was affected by a cross-site scripting (XSS) vulnerability that could be triggered by invoking Drupal.ajax() on a whitelisted HTML element.

Drupal's developers further warn that version 7 of the CMS is affected by a SQL injection vulnerability that allows an attacker with elevated privileges to inject malicious code in SQL comments. The flaw, in the SQL comment filtering system, can only be exploited through one contributed module.

“When form API token validation fails (for example, when a cross-site request forgery attempt is detected, or a user tries to submit a form after having logged out and back in again in the meantime), the form API now skips calling form element value callbacks, except for a select list of callbacks provided by Drupal core that are known to be safe. In rare cases, this could lead to data loss when a user submits a form and receives a token validation error, but the overall effect is expected to be minor,” Drupal said in the advisory.

The last vulnerability patched in Drupal 6 and 7 is an information disclosure issue related to menu links.

“Users without the ‘access content’ permission can see the titles of nodes that they do not have access to, if the nodes are added to a menu on the site that the users have access to,” reads Drupal’s advisory.

The vulnerabilities affect Drupal core 6.x versions prior to 6.37 and Drupal core 7.x versions prior to 7.39. CVE identifiers have yet to be assigned to them.

Fourth Android vulnerability detected; is it safe to use?

One Android vulnerability after another has raised questions about the platform's safety, and Android users are now asking whether it is safe to use at all.

Researchers from security firm Trend Micro have uncovered yet another Android mediaserver vulnerability, affecting versions 2.3 to 5.1.1, which they say could allow attackers to run their code with the same permissions that the mediaserver program already has as part of its normal routines.
Google has since patched the vulnerability via the Android Open Source Project (AOSP).

According to the researchers, the vulnerability lies in AudioEffect, a component of the mediaserver program, which uses an unchecked variable supplied by the client, usually an app. To exploit it, an attacker must convince the victim to install an app that requests no permissions at all, giving the victim a false sense of security.

“Since the mediaserver component deals with a lot of media-related tasks including taking pictures, reading MP4 files, and recording videos, the privacy of the victim may be at risk. Devices with customized versions of Android but with no modification made to the mediaserver component are also affected,” they said.

The researchers suggest that, to block the threat, Android users can install Trend Micro Mobile Security (TMMS), which can detect threats that try to use this vulnerability and run any of the scenarios presented. Users can also reboot their device into safe mode to uninstall the malicious app.

“We also recommend that device manufacturers patch their devices regularly to prevent their users from suffering from attacks that use this vulnerability,” they explained.

The new flaw is said to be quite similar to three other major vulnerabilities recently found in Android's mediaserver component: CVE-2015-3823 could allow attackers to trap phones in endless reboots, ANDROID-21296336 may render devices silent, and CVE-2015-3824, dubbed Stagefright, can be used to install malware through a multimedia message.

Facebook rewards Researchers for Vulnerability Discovery Tool

Facebook has awarded a prize of $100,000 to a team of security researchers in Georgia for finding a new class of vulnerabilities in browser-based C++ programs.

The award, the “Internet Defense Prize”, was given at the 24th USENIX Security Symposium in Washington D.C. for projects that advance internet safety. The $100,000 payout was double what was awarded last year to German researchers Johannes Dahse and Thorsten Holz, who won the prize for their paper “Static Detection of Second-Order Vulnerabilities in Web Applications.”

This year’s prize winners, PhD students Byoungyoung Lee and Chengyu Song along with Professors Taesoo Kim and Wenke Lee, revealed a new class of C++ vulnerabilities and introduced CAVER, a runtime bad-casting detection tool.

CAVER performs instrumentation at compile time and uses a new runtime type tracing mechanism, the type hierarchy table, to overcome the limitations of existing approaches and verify type casts dynamically at low cost. The researchers applied CAVER to the code of the Chromium and Firefox browsers and discovered 11 previously unknown security vulnerabilities: nine in GNU libstdc++ and two in Firefox.

Facebook Security Engineering Manager Ioannis Papagiannis explains, “C++ supports two major different types of casting operators to convert one type of data into another: static and dynamic casts. Dynamic casts are checked at runtime for correctness, but they also incur a performance overhead.
People typically prefer to use static casts because they avoid that overhead, but if you cast to the wrong type using a static cast, the program may end up creating a pointer that can point past the memory allocated to a particular object. That pointer can then be used to corrupt the memory of the process.”

Papagiannis said that CAVER makes it possible to have the best of both worlds: using static type casting for performance while still identifying type-casting vulnerabilities so that they can be addressed.
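The bad-casting problem Papagiannis describes, and the idea of verifying a cast against a runtime type table instead of trusting the programmer, can be seen in a few dozen lines. The following is an added example written for this article; it is not CAVER's code and only a simplification of the general idea (objects carry a type tag, a parent table records the hierarchy, and a downcast is allowed only if the object's real type is the target or one of its descendants). The class hierarchy, the `TypeId` tags, `kParent`, `kSize` and the `checked_cast` and `cast_overreach` helpers are all constructed for the illustration. The code never dereferences a bad pointer; `cast_overreach` only computes how many bytes past the real object a wrongly typed pointer would reach, which is exactly the memory a static_cast to the wrong type hands to the program.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed example: every object carries a type tag set by its most-derived
// constructor, and a parent table describes the hierarchy. This is a simplified
// illustration of runtime cast checking, not CAVER's design.
enum TypeId : uint8_t { kBase = 0, kDerived = 1, kMoreDerived = 2, kUnrelated = 3 };
constexpr int kNoParent = -1;
constexpr int kParent[] = { kNoParent, kBase, kDerived, kBase };   // parent of each TypeId

struct Base {
    explicit Base(TypeId t = kBase) : type(t) {}
    TypeId type;        // runtime type tag
    uint32_t id = 1;
};
struct Derived : Base {
    explicit Derived(TypeId t = kDerived) : Base(t) {}
    uint8_t extra[64] = {};   // storage that only a real Derived has
};
struct MoreDerived : Derived {
    MoreDerived() : Derived(kMoreDerived) {}
    uint32_t more = 0;
};
struct Unrelated : Base {    // sibling of Derived, not a Derived
    Unrelated() : Base(kUnrelated) {}
};

// Real allocation size of each runtime type, indexed by TypeId.
constexpr size_t kSize[] = { sizeof(Base), sizeof(Derived), sizeof(MoreDerived), sizeof(Unrelated) };

// Compile-time mapping from a C++ type to its tag.
template <typename T> struct TypeOf;
template <> struct TypeOf<Base>        { static constexpr TypeId id = kBase; };
template <> struct TypeOf<Derived>     { static constexpr TypeId id = kDerived; };
template <> struct TypeOf<MoreDerived> { static constexpr TypeId id = kMoreDerived; };
template <> struct TypeOf<Unrelated>   { static constexpr TypeId id = kUnrelated; };

// True when `actual` is `wanted` itself or one of its descendants: walk up the
// parent chain until the root is passed.
bool is_a(TypeId actual, TypeId wanted) {
    for (int t = actual; t != kNoParent; t = kParent[t]) {
        if (t == wanted) return true;
    }
    return false;
}

// Checked downcast: costs a short table walk rather than a full dynamic_cast,
// and returns nullptr instead of a pointer to memory the object never had.
template <typename To>
To* checked_cast(Base* obj) {
    if (!is_a(obj->type, TypeOf<To>::id)) return nullptr;
    return static_cast<To*>(obj);   // now known to be safe
}

// Bytes a wrongly typed To* would reach past the end of obj's real storage.
// A plain static_cast would silently produce such a pointer.
template <typename To>
size_t cast_overreach(const Base* obj) {
    size_t real = kSize[obj->type];
    return sizeof(To) > real ? sizeof(To) - real : 0;
}

// Small scenarios wrapped in functions so they can be checked individually.
bool downcast_of_plain_base_is_rejected()  { Base b;        return checked_cast<Derived>(&b) == nullptr; }
bool downcast_of_more_derived_is_accepted() { MoreDerived m; return checked_cast<Derived>(&m) == &m; }
bool sibling_cast_is_rejected()             { Unrelated u;   return checked_cast<Derived>(&u) == nullptr; }
size_t overreach_of_base_as_derived()       { Base b;        return cast_overreach<Derived>(&b); }

int main() {
    std::printf("plain Base cast to Derived rejected:   %d\n", downcast_of_plain_base_is_rejected());
    std::printf("MoreDerived cast to Derived accepted:  %d\n", downcast_of_more_derived_is_accepted());
    std::printf("Unrelated cast to Derived rejected:    %d\n", sibling_cast_is_rejected());
    std::printf("bytes a bad static_cast would reach past the object: %zu\n", overreach_of_base_as_derived());
    return 0;
}
```

The point of the table walk is the trade-off the article describes: the check is cheap enough to leave on in production, yet it catches the case where code holding a `Base*` to a plain `Base` (or to the sibling `Unrelated`) casts it to `Derived*` and then reads or writes `extra`, which lies entirely outside the real allocation.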

He added, “We all benefit from this kind of work. A large part of why Facebook has been successful in serving nearly 1.5 billion people is because we have been quick to introduce and adopt categories of systems and frameworks that prevent whole classes of vulnerabilities at once. As an industry, we need to invest in those kinds of solutions that scale.”

34-year-old woman receives vulgar images on phone via Apple's AirDrop sharing function

It was a normal day. As always, Lorraine Crighton-Smith took a train to work. But something unusual happened that left her feeling shocked and violated.

The 34-year-old was holding her phone on the train, about to send a message, when two messages arrived back to back via Apple's AirDrop sharing function. They contained pictures of an unknown man's penis.

Crighton-Smith told the BBC, "I had Airdrop switched on because I had been using it previously to send photos to another iPhone user, and a picture appeared on the screen of a man's penis, which I was quite shocked by.”

Soon after that, she reported it to the British Transport Police (BTP).

According to the BBC report, the police are now investigating a "new" crime of cyber-flashing following the incident.

Because Crighton-Smith declined the message, the BTP said there was no technological evidence to work with and recorded the incident as intelligence.

"I declined the image, instinctively, and another image appeared, at which [point] I realised someone nearby must be sending them, and that concerned me. I felt violated, it was a very unpleasant thing to have forced upon my screen. I was also worried about who else might have been a recipient, it might have been a child, someone more vulnerable than me,” she told the BBC.

According to the report, Supt Gill Murray said this particular crime was new to her force and urged people to report any other incidents.

Murray said the force had dealt with cases involving Bluetooth, but an incident via AirDrop was "new to us".

"We have a dedicated Cyber Crime Unit who can analyze mobile phones and track data transfers back to suspects' devices. By linking this to physical evidence, such as CCTV footage or witness statements, we can catch offenders and bring them to justice through the courts,” Murray added.

Air-gapped PCs not safe anymore

Researchers have shown that even air-gapped computers are not safe anymore, as they can be attacked using devices as simple as a cell phone.

The researchers, who are based in Israel, achieved this extraordinary feat using only the GSM network, electromagnetic waves and a simple mobile phone.

The researchers wrote in a paper, “Unlike some other recent work in this field, [this attack] exploits components that are virtually guaranteed to be present on any desktop/server computer and cellular phone."

They have called on companies that work with sensitive information to improve their security standards so that they don't fall prey to such attacks.

Creepy Voice that you heard from Your Baby Monitor is not of a Ghost

Beware of Internet-connected cameras, security cameras and monitoring systems, as they can be easily hacked. Camera hacking has become a serious issue because of the potential for unauthorized people to make video recordings.

Ontario Provincial Police (OPP) issued a warning on Wednesday reminding people that these systems can be susceptible to hackers because many have remote access enabled by default. The warning followed a July 7 incident in which a family from southwestern Ontario saw the baby monitor watching their young child suddenly begin playing music, while a voice said they were being watched.

According to OPP Const. Liz Melvin, the child was about to go to sleep in the nursery when the camera was remotely activated.

“The camera played some eerie music and a voice could be heard indicating the parent and child were being watched,” Melvin told National Post. “Obviously it’s going to be disturbing.”

She said the family’s Internet service provider confirmed the router had been hacked and the source of the hack could be from anywhere in the world.

Although such baby monitor hacking cases are reported every month, Melvin said her force had received no other reports and she wasn’t aware of any past investigations into this type of camera hacking in the area.

She said there are no suspects in the case and the investigation is ongoing.

To protect themselves, people should password-protect both their Internet connection and access to their monitoring systems, buy cameras from trusted sources, and cover the cameras when not in use.

Google protests against US government's new legislation "Wassenaar Arrangement"

Google has protested against proposed changes to the US implementation of the “Wassenaar Arrangement” that would let the US government control the export of security research and technologies.

Neil Martin of Google’s legal team and Tim Willis, Hacker Philanthropist on the Chrome Security Team, opposed the proposed rules in a blog post, saying they “will hurt general web users”.

The post emphasized how the proposed changes would directly affect security research: “The time and effort it takes to uncover bugs is significant, and the marketplace for these vulnerabilities is competitive. That’s why we provide cash rewards for quality security research that identifies problems in our own products or proactive improvements to open-source products. We’ve paid more than $4 million to researchers from all around the world - our current Hall of Fame includes researchers from Germany, the U.S., Japan, Brazil, and more than 30 other countries.”

According to the post, the proposed changes would apply Wassenaar Arrangement controls to software and tools, hampering companies that hire hackers to find vulnerabilities in their networks and products.

If the proposed changes are approved, companies operating in the US would need a license to export their security technologies, or information on newly discovered vulnerabilities, anywhere other than Canada.

Google submitted their comments on the proposed rules to the United States Commerce Department’s Bureau of Industry and Security (BIS).

GarrettCom launches new versions to tackle Magnum vulnerabilities

US-based company GarrettCom has released new firmware versions to mitigate vulnerabilities in its Magnum 6K and Magnum 10K product lines. Authentication, denial-of-service and cross-site scripting vulnerabilities were found in the firmware; all versions prior to 4.5.6 of both product lines are affected.

The vulnerabilities can be exploited remotely to execute arbitrary code on the target device.

The impact on an individual organization depends on its operational environment, architecture and product implementation.

Researchers have found multiple XSS (cross-site scripting) vulnerabilities in the web server present on the device, which can be exploited by an unauthenticated attacker.

CVE-2015-3960 has been assigned to the vulnerabilities related to hard-coded credentials. The firmware contains hard-coded RSA private keys and certificate files, which the device's server uses for SSH and HTTPS connections. There is also a hard-coded password for a high-privileged user account reachable over the serial console.
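Hard-coded private keys of the kind CVE-2015-3960 covers are the same on every device that ships the firmware, so anyone who extracts one image can impersonate or decrypt traffic to all of them. A basic check a vendor or operator can run against an unpacked image is to look for PEM private-key markers in the raw bytes. The following is an added example written for this article, not GarrettCom's or ICS-CERT's code; the firmware sample it scans is constructed inline (a few bytes of padding, a certificate, which is public and expected, and one embedded RSA key) and is not taken from any real Magnum image.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// PEM markers that indicate private-key material. Certificates and public keys
// use different BEGIN lines and are deliberately not on this list.
static const char* const kPrivateKeyMarkers[] = {
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
    "-----BEGIN DSA PRIVATE KEY-----",
    "-----BEGIN PRIVATE KEY-----",
    "-----BEGIN OPENSSH PRIVATE KEY-----",
};

struct KeyHit {
    std::string marker;   // which BEGIN line matched
    size_t offset;        // byte offset into the image
};

// Scan an arbitrary byte blob (firmware image, extracted filesystem) for
// embedded private-key markers. std::string is used as a byte container so
// NUL bytes and high-bit bytes in the image are handled correctly.
std::vector<KeyHit> find_embedded_private_keys(const std::string& blob) {
    std::vector<KeyHit> hits;
    for (const char* marker : kPrivateKeyMarkers) {
        const std::string m(marker);
        for (size_t pos = blob.find(m); pos != std::string::npos;
             pos = blob.find(m, pos + m.size())) {
            hits.push_back({m, pos});
        }
    }
    return hits;
}

// Convenience predicate for a release gate: true means the image must not ship.
bool image_ships_private_key(const std::string& blob) {
    return !find_embedded_private_keys(blob).empty();
}

// Constructed sample image (not a real firmware file): binary padding, a
// certificate (public, must not be flagged) and one embedded RSA private key.
std::string constructed_firmware_sample() {
    std::string blob(256, '\0');
    blob += "DEMO-FW v0.0 (constructed sample, not a real image)\n";
    blob += "-----BEGIN CERTIFICATE-----\nMIIBdemo...\n-----END CERTIFICATE-----\n";
    blob += std::string(128, '\xff');
    blob += "-----BEGIN RSA PRIVATE KEY-----\nMIIEdemo...\n-----END RSA PRIVATE KEY-----\n";
    return blob;
}

int main() {
    const std::string image = constructed_firmware_sample();
    for (const KeyHit& h : find_embedded_private_keys(image)) {
        std::printf("private key marker %s at offset %zu\n", h.marker.c_str(), h.offset);
    }
    std::printf("image ships a private key: %s\n", image_ships_private_key(image) ? "yes" : "no");
    return 0;
}
```

The scan is deliberately byte-oriented rather than text-oriented: firmware images contain long runs of NUL and 0xFF bytes, and a line-based `grep` that stops at the first NUL can miss a key stored after a padding region. A hit in a release candidate should block the build until the key is generated per device at first boot instead of baked into the image.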

Memory can be corrupted by issuing a certain form of URL against the device’s web server.

These vulnerabilities can be remotely exploited and no known public exploits specifically target them.

According to ICS-CERT, the latest versions of the GarrettCom Magnum 6K and Magnum 10K software fix these vulnerabilities. Version 4.5.5 was released in December 2014, and version 4.5.6 was released in January 2015. Users may download the latest software version and release notes from the following web site:

ICS-CERT recommends that users perform access control checks to limit each user's reach into the affected features, use an application firewall to detect XSS attacks, minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.

Airtel injecting scripts into browsers? Will it affect your privacy and security?

After receiving heavy criticism for its Airtel Zero plan, Bharti Airtel, an Indian multinational telecommunications company, is now being accused of secretly injecting JavaScript and iframes into users' web browsers in order to alter the browsing experience.

Thejesh GN, an info-activist and programmer, published his findings on GitHub, according to which Airtel is inserting JavaScript into users' browsing sessions.

He said that the iframe tries to insert a toolbar into the browsing experience, and that the parent URL of both the iframe and the JavaScript belongs to Bharti Airtel Bangalore.

He shared the injected script on GitHub. The script tries to inject an iframe pointing to the URL "hxxp://".

However, Airtel has released a statement clarifying that it is building a tool to let broadband users see how much data they have used.

The company said it developed the new tool because non-mobile customers wanted an easy way to track their data usage while surfing the web.

“Our customers have frequently asked us for ways of easily keeping a track of their data consumption specifically dongle and broadband users, who unlike mobile users, cannot receive real-time alerts on their usage,” Airtel said in a statement to NextBigWhat.

Such programs are widely considered highly unethical for an ISP to run, but no solution has yet emerged.

In a Reddit post, one user accused Vodafone of doing the same.

Just a month ago, another user posted about the same issue on Reddit.