Dell says "sorry" for installing vulnerable digital certificate

Dell has apologized, confirming via a blog post that a certificate (eDellRoot) installed on its PCs introduced a security vulnerability.

The certificate reportedly allows attackers to cryptographically impersonate HTTPS-protected websites. The company has since issued a software tool that removes the transport layer security credential from affected machines.

The certificate will not reinstall itself once it has been properly removed using the recommended Dell process.

“The certificate was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system. Customer security and privacy is a top concern and priority for Dell; we deeply regret that this has happened and are taking steps to address it,” the company said in the blog post.

According to the blog post, Dell customers Hanno Böck, Joe Nord and Kevin Hicks (aka rotorcowboy) informed the company about the presence of the certificate on its PCs.

Dell has claimed that the certificate was not malware but was there to provide the system service tag to Dell online support, allowing the company to quickly identify the computer model and service its customers more easily and quickly.

“We have posted instructions to permanently remove the certificate from your system here. We will also push a software update starting on November 24 that will check for the certificate, and if detected remove it. Commercial customers who reimaged their systems without Dell Foundation Services are not affected by this issue. Additionally, the certificate will be removed from all Dell systems moving forward,” the company added.
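As an added defender's check (this is not Dell's removal tool or code from the blog post), the following PowerShell snippet audits the Windows trusted-root stores for a certificate whose subject names eDellRoot and reports whether its private key is present on the machine, which is the condition that lets a root CA be used to impersonate HTTPS sites. The store paths and the subject match are the only assumptions.

```powershell
# Added example: audit Windows trusted-root stores for the eDellRoot certificate.
# It only reports findings; it does not delete anything.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like '*eDellRoot*' } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # A root CA whose private key is on the machine can sign a
                # certificate for any site, and the system will trust it.
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

if (-not $findings) {
    Write-Output 'eDellRoot not found in the root stores.'
} else {
    $findings | Format-Table -AutoSize
    # Removal should follow Dell's published instructions so the certificate
    # is not reinstalled. Manual removal after confirming the thumbprint:
    #   Get-Item "Cert:\LocalMachine\Root\<thumbprint>" | Remove-Item
}
```

Run it in an elevated PowerShell session so that the LocalMachine store is readable; a finding with HasPrivateKey set to True is the case the story describes.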

A security bug in MetroPCS could allow hackers to access customer data

A critical security bug in MetroPCS could allow anyone who knew your phone number to access your personal details from the website, including your home address and your phone’s model and serial number.

A report by Motherboard revealed that a pair of researchers had discovered a bug that left customers’ personal data exposed to cybercriminals.

With the personal details in hand, cybercriminals could easily move on to identity theft and accessing bank accounts.

Eric Taylor and Blake Welsh found the flaw on MetroPCS's payment page in mid-October. Motherboard independently verified the flaw and reached out to T-Mobile, which owns MetroPCS, on October 22.

Well-known researchers have described it as a pretty nasty bug and a serious privacy exposure. MetroPCS was unaware of the problem until Motherboard contacted it ahead of the published report. A spokesperson for T-Mobile told Motherboard that the flaw has been fixed and the data is no longer exposed.

What raised eyebrows most was that an attacker would not even need a specific person’s phone number: an automated script could obtain the personal data of many MetroPCS customers.

Hackers won $1 million iPhone Jailbreak prize

Zerodium, which had announced that it would pay $1 million USD to anyone who could provide a working iOS 9 jailbreak, has confirmed on Twitter that a team of hackers has won the $1 million by finding a remote jailbreak of an iPhone.

“Our iOS #0day bounty has expired & we have one winning team who made a remote browser-based iOS 9.1/9.2b #jailbreak (untethered). Congrats!,” Zerodium tweeted on November 2.

Last month, the company launched "The Million Dollar iOS 9 Bug Bounty" program, which aimed to buy an "exclusive, browser-based, and untethered jailbreak" for Apple's latest mobile operating system.

However, the company has not revealed the winners’ names or any further details.

A report published in Forbes said that the winners must have spent a significant amount of time meeting the tough requirements of the $1 million bounty: a remote attack that successfully takes control of an iPhone via Apple’s Safari browser, Google’s competing Chrome browser or a text message. The bounty also required that the exploits work on the iPhone 6 or 6S, not any earlier models.

According to the report, Forbes had contacted Zerodium’s founder, Chaouki Bekrar, but he had not commented on it.

“The winning team has submitted the exploits just a few hours before the expiration of the Zerodium bounty as they have been working very hard to finish and polish the code until the last day. The exploit chain includes a number of vulnerabilities affecting both Google Chrome browser and iOS, and bypassing almost all mitigations in place. The exploit is still being extensively tested by Zerodium to understand each of the underlying vulnerabilities,” the founder added.

ATMs of Sparkasse Bank not only give you money but also sensitive information

Security researcher Benjamin Kunz-Mejri discovered that ATMs of the German savings bank Sparkasse can leak sensitive information during software updates.

Mejri, CEO and founder of the Germany-based security firm Vulnerability Lab, was using a Sparkasse ATM when the machine suddenly ejected his card and changed its status to “temporarily not available.” The machine then showed details of an update process on the screen, which is when Mejri realised that the terminal had become temporarily unavailable because it was performing a software update.

For this attack, Mejri coined the term “timing attack”.

Software updates are normally conducted in the background, but Mejri discovered that the progress and details of the update process can be made visible by interacting with the device as he did.

The researcher found that a lot of sensitive data was exposed, including usernames for the bank’s main system branch, serial numbers, firewall settings, network information, device IDs, ATM settings, and two system passwords.

During the whole process, the card reader remained available and usable for other operations.

The ATM’s keyboard was also not disabled and the attacker could execute system commands via the available command prompt.

The ATMs analysed were manufactured by Wincor Nixdorf, a German company that manufactures, sells, installs and services retail and banking hardware and software. The affected ATMs and self-service terminals were running the Windows 7 and Windows XP operating systems.

According to the experts, a criminal ring could coordinate a large-scale attack using this vulnerability.

An attacker with physical access to the bank network could use the information disclosed during the update process to run a man-in-the-middle (MitM) attack on the targeted bank’s local network.

The attacker could push a bogus update to reconfigure the ATMs.

The attacker could conduct fraudulent transactions by forcing the ATM to crash and corrupting the logging or debugging mechanism.

If fraudsters can determine the time and date of update schedules, they can conduct a larger, coordinated attack targeting multiple ATMs and self-service terminals, since it takes 17 minutes to record all the information displayed on the screen.

Apart from Sparkasse, other banks that use Wincor Nixdorf ATMs and self-service terminals might also be affected.

The bank has already pushed out updates that fix the issue to a limited number of ATMs in the German city of Kassel as a pilot project. The update will be installed in other regions once the test of the new configuration is successful.

It is the first time that a German bank has admitted a security vulnerability in an ATM and rewarded the researcher, with an undisclosed amount of money.

Just last week, Berlin police announced that they were looking for a man who illegally withdrew cash from two ATMs using a USB stick that he connected to the devices after unscrewing their front panel.

Duuzer attacks South Korea and helps steal data

Security firm Symantec has found that South Korea is being targeted by an active back door Trojan, dubbed Backdoor.Duuzer, that gives an attacker remote access to the compromised computer, downloads additional files, and steals data.

Researchers from Symantec stated on the company’s blog that Duuzer is especially focused on the South Korean manufacturing industry.

It is designed to work on both 32-bit and 64-bit computers. If Duuzer finds that the infected computer is a virtual machine made with VirtualBox or VMware, it stops executing. This lets Duuzer evade detection by security researchers who run virtual machines that are designed to be compromised with malware for analysis.

Once Duuzer infects a computer, it opens a back door, giving the attackers access to almost everything. The attackers can gather system and drive information; create, enumerate, and end processes; access, modify, and delete files; upload and download files; change the time attributes of files; and execute commands.

“Based on our analysis of Duuzer, the attackers behind the threat appear to be experienced and have knowledge about security researchers’ analysis techniques. Their motivation seems to be obtaining valuable information from their targets’ computers,” the researchers wrote in the blog. “There is also evidence to suggest that the actors behind Duuzer are spreading two other threats, detected as W32.Brambul and Backdoor.Joanap, to target more organizations in South Korea.”

The researchers said that Brambul and Joanap are used to download extra payloads and carry out reconnaissance on infected computers. Although the exact distribution method is still unknown, the malware is likely spreading through spear-phishing emails or watering-hole attacks.

According to the researchers, Duuzer, Brambul, and Joanap are just a small selection of many threats affecting South Korea. The nation has been impacted in high-profile, targeted campaigns over the last few years.

To protect against these threats, Symantec recommends that users and businesses change default user names and passwords, avoid common or easy-to-guess passwords, regularly update the operating system and software, and not open suspicious emails.

YISPECTER: Jailbreak, No Longer a Pre-Requisite for malware attacks

YISPECTER, a new iOS malware capable of attacking both jailbroken and non-jailbroken Apple devices, has been detected; it abuses private APIs to implement its malicious functionality.

This malware has been identified in Mainland China and Taiwan, where it is hijacking traffic from the countries’ ISPs. This has led to a surge of reports to Apple Inc. in the past few weeks, and the existence of YISPECTER has been discussed on several online forums for months. Out of the 57 top cyber security products in the world, only one has been able to detect this specific malware.

The malware comprises four components that depend on each other. Signed with enterprise certificates, these components abuse private APIs and download files for each other from a command and control (C2) server. Three of them use complex tricks to hide their icons from the SpringBoard, which hinders detection and removal.

YiSpecter can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps’ execution to display advertisements, change Safari’s default search engine, bookmarks and opened pages, and upload device information to the C2 server from the infected iOS devices.

Key characteristics of this malware:
  • Whether or not an iPhone is jailbroken, the malware can be successfully downloaded and installed
  • Even if you manually delete the malware, it will automatically reappear
  • Using third-party tools you can find some strange additional “system apps” on infected phones
  • On infected phones, in some cases when the user opens a normal app, a full-screen advertisement will show up.

According to the forums, YiSpecter began to spread in November 2014. The main iOS apps of this malware have a user interface and functionality that enable watching free porn videos online, and were advertised as a “private version” or “version 5.0” of the famous media player “QVOD”. QVOD was developed by Kuaibo and became popular in China among users looking for porn.

So far, two main apps have been distributed:
  • HYQvod (bundle id: weiying.Wvod)
  • DaPian (bundle id: weiying.DaPian)
Both of them were spread by one or more of the multiple ways described earlier. They include the functionality of watching videos online by consuming credits, and users can earn credits by installing promoted iOS apps. Most importantly, they download and install another malicious app, named NoIcon.

The aforementioned apps install NoIcon in a peculiar way. The app opens an HTTP server that listens on port 8080 using [HYAppDelegate createLocalHTTPServer]. It downloads NoIcon’s IPA and PLIST files and then uses the local HTTP server to serve these files to iOS, which installs NoIcon from them.

From the evidence collected, it is suggested that a company named YingMob Interaction is the sole developer of YISPECTER. The apps are signed with YingMob Interaction’s enterprise certificate, and NoIconUpdate’s code even names the company in the app’s release notes. YiSpecter’s C2 server has hosted some websites belonging to YingMob. For example, directly visiting the subdomain used for YiSpecter’s downloads, qvod.bb800[.]com, shows a “WAP iOS Traffic Platform Backend Management System” with copyright information of YingMob Interaction.

The world where only jailbroken iOS devices were threatened by malware is a thing of the past. WireLurker proved that non-jailbroken iOS devices can also be infected through abuse of the enterprise distribution mechanism. YiSpecter further shows us that this technique is being used to infect many iOS devices in the wild.