Daily Archives: January 11, 2020

#nationalcybersecuritymonth | Security lifeline: WhatsApp to pull support for older Android and iOS devices next month

Source: National Cyber Security – Produced By Gregory Evans

Upgrade or be left behind

ANALYSIS Millions of smartphone users may have a little less mobile security next month, after WhatsApp withdraws its support for older versions of Android and iPhone operating systems.

Devices running on iOS 8 and earlier, or Android versions 2.3.7 and earlier, will no longer receive updates from the free messaging service, with app features expected to deprecate on these systems from February 1.

“WhatsApp for iPhone requires iOS 9 or later,” WhatsApp said in a recent statement on its website.

“On iOS 8, you can no longer create new accounts or reverify existing accounts.

“If WhatsApp is currently active on your iOS 8 device, you’ll be able to use it until February 1, 2020.”

According to the UK’s National Cyber Security Centre, a security vulnerability is much more likely to be exploited on end-of-life devices that run unsupported software.

The damage that these issues can cause also increases, with attackers finding an easy target in technology where the only fix available is to upgrade to supported, patched hardware or operating system.

The general functionality of the retired product tends to break, as well.

“We don’t explicitly restrict the use of jailbroken or unlocked devices,” WhatsApp said.

“However, because these modifications might affect the functionality of your device, we can’t provide support for devices using modified versions of the iPhone’s operating system.”

There is no industry standard as to when to end support for dated versions of an app or software. The decision is largely decided in the boardrooms of tech conglomerates, and generally viewed as a balancing act between consumer market share, cost, and security.

In order to keep on top of the software lifecycle, consumers are often required to upgrade their hardware. In the case of Apple, iOS 13 – the latest version of its mobile OS – is only compatible with the iPhone 6S and above.

At the other end of the spectrum, iOS 8, Apple’s eighth major operating system released in 2014, receives only minimal third-party application support.

“Of course Apple wants us to upgrade to their latest and greatest iPhones and MacBooks,” Patrick Wardle, Mac security expert and creator of the infosec blog and security toolkit site Objective-See, told The Daily Swig last year.

“But from a security point of view (versus just a consumer/marketing point of view), there is no denying that the latest version of their software and hardware (for example devices) are often far more secure than their predecessors,” Wardle said.

“Users should really upgrade to newer versions,” he added.


This is an ongoing game for consumers, and indeed businesses, to maintain a healthy level of security and rid themselves of what is known in the industry as technical debt – the migration away from Windows 7 is one example.

Affordability can outweigh the guarantee of vendor support, however, which illustrates the reality of many individuals who lose the security guarantee that comes alongside regular patches on compatible hardware.

While there are no official statistics related to the version types of mobile ownership, Angela Siefer, executive director of the US non-profit National Digital Inclusion Alliance (NDIA), says it’s safe to assume that those in low income brackets are less likely to be using the latest devices.

The most vulnerable populations are put at even more risk, she says.

“The situation with WhatsApp is definitely alarming, but it’s also not surprising,” Siefer told The Daily Swig.

“As technology keeps innovating there is going to continue to be people left behind, and society needs to figure out how to support those folks as technology moves forward.”

The NDIA works to address affordability issues related to internet access and ownership of digital devices. Part of that mandate is education, where security, in particular, needs to move outside the tech industry bubble in order to reach individuals who may not realize that their software needs fixes.

“They’re [consumers] not reading tech blogs, they’re probably not reading anything about WhatsApp, they’re just frustrated because now it [WhatsApp] doesn’t work anymore,” Siefer said.

There are certain cases where tech companies or software vendors provide extended support for their products, whether in full due to their popularity or through open sourcing specific applications, as is the case with the iPhone.

But these third-party applications are few and far between, and some, including Paul Roberts, founder of the right to repair infosec group Securepairs, believe legislation should compel companies to release unsupported software into the public domain.

“So, in the context of WhatsApp, open source discontinued versions of the app and put it on GitHub,” Roberts told The Daily Swig.

“That way, technically minded users can pick up where the company left off: making a ‘public’ version of the app that will continue to work on older phones and tablets.”

WhatsApp’s decision to make versions of iOS and Android obsolete follows a move to end its support for all Windows phones at the beginning of the year, similar to one taken by parent company Facebook in April 2019, which sunset the Facebook, Messenger, and Instagram apps for users of the limited Microsoft smartphone.

WhatsApp is currently one of the most popular smartphone chat apps, used in 2017 by approximately 1.5 billion consumers across the globe.

The company did not reply to The Daily Swig’s request for comment about how many people use its service on the soon-to-be out-of-date operating system, but as Facebook, and other tech giants, continue to gain a foothold in emerging markets, consumer desire to hold onto older devices may drive the industry to rethink the end-of-life ecosystem.


#cybersecurity | hacker | Federally funded Unimax smartphone pre-loaded with malware


The Unimax UMX U686CL, a Chinese-made smartphone distributed by the federally funded Assurance Wireless by Virgin Mobile, has been found to come pre-loaded with two malicious apps.

Malwarebytes researchers found the malware every owner finds on their phone is Wireless Update and, amazingly, the device’s own Settings app, neither of which can be removed from the phone without it ceasing to operate properly.

Collier, Malwarebytes senior malware intelligence analyst, said Settings functions as a heavily obfuscated trojan dropper detected as Android/Trojan.Dropper.Agent.UMX. After it is installed, one of the first pieces of malware dropped is HiddenAds.

The Malwarebytes team was able to witness this first-hand as the UMX U686CL it bought as a test bed was soon infected with HiddenAd adware. Malwarebytes reported the adware runs silently in the background, creates no icon, and the only way to tell it is functioning is through the device’s notification bar. Unlike a typical notification, it cannot be turned off or removed by swiping; instead, an uninstall process must be undertaken.

“If you press and hold the notification, it will give the option to go to MORE SETTINGS. After clicking MORE SETTINGS, it will take you to the app’s notification settings. From there, press the app’s icon at the top. Lastly, it will take you to the app’s App info, where you can uninstall,” wrote Collier.

HiddenAd has been operating in the wild since spring 2019, but reports of malicious activity began climbing in October 2019.

Wireless Update is the device’s primary method of receiving operating system updates, but Collier noted it also has the ability to auto-install apps without the user’s permission, something it begins to do immediately upon activation.

Wireless Update is a variant of the previously known Adups, a Chinese company that has been caught collecting data and installing auto-installers.

“While the apps it installs are initially clean and free of malware, it’s important to note that these apps are added to the device with zero notification or permission required from the user. This opens the potential for malware to unknowingly be installed in a future update to any of the apps added by Wireless Update at any time,” he said.

The most nefarious aspect of these two apps is that they cannot be removed from the phone without disrupting operations. Pulling Wireless Update would halt any OS updates from being downloaded, a risk Collier said is worth taking, but Settings has to be left on board as its removal would destroy the phone.

The U686CL is an entry-level phone distributed by Assurance Wireless, a program federally subsidized through the Universal Service Fund and available only to people who qualify based on federal or state-specific eligibility criteria. This includes being on certain public assistance programs, like Medicaid or the Supplemental Nutrition Assistance Program, or qualifying on the basis of household income.


#nationalcybersecuritymonth | This Is What Is Really Happening Right Now


A week on from the U.S. killing of Iran’s Qassem Suleimani on January 3, media warnings around the cyber threat now facing the U.S. and its allies show no signs of diminishing. On January 8, the New York Times warned that even as “Iran’s military response may be ‘concluded,’ [the] cyberwarfare threat grows,” and, a day later, the Wall Street Journal that the “threat of cyberattack by Iran [is] still critical.”

In the week since Suleimani, there have been around 35 organisations attacked by cyber offensives “specifically traced” to Iran’s state-sponsored hacking groups. Around 17% of those targets were in the U.S., a further 7% were in Israel. As ever with Iran, more of its focus is on strategic regional targets. That’s according to cyber threat researchers at Check Point, which has stepped up its monitoring. The team says this is not a material change over what was happening before Suleimani. “No significant response has yet been seen by us,” the company told me.

Beyond the noisy nuisance attacks (website defacements and denials of service), there are two genuine concerns. First, that a state-sponsored attack might be mounted against critical infrastructure targets: energy, transportation, finance. And, second, that a raft of commercial organisations in the U.S. and elsewhere will see concerted attacks on data and systems, to steal or destroy. But, one week on, it seems eerily quiet. Is this the calm before the storm, or has the danger passed, with the same downgraded response as in the physical realm as Iran holds fire for fear of reprisals?

Iran has invested heavily in recent years to become a credible cyber player. But the country has nothing anywhere close to U.S. capabilities. And that’s a major issue for the planners in Tehran, in the same way that they will view the implications of a more dangerous missile strike than we saw on January 8. A disproportionate strike risks a devastating response. And Iran knows full well that the U.S. can use its offensive cyber weapons to take out large parts of its infrastructure if suitably provoked.

Despite this, “the threat of a nation-state cyber-attack on high profile corporations, government arms, and SCADA systems is very real,” maintains Brian Hussey, cyber threat detection lead at Trustwave SpiderLabs. But Hussey also tells me that “it is not clear how capable Iran is to conduct these attacks now,” even though, in his view, “it is possible that Iran already has SCADA attack capabilities in place, hidden deep within U.S. SCADA environments, waiting for the right time to attack.”

My colleague Kate O’Flaherty has pulled together a detailed overview of the history of Iran’s cyber capability build-up and the likely nature of its attacks. “The cyber warfare threat from Iran shouldn’t be dismissed,” she writes. “The country’s state sponsored hackers are capable of launching significant attacks on critical infrastructure–and they may target specific individuals and networks.”

In the meantime, what has happened is that the cyber noise levels have gone up. That has nothing to do with Iran the state and everything to do with Iran the influencer. “While there is relatively no change in Iranian APT groups attack volume,” Check Point’s cyber intel lead Lotem Finkelstein tells me, “we do see more independent attacks that are being carried out by private hackers, not associated with a known or official Iranian entity. These attacks usually involve a corruption of public websites and their goal is to generate panic more than any real damage.”

Philip Ingram, formerly a senior officer within U.K. military intelligence, has become a frequent media commentator on the threat he sees from Iran. “I think in the medium to longer term,” he tells me, “we will still likely see a steady increase in Iranian or Iranian-sponsored activity—all, of course, at a time and place of their choosing. On the cyber side, over the last two years, hardly a month has passed without a cyber incident with an Iranian fingerprint. I see no reason for this to stop and every reason, especially with the U.S. elections, for this to ramp up and increase.”

A day after Suleimani, hackers claiming links with Iran targeted the website of the U.S. Federal Depository Library Program, defacing its home page with threats of vengeance alongside imagery of President Trump, Ayatollah Khamenei and the Iranian flag. Hussey describes these attackers as “hacktivists and patriotic types—while these types of attacks are frustrating to the victim, they do not carry the same threat level that nation-state attackers would likely focus on carrying out.”

“The purpose of these attacks is just to create an echo,” Finkelstein says. “Geopolitical events ignite private groups—but it fades after a few days. Such waves are seen after every tension in the Middle East and North Africa. Now, the main target is the U.S.”

More seriously, Iran is continually probing for weaknesses in certain high-profile U.S. systems as well as those of strategic regional targets (read oil and gas entities in Saudi, UAE and Bahrain), as well as sponsoring a mainstream malware industry that orients around denial of service attacks, ransomware and credential theft, but which is steered towards under-protected industry and public sector targets. These are not hardened military and intel targets, core command and control, or military systems.

“To deploy a significant attack,” Finkelstein says, “one needs to invest the time and effort to design and craft it perfectly. If Iran ever strikes through the cyber medium, we expect it to be at the time and place they feel ready. This means that we all need to make the necessary preparations today.”

On December 29, a week ahead of the Suleimani killing, an Iranian state-sponsored hacking group reportedly attacked Bahrain’s national oil company—for Tehran, this is a strategic regional target. In November, one such Iranian group, APT33, was exposed for deploying a long-running campaign against such targets. The same group was behind the Shamoon attack on Saudi’s state-oil company back in 2012.

Hussey warns that attacks on strategic commercial targets will continue and will use the same kind of “wiper programs” for which Iran is becoming infamous, “motivated,” he says, “by destruction. The [Shamoon] Saudi Aramco attack was the most infamous use of wiper programs, bricking over 30,000 devices and causing massive damage.”

Post-Suleimani, the U.S. government has warned that “Iranian cyber threat actors have continuously improved their offensive cyber capabilities.” CISA, the cyber agency within DHS, has highlighted noisy attacks, “website defacement, distributed denial of service, and theft of personally identifiable information (PII),” but also “destructive wiper malware and, potentially, cyber-enabled kinetic attacks.”

Information security remains the order of the day. Right now, U.S. public and private entities do need to be mindful of an attack, even if that’s just part of the fragmented echo chamber that has been created by the rhetoric emanating from Tehran. Network resilience, data backups, user training. “I think people should be vigilant,” Ingram says, “if there are any links to U.S. government or its supply chain or research, then they are a legitimate target.”

For Check Point and Finkelstein, “Saudi Arabia and U.S. government entities and critical infrastructure remain the main targets for genuine Iranian cyber operations.” He also echoes Ingram’s warnings where commercial entities are indirectly engaged in government activity. “To allow these kinds of attacks, groups may also compromise third parties and government contractors and work through their networks to reach the main targets. We have seen this tactic a few times over the past years.”

All of which, Ingram says, “is [Iran’s] background level of activity and we are likely to see an increase in areas they feel can influence events in different countries from a disruptive perspective.” He suggests attacks in the lead-up to the U.S. election, and “in areas where U.S. forces are stationed across the Gulf and the possibility of attacks on shipping to disrupt safe passage and possibly have ships stray into Iranian waters.”

So, the bottom-line—we are where we expected to be in the immediate aftermath of the Suleimani killing. A raft of low-level attacks from a fragmented hacking world sympathetic to Iran or just looking for an excuse to cause trouble, with very limited state activity beyond what was taking place. But, because Iran is so active, warnings for companies and government entities to step up their defences should be heeded.

Critically, of course, none of this will happen in isolation. Iran is on the back foot right now. A retaliatory missile strike on the U.S. that was benign was likely deliberate, albeit painted in some quarters as incompetent. More importantly, “the accidental shoot down [of Ukrainian Flight 752],” Ingram says, “has caused Iran to step back from the brink of an immediate spectacular and reassess their whole approach to revenge. Consequence management is part of their psyche and this will have rocked them a bit—it certainly seems to have quietened the rhetoric in the short term.”

That covers the short-term, but this will likely run and run. As Check Point warns, “we don’t see Iran’s known APT groups changing tactics or increasing volumes, but that doesn’t mean it’s not work-in-progress.”


#deepweb | Alleged Member of Neo-Nazi Swatting Group Charged — Krebs on Security


Federal investigators on Friday arrested a Virginia man accused of being part of a neo-Nazi group that targeted hundreds of people in “swatting” attacks, wherein fake bomb threats, hostage situations and other violent scenarios were phoned in to police as part of a scheme to trick them into visiting potentially deadly force on a target’s address.

In July 2018, KrebsOnSecurity published the story Neo-Nazi Swatters Target Dozens of Journalists, which detailed the activities of a loose-knit group of individuals who had targeted hundreds of individuals for swatting attacks, including federal judges, corporate executives and almost three-dozen journalists (myself included).

A portion of the Doxbin, as it existed in late 2019.

An FBI affidavit unsealed this week identifies one member of the group as John William Kirby Kelley. According to the affidavit, Kelley was instrumental in setting up and maintaining the Internet Relay Chat (IRC) channel called “Deadnet” that was used by him and other co-conspirators to plan, carry out and document their swatting attacks.

Prior to his recent expulsion on drug charges, Kelley was a student studying cybersecurity at Old Dominion University in Norfolk, Va. Interestingly, investigators allege it was Kelley’s decision to swat his own school in late November 2018 that got him caught. Using the handle “Carl,” Kelley allegedly explained to fellow Deadnet members he hoped the swatting would get him out of having to go to class.

The FBI says Kelley used virtual private networking (VPN) services to hide his true Internet location and various voice-over-IP (VoIP) services to conduct the swatting calls. In the ODU incident, investigators say Kelley told ODU police that someone was armed with an AR-15 rifle and had placed multiple pipe bombs within the campus buildings.

Later that day, Kelley allegedly called ODU police again but forgot to obscure his real phone number on campus, and quickly apologized for making an accidental phone call. When authorities determined that the voice on the second call matched that from the bomb threat earlier in the day, they visited and interviewed the young man.

Investigators say Kelley admitted to participating in swatting calls previously, and consented to a search of his dorm room, wherein they found two phones, a laptop and various electronic storage devices.

The affidavit says one of the thumb drives included multiple documents that logged statements made on the Deadnet IRC channel, which chronicled “countless examples of swatting activity over an extended period of time.” Those included videos Kelley allegedly recorded of his computer screen, which showed live news footage of police responding to swatting attacks while he and other Deadnet members discussed the incidents in real time on their IRC forum.

The FBI believes Kelley also was linked to a bomb threat incident in November 2018 at the predominantly African American Alfred Baptist Church in Old Town Alexandria, an incident that led to the church being evacuated during evening worship services while authorities swept the building for explosives.

The FBI affidavit was based in part on interviews with an unnamed co-conspirator, who told investigators that he and the others on Deadnet IRC are white supremacists and sympathetic to the neo-Nazi movement.

“The group’s neo-Nazi ideology is apparent in the racial tones throughout the conversation logs,” the affidavit reads. “Kelley and other co-conspirators are affiliated with or have expressed sympathy for Atomwaffen Division,” an extremist group whose members are suspected of having committed multiple murders in the U.S. since 2017.

Investigators say on one of Kelley’s phones they found a photo of him and others in tactical gear holding automatic weapons next to pictures of Atomwaffen recruitment material and the neo-Nazi publication Siege.

As I reported last summer, several Deadnet members maintained a site on the Dark Web called the “Doxbin,” which listed the names, addresses, phone numbers and often known IP addresses, Social Security numbers, dates of birth and other sensitive information on hundreds of people — and in some cases the personal information of the target’s friends and family. After those indexed on the Doxbin were successfully swatted, a blue gun icon would be added next to the person’s name.

One of the core members of the group on Deadnet — an individual who used the nickname “Chanz,” among others — stated that he was responsible for maintaining SiegeCulture, a white supremacist Web site that glorifies the writings of neo-Nazi James Mason (whose various books call on followers to start a violent race war in the United States).

Deadnet chat logs obtained by KrebsOnSecurity show that another key swatting suspect on Deadnet who used the handle “Zheme” told other IRC members in March 2019 that one of his friends had recently been raided by federal investigators for allegedly having connections to the person responsible for the mass shooting in October 2018 at the Tree of Life Jewish synagogue in Pittsburgh.

At one point last year, Zheme also reminded denizens of Deadnet about a court hearing in the murder trial of Sam Woodward, an alleged Atomwaffen member who’s been charged with killing a 19-year-old gay Jewish college student.

As reported by this author last year, Deadnet members targeted dozens of journalists whose writings they considered threatening to their worldviews. Indeed, one of the targets successfully swatted by Deadnet members was Pulitzer prize winning columnist Leonard G. Pitts Jr., whose personal information as listed on the Doxbin was annotated with a blue gun icon and the label “anti-white race/politics writer.”

In another Deadnet chat log seen by this author, Chanz admits to calling in a bomb threat at the UCLA campus following a speech by Milo Yiannopoulos. Chanz bragged that he did it to frame feminists at the school for acts of terrorism.

On a personal note, I sincerely hope this arrest is just the first of many to come for those involved in swatting attacks related to Deadnet and the Doxbin. KrebsOnSecurity has obtained information indicating that several members of my family also have been targeted for harassment and swatting by this group.

Finally, it’s important to note that while many people may assume that murders and mass shootings targeting people because of their race, gender, sexual preference or religion are carried out by so-called “lone wolf” assailants, the swatting videos created and shared by Deadnet members are essentially propaganda that hate groups can use to recruit new members to their cause.

The Washington Post reports that Kelley had his first appearance in federal court in Alexandria, Va. on Friday.

“His public defender did not comment on the allegations but said his client has ‘very limited funds,’” The Post’s courts reporter Rachel Weiner wrote.

The charge against Kelley of conspiracy to make threats carries up to five years in prison. The affidavit in Kelley’s arrest is available here (PDF).
