A bug in the Android MediaProjection service lets hackers record audio and screen activity on 77% of all devices

By: sikur


By Pierluigi Paganini

November 20, 2017

A vulnerability affecting Android smartphones running Lollipop, Marshmallow, and Nougat (around 77.5% of all Android devices) could be exploited by an attacker to record audio and screen activity.

The vulnerability resides in the Android MediaProjection service, which has access to both the screen contents and system audio.

Starting with the release of Android Lollipop (5.0), the MediaProjection service is no longer restricted to users with root access.

“To use the MediaProjection service, an application would simply have to request access to this system Service via an Intent. Access to this system Service is granted by displaying a SystemUI pop-up that warns the user that the requesting application would like to capture the user’s screen,” the MWR team wrote in its report.

The researchers explained that an attacker could overlay this SystemUI pop-up, which warns the user that the screen contents and system audio will be captured, with an arbitrary message, tricking the user into granting a malicious application the ability to capture the screen.

The lack of a specific Android permission for this API makes it difficult to check whether an application uses the MediaProjection service to record video and audio. The only access-control mechanism available to prevent abuse of the MediaProjection service is the SystemUI pop-up, which can be easily bypassed.
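To make the mechanism concrete, the following added example (not code from the article or from MWR’s report) shows the two halves of the problem on Android 5.0+: first, how little a requesting app needs in order to ask for screen capture (no manifest permission, only an Intent that triggers the SystemUI consent dialog), and second, the standard Android defence against the overlay trick described above, applied to any confirmation button. An app cannot patch SystemUI’s own dialog, so the hardening shown here is what a developer can do for sensitive confirmation controls in their own app; the class and request-code names are assumptions for the example.

```java
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.media.projection.MediaProjection;
import android.media.projection.MediaProjectionManager;
import android.os.Bundle;
import android.view.MotionEvent;
import android.view.View;

// Hypothetical demo activity (not from the article): requests screen capture
// exactly the way any app on Android 5.0+ can, with no manifest permission.
public class ScreenCaptureDemo extends Activity {
    private static final int REQ_SCREEN_CAPTURE = 0x5C;   // arbitrary request code
    private MediaProjectionManager projectionManager;
    private MediaProjection projection;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        projectionManager =
            (MediaProjectionManager) getSystemService(Context.MEDIA_PROJECTION_SERVICE);
        // The only gate is this Intent: it makes SystemUI show the consent
        // pop-up. Nothing in the manifest declares that this app captures
        // the screen, so a permission audit will not surface it.
        startActivityForResult(projectionManager.createScreenCaptureIntent(),
                               REQ_SCREEN_CAPTURE);
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        if (requestCode != REQ_SCREEN_CAPTURE || resultCode != RESULT_OK || data == null) {
            return; // user declined, or the dialog was dismissed
        }
        // The returned token is what a malicious app is after: with it the app
        // can create a VirtualDisplay that mirrors the screen into its own Surface.
        projection = projectionManager.getMediaProjection(resultCode, data);
    }

    // Consent-side hardening for the overlay trick: a tap that arrives while
    // another window is drawn over the button must never count as consent.
    // setFilterTouchesWhenObscured() makes the framework drop such touches;
    // the listener below additionally inspects the flag so the app can log
    // the attempt, and swallows the event so no click handler runs.
    public static void hardenConsentControl(View grantButton) {
        grantButton.setFilterTouchesWhenObscured(true);
        grantButton.setOnTouchListener((v, event) -> {
            boolean obscured =
                (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
            if (obscured) {
                // Another window (e.g. a SYSTEM_ALERT_WINDOW overlay with the
                // attacker's arbitrary message) sits over this button.
                return true;   // consume the touch: no grant results from it
            }
            return false;      // untouched by overlays: normal click proceeds
        });
    }
}
```

The first half is why the article says the pop-up is the only control: the request path has no permission to declare or audit. The second half is the practitioner’s check for any consent UI: rely on `FLAG_WINDOW_IS_OBSCURED` rather than on the user noticing that the dialog text looks wrong.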

MORE: http://securityaffairs.co/wordpress/65786/hacking/android-mediaprojection-service-bug.html


Scammers Hijacking Cellphone Accounts, Racking Up Big Bills In Victim’s Name

By: sikur


by David Highfield

PITTSBURGH (KDKA) — Scammers are at it again.

This time, hijacking people’s cellphone accounts, leaving your phone with no service while they get new phones on your dime.

“I was on the phone, and suddenly my phone cut out,” said Lorrie Cranor, of Squirrel Hill.

Then, she learned her husband’s phone also quit working.

“So, I called my phone carrier and said: ‘What’s going on here?’” said Cranor. “I said my two phones have stopped working, and they said, ‘Oh, your two new iPhones?’ And I said, ‘No, no, my two old Android phones.’”

She was told to go to a store to straighten it out.

“The person there said somebody has hijacked your account,” said Cranor.

Eventually, she learned someone with a fake ID with Cranor’s name on it, but the thief’s photo, went to a store in Ohio and asked for an upgrade. They walked out with two new iPhones assigned to Cranor’s number and charged to her account.

MORE: https://pittsburgh-cbslocal-com.cdn.ampproject.org/c/pittsburgh.cbslocal.com/2017/11/10/hijacked-cell-phone-account-scam/amp/


Kaspersky: Yes, we obtained NSA secrets. No, we didn’t help steal them

By: sikur


By DAN GOODIN

For almost two months in 2014, servers belonging to Moscow-based Kaspersky Lab received confidential National Security Agency materials from a poorly secured computer located in the United States that stored the files, most likely in violation of US laws, company officials said.

The classified source code, documents, and executable binaries were stored on a computer that used an IP address reserved for Verizon FIOS customers in Baltimore, about 20 miles from the NSA’s Fort Meade, Maryland, headquarters, Kaspersky Lab said in an investigation report it published early Thursday morning. Starting on September 11, 2014 and running until November 9 of that year, Kaspersky Lab servers downloaded the confidential files multiple times after the company’s antivirus software, which was installed on the machine, found they contained malicious code from Equation Group, an NSA-linked hacking group that operated for at least 14 years before Kaspersky exposed it in 2015.

The downloads—which, like other AV software, the Kaspersky program automatically initiated when it encountered suspicious software that warranted further inspection—included a 45MB 7-Zip archive that contained source code, malicious executables, and four documents bearing US government classification markings. A company analyst who manually reviewed the archive quickly determined it contained confidential material. Within a few days and at the direction of CEO and founder Eugene Kaspersky, the company deleted all materials except for the malicious binaries. The company then created a special software tweak to prevent the 7-Zip file from being downloaded again.

“The reason we deleted those files and will delete similar ones in the future is two-fold,” Kaspersky Lab officials wrote in Thursday’s report. “We don’t need anything other than malware binaries to improve protection of our customers and secondly, because of concerns regarding the handling of potential classified materials. Assuming that the markings were real, such information cannot and will not [be] consumed even to produce detection signatures based on descriptions.”

MORE: https://arstechnica.com/information-technology/2017/11/kaspersky-yes-we-obtained-nsa-secrets-no-we-didnt-help-steal-them/


Another Shady App Found Pre-Installed on OnePlus Phones that Collects System Logs

By: sikur


November 15, 2017 

The OnePlus Saga Continues…

Just a day after the revelation of the hidden Android rooting backdoor pre-installed on most OnePlus smartphones, a security researcher just found another secret app that records tons of information about your phone.

Dubbed OnePlusLogKit, the second pre-installed app was discovered by the same Twitter user, who goes by the pseudonym “Elliot Alderson” and who also found the controversial “EngineerMode” diagnostic testing application that could be used to root OnePlus devices without unlocking the bootloader.

OnePlusLogKit is a system-level application that is capable of capturing a multitude of things from OnePlus smartphones, including:

  • Wi-Fi, NFC, Bluetooth, and GPS location logs,
  • Modem signal and data logs, hot and power issue logs,
  • list of the running processes, list of running service and battery status,
  • media databases, including all your videos and images saved on the device.

Unlike EngineerMode (which was found on devices from several manufacturers, including HTC, Samsung, LG, Sony, Huawei, and Motorola), the OnePlusLogKit application (decompiled APK) is almost certainly present only on OnePlus devices.

Since OnePlusLogKit is disabled by default, the attacker would require access to the victim’s smartphone to enable it.

With physical access to the targeted smartphone, one can quickly enable it by dialing *#800# → “oneplus Logkit” → enable “save log,” or one can use social engineering to get the owner of the device to do it themselves.

Once enabled, any other application installed on the device can read the logged information (stored unencrypted in the /sdcard/oem_log/ folder) and send it off the device without any user interaction; reading that folder needs only the READ_EXTERNAL_STORAGE permission that many ordinary apps already hold.

Although the app in question has been designed for device manufacturers and engineers to log the events/activities to diagnose system issues, the amount of information collected here could also be used for nefarious purposes.

MORE: https://thehackernews.com/2017/11/oneplus-logkit-app.html


Local businesses a target for next cyberattacks

By: sikur


by Elizabeth Leary

If your favorite yoga studio or local hardware store doesn’t have cybersecurity measures in place, it might be time to worry — most small businesses that have been targeted by cyberattacks don’t realize it.

A survey of small-business owners by Nationwide found only 13 percent of respondents believed they had experienced a cyberattack. However, when owners were shown a list of specific examples of attacks, including phishing, viruses and ransomware, the figure of those reporting attacks increased to 58 percent.

“Although awareness is increasing, small-business owners are still not even realizing when they’ve been victims of cyberattacks,” said Karen Johnston, technical consultant for Nationwide. “Small-business owners have a misconception that cybercriminals are only targeting large corporations, but that couldn’t be further from the truth.”

Phishing emails are the most common form of successful cyberattack, according to the Better Business Bureau, which released a report Thursday on the state of cybersecurity among North American small businesses.

About a quarter of small-business respondents to BBB’s survey had not heard of phishing. About a third had not heard of ransomware, and nearly half had not heard of point-of-sale malware. Point-of-sale systems were involved in three-quarters of cyberbreaches involving the hotel and restaurant industry, according to the BBB.

“Small businesses may feel like there’s nothing they can do,” said Michael Kaiser, executive director of the National Cyber Security Alliance. “They may also feel like they’re not going to be the target of an attack because they don’t have as much to protect.”

MORE: https://www.cnbc.com/2017/10/13/local-businesses-a-target-for-next-cyberattacks.html?platform=hootsuite


Ordinypt ‘Ransomware’ Destroys Data Instead of Encrypting It

By: sikur


By Tara Seals

14 NOV 2017

A new malware called Ordinypt that targets German users is making the rounds—billing itself as ransomware. However, the code is really a wiper, with apparent twin motives of financial gain as well as disrupting business operations.

G Data security researcher Karsten Hahn found that the malware, which also goes by the name HSDFSDCrypt, is targeting German users for the moment, using emails and ransom notes that are written in flawless Deutsch. It’s being spread via responses to job ads—the emails purport to have a ZIP file with a resume and CV attached.

According to an analysis from Valthek, once opened, the malware infects a victim’s machine, making files inaccessible, and then requests 0.12 Bitcoin (around 600 EUR) for recovering them. Unbeknownst to the target, the files are actually destroyed, not encrypted, and the attackers have no code for “unlocking” them, even if victims pay up.

Interestingly, Valthek found that the malware does not encrypt files at all: it overwrites them with garbage strings of random letters and numbers, so there is nothing left to recover.

More: https://www.infosecurity-magazine.com/news/ordinypt-ransomware-destroys-data/


OnePlus Left A Backdoor That Allows Root Access Without Unlocking Bootloader

By: sikur


by Swati Khandelwal

November 13, 2017

Another terrible news for OnePlus users.

Just over a month after OnePlus was caught collecting personally identifiable information on its users, the Chinese smartphone company has been found leaving a backdoor on almost all OnePlus handsets.

A Twitter user, who goes by the name “Elliot Alderson” (after Mr. Robot’s main character), discovered a backdoor (an exploit) in all OnePlus devices running OxygenOS that could allow anyone to obtain root access to the devices.

The application in question is “EngineerMode,” a diagnostic testing application made by Qualcomm for device manufacturers to easily test all hardware components of the device.

This APK comes pre-installed (accidentally left behind) on most OnePlus devices, including OnePlus 2, 3, 3T, and the newly-launched OnePlus 5. We can confirm its existence on the OnePlus 2, 3 and 5.

You can also check whether this application is installed on your OnePlus device. To do so, go to Settings, open Apps, enable “Show system apps” from the top-right menu (three dots) and search for EngineerMode in the list.
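The manual Settings check above, and the OnePlusLogKit log folder described in the earlier item, can both be checked programmatically. The following added example (not code from either article or from OnePlus) is a small Android helper that looks for both pre-installed apps by their displayed label, since neither article gives package names, and reports whether OnePlusLogKit has already written anything to /sdcard/oem_log/. It assumes a 2017-era Android build where an app may enumerate installed packages and reads the folder under READ_EXTERNAL_STORAGE; the class name is an assumption for the example.

```java
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.os.Environment;
import java.io.File;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper (not from the articles): find the two diagnostic apps
// and any logs OnePlusLogKit has left on shared storage.
public final class OnePlusDiagnosticsCheck {
    // App labels as reported in the articles; matched case-insensitively.
    private static final String[] SUSPECT_LABELS = {"EngineerMode", "OnePlusLogKit"};

    // Folder named in the OnePlusLogKit article; on most devices
    // Environment.getExternalStorageDirectory() resolves to /sdcard.
    private static final String OEM_LOG_DIR = "oem_log";

    private OnePlusDiagnosticsCheck() {}

    // Returns "label (package)" for each pre-installed (system) app whose label
    // matches one of the suspect names. Matching on the label mirrors what a
    // user sees in Settings > Apps with "Show system apps" enabled.
    public static List<String> findSuspectSystemApps(PackageManager pm) {
        List<String> hits = new ArrayList<>();
        // Assumption: package enumeration is unrestricted (true before Android 11
        // package-visibility filtering; later builds need QUERY_ALL_PACKAGES).
        for (ApplicationInfo ai : pm.getInstalledApplications(0)) {
            boolean isSystem = (ai.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
            if (!isSystem) {
                continue; // both apps ship in the system image, not as user installs
            }
            String label = String.valueOf(ai.loadLabel(pm));
            for (String suspect : SUSPECT_LABELS) {
                if (label.equalsIgnoreCase(suspect)) {
                    hits.add(label + " (" + ai.packageName + ")");
                }
            }
        }
        return hits;
    }

    // Returns the files currently sitting in /sdcard/oem_log/, i.e. what any
    // other app holding READ_EXTERNAL_STORAGE could read and exfiltrate.
    // An empty array means the folder is absent or empty (logging not enabled,
    // or nothing written yet).
    public static File[] exposedOemLogs() {
        File dir = new File(Environment.getExternalStorageDirectory(), OEM_LOG_DIR);
        File[] files = dir.isDirectory() ? dir.listFiles() : null;
        return files == null ? new File[0] : files;
    }

    // Convenience wrapper for a one-line verdict, e.g. from an activity:
    //   String report = OnePlusDiagnosticsCheck.report(getPackageManager());
    public static String report(PackageManager pm) {
        StringBuilder sb = new StringBuilder();
        List<String> apps = findSuspectSystemApps(pm);
        sb.append(apps.isEmpty() ? "no suspect system apps found" : "found: " + apps);
        sb.append("; oem_log files exposed: ").append(exposedOemLogs().length);
        return sb.toString();
    }
}
```

The label match is deliberately loose: EngineerMode is a Qualcomm component that other vendors ship too, so a hit only tells you the app is present, not that it is reachable or enabled. A non-zero `oem_log` count is the more actionable signal, since it means logging has been switched on and the data is already readable by other apps.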

MORE: https://thehackernews.com/2017/11/oneplus-root-exploit.html


The US’s most secretive intelligence agency was embarrassingly robbed and mocked by hackers

By: sikur


by Alex Lockie

Nov 13, 2017

The National Security Agency, the US’s largest and most secretive intelligence agency, has been deeply infiltrated by anonymous hackers, as detailed in a New York Times exposé published Sunday.

The NSA, which compiles massive troves of data on US citizens and organizes cyberoffensives against the US’s enemies, was deeply compromised by a group known as the Shadow Brokers, which has made headlines in the past year in connection to the breach, whose source remains unclear.

The group now posts cryptic, mocking messages pointed toward the NSA as it sells the cyberweapons, created at huge cost to US taxpayers, to any and all buyers, including US adversaries like North Korea and Russia.

“It’s a disaster on multiple levels,” Jake Williams, a cybersecurity expert who formerly worked on the NSA’s hacking group, told The Times. “It’s embarrassing that the people responsible for this have not been brought to justice.”

“These leaks have been incredibly damaging to our intelligence and cybercapabilities,” Leon Panetta, the former director of the Central Intelligence Agency, told The Times. “The fundamental purpose of intelligence is to be able to effectively penetrate our adversaries in order to gather vital intelligence. By its very nature, that only works if secrecy is maintained and our codes are protected.”

Furthermore, a wave of cybercrime has been linked to the release of the NSA’s leaked cyberweapons.

Another NSA source who spoke with The Times described the attack as being at least in part the NSA’s fault. The NSA has long prioritized cyberoffense over securing its own systems, the source said. As a result the US now essentially has to start over on cyberinitiatives, Panetta said.

MORE: https://amp-businessinsider-com.cdn.ampproject.org/c/s/amp.businessinsider.com/nsa-embarrassingly-robbed-mocked-by-shadow-brokers-2017-11


Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core

By: sikur


By SCOTT SHANE, NICOLE PERLROTH and DAVID E. SANGER
November 12, 2017

WASHINGTON — Jake Williams awoke last April in an Orlando, Fla., hotel where he was leading a training session. Checking Twitter, the cybersecurity expert was dismayed to discover that he had been thrust into the middle of one of the worst security debacles ever to befall American intelligence.

Mr. Williams had written on his company blog about the Shadow Brokers, a mysterious group that had somehow obtained many of the hacking tools the United States used to spy on other countries. Now the group had replied in an angry screed on Twitter. It identified him — correctly — as a former member of the National Security Agency’s hacking group, Tailored Access Operations, or T.A.O., a job he had not publicly disclosed. Then the Shadow Brokers astonished him by dropping technical details that made clear they knew about highly classified hacking operations that he had conducted.

America’s largest and most secretive intelligence agency had been deeply infiltrated.

“They had operational insight that even most of my fellow operators at T.A.O. did not have,” said Mr. Williams, now with Rendition Infosec, a cybersecurity firm he founded. “I felt like I’d been kicked in the gut. Whoever wrote this either was a well-placed insider or had stolen a lot of operational data.”

The jolt to Mr. Williams from the Shadow Brokers’ riposte was part of a much broader earthquake that has shaken the N.S.A. to its core. Current and former agency officials say the Shadow Brokers disclosures, which began in August 2016, have been catastrophic for the N.S.A., calling into question its ability to protect potent cyberweapons and its very value to national security. The agency regarded as the world’s leader in breaking into adversaries’ computer networks failed to protect its own.

MORE: https://mobile-nytimes-com.cdn.ampproject.org/c/s/mobile.nytimes.com/2017/11/12/us/nsa-shadow-brokers.amp.html
