Researchers hack into software with malware threat

New York: A team of researchers has dissected how software downloads are abused to deliver malware that, disguised as lucrative advertisements, opens computers and other devices to hijacking.

A team of researchers from Google and the New York University Tandon School of Engineering next week will offer the first public view into shady practices that deliver unwanted advertising and software bundled with legitimate downloads — a problem that occurs far more often than malware attempts.

Their research material, provided by New York University, suggests that some of the affiliates that distribute such software might be complicit in the scheme, which gives them layers of deniability about installing unwanted software.


Generally, when a person goes to the “legitimate software update or download”, a barrage of advertisements overruns the screen. Sometimes flashing pop-ups warn of the presence of malware, demanding the purchase of what is often fraudulent antivirus software.

On other occasions, the system's default browser is hijacked, redirecting to ad-laden pages.

The researchers conducted the first analysis of the link between commercial pay-per-install (PPI) practices and the distribution of unwanted software.

Kurt Thomas, a research scientist at Google, and Damon McCoy, an Assistant Professor of Computer Science and Engineering at NYU Tandon and their colleagues cite reports indicating that commercial PPI is a highly lucrative global business, with one outfit reporting $460 million in revenue in 2014 alone.

“If you have ever downloaded a screen saver or other similar feature for your laptop, you have seen a ‘terms and conditions’ page pop up where you consent to the installation,” McCoy explained.

“Buried in the text that nobody reads is information about the bundle of unwanted software programmes in the package you are about to download,” McCoy added.

The report explains that PPI businesses operate through a network of affiliates — brokers who forge the deals that bundle advertisements (often unwanted software) with popular software applications, then place download offers on well-trafficked sites where they are likely to be clicked on.

Parties are paid separately — meaning some legitimate developers do not know their products are being bundled with unwanted software — and they are paid as much as two dollars per install.




Hackers detail the blood and guts of the 2016 Pwn2Own exploit expo

Kernel carnage bashes browsers and punishes plug-ins. Black Hat Zero Day Initiative researchers have detailed the winning hacks of this year’s Pwn2Own competition, painting a picture of broken browsers and owned systems.

The quartet of Matt Molinyawe, Abdul-aziz Hariri, Jasiel Spelman, and Jason Smith of Trend Micro’s Zero Day Initiative vulnerability clearing house detailed and demonstrated the devastating white hat hacks during their presentations at the Black Hat conference in Las Vegas.

They walked delegates through the exploitation steps of the eight successful Pwn2Own hacks pulled off at the Pwn2Own competition in March, recapping the steps and the 21 vulnerabilities which led to the digital goring of Chrome, Safari, Microsoft Edge, Apple OS X, and Adobe Flash.

“The winning submissions to Pwn2Own 2016 provided unprecedented insight into the state-of-the-art techniques in software exploitation,” the quartet says in a 65-page technical paper [PDF] published after the talk.

“Every successful submission provided remote code execution as the super user (SYSTEM/root) via the browser or a default browser plug-in … attained through the exploitation of the Microsoft Windows or Apple OS X kernel.”

The attacks, detailed in a bid to improve the hacking chops of delegates, use different attack paths to achieve remote code execution but rely on similar kernel exploitation methods for attaining read and write capabilities.

Using browsers as the first vector for such kernel exploitation was rare in earlier Pwn2Own contests.

Molinyawe, Hariri, Spelman, and Smith say application sandboxing improvements have helped, but did not shutter the attacks used at the contest.

“Application sandboxing is a step in the right direction, but the kernel attack surface remains expansive and exposed,” they say. “Each of the winning entries was able to avoid the sandboxing mitigations by leveraging vulnerabilities in the underlying OSs.”

Mitigations that isolate access to kernel APIs from sandboxed processes will add hurdles to frustrate future attempts to pop god-mode shells, they say.



US Uses Submarines as Portable Hacking Platforms

The US is exploring the future of cyber-warfare. This may come as a surprise to some, but the US has special submarines that it uses to hack into strategic targets, be they underwater communications cables or the infrastructure of other nations.

This piece of information is not necessarily new since the media had reported on it in 2015, when it was revealed that USS Annapolis is one of the Navy’s special submarines that has cyber-offensive capabilities.

According to documents leaked by Edward Snowden, the Annapolis is a computer network exploitation (CNE) toolkit, a portable hacking platform that spies on any designated target, be it another country’s military troops, its infrastructure, or underwater communications cables.


The Navy’s use of submarines as cyber weapons was confirmed at the start of the month by US Navy Rear Admiral Michael E. Jabaley, Program Executive Officer for Submarines, and US Navy Rear Admiral Charles A. Richard, Director, Undersea Warfare Division (N97), both speaking at a conference in Washington (video below, past 50:00).

“There is an offensive capability that we prize very highly, and this is where I can’t talk about much, but suffice to say that we have submarines out on the frontlines that are very involved at the highest technical level with doing exactly the kind of things that you would want them to do,” Rear Admiral Jabaley said.


It may not be much information, but we never expected a US general to be a loud-mouth about his country’s secret cyber-missions.

Submarines can intercept and tamper with unencrypted traffic

In a piece published on Saturday, the Washington Post reveals that US submarines are equipped with powerful antennas that are capable of intercepting and even manipulating other people’s communications, especially unencrypted traffic.

The USS Annapolis still plays a major role in these operations, the publication reveals.

Future plans see the US expanding the cyber capabilities of its submarines with drones, in order to broaden the sub’s reach even further whenever needed.

Something similar is also under development by the US Air Force, who started testing modified EC-130 airplanes as portable hacking platforms last fall.


South Korea accuses North Korea of massive data breach affecting 10 million online shoppers

Authorities in South Korea are blaming hackers from North Korea for a massive data breach affecting 10 million Interpark online shoppers.

North Korea has launched a new cyber attack against the South, according to the government in Seoul: a massive data breach exposed data belonging to an Internet shopping mall.

This week, authorities in South Korea accused the North of having compromised the website of the Interpark internet shopping mall, exposing personal data of more than 10 million online shoppers.

South Korea’s National Police Agency published an official statement accusing North Korea’s General Bureau of Reconnaissance of the hack.

Interpark’s IT staff confirmed the incident; the company discovered the attack on July 11, when the hackers demanded 3 billion won worth of Bitcoin.

“On July 11, Interpark became aware that some of our users’ information had been stolen by a hacker group through an advanced persistent threat attack, and reported the hack to the police the next day,” said an official statement on the company’s website.

The authorities believe that the company’s servers were breached in May by an “advanced persistent threat attack”; the company alerted authorities the following day.

“The hackers first gained access to an employee’s computer, and identified email patterns that were familiar to the employee before sending an email that contained the malware [and] opening a back door, which is why the employee was fooled,” a spokesperson told the Korea Herald.

The hackers remained inside Interpark’s systems for a long time, continuously stealing data.


Why North Korea?

The South Korean police discovered that the addresses involved in the attack are linked to Pyongyang.

“Following an investigation, the National Police Agency said in a statement Thursday that IP addresses involved in the hack as well as the specific language used by the attackers suggests North Korean spies were responsible.”



Two Vulnerabilities Affect LastPass, Both Allow Full Password Compromise

LastPass has fixed one and is currently fixing the second. July 27, 2016, will not be remembered as a quiet day for the LastPass team, as two vulnerabilities surfaced online that could allow an attacker to compromise their application.

The first one is an issue discovered by Mathias Karlsson of Detectify. The researcher explains in a blog post that the problem resided in the JavaScript code that parsed the URL of the page LastPass was working on.

LastPass could be tricked into spewing out credentials for other sites

He discovered that by tricking a user into accessing a URL in the form of, the LastPass URL parsing function would be fooled into thinking it was on the site, instead of

Because LastPass comes with an auto-fill function, the application would have pre-filled any login forms on that page with the user’s credentials.

If the attacker ran JavaScript code on that site that automatically parsed and recorded any text filled in the login forms, he would have been able to extract the user’s credentials.
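The bug class described above, as an added example that is not LastPass's or Detectify's code: a hand-rolled URL matcher of the kind a browser extension might use to decide which site it is on, beside a check that keys autofill off the browser's own URL parser. The naive matcher, the autofill policy (exact hostname match over https) and the sample URLs are constructed for illustration; the exact URL shape Karlsson reported is not on this page and is not reproduced here, so the '@' userinfo case shown stands in for the general class of parser confusion.

```javascript
// Added example (not LastPass's or Detectify's code). Sample URLs are constructed.

// Naive matcher: grabs the first hostname-looking run after the scheme and
// assumes that is the site. It stops at '@', so userinfo in the URL is
// mistaken for the host. (Constructed illustration of the bug class.)
function naiveSiteFromUrl(url) {
  const m = /^https?:\/\/([a-z0-9.-]+)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Strict version: let the WHATWG URL parser decide what the host is, and
// refuse anything that is not plain http(s).
function strictSiteFromUrl(url) {
  let parsed;
  try {
    parsed = new URL(url); // throws on unparseable input
  } catch (e) {
    return null;
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return null;
  return parsed.hostname.toLowerCase();
}

// Autofill policy (assumed for this example): fill only when the parsed
// hostname equals the host the credential was saved for, and only over https.
function shouldAutofill(pageUrl, savedHost) {
  let parsed;
  try {
    parsed = new URL(pageUrl);
  } catch (e) {
    return false;
  }
  if (parsed.protocol !== "https:") return false;
  return parsed.hostname.toLowerCase() === savedHost.toLowerCase();
}

// Constructed sample: the saved credential is for bank.example, but the page
// actually lives on attacker.example; "bank.example" is only the URL's userinfo.
const SAMPLE_PAGE = "https://bank.example@attacker.example/login";
console.log(naiveSiteFromUrl(SAMPLE_PAGE));              // bank.example (wrong)
console.log(strictSiteFromUrl(SAMPLE_PAGE));             // attacker.example
console.log(shouldAutofill(SAMPLE_PAGE, "bank.example")); // false
```

The point of the strict version is not the particular regex it replaces but that the decision is made by the same parser the browser uses to decide where the page actually is, so the extension and the browser cannot disagree about the origin.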

The good news is that Karlsson informed LastPass of the issue a while back, and the dev team fixed the problem on the same day, pushing out an update to their app.

Project Zero researcher finds second bug

However, Karlsson wasn’t the only one who hacked LastPass. Google Project Zero top researcher Tavis Ormandy also discovered an issue that would have led to a complete LastPass compromise.

The bad news is that this issue is not patched in current LastPass versions. The good news is that nobody except Ormandy and the LastPass team knows what this problem is, making it highly improbable for anyone to exploit it.



France Serves Notice to Microsoft on Data Tracking

Paris – France on Wednesday said it had served notice to Microsoft to stop collecting what it deems excessive data and tracking browsing by users without their consent on civil liberty grounds.

The National Data Protection Commission (CNIL) said in a statement that it had given the US computing giant three months to comply with the French Data Protection Act to ensure user data security and confidentiality.

The agency said media and political groups brought the issue to its attention after Microsoft launched its latest Windows 10 operating system a year ago.

CNIL undertook seven “online observations” to determine the extent of the problem and questioned Microsoft Corporation on its privacy policy to see if Windows 10 fully complied with French data protection legislation, the agency said.

Those investigations “revealed many failures” including collection of “irrelevant or excessive (user) data”, the statement said.

CNIL also criticized Microsoft over the four-character PIN that enables users to authenticate access to online services, saying the tech giant failed to limit the number of attempts to enter the correct code, threatening data and personal security.

The agency condemned Windows 10’s use of targeted advertising without first obtaining users’ consent, as well as the operating system’s lack of a way to block cookies.

“The company puts advertising cookies on users’ terminals without properly informing them of this in advance or enabling them to oppose this,” the statement said.

Microsoft is still transferring user data outside the European Union even though the European Court of Justice ruled on privacy grounds in October that the transfer of European citizens’ data to the United States under the obsolete “safe harbor” basis was no longer valid, CNIL said.

Should Microsoft fail to comply with the formal notice, CNIL would draw up a report on Data Protection Act breaches that could result in a fine of 150,000 euros ($165,000), the agency added.

Microsoft said it would cooperate with CNIL to address its concerns.

“We built strong privacy protections into Windows 10, and we welcome feedback as we continually work to enhance those protections,” Microsoft vice president David Heiner said in a statement.

Concerning transfer of data from Europe to the United States, Microsoft relies on a variety of legal mechanisms, in addition to “safe harbor”, he added.

After a legal wrangle over handling web data between Europe and the United States, the European Union earlier this month launched a controversial deal with Washington aimed at curbing government spying on EU citizens’ personal internet data.

A new “Privacy Shield” sets out tough rules to prevent US intelligence agencies from accessing Europeans’ data, with companies facing penalties if they do not meet European standards of protection.

Microsoft will release an updated privacy statement next month that will say it intends to adopt the Privacy Shield, the company said.




Apple fixed dozens of vulnerabilities in its software on Monday, including 60 vulnerabilities in its operating system, OS X, and 43 in its mobile operating system, iOS. The OS X update graduates the desktop and server operating system to OS X El Capitan v10.11.6 and applies to anyone running OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, or OS X El Capitan v10.11. The updates mostly fix a number of glitches and bugs under the hood of the OS. As usual, the bulk of them apply to software libraries like OpenSSL, LibreSSL, and libxml2. Apple updated each library to its most recent version to mitigate the issues. Meanwhile, 21 of the vulnerabilities could lead to arbitrary code execution, six with kernel privileges, and two could go on to lead to the compromise of user information. Seven vulnerabilities – each one of them dug up by Ke Liu of Tencent’s Xuanwu Lab – exist in QuickTime. The bugs mostly stem from memory corruption issues and could allow malicious images to trigger code execution. A nasty issue in libc++abi, a C++ runtime support library, was patched that could have allowed an app to execute arbitrary code with root privileges.


The update also fixed an issue with Safari’s Login Autofill feature that could have revealed a user’s password on screen. An interesting bug involving FaceTime was fixed in both OS X and iOS that could have allowed an attacker in a privileged network position to get a relayed call to continue transmitting audio by tricking a user into thinking the call had been terminated. According to Apple’s advisory, “user interface inconsistencies” existed when FaceTime was handling relayed calls. Apple claims it fixed the issue through improved display logic. Martin Vigo, a security engineer who spoke at Black Hat Europe last year, discovered the vulnerability. He acknowledged via Twitter on Monday that he hasn’t publicly disclosed details around the bug yet because there are “other related vulns” in FaceTime that still need to be fixed by Apple.


The iOS update, iOS 9.3.3, fixes 43 vulnerabilities, including a bug in the Calendar app that could have been leveraged to cause a device to unexpectedly restart. Henry Feldman, an Assistant Professor of Medicine at Beth Israel Deaconess Medical Center, who also runs the software development team for the hospital’s Division of Clinical Informatics, discovered that the bug could be triggered by a malicious calendar invite. Bugs that affect Siri have been a dime a dozen since the personal assistant’s inception. The latest, discovered by a researcher in Portugal, could have allowed anyone with physical access to someone’s device to see private contact information. Apple fixed the issue, which stemmed from the way Siri handles Contact cards, through what it calls improved state management. Aside from the Calendar app bug and the Siri bug, most of the iOS bugs, 12 in total, affect WebKit and could result in the exfiltration of data cross-origin, script execution, interface spoofing, and the disclosure of process memory, to name a few outcomes. As WebKit is the web browser engine used by Safari, the same 12 bugs fixed in the iOS update are also fixed by the Safari update, which updates the browser to version 9.1.2. As it usually does, Apple used the opportunity to release updates for both its watchOS and tvOS operating systems, along with iTunes. The iTunes update only applies to Windows 7 users and updates the media player to version 12.4.2. The updates are likely some of the last both OS X and iOS will receive in the near future, as the company has its hands full readying new versions, iOS 10 and macOS Sierra, for release later this fall. Apple released the third beta of both iOS 10 and macOS Sierra to developers and public beta testers on Monday as well. Apple announced both operating systems in June at its Worldwide Developers Conference in San Francisco. macOS in particular is expected to include updates to Gatekeeper, and a new file system that includes native support for encryption.

