25 million Android devices hijacked by ‘Agent Smith’ malware

Agent Smith, a newly discovered and rampant form of malware, has taken over more than 25 million Android devices.

Security researchers have released new information about a form of malware called ‘Agent Smith’ that has hijacked over 25 million Android devices. The security firm Check Point recently published a press release detailing the malware: once installed, it looks for common apps on the device and replaces them with malicious versions of them. The apps infected by Agent Smith then display fraudulent ads designed for financial gain.

According to Check Point’s Head of Mobile Threat Detection Research, Jonathan Shimonovich, “The malware attacks user-installed applications silently, making it challenging for common Android users to combat such threats on their own.” At the moment, most of the infected devices are located in India and surrounding countries, as the malware is distributed through 9Apps, a third-party app store that is popular within those countries.

The origins of the malware have been linked back to China. According to the researchers, the developers also attempted to get infected apps onto the Google Play Store and successfully managed to publish 11 apps there. Since the discovery of Agent Smith, Google has removed these apps.

Jonathan Shimonovich gave a statement on the malware, saying: “This application was as malicious as they come. Combining advanced threat prevention and threat intelligence while adopting a ‘hygiene first’ approach to safeguard digital assets is the best protection against invasive mobile malware attacks like Agent Smith. In addition, users should only be downloading apps from trusted app stores to mitigate the risk of infection as third-party app stores often lack the security measures required to block adware loaded apps.”

Read more: https://www.tweaktown.com/news/66572/25-million-android-devices-hijacked-agent-smith-malware/index.html

Hackers steal secret crypto keys for NordVPN. Here’s what we know so far

Breach happened 19 months ago. Popular VPN service is only disclosing it now.

Hackers breached a server used by popular virtual private network provider NordVPN and stole encryption keys that could be used to mount decryption attacks on segments of its customer base.

A log of the commands used in the attack suggests that the hackers had root access, meaning they had almost unfettered control over the server and could read or modify just about any data stored on it. One of the three private keys leaked was used to secure a digital certificate that provided HTTPS encryption for nordvpn.com. The key wasn’t set to expire until October 2018, some seven months after the March 2018 breach. Attackers could have used the compromised certificate to impersonate the nordvpn.com website or mount man-in-the-middle attacks on people visiting the real one. Details of the breach have been circulating online since at least May 2018.

Based on the command log, another of the leaked secret keys appeared to secure a private certificate authority that NordVPN used to issue digital certificates. Those certificates might be issued for other servers in NordVPN’s network or for a variety of other sensitive purposes. The name of the third certificate suggested it could also have been used for many different sensitive purposes, including securing the server that was compromised in the breach.

The revelations came as evidence surfaced suggesting that two rival VPN services, TorGuard and VikingVPN, also experienced breaches that leaked encryption keys. In a statement, TorGuard said a secret key for a transport layer security certificate for *.torguardvpnaccess.com was stolen. The theft happened in a 2017 server breach. The stolen data related to a squid proxy certificate.

TorGuard officials said on Twitter that the private key was not on the affected server and that attackers “could do nothing with those keys.” Monday’s statement went on to say TorGuard didn’t remove the compromised server until early 2018. TorGuard also said it learned of VPN breaches last May, “and in a related development we filed a legal complaint against NordVPN.”

VikingVPN officials have yet to comment.

Serious concerns

One of those keys expired on December 31, 2018, and the other went to its grave on July 10 of the same year, a company spokeswoman told me. She didn’t say what the purpose of those keys was. A cryptography feature known as perfect forward secrecy ensured that attackers couldn’t decrypt traffic simply by capturing encrypted packets as they traveled over the Internet. The keys, however, could still have been used in active attacks, in which hackers use leaked keys on their own server to intercept and decrypt data.

It was unclear how long the attackers remained present on the server or if they were able to use their highly privileged access to commit other serious offenses. Security experts said the severity of the server compromise—coupled with the theft of the keys and the lack of details from NordVPN—raised serious concerns.

Here is some of what Dan Guido, who is the CEO of security firm Trail of Bits, told me:

Compromised master secrets, like those stolen from NordVPN, can be used to decrypt the window between key renegotiations and impersonate their service to others… I don’t care what was leaked as much as the access that would have been required to reach it. We don’t know what happened, what further access was gained, or what abuse may have occurred. There are many possibilities once you have access to these types of master secrets and root server access.

Insecure remote management

In a statement issued to reporters, NordVPN officials characterized the damage that was done in the attack as limited.

Officials wrote:

The server itself did not contain any user activity logs… None of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either. The exact configuration file found on the internet by security researchers ceased to exist on March 5, 2018. This was an isolated case, no other datacenter providers we use have been affected.

The breach was the result of hackers exploiting an insecure remote-management system that administrators of a Finland-based datacenter installed on a server NordVPN leased. The unnamed datacenter, the statement said, installed the vulnerable management system without ever disclosing it to NordVPN. NordVPN terminated its contract with the datacenter after the remote management system came to light a few months later.

NordVPN first disclosed the breach to reporters on Sunday following third-party reports like this one on Twitter. The statement said NordVPN officials didn’t disclose the breach to customers while it ensured the rest of its network wasn’t vulnerable to similar attacks.

The statement went on to refer to the TLS key as expired, even though it was valid for seven months following the breach. Company officials wrote:

The expired TLS key was taken at the same time the datacenter was exploited. However, the key couldn’t possibly have been used to decrypt the VPN traffic of any other server. On the same note, the only possible way to abuse the website traffic was by performing a personalized and complicated MiTM attack to intercept a single connection that tried to access nordvpn.com.

Not as hard as claimed

The suggestion that active man-in-the-middle attacks are complicated or impractical to carry out is problematic. Such attacks can be carried out on public networks or by employees of Internet services. They are precisely the type of attacks that VPNs are supposed to protect against.

“Intercepting TLS traffic isn’t as hard as they make it seem,” said a security consultant who uses the handle hexdefined and has spent the past 36 hours analyzing the data exposed in the breach. “There are tools to do it, and I was able to set up a Web server using their TLS key with two lines of configuration. The attacker would need to be able to intercept the victim’s traffic (e.g. on public Wi-Fi).”

[Image] A cryptographically-impersonated site using NordVPN’s stolen TLS key. (Credit: hexdefined)

Note also that the statement says only that the expired TLS key couldn’t have been used to decrypt VPN traffic of any other server. The statement makes no mention of the other two keys and what type of access they allowed. The compromise of a private certificate authority could be especially severe because it might allow the attackers to compromise multiple keys that are generated by the CA.

Putting all your eggs in one basket

VPNs put all of a computer’s Internet traffic into a single encrypted tunnel that’s only decrypted and sent to its final destination after it reaches one of the provider’s servers. That puts the VPN provider in the position of seeing huge amounts of its customers’ online habits and metadata, including server IP addresses, SNI information, and any traffic that isn’t encrypted.

The VPN provider has received recommendations and favorable reviews from CNET, TechRadar, and PCMag. But not everyone has been so sanguine. Kenneth White, a senior network engineer specializing in VPNs, has long listed NordVPN and TorGuard as two of the VPNs to reject because, among other things, they post pre-shared keys online.

Until more information is available, it’s hard to say precisely how people who use NordVPN should respond. At a minimum, users should press NordVPN to provide many more details about the breach and the keys and any other data that were leaked. Kenneth White, meanwhile, suggested people move off the service altogether.

“I have recommended against most consumer VPN services for years, including NordVPN,” he told me. “[The services’] incident response and attempted PR spin here has only enforced that opinion. They have recklessly put activists lives at risk in the process. They are downplaying the seriousness of an incident they didn’t even detect, in which attackers had unfettered admin LXC ‘god mode’ access. And they only notified customers when reporters reached out to them for comment.”

Source: https://arstechnica.com/information-technology/2019/10/hackers-steal-secret-crypto-keys-for-nordvpn-heres-what-we-know-so-far/

Samsung: Anyone’s thumbprint can unlock Galaxy S10 phone

A flaw that means any fingerprint can unlock a Galaxy S10 phone has been acknowledged by Samsung. It promised a software patch that would fix the problem.

The issue was spotted by a British woman whose husband was able to unlock her phone with his thumbprint just by adding a cheap screen protector.

When the S10 was launched, in March, Samsung described the fingerprint authentication system as “revolutionary”.

Air gap

The scanner sends ultrasonic pulses to detect the 3D ridges of a fingerprint in order to recognise users.

Samsung said it was “aware of the case of S10’s malfunctioning fingerprint recognition and will soon issue a software patch”.

South Korea’s online-only KaKao Bank told customers to switch off the fingerprint-recognition option to log in to its services until the issue was fixed.

Previous reports suggested some screen protectors were incompatible with Samsung’s reader because they left a small air gap that interfered with the scanning.

Thumb print

The British couple who discovered the security issue told the Sun newspaper it was a “real concern”.

After buying a £2.70 gel screen protector on eBay, Lisa Neilson found her left thumbprint, which was not registered, could unlock the phone.

She then asked her husband to try and both his thumbs also unlocked it.

And when the screen protector was added to another relative’s phone, the same thing happened.

Source: https://www.bbc.com/news/technology-50080586

Without Naming Huawei, E.U. Warns Against 5G Firms From ‘Hostile’ Powers

A 5G supplier from a “hostile” country could be forced by its home government to wreak havoc by causing cyberattacks, a European Union report warned on Wednesday, but the bloc stopped short of naming the Chinese giant Huawei, which the United States blacklisted after the White House labeled it a tool for espionage by Beijing.

The advisory report, drafted with input from all 28 European Union members, laid out the types of major security failures that 5G networks could be vulnerable to.

It said that putting all functions of a 5G network — including hardware and software, operations and maintenance — in the hands of a single company could leave entire countries at risk.

In May, the United States Commerce Department put Huawei on a so-called entity list of firms that need special permission to buy American components and technology because they have been deemed security threats.

President Trump has called on the European Union to follow his lead in barring the company from its market.

The European Union report, intended to provide advice to member states, said a “strong link” between a 5G technology supplier and a government “where there are no legislative or democratic checks and balances in place” could prove a major source of vulnerability.

The language appears to point to Huawei. The company has vehemently denied all allegations of being under the control of the Chinese government, stressing that it is owned by its employees and that only about 1 percent of the company is held by its founder.

In a statement that brushed aside any implied criticism, Huawei said it welcomed the report and would “work with European partners” to develop a cybersecurity framework “and deliver safe and fast connectivity for Europe’s future needs.”

The idea behind 5G, a major leap from the 3G and 4G telecommunications technology used currently, is that it will become ubiquitous, connecting almost everything, from defense systems to domestic devices like refrigerators and coffee machines, to an ultrafast wireless network.

Huawei is thought to be ahead of other 5G equipment providers around the world, including European Union companies such as Ericsson and Nokia, in being able to install networks. Also, it has traditionally been a cheaper provider of technology.

Mr. Trump and other critics contend that a 2017 Chinese law could be used to force Huawei to hack its customers through preinstalled “back doors” into the network’s software, on behalf of Beijing.

The European report sounded some related concerns. “In particular, as 5G networks will be largely based on software, major security flaws, such as those deriving from poor software development processes within equipment suppliers, could make it easier for actors to maliciously insert intentional back doors into products and make them also harder to detect,” it found.

Abraham Liu, Huawei’s vice president for Europe, has said his company does not and will not use back doors to spy on customers.

“In the past, we have never planted any back door, and we are committed not to do anything like this, forced by any government, including U.S. government, Chinese government or any other government. We are committed to this,” he said in a recent interview.

The report presented on Wednesday could pave the way for the European Commission, the executive arm of the European Union, to recommend that its member states take additional security measures when procuring 5G networks.

The commission is expected to publish a “toolbox” of measures that countries can take to mitigate the risks, but it can’t force them to comply. Officials hope that by publicizing the risks and proposing ways to address them, countries that take a lax approach to security will be pushed into action by their citizens.

But when it comes to Huawei, neither the European Commission nor the majority of national cybersecurity agencies in member states have shown much interest in complying with Mr. Trump’s demand that they bar it.

In part, this is down to practical concerns.

No single company, experts say, will be able to handle all the demand for 5G work once network operators begin making the transition. Therefore, unless Huawei is barred from the European Union or by individual countries, it will most likely play some part in the Continent’s 5G future.

And in Europe, Huawei already has a deep and long presence in countries like Britain and Germany, which other nations look to for expertise and guidance.

A Nokia spokesman said that “it is vital that all parties commit to the highest levels of security and resilience of 5G networks, and realize that 5G will only deliver on its promise if the networks that underpin it are and remain secure.”

“There can be no exceptions,” he added.

Source: https://www.nytimes.com/2019/10/09/world/europe/eu-huawei-report.html
