CyberSecurity Pulse 2017-05-1
“In the middle of difficulty lies opportunity.”
FBI Obtained Warrant Under Rule 41 to Take Down Kelihos Botnet
This was not the first time that the government has gained permission from a federal court to jump in and clean infected computers worldwide. To dismantle Gameover Zeus, once considered the most damaging botnet, the US obtained civil and criminal court orders in federal court in Pittsburgh that authorized "measures to redirect the automated requests by victim computers for additional instructions away from the criminal operators to substitute servers," as well as "to collect dialing, routing, addressing and signaling ("DRAS") information from the infected computers," Justice Department officials said at the time in 2014.
For Kelihos, the feds needed stronger legal standing to free the hostage computers because of the P2P nature of the infection, which demanded more "active measures," according to John Bambenek, a manager at Fidelis Cybersecurity who is helping with the botnet cleanup. The FBI "had to infect machines," convert them into so-called supernodes that distribute connection lists to other victimized computers, and then "poison" all the computers so they would never again try to communicate with hacker-controlled devices, said Bambenek, who also assisted on the 2014 Gameover Zeus cleansing operation.
Despite the benefits these procedures offer law enforcement agencies, others, like the Electronic Frontier Foundation, are more skeptical. "Often, the feds use uncertainty as an excuse, or cover, for not getting a warrant", EFF staff attorney Andrew Crocker said. This time, "the government was proceeding with a lot more caution than in some of the other cases". He pointed to the government's warrantless use of secretive cellphone "Stingray" tracking equipment, which continued for many years until the Justice Department released a seven-page legal use policy in 2015. This case is a positive step toward accountability and transparency in FBI computer break-ins.
Wikileaks Revealed the Scribbles Tool Used By the CIA to Mark Documents and Track Whistleblowers
Scribbles is software allegedly developed to embed "web beacon" tags into confidential documents in order to track whistleblowers and foreign spies. Wikileaks has leaked the Scribbles documentation and its source code. The latest released version of Scribbles (v1.0 RC1) is dated March 1, 2016, which suggests it was used until at least last year. According to the documents leaked by Wikileaks, Scribbles is "a document-watermarking preprocessing system to embed 'Web beacon'-style tags into documents that are likely to be copied by insiders, whistleblowers, journalists or others". The Scribbles software was written in the C# programming language and generates a random watermark that is inserted into each document. Unfortunately for the CIA agents, Scribbles only works with Microsoft Office. According to the user manual, the tool was developed for off-line preprocessing of Microsoft Office documents, which means that if the watermarked documents are opened in any other application, such as OpenOffice or LibreOffice, they may reveal the watermarks and URLs to the user.
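A web-beacon-style watermark has to make the document fetch something from a remote server when it is opened, and in OOXML packages the usual place such a reference lives is an externally-targeted relationship (for example a linked image). The following Python scanner, added here as an illustration and not part of the Scribbles leak or any real tool, lists every `.rels` relationship with `TargetMode="External"` that points at a network URL; the sample package and the beacon URL it builds are constructed for the example, and the exact mechanism Scribbles used is an assumption.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Standard OOXML package-relationships namespace (.docx/.xlsx/.pptx)
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def find_external_refs(docx_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (relationship part, URL) for every relationship whose target
    lies outside the package and is a network URL. Such links make the
    viewer fetch a remote resource on open, which is how a beacon reports
    that (and from where) a copy of the document was opened."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                if re.match(r"^(https?|ftp)://", target, re.I):
                    hits.append((name, target))
    return hits


def build_sample_docx(beacon_url: Optional[str]) -> bytes:
    """Constructed minimal package with just the parts the scanner reads.
    beacon_url=None produces a clean document for comparison."""
    rels = ['<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/styles" Target="styles.xml"/>']
    if beacon_url:  # linked (not embedded) image: fetched on every open
        rels.append('<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/'
                    'officeDocument/2006/relationships/image" Target="%s" '
                    'TargetMode="External"/>' % beacon_url)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels",
                    '<Relationships xmlns="%s">%s</Relationships>' % (REL_NS, "".join(rels)))
    return buf.getvalue()


if __name__ == "__main__":
    marked = build_sample_docx("http://beacon.example.invalid/t/abc123.png")  # constructed
    for part, url in find_external_refs(marked):
        print("external reference in %s: %s" % (part, url))
```

Run against a real document, a non-empty result is a reason to inspect the file offline (or in a viewer with remote content disabled) before opening it normally.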
China Launching Digital Attacks to Stop South Korea's Deployment of Missile Defense System
Chinese government officials have been very vocal in their opposition to the deployment of the Terminal High-Altitude Air Defense (THAAD) system in South Korea, raising concerns that the anti-ballistic missile system's sensitive radar sensors could be used for espionage. According to researchers at the information security firm FireEye, Chinese hackers have turned objection into action by targeting South Korean military, government, and defense industry networks with an increasing number of cyberattacks. Those attacks included a denial of service attack against the website of South Korea's Ministry of Foreign Affairs, which the South Korean government says originated from China. FireEye's director of cyberespionage analysis John Hultquist told the Wall Street Journal that FireEye had detected a surge in attacks against South Korean targets from China since February, when South Korea announced it would deploy THAAD in response to North Korean missile tests. The espionage attempts have focused on organizations associated with the THAAD deployment. They have included spear-phishing e-mails carrying malware-laden attachments, along with watering hole attacks that planted exploit code on websites frequented by military, government, and defense industry officials in order to download malware onto their machines.
Rest of the Week's News
Poorly Designed Apps Leave Millions of Phones at Risk of Open Port Attack
A group of security researchers from the University of Michigan discovered a security hole in hundreds of applications in the Google Play Store that could be exploited by hackers to steal data from, and even deliver malicious code to, millions of Android devices. The issue affects all applications that open ports and don't properly manage them because of insecure coding practices by the development teams. Mobile applications usually open ports to allow communication with other entities, for example to exchange data with a web service. Clearly these ports are a potential entry point for hackers when a vulnerability such as an authentication flaw, a buffer overflow, or a remote code execution issue is present.
Location Tracking Spyware Hid in App in Google Play Store
The Google Play Store has removed an app called System Update that was harboring spyware. The app, which had been available in the Google Play store since 2014, claimed to ensure users got the latest Android operating system updates, but actually contained malware known as SMSVova that can track a user's location and send it to a third party. The app containing the malware had been downloaded between one million and five million times before it was removed.
Facebook Releases SDKs for Delegated Account Recovery Protocol
Facebook is sharing the code for a beta version of its Delegated Account Recovery protocol. The feature will allow third-party applications to let users reset account passwords by proving their identity to Facebook instead of answering security questions or receiving a password reset link in a text or email.