CyberSecurity Pulse 2017-05-1

“In the middle of difficulty lies opportunity.”
Albert Einstein

Analyst Insight

FBI Obtained Warrant Under Rule 41 to Take Down Kelihos Botnet

On April 5, Deborah M. Smith, chief magistrate judge of the US District Court in Alaska, authorized the FBI to hack into the computers of thousands of victims in a bid to free them from the global botnet named Kelihos. The FBI sought the 30-day warrant under a new procedural rule change that took effect in December, amid worries among privacy advocates that the update would open a new door for government abuse. This first use of the amended Rule 41 of the Federal Rules of Criminal Procedure has also raised fears about how the feds could use these new powers for more than just killing a botnet.

Still, this was not the first time the government has obtained permission from a federal court to jump in and clean infected computers worldwide. To dismantle Gameover Zeus, once considered the most damaging botnet, the US obtained civil and criminal court orders in federal court in Pittsburgh that authorized "measures to redirect the automated requests by victim computers for additional instructions away from the criminal operators to substitute servers," as well as "to collect dialing, routing, addressing and signaling ("DRAS") information from the infected computers," Justice Department officials said at the time in 2014.

For Kelihos, the feds needed stronger legal standing to free the hostage computers because of the P2P nature of the infection, which demanded more "active measures," as John Bambenek, a manager at Fidelis Cybersecurity who is helping with the botnet cleanup, put it. The FBI "had to infect machines," convert them into so-called supernodes that distribute connection lists to other victimized computers, and then "poison" all the computers so they would never again try to communicate with hacker-controlled devices, said Bambenek, who also assisted in the 2014 Gameover Zeus cleansing operation.

In spite of the benefits these procedures bring to law enforcement agencies, others, like the Electronic Frontier Foundation, are more skeptical. "Often, the feds use uncertainty as an excuse, or cover, for not getting a warrant," EFF staff attorney Andrew Crocker said. This time, "the government was proceeding with a lot more caution than in some of the other cases." He pointed to the government's warrantless use of secretive cellphone "Stingray" tracking equipment, which continued for many years until the Justice Department released a seven-page legal use policy in 2015. This case is a positive step toward accountability and transparency in FBI computer break-ins.

» More information at Ars Technica

Top Stories

Wikileaks Revealed the Scribbles Tool Used By the CIA to Mark Documents and Track Whistleblowers

Scribbles is software allegedly developed to embed "web beacon" tags into confidential documents in order to track whistleblowers and foreign spies. Wikileaks has leaked the Scribbles documentation and its source code; the latest released version (v1.0 RC1) is dated March 1, 2016, which suggests it was used until at least last year. According to the documents leaked by Wikileaks, Scribbles is "a document-watermarking preprocessing system to embed 'Web beacon'-style tags into documents that are likely to be copied by insiders, whistleblowers, journalists or others". The Scribbles software was written in C# and generates a random watermark that is inserted into each document. Unfortunately for the CIA, Scribbles only works with Microsoft Office. According to the user manual, the tool was developed for off-line preprocessing of Microsoft Office documents, which means that if a watermarked document is opened in any other application, such as OpenOffice or LibreOffice, it may reveal the watermarks and URLs to the user.
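As an added illustration (not from the newsletter, and not Scribbles' own code or format), here is a check a defender can run over documents before they leave the organisation: it unpacks a .docx and lists every relationship whose target is an external http(s) URL, the general mechanism a "web beacon"-style watermark relies on to phone home when Word resolves the part. The sample document and the beacon URL are constructed for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
IMAGE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
HTTP_RE = re.compile(r"^https?://", re.IGNORECASE)


def find_external_targets(docx_bytes):
    """Scan every .rels part of a .docx for relationships that point at an
    http(s) URL. Word fetches such parts (remote images, templates, frames)
    when the document is opened, which is what a web-beacon watermark
    needs. Returns a list of (part name, relationship type, target URL)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and HTTP_RE.match(target):
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((name, rel_type, target))
    return findings


def build_sample_docx(beacon_url=None):
    """Constructed sample: a minimal .docx with one picture. With beacon_url the
    picture is an external relationship (a beacon); without it the picture is
    an ordinary embedded part, as in a clean document."""
    if beacon_url:
        rel = ('<Relationship Id="rId1" Type="%s" Target="%s" '
               'TargetMode="External"/>' % (IMAGE_REL, beacon_url))
    else:
        rel = '<Relationship Id="rId1" Type="%s" Target="media/image1.png"/>' % IMAGE_REL
    rels = '<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="%s">%s</Relationships>' % (REL_NS, rel)
    document = ('<?xml version="1.0" encoding="UTF-8"?>'
                '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                '<w:body><w:p><w:r><w:t>Confidential</w:t></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for part, rel_type, url in find_external_targets(build_sample_docx("http://beacon.example.invalid/w.png")):
        print("external %s relationship in %s -> %s" % (rel_type, part, url))
```

The same scan applies to .xlsx and .pptx, since all three are OPC zip packages with the same relationship schema.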

» More information at Security Affairs

China Launching Digital Attacks to Stop South Korea's Deployment of Missile Defense System

Chinese government officials have been very vocal in their opposition to the deployment of the Terminal High-Altitude Air Defense (THAAD) system in South Korea, raising concerns that the anti-ballistic missile system's sensitive radar sensors could be used for espionage. According to researchers at the information security firm FireEye, Chinese hackers have turned objection into action by targeting South Korean military, government, and defense industry networks with an increasing number of cyberattacks. Those attacks included a denial of service attack against the website of South Korea's Ministry of Foreign Affairs, which the South Korean government says originated from China. FireEye's director of cyberespionage analysis, John Hultquist, told the Wall Street Journal that FireEye had detected a surge in attacks against South Korean targets from China since February, when South Korea announced it would deploy THAAD in response to North Korean missile tests. The espionage attempts have focused on organizations associated with the THAAD deployment. They have included spear-phishing e-mails carrying malware-laden attachments, along with watering hole attacks that plant exploit code on websites frequented by military, government, and defense industry officials in order to download malware onto their machines.

» More information at Ars Technica

Rest of the Week's News

Poorly Designed Apps Leave Millions of Phones at Risk of Open Port Attack

A group of security researchers from the University of Michigan discovered a security hole in hundreds of applications in the Google Play Store that could be exploited by hackers to steal data from, and even deliver malicious code to, millions of Android devices. The issue affects all applications that open network ports and fail to manage them properly because of insecure coding practices by their development teams. Mobile applications usually open ports to communicate with other entities, for example to exchange data with a web service. Such ports are a potential entry point for attackers whenever the listening code has a vulnerability such as an authentication flaw, a buffer overflow, or a remote code execution issue.

» More information at Security Affairs

Location Tracking Spyware Hid in App in Google Play Store

The Google Play Store has removed an app called System Update that was harboring spyware. The app that had been available in the Google Play store since 2014 claimed to ensure users got the latest Android operating system updates, but actually contained malware known as SMSVova that can track a user's location and send it to a third party. The app containing malware had been downloaded between one million and five million times before it was removed.

» More information at SC Magazine

Facebook Releases SDKs for Delegated Account Recovery Protocol

Facebook is sharing the code for a beta version of its Delegated Account Recovery protocol. The feature will allow third-party applications to let users reset account passwords by proving their identity to Facebook instead of answering security questions or receiving a password reset link in a text or email.

» More information at Facebook

Further Reading

US Air Force Bug Bounty Program

» More information at Dark Reading

Mysterious Hajime Botnet Has Pwned 300,000 IoT Devices

» More information at The Register

Hacker Leaks Episodes From Netflix Show and Threatens Other Networks

» More information at The New York Times