Inappropriate Ads Found In Some Game Apps for Kids

Normally, Google’s robust series of checks and audits are pretty good at catching malicious code and preventing it from making its way to the Play Store. Sometimes, however, something slips through anyway despite the company’s best efforts. This latest one is particularly bad.

Researchers from Check Point have identified a new strain of malware called “AdultSwine” lurking in more than sixty gaming apps on the Play Store. Each of these apps has been downloaded between 3 million and 7 million times, which gives us approximately 150 million infected devices.

As the name suggests, the malware primarily displays ads from the web that are of an adult nature, and often overtly pornographic. It also attempts to trick unsuspecting users into installing additional malware that masquerades as “security apps.”

An analysis of the code reveals it to be highly flexible, allowing the authors to easily begin collecting all kinds of information about the owner of any infected device. This makes identity theft a real possibility if the hackers were inclined to do so.

The most disturbing element of all this is that the malware seems heavily focused on apps and games designed for children. So if you’re a parent, it pays to check the apps that are installed on your child’s phone. What seems at first glance to be a harmless game could actually be displaying pornographic advertising while they’re playing.

The Check Point researchers had this to say about the discovery:

“Although for now this malicious app seems to be a nasty nuisance, and most certainly damaging on both an emotional and financial level, it nevertheless also has a potentially much wider range of malicious activities that it can pursue, all relying on the same common concept. Indeed, these plots continue to be effective even today, especially when they originate in apps downloaded from trusted sources such as Google Play.”

Just to be safe, double check the apps on your child’s phone!

Intel Chips Face Another Possible Vulnerability

Intel’s year isn’t getting off to a very good start. Just after the discovery of a pair of critical vulnerabilities that have been in their chipsets for more than a decade comes the discovery of yet another serious flaw that could impact millions of laptops around the world.

A Finnish data security firm called “F-Secure” just reported an issue with Intel’s Active Management Technology (AMT) that could allow a hacker to completely bypass the machine’s normal login procedure and take control of the target device in under a minute.

AMT is an admin-level feature that allows organizations to control and manage large numbers of PCs and workstations quickly and efficiently from a remote location. To take advantage of the flaw, a hacker would need physical access to the machine, which is its one saving grace. However, if they have that, they can take complete control even if a BIOS password has been set.

While other research teams have discovered AMT vulnerabilities in the past, this one deserves special attention for three reasons:

  • Once in control, the hacker could gain remote access to whatever network the machine is attached to at some later point.
  • It affects almost all Intel laptops, and odds are that if you’re a business owner, there are a number of laptops with Intel chipsets connected to your network.
  • It’s an incredibly easy flaw to exploit, requiring no code whatsoever.

F-Secure researcher Harry Sintonen had this to say about it:

“The attack is almost deceptively simple to enact, but it has incredible destructive potential. In practice, it can give a local attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”

It should be noted that this flaw is in no way related to the Spectre and Meltdown vulnerabilities that have been reported on earlier, giving Intel a trio of nasty problems to deal with right at the start of the new year.

Use Of Bots Has Increased Fake Account Creations

The ThreatMetrix Cybercrime Report 2017 is out, and is a troubling read for anyone who has anything to do with data security.  As a fraud prevention company protecting nearly a billion and a half users around the world, they’re uniquely positioned to know, and their insights on the threat landscape are invaluable.

Their main finding is that hackers, scammers and fraudsters are moving away from using stolen debit and credit cards, given that these things have such a short shelf life.  On the face of it, that sounds like it might be a good thing, until you understand what they’re doing instead.

They’re making use of stolen identity data to create bogus accounts, then applying for lines of credit on their own.  Even worse, they’re taking full advantage of automation to speed the process along.  According to the report, the volume of global fraud attacks is up a mind-blowing 100 percent in just two years, with 700 million incidents reported in 2017 alone.

Bots are coming to play an increasingly important role in the activity of the fraudsters, too.  Once a new, fraudulent account has been created, it’s handed off to a bot to test it and make sure it’s valid, which increases its value on the Dark Web.

How big of a problem are bots on the web these days?

According to the report, ThreatMetrix blocked 1.5 billion bot attacks last year, with some retailers reporting that more than 90% of their daily traffic is comprised of bots.

At the root, what’s driving this behavior are the increasingly common, large-scale data breaches that put up to hundreds of millions of data records into the hands of fraudsters.  Until and unless the flow of data can be stopped, we can expect this type of activity to continue to increase.

No matter how you slice it, 2018 is going to be a very interesting and very busy year.

Mac Computers Battling New Malware For Hijacking DNS

It’s official, the first macOS malware of 2018 is here. Discovered by an independent security researcher and dubbed “OSX/MaMi,” the code is functionally similar to DNSChanger malware.

The researcher posted his findings on the Malwarebytes forum and none other than Patrick Wardle (an ex-NSA hacker) analyzed it, having this to say:

“OSX/MaMi isn’t particularly advanced – but does alter infected systems in rather nasty and persistent ways. By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle’ing traffic (perhaps to steal credentials, or inject ads) or to insert cryptocurrency mining scripts into web pages.”

In addition to that, hooks were found in the software that would eventually allow it to:

  • Upload and download files
  • Execute commands
  • Generate simulated mouse events
  • Take screenshots

And more, although at present, these features are not yet active, which points to the malware as being a piece of code still very much in development.

At present, there are no anti-malware or antivirus programs capable of detecting this new strain. That, of course, will change in short order. However, for the time being, the best way to verify whether or not your machine is infected is to check your DNS settings, either under “System Preferences” or from the Terminal app.

Two values you don’t want to see there are: 82.163.143.135 or 82.163.142.137.
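As an added example (not code from the article, the researcher, or Malwarebytes), this Python script takes the Terminal route: it parses the resolver list printed by `scutil --dns` on macOS and flags the two addresses named above. The `scutil` call and the sample output embedded in it are assumptions, constructed for illustration.

```python
"""Flag the OSX/MaMi DNS indicators in macOS resolver configuration.

Parses `scutil --dns` style text (or any text listing nameservers) and
reports any resolver matching the two addresses from the article.
"""
import re
import shutil
import subprocess
from typing import List

# The two resolver addresses the article associates with OSX/MaMi.
MAMI_DNS_SERVERS = {"82.163.143.135", "82.163.142.137"}

# scutil --dns prints lines like "  nameserver[0] : 82.163.143.135"
_NAMESERVER_RE = re.compile(r"nameserver\[\d+\]\s*:\s*(\S+)")

# Constructed sample of what an infected machine might print (not real output).
CONSTRUCTED_SAMPLE = """DNS configuration

resolver #1
  nameserver[0] : 82.163.143.135
  nameserver[1] : 82.163.142.137
  if_index : 6 (en0)
"""


def parse_nameservers(scutil_output: str) -> List[str]:
    """Extract every nameserver address, in order, from scutil --dns style text."""
    return _NAMESERVER_RE.findall(scutil_output)


def find_mami_indicators(scutil_output: str) -> List[str]:
    """Return the configured resolvers that match the MaMi indicator addresses."""
    return [ns for ns in parse_nameservers(scutil_output) if ns in MAMI_DNS_SERVERS]


def check_live_system() -> List[str]:
    """On macOS, read the real resolver configuration; elsewhere return []."""
    if shutil.which("scutil") is None:  # assumed: scutil exists only on macOS
        return []
    result = subprocess.run(["scutil", "--dns"], capture_output=True, text=True, check=False)
    return find_mami_indicators(result.stdout)


if __name__ == "__main__":
    print("sample indicators:", find_mami_indicators(CONSTRUCTED_SAMPLE))
    hits = check_live_system()
    print("live system indicators:", hits if hits else "none found")
```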

If you’d rather not check manually, Patrick Wardle has created a free, open-source firewall for macOS called “Lulu,” which you can download from GitHub. This program was designed to block suspicious traffic and will prevent OSX/MaMi from stealing anything from your system.

As threats go, this one is relatively minor, but it’s still early in the year, and whoever is behind this piece of code will no doubt be making improvements to it. Stay tuned.

2 Million Credit Cards Stolen From Popular Sandwich Shop

By now, we’ve seen enough large-scale Point of Sale (POS) credit card thefts that patterns are beginning to emerge. Some companies follow the general arc of the narrative better than others, and deserve credit for doing so, but in the end, the story is about the same.

That’s certainly the case with Jason’s Deli. Recently, they discovered RAM-scraping malware on a number of their POS terminals. This has happened at a total of 164 of their locations, scattered across 14 states.

During the seven-month period before the malware was discovered, the company estimates that the credit card payment information of some two million customers was stolen. The data included credit and debit card numbers, expiration dates, the cardholder’s service and verification codes, and the cardholder’s name.

As is the case with most of these incidents, the company immediately contacted law enforcement and hired a third-party firm to assist with the forensic investigation, which is still ongoing.

Jason’s Deli’s handling of the aftermath of the incident has been well above average. However, the bottom line is that unless companies start paying increasing attention to data security, issues like these are going to continue to occur.

As a general rule, hackers prefer to go after the low-hanging fruit. There’s simply more money in attacking soft targets than hard ones. Your company doesn’t need bulletproof security in order to be safe from most hackers; it just has to be better than average. Obviously, though, the better and more robust your digital security is, the safer you will be.

Unfortunately, this painfully obvious lesson seems to be falling on too many deaf ears. Until and unless that changes, we’ll continue reading about incidents like these. It’s costing businesses billions every year. Make sure your company isn’t next on the hackers’ hit list.

Blizzard Games Vulnerability Could Leave Gamers Open To Hacking

Do you play Blizzard online computer games such as World of Warcraft, Diablo III, Hearthstone, Starcraft II, or Overwatch?  If so, there’s a potential problem you need to be aware of.

Tavis Ormandy, a researcher on Google’s Project Zero team, recently discovered that the Blizzard Update Agent is vulnerable to hacking, via a technique known as “DNS Rebinding.”

The update agent is designed to accept commands to install, uninstall, change settings, update and perform other maintenance-related operations. This means it has a lot of power and access to the system you’re playing the game on.

Unfortunately, because the update agent’s command interface (JSON-RPC, listening on port 1120) doesn’t include a validation step to check the identity of the server issuing commands, it’s possible for a hacker to insert themselves into the middle of the process. This includes possibly injecting malicious commands and using the updater to hijack your machine.

Ormandy developed a proof of concept of the attack, and contacted Blizzard when he made the discovery.  The company was receptive for a time, but then suddenly and inexplicably ceased all communication.  Ormandy had this to say regarding the matter:

“Blizzard was replying to emails but stopped communicating on December 22nd.  Blizzard is no longer replying to any enquiries, and it looks like in version 5996, the Agent now has been silently patched with a bizarre solution. Their solution appears to be to query the client command line, get the 32-bit FNV-1a string hash of the exename and then check if it’s in a blacklist.  I proposed they whitelist Hostnames, but apparently that solution was too elegant and simple.  I’m not pleased that Blizzard pushed this patch without notifying me or consulting me on this.”

Since Ormandy went public with his findings, Blizzard has been in contact again, stating that a more robust fix is in the works, one that will adopt the strategy of whitelisting hostnames. Meanwhile, Ormandy is continuing to test the exploit on other online games with a user base of over 100 million to see if others are also vulnerable.  If you’re an online gamer, be aware that you could be leaving the door unlocked for hackers.
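To show what the hostname-whitelisting fix looks like in practice, here is an added example (not Blizzard’s code, and not Ormandy’s proof of concept): a minimal local JSON-RPC-style HTTP agent that refuses any request whose Host header does not name the local machine. A rebinding attack arrives through the browser carrying the attacker’s hostname in Host, so this exact-match allowlist rejects it, whereas the interim executable-name blacklist the quote describes never looks at the request at all. Port 1120 comes from the article; the allowlist contents, function names and handler are assumptions.

```python
"""Hostname allowlist for a local agent exposed to DNS rebinding."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

AGENT_PORT = 1120  # port named in the article
# Assumed allowlist: names a legitimate local client would use; all else refused.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def host_without_port(host_header: Optional[str]) -> Optional[str]:
    """Strip an optional :port from a Host header, keeping IPv6 brackets."""
    if not host_header:
        return None
    h = host_header.strip().lower()
    if h.startswith("["):  # IPv6 literal such as [::1]:1120
        end = h.find("]")
        return h[: end + 1] if end != -1 else None
    return h.split(":", 1)[0]


def is_allowed_host(host_header: Optional[str]) -> bool:
    """True only for an exact match against the local-host allowlist.

    A rebinding request carries the attacker's hostname (which resolves
    to 127.0.0.1 after rebinding) in Host, so it fails this check even
    though the TCP connection genuinely comes from the local machine.
    """
    host = host_without_port(host_header)
    return host is not None and host in ALLOWED_HOSTS


class AgentHandler(BaseHTTPRequestHandler):
    """Checks Host before any command handling; answers 403 on mismatch."""

    def do_POST(self) -> None:
        if not is_allowed_host(self.headers.get("Host")):
            self.send_error(403, "Host header not in allowlist")
            return
        # A real agent would parse and dispatch the JSON-RPC body here.
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(b'{"result":"ok"}')


if __name__ == "__main__":
    # Bind to loopback only; the Host check still matters because a
    # rebinding attack connects from the local browser.
    HTTPServer(("127.0.0.1", AGENT_PORT), AgentHandler).serve_forever()
```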

Windows 10 Privacy Becoming More Transparent In Next Version

All companies collect data on their customers, but some are better than others when it comes to being upfront about what kinds of data are collected.  Over the past year, Microsoft has made many moves that have been well-received by their enormous user base.  They’ve become increasingly transparent and offer an unprecedented level of control to the users themselves.

Last year, the company took its first major step, adding a pre-installation/pre-update Privacy Setting screen that allowed users to choose between two settings, Basic or Full, where global data collection was concerned.

Not long after, the company also added a Privacy section to the web dashboard of every Microsoft account, which allowed users to do things like:

  • Exporting any of the data found on the dashboard
  • Deleting specific items to allow for more individualized control
  • Viewing and managing media consumption data, along with product and service activity

The most recent addition is the release of an app called “Windows Diagnostic Data Viewer,” currently available on the Windows Store.  Right now, the app is available only to Windows Insiders, but is slated for release to the general public in April or May of this year.

As the name of the app suggests, it will not allow users to delete or manipulate any of the data collected, but it will provide an in-depth view of what data is collected. This would, at the very least, give system administrators the option to explore methods of disabling selected features in a bid to mitigate data collection.

Although the company is providing more options and becoming increasingly transparent, it has no plans to stop collecting telemetry data, insisting that it is essential in terms of making incremental product improvements and rapidly solving bug reports.  Like it or not, data collection is here to stay.

Performance Issues Plague PCs Updated With Spectre Patch

Recently, a critical flaw was found inside every Intel chip made during the last decade.  The flaw makes two different exploits possible.  These exploits have been dubbed “Meltdown” and “Spectre.”

The flaws are incredibly severe, and make it possible for a hacker to gain complete, unfettered access to the targeted PC or laptop.  Although no instances of the exploit have yet been found in the wild, now that both are commonly known, it’s only a matter of time before that happens.

Based on that, and given the severity of the flaw, Intel scrambled to release an update, but here’s the catch:  The update would hurt system performance, lowering it by as much as 23%.

In the end, it didn’t matter.  To ignore the problem was simply not an option, so the company scrambled to get a fix ready and has since released it.  Unfortunately, the fix has proved to be even more problematic than was originally estimated.  In addition to degrading machine performance, it also interferes with a variety of maintenance activities and leads to an inordinate number of system reboots.

Initially, Intel advised its customers to proceed with the download in order to protect their systems, even in light of the performance degradation.  However, as the number of complaints has grown, the company reversed course and has now advised against downloading its latest update, asking users to wait for a revision to be published.

At this point, the company has not given an ETA on when the revised firmware update will be ready, but until it is, you’re placed in an awkward position.  Waiting for the update means exposing your company to risk, should a hacker target one of the machines on your network with the exploit.  Proceeding with the current firmware update means you’ll suffer performance issues, leaving you stuck between a rock and a hard place, at least for the short term.

Electronic Health Record Company “Allscripts” Hit By Ransomware

Another day, another high-profile ransomware attack.  This time, the victim was Allscripts, an EHR (Electronic Health Record) company that hospitals, pharmacies, and ambulatory centers around the country rely on.

The company’s data was thought to be safe on the cloud, but that proved not to be the case. Disruptions of services were felt by Allscripts clients around the country.

At this point, reports are sketchy, incomplete, and in many cases, contradictory.  According to Allscripts, the attack only impacted “a limited number” of applications, and that they were working to restore them.  The company’s statement continued with, “most importantly, to ensure our clients’ data is protected.  Although our investigation is ongoing, there is currently no evidence that any data has been removed from our systems.  We regret any inconvenience caused by this temporary outage.”

According to Twitter, where many of Allscripts’ customers have been talking about the issue, the problem goes much deeper. Some clients reported an inability to access critical patient data now stretching into its third day, with predictable impacts on health care delivery.

To complicate matters further, some health care providers preemptively disconnected from Allscripts servers in a bid to protect their own networks.  Northwell Health, based out of New York, is an example.

In any case, as of the time of the writing of this piece, most, but not all, of the disrupted services seem to have been restored. You can bet, based on the contradictory information surrounding the attack, that Allscripts’ handling of the incident will be discussed for a long while to come.  This will probably be filed under “how not to handle a ransomware attack.”

The company’s communication was spotty and their business continuity plan seems to have failed them.  There are lessons here for all business owners.  Take heed.

iPhone Throttling Issue To Be Addressed In Upcoming Update

Recently, Apple found itself in hot water with its normally adoring user base. This happened when it became known that the company was intentionally throttling (slowing down) the speed of older iPhones.

The company’s intentions were good.  They clearly meant well.  The move was designed to even out performance in older equipment.  As cellphone batteries age, they tend to lose charge more quickly.  What was happening was that people with older equipment would drop from 20% battery to 0% in the blink of an eye, causing their old phones to simply shut down at inopportune moments.  Apple’s strategy was simply designed to help keep that from happening.

Well-intentioned or not, the company didn’t formally announce the change, and it was discovered by chance by security researchers.  Needless to say, the legions of people who still use older iPhones were not amused and the company has faced backlash from an angry user base since.

Apparently, the backlash got bad enough that they listened.  Apple just announced that as of the next OS update, version 11.3, the OS will include a toggle switch that will allow users to choose whether or not to throttle their phones to extend battery life.

This is the latest in a series of moves the company has made to get back in the good graces of its users.  Previous efforts have included a public apology and an offer to reduce its fee for battery replacement to just $29.

This has been a PR disaster for the company.  It probably won’t hurt their bottom line much, but perception matters. While the company has been trying bravely to save face, the simple truth is that this was a self-inflicted and avoidable wound.

There’s a lesson here for businesses of all shapes and sizes.  Transparency matters, and if you’re going to do something that directly impacts large segments of your user base, be upfront about it and give them a viable choice.