New InvisiMole Malware Turns Your System Into A Video Camera

Another week, another new threat.  This time, it comes in the form of a new strain of malware that researchers are calling InvisiMole.  The new threat was discovered by researchers at ESET, who found it on a number of hacked computers in Russia and Ukraine.

While the researchers have yet to trace the software back to the group that developed it, based on the available evidence, the campaign appears to be tightly targeted and highly selective.  Only a few dozen computers have been found to be infected, although all impacted systems are both high-profile and high-value.

As for the software itself, it’s a nasty piece of business, capable of quietly taking control of an infected system’s video camera and capturing audio. This allows the operators to both see and hear anything going on in the vicinity of the system.  Essentially then, InvisiMole turns your computer into a compromised Amazon Echo.

Based on the sophisticated design of the software and the fact that the researchers have yet to be able to trace it back to the source, it’s believed that it has been developed by (or at least in partnership with) an unknown state actor.  Although the current campaign is small and highly targeted, given its capabilities, InvisiMole could easily become a much more serious threat.

Even worse, it’s entirely possible that the original developers could lose control of the code, or that some other hacker group could reverse engineer it, causing it to spread far and wide.

Research into the software is still ongoing, and at this point ESET can’t say with certainty how the malicious payload is being delivered to target machines. Of course, at present, there is no antivirus software defense against it.  Stay on your guard.  You never know who might be watching.

Some Private Posts On Facebook May Have Been Exposed

Facebook is in hot water again.  Recently, the company admitted that while testing a new feature on the site, it inadvertently made public the posts of more than fourteen million users.  The incident occurred between May 18th and May 22nd, while Facebook was testing a new “Featured Posts” enhancement.

The goal was that users could selectively make posts visible to everyone.  Unfortunately, the error created a situation where any posts users in the test group made were automatically shared to everyone.  The company found and corrected the mistake on May 27th, but during the intervening span of days, any posts those users made were set to global visibility.  Facebook is currently in the process of contacting the impacted users and asking them to review any posts they made during the impact period.

Chief Privacy Officer Erin Egan had this to say: “To be clear, this bug did not impact anything people had posted before – and they could still choose their audience just as they always have.  We’d like to apologize for this mistake.”

Unfortunately, this is not the first time in the recent past that Facebook has gotten into hot water over the mishandling of user data.  Earlier this year, Facebook CEO Mark Zuckerberg had to testify before Congress after the company acknowledged that it had improperly shared private information pertaining to tens of millions of its users with Cambridge Analytica, which used the information in an attempt to influence the most recent presidential election.

Even if you’re not a member of the test group, if you use Facebook and made any posts between May 18th and May 27th when the company fixed the bug, it pays to review your posts just to make sure that their visibility has been properly set.

Are Lasers The Answer To Completely Wireless Computing And Charging?

Researchers at the University of Washington just might change the face of computers and computing forever.  It may seem like the stuff of science fiction, but based on their research, the day may soon be coming when computing devices are completely untethered, requiring no wires for either power or recharging.

The team was able to successfully charge a smartphone from across a room using nothing more than lasers.  Right now, their approach has an effective range of about forty feet.  Devices are detected by way of acoustic “chirps” which occur below the threshold of human hearing.  Once a target device is located, the laser charging system sends power to it using laser light, with no damage to the target device.

Right now, the power transfer is limited to just a couple of watts. However, the researchers don’t see any obstacles that would prevent scaling of the power transfer, meaning it could easily be modified to power PCs.

Wireless Power Transfer (WPT) is not a new idea.  In fact, it’s in use today in such things as smartphones and electric toothbrushes.  The problem, at least until now, has been a matter of range, which has been virtually nonexistent until the University’s game-changing experiments.

The big breakthrough wasn’t in sending power to a device via laser.  Scientists have known that was possible for quite some time.  The issue, though, was that when lasers (or microwaves) were used to send power, they were invariably hazardous to humans in the area. In addition, they often fried the electronics they were attempting to power.  The research team seems to have solved both of those problems.

While the technology is still quite some distance from being commercially available, this is a huge leap forward.  This could forever change the way we interact with our computing devices, and that change could come much sooner than anyone ever imagined.

Yahoo Messenger Will Shut Down In July

It’s the end of the line for Yahoo Messenger.  As of July, it will be no more, marking the end of an era.

The announcement comes just six months after AIM (the old AOL messaging program) was shut down.  The first major messaging programs from the early days of the internet will soon be a thing of the past.

Users will have six months to download their chat histories from Yahoo Messenger. If they haven’t gotten what they need by then, they’ll lose their chance forever.

It probably won’t come as a major blow to most people.  Although it used to be one of the most popular and widely used communications programs, its popularity has slipped markedly in recent years, to the point that there’s little justification in continuing support for it.

The company had this to say on the matter:

“We know we have many loyal fans who have used Yahoo Messenger since its beginning as one of the first chat apps of its kind.  As the communications landscape continues to change over, we’re focusing on building and introducing new, exciting communications tools that better fit consumer needs.”

Currently, the company has no direct replacement for Messenger.  The closest match would be a group messaging app called “Yahoo Squirrel,” which is currently in beta.  Users interested in the new tool can request an invitation at squirrel.yahoo.com.

For the rest of us, Yahoo Messenger’s loss isn’t likely to cause problems from a business perspective. This, along with Microsoft’s retirement of the venerable MS Paint, serves as a reminder that the internet is growing up.  Many of the tools we’ve used and taken for granted for years are now fading away.  It’s a brave new world.

New Malware Takes Screenshots and Steals Your Passwords

Recently, a new strain of malware called “SquirtDanger” has been found by researchers at Palo Alto Networks Unit 42, and it’s a particularly nasty one for a couple of reasons.  First and foremost, the owner of the malware isn’t orchestrating campaigns himself, but rather, selling his product as a commodity on the Dark Web.

That has troubling implications because the malware is quite advanced, and since it’s being sold to a broad cross-section of hackers, odds are excellent that it will be used in numerous campaigns that could affect a number of industries.

As for the software itself, it gives the hackers who purchase it a vast array of tools. It communicates back to its controller every minute, giving the hackers who use the malware a tremendous amount of usable data.

Among other things, SquirtDanger can take live screenshots of an infected device, steal passwords, and send, receive, or delete files on the target system.  It can also swipe directory information and drain the contents of cryptocurrency wallets, making it something of a “Jack-of-All-Trades” malware.

Also, there’s no single attack vector being used to infect machines with SquirtDanger. According to the research team, the most common means of infection is that the malware is disguised as a piece of legitimate software and installs when the poisoned executable file is run.

Researchers from Unit 42 had this to say on the matter: “Being infected with any type of malware represents significant danger to an individual or victim. However, because of the large list of capabilities this malware family includes, it would certainly be very bad for the victim.”

At latest count, the researchers have discovered 1,277 unique SquirtDanger samples in the wild, tied to 119 unique command and control servers that were widely geographically dispersed.  Odds are, there are many more samples that have yet to be discovered.  Be on your guard, it doesn’t appear that this threat will abate anytime soon.

The U.S. Is The Most At Risk Nation For Cyber Attacks

Being “number 1” isn’t always a good thing.  Rapid7 has just published their third annual “National Exposure Index,” and unfortunately, the United States has the dubious honor of being the nation most at risk for a cyber attack on its core services.  The group’s methodology for ranking national exposure comes down to tracking the number of exposed services and comparing this number to the nation’s total allocated IP address space.

Ranked in this way, the top four most vulnerable countries are:

  • The United States
  • China
  • South Korea
  • The UK

All told, these four nations control more than 61 million servers listed on at least one of the points surveyed by Rapid7.

Drilling down a bit more deeply, the report also contained this chilling fact:

“There are 13 million exposed endpoints associated with direct database access, half of which are associated with MySQL.  Along with millions of exposed PostgreSQL, Oracle DB, Microsoft SQL Server, Redis, DB2, and MongoDB endpoints, this exposure presents significant risk of crucial data loss in a coordinated attack.”

Given that this year has already given us the largest DDoS attack in the history of the internet, Rapid7’s findings should not be taken lightly.  The risks are very real, which is why the company is so strongly committed to the publication of their annual report.

As they put it:

“…national internet service providers in these countries can use these findings to understand the risks of internet exposure, and that they, along with policymakers and other technical leaders, are in an excellent position to make significant progress in securing the global internet.”

A lofty goal indeed.  Unfortunately, although the data is illuminating, there are no quick or easy answers here, especially in the United States.  Thus far, the U.S. has struggled to put together a cohesive digital security policy at the national level, which seems unlikely to change at least in the near future.

Information On 48 Million People Leaked Through Massive File

File this one away under self-inflicted wounds.  It has recently come to light that a company called LocalBox left a massive data file vulnerable on a cloud server.  The data file was more than a terabyte in size and contained detailed psychometric profiles of more than 48 million people.

LocalBox describes itself as a combination of personal and business data search service, but most of their revenue comes from the creation of psychometric profiles created by mining data from a wide range of publicly available sources (social media, public records, and the like).  On the company’s website, they describe themselves as being “the First Global Customer Intelligence Platform to search, combine and validate deep business and people profiles – at scale.”

According to the UpGuard Cyber Risk Team, the team got confirmation from Ashfaq Rahman (LocalBox’s co-founder) that the data file was placed on a misconfigured cloud-based storage system.  The misconfiguration left the file exposed. The file included names, dates of birth and physical addresses culled from sources including Twitter, LinkedIn, Facebook, Zillow (a popular real estate site), and more.
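The article does not say which cloud provider or which setting was misconfigured. As an added illustration (not code from the article, from UpGuard, or from LocalBox), the following Python assumes an S3-style bucket policy and ACL and flags the two settings that most often make a file readable by anyone on the internet: an `Allow` statement whose principal is everyone, and an ACL grant to the AllUsers or AuthenticatedUsers group. The bucket name, account ID and role name are constructed placeholders.

```python
"""Added example: flag object-storage settings that expose a file to the whole internet.
Assumes an S3-style bucket policy and ACL (the article does not name the provider);
all sample data below is constructed."""
import json

# Real AWS grantee URIs meaning "everyone" and "any authenticated AWS account".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Actions that allow reading object contents (compared case-insensitively).
READ_ACTIONS = {"s3:getobject", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (anonymous access)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def policy_findings(policy: dict) -> list:
    """One finding per Allow statement that grants object reads to everyone."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & READ_ACTIONS:
            continue
        sid = stmt.get("Sid", "no Sid")
        if stmt.get("Condition"):
            # A Condition (e.g. aws:SourceIp) narrows the grant; still worth a look,
            # but it is not an unconditional public read.
            findings.append(f"statement {i} ({sid}): public read limited by Condition, review it")
            continue
        findings.append(f"statement {i} ({sid}): unconditional public read of {stmt.get('Resource')}")
    return findings


def acl_findings(acl: dict) -> list:
    """One finding per ACL grant to the AllUsers or AuthenticatedUsers group."""
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEES:
            findings.append(f"ACL grants {grant.get('Permission')} to {uri.rsplit('/', 1)[-1]}")
    return findings


# Constructed sample: a bucket holding an exported profile dump with "convenience"
# settings that expose it to the internet. Bucket name and CIDR are placeholders.
EXPOSED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-profiles/*"},
    {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-profiles/reports/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}
  ]
}""")
EXPOSED_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}

# Hardened equivalent: only one named role (placeholder account/role) may read.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/profile-export-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-profiles/*"}]}

if __name__ == "__main__":
    for finding in policy_findings(EXPOSED_POLICY) + acl_findings(EXPOSED_ACL):
        print("FINDING:", finding)
    print("hardened policy findings:", policy_findings(HARDENED_POLICY))
```

Run against the exposed sample it reports the unconditional public-read statement, the IP-restricted statement as something to review, and the AllUsers ACL grant; against the hardened policy it reports nothing. In practice the same checks are worth running on every bucket in an account on a schedule, since a file like the one described above is usually exposed by one such setting added for convenience.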

UpGuard researchers had this to say about the incident:

“In the wake of the Facebook/Cambridge Analytica debacle, the importance of massive sets of psychographic data is becoming more and more apparent.  This combination of information begins to build a three-dimensional picture of every individual affected–who they are, what they talk about, what they like, even what they do for a living–in essence, a blueprint from which to create targeted persuasive content, like advertising or political campaigning.  If the legitimate uses of the data aren’t enough to give pause, the illegitimate uses range from traditional identity theft, to fraud, to ammunition for social engineering scams such as phishing.

The data gathered on these people connected their identity and online behaviors and activity, all in the context of targeted marketing, (i.e., how best to persuade them).  Your psychographic data can be used to influence you.  It is what makes exposures of this nature so dangerous, and also what drives not only the business model of LocalBox, but of the entire analytics industry.”

Terrifying indeed.

Another Vulnerability Found In Intel CPUs

More bad news for Intel. Yet another security flaw has been identified in the processors the company makes.  This one is so newly discovered that the full technical details have yet to be released.  Here’s what we know so far, from a recent Intel announcement:

“System software may opt to utilize Lazy FP state restore instead of eager save and restore of the state upon a context switch…Lazy restored states are potentially vulnerable to exploits where one process may infer register values of other process through a speculative execution side channel that infers their value.”

In simpler terms, what this means is that a hacker could use this exploit to gain partial cryptographic keys used by other programs running on the target computer.

While related to the recent Spectre and Meltdown security flaws, this one is different in two ways.  First, it’s not quite as severe as the previously discovered flaws in scope or scale.  To make use of it, one would require an incredibly exotic attack that would simply be beyond the capabilities of most hackers.

Also, it should be noted that where Spectre and Meltdown impacted dozens of chipsets dating back more than a decade, the “Lazy FP State Restore” flaw only impacts chips beginning at Sandy Bridge.

The other key difference is that the flaw in this case does not reside in the hardware.  That’s good news for businesses of all shapes and sizes, because it means that when Intel and their hardware vendors have a patch ready, it will be quick and relatively painless to install.

Unfortunately, since the initial discovery of Spectre and Meltdown, a number of variants of those flaws have emerged, and now this new one.  It’s unlikely that this will be the last we’ve seen of these types of issues, so if you’re using Intel equipment, brace yourself.  There’s likely more to come.

WiFi Sync on iOS Vulnerable To TrustJacking

Owners of Apple devices have a new attack vector to worry about, called “TrustJacking.”  Symantec researchers recently stumbled across a pair of scenarios that take advantage of Wi-Fi syncing of various Apple devices. These are scenarios that also take advantage of the trust users have in the security of their own devices, allowing hackers to take complete control over those devices.

The flaw is a consequence of the way that iTunes Wi-Fi Sync is designed.  The vulnerability manifests when a device is connected and the user selects the “sync” feature. This creates an opening which could potentially allow a hacker to take complete control over the device.

The first scenario works like this: with the “sync” setting enabled, the device owner has access to both that device and a paired iPhone over a wireless connection, even after the device is disconnected from the syncing service.  That sets up part one.

Part two of the first scenario requires a bit of social engineering, where a hacker tries to trick the device owner to click on a malicious link that will install malware of the hacker’s choosing on the vulnerable system.

The second scenario targets users who are traveling.  A hacker could take control of a free airport charging station.  In order to make use of those free charging stations, users are required to trust the device.  As soon as that happens, the hacker controlling the charging station can remotely issue a command to connect to iTunes, and then enable the sync command.

Once those two steps are completed, even when the victim disconnects from the charging station, the hacker can still access the compromised device remotely, gaining access to most (if not all) of the user’s private information.

Unlike similar, recently discovered vulnerabilities in Apple products, this one distinguishes itself by allowing the hacker permanent access to the device, making it a dangerous vulnerability indeed.

Google Cracking Down On 3rd Party Browser Extension Installs

Malicious code can wind up on your PC or phone by any number of roads.  Companies do their best to guard the digital passes, but invariably, things get missed and the hackers find a way in.  It’s a constant battle, and sadly, one that the good guys are losing.

Recently, Google has stepped up its efforts, this time by focusing on Chrome browser extensions installed by third parties.  By the end of the year, no extensions will be allowed on Chrome except those acquired via the Web Store.

James Wagner, Google’s Product Manager for the Extensions Platform, had this to say on the topic:

“We continue to receive large volumes of complaints from users about unwanted extensions causing their Chrome experience to change unexpectedly – and the majority of these complaints are attributed to confusing or deceptive uses of inline installation on websites.”

It’s a thorny problem, but industry experts broadly agree that Google is taking the right approach here.  Beginning in September, Google plans to disable the “inline installation” feature for all existing extensions.  The user will instead be redirected to the Chrome Web Store where they’ll have the option to install the extension straight from the source.

Then, in December 2018, the company will remove the inline install API from Chrome 71, which should solve the problem decisively.

Of course, hackers being hackers will no doubt find a way around that, but kudos to Google for taking decisive action here.  While browser extensions aren’t a major attack vector, it’s troublesome enough that Google’s attention is most welcome.

It should be noted that one of the indirect benefits of Google’s plan is that it further bolsters the importance of user ratings of extensions.  They’re highly visible on the Web Store, so anyone who’s considering installing something has a good, “at-a-glance” way of telling whether the extension is good or a scam. That’s information they wouldn’t get had the extension been installed inline.

Again, kudos to Google!