Friday, January 30, 2015

RSS Feed Full Text Parser with Regex Filter

WhatsApp Web has privacy holes that could expose user photos

Posted: 30 Jan 2015 12:39 PM PST

WhatsApp has just rolled out a new service called WhatsApp Web that allows users to sync the messaging app between their mobile devices and desktop, but the new web client has a couple of privacy pitfalls that show it's not really ready for its close-up.

The problems with the web client, which were reported to us by Indrajeet Bhuyan, a 17-year-old security blogger, undermine privacy settings that work just fine on the WhatsApp mobile app.

According to Bhuyan, in some situations users of WhatsApp Web can see photos they're not supposed to view and which they wouldn't see on the mobile app.

In the WhatsApp mobile app, you can delete a photo from your device after sending it and the recipient will see only a blurred out version of the photo.

But Bhuyan reported that a photo sent from his mobile device and then deleted was still visible without the blurring in the web client.

As WhatsApp noted in a 21 January 2015 blog post announcing the new service, WhatsApp Web "mirrors conversations and messages from your mobile device," and all messages "live on your phone."

But since photos deleted from your phone are still showing up in the web client, we can infer that the mobile and web apps are not syncing properly.

The second problem, says Bhuyan, is that your profile photo may remain visible on WhatsApp Web even after you've used the feature in the mobile app to restrict your photo to contacts only.

Ironically, this seems to be the reverse of various mobile-versus-web problems we've written about before, where it was the mobile version that fell short of the security offered by its web-based equivalent.

Both of these bugs seem like they could have or should have been caught before WhatsApp Web was released - as though WhatsApp rushed this product out the door without enough testing.

A few other issues with WhatsApp Web make me think it wasn't quite ready and could have waited: so far the web client only works in Chrome, and it isn't available yet for users of the iOS mobile app (due to "Apple platform limitations," WhatsApp says).

WhatsApp, which has more than 500 million users worldwide and was purchased by Facebook in 2014 for a mind-boggling $19 billion, has run afoul of regulators and privacy advocates for its past sloppy behavior.

We applauded WhatsApp when it rolled out end-to-end encryption to protect users' private messages.

But this latest privacy bungle has me, in the shorthand of chat initialisms, SMH (translation - shaking my head).

Image of WhatsApp on Android courtesy of Twin Design /

IsAnybodyDown's Craig Brittain banned from the 'revenge porn' business

Posted: 30 Jan 2015 07:13 AM PST

Craig Brittain, the owner of 'revenge porn' website IsAnybodyDown, has been given a firm slap on the wrist by the Federal Trade Commission and ordered not to post nude photos anywhere online again - unless he has been given explicit permission to do so.

He was also ordered to permanently delete all the naked pictures he had collected via his website but, in what appears to be a somewhat lenient agreement with the FTC, he avoided having to pay a fine, despite having made around $12,000 off the back of his victims' humiliation.

A release posted by the FTC yesterday said Brittain acquired nude photos of women via a raft of deceptive means.

In one ruse he posed as a woman on a Craigslist forum and offered to swap photos, supposedly of himself, in exchange for snaps of other women. He then posted those on his IsAnybodyDown website without their permission or knowledge.

According to the FTC's complaint, Brittain also solicited further photos from visitors to his website by offering $100 to users who sent in snaps along with personal information such as names, locations, Facebook profiles and phone numbers which he then published.

Brittain's collection methods ultimately proved quite successful - the FTC says he acquired photos of more than 1000 people.

Women who discovered their images on Brittain's site had little success in getting them removed by contacting IsAnybodyDown directly.

The FTC notes how he very rarely responded to removal requests, despite some women alerting him to the fact that they were attracting attention from strangers who had seen their photos and contact information on his site.

The successful removal of the material was far more likely through specialised sites such as "Takedown Hammer" and "Takedown Lawyer" which could have content removed in return for a fee ranging between $200 and $500. Though not proven, the FTC alleged that both of the sites were in fact owned and operated by Brittain himself.

The FTC's Bureau of Consumer Protection director Jessica Rich said:

This behavior is not only illegal but reprehensible. I am pleased that as a result of this settlement, the illegally collected images and information will be deleted, and this individual can never return to the so-called 'revenge porn' business.

While it might be seen that Brittain has got off lightly, the FTC consent order has at least effectively put a permanent end to Brittain's revenge porn days.

Should he ever be caught posting naked photos online again without consent, the order mandates that he will be issued with a civil penalty of $16,000 for each and every violation.

The lasting effects of his actions are not likely to be positive for Brittain, as noted by ex-federal prosecutor Ken White:

Craig Brittain is now subject to a permanent and relationship-and-career-debilitating stigma. Employers, lenders, landlords and others won't necessarily pick up internet drama. But you can bet that they'll pick up on an FTC consent order.

White also confirmed that Brittain will have to inform the FTC of any employment changes for the next 10 years and will have to hand over all details of any new web ventures he becomes involved in, including the site's privacy policy and any complaints filed against it.

The consent order will last 20 years and Brittain will be monitored throughout its duration.

Does size matter? It does if you're French...and a chess-loving hacker!

Posted: 30 Jan 2015 04:56 AM PST

Old-school computer programmer Olivier Poudade is a French hacker (in the upbeat sense of the word) whose involvement in low, low level coding goes way, way back.

Going as Baudsurfer, he was part of an online community called RSI (Red Sector Inc.), which established what is now claimed as Canada's first ever BBS, right back in early 1985.

For those who've only ever known the internet and the World Wide Web, a BBS is a Bulletin Board System.

That's a sort-of text-mode website, with news, comments, forums, downloads and more, that you access using a modem on your telephone line.

Unlike the modern internet, where you pay a local company for local access, and from there "fan out" at little or no extra cost to servers all over the world, BBSes were mano a mano affairs.

Each BBS had its own modems and telephone lines that you called up directly, so that local BBSes were cheaper to use than long-distance ones, and much, much cheaper than overseas ones.

Around that time, other aspects of the home computing scene were a bit different, too.

In the UK, for example, the influential and popular ZX81 (sold as the short-lived Timex Sinclair 1000 in the USA) came out of the box with just 1KB of RAM.

Nevertheless, in 1983, the source code of a chess program was published for the ZX81:

And if that sounds amazing, consider that 1KB was all the RAM that the ZX81 had, leaving just 672 bytes for the chess playing code.

There were certain simplifications, of course.

The program could only play with the white pieces, and you had to prepare two different versions of the game, one for "Queen's Pawn Moved" and the other for "King's Pawn Moved."

In fact, bought copies of the game came on a cassette tape, with the Queen's Pawn version on one side of the tape and the King's Pawn version on the other.

And you couldn't castle, for example.

Castling is a special and important move in chess, available only once to each player in each game.

When castling, your king and a rook effectively jump over each other, swapping places in order to shield the king and bring the rook out of its corner and into play.

Because of its significance to chess, and the fact that almost all games include the move, you can argue that a program that omits it isn't actually playing chess at all, in the same way that a Scrabble game without blank tiles wouldn't be Scrabble at all.

But a lot of complexity and size (not to mention many bugs) in programming arise from dealing with special cases, and with just 672 bytes to play with, castling had to fall away.

Many years later...

Fast forward almost exactly 25 years, and Olivier Poudade, aka Baudsurfer, thinks he's cracked the record.

He set a target of 512 bytes - the size of a boot sector.

After many iterations, and the help of Aussie anti-virus and machine code expert Peter Ferrie, he delivered BootChess:

You can quite literally write it to the first sector of a USB key, a hard disk or a floppy disk, boot up, and you're playing.

BootChess is your operating system, your run-time libraries and your application suite, all in one.

Forget GHOSTs (no room), or Heartbleeds (no network) or Shellshocks (no terminal).

It's Chess, or nothing:

Actually, Poudade's next challenge is to squeeze BootChess just a little bit more, so that it leaves enough space to be a regularly-formatted, bootable boot sector as well as a chess game.

That way, after playing the game, it could proceed with a normal bootstrap.

The contest

I know exactly what you're thinking!

What happens if you pit BootChess against 1K ZX Chess?

Sadly, that's not possible, because both programs can only play with the white pieces.

(Like 1K Chess, BootChess has a hard-coded first move, set to e2-e4, or "King's Pawn Moved," as seen above.)

But I did pit BootChess against Oscar Toledo Gutiérrez's Toledo Picochess.

Where BootChess fits into 512 bytes of machine code, Picochess fits into 1024 bytes of C source code:

That's a similarly spectacular achievement - even when redundant characters and comments are stripped from BootChess's assembly language, you end up with close to 3KB of source code.

What happened?

Chess master Tim Harding is supposed to have said, of 1K ZX Chess, that although it was the work of a genius to make the program fit into the available space, its playing ability was "so appalling that it would be hard to make it beat you."

Sadly, the same is true of BootChess.

Where Picochess actually managed to develop a few pieces in the course of 12 moves, coming out swinging with a bishop and a queen, BootChess managed little more than advancing several pawns, mostly by one square, and wasting a bishop. (That's not a phrase you hear often.)

BootChess then proceeded to throw away the game by making an illegal move, failing to notice it was in check.

The bottom line

Apologies to our diehard security readers: there isn't an obvious security angle here.

Except, of course, that this shows how much you can do in apparently impossibly small amounts of memory, if you are willing to make practicable simplifications, and if you don't care about correctness.

This is a trick used to good effect by crooks when they have only a tiny hole into which to squeeze an exploit.

Their code doesn't have to win reliability awards; it doesn't even have to work all the time.

It just has to work when it runs on your computer, and that's you pwned...

A "friendlier" variant of the Critroni ransomware discovered

Security researchers have identified a new strain of the Critroni ransomware, also known as CTB-Locker, that allows a longer period in which to pay the ransom and also offers to decrypt some files for free.

Earlier versions of this malware demanded payment within 72 hours, after which the price would go up. In addition, the free trial of the decryption service did not exist in those earlier versions; it is intended to reassure victims that their data will be fully recovered if the ransom is paid.

Critroni operators try a new business model

In the new versions, discovered in January 2015, the grace period is set to 96 hours, and five files can be decrypted for free. Clearly, the new approach is designed to increase the number of victims who pay the ransom.

“Analysis of the variants reveals a feature not previously seen in CTB Locker variants – the chance to decrypt files for free. This freemium model (a pricing strategy: offering a product for free but charging for exclusive features) was seen in the CoinVault malware, but this CTB Locker variant raises the stakes by allowing victims to choose five files, rather than just one, to be decrypted,” Trend Micro said in a blog post.

There is a downside, however: security researchers point out that the ransom has risen to 3 BTC (the Bitcoin virtual currency, equivalent to 700 USD or 610 Euro). In samples from July 2014, Critroni demanded 0.2 BTC (equivalent to 46 USD or 41 Euro).

Among the improvements in the new variant, the ransom message appears to have been localised: the text can be displayed in languages other than English, with Dutch, German and Italian variants having been recorded.

Malicious emails used to spread the threat

Trend Micro observed that the malware is distributed through email messages in various languages claiming to be important notifications. They carry an attachment containing a malware downloader, which is archived twice. Once the file is executed, it proceeds to download Critroni from compromised websites hosted in France.

The researchers determined that the malicious messages are sent automatically from systems that are part of the Cutwail spam botnet.

As a protective measure, the researchers recommend verifying the address of any suspicious-looking sender and not opening files of unknown origin.

If a computer is infected by ransomware that encrypts its data, the ransom should not be paid, so as not to encourage such fraudulent behaviour. Keeping regular backups, at least of the most important files, ensures they can be recovered in the event of infection by this type of malware.

Facebook and Instagram “went down” due to misconfiguration, not an attack

Facebook said that Facebook and Instagram stopped working for about an hour because of some misconfiguration, not because of an attack.

The Facebook and Instagram outage caused a commotion among some groups of users on Twitter, who discussed and speculated about the cause of the incident. After an hour of disruption, Facebook returned to normal operation. Facebook denied that any attack had taken place: “Earlier this evening (local time) many people had trouble accessing Facebook and Instagram. This was not due to any attack but because we changed some settings on our systems. We quickly fixed the problem and the services are back to 100% capacity.”

Many media outlets suggested that the hacker group Lizard Squad was behind the incident after the group posted a tweet claiming that Facebook was down. Facebook users took to Twitter with sarcastic comments tagged #FacebookDown.

A quick fix for your slow Chrome browser

Posted: 30 Jan 2015 10:54 AM PST

chrome-paint-dry.jpg Is using Chrome like watching paint dry? This tweak might help. Screenshot by Rick Broida/CNET

Calling all Chrome users: Does your browser seem slow of late? I may have a solution for you.

First, a little back-story. I run a Samsung Series 9 Ultrabook with a Core i5 processor and Windows 8.1. I've had it about 18 months, and I know from years of experience that, over time, PCs slow down.

Usually I point the finger at Windows, because whenever I've taken the drastic step of wiping my hard drive and reinstalling the OS from scratch, I get a blissfully speedy system again. For a while.

But in the past few months, I've noticed that my Web browser, Google Chrome, has really gotten slow. (I can't be positive, but I think the timing coincided with Microsoft's required update to Windows 8.1 from Windows 8, which happened in October. That's my conspiracy-theorist explanation.)

Although Chrome itself would open quickly, tabs seemed to take forever to load. When I opened a new tab and typed in an address (or even clicked a bookmark), there was often a delay of several seconds before anything would happen -- I'd just be staring at a blank tab for what seemed an eternity.

Needless to say, I tried removing most of my Chrome extensions, even the ones that seemed like they couldn't possibly impose a performance hit (like my beloved OneTab). I tried deleting my browsing history, cached files and other behind-the-scenes detritus. Nothing helped.

This got aggravating to the point where I thought, "Well, maybe it's time for an upgrade." Which is ridiculous because this laptop has all the horsepower I need. It's just the browser that's killing me.

I even went so far as to spend a day working in Firefox, just for sake of comparison. And you know what? Huge difference. So the problem wasn't Windows, necessarily -- it was Chrome.

OK, enough history, now for the fix: After some research and experimentation, I tweaked one setting that made Chrome run considerably faster. Your mileage may vary, of course, but this is worth a try:

chrome-menu-and-settings.jpg Screenshot by Rick Broida/CNET

Step 1: Click the Menu button (top-right corner of the browser, below the Close button), then click Settings.

Step 2: Scroll down and click "Show advanced settings," then scroll down further until you find the System section.

chrome-disable-hardware-acceleration.jpg Disabling hardware acceleration may give Chrome a big performance boost. Screenshot by Rick Broida/CNET

Step 3: Clear the check box next to "Use hardware acceleration when available."

Step 4: Shut down Chrome and restart it.

Again, I can't say for certain this will solve your Chrome performance issues, but it made a noticeable difference on my system.

Whether it's successful or not, hit the comments and let your fellow Chrome users know the results! And if you've found other ways to get the browser back up to speed, share those as well.

How to take dreamy long exposure photos

Posted: 30 Jan 2015 09:06 AM PST

stpaulslong.jpg Andrew Hoyle/CNET

Fast shutter speeds are great at freezing action in place, but slow the speed right down and watch as movement in a scene turns to smooth, abstract forms. Long exposure photography is a great technique to play with and lends itself particularly to clouds moving across landscapes, waves crashing onto rocky shores, or busy night-time city streets.

It doesn't even require expensive kit or hours of training to get started. Read through this guide to find out how you can create your own slow shutter masterpieces.

The minimum kit you'll need

  • A camera that offers full manual control over shutter speed, aperture and ISO speeds.
  • A sturdy tripod.

camerasetup1.jpg Andrew Hoyle/CNET

Handy extras

  • A remote shutter release allows you to take a photo without touching the camera, which can help reduce blur. If you don't have one, then setting the self timer for 2 seconds will achieve the same result.
  • Neutral density filters, such as the Big Stopper by Lee Filters, are crucial if you want to take long exposures in the middle of the day. They act like sunglasses for the lens, reducing the amount of light coming into the camera, letting you expose a photo for over a minute without it looking completely white and washed out.

towerlong.jpg Andrew Hoyle/CNET

Find your location

Long exposure photos have the most impact when they combine both moving and still subjects, so think about where you can combine those. Clouds moving over buildings and cityscapes provide brilliant fodder for dramatic shots, so head into town, get in amongst the buildings and point your camera upwards. Clouds streaking over wide landscapes also look particularly dramatic.

nightlondon-3.jpg Andrew Hoyle/CNET

City streets at night are fantastic locations to experiment with, as car headlights will turn into long, winding streaks of light, twisting through the streets, when captured with slow shutter speeds. Position yourself near a busy junction -- safely away from traffic, of course -- and see what you can catch.

Set up your equipment

Set up your tripod so it's nice and stable. Make sure it's positioned so it can't be knocked by passersby, and not on a surface that is likely to shake or vibrate due to traffic or wind. Keep in mind that even the slightest wobble -- when exaggerated over a minute -- can result in a very blurry shot. A strong wind can cause a lot of camera shake, so position yourself as a barrier to reduce the amount of wind destroying your lovely photos.

Frame your shot and set your lens to manual focus -- particularly if you're shooting in the dark. Many cameras allow you to zoom into the scene using the LCD display, which is handy to make sure you've got the best focus on your subject. If you're using dark neutral density filters, slot these in place after you've set up your scene.

bulbsettings.jpg Andrew Hoyle/CNET

Choose the right settings

The main setting you need to change to capture long exposures is the shutter speed. The slower the shutter speed, the longer the sensor is exposed to light, resulting in more movement being captured. How long you choose will depend on how fast your subjects are travelling and how much ambient light there is.

If you're shooting car headlight trails at night, for example, start out with a shutter speed of 2 to 3 seconds -- as the cars are moving fast, you won't need to keep the shutter open long to capture the movement. Clouds tend to move more slowly across the sky, so shutter speeds of 20 seconds or more may be necessary here.

If you're shooting for longer than 30 seconds then you'll need to switch to bulb mode, which allows you to keep the shutter open for as long as you keep your finger held down on the shutter. This is typically only a feature you'll find on dSLRs and you'll definitely need to use a remote shutter release -- holding your finger on the camera for that length of time will shake it and cause blur in the final image.

bulbsettings-2.jpg Andrew Hoyle/CNET

Using a narrow aperture -- f/12-f/22 -- will restrict the amount of light allowed in so is a good way of shooting long exposures in low, but not quite black light. Keep your ISO speed at the minimum your camera will allow -- typically 100 or 200 -- as this will help keep image noise to a minimum.

If your camera allows it -- and most do -- shoot in raw format. Not only do raw images capture greater detail in the dark and light areas of an image, they allow you to select the white balance after having taken the shot.

Take your shot

If your dSLR has a mirror lock up function, use it. When taking a photo, a dSLR's mirror has to physically flip up out of the way to allow light to strike the sensor instead of being bounced into the viewfinder. This movement, although tiny, is enough to add a small amount of blur to long exposure photos. Using mirror lock up moves the mirror out of the way before the photo starts to be captured.

mirrorlock.jpg Andrew Hoyle/CNET

If you have a remote shutter release, use that to avoid shaking the camera. Alternatively, set the self timer to 2 seconds so you don't have to touch the camera when the shot is taken. Always review your shots on the LCD display to ensure they're exposed sufficiently and zoom in to check that you've focused properly.

Process your shots

Processing isn't a critical step, but it's certainly worth experimenting with. Although you should always make sure your shot is properly exposed and composed in camera -- no amount of editing can rescue a badly composed shot -- the sometimes abstract results from long exposure photos often lend themselves to a bit of tinkering with in post.

Night-time shots, particularly car headlights streaking through dark city streets, are naturally high contrast so often work well in black and white. There are no strict rules to processing, so it's always good to spend some time having a play with colour balance sliders, contrast and even cross processing.

citylong.jpg Andrew Hoyle/CNET

Thursday, January 29, 2015

Wi-Fi Direct Flaw Exposes Android Devices to DoS Attacks

Researchers from Core Security have identified a vulnerability that can be remotely exploited for denial-of-service (DoS) attacks against certain Android devices.

The vulnerability is an uncaught exception (CVE-2014-0997) that could cause devices to reboot. According to the security firm, an attacker can leverage this flaw when the targeted Android phone is scanning for devices using Wi-Fi Direct, the standard that allows devices to connect with each other without having to go through an access point.

“An attacker could send a specially crafted 802.11 Probe Response frame causing the Dalvik subsystem to reboot because of an Unhandled Exception on WiFiMonitor class,” Core Security wrote in an advisory published on Monday.

The vulnerability has been successfully reproduced on a Nexus 4 and a Nexus 5 running Android 4.4.4, on an LG D806 and a Samsung SM-T310 running Android 4.2.2, and on a Motorola RAZR HD with Android 4.1.2 installed. Other devices might also be affected, but the flaw does not impact Android 5.0.1 and Android 5.0.2.

Researchers informed Google of the vulnerability in late September 2014. In mid-October, the Android security team told Core Security that the issue was classified as “low severity.” The security firm does not agree with this classification, but Google seems to maintain its position.

The Android security team says it currently does not have a timeline for releasing a fix.

Until the flaw is addressed, Core Security advises users to avoid utilizing Wi-Fi Direct or update their Android installations to a version that is not vulnerable.

Earlier this month, Google announced that it’s no longer patching vulnerabilities affecting older versions of the WebKit component. The search giant has decided not to patch flaws in the pre-KitKat WebKit because the company believes it’s no longer practical.

While some experts have condemned Google for exposing hundreds of millions of devices to cyberattacks, others believe this move will reduce the negative impact of Android fragmentation.

"Lookout doesn't have hard data to confirm or deny this hypothesis, but it is our belief that the majority of devices in the world are either on an upgrade path to 4.4 or later, or they are generally not receiving updates at all. Therefore, the likely exposure to this policy change will likely not be very large, as in the former case, you're in the clear, and in the latter case, you would be vulnerable either way,” Jeremy Linden, security product manager at Lookout, told SecurityWeek.

“We certainly believe the changes made by Google to allow upgrades to WebKit (as well as other components of the OS) outside of OEM/carrier pushes are very positive changes that reduce the impact of Android fragmentation for security issues,” Linden said.

Waterbug Threat Group Targeted Systems in Over 100 Countries: Symantec

Symantec has published a new whitepaper detailing the activities of a threat group dubbed by the security firm “Waterbug.”

Waterbug is the attack group previously known for cyber espionage campaigns leveraging toolkits such as Turla (also known as Snake or Uroburos) and Epic Turla (also known as Wipbot or Tavdig).

The group is believed to have been active since at least 2005. Its activities became known back in 2008 when one of the pieces of malware associated with it, the notorious Agent.BTZ, was used in an attack aimed at the United States military.

According to Symantec, Waterbug successfully compromised more than 4,500 systems across over 100 countries, targeting government institutions, research and education facilities, embassies, and other high-profile organizations.

The group uses two techniques to infect targeted devices with malware: spear phishing emails containing malicious attachments, and a vast distribution network comprised of at least 84 compromised websites.

One of the spear phishing emails spotted by Symantec in December 2013 carried a harmless-looking PDF document designed to exploit an Adobe Reader zero-day in combination with a Windows vulnerability in order to distribute Trojan.Wipbot.

The distribution network, dubbed by the security firm “Venom,” is used for watering hole attacks designed to target certain users.

“These compromised websites are located in many different countries and were used in a watering-hole style operation in which the attackers monitored and filtered visitors to those websites and focused on the ones of interest for further action. The collection of compromised websites acted like a drag net designed to gather potential targets of interest,” Symantec said in the report.

The compromised websites are mainly located in France, Germany, Romania and Spain. Roughly half of these sites belong to government organizations, and publishing and media companies. What many of the websites have in common is the use of the content management system (CMS) TYPO3, and the fact that they reside on the same net block linked to certain hosting providers, Symantec noted.

In addition to Trojan.Wipbot, the attackers have also distributed Trojan.Turla, which they use to collect and exfiltrate data from infected machines.

Researchers have identified four variants of Trojan.Turla: SAV, FA, ComRAT, and Carbon. The threats, previously detailed by other security companies, use shared components.

In its report, Symantec has pointed out that the use of zero-days, the sophisticated malware, the large network of compromised websites, and the nature of the targets indicate that Waterbug is a state-sponsored group. While the company has not named any country, other security firms believe the threat might have Russian roots.

The complete whitepaper on Waterbug is available online.

It's Okay to Fail - Security is a Problem That Can't be Solved

It’s okay to fail. This may sound radical, but I would argue that the information security community isn’t failing enough. Or rather, we as a community are failing passively on a continual basis, rather than failing actively. The difference between passive and active failing is key. Allow me to elaborate.

Consider the famous, though often misattributed quote: "The definition of insanity is doing the same thing over and over and expecting it to come out different." Although this statement was not made in reference to information security, its relevance to our field is striking. Pundit after pundit, expert after expert, thought leader after thought leader, conference after conference, and so on paint a dire picture regarding the state of information security. The threat landscape is imposing. The risk to organizations is real. The consequences are increasingly severe.

While there are clearly exceptions, most information security professionals hear the message loud and clear. We know that we face serious challenges that we need to overcome. We know that we face formidable problems that we need to solve. We know that the status quo is not working. Additionally, leaders and executives outside of the security profession are increasingly beginning to grasp and grapple with the gravity of the situation. True, there is still a long way to go until awareness is where it needs to be, but more and more, we as a community have the world’s attention and focus. The question is, what will we do with this attention and focus?

Will we squander our newfound attention and focus by ridiculing those who don’t yet understand? Will we fail to eloquently articulate and communicate our constructive suggestions for improvement? Will we continue to insist that every non-traditional, outside-the-box approach is folly? Or will we realize that for decades, conventional wisdom and the status quo have led us to the same results? Not surprisingly, the same approaches that have always led to disappointment continue to lead to disappointment. This is passive failure, and passive failure is not okay.

What’s missing from the hype and hysteria is action. There is plenty of talk out there, but unfortunately, there is very little action. Or to be more precise, there is far too little practical, hands-on material that security professionals can leverage as part of an effective action plan. I would argue that it’s no longer enough to stand up and speak only about the challenges and problems in the information security realm in the name of raising awareness. In my opinion, any talk also needs to spell out constructive steps for action. Practical, tangible, realistic approaches raise far more awareness than Fear, Uncertainty, and Doubt (FUD) ever have.

Will every idea, approach, technique, and methodology suggested or proposed work effectively? No, of course not. But I would argue that by doing nothing other than trying the same old approaches repeatedly, we merely continue our passive failure. Isn’t it time to try some different approaches? How will we know what might help us address challenges and solve problems if we never try anything new? This is active failure, and this is how progress is made in other professions, most notably science. If at first you don’t succeed, try, try again.

Now, am I saying that we should just throw caution to the wind and try every idea, approach, technique, and methodology we can possibly think of? No, of course not. We need to be scientific and methodical about how we approach the challenges and problems of security. It’s okay to take risks, but it’s not okay to take stupid risks.

As I’ve discussed in previous SecurityWeek pieces, “security” is not a problem that can be solved. It’s too broad, vague, and ambiguous a topic. Rather, like any formidable challenge or problem, the topic needs to be broken down into smaller problems that are solvable.

In my pieces (in SecurityWeek and elsewhere), I’ve always tried to present logical, rational, constructive steps for improving an organization’s security posture. I am not alone – there are others who do this as well. I may not always succeed in eloquently articulating my message, but I am trying to walk the walk. Many people have noticed this and have provided me with kind feedback. I am grateful to have had an opportunity to help some people through my writings. If I list the common themes of some of my pieces, I hope that it illustrates this point, as well as provides some reference, at least as a starting point, for the reader looking for action:

• Breaking security down into enumerable and achievable risks, goals, and priorities (“Is Security an Unsolvable Problem?”)

• Including additional context around alerting to facilitate better decision making and increased efficiency (“Security Operations: Moving to a Narrative-Driven Model”)

• Working towards improved information sharing, despite obstacles and resistance (“Understanding The Challenges In Information Sharing”)

• Tips and tricks to help with “Integrating Actionable Intelligence”

• Leveraging more relevant alerting (“Throw Out The Default Ruleset”)

• Capturing relevant event information before it disappears (“The Event Horizon: Examining Enterprise Security Blind Spots”)

• Remembering that “Not All Intrusions Involve Malware”

• The importance of performing root cause analysis (“Root Cause Analysis: Stop Playing Whack-a-Mole”)

• Gearing up to face the challenges of tomorrow (“Will Technology Replace Security Analysts?”)

• Considering the differing value of different data sources to security operations and incident response (“Incident Response: Focus on Big Value, Not Big Data”)

• Including the business case and expected outcome with your information security arguments (“The ‘So What?’ Factor of Information Security”)

• Keeping the signal-to-noise ratio high enough to provide value (“Security Operations, What is Your Signal-to-Noise Ratio”)

• What you do with your security budget is just as important as how large your security budget is (“Is Budget A Good Security Metric?”)

• The importance of asking the right questions (“Always Answer a Question with a Question”)

• Remembering that both collection and analysis are equally important (“Collection and Analysis: Two Sides to the Coin”)

The past few decades in the information security field have been dominated by passive failure. Clearly, not every new idea has merit, but those ideas that come about scientifically and methodically have tremendous potential to improve the state of security. Only through active failure can we as a community progress. We as security professionals can once again look to science as a model. It’s time to break the box wide open.

17-Year-Old Found Bugs in WhatsApp Web and Mobile App

Last week, the most popular mobile messaging application, WhatsApp, finally arrived on the web — dubbed WhatsApp Web — but unfortunately the web version still needs some improvements.

An independent 17-year-old security researcher, Indrajeet Bhuyan, reported two security holes in the WhatsApp web client that in some way expose its users’ privacy. Bhuyan called the first the WhatsApp Photo Privacy Bug and the second the WhatsApp Web Photo Sync Bug.

Bhuyan is the same security researcher who reported to us the vulnerability in the widely popular mobile messaging app that allowed anyone to remotely crash WhatsApp by sending a specially crafted message of just 2kb in size, resulting in the loss of conversations.

WhatsApp Photo Privacy Bug

According to him, the new WhatsApp Web allows us to view a user’s profile image even if we are not on that user’s contact list. Even if the user has set the profile image privacy setting to "Contacts Only," the profile picture can also be viewed by people who are not among the user’s contacts.

Basically, if we set the profile image privacy to Contacts Only, only the people in our contact list are able to view our profile picture, and nobody else. But this is not the case with WhatsApp Web. You can watch how this works in the video demonstration below:

WhatsApp Web Photo Sync Bug

The second security hole concerns the WhatsApp Web photo syncing functionality. Bhuyan noticed that whenever a user deletes a photo that was sent via the mobile version of the WhatsApp application, the photo appears blurred and can’t be viewed.

However, the same photo, which has already been deleted by the user from the mobile WhatsApp version, remains accessible from WhatsApp Web, as the photo does not get deleted from the web client. This reveals that the mobile and web clients of the service are not synced properly. You can also watch the video demonstration of this:

This is no surprise, as WhatsApp Web was introduced just a couple of days ago; such small security and implementation flaws are to be expected at this stage, and other bugs may well be revealed in the near future.

However, the company will surely fix the issues and make its users’ messaging experience more secure. In partnership with Open Whisper Systems, WhatsApp recently made end-to-end encryption a default feature on the Android platform, a step forward for the online privacy of its users around the world.

Wednesday, January 28, 2015

Security Experts Unite to Rewrite Proposed Cyber Laws

It didn't take long for information security professionals to take to Twitter, blogs, and social media to blast the latest White House proposals for cybersecurity legislation. A small group of civic-minded professionals is calling on the industry to stop complaining and actually do something about it.

New laws, and fixing existing laws, are important and necessary. In the days leading up to the State of the Union speech, President Obama unveiled a series of proposals for new cybersecurity laws which would protect user data, such as requiring organizations to disclose data breaches within 30 days of discovery and protecting students from aggressive data collection by educational apps and services. The proposals also called for updates to existing laws to give law enforcement more authority over cybercrimes. Information security professionals agree on the basic tenets, such as encouraging information sharing, letting law enforcement prosecute cybercrime, and protecting user privacy, J.J. Thompson, CEO and founder of Rook Security, told SecurityWeek.

"We all agree with the principles, but the current proposals are currently not set up for success," he said.

The problem lies in the fact that the proposals contain problematic language which, if left in the final legislation, would "gut our capability to respond" to data breaches and other security threats, Thompson said. The wording is vague in some areas, overly broad in others, and would leave security professionals unable to "use half of our toolset," he said. For example, a proposed change in the law around computer and cell phone spying devices would make it unlawful to manufacture, distribute, possess, or advertise "electronic communication intercepting devices." The change would limit what tools defenders can use to detect and respond to attacks, even tools such as intrusion prevention systems and packet sniffers, he said. Considering these tools are standard among Fortune 500 companies, the use of these tools would put practically all of them in violation of the law.

"If any InfoSec pro is positive about the new legislative proposal, I’ve not seen it," Jeremiah Grossman, founder and CTO of WhiteHat Security wrote on Twitter last week.

The proposals were clearly not written with much input from the information security industry or by someone who understands information security, Thompson said. To address this knowledge gap, he put the text of the White House proposal on GitHub and called on industry counterparts to make revisions and to rework the proposal into a workable alternative. Members of Congress are interested in seeing something better than what the White House currently has on the table, he said.

Giving the lawmakers a better starting point will make it more likely the final law, if passed, will be something the industry can work with.

In many areas, it is clear the writers did not use the correct terms. For example, in a section discussing data breaches, there is mention of the breached company having to conduct a risk assessment. However, it's clear that the section is actually referring to forensics, noted Thompson. Without the right verbiage, organizations would wind up doing the wrong thing just to stay compliant with the letter of the law, and there will be no improvements in security and privacy, he said.

Then there is the section for modernizing the Computer Fraud and Abuse Act, where the phrase "intentionally accesses a protected computer without authorization" could be "argued six ways by any infosec pro worth their salt," Thompson said. Each one of these words is problematic, starting with the difficulty of proving intent, the question of what constitutes access, and what exactly it means for a computer to be protected.

"The proposals aren't broken, but the wording doesn't help," Thompson said. "It makes it harder to do our jobs."

The laws proposed by the White House neglected to place the burden of protecting data and users on companies, Gabriel Gumbs, managing director of research and products at WhiteHat Security, told SecurityWeek. The rewrite effort would introduce corporate accountability as part of the breach notification process. "It would be in the best interest of all for the White House to take seriously this re-write initiative and solicit further contribution from the information security community," Gumbs said.

Thompson decided to use GitHub's collaboration features because it's a platform many people are already familiar with. Getting involved with writing legislation can be a difficult—and intimidating—effort, but looking at the repository and pulling changes are things that may be easier to ask of information security professionals, he said.

Thompson is already working with a group of like-minded information security experts who have expressed interest in the effort, but he would like to see more people check out GitHub and get involved. Putting the project on GitHub makes the rewrite transparent and gives anyone concerned about the proposed legislation a chance to fix the problem.

"Does anybody really care, or do they just want to complain?" Thompson said.

Ultra-secure Blackphone Vulnerability lets Hackers Decrypt Texts

The makers of the ultra-secure BlackPhone, billed by Silent Circle as the "world’s first Smartphone which places privacy and control directly in the hands of its users," have recently fixed a critical vulnerability in its instant messaging application that allowed hackers to run malicious code on the handsets.

BlackPhone was also hacked last year at the BlackHat security conference, but the notable aspect of the recent flaw was that an attacker needed only to send a single message to a targeted phone number in order to compromise the device.

The vulnerability was first discovered and disclosed by Mark Dowd, a principal security researcher at the Australia-based consultancy firm Azimuth Security. Dowd discovered the issue late in 2014, but waited to disclose it until Blackphone got their patches and fixes in place.

The flaw actually resides in the Silent Text application — the secure text messaging application bundled with BlackPhone handsets, which is also freely available as an Android app on the Google Play Store.

Exploiting the vulnerability would have allowed hackers to perform the following tasks:

  • Decrypt and read messages

  • Read and steal contacts

  • Monitor geographic locations of the phone

  • Write code or text to the phone's external storage

  • Enumerate the accounts stored on the device

"Successful exploitation can yield remote code execution with the privileges of the Silent Text application, which runs as a regular Android app, but with some additional system privileges required to perform its SMS-like functionality such as access to contacts, access to location information, the ability to write to external storage, and of course net access," Dowd said.

The vulnerability lay in a component known as libscimp — the BlackPhone implementation of the Silent Circle Instant Messaging Protocol (SCIMP), which runs over the Extensible Messaging and Presence Protocol (XMPP) — that contained a type of memory corruption flaw known as a type confusion vulnerability.

SCIMP is used by the creators of BlackPhone to establish a secure, end-to-end encrypted channel between people sending text messages. It also handles the transport of the encrypted data through that channel.

This SCIMP implementation, as supplied with Silent Text, contains a type confusion vulnerability, a class of bug that typically allows attackers to "directly overwrite a pointer in memory (either partially or in full), which when successfully exploited can be used to gain remote, unauthenticated access to the vulnerable device."
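As an added illustration of the bug class described above (not libscimp code and not taken from Dowd's write-up), here is a hypothetical message object whose handler trusts the kind claimed by the peer, placed beside the same handler with the kind check that prevents wire bytes from landing on a pointer; the struct layout, handler names and the constructed payload are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical message layout and handlers; not libscimp/SCIMP code. */
enum msg_kind { MSG_TEXT = 1, MSG_KEY = 2 };

struct msg {
    enum msg_kind kind;             /* fixed when the object is created */
    union {
        char text[16];              /* MSG_TEXT: inline bytes copied from the wire */
        struct { uint8_t *key; size_t key_len; } k;   /* MSG_KEY: pointer to key material */
    } u;
};

/* Vulnerable pattern: a peer-controlled field selects this handler and the
   object's real kind is never re-checked, so on a MSG_KEY object the wire
   bytes land on u.k.key (fully if n >= sizeof(void *), partially otherwise). */
static void update_text_unchecked(struct msg *m, const uint8_t *wire, size_t n)
{
    if (n > sizeof m->u.text)
        n = sizeof m->u.text;
    memcpy(m->u.text, wire, n);
}

/* Hardened pattern: check the object's kind against what the handler expects
   before touching the union, and drop oversize payloads instead of truncating. */
static int update_text_checked(struct msg *m, const uint8_t *wire, size_t n)
{
    if (m->kind != MSG_TEXT || n > sizeof m->u.text)
        return -1;                  /* reject the message */
    memcpy(m->u.text, wire, n);
    return 0;
}

static uint8_t key_material[32];    /* stands in for separately allocated key data */
static const uint8_t wire[8] = { 'A','A','A','A','A','A','A','A' };  /* constructed payload */

/* Returns 1 if the unchecked handler overwrote the key pointer of a MSG_KEY
   object; the clobbered pointer is only compared, never dereferenced. */
int demo_pointer_clobbered(void)
{
    struct msg m = { .kind = MSG_KEY, .u.k = { key_material, sizeof key_material } };
    update_text_unchecked(&m, wire, sizeof wire);
    return m.u.k.key != key_material;
}

/* Returns 1 if the checked handler rejected the same message and the key
   pointer survived intact. */
int demo_pointer_protected(void)
{
    struct msg m = { .kind = MSG_KEY, .u.k = { key_material, sizeof key_material } };
    int rc = update_text_checked(&m, wire, sizeof wire);
    return rc == -1 && m.u.k.key == key_material;
}
```

The same kind check is what a reviewer should look for wherever a union or cast is driven by a field that arrives from the network.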

Dowd has given a solid technical description on his blog, so you may refer to his blog post for a more detailed explanation of the critical vulnerability.

The vulnerability has since been patched, but it is a powerful reminder that even a vendor which, no doubt, did a lot of things right to provide strong encryption to its users has no guarantee, in this era of more complex software and advanced hacking, that its product cannot be hacked.