NEWS FROM THE LAB - January 2015


Thursday, January 29, 2015

Apple iOS 8.1.3 Terms and Conditions Posted by Sean @ 13:18 GMT

This may already be old news, since everybody always reads the terms and conditions of the software they install. But we sometimes don't, and we think this section of the iOS 8.1.3 terms is of interest.


iOS 8.1.3 Terms, Privacy

The Location Services part we had kind of assumed.

iOS 8.1.3 Terms, zip code and location

But automatically including your zip code? New to us. We didn't notice that bit earlier.

Anyway… now you know.


Tuesday, January 27, 2015

Low Hanging Fruit: Flash Player Posted by Sean @ 17:13 GMT

A new Flash Player version is now available.

Flash Player Versions

In Windows, you can check what version you have installed via Flash's Control Panel applet.

Settings Manager, Flash Player

According to Adobe Security Advisory APSA15-01, users who have auto-update enabled will have received the update starting on January 24th. Those who download manually had to wait a couple of days.

Adobe Bulletin CVE-2015-0311

We're not exactly sure why the manual downloads were delayed, but whatever the reason, auto-update is recommended.

And more than that: at this point, we recommend enabling "click-to-play" options. Here's an example from Firefox with the Flash plugin set to "Ask to Activate".

Firefox, Flash, Ask to Activate

Google Chrome also offers options in its "advanced" settings.

Why do we recommend click-to-play? Because Flash Player is currently the application most aggressively targeted by exploit kits.

Here are some stats from last week. You can see that Angler, which was exploiting a Flash Player zero-day vulnerability, was leading the exploit kit market.


Finland:

Exploit Kits, January 2015 FI

Germany:

Exploit Kits, January 2015 DE

United Kingdom:

Exploit Kits, January 2015 UK

And Angler was number one in several other regions as well.

So, update your Flash Player, set it to auto-update, and configure click-to-play.

Updated to add on February 2nd:

There's another zero-day Flash Player vulnerability being actively exploited in the wild. Adobe has issued a security advisory, and yet another update is due this week.

Meanwhile, seriously, consider click-to-play options! Here's how via How-To Geek. (A hat tip to @Bart for the link.)


Monday, January 19, 2015

USA's Double Standard: Don't Hack Like the USA Posted by Sean @ 14:23 GMT

Here's a list of companies allegedly hacked by the United States of America:

  •  RealTek
  •  JMicron
  •  C-Media

Hacked by the USA

And why did the United States hack three Taiwanese technology companies?

To steal code-signing certificates (and their private keys) in order to sign the drivers used by Stuxnet and Duqu.

Here's a company allegedly hacked by North Korea:

  •  Sony Pictures

Hacked by North Korea?

Now where do you suppose the DPRK got the crazy idea that it was okay to hack companies and steal their data?


From DER SPIEGEL: The Digital Arms Race: NSA Preps America for Future Battle


Thursday, January 15, 2015

Security and Military Experts Fall For "Open" Wi-Fi Posted by Sean @ 14:31 GMT

Seems like just about everybody will use "open" Wi-Fi — even Swedish security experts.

Open Guest

A case of do as I say, not as I do?

From Ars Technica: Activist pulls off clever Wi-Fi honeypot to protest surveillance state

A link to our own Wi-Fi experiment report can be found here.


Wednesday, January 14, 2015

The Conscience of a Hacker Posted by Sean @ 18:44 GMT

The Conscience of a Hacker — written just over 29 years ago.

The Conscience of a Hacker

It could have been written yesterday. Read the rest here.

More context here.


Thursday, January 8, 2015

One Definitive Prediction For 2015 Posted by Sean @ 18:51 GMT

As Carl Sagan used to say, extraordinary claims require extraordinary evidence. And recently, the public has been asked to believe one particularly extraordinary claim: that North Korea attacked Sony Pictures Entertainment and destroyed an incredible amount of its data. So far, no extraordinary evidence has been offered.

Much of the "evidence" that has been offered has come from anonymous senior US officials, most of whom are reportedly not actively involved in the FBI's investigation.

And the FBI itself? Well, Director James Comey's position can be summed up rather simply as… trust us. But many in the information security industry don't trust Comey's position, an attitude that he has reportedly attributed to "post-Snowden mistrust". He apparently fails to realize that in many circles mistrusting US government conclusions long pre-dates Edward Snowden.

Whoever hacked Sony Pictures Entertainment may never be known. But no matter who is responsible, what's especially enlightening about this case is the US government's "trust us" stance. It demonstrates a continued lack of respect for the intelligence of US citizens and of other people around the world.

Trust is an act of faith. But trust in government shouldn't require a leap of faith. Trust in extraordinary claims, in the face of murky and apparently contradictory information, is simply a leap too far. And so, the Obama administration's rush to judge North Korea despite the lack of any real evidence brings us to our unfortunate prediction for 2015.

Prediction: Section 215 and Section 206 of the USA PATRIOT Act and Section 6001 of the Intelligence Reform and Terrorism Prevention Act will be reauthorized before their June 1, 2015 expiration date.

Post-Snowden, it appeared as though the controversial provisions might lack the political support needed to avoid sunset. But now, we are confident that Washington D.C. will act to protect itself from "nation state cyber-terrorism" and will renew them after all.

Don't expect reform in 2015. The violation of your digital freedom will continue. Expect the reauthorization within 144 days from now. Mark your calendars.


P.S. Bonus speculation!

You can track "cyber"-related legislation at [link omitted]. Keep an eye out for new Clipper chips and/or other backdoor mandates.


Wednesday, January 7, 2015

The Connections Between MiniDuke, CosmicDuke and OnionDuke Posted by Artturi @ 14:38 GMT

In September, we blogged about CosmicDuke leveraging timely political topics to deceive the recipient into opening a malicious document. After a more detailed analysis of the files, we made two major discoveries.

Based on emails that we found from VirusTotal, at least one European Ministry of Foreign Affairs has been targeted. Here is a redacted version of one of the emails:

Screenshot of malicious email

It’s heartwarming to see how kind the attackers are: when you open the email attachment, the Word document helps you enable macros by instructing you to click ‘Enable Content’.

Screenshot of exploit document

Once the victim enables macros the system gets infected with CosmicDuke, which brings us to our second discovery: in addition to the usual infostealer features, the CosmicDuke executables also install MiniDuke.

In our analysis released in July we mentioned that CosmicDuke seems to be connected to MiniDuke because both malware families use the same loader which has been exclusively used by the MiniDuke group. The CosmicDuke samples that infect the system with MiniDuke give us further evidence that the same actor is behind both malware families.

Looking at the targets of malware campaigns often helps us understand who might be behind the operations. In this sense, CosmicDuke is quite interesting. The malware has a distinctly dual nature: it targets people involved with illegal substances but also high-profile organizations like government agencies. This same kind of duality can also be seen in a related case, OnionDuke. When we first blogged about OnionDuke in November, we mentioned that OnionDuke is connected to MiniDuke through the use of shared command and control infrastructure. We also mentioned that OnionDuke appears to be used for two distinct purposes: in targeted attacks against high-profile targets such as government agencies and interestingly also in mass infection campaigns against Tor users and downloaders of torrent files. Further research has shown that not only can the victims of OnionDuke be clearly divided into two groups, but the versions of OnionDuke used and the command and control infrastructure used are also similarly divisible.

In the mass infection campaigns of OnionDuke, the attackers have used compromised web servers and free hosting providers for command and control. In these campaigns, the victim computer has been infected with a limited backdoor version of OnionDuke whose main purpose is to contact the C&C server to download and execute additional components. These downloaded components then perform tasks such as collecting system information and user credentials. By contrast, in the attacks on high-profile targets, the C&C infrastructure used by OnionDuke has been owned and operated solely by the attackers. This infrastructure is also largely shared with known MiniDuke infrastructure. In these cases, the attackers have used a much more full-featured version of OnionDuke that doesn't need to download any additional components to perform its tasks. Importantly, this division of tactics aligns perfectly with the division of victims.

We have shown a connection between MiniDuke, OnionDuke, and CosmicDuke. We have also observed an interesting duality in the uses of OnionDuke and CosmicDuke. The question then is: what does all this mean? As Kaspersky pointed out in their excellent blog post, one explanation is that CosmicDuke is used as a "legal spyware" tool by law enforcement agencies, and interestingly Kaspersky observed "victims" involved with illegal substances only in Russia. Our data supports this observation. Moreover, none of the high-profile targets of CosmicDuke that we've seen have been from Russia, but what these targets have in common is that their interests aren't exactly aligned with Russia's. Similar distinctions hold true for OnionDuke, suggesting it may be part of the same "collection" of spyware tools. Considering that the victims of the law enforcement use case seem to be from Russia, and that none of the high-profile victims are exactly pro-Russian, we believe that a Russian government agency is behind these operations.

Sample hashes (SHA-1):

"EU sanctions against Russia over Ukraine crisis" .docm: 82448eb23ea9eb3939b6f24df46789bf7f2d43e3
"A Scottish 'Yes' to independence" .docm: c86b13378ba2a41684e1f93b4c20e05fc5d3d5a3
32-bit dropper DLL: 241075fc1493172c47d881bcbfbf21cfa4daa42d
64-bit dropper DLL: 51ac683df63ff71a0003ca17e640bbeaaa14d0aa
CosmicDuke-MiniDuke combo: 7ad1bef0ba61dbed98d76d4207676d08c893fc13
OnionDuke limited backdoor: b491c14d8cfb48636f6095b7b16555e9a575d57f
OnionDuke full backdoor: d433f281cf56015941a1c2cb87066ca62ea1db37

Post by Timo (@TimoHirvonen) and Artturi (@lehtior2)
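As an added example (this is not code from the original post, nor F-Secure's own tooling), here is a small Python triage script that turns two details of the post into checks a responder can run over a directory of files: it matches file SHA-1 hashes against the sample hashes listed above, and it flags Office documents by content rather than extension, i.e. any OOXML zip container carrying a vbaProject.bin part, which is what a macro-bearing .docm like the "Enable Content" lure looks like on disk. The three sample files the script builds for itself are constructed placeholders with no real macro code; the file names are invented.

```python
"""Offline triage helper for the indicators in this post.

Added example, not F-Secure's own tooling. Two checks a responder would
want after reading the post: (1) match SHA-1 hashes against the sample
hashes listed above, (2) flag Office documents that carry a VBA project
(the CosmicDuke lure is a .docm that asks the user to click
'Enable Content'). The files built by build_constructed_samples() are
constructed stand-ins; none of them is a real Duke sample.
"""
import hashlib
import os
import tempfile
import zipfile

# SHA-1 indicators from the post (40 hex characters, hence SHA-1).
DUKE_SHA1 = {
    "82448eb23ea9eb3939b6f24df46789bf7f2d43e3": "CosmicDuke .docm (EU sanctions lure)",
    "c86b13378ba2a41684e1f93b4c20e05fc5d3d5a3": "CosmicDuke .docm (Scottish 'Yes' lure)",
    "241075fc1493172c47d881bcbfbf21cfa4daa42d": "CosmicDuke 32-bit dropper DLL",
    "51ac683df63ff71a0003ca17e640bbeaaa14d0aa": "CosmicDuke 64-bit dropper DLL",
    "7ad1bef0ba61dbed98d76d4207676d08c893fc13": "CosmicDuke-MiniDuke combo",
    "b491c14d8cfb48636f6095b7b16555e9a575d57f": "OnionDuke limited backdoor",
    "d433f281cf56015941a1c2cb87066ca62ea1db37": "OnionDuke full backdoor",
}


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-1 so large samples need not fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def is_known_duke_sample(sha1_hex):
    """Exact-hash IOC match; case-insensitive on the hex string."""
    return sha1_hex.lower() in DUKE_SHA1


def has_vba_project(path):
    """True if the file is an OOXML container with a VBA project part.

    .docm/.docx/.xlsm/... are zip files; macro code is stored in a part named
    vbaProject.bin (under word/, xl/ or ppt/). The check is by content, not
    by extension, so a renamed file is still caught.
    """
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as container:
        return any(name.lower().endswith("vbaproject.bin")
                   for name in container.namelist())


def triage(root):
    """Walk root and return (path, sha1, reason) for each suspicious file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            sha1_hex = sha1_of_file(path)
            if is_known_duke_sample(sha1_hex):
                findings.append((path, sha1_hex, "IOC match: " + DUKE_SHA1[sha1_hex]))
            elif has_vba_project(path):
                findings.append((path, sha1_hex, "Office document carries a VBA project"))
    return findings


def build_constructed_samples(root):
    """Write three constructed files into root and return their paths.

    The 'macro' document mimics the structure of a .docm (it has a
    vbaProject.bin part) but contains no real macro code. File names are invented.
    """
    macro_doc = os.path.join(root, "EU sanctions against Russia.docm")
    with zipfile.ZipFile(macro_doc, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"constructed placeholder, not a VBA project")
    clean_doc = os.path.join(root, "agenda.docx")
    with zipfile.ZipFile(clean_doc, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    plain = os.path.join(root, "notes.txt")
    with open(plain, "wb") as f:
        f.write(b"nothing to see here")
    return {"macro": macro_doc, "clean": clean_doc, "plain": plain}


def demo():
    """Build the constructed samples in a temp directory and triage them."""
    root = tempfile.mkdtemp(prefix="duke_triage_")
    samples = build_constructed_samples(root)
    return {"samples": samples, "findings": triage(root)}


if __name__ == "__main__":
    result = demo()
    for path, sha1_hex, reason in result["findings"]:
        print(sha1_hex, reason, os.path.basename(path))
```

Running the script on its own constructed files reports exactly one finding, the macro-bearing document. The hash match only catches the exact files listed in the post; the vbaProject.bin check is the part that generalises to the next lure. For real documents, a tool such as olevba from the oletools package will also extract the macro code itself, which this script deliberately does not attempt.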