Bringing down the Net?

Security expert Bruce Schneier recently wrote about how someone appears to be learning how to take down the internet. We have seen plenty of companies talk about attacks on their infrastructure: breaches, hacking, stolen accounts and so on. What the companies describe this time looks less like smash-and-grab intrusions and more like systematic probing, attacks calibrated to find out how networks are defended and where they break.

It reminds me of the US’s Cold War program of flying high-altitude planes over the Soviet Union to force their air-defense systems to turn on, to map their capabilities.
– Bruce Schneier


Mac like mouse scrolling in Windows

If you’ve ever used a Mac you quickly get a feel for its natural scrolling: scroll up to move the page up and scroll down to move the page down, just as you would when sliding a piece of paper across your desk.

Back when the mouse was king, scrolling down to move the page up made sense because the scroll bar would move down; the wheel mimicked the movement of the marker in the bar. With the advent of touch screens and two-finger scrolling on Macs, it made perfect sense to move toward natural scrolling, but many complain that on a computer it neither makes sense nor feels natural. I beg to differ; it feels quite natural to me. I think of the trackpad as a flat version of the screen, like the dual screens on a Nintendo DS or a small tablet surface. Now that I have been using natural scrolling for a while I can see how the old way is actually counter-intuitive and needs to change.

I’ve gotten so used to it at work that I had to change my mouse wheel scroll settings in Windows to match, and now I’m sharing it with you so you can start scrolling more naturally too.

Open Notepad, Notepad++, or any other plain-text editor. No, Microsoft Word will not work, because it does not save plain text.

One caveat before you start: the registry path below is specific to one device. VID_045E is Microsoft’s USB vendor ID, PID_00F9 is the product ID of my mouse, and 7&319870ac&0&0001 is the instance ID Windows assigned to it. You need the path for your own mouse: in Device Manager, open the HID-compliant mouse entry, go to the Details tab, select the Device Instance Path property, and use that value in place of everything after Enum\ in the lines below. If you plug in a different mouse later, it gets its own instance ID and you will have to repeat this.

Type in the following lines for Windows 7:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\HID\VID_045E&PID_00F9&MI_01&Col02\7&319870ac&0&0001\Device Parameters]
"FlipFlopWheel"=dword:00000001

Type in the following lines for Windows 10 (FlipFlopWheel is the value that actually inverts the wheel; the rest are the defaults already present under that key on Windows 10, spelled out here in full):

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\HID\VID_045E&PID_00F9&MI_01&Col02\7&319870ac&0&0001\Device Parameters]
"FlipFlopWheel"=dword:00000001
"ForceAbsolute"=dword:00000000
"Migrated"=dword:00000001
"HScrollPageOverride"=dword:00000000
"HScrollUsageOverride"=dword:00000000
"HScrollHighResolutionDisable"=dword:00000000
"VScrollPageOverride"=dword:00000000
"VScrollUsageOverride"=dword:00000000
"VScrollHighResolutionDisable"=dword:00000000
"FlipFlopHScroll"=dword:00000000

  • Click File → Save As
  • Choose Desktop as the location and name the file InvertMouse.reg (check that the editor does not append .txt to the name)

Go to your desktop and double-click InvertMouse.reg to import it into the registry; you will be asked for administrator approval because the key lives under HKEY_LOCAL_MACHINE. The mouse driver only reads these values when the device is enumerated, so restart your computer (or unplug and replug the mouse) for the change to take effect.
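If you would rather not hunt for the device instance path by hand, the same change can be made from an elevated PowerShell prompt. The script below is an added example and not part of the original post: it walks every HID device under the Enum key, finds the Device Parameters keys that already carry a FlipFlopWheel value (only mouse-class collections have one), and sets it to 1. The -WhatIf switch is an assumed convenience so you can see what would change before writing anything.

```powershell
# Added example: invert the vertical scroll wheel for every HID mouse on this
# machine instead of hand-editing a single device instance path.
# Run from an elevated (Administrator) PowerShell; HKLM\SYSTEM is read-only otherwise.
param([switch]$WhatIf)   # assumed: pass -WhatIf to preview without writing

$hidRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\HID'

# Collect every "Device Parameters" subkey that already has a FlipFlopWheel value.
# Device Parameters keys without it belong to non-mouse HID collections
# (keyboards, consumer-control collections) and are left alone.
$mouseKeys = Get-ChildItem -Path $hidRoot -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -eq 'Device Parameters' } |
    Where-Object {
        $null -ne (Get-ItemProperty -Path $_.PSPath -Name FlipFlopWheel -ErrorAction SilentlyContinue)
    }

if (-not $mouseKeys) {
    Write-Warning "No HID mouse collections with a FlipFlopWheel value were found under $hidRoot."
    return
}

foreach ($key in $mouseKeys) {
    $current = (Get-ItemProperty -Path $key.PSPath -Name FlipFlopWheel).FlipFlopWheel
    # The parent of "Device Parameters" is the instance ID, e.g. 7&319870ac&0&0001
    $instance = Split-Path -Path (Split-Path -Path $key.PSPath -Parent) -Leaf
    Write-Output ("{0}: FlipFlopWheel {1} -> 1" -f $instance, $current)
    if (-not $WhatIf) {
        Set-ItemProperty -Path $key.PSPath -Name FlipFlopWheel -Value 1 -Type DWord
    }
}

# The mouse class driver reads Device Parameters only when the device is enumerated:
# unplug and replug the mouse, or reboot, for the new setting to take effect.
```

Run it once with -WhatIf to confirm it only lists your mice, then again without it. Because it touches every mouse collection, a docked laptop with an external mouse and a touchpad gets both flipped in one go, which is usually what you want when you are trying to match the Mac behaviour everywhere.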

Now if only mouse makers would adopt Apple’s Magic Mouse technology, or Apple would allow its mice to be used on other operating systems.

Massive WordPress Plugin Vulnerability

Sucuri disclosed a large malware campaign targeting and compromising over 100,000 WordPress sites, and growing by the hour. It was named SoakSoak due to the first domain used in the malware redirection path (soaksoak.ru).

According to Sucuri, the malware exploits a vulnerability in a slideshow plugin called Slider Revolution. The Slider Revolution team has known about the vulnerability since September, but the hole was not closed on the affected sites before attackers began stuffing it with malware at scale.

Home Depot is latest to confirm Data Breach

The home improvement retailer confirms its customers’ payment card data was breached in an incident that is believed to have begun in April, likely compromising millions of card accounts.

One of North America’s largest retailers has confirmed that it was successfully compromised in a months-long campaign by attackers, resulting in what is believed to be the compromise of millions of customer payment cards.

In a long-awaited statement issued late Monday, Home Depot acknowledged that its payment card-processing system was breached, affecting payment card data belonging to customers of stores in the U.S. and Canada.

The Atlanta-based home improvement retailer said its investigation is focusing on April 2014 forward, indicating that the breach event may have been months long, spanning from April through August or early September.

“While the company continues to determine the full scope, scale and impact of the breach, there is no evidence that debit PIN numbers were compromised,” Home Depot said in the statement. It did not reveal the number of payment card accounts that may have been compromised.

It first learned of the breach via reports from banking partners and law enforcement on the morning of Sept. 2, according to the statement, and began its investigation immediately.

The company said that following the discovery of the breach, it has taken “aggressive steps to address the malware and protect customer data,” which included hiring security vendors Symantec Corp. and FishNet Security Inc. to investigate the breach.

Investigative security journalist Brian Krebs was first to report the Home Depot breach a week ago after multiple banks informed Krebs that they had identified stolen card data purportedly originating from Home Depot retail locations for sale on a popular black market website.

Krebs reported Sunday that a source close to the Home Depot investigation revealed that the breach was at least partially caused by a new variant of the Kaptoxa or BlackPOS point-of-sale malware used in last December’s massive Target Corp. data breach, causing speculation that the same attacker or group of attackers may be behind both breaches.

While Home Depot said there is no evidence that customers’ debit card PINs were compromised, Krebs reported late Monday that banks have seen a spike in debit card fraud. He wrote that criminals are using the data stolen from Home Depot to contact banks and reset customers’ debit card PINs, then withdraw cash from ATMs using counterfeit debit cards.

Early indications suggest the Home Depot breach may dwarf the Target data breach, particularly if a four-plus-month breach event affected nearly all of the retailer’s more than 2,200 stores across the U.S. and Canada.

By comparison, the Target breach that resulted in the compromise of some 40 million payment cards reportedly lasted only three weeks last year and affected just under 1,800 stores. That breach played a role in a string of bad financial results for the company, including $146 million in breach-related expenses outside of insurance coverage, and culminated in the ousting of Target CEO Gregg Steinhafel and other long-time executives.

Original Article


Thousands of Apple devices being infected with AdThief malware

Security researcher Axelle Apvrille recently published a paper about AdThief, malware aimed at hijacking ad revenue from a reported 75,000 infected devices. First discovered in March 2014, and also known as “spat,” the malware comes disguised as a Cydia Substrate extension and was found to replace app publishers’ IDs with the malware author’s, effectively attributing all ad revenue to him.

Detection name: iOS/AdThief!tr. It hijacks advertisement revenues and redirects them to accounts owned by the attackers.

A publisher ID identifies a publisher’s account on an ad platform and is what the platform uses to track the revenue that publisher generates. By swapping the publisher’s ID for his own, the malware author was able to hijack revenue from about 22 million ads. In effect, when an infected user clicked or viewed an ad, the revenue went to the attacker instead of to the developer of the application or website.

  • Infected devices: ~75K
  • Total ad activations: ~22M
  • Daily ad activations (around 3/20/2014): ~22K

The malware was designed to target ad kits from 15 ad networks, including Google-owned AdMob and Google Mobile Ads, both representing a large share of mobile advertising at least here in the US. Other American companies targeted by AdThief are AdWhirl, MdotM, and MobClick. The remaining targeted ad networks were all from China or India.

TARGETED ADKITS

A list of the mobile adkits targeted by the malware is given in Claud Xiao’s report: YouMi, Vpon, MobClick, Umeng, AdSage/MobiSage, MdotM, InMobi, Domob, AdWhirl, AdsMogo, Google Mobile Ads SDK, AderMob, Weibo, MIX SDK and Poly SDK. The majority are Chinese, four are based in the US, and two in India.

In his report, Xiao remarks that Weibo is a popular social network in China, but is unable to attribute MIX SDK and Poly SDK more precisely. In fact, the Sina Weibo SDK, introduced in 2013, is an advertisement SDK, so that solves one mystery.

MIX SDK can be attributed to GuoHeAD. It most likely refers to the GuoHe MIX platform for cross-promotion of mobile games. This is backed up by the name of a source file left in the malware binary: /Volumes/MacOsStore/Project/IOS/SpAd/SpAd/AD_GuoHe.xm.

Finally, Poly SDK is not a new adkit: it corresponds to AderMob, which is confirmed by downloading the AderMob iOS SDK.

Hijacked advertisements in iOS/AdThief

Ad network                     URL                                   Country
AderMob                        http://adermob.renren.com/            China
AdMob and Google Mobile Ads    http://www.admob.com/                 USA
AdsMogo                        http://www.adsmogo.com/en             China
AdSage/MobiSage                http://www.adsage.com/mobiSage        China
AdWhirl                        http://www.adwhirl.com                USA
Domob                          http://domob.cn                       China
GuoHeAD                        http://www.guohead.com                China
InMobi                         http://www.inmobi.com                 India
Komli Mobile                   http://www.komlimobile.com/index      India
MdotM                          http://www.mdotm.com                  USA
MobClick                       http://www.mobclix.com                USA
UMeng                          http://www.umeng.com                  China
Vpon                           http://vpon.com                       China
Weibo                          http://us.weibo.com                   China
YouMi                          http://www.youmi.net                  China

Implementation details of adkit hooks found in iOS/AdThief.A!tr

Adkit                              Source filename        Typical class names
AderMob                            AD_Ader.xm             AderSDK*
AdMob and Google Mobile Ads SDK    AD_AdMob.xm            GAD*
AdsMogo                            AD_AdsMongo.xm         AdMoGo*
AdSage                             ?                      MobiSageAd*
AdWhirl                            AD_Adwhirl.xm          AdWhirl*
Domob                              AD_DoMob.xm            DM*
GuoHeAD                            AD_GuoHe.xm            MIXView*
InMobi                             AD_InMobi.xm           IMAd*
Komli Mobile                       AD_KomliMobile.xm      APIManager*
MdotM                              AD_MDotM.xm            MdotM*
MobClick                           ?                      MobClick*
UMeng                              AD_UMeng.xm            UMUFP*
Vpon                               AD_Vpon.xm             VponAdOn*
Weibo                              AD_Weibo.xml           DXAdHWB*
YouMi                              AD_Youmi.xm            YouMi* (delegated to Google Ads)

Conclusion

iOS/AdThief is a capable and malicious piece of code that hijacks revenue from 15 different adkits. It is built on top of the Cydia Substrate platform, available on jailbroken devices, which gives it an easy way to modify advertisement SDKs in place. With Substrate doing the injection and method swizzling, the malware only has to implement each hook and decide where to call it.

At first, identifying every adkit the malware targets was difficult because the code only mentions the class names used by each adkit SDK. However, the fact that the malware author did not strip out debugging information helped identify all 15 adkits. In particular, this is how support for Komli Mobile and GuoHeAD was detected.
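The two tables above give a practical set of indicators for this family: a Substrate tweak that references the hooked class-name prefixes of many unrelated ad networks at once, plus the leftover build path the author forgot to strip. The script below is an added example, not Fortinet’s or Xiao’s tooling, that turns those indicators into a scanner for the dylibs in a jailbroken device’s /Library/MobileSubstrate/DynamicLibraries directory. The sample binaries it scans are constructed inline, and the “three or more ad kits” threshold is an assumption chosen for illustration, since a legitimate tweak may well hook one ad SDK but has no business hooking five.

```python
"""Scan Cydia Substrate tweak binaries for iOS/AdThief hook indicators.

Added example (not Fortinet's or Claud Xiao's code). Indicators come from the
tables above: the class-name prefixes each adkit hook targets, and the debug
build path the author left in the binary.
"""
import re
import sys
from pathlib import Path

# Class-name prefixes from the "Implementation details" table; a trailing '*'
# there means "any class beginning with this prefix".
ADKIT_CLASS_PREFIXES = {
    "AderMob": "AderSDK",
    "AdMob/Google Mobile Ads": "GAD",
    "AdsMogo": "AdMoGo",
    "AdSage/MobiSage": "MobiSageAd",
    "AdWhirl": "AdWhirl",
    "Domob": "DM",
    "GuoHeAD": "MIXView",
    "InMobi": "IMAd",
    "Komli Mobile": "APIManager",
    "MdotM": "MdotM",
    "MobClick": "MobClick",
    "UMeng": "UMUFP",
    "Vpon": "VponAdOn",
    "Weibo": "DXAdHWB",
    "YouMi": "YouMi",
}
# Substrate tweaks look classes up by name, so the hooked class names appear as
# plain C strings. Anchor on the whole string to keep short prefixes like "DM"
# from matching arbitrary text that merely contains them.
_CLASS_PATTERNS = {
    kit: re.compile(rb"^" + re.escape(prefix.encode()) + rb"[A-Za-z0-9_]*$")
    for kit, prefix in ADKIT_CLASS_PREFIXES.items()
}
# Unstripped debug path quoted in the write-up above.
DEBUG_PATH_RE = re.compile(rb"/Volumes/MacOsStore/Project/IOS/SpAd/")
PRINTABLE_RUN_RE = re.compile(rb"[\x20-\x7e]{4,}")
MIN_KITS_FOR_ALERT = 3  # assumed threshold: one hooked adkit can be legitimate


def extract_strings(data):
    """Return printable ASCII runs of 4+ bytes, like the `strings` utility."""
    return PRINTABLE_RUN_RE.findall(data)


def scan_blob(data):
    """Score one binary. Returns which adkits its strings reference and why."""
    hits = {}
    for s in extract_strings(data):
        for kit, pattern in _CLASS_PATTERNS.items():
            if pattern.match(s):
                hits.setdefault(kit, set()).add(s.decode("ascii"))
    debug_path = DEBUG_PATH_RE.search(data) is not None
    return {
        "adkits": sorted(hits),
        "classes": {kit: sorted(names) for kit, names in hits.items()},
        "debug_path": debug_path,
        "suspicious": debug_path or len(hits) >= MIN_KITS_FOR_ALERT,
    }


def scan_dylib_dir(directory):
    """Scan every .dylib in a Substrate DynamicLibraries directory."""
    return {p.name: scan_blob(p.read_bytes())
            for p in sorted(Path(directory).glob("*.dylib"))}


# Constructed sample binaries (NUL-separated C strings after a Mach-O magic),
# not real AdThief samples. The first mimics the malware: hooks for five
# unrelated adkits plus the leaked build path. The second mimics a benign tweak.
SUSPICIOUS_TWEAK = b"\x00".join([
    b"\xcf\xfa\xed\xfe", b"GADBannerView", b"GADRequest", b"AderSDKView",
    b"MobClickAdView", b"IMAdView", b"UMUFPView",
    b"/Volumes/MacOsStore/Project/IOS/SpAd/SpAd/AD_GuoHe.xm", b"publisherID",
])
BENIGN_TWEAK = b"\x00".join([
    b"\xcf\xfa\xed\xfe", b"GADBannerView", b"SBIconView", b"MyTweak",
])

if __name__ == "__main__":
    # Usage: python adthief_scan.py [/Library/MobileSubstrate/DynamicLibraries]
    if len(sys.argv) > 1:
        for name, result in scan_dylib_dir(sys.argv[1]).items():
            flag = "SUSPICIOUS" if result["suspicious"] else "ok"
            print(f"{flag:10} {name}: adkits={result['adkits']} debug_path={result['debug_path']}")
    else:
        for label, blob in (("suspicious", SUSPICIOUS_TWEAK), ("benign", BENIGN_TWEAK)):
            print(label, scan_blob(blob))
```

Copy the DynamicLibraries directory off the device (over SSH, for instance) and point the script at it; anything flagged deserves a closer look in a disassembler, where the publisher-ID replacement itself will be visible in the hooked methods. The class-prefix heuristic is deliberately coarse: the "DM" prefix in particular will hit unrelated strings, which is why the verdict also keys on breadth (many adkits at once) and on the build path rather than on any single match.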

Links

  • Get the bulletin here
  • Read Claud Xiao’s report here