Timesdelhi.com

January 18, 2019
Category archive

Hack

Decrypted Telegram bot chatter revealed as new Windows malware


Sometimes it takes a small bug in one thing to find something massive elsewhere.

During a recent investigation, security firm Forcepoint Labs said it found a new kind of malware that was taking instructions from a hacker sending commands over the encrypted messaging app Telegram.

The researchers described their newly discovered malware, dubbed GoodSender, as a “fairly simple” Windows-based malware that’s about a year old, which uses Telegram as the method to listen and wait for commands. Once the malware infects its target, it creates a new administrator account and enables remote desktop — and waits. As soon as the malware infects, it sends back the username and randomly generated password to the hacker through Telegram.

It’s not the first time malware has used a commercial product to communicate with malware. If it’s over the internet, hackers are hiding commands in pictures posted to Twitter or in comments left on celebrity Instagram posts.

But using an encrypted messenger makes it far harder to detect. At least, that’s the theory.

Forcepoint said in its research out Thursday that it only stumbled on the malware after it found a vulnerability in Telegram’s notoriously bad encryption.

End-to-end messages are encrypted using the app’s proprietary MTProto protocol, long slammed by cryptographers for leaking metadata and having flaws, and likened to “being stabbed in the eye with a fork.” Its bots, however, only use traditional TLS — or HTTPS — to communicate. The leaking metadata makes it easy to man-in-the-middle the connection and abuse the bots’ API not only to read bot sent-and-received messages, but also to recover the full messaging history of the target bot, the researchers say.

When the researchers found the hacker using a Telegram bot to communicate with the malware, they dug in to learn more.

Fortunately, they were able to trace back the bot’s entire message history to the malware because each message had a unique message ID that increased incrementally, allowing the researchers to run a simple script to replay and scrape the bot’s conversation history.

The GoodSender malware is active and sends its first victim information. (Image: Forcepoint)

“This meant that we could track [the hacker’s] first steps towards creating and deploying the malware all the way through to current campaigns in the form of communications to and from both victims and test machines,” the researchers said.

Your bot uncovered, your malware discovered — what can make it worse for the hacker? The researchers know who they are.

Because the hacker didn’t have a clear separation between their development and production workspaces, the researchers say they could track the malware author because they used their own computer and didn’t mask their IP address.

The researchers could also see exactly what commands the malware would listen to: take screenshots, remove or download files, get IP address data, copy whatever’s in the clipboard, and even restart the PC.

But the researchers don’t have all the answers. How did the malware get onto victim computers in the first place? They suspect the hacker used the so-called EternalBlue exploit, a hacking tool designed to target Windows computers, developed by and stolen from the National Security Agency, to gain access to unpatched computers. And they don’t know how many victims there are, except that there are likely more than 120 victims in the U.S., followed by Vietnam, India, and Australia.

Forcepoint informed Telegram of the vulnerability. TechCrunch also reached out to Telegram’s founder and chief executive Pavel Durov for comment, but didn’t hear back.

If there’s a lesson to learn? Be careful using bots on Telegram — and certainly don’t use Telegram for your malware.

News Source = techcrunch.com

Fortnite bugs put accounts at risk of takeover


With one click, any semi-skilled hacker could have silently taken over a Fortnite account, according to a cybersecurity firm that says the bug is now fixed.

Researchers at Check Point say the three vulnerabilities chained together could have affected any of its 200 million players. The flaws, if exploited, would have stolen the account access token set on the gamer’s device once they’ve entered their password.

Once stolen, that token could be used to impersonate the gamer and log in as if they were the account holder, without needing their password.

The researchers say that the flaw lies in how Epic Games, the maker of Fortnite, handles login requests. Researchers said they could send any user a crafted link that appears to come from Epic Games’ own domain and steal an access token needed to break into an account.

Check Point’s Oded Vanunu explains how the bug works. (Image: supplied)

“It’s important to remember that the URL is coming from an Epic Games domain, so it’s transparent to the user and any security filter will not suspect anything,” said Oded Vanunu, Check Point’s head of products vulnerability research, in an email to TechCrunch.

Here’s how it works: the user clicks on a link, which points to an epicgames.com subdomain, in which the hacker embeds a link to malicious code on their own server by exploiting a cross-site weakness in the subdomain. Once the malicious script loads, unbeknownst to the Fortnite player, it steals their account token and sends it back to the hacker.

“If the victim user is not logged into the game, he or she would have to login first,” said Vanunu. “Once that person is logged in, the account can be stolen.”

Epic Games has since fixed the vulnerability.

“We were made aware of the vulnerabilities and they were soon addressed,” said Nick Chester, a spokesperson for Epic Games. “We thank Check Point for bringing this to our attention.”

“As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others,” he said.

When asked, Epic Games would not say if user data or accounts were compromised as a result of this vulnerability.

News Source = techcrunch.com

Flaws in Amadeus’ airline booking system made it easy for hackers to change passenger records


You might not know Amadeus by name, but hundreds of millions of travelers use it each year.

Whether you’re traveling for work or vacation, most consumers book their flights through one of a handful of bespoke reservation systems used across the commercial aviation industry. Amadeus is one of the largest reservation systems, serving customers of Air France, British Airways, Icelandair, and Qantas and more. And each reservation system has to be able to talk to each other through the global distribution system backchannel.

Without these interconnected systems, most governments have no idea who’s coming and going.

Even in this day and age of passwords for everything and facial recognition at the departure gate, all that sits between you and someone rebooking a flight is a passenger’s surname and the booking reference on your ticket, known as the passenger name record — or PNR.

But these outdated and archaic passenger records systems needed to share travelers’ data internationally never considered security on the scale that’s needed today, and are woefully inadequate in keeping passenger records safe.

Israeli security researcher Noam Rotem knows all too well.

He found that any airline using Amadeus made it easy to edit and change someone’s reservation with just their booking reference number. No surname needed. In some cases, he didn’t even need to obtain someone’s booking number.

Rotem explained in a write-up, shared with TechCrunch before his public disclosure, that he could plug in anyone’s booking reference in a buggy web address on Israeli airline El Al’s website — in spite of being required to enter a surname on the website’s check-in page.

That not only lowers the bar for someone wanting to manipulate a person’s booking, such as changing seats and rerouting frequent miler numbers, said Rotem, but it’s also easy to obtain a person’s personal information, such as their phone number, and email and home addresses, from the airline.

How secure is the six-digit booking reference itself? History says that it’s still far too easy to obtain.

If your six-digit booking reference isn’t already on your boarding pass, ticket or luggage tag, you’ll still find it embedded in the barcode. That barcode, decrypted several years ago, can be easily read by most mobile barcode apps, making it easy for criminals to walk around the check-in area or departure lounge and scan a photo of your ticket when you’re not looking.

Worse, the average hacker wouldn’t have to leave their house. Dozens of people post their boarding passes — and their barcodes — to Twitter and Instagram every day, under the hashtags #boardingpass and #planetickets.

Some of the many boarding passes posted to Twitter and Instagram in a single day. (Image: TechCrunch)

But Rotem said that inherent weaknesses in how reservation systems generate passenger name record numbers in the first place made it easy to brute-force any Amadeus-linked airline website with a hacker’s own generated booking references.

Because Amadeus’ system didn’t limit how many requests could be processed at any given time, Rotem could run a script generating booking references at random, which he says were “simply guessed,” then plugging them into the vulnerable web address and waiting for a positive response to return. In some cases, the script found booking references attached to real customers. Because parts of each Amadeus-generated booking reference are sequential, it is easy to continue the attack on passengers with similar or the same surname. And, there were no rate limits, allowing the researcher to run as many requests each minute as he wanted, speeding up the process. (TechCrunch saw a short video of the script generating booking reference numbers, but didn’t verify any as logging in with someone else’s booking reference would be unlawful.)

A skilled attacker could, for example, use this technique to book their own flights or siphon off accumulated air miles. A bored hacker, however, could wreak havoc on any number of passengers’ credit cards.

In all, Amadeus’ website claims it supports more than 200 airlines. We were curious how far the vulnerability went.

Using cookie data collected from El Al, TechCrunch was able to find dozens of other affected airlines using data collected by RiskIQ, a cyber threat intelligence firm, which scours the web for information. “During RiskIQ’s crawls, our crawlers act like the browser they are instructed to emulate, which means they will maintain cookies and other site-specific metadata,” said Yonathan Klijnsma, a threat researcher at RiskIQ.

We reached out to several of the larger airlines believed to be affected by the vulnerability, but nobody from Air France, British Airways, Icelandair, and Qantas commented when reached prior to publication.

When reached, Amadeus confirmed it was alerted to an issue and took “immediate action,” said a spokesperson. “We are working closely with our customers and we regret any disruption this situation may have caused.”

“We work with our customers and partners in the industry to address PNR security overall. The airline industry relies on IATA standards that were introduced to improve efficiency and customer service on a global scale. Because the industry works on common industry standards, including the PNR, further improvements should include reviewing and changing some of the industry standards themselves, which requires industry collaboration,” the statement added. “At Amadeus, we give security the highest priority and are constantly monitoring and updating all of our products and systems.”

Rotem suggested bot protection mechanisms and limits to how many requests can be submitted during a certain period of time could prevent automated attacks in the future, but that the underlying problems remain. That isn’t likely to change without an industry-wide effort to change how reservations are made.
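
One way to implement the request limits Rotem suggests, as an added example that is not from the article, Amadeus or any airline: a per-client sliding-window guard that caps lookups and blocks a client after repeated misses on non-existent references. The thresholds, class and function names, booking references and addresses are all constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed window length
MAX_LOOKUPS = 10      # assumed per-client cap inside one window
MAX_MISSES = 5        # assumed cap on lookups of non-existent references


class LookupGuard:
    """Per-client sliding-window limiter for booking-reference lookups."""

    def __init__(self, known_refs):
        self.known_refs = set(known_refs)
        self.events = defaultdict(deque)   # client -> deque of (timestamp, hit)
        self.blocked = set()

    def check(self, client, ref, now):
        """Return 'ok', 'not_found', 'rate_limited' or 'blocked' for one request."""
        if client in self.blocked:
            return "blocked"
        window = self.events[client]
        # Drop events that have aged out of the window.
        while window and now - window[0][0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_LOOKUPS:
            return "rate_limited"
        hit = ref in self.known_refs
        window.append((now, hit))
        misses = sum(1 for _, was_hit in window if not was_hit)
        if misses > MAX_MISSES:
            # Many guesses at references that do not exist: enumeration pattern.
            self.blocked.add(client)
            return "blocked"
        return "ok" if hit else "not_found"


def replay(requests, known_refs):
    """Run constructed (timestamp, client, ref) tuples through the guard."""
    guard = LookupGuard(known_refs)
    return [(client, ref, guard.check(client, ref, ts)) for ts, client, ref in requests]


# Constructed sample data: made-up references and documentation-range addresses.
KNOWN = {"AB12CD", "ZX98YW"}
SAMPLE = [(0, "198.51.100.7", "AB12CD")]                            # ordinary passenger
SAMPLE += [(i, "203.0.113.9", f"QQ{i:04d}") for i in range(1, 9)]   # rapid guesses
SAMPLE += [(70, "198.51.100.7", "AB12CD")]                          # passenger returns

if __name__ == "__main__":
    for row in replay(SAMPLE, KNOWN):
        print(row)
```

Keying on a single client address only slows a source that does not rotate addresses, so a site-wide alarm on the overall miss rate is a useful complement.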

In reality, we’re stuck with PNR for a while — and it’s a problem that’s not going away any time soon.


Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755–8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.

News Source = techcrunch.com

Daily Crunch: Bing has a child porn problem


The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories.

1. Microsoft Bing not only shows child pornography, it suggests it

A TechCrunch-commissioned report has found damning evidence on Microsoft’s search engine. Our findings show a massive failure on Microsoft’s part to adequately police its Bing search engine and to prevent its suggested searches and images from assisting pedophiles.

2. Unity pulls nuclear option on cloud gaming startup Improbable, terminating game engine license

Unity, the widely popular gaming engine, has pulled the rug out from underneath U.K.-based cloud gaming startup Improbable and revoked its license — effectively shutting them out from a top customer source. The conflict arose after Unity claimed Improbable broke the company’s Terms of Service and distributed Unity software on the cloud.

3. Improbable and Epic Games establish $25M fund to help devs move to ‘more open engines’ after Unity debacle

Just when you thought things were going south for Improbable, the company inked a late-night deal with Unity competitor Epic Games to establish a fund geared toward open gaming engines. This begs the question of how Unity and Improbable’s relationship managed to sour so quickly after this public debacle.

4. The next phase of WeChat 

WeChat boasts more than 1 billion daily active users, but user growth is starting to hit a plateau. That’s been expected for some time, but it is forcing the Chinese juggernaut to build new features to generate more time spent on the app to maintain growth.

5. Bungie takes back its Destiny and departs from Activision 

The creator behind games like Halo and Destiny is splitting from its publisher Activision to go its own way. This is good news for gamers, as Bungie will no longer be under the strict deadlines of a big gaming studio that plagued the launch of Destiny and its sequel.

6. Another server security lapse at NASA exposed staff and project data

The leaking server was — ironically — a bug-reporting server, running the popular Jira bug triaging and tracking software. In NASA’s case, the software wasn’t properly configured, allowing anyone to access the server without a password.

7. Is Samsung getting serious about robotics? 

This week Samsung made a surprise announcement during its CES press conference and unveiled three new consumer and retail robots and a wearable exoskeleton. It was a pretty massive reveal, but the company’s look-but-don’t-touch approach raised far more questions than it answered.

News Source = techcrunch.com

A simple bug makes it easy to spoof Google search results into spreading misinformation


A bug that anyone can easily exploit in Google makes it easy to kick out manipulated search results that look entirely real.

The search manipulation bug was documented by Wietze Beukema, a London-based security specialist, who warned that a malicious user could use this bug to generate misinformation.

This is done by splicing together values from a Google search result’s “knowledge graph,” the cards that pop up in search results to supplement the search query with visuals and quick facts. Anything from countries, planets, tech news sites and more have cards that appear on the right-side of Google’s search results, displaying other nuggets of information at a glance.

In a blog post, Beukema explained that the short, shareable URL when entered into a Google search result could be chopped and added to the web address of any other search query.

So, when you’d search: “What is the capital of Britain,” you’d expect London to return. Actually, you can make it any value — such as Mars.

It also works if you search “Who is the US president?” You can just manipulate the result to read “Snoop Dogg.”

A bug makes it easy to put the contents of a knowledge card into a search result. (Image: TechCrunch)

The manipulated search query doesn’t break HTTPS, so anyone can craft a link, send it in an email, tweet it out or share it on Facebook — and the recipient, one assumes, would be none the wiser. But that can be a real problem in an age of mistrust of internet companies after misinformation campaigns by nation-state actors.

Beukema warned that this search manipulation bug could be used to spread factually incorrect information, or even propaganda.

“Who is responsible for 9/11?” can be pointed to George Bush, a widely held conspiracy theory. “Where was Barack Obama born?” can be pointed to Kenya, another conspiracy theory largely propagated by his successor, Donald Trump, who later backtracked on the claim.

And even, “Which party should I vote for?” can be pointed to either the Republicans or the Democrats.

No wonder so many people think the election was rigged if they think they can click a button and have a search engine tell them who to vote for.

Beukema told TechCrunch that anyone can “generate normal-looking Google URLs that make controversial assertions,” which can “either look bad on Google, or worse, people will accept them as being true.”

He said that he first reported the bug to Google in December 2017, but the report was closed without the company taking any action.

“The ‘attack’ I described relies on this trust people have in Google and the facts it presents,” he said.

The bug is still active at the time of writing. In fact, it’s been known about for almost three years. Beukema simply brought the issue to light after first discovering the issue more than a year ago. But it’s already sparked interest from the hacker community. One developer, Lucas Miller, took just a few hours to build a Python script to automatically generate fake results based on search queries.

It’s a mystery why Google, despite claims of political bias (though no evidence to say it’s true), has taken so long to fix a basic weakness in its search results that would make the service far more trustworthy.

A Google spokesperson told TechCrunch that it was “working to fix” the issue.

News Source = techcrunch.com
