Monthly Archives: November 2014

Google open sources network traffic security testing tool

As of Tuesday, a tool created by Google to test network traffic security has been open sourced.

The technology, called “nogotofail,” is meant to “provide an easy way to confirm that devices and applications you are using are safe against known TLS/SSL vulnerabilities and misconfigurations,” Android security engineer Chad Brubaker wrote on Google’s security blog that day.

Nogotofail is able to test any internet-connected device, Brubaker explained, including those running Android, iOS, Linux, Windows, Chrome OS and OSX.

With the move, Android Security Team, which developed nogotofail, opens the source code of the technology “so anyone can test their applications, contribute new features, provide support for more platforms, and help improve the security of the internet,” Brubaker said.


Via: scmagazine

Microsoft Teams Up With Dropbox

Scoot over, OneDrive for Business. Today Microsoft and Dropbox announced a partnership that will see Dropbox better support Microsoft’s Office suite, and the latter better integrate into the product stack of the storage firm.

The news comes after Box, another enterprise-facing storage firm, integrated with Office 365, Microsoft’s Office-as-a-service solution, and OneDrive improved its product mix with unlimited storage.

The deal has four main parts: Quickly editing Office docs from the Dropbox mobile app, accessing Dropbox docs from Office apps, sharing Dropbox links of Office apps, and the creation of first-party Dropbox apps for Microsoft’s mobile offerings.

Surprised? Hold it in. Microsoft can still sell Office 365 without pushing OneDrive or OneDrive for Business, allowing it to vend a service option to the myriad companies and individuals that use Dropbox. Both companies, reached on the phone, were impressed by how large Dropbox is — 80,000 paying businesses, and hundreds of millions of users. Not that Microsoft wouldn’t prefer that OneDrive was bigger; it just isn’t.

As such, Microsoft can’t leave out Dropbox: It’s the defacto cloud storage play, and Microsoft wants to sell into the cloud space; if Office 365 is going to be the cloud play for productivity, what choice did it have?

Let’s talk about king-making. Box had to integrate on its own. This deal is much more. Both companies vociferously declined to comment on if either party was paying either party, so presume that Microsoft is paying the smaller firm. Windows Phone apps don’t spring from the mists. Microsoft is knighting Dropbox. If you use Office, and are in a large corporation, and want to snag a popular cloud storage option, you now have an option.

If Office 365 revenues are going to replace traditional Office sales receipts, there is little option. Microsoft can buy Dropbox — a very fine idea, poisoned by the specter of aQuantive’s past — or it can partner with a firm that it is trying to kill, which is likely cheaper. Here we are.

Keep in mind that drunk venture capitalists in Silicon Valley will tell you that Dropbox is profitable after enough beers. Maybe. But at least for now it has a powerful new, short-term friend. Microsoft doesn’t like to lose.


Via: techcrunch

Police can demand fingerprints but not passcodes to unlock phones, rules judge

Cops can force you to unlock your phone with your fingerprint, but not with your passcode, according to a judge in the US state of Virginia.

The question of whether a phone passcode is constitutionally protected has been batted around for a while, with varying outcomes.

It surfaced again in this case, which involves an Emergency Medical Services captain by the name of David Baust who was charged in February with trying to strangle his girlfriend.

According to The Virginian-Pilot, there might be footage recorded on video equipment in Baust’s bedroom that shows the couple’s fight.

If there is, the video could be on his mobile phone, and prosecutors want the judge to force Baust to unlock his phone so they can get at it.

Courts have held, however, that passcodes are protected by the Fifth Amendment, which prohibits forced self-incrimination.

That’s kept defendants from being forced to cough up passcodes, given that they are knowledge stored in our heads.

But as privacy and legal experts have been saying ever since Apple introduced Touch ID, biometric information such as a fingerprint is like a DNA sample or a voice imprint: it doesn’t reveal anything that we know, so it doesn’t count as testimony against ourselves.

Internet and privacy lawyer Marcia Hofmann, writing for Wired, explained it a year ago:

A communication is “testimonial” only when it reveals the contents of your mind. We can’t invoke the privilege against self-incrimination to prevent the government from collecting biometrics like fingerprints, DNA samples, or voice exemplars. Why? Because the courts have decided that this evidence doesn’t reveal anything you know. It’s not testimonial.

Take this hypothetical example coined by the Supreme Court: If the police demand that you give them the key to a lockbox that happens to contain incriminating evidence, turning over the key wouldn’t be testimonial if it’s just a physical act that doesn’t reveal anything you know.

However, if the police try to force you to divulge the combination to a wall safe, your response would reveal the contents of your mind — and so would implicate the Fifth Amendment. (If you’ve written down the combination on a piece of paper and the police demand that you give it to them, that may be a different story.)

Virginia Circuit Court Judge Steven C. Frucci agreed with that logic.

He ruled this week that giving police a fingerprint is akin to providing a DNA or handwriting sample or an actual key, which the law permits, while a passcode requires the defendant to divulge knowledge, which the law protects against.

The ruling doesn’t clear the road for the prosecutors, however, given that Baust’s phone may well be protected by both a passcode and Touch ID.

In fact, this ruling doesn’t mean it’s open season on Touch ID-enabled iPhones.

If Touch ID hasn’t been used for 48 hours, a passcode, in addition to a fingerprint, is required in order to unlock a device. The same thing goes for using the device after restart.

Prosecutors were still considering whether to appeal the judge’s decision as of Thursday.


Via: nakedsecurity

How bots and zombies work, and why you should care


We regularly write about “bots”, or “zombies,” malicious programs that let cybercriminals take over your computer from afar.

Some malware is pre-programmed for one specific criminal act, such as ransomware that scrambles your data and demands a fee to get it back.

But most bots or zombies are kitted out with a wide range of “features.”

Any of these can be controlled across the internet by a crook.

Common crimeware functions built into bots include:

  • Logging your keystrokes to steal online usernames and passwords.
  • Searching through your files for interesting data to steal.
  • Tricking you into clicking on ads to generate pay-per-click revenue.
  • Posting “recommendations” for your friends on your social networks.
  • Acting as a proxy, or relay, and charging rent to other crooks so they can use your internet connection to cover their tracks.
  • Mapping out your network from the inside to assist with future attacks.
  • Attacking other people’s websites, making you look like the crook.
  • Sending out spam, often in vast quantities.
  • Updating the running malware to add new features and stay ahead of your defences.
  • Downloading more malware at the whim of the crook who is in control.

The last function, downloading more malware, is the reason why it is difficult to give an exhaustive list of what might have happened to your computer while it was infected. The controlling crook, known as a bot-herder or botmaster, can add and remove other malware programs at will.

The reason why a zombie can do all of these things without you realising is, quite simply, that you could do any or all of them yourself if you wanted.

You can (and probably often do) send email; browse websites; use social networks; download programs; search your files; and more.

Of course, you don’t actually do these things: you invite software to do them on your behalf.

So, once a zombie is running on your computer – whether you were reckless, incautious or merely unfortunate to get infected – it, too, can do any of these things on your behalf, even though you never meant to invite it to do so.

How crooks control your computer

We still haven’t explained how a crook sitting on the other side of the world can choose which of these “features” to run, and when.

After all, you probably have a router and a firewall that block all inbound network connections by default.

If you start up a web server like IIS or a mail server like Exchange on your home network, the chances are that neither of them will work straight away: you will need to make a series of deliberate changes in your firewall configuration.

In short, outsiders can’t easily connect into your network by default, even if you want them to.

So, how do botmasters connect to your computer to control the malware on it?

The answer is staggeringly simple: the crooks don’t call you and tell you what to do.

You call them and ask for instructions.

Just like Windows Update, which connects to Microsoft’s servers to check for patches.

And just like your webmail, which gets pulled down by your browser when you’re logged in, rather than pushed to your computer by a mail-sending server.

A good firewall and anti-virus combination can still protect you, of course, by keeping track of what connections your computer makes, and which programs make them, and what gets downloaded.

But most remote control malware these days regularly “calls home” to fetch its instructions on what to do next, so blocking inbound network connections only is not enough to neutralise a running zombie.

Of course, the “call home” system means the crook can’t tell your computer to start spamming right now, but that is of little consequence, because most bots check in for new commands every few minutes anyway.

After all, if your computer is going to be sending 100,000 spams over the next 24 hours, those few minutes waiting to get started will make no difference to the outcome.

On the other hand, the crook doesn’t have to keep trying to contact your computer if he doesn’t get through the first time, for example because you’re asleep and so is your laptop.

The next time you turn it on, it will get busy with all its outstanding tasks automatically, including catching up on its backlog of spam sending.

Botnet Command-and-Control

The process by which bots fetch their what-to-do-next instructions is known as command-and-control (abbreviated CnC, or sometimes C2), and the places bots connect to are known, unsurprisingly, as CnC servers.

Bots that use the same CnC network, and can therefore be controlled simultaneously by a single botmaster, make up a botnet, short for “robot network.”

In years gone by, many botnets used an instant messaging protocol called IRC (Internet Relay Chat) for CnC, but that has fallen out of favour these days.

Few companies still use IRC, so many organisations have simply placed a blanket ban on it, forcing the botmasters to try different CnC tricks.

Unfortunately, there are lots of options, including the obvious and unexceptionable technique of using HTTP, the same protocol that regular websites use.

When your browser sends a web request, it might go something like this:

→ GET /index.html HTTP/1.1
→ Host: example.com
→
← <html><body>
← This is a real web page
← </body></html>

A zombie, on the other hand, might do this:

→ GET /instructions HTTP/1.1
→ Host: example.com
→
← SPAM
← E1=duck@example.com
← E2=swan@example.org
← E3=ibis@example.test
← SUBJ=Hey, $NAME, need cheap pills?
← TEXT=No prescription needed for our meds.

Or the zombie might use HTTPS, encrypted HTTP, making the content of its CnC messages harder to spot on the way out or back in to your network.

The important thing is that many bots use regular-looking network traffic in order to try to blend in with what regular users are doing with regular software.

We’ve even seen bots that read their instructions from special Twitter messages, or from posts on the social network Reddit.
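Because the traffic looks like ordinary web browsing, the thing that gives a bot away on the way out of your network is the timing: a timer-driven "call home" hits the same host at near-constant intervals, while a person browsing does not. The script below is an added example (not from the article or from Sophos) that runs that check over a constructed proxy log; the log format, host names and thresholds are assumptions for the demonstration.

```python
"""Beacon detection over constructed HTTP proxy log lines (added example).

Bots poll their CnC server every few minutes, so a client that fetches the
same host at almost identical intervals is worth a look. The log format
('timestamp client host path') and all hosts below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.7 browses irregularly; 10.0.0.9 polls
# /instructions every five minutes, with a second or so of jitter.
SAMPLE_LOG = """\
2014-11-05T09:00:00 10.0.0.7 example.com /index.html
2014-11-05T09:00:05 10.0.0.7 example.com /style.css
2014-11-05T09:00:00 10.0.0.9 cnc.example.test /instructions
2014-11-05T09:05:01 10.0.0.9 cnc.example.test /instructions
2014-11-05T09:10:00 10.0.0.9 cnc.example.test /instructions
2014-11-05T09:14:59 10.0.0.9 cnc.example.test /instructions
2014-11-05T09:20:00 10.0.0.9 cnc.example.test /instructions
2014-11-05T09:17:30 10.0.0.7 example.com /news.html
2014-11-05T10:42:00 10.0.0.7 example.com /index.html
"""

def parse_log(text):
    """Return {(client, host): [sorted request times]} for the constructed format."""
    seen = defaultdict(list)
    for line in text.splitlines():
        ts, client, host, _path = line.split()
        seen[(client, host)].append(datetime.fromisoformat(ts))
    return {key: sorted(times) for key, times in seen.items()}

def find_beacons(text, min_hits=4, max_jitter=0.10):
    """Flag (client, host) pairs whose gaps between requests are near-constant.

    max_jitter caps stddev/mean of the gaps: human browsing gives a ratio
    near or above 1, a timer-driven poll keeps it close to zero."""
    beacons = []
    for (client, host), times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((client, host, round(avg)))
    return beacons

if __name__ == "__main__":
    for client, host, period in find_beacons(SAMPLE_LOG):
        print(f"{client} polls {host} every ~{period}s: possible CnC beacon")
```

On real logs, pair this with the sleep-and-catch-up behaviour described above: a host that was silent overnight and then resumes the same cadence is the same pattern, not a new one.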

What to do?

Defence in depth, both in your anti-virus and your firewall, can still protect you, even though no inbound connections are used.

For example, to function fully, a zombie needs to:

  • Infect your computer.
  • Connect to its CnC servers.
  • Download its instructions.
  • Transmit its results, such as emailing spam or sending back stolen data.

If you can block any or all of these, you will limit the crooks, or thwart them entirely.

Clearly, however, the best protection of all is not to get infected in the first place.

And if you do get infected, the best defence is to find and eliminate the zombie malware altogether.

In other words, the best way to kill a botnet is by killing the bots themselves.

So why not Kill a Zombie today?

Kill a Zombie with the free Sophos Virus Removal Tool

This is a simple and straightforward tool for Windows users. It works alongside your existing anti-virus to find and get rid of any threats lurking on your computer.

It does its job without requiring you to uninstall your incumbent product first. (Removing your main anti-virus just when you are concerned about infection is risky in its own right.)

Download and run it, wait for it to grab the very latest updates from Sophos, and then let it scan through memory and your hard disk. If it finds any threats, you can click a button to clean them up.

Other free tools to protect you from bots

Sophos UTM Home Edition

All the features of our commercial UTM for use on a spare computer or in a virtual machine. You get web filtering, email filtering, virus scanning, intrusion prevention, CnC traffic detection, a web application firewall and a full-on Virtual Private Network (VPN) solution for up to 50 computers or mobile devices at home.

Sophos Anti-Virus for Mac Home Edition

A standalone version of our business grade anti-virus for OS X. You get real-time (on access) malware prevention, web filtering, scheduled scans, malware cleanup and more, plus it keeps itself up-to-date automatically.


Via: sophos

White House networks hacked

Attackers intruded on unclassified White House computer networks in recent weeks, unidentified White House officials told the Washington Post.

The newspaper’s sources said that no damage has been detected, and the classified network apparently wasn’t attacked.

One White House official told the paper that users have had to deal with temporarily disrupted services:

In the course of assessing recent threats, we identified activity of concern on the unclassified Executive Office of the President network. We took immediate measures to evaluate and mitigate the activity. ... Unfortunately, some of that resulted in the disruption of regular services to users. But people were on it and are dealing with it.

Fingers are pointing at Russia, given circumstantial evidence, including recent reports of cyber-espionage campaigns launched by Russian operatives thought to be working for the government.

One such was Sandworm: a zero-day exploit that was transmitted via PowerPoint files and that took advantage of a previously unpatched Windows vulnerability.

Sources told the Washington Post that the nature of the target – i.e., a government network – is consistent with a state-sponsored campaign.

The breach was discovered 2-3 weeks ago.

Mitigation included staffers having to change their passwords and intranet or VPN access being temporarily shut off.

Sources told the paper that the email system, apart from some minor delays, didn’t go down.

The attack is hardly surprising. In fact, it’s par for the course, a source told the paper:

On a regular basis, there are bad actors out there who are attempting to achieve intrusions into our system. This is a constant battle for the government and our sensitive government computer systems, so it’s always a concern for us that individuals are trying to compromise systems and get access to our networks.


Via: nakedsecurity