Monthly Archives: July 2014

New Crypto-Ransomware Emerge in the Wild

One of the recent triumphs against cybercrime is the disruption of the activities of the Gameover ZeuS botnet. Perhaps what makes this more significant is that one major threat was also affected—the notorious CryptoLocker malware.

However, this disruption hasn’t deterred cybercriminals from using file-encrypting ransomware. In fact, we saw new crypto-ransomware variants that use new methods of encryption and evasion.

Cryptoblocker and its Encryption Technique

Just like other ransomware variants, the Cryptoblocker malware, detected as TROJ_CRYPTFILE.SM, encrypts files and holds them for a specific ransom amount. However, this particular variant has certain restrictions. For one, it will not encrypt files larger than 100MB in size. Additionally, it skips files found in the folders C:\WINDOWS, C:\PROGRAM FILES, and C:\PROGRAM FILES (X86).

And unlike other ransomware variants, Cryptoblocker will not drop any text files instructing the victim on how to decrypt the files. Rather, it displays the dialog box below. Entering a transaction ID in the text box will trigger a message stating that the “transaction was sent and will be verified soon.”

Figure 1. Dialog box

Another distinction is its encryption routine. This malware does not use the Windows CryptoAPI, a marked difference from other ransomware, which typically use CryptoAPI to generate RSA keys; no RSA keys are used by this particular malware. This is an interesting detail, considering that RSA keys would make decrypting the files more difficult. Instead, we found an implementation of the Advanced Encryption Standard (AES) in the malware code.

A closer look also reveals that the compiler notes were still intact when we unpacked the code. This is highly interesting, as compiler notes are usually removed: security researchers could use this information to detect (and thereby block) other files from the same malware writer. The presence of the compiler notes suggests that the bad guy behind Cryptoblocker may be new to the creation of ransomware.

Based on feedback from the Trend Micro Smart Protection Network, the US is the top affected country, followed by France and Japan. Spain and Italy round out the top five affected countries.

Figure 2. Countries affected by Cryptoblocker

Critroni and the Use of Tor

The Tor network has gained a lot of attention due to its association with cybercrime. Cybercriminals have been using the network to mask their malicious activity and hide from law enforcement agencies.

We recently came across one variant, detected as TROJ_CRYPCTB.A and known as Critroni or Curve-Tor-Bitcoin (CTB) Locker, which uses Tor to mask its command-and-control (C&C) communications. After encrypting the files of the affected machine, the malware changes the computer’s wallpaper to the image below:

Figure 3. Wallpaper displayed

It also displays a ransom message. Users must pay the ransom in Bitcoins before the set deadline expires. Otherwise, all the files will remain permanently encrypted.

Figure 4. Ransom message

According to senior threats researcher Jamz Yaneza, this malware uses elliptic curve cryptography rather than RSA or AES. To put this into context, the Bitcoin ecosystem relies on one elliptic curve cryptographic scheme, the Elliptic Curve Digital Signature Algorithm (ECDSA).

This isn’t the first time we have seen ransomware take advantage of the anonymity offered by the Tor network. In the last weeks of 2013, ransomware variants called Cryptorbit asked their victims to use the Tor browser (a browser pre-configured for Tor) for ransom payment. We also came across Android ransomware that uses Tor for its C&C communications.

BAT_CRYPTOR.A Uses Legitimate Apps

Last June, we reported on POSHCODER, a ransomware variant that abuses the Windows PowerShell feature to encrypt files. We recently spotted yet another ransomware that, like POSHCODER, uses legitimate apps for its encryption routine.

Detected as BAT_CRYPTOR.A, this variant uses the GNU Privacy Guard (GnuPG) application to encrypt files. However, based on our analysis, the malware will still execute its encryption routine even if the system does not have GnuPG installed: as part of its infection chain, the dropper drops a copy of GnuPG to use for encryption. The routine is written as a batch file.

The malware deletes %appdata%/gnupg/*, the directory where generated keys are saved. It then generates a new key pair: a public key (pubring.gpg) and a private key (secring.gpg).

The public key in pubring.gpg is used to encrypt the files on the system. The private key, which can decrypt the files, is left on the affected system. However, this private key is itself encrypted, making decryption difficult. The newly encrypted private key is renamed to KEY.PRIVATE.

BAT_CRYPTOR.A renames encrypted files with the file name {file name and extension}.paycrypt@gmail_com. In the ransom note, users are instructed to contact an email address for details on how to decrypt their files.
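A defender-side sweep for the artifacts just described, written here as an added example (it is not Trend Micro's code, nor the malware's batch file). It takes a list of file paths, here a constructed Windows listing, and reports the three indicators the writeup gives: files renamed with the .paycrypt@gmail_com suffix (recovering their original names), the presence of KEY.PRIVATE, and a wiped GnuPG keyring folder. The user profile path and the folder in which KEY.PRIVATE is found are assumptions; the page does not state either.

```python
"""Indicator sweep for the BAT_CRYPTOR.A artifacts described in the text.

Added example, not Trend Micro code. It works over an iterable of paths so
it runs offline against the constructed listing below; on a real host the
same function can be fed the output of os.walk().
"""
from pathlib import PureWindowsPath

# Suffix the writeup reports being appended to every encrypted file.
RANSOM_SUFFIX = ".paycrypt@gmail_com"
# Name the writeup reports for the re-encrypted private key.
PRIVATE_KEY_NAME = "KEY.PRIVATE"
# Keyring files GnuPG keeps in %appdata%\gnupg; the malware wipes that folder.
KEYRING_FILES = {"pubring.gpg", "secring.gpg"}

# Constructed sample listing. The profile path and the folder in which
# KEY.PRIVATE sits are assumptions; the page does not state either.
SAMPLE_LISTING = [
    r"C:\Users\victim\Documents\report.docx.paycrypt@gmail_com",
    r"C:\Users\victim\Pictures\holiday.jpg.paycrypt@gmail_com",
    r"C:\Users\victim\Documents\KEY.PRIVATE",
    r"C:\Users\victim\Documents\notes.txt",
    r"C:\Windows\System32\kernel32.dll",
]


def original_name(path):
    """Return the pre-encryption path of a renamed file, or None if not renamed."""
    p = PureWindowsPath(path)
    if not p.name.endswith(RANSOM_SUFFIX):
        return None
    stem = p.name[: -len(RANSOM_SUFFIX)]
    if not stem:  # a file named exactly like the suffix has no name to recover
        return None
    return str(p.with_name(stem))


def sweep(paths, appdata=r"C:\Users\victim\AppData\Roaming"):
    """Collect BAT_CRYPTOR.A indicators from an iterable of file paths.

    Returns a dict with the renamed files mapped to their original names,
    every KEY.PRIVATE found, which keyring files are missing from the GnuPG
    folder, and a verdict that requires both renamed files and a KEY.PRIVATE.
    """
    gnupg_dir = PureWindowsPath(appdata) / "gnupg"
    encrypted = {}
    key_private = []
    keyring_present = set()
    for raw in paths:
        p = PureWindowsPath(raw)
        orig = original_name(raw)
        if orig is not None:
            encrypted[str(p)] = orig
        if p.name.upper() == PRIVATE_KEY_NAME:
            key_private.append(str(p))
        # PureWindowsPath compares case-insensitively, as Windows does.
        if p.parent == gnupg_dir and p.name.lower() in KEYRING_FILES:
            keyring_present.add(p.name.lower())
    return {
        "encrypted_files": encrypted,
        "key_private": key_private,
        "keyring_missing": sorted(KEYRING_FILES - keyring_present),
        "likely_infected": bool(encrypted) and bool(key_private),
    }


if __name__ == "__main__":
    for key, value in sweep(SAMPLE_LISTING).items():
        print(key, "->", value)
```

The verdict deliberately requires two independent indicators, since a lone file with an odd suffix or a missing keyring on a machine that never used GnuPG would otherwise produce noise; the recovered original names double as the inventory of what needs restoring from backup.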

The Importance of Caution

These ransomware variants prove that despite significant takedowns, cybercriminals will continue to find ways to victimize users. Users should remain cautious when dealing with unfamiliar files, emails, or URL links. While it might be tempting to pay the ransom for encrypted files, there is no guarantee that the cybercriminals will decrypt the ransomed files. Users can read about other security practices in the blog entry, Dealing with CryptoLocker.



Via: trendmicro

London Transport Network Finally Opening Up To Contactless Mobile Payments

London has had a dedicated contactless payment travelcard, called Oyster, for over a decade — offering a smarter alternative to paper ticketing that can hold a balance and cap daily and weekly travel costs. But change is coming. From September, London’s public transport network will be accepting contactless bank cards for payment, after conducting a trial with some 3,000 customers since this April.

It will also be possible to pay to travel around London using select mobile devices that contain an NFC chip and a compatible mobile payment app that’s been linked to your bank account. This means mobile users will finally be able to tap in and out of the public transport network using just their handset — more than six years after Transport for London (TfL) ran a trial of mobile payment technology. This future was always going to be a long time coming, with so many players involved in the ‘value chain’. But it looks like the train is finally moving out of the sidings.

Those wanting to be able to ditch their Oyster and use a mobile handset for travel payments will need a device with an NFC chip, which currently excludes any iOS devices. They will also need a compatible Visa, MasterCard or Amex mobile payment app. Carrier EE has been touting its compatible Cash on Tap app, although this is only being offered to users of its 4G network who own select 4G Android handsets.

Currently contactless bank cards are already accepted by TfL as an alternative to its Oyster cards on London buses, replacing cash as a payment option earlier this month. But from September 16 the whole TfL network will accept them, along with compatible mobiles.

The expanded contactless rollout will bring the same daily and weekly price capping features offered by the Oyster system to other payment methods, so users paying with bank cards or mobile apps won’t pay more than they should. TfL says it will bill users’ bank or credit card accounts once per day to ensure the capping feature works. Registered customers will be able to view their usage and payment history via an online TfL account.

Taking the Oyster card out of the loop and linking payments directly to travelers’ bank accounts is a clear way for TfL to cut queues for tickets and top-ups. Which it really needs to do, given the Mayor of London has committed to closing almost all ticket offices on the Tube network by 2015 — although the sweetener for that is longer Tube running hours.

One visible and rather unfortunate aspect of the technology transition from contactless travelcards to contactless bank cards is the need for TfL to warn Tube users of the risk of so-called “card clash”. Aka when a user has multiple contactless cards in the wallet they touch on the ticket reader — meaning the system is forced to choose between signals, with the risk being that it takes payment from a card the user didn’t intend. TfL has been warning Tube users not to store multiple contactless cards in the same wallet they use for travel. So much for hipsters’ single, minimalist wallets then.

Also looming on London’s horizon: a rollout of 5G mobile technology. A commitment to rolling out the next generation of cellular tech in the UK capital by 2020 will be included in a Mayor of London infrastructure investment plan, being published on Wednesday.

The Telegraph reports that the network rollout will be in collaboration with the University of Surrey where the UK has a 5G research center. The center was established back in 2012, backed by £35 million in financial backing — £11.6 million of which came from government.


Via: techcrunch

Apple Updates Retina MacBook Pros With Better Specs

Apple has updated its Retina MacBook Pro line, with new Haswell processors that edge their predecessors (also Haswell) by small amounts (200MHz), and with new base RAM for the low-end 15-inch model that doubles the amount of memory it carries within from 8GB to 16GB.

The Retina MacBook Pro update is similar to the MacBook Air update Apple issued earlier this year, in that it improves what’s under the hood but doesn’t introduce any sweeping changes to the Retina MacBook Pro line. Apple last updated the Retina MacBook Pro in October of last year, when it introduced new Haswell and Crystal Well processors from Intel to the line, and improved battery life to 9 hours for the 13-inch version and 8 hours for the 15-inch model.

Price points for the new 13-inch Retina MacBook Pros remain the same, while the larger models are now $100 cheaper. Apple still ships the 15-inch laptops with NVIDIA’s GeForce GT-750M, which is now nearly two years old. But you’ll get better value on that base 15-inch thanks to the improvement in the stock RAM configuration (which also isn’t upgradeable after the fact, so that’s a considerable advantage).

Apple shipped 4.4 million Macs in the latest quarter, which was up 18 percent from a year ago and a new record for the company for Macs sold during the quarter ending in June. Apple’s Mac line has gained market share across the PC category (which shrank by 2 percent last year according to IDC) in 32 of the last 33 quarters, so people are clearly happy with what they’re doing with machines like the Retina MacBook Pro, which got a price drop for entry-level models in October, too.


Via: techcrunch

1,000,000 lost credit cards = £150,000 fine

A UK travel company has been fined £150,000 by the Information Commissioner’s Office (ICO) for leaking more than 1,000,000 credit card records.

Here’s what seems to have happened.

Imagine you’re a web developer.

You’ve been told to knock together a quick database system, for internal use only.

The software needs to keep track of a car parking business that your employer operates, but it won’t store customer data or be customer-facing.

You might take a path something like this:

  1. It’s internal only, and won’t have any personally identifiable information (PII), so you might as well code now, secure it later.
  2. It’s internal only, and pretty basic, so it’s not going to get budget for its own server, so you might as well dump it in a corner of the main database server.
  3. It’s simple enough that it works, so everyone uses it.

That’s when the trouble starts, thanks to the last part of Item 1, “secure it later.”

Because of Item 3, you get lumped with Item 4:

  4. It’s internal only, but people need to use it from home.

So you knock up a quick authentication page and open it to the outside world via a “secret” URL.

You reason that the crooks first have to work out where to connect and then to crack a password, and even if they do, they’ll not get much more information than how much your parking spaces cost, which they could probably find out by phoning for a quote anyway.

Back in real life, of course, a crook does eventually work out where to connect (a bit of Wi-Fi sniffing might do it), has a poke around, and quickly realises he doesn’t need to login at all.

He finds he can use SQL injection, where he sends a query with a database command hidden in it, and tricks the server so it doesn’t use the command as a search term (which would be harmless), but actually runs it as a command (which is not harmless at all).
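The two ways the car-park lookup could have been written, as an added example that is not from the article: the query built by pasting the search term into the SQL string, beside the parameterised query that hands the term to the engine as a value. The table, the site names and the prices are constructed; the example only shows how the same input reads differently to each version.

```python
"""The car-park lookup from the story, written both ways.

Added example, not from the article. The schema, the prices and the site
names are constructed; the point is how each version hands the search term
to the database engine.
"""
import sqlite3


def make_db():
    """In-memory stand-in for the parking database (constructed rows)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE spaces (site TEXT, price_pence INTEGER)")
    con.executemany(
        "INSERT INTO spaces VALUES (?, ?)",
        [
            ("Gatwick North", 899),
            ("Gatwick South", 949),
            ("Heathrow T5", 1299),
            ("King's Cross", 1599),
        ],
    )
    return con


def search_vulnerable(con, term):
    """'Secure it later' version: the user's text is pasted into the SQL.

    Whatever the user typed is parsed by SQLite as part of the statement, so
    quotes and keywords in the input change what the query means.
    """
    sql = "SELECT site FROM spaces WHERE site = '" + term + "'"
    return [row[0] for row in con.execute(sql)]


def search_safe(con, term):
    """Parameterised version: the term travels as a bound value, never as SQL.

    The statement text is fixed; the driver hands the term to the engine
    separately, so it can only ever be compared against the column.
    """
    sql = "SELECT site FROM spaces WHERE site = ?"
    return [row[0] for row in con.execute(sql, (term,))]


def compare(term):
    """Run both versions on a fresh database and report what each returned."""
    con = make_db()
    try:
        vulnerable = search_vulnerable(con, term)
    except sqlite3.OperationalError as exc:
        vulnerable = "SQL error: " + str(exc)
    return {"vulnerable": vulnerable, "safe": search_safe(con, term)}


if __name__ == "__main__":
    # An honest apostrophe in a place name breaks the string-built query ...
    print(compare("King's Cross"))
    # ... and a quote followed by SQL turns a lookup into "return everything".
    print(compare("x' OR 'a'='a"))
```

The honest input is the telling one: a string-built query that cannot cope with a place name containing an apostrophe is the same query that will run whatever else follows that apostrophe, which is why the fix is to bind parameters rather than to filter characters.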

From there, the crook can give himself access to the database administration console, and since your car park application is on the same server as your main e-commerce site, he can help himself to all the data in it.

To wit: 1,163,996 credit card numbers dating all the way back to 2006, of which 733,397 have already expired, but 430,599 are current.

I’ve made up the details (except for the numbers – there really were more than 1,000,000 credit card records spilled), but that’s probably roughly what happened at Think W3 and its subsidiary, Essential Travel Ltd.

We know this because the ICO explained the reasons for its £150,000 fine, concluding that the company violated what is the UK’s Seventh Privacy Principle.

There are eight Privacy Principles altogether, requiring that personal information is:

  1. Fairly and lawfully processed.
  2. Processed for limited purposes.
  3. Adequate, relevant and not excessive.
  4. Accurate and up to date.
  5. Not kept for longer than is necessary.
  6. Processed in line with your rights.
  7. Secure.
  8. Not transferred to other countries without adequate protection.

Interestingly, the company wasn’t taken to task under Principle Five, which deals with the timely deletion of redundant data, such as long-expired credit card numbers.

Presumably the ICO felt that Principle Seven was the more important one, and wanted to make a very blunt point.

Here it is: “Secure it later” isn’t soon enough.


Via: sophos

Amazon Launches A 3D Printing Store With Customizable Goods

Amazon has launched a new store for 3D-printed goods, which include items that can be customized to change their size, color, material and even aspects of their design. The store covers a range of types of products, including jewelry, electronics, toys and games, home decor and kitchen supplies, and items are supplied by a number of partners including Mixee, Sculpteo and 3DLT.

Amazon is touting this as the debut of a new way for the ecommerce giant to offer even more specialized inventory that can better cater to specific customer tastes. “The introduction of our 3D Printed Products store suggests the beginnings of a shift in online retail – that manufacturing can be more nimble to provide an immersive customer experience,” said Amazon Marketplace Sales director Petra Schindler-Carter, in a press release announcing the new storefront.

Along with the launch of the store, Amazon is introducing a new personalization tool for customizing some of the 3D-printed designs, which opens up a widget that lets you choose from a number of basic designs, pick the color and finish of your plastic/metal material, and preview what it will look like with a 360-degree 3D preview. You can also tweak individual aspects of the design with some items, including thickness and other dimensions.

Prices on items vary, but the most affordable tend to fall into the $30 range, and they go upwards from there depending on size and material.

The introduction of the store does indeed mark a potential turning point in the sale of online goods – it means the largest online retailer in the English-speaking world is endorsing a means of direct production and selling that could change how future products are conceived and planned. One-offs and small runs are much more affordable via 3D printing, so theoretically the sky’s the limit on the range of things customers could order, provided 3D printing technology keeps evolving.

It’s worth noting that Amazon only sells a set catalogue of 3D-printed items so far – it hasn’t yet offered a way for customers to upload their own design and have them printed as does Shapeways, for instance. Amazon likely wants to maintain some kind of quality control and not have to concern themselves with educating customers about the ins and outs of 3D printing custom designs, however – and this doesn’t necessarily mean that refinements in the process wouldn’t open the door to this kind of thing in the future.



Via: techcrunch

Can’t Manage A Standing Desk? Meet Cubii, The Sitting Exerciser

Sitting down — and the sedentary lifestyle it encourages — is killing you, slowly but surely. The problem is, standing desks aren’t for everyone. Making the switch is a big deal. I love mine but it took a week of pain and suffering to go from seat to feet, and it still feels pretty tough on calves and soles after a full day-long standing stretch.

So here’s a third way: Cubii is a sitting exerciser that’s been designed to fit under an office desk so those who are stuck in their office chairs can push its pedals while they work and get some exercise, rather than being entirely sedentary.

The Cubii is a pretty simple elliptical trainer but the design has been tweaked so the trajectory of the pedals keeps the user’s knees low enough not to bang the underside of the desk.

It also includes a Bluetooth radio and there’s a companion app — so your underdesk mileage can be quantified. Top marks for tapping the zeitgeist there, Cubii.

Cubii’s Chicago-based makers took to Kickstarter to raise funds to get their device to market and have now crowdfunded their way past their original target of $80,000, with five days left on their campaign.

The early bird Kickstarter price for Cubii was $279. It’s now stepped up to $299, with an estimated shipping date of January next year — just in time for your New Year’s fitness revolution.

There’s not a whole lot else to say about the Cubii, since it’s not hugely innovative. Arguably it fills a fitness hole for those who can’t manage the transition to a standing or walking desk. Or for people who have other health issues that make standing all day a no-no.

I do take issue with Cubii’s claim that standing desks are prohibitively expensive. Sure they can be, if you want something super fancy with lots of bells and whistles. Or you can spend $19 on an Ikea Lack coffee table, saw its legs down to size and put it on top of your existing desk — for a shoestring standing desk, like mine.

Oh, and another fringe benefit of a standing desk: loads of underdesk storage space. In my experience it’s a great place to keep boxes of unused gadgets.

Or even better, why not switch to a Walking Desk.


Via: techcrunch

Microsoft Says It Isn’t Abandoning Xbox Music, Promises It Will Suck Less Shortly

During Microsoft’s earnings call, CEO Satya Nadella indicated that his company would “streamline” its work in music and video. That was interpreted in some cases to imply that Microsoft was walking away from Xbox Music, its beleaguered Spotify competitor.

Not so, it turns out. Today Microsoft’s Joe Belfiore tweeted that Xbox Music was not dead, and that the company will release an update to the service soon:

Xbox Music has had a rocky past. In fact, on the Windows Phone subreddit, there is a dedicated thread for issues with the service. I’ve never had much of a good experience with the product.

Microsoft recently killed off its premium content for Xbox. That was pretty non-core to its business model. But offering music to consumers who buy into your platform is pretty par for the course in the current tech scene. So Microsoft has two options: Buy Spotify or make Xbox Music workable. It appears to have chosen the latter.


Via: techcrunch

Microsoft brings two open source tools to Azure

Packer and OpenNebula are the latest open source technologies to find a home on the Microsoft Azure cloud service.

Following through on promises from new CEO Satya Nadella, Microsoft continues to add support for non-Microsoft technologies, allowing them to run well on the company’s Azure cloud hosting platform.

“There are a wide variety of platforms and technologies that developers and IT managers like to use. We’re just trying to assure that regardless of your choice, it will work well on Azure,” said Doug Mahugh, a technology evangelist for Microsoft Open Technologies, a subsidiary that develops software and tools for non-Microsoft platforms.

“Our decisions about where to invest are very much driven by what is popular with developers,” he said.

The company has partnered with two organizations that offer popular open source programs for managing cloud resources — Packer and OpenNebula. Microsoft is releasing drivers that will make it easy to use the programs on Azure, as well as with Microsoft server software for in-house deployments.

At Microsoft’s Worldwide Partner Conference last week, Nadella said Microsoft was shifting its emphasis from Windows and devoting more resources to cloud services that can be used on any platform.

Packer is increasingly being used by system administrators to create and then manage the operations of virtual machine images. Running from any OS, Packer assembles and configures the necessary components for a virtual machine and can create identical copies to run on different platforms, such as Linux and Windows.

Packer can also work with popular open source configuration tools such as Chef and Puppet to automate the procedures of rolling out many virtual machines at once.

“Packer has been so popular lately that we heard from people that they want to see it on Azure,” Mahugh said.

Microsoft is also adding support for the OpenNebula cloud management software. OpenNebula could be a key technology for companies interested in running hybrid clouds, a model in which some operations run on a public cloud like Azure and others run in-house, perhaps on a private cloud.

“Some telecommunications companies and service providers are already pretty invested in OpenNebula to run virtual data centers. We want those people to see Azure as a good fit for setting up more virtual data centers,” Mahugh said.

This is not Microsoft’s first move to ensure open source technologies work well with Azure. Recently, the company started work on drivers to make the much discussed open source Docker virtualization technology work efficiently on Azure as well.


Via: infoworld

Vysk QS1 Is An Otterbox For The Privacy Freak

Last weekend, NSA whistleblower Edward Snowden called on developers to design products that protect users’ privacy and Constitutional rights, saying he plans to promote such technologies. But Vysk Communication’s CEO Victor Cocchia has been working on protecting phones from hackers and eavesdroppers since 2012, long before Snowden addressed the Hope X conference.

Although the QS1 phone case looks like an Otterbox defender case or bulky charging case, it does more than just protect your screen. With the flip of a switch, you can secure calls, messages and pictures from the iPhone 5/5s or Samsung Galaxy 5 you already have using the case’s encryption processor.

Unlike other privacy technology on the market, the case also allows you to block your phone’s camera and jam your phone’s microphones. It will be available at Best Buy this fall for $229.99 and can be preordered online now.

The case has two modes — Private Call Mode and Lockdown Mode. Private Call Mode allows users to use the Vysk QS app to make private calls to other subscribers over Vysk’s network. You have to pay a $10 monthly subscription fee for this service, but Cocchia says these calls will never be recorded and no metadata — such as call history — will ever be stored. The service also allows you to encrypt your messages, voicemails and pictures.

In Lockdown Mode, the phone’s camera and microphones are physically blocked by the case. The case has its own microphone and a headset option.

On Saturday, Snowden told developers that phone encryption was just a “first step.” He has said in the past that the NSA has the ability to access your phone even when it’s shut off. It seems the QS1 could be the start of the technologies Snowden was predicting.

Cocchia says right now, everyone else interested in phone privacy develops phone encryption software.

“It’s not that their encryption is bad or anything like that,” Cocchia said. “It’s just that software can be hacked. … A million pieces of malware are created each month.”

Earlier this month, the Wall Street Journal reported on the release of Blackphone, a $629 Android phone that offers encrypted phone calls and messages, as well as FreedomPop, a service that provides an $8/month added security for Android phones. But the Journal noted both of these technologies are “incomplete.”

Cocchia said the utility for such a phone case goes beyond the needs of those concerned about government surveillance. It also could have benefits for professionals trying to protect trade secrets.

He said government agencies, other governments, journalists and businessmen have expressed interest in his technology.

Although this case may take users’ privacy a step farther by allowing them to block their cameras and microphones, is it really worth more than $200 plus a monthly fee? Its price may make it more competitive than Blackphone, and Cocchia emphasized people want to use the phones they already have.

But these features only work when switched on. Although some users may see this as an asset because it allows you to still use your phone to play Angry Birds or access Google Maps when you’re not as concerned about having a secure line, it leaves room for error. People who are serious about privacy generally avoid such snafus by keeping their sensitive work on a separate phone.

Additionally, for calls and messages to be encrypted over the phone’s network, both callers need to be using the Vysk subscription service. That presents a huge limitation, although Cocchia said the service can generate an untraceable number for calls to non-subscribers.

As Snowden said on Saturday, spies are interested in collective communications, not just one individual’s. No case or software on the market can do much to protect against that, but the QS1 might be a start.



Via: techcrunch

Germany’s Anti-NSA Tools: Typewriters and Classical Music

German politicians are considering reverting to old-school forms of communication to thwart U.S. surveillance efforts.

Patrick Sensburg, the head of Germany’s NSA Inquiry Committee, said in a TV interview Monday that officials have discussed conducting internal communications by typewriter to keep American eyes off of sensitive documents.

“In fact, we already have [a typewriter], and it’s even a non-electronic typewriter,” Sensburg said, according to a translation by Ars Technica.

Tensions have been high between the US and Germany after whistleblower Edward Snowden revealed extensive NSA monitoring of German officials in June 2013, including reports that the organization had been tapping Chancellor Angela Merkel’s mobile phone for years. Germany’s NSA Inquiry Committee was founded in March to investigate the extent of the spying.

Earlier this month, relations worsened when Germany arrested an agent in its intelligence service accused of selling secret documents to the United States. After the arrest, a top CIA official was expelled from Berlin in an unprecedented response to the allegations. German politicians have been exploring a variety of creative methods to combat the spying.

The Guardian translated a report from Die Welt that said German officials are revolutionizing the way they communicate in light of the spying revelations.

“Above all, people are trying to stay away from technology whenever they can,” wrote Die Welt, as translated by the Guardian. “Those concerned talk less on the phone, prefer to meet in person. More coffees are being drunk and lunches eaten together. Even the walk in the park is increasingly enjoying a revival.”

In addition to switching to typewriters, politicians are now trying other ways to ensure privacy, including playing classical music over sessions of parliament.

“Unlike other inquiry committees, we are investigating an ongoing situation. Intelligence activities are still going on, they are happening,” Sensburg said Monday, according to The Local, an English-language site about Germany. “And of course we have to keep our internal communication secure, send encrypted emails, use encrypted telephones and other things, which I’m not going to say here of course.”

Germany is not the first country to switch to low-tech: Russia bought 20 electric typewriters last year to keep inside communications more private, according to the Moscow Times.

“Any information can be taken from computers,” a Russian member of parliament said of the switch. “[F]rom the point of view of keeping secrets, the most primitive method is preferred: a human hand with a pen or a typewriter.”



Via: mashable