Monthly Archives: October 2017

Whole Foods Market resolves the cybersecurity incident

Whole Foods Market has resolved the incident previously announced on September 28, 2017, involving unauthorized access of payment card information used at certain venues such as tap rooms and full table-service restaurants located within some stores. These venues use a different point of sale system than the company’s primary store checkout systems, and payment cards used at the primary store checkout systems were not affected. Whole Foods Market learned of the unauthorized access on September 23, 2017. The company conducted an investigation, obtained the help of a leading cyber security forensics firm, and contacted law enforcement. Whole Foods Market replaced these point of sale systems for payment card transactions and stopped the unauthorized activity. Whole Foods Market apologizes to customers for any inconvenience or concern this may have caused.

The investigation determined that unauthorized software was present on the point of sale system at certain venues. The software copied payment card information—which could have included payment card account number, card expiration date, internal verification code, and cardholder name—of customers who used a payment card at these venues at dates that vary by venue but are no earlier than March 10, 2017 and no later than September 28, 2017.

The systems do not connect to these systems at Whole Foods Market. Transactions on have not been impacted.

Whole Foods Market has been working closely with the payment card companies. Payment card network rules generally state that cardholders are not responsible for fraudulent charges that are reported in a timely manner. Customers should promptly report any unauthorized charges to the bank that issued their card. The phone number to call is usually on the back of the payment card.


via: cisomag

US introduces new bill to increase security of networked medical devices

A bill called the Internet of Medical Things Resilience Partnership Act was introduced on October 5, 2017, by Republican representatives David Trott and Susan Brooks. The bill calls for the US Food and Drug Administration (FDA) to set up a “working group” with representatives from other federal agencies, industry and academia to “develop recommendations for voluntary frameworks and guidelines to increase the security and resilience of networked medical devices.”

Since 2014, the FDA has held three public workshops on cybersecurity and has issued final guidance on pre- and post-market cybersecurity.

“There are millions of medical devices susceptible to cyber-attacks and oftentimes we are wearing these networked technologies or even have them embedded in our bodies,” Brooks said.

“Bad actors are not only looking to access sensitive information, but they are also trying to manipulate device functionality. This can lead to life-threatening cyber-attacks on devices ranging from monitors and infusion pumps to ventilators and radiological technologies,” she added.

Specifically, the “working group” would include representatives from FDA, the Department of Health and Human Services (HHS), Federal Trade Commission (FTC), Federal Communications Commission (FCC), National Institute of Standards and Technology (NIST) and the National Cyber Security Alliance.

On the industry side, the bill calls for at least three members from each of a number of private sector areas, including medical device manufacturers, healthcare providers, insurers, enterprise security firms, as well as hardware and software developers.

If passed, the bill would require the FDA to submit a report to Congress within 18 months identifying current and developing cybersecurity standards, gaps where new or revised standards are needed, and a plan to address those gaps.

It is yet to be ascertained how the working group would fit in with the FDA’s ongoing cybersecurity efforts, including its memorandum of understanding (MoU) with the National Health Information Sharing and Analysis Center (NH-ISAC) and the Medical Device Innovation, Safety and Security Consortium (MDISS).

In addition, the bill does not mention the Department of Homeland Security (DHS) in the list of working group representatives, despite the agency’s role in coordinating cybersecurity efforts through its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).


via: cisomag

iPhone Apps With Camera Permissions Can Secretly Take Your Photos Without You Noticing

Are you a proud iPhone owner? If yes, this could freak you out. Trust me!

Your iPhone has a serious privacy concern that allows iOS app developers to take your photographs and record your live video using both front and back camera—all without any notification or your consent.

This alarming privacy concern in Apple’s mobile operating system was highlighted by an Austrian developer and Google engineer, Felix Krause, who detailed the issue in a blog post.

The issue, Krause noted, is in the way Apple’s software handles camera access.

Apparently, there is a legitimate reason for many apps, such as Facebook, WhatsApp, and Snapchat, to request access to your camera, in an effort to take a photo within the app.

So this permissions system is not a bug or a flaw; it is a feature, and it works exactly the way Apple designed it. But Krause said any malicious app could take advantage of this feature to silently record users’ activities.

iPhone Apps Can Silently Turn On Cameras at Any Time

Krause explained that granting camera permission enables iOS app developers to:

  • access both the front and the back camera of your device,
  • photograph and record you at any time the app is in the foreground,
  • upload the recorded and captured content immediately, and
  • run real-time face detection to read your facial expressions

…and all without warning or alerting you in any way.

Apple asks users to grant camera access only once, as a blanket permission to the app, and then allows the app to use the camera freely without any LED indicator or notification. Krause explained that a malicious app could leverage this loophole to go far beyond its intended level of access and spy on users.



The researcher has even developed a proof-of-concept app to demonstrate how a malicious app could abuse such permissions to silently take your picture every second as you use the app, or even live-stream video of your surroundings from the front and rear cameras without notifying you.

Krause said his “goal [to build the demo app] is to highlight a privacy loophole that can be abused by iOS apps.”


Krause has also provided a short video demonstration of the issue, which shows the demo app taking photographs of the person using it every second. The app also included a facial recognition system to detect the person using it.

The researcher warned that such a rogue app could record “stunning video material from bathrooms around the world, using both the front and the back camera, while the user scrolls through a social feed or plays a game.”

How to Protect Your Privacy?

There is little a user can do to protect themselves.

Krause recommended that Apple introduce a way to grant temporary camera permissions, allowing an app to take a picture only during a limited period of time, after which access is revoked.

Another way is to introduce a warning light or notification on the iPhone that informs people when they are being recorded.

Most importantly, do not let any malicious app onto your smartphone. For this, always download apps from an official app store and read the reviews left by other users about the app and its developer.

According to Krause, for now, the only practical way to protect yourself is to cover your camera, just like Facebook CEO Mark Zuckerberg and ex-FBI Director James Comey do.


via: thehackernews

Encrypted chat app Signal goes down for some users

If you’re having problems with Signal, you’re not alone. On Friday, many users took to Twitter to report that beloved encrypted messaging app Signal was offline. While some users have been unable to access Signal’s servers since around 11AM PT, others have only seen delays in sending and receiving messages.



“Signal is back after a brief service interruption,” Open Whisper Systems wrote in a tweet at 12:21 PM PT. “We appreciate your patience as we added more capacity to resolve connection errors.”

On mobile, one Signal message I sent went through after 15 minutes, but the friend I sent it to didn’t seem to be having any trouble at all. Meanwhile, Signal on desktop completely stopped working, stalling out sent messages in what’s usually a lively group thread. Some of our New York-based team is seeing slight delays, but things look mostly up for the handful who sent a test message.

As things come back online, let us know if you have continued issues.


via: techcrunch

Apple doubles down on wireless charging with its latest acquisition

Apple is doubling down on wireless charging, the technology that debuted in this year’s iPhone 8 and iPhone X, after it scooped up New Zealand-based company PowerbyProxi in its latest piece of M&A.

Ten-year-old PowerbyProxi is a spinout of the University of Auckland and it is focused on developing wireless charging and power transfer products. That spans wireless control systems, wireless sensors and robotics, as well as areas more obviously suited to Apple such as wireless battery charging.

The deal, which was first reported by Stuff New Zealand, was confirmed by Apple in a rare direct statement. Regular watchers of the Cupertino-based company will know all too well that it is usually rather non-specific when it makes acquisitions — see this recent deal for French company Regaind for a typical example.

“We want to bring truly effortless charging to more places and more customers around the world. Our Auckland team will be a great addition as Apple works to create a wireless future,” Apple told TechCrunch in a statement attributed to Dan Riccio, senior vice president of its hardware engineering division.

“The team and I are thrilled to join Apple. There is tremendous alignment with our values, and we are excited to continue our growth in Auckland and contribute to the great innovation in wireless charging coming out of New Zealand,” Fady Mishriki, founder and CEO of PowerbyProxi, added via an accompanying canned comment.

The deal is officially undisclosed but Stuff New Zealand reported that it could be above $100 million.

That would represent a good return for investors, which include New Zealand VC Movac and German industrial firm Darmstadt, who funneled a total of $9 million in capital into the startup. Another less predictable beneficiary is Samsung. The Apple nemesis backed PowerbyProxi via its Samsung Ventures unit some four years ago.

PowerbyProxi’s expertise — which includes over 50 staff and more than 300 patents — is sure to supercharge Apple’s wireless efforts. The company’s first wireless charging pad, AirPower, is due for release next year, and a wireless-charging-compatible version of its AirPods is also planned. You can bet that more Apple products will lose the wires in favor of wireless power options in the future.


via: techcrunch

Fiber optic lines can double as earthquake detectors

You might not need an extensive sensor network or a host of volunteers to detect earthquakes in the future — in fact, the lines supplying your internet access might do the trick. Researchers have developed technology that detects seismic activity through jiggling in fiber optic lines. Laser interrogators watch for disturbances in the fiber and send information about the magnitude and direction of tremors. The system can not only detect different types of seismic waves (and thus determine the seriousness of the threat), but spot very minor or localized quakes that might otherwise go unnoticed.

Fiber-based detection isn’t strictly new, but it previously centered around acoustic sensing that required wrapping the fibers in cement, sticking them to a surface or otherwise making sure they contact the ground (to make it easier to spot impurities in the signal). That’s not necessary with the new method — you can use existing fiber lines housed in plastic pipes. It should be considerably easier and cheaper to implement these detectors.

There are plenty of challenges to making this a reality. It’s limited by the size of the fiber network, so it could miss rural areas that don’t have much if any fiber. And the current proof of concept is a relatively modest 3-mile loop around Stanford University. It could be a much more daunting prospect to run a sensor network across an entire city, let alone cross-country. This could still be far more affordable than rolling out dedicated sensors, however, and the sheer precision of using fiber (every part of the line counts) could provide earthquake data that hasn’t been an option before.


via: Stanford

Google’s ‘Advanced Protection’ locks down accounts like never before

When it comes to the eternal tradeoff between digital security and convenience, most tech firms focus their efforts on the vast majority of people who choose a painless user experience over a paranoid one. But Google is adding a set of features specifically targeted at those who prefer the latter. You can now lock down your account to a degree that no other major tech firm has ever offered directly to users, convenience be damned.

Google announced the launch of a new “advanced protection” setting for Google accounts, which makes it harder than ever for hackers to break into your sensitive data on Gmail, Google Drive, YouTube or any other Google property. The opt-in, ultra-secure mode is intended for truly high-risk users, including those who face the threat of state-sponsored, highly resourced cyberespionage. Think politicians and officials, high net-worth individuals, activists, dissidents, and journalists.

As such, it’s a strict and unforgiving system, designed to reinforce every possible weak link that hackers could use to hijack your account. Logging in from a desktop will require a special USB key, while accessing your data from a mobile device will similarly require a Bluetooth dongle. All non-Google services and apps will be exiled from reaching into your Gmail or Google Drive. Google’s malware scanners will use a more intensive process to quarantine and analyze incoming documents. And if you forget your password, or lose your hardware login keys, you’ll have to jump through more hoops than ever to regain access, the better to foil any intruders who would abuse that process to circumvent all of Google’s other safeguards.

“This is basically an extremely heavy-duty way of locking down an account,” says Joseph Lorenzo Hall, the chief technologist for the Center for Democracy and Technology. “Even for people with very limited technology chops, this is a way for them to have an extremely protected profile.”

The Advanced Protection rollout comes in the wake of a series of sophisticated hacking campaigns that have targeted Gmail and focused on the accounts of journalists, activists, and political opponents of the Russian government. Most public of those was the Kremlin-backed intrusion that hit the Gmail account of Hillary Clinton campaign manager John Podesta and led to WikiLeaks trickling out his emails for weeks, with far-reaching political reverberations.

“There is an overlooked minority of our users that are at particularly high risk of targeted online attacks,” reads a blog post about the new feature from Google’s security team. “For example, these might be campaign staffers preparing for an upcoming election, journalists who need to protect the confidentiality of their sources, or people in abusive relationships seeking safety.”

Or, as CDT’s Hall puts it, “If John Podesta had been able to turn this on sometime last year, the world might be a very different place.”

Of all its tightened security measures, Advanced Protection’s biggest day-to-day change for most users will likely be its requirement that they use a physical piece of hardware with every login. Users will have to buy their own so-called Universal Second Factor or U2F keys—one USB key for their desktop that costs around $20, and one Bluetooth-LE-enabled key for mobile that’s closer to $25. Google says it supports any keys approved by the FIDO Alliance, a group that manages identity and authentication protocols.

Those devices represent a significant step up from the purely digital two-factor authentication that has become the Silicon Valley standard. That added layer of protection sends temporary login codes to users via SMS, or generates them with a smartphone app like Google Authenticator. Requiring a U2F token instead of that code makes impersonating a user far more difficult. Unlike one-time codes, those tokens can’t be intercepted on the carrier network, or obtained by hacking someone’s smartphone. More importantly, the hardware-enabled login isn’t vulnerable to phishing sites that spoof Google’s login page, and then use a stolen code and password to immediately hijack the user’s account. The U2F key performs its own authentication step with Google’s site to check it’s legit, and only then supplies a key that logs the user in with no need to type a code.

Google has supported those U2F keys for the last three years. But Advanced Protection uses a stricter implementation than Google has offered in the past: only those physical keys—along with a password—will unlock your account. If you lose them, you can’t use a printed-out backup code in your wallet, or ask for one to be sent to you. Instead, you’ll have to go through an account recovery process that Google says will be far more stringent and labor-intensive than the one used for normal users when they click “forgot password?”

Google hasn’t shared the details of what that process entails. But the CDT’s Hall, whom Google briefed on the details, says it will include a “cooling-off” period that will lock the account for a period of time while the user proves his or her identity via several other factors. That slowed-down, intensive check is designed to make the account-recovery process a far less appealing backdoor into victims’ data.

Account recovery purgatory isn’t the only user-experience sacrifice Advanced Protection requires. At launch, it only works when you visit Google properties in Chrome. It delays the receipt of attachments and other files by roughly 60 seconds, as it performs a more-rigorous-than-usual scan for malware. And it bans all non-Google apps from accessing your Gmail or Google account, blocking you from exporting your email into any other software like the iOS mail client, Outlook, or Thunderbird.

Hall says all of that means Google needs to communicate clearly to users that Advanced Protection’s security requires a real change in their habits—namely keeping very careful track of two physical slices of silicon—but that its draconian restrictions will reap worthwhile security gains. “If this results in people getting locked out of important accounts all the time, it won’t be used very much,” he warns. “The messaging around this has to be really clear that once you turn it on, it’s a real ‘thou shall not pass.’”

In exchange for those inconveniences, Advanced Protection would in theory protect against some of the most insidious recent attacks on Gmail. The relatively convincing phishing scheme that hooked John Podesta almost certainly would have failed. And even a more clever scheme, like the Google Docs phishing emails last May that tricked users into installing a third-party application that hijacked their accounts, might be stymied; Advanced Protection’s restrictions on non-Google software’s access to Gmail would have prevented it.

All of that means Advanced Protection offers a powerful new bargain for those who truly need it. Your retired uncle whose hacked account has been sending you spam intermittently for years may find the cure worse than the disease. But if having your email penetrated represents a career- or even life-ending event, protecting it is probably worth carrying a couple more keys in your pocket.


via: wired

Canada’s ‘super secret spy agency’ is releasing a malware-fighting tool to the public

‘This is something new for CSE,’ says the agency, which is trying to shed its old reputation.

The secretive headquarters of the Communications Security Establishment (CSE) is at a complex in Ottawa. (Sean Kilpatrick/Canadian Press)

Canada’s electronic spy agency says it is taking the “unprecedented step” of releasing one of its own cyber defense tools to the public, in a bid to help companies and organizations better defend their computers and networks against malicious threats.

The Communications Security Establishment (CSE) rarely goes into detail about its activities — both offensive and defensive — and much of what is known about the agency’s activities has come from leaked documents obtained by U.S. National Security Agency whistleblower Edward Snowden and published in recent years.

But as of late, CSE has acknowledged it needs to do a better job of explaining to Canadians exactly what it does. Today, it is pulling back the curtain on an open-source malware analysis tool called Assemblyline that CSE says is used to protect the Canadian government’s sprawling infrastructure each day.

“It’s a tool that helps our analysts know what to look at, because it’s overwhelming for the number of people we have to be able to protect things,” Scott Jones, who heads the agency’s IT security efforts, said in an interview with CBC News.

‘Super secret spy’ reputation

On the one hand, open sourcing Assemblyline’s code is a savvy act of public relations, and Jones readily admits the agency is trying to shed its “super secret spy agency” reputation in the interest of greater transparency.

But on the other, the agency is acknowledging that, given the widening range of digital threats affecting Canadians and Canadian businesses, it believes it has a more public role to play in cyber defence than it has in the past.

“This is something new for CSE,” he says. It’s a fact not lost on longtime agency observers.

“They’re pushing the envelope in a way they haven’t quite before,” said Bill Robinson, an independent researcher who has studied CSE’s activities for more than two decades, and recently joined the University of Toronto’s Citizen Lab as a fellow. “It’s a big change, a sea change for them in that way.”

The step may be unprecedented for CSE, but not for its partners in the Five Eyes — an intelligence-sharing alliance involving Australia, Canada, New Zealand, the United Kingdom and the United States.

Both the NSA and the U.K.’s Government Communications Headquarters (GCHQ) have maintained active projects on the code sharing repository GitHub in recent years.

‘A gift’ for companies

Assemblyline is described by CSE as akin to a conveyor belt: files go in, and a handful of small helper applications automatically comb through each one in search of malicious clues. On the way out, every file is given a score, which lets analysts sort old, familiar threats from the new and novel attacks that typically require a closer, more manual approach to analysis.

“There’s only so many ways you can hide malware within a Word document,” said John O’Brien, who leads the development of the tool, which first started in 2010. “So by looking for the hallmark of that type of an attack, that can give us an indication that there’s something in here that’s just off.”

Cybersecurity researcher Olivier Bilodeau says although there is overlap between Assemblyline and existing tools, CSE’s contribution is that it has cobbled together many of the tools that malware researchers already use into one platform, like a Swiss Army Knife for malware analysis that anyone can modify and improve. And it has demonstrated that Assemblyline can scale to handle networks as large as the government’s.

Bilodeau — who leads cybersecurity research at the Montreal security company GoSecure, and has developed a malware research toolbox of his own — says those attributes could make it easier for large organizations such as banks to do more of the kind of specialized work that his company does.

“They usually spend a lot of time fighting the malware, but not a lot of time investing in malware fighting infrastructure,” he said. “So this is definitely a gift for them.”

Spying on spies

The possibility that CSE’s own tool could be used to detect spy software of its own design, or that of its partners, is not lost upon the agency.

“Whatever it detects, whether it be cybercrime or [nation] states, or anybody else that are doing things — well that’s a good thing, because it’s made the community smarter in terms of defense,” said Jones.

Nor does he believe that releasing Assemblyline to the public will make it easier for adversaries to harm the government, or understand how CSE hunts for threats — quite the opposite, in fact.

“We believe that the benefits far outweigh any risks and that we can still use this to be ahead of the threat that’s out there.”




LokiBot Banking Malware Triggers Ransomware if User Tries to Remove It

A new variant of Android banking malware known as LokiBot triggers ransomware capabilities if a victim attempts to remove it from their infected device.

The malware, which bears the same name as a Windows info-stealer that can exfiltrate credentials from over 100 software tools, is making its rounds as a kit sold on hacking forums. Interested parties can purchase a full license with updates for $2,000 in Bitcoin.

LokiBot comes with a host of features enabling attackers to prey on unsuspecting users running Android 4.4 or higher. They can use the malware to read and send a victim’s SMS messages, a capability which they can abuse to send out spam and try to infect additional users. If successful, they can upload the victims’ browser histories to the command and control (C&C) server or conduct an overlay attack on targeted banking apps.

The baddie also comes with several unique features. First, it’s capable of starting a user’s web browser and opening a web page. Second, it can display notifications under the guise of legitimate applications with the intent of conducting an overlay attack.

Perhaps the most intriguing element of LokiBot is its ransomware capabilities. SfyLabs researchers Wesley Gahr, Pham Duy Phuc, and Niels Croese elaborate on this functionality:

“This ransomware triggers when you try to remove LokiBot from the infected device by revoking its administrative rights. It won’t go down without a fight and will encrypt all your files in the external storage as a last resort to steal money from you, as you need to pay Bitcoins to decrypt your files.”

The ransomware tells a victim that law enforcement has locked their device “for viewing child pornography.” It then asks them to pay between $70 and $100 to regain access to their phone. Fortunately, the user can disable the locker by booting into Safe mode and removing LokiBot’s admin rights and the app itself.

Screen shown when the ransomware locks the phone. (Source: SfyLabs)


The malware’s ransom-based last resort is supposed to encrypt victims’ files with AES. It fails in that regard, however: after encrypting a file and deleting the original, it immediately decrypts the result and writes the plaintext back. In effect it only renames the affected files; victims don’t lose any of their data.

Of course, other mobile ransomware and hybrid malware won’t make the same mistake.

Users can protect themselves against such threats by exercising caution around suspicious links and email attachments. They should also be careful to download apps only from trusted developers on Google’s Play Store and to read the requested permissions carefully. If a request seems inconsistent with the app’s functionality, users should forgo installation.


via: tripwire

How to Block Ransomware Using Controlled Folder Access on Your PC

Microsoft has released a new feature called “Controlled Folder Access” that helps Windows users protect their data against ransomware.

First announced in June 2017, Controlled Folder Access is an option in Windows Defender Security Center that went live in mid-October. Its purpose is to protect files contained in designated folders against unauthorized changes. Users can therefore activate Controlled Folder Access in order to prevent ransomware from encrypting their files and changing those documents’ file names.

Microsoft explains the feature as follows:

“Controlled folder access monitors the changes that apps make to files in certain protected folders. If an app attempts to make a change to these files, and the app is blacklisted by the feature, you’ll get a notification about the attempt. You can complement the protected folders with additional locations, and add the apps that you want to allow access to those folders.”

To enable Controlled Folder Access, Windows users should select Start > Settings (the gear symbol). They should then choose Update & security > Windows Defender. At that point, they should open the security center of Microsoft’s native malware protection program, view their “Virus & threat protection” settings, and turn on “Controlled folder access.”

Source: Microsoft

Once they’ve activated the feature, users can click the “Protected folders” sub-option and add any folders to which they’d like to restrict access. They should then follow up by selecting “Allow an app through Controlled folder access.” This course of action lets users whitelist certain applications that they know regularly use their protected folders.

In the event an unapproved application like crypto-malware attempts to make changes to one of the protected folders, Windows displays an alert message in the Windows Notifications sidebar. It also logs the activity in the Windows event log.
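The same configuration, done from an elevated PowerShell session with the Windows Defender cmdlets instead of the Settings UI, as an added example that is not part of the article or of Microsoft’s documentation; the folder and application paths are constructed placeholders, and the event IDs are the Defender operational-log IDs for blocked (1123) and audited (1124) Controlled folder access events:

```powershell
#Requires -RunAsAdministrator
# Added example: configure Controlled Folder Access and review its events from PowerShell.

# 1. Turn the feature on in audit mode first. Audit mode logs what *would* be blocked
#    without blocking it, which is how you find legitimate apps that need allow-listing
#    before switching to enforcement.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect extra folders beyond the defaults (Documents, Pictures, Desktop, ...).
$extraFolders = @(
    "$env:USERPROFILE\Projects",   # constructed example path
    'D:\Finance\Invoices'          # constructed example path
)
foreach ($folder in $extraFolders) {
    if (Test-Path -LiteralPath $folder) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
    }
}

# 3. Allow a trusted application through (the UI's "Allow an app through Controlled folder access").
#    Allow-list by full path; prefer a signed binary under Program Files over anything in a
#    user-writable location, since the allow-list trusts whatever lives at that path.
$trustedApp = 'C:\Program Files\ExampleVendor\backup-agent.exe'   # constructed example path
if (Test-Path -LiteralPath $trustedApp) {
    Add-MpPreference -ControlledFolderAccessAllowedApplications $trustedApp
}

# 4. Review the resulting configuration.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications

# 5. Pull the last week of Controlled folder access events. Each event names the process
#    that tried to write and the file it targeted, which is the detection signal to triage.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124          # 1123 = blocked, 1124 = audited
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$events |
    Select-Object TimeCreated, Id, @{ Name = 'Detail'; Expression = { $_.Message } } |
    Format-List

# 6. Once the audit period shows no legitimate apps being flagged, switch to enforcement.
# Set-MpPreference -EnableControlledFolderAccess Enabled
```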

A warning message displayed by Windows Defender Security Center through its Controlled folder access feature. (Source: Bleeping Computer)

Controlled Folder Access is an excellent way for users to protect themselves against ransomware. But it should not be the only way. Regardless of the OS they’re using, people should invest some time in preventing a ransomware infection by following basic prevention strategies. They should also back up their critical data on a regular basis in case they fall victim to an attack.


via: tripwire