Sunday 9 November 2014

APT28 — State Sponsored Russian Hacker Group


A cyber espionage group that has been active for nearly a decade, targeting a variety of Eastern European governments and security-related organisations including the North Atlantic Treaty Organization (NATO), has been exposed by a security research firm.

The US intelligence firm FireEye released its latest Advanced Persistent Threat (APT) report on Tuesday, which said that the cyber attacks targeting various organisations would be of interest to Russia, and "may be" sponsored by the Russian government.

The report, entitled "APT28: A Window Into Russia's Cyber Espionage Operations" and published by FireEye, presents "evidence of long-standing, focused operations that indicate a government sponsor - specifically, a government based in Moscow."
"Despite rumours of the Russian government's alleged involvement in high-profile government and military cyber attacks, there has been little hard evidence of any link to cyber espionage," Dan McWhorter, FireEye vice president of Threat Intelligence, wrote in a blog post discussing the report.
"FireEye's latest APT report sheds light on cyber espionage operations that we assess to be most likely to be sponsored by the Russian government, long believed to be a leader among major nations in performing sophisticated network attacks."
The cyber-espionage group is believed to have been operating since at least 2007 in order to steal political and state secrets from businesses and foreign governments. The group launched cyber attacks on the government of Georgia and other Eastern European governments, as well as NATO and the Organisation for Security and Co-operation in Europe, according to the report.

Whereas Russian cyber criminal groups are known for conducting massive campaigns aimed at stealing money and financial information, APT28 focuses on "privileged information related to governments, militaries and security organizations."
“This group, unlike the China-based threat actors we track, does not appear to conduct widespread intellectual property theft for economic gain,” FireEye stated in the report. “Nor have we observed the group steal and profit from financial account information.”
The security firm found that the malware used by APT28 features consistent use of the Russian language. Moreover, more than 96 percent of the malware samples analysed by the researchers were compiled between Monday and Friday, between 8AM and 6PM in the time zone matching working hours in Moscow and St. Petersburg. This regularity suggests that the hackers were working in Moscow, the report argues.
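The working-hours pattern FireEye describes comes from the compile timestamp stored in each sample's PE header. The following Python is an added illustration of that kind of analysis, not FireEye's own tooling: it reads the COFF TimeDateStamp from a PE image, shifts it to a fixed UTC+3 offset (an assumption standing in for Moscow time; a real analysis must use the historical offset valid on each sample's date), and reports what fraction of a constructed sample set was compiled on a weekday between 8AM and 6PM. The sample images are minimal constructed headers, not malware.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumption: a fixed UTC+3 offset stands in for Moscow / St. Petersburg
# local time. Real analysis must apply the offset valid on each date.
MOSCOW_OFFSET = timezone(timedelta(hours=3))
WORK_START, WORK_END = 8, 18  # 8 AM to 6 PM local time, end exclusive


def read_pe_timestamp(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime.

    The DOS header stores the offset of the "PE\\0\\0" signature at 0x3C;
    the COFF header follows the signature and its third field (after
    Machine and NumberOfSections, 2 bytes each) is the 32-bit timestamp.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    (timestamp,) = struct.unpack_from("<I", data, pe_offset + 8)
    return datetime.fromtimestamp(timestamp, tz=timezone.utc)


def build_minimal_pe(timestamp: int) -> bytes:
    """Construct a minimal, non-executable PE header carrying `timestamp`.

    Only the fields read_pe_timestamp() inspects are populated; the rest
    is zero padding. Used here in place of real samples.
    """
    dos_header = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff_header = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0)
    return dos_header + b"PE\0\0" + coff_header


def in_working_hours(compiled_utc: datetime) -> bool:
    """True if the UTC compile time falls on Mon-Fri, 08:00-18:00 at UTC+3."""
    local = compiled_utc.astimezone(MOSCOW_OFFSET)
    return local.weekday() < 5 and WORK_START <= local.hour < WORK_END


def working_hours_fraction(images) -> float:
    """Fraction of PE images whose compile time matches the working-hours window."""
    stamps = [read_pe_timestamp(img) for img in images]
    hits = sum(1 for ts in stamps if in_working_hours(ts))
    return hits / len(stamps)


# Constructed sample compile times (UTC). Nine fall on a weekday between
# 08:00 and 18:00 at UTC+3; the last one is a Saturday.
SAMPLE_COMPILE_TIMES_UTC = [
    "2013-03-04T06:15:00",  # Mon 09:15 local
    "2013-03-05T11:40:00",  # Tue 14:40 local
    "2013-03-06T14:55:00",  # Wed 17:55 local
    "2013-03-07T05:30:00",  # Thu 08:30 local
    "2013-03-08T13:05:00",  # Fri 16:05 local
    "2013-03-11T07:00:00",  # Mon 10:00 local
    "2013-03-12T10:20:00",  # Tue 13:20 local
    "2013-03-13T12:45:00",  # Wed 15:45 local
    "2013-03-14T08:10:00",  # Thu 11:10 local
    "2013-03-09T09:00:00",  # Sat 12:00 local -> outside the window
]
SAMPLE_IMAGES = [
    build_minimal_pe(int(datetime.fromisoformat(s).replace(tzinfo=timezone.utc).timestamp()))
    for s in SAMPLE_COMPILE_TIMES_UTC
]

if __name__ == "__main__":
    print(f"compiled during Moscow working hours: {working_hours_fraction(SAMPLE_IMAGES):.0%}")
```

Compile timestamps are attacker-controlled and can be forged, so the pattern is only one indicator; FireEye combines it with language artefacts and targeting, as the article notes.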
APT28 Hacker Group — Cyber Espionage Attacks Tied to Russian Government
The APT28 group has constantly updated their software and made the resulting binaries difficult to reverse engineer. It used a downloader tool that FireEye dubbed "SOURFACE", a backdoor labelled "EVILTOSS" that gives hackers remote access and a flexible modular implant called "CHOPSTICK" to enhance functionality of the espionage software.

Infection is usually achieved via a spear phishing email with a relevant lure and the malware hidden in the attachment. The hacker group has also created a number of fake domains for UK-based defence events, including the Counter Terror Expo, as part of the operation to gather intelligence on attendees.

With the help of the above-mentioned tools, the group could access the file system and registry, enumerate network resources, create processes, log keystrokes, access stored credentials, execute shellcode, and encrypt exfiltrated data with an RSA public key before uploading it.
“The coding practices evident in the group’s malware suggest both a high level of skill and an interest in complicating reverse engineering efforts,” the report stated.
In another report, a top White House official confirmed that Russian hackers had broken into the unclassified White House computer networks: "We identified activity of concern on the unclassified Executive Office of the President network."

Russia has been suspected of attacks on Ukraine too, including attempts to gain access to politicians’ mobile phone communications.

Friday 7 November 2014

FBI Seize Silk Road 2.0 Servers; Admin Arrested

The U.S. Federal Bureau of Investigation has announced that it arrested "Silk Road 2.0" operator Blake Benthall, who used the alias "Defcon", in California on Wednesday and charged him with conspiracy to commit drug trafficking, computer hacking, money laundering and other crimes.

Silk Road 2, an alternative to the notorious online illegal-drug marketplace that went dark in October of 2013, has been seized in a joint action involving the FBI, Department of Homeland Security, and European law enforcement.
"As alleged, Blake Benthall attempted to resurrect Silk Road, a secret website that law enforcement seized last year, by running Silk Road 2.0, a nearly identical criminal enterprise," Manhattan US Attorney Preet Bharara said in a statement. "Let’s be clear—this Silk Road, in whatever form, is the road to prison. Those looking to follow in the footsteps of alleged cybercriminals should understand that we will return as many times as necessary to shut down noxious online criminal bazaars. We don’t get tired."
The arrest comes almost a year after the arrest of San Francisco man Ross William Ulbricht, also known as "Dread Pirate Roberts", the alleged founder of the dark web online drug bazaar "Silk Road", which generated $8 million in monthly sales and attracted 150,000 vendors and customers. At that time, the FBI seized the notorious site, but the very next month a nearly identical site, Silk Road 2.0, opened for business.

The Feds and the US Department of Justice claim 26-year-old Blake Benthall launched the notorious Silk Road 2.0 on Nov. 6, 2013, five weeks after the shutdown of the original Silk Road website and arrest of its alleged operator.

Benthall appeared Thursday afternoon in federal court before Magistrate Judge Jaqueline Scott Corley, where Assistant US Attorney Kathryn Haun told the judge that Benthall is a "severe flight risk," according to the San Francisco Chronicle.

Benthall is charged with conspiring to commit narcotics trafficking, conspiring to commit computer hacking, conspiring to traffic in fraudulent identification documents and money laundering. If convicted, he could be sentenced to life in prison.

Silk Road 2.0 operated much the same way as its predecessor did: it sold illegal goods and services on the Tor network and generated millions of dollars each month. As of September 2014, Benthall allegedly processed $8 million in monthly sales, according to the FBI.

In order to maintain the anonymity of buyers and sellers, Silk Road 2.0 had all transactions made in Bitcoin and was accessed through The Onion Router (Tor), which conceals Internet Protocol (IP) addresses, enabling users to hide their identities and locations.

According to the FBI, it bought 1 kilogram of heroin, 5 kilograms of cocaine, and 10 grams of LSD from Silk Road 2.0, apparently from Benthall himself.
"The offerings on Silk Road 2.0 consisted overwhelmingly of illegal drugs, which were openly advertised as such on the site. As of October 17, 2014, Silk Road 2.0 had over 13,000 listings for controlled substances," reads the complaint.
"Silk Road 2.0 had over 13,000 listings for controlled substances, including, among others, 1,783 listings for 'Psychedelics,' 1,697 listings for 'Ecstasy,' 1,707 listings for 'Cannabis,' and 379 listings for 'Opioids.'"

Thursday 6 November 2014

Samsung 'Find My Mobile' Flaw Allows Hacker to Remotely Lock Your Device


The National Institute of Standards and Technology (NIST) is warning users of a newly discovered zero-day flaw in the Samsung Find My Mobile service, which fails to validate the sender of lock-code data received over a network.

The Find My Mobile feature implemented by Samsung in its devices is a mobile web service that gives Samsung users a set of features to locate a lost device, play an alert on it remotely, and lock it remotely so that no one else can access the lost device.

The vulnerability in Samsung’s Find My Mobile feature was discovered by Mohamed Abdelbaset Elnoby (@SymbianSyMoh), an Information Security Evangelist from Egypt. The flaw is a Cross-Site Request Forgery (CSRF) that could allow an attacker to remotely lock or unlock the device and even make it ring.

Cross-Site Request Forgery (CSRF or XSRF) is an attack that tricks the victim into loading a specially crafted HTML page. Basically, an attacker uses a CSRF attack to trick a victim into clicking a link that issues malicious or unauthorized requests.

Because the victim's browser attaches the victim's session credentials, the forged request carries the same privileges as the authorized user and performs an undesired action on the victim's behalf, such as changing the victim's e-mail address, home address or password, or purchasing something. CSRF attacks generally target functions that cause a state change on the server, but they can also be used to access the victim’s sensitive data.
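To make the mechanism concrete, here is an added example in Python of a hypothetical "remote lock" endpoint modelled on the class of flaw described above; it is not Samsung's code, and the service origin, user names and lock codes are all constructed. The vulnerable handler trusts the session cookie alone, so a request triggered from a page on another site is honoured; the hardened handler additionally checks the request's Origin/Referer and a per-session CSRF token that a foreign page cannot read.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical origin of the lock service; a constructed value.
ALLOWED_ORIGINS = {"https://remote-lock.example"}


class Session:
    """Server-side session for a logged-in user (toy model)."""

    def __init__(self, user: str):
        self.user = user
        # Per-session secret embedded in the site's own forms as a hidden
        # field. A page served from another origin cannot read it.
        self.csrf_token = secrets.token_urlsafe(32)


def lock_device_vulnerable(session, form):
    """Handler that trusts the session cookie alone.

    The browser attaches the cookie to any request aimed at this site,
    including one a malicious page submits, so the request is honoured.
    """
    if session is None:
        return "error: not logged in"
    return f"locked {session.user}'s device with code {form['lock_code']}"


def request_origin(headers):
    """Origin header if present, otherwise scheme://host from Referer."""
    if "Origin" in headers:
        return headers["Origin"]
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def lock_device_hardened(session, form, headers):
    """Same handler with two independent CSRF defences.

    1. The request origin must be the site itself (exact match, so a
       look-alike host such as remote-lock.example.evil is not accepted).
    2. The form must carry the session's token, compared in constant time.
    """
    if session is None:
        return "error: not logged in"
    if request_origin(headers) not in ALLOWED_ORIGINS:
        return "error: cross-origin request rejected"
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session.csrf_token):
        return "error: missing or invalid CSRF token"
    return f"locked {session.user}'s device with code {form['lock_code']}"


def simulate_cross_site_request():
    """A victim with a live session loads a page on another origin that
    submits a lock request. Returns (vulnerable_result, hardened_result)."""
    victim = Session("alice")
    forged_form = {"lock_code": "123456"}          # attacker's choice, no token
    forged_headers = {"Origin": "https://other-site.example"}
    return (
        lock_device_vulnerable(victim, forged_form),
        lock_device_hardened(victim, forged_form, forged_headers),
    )


def simulate_legitimate_request():
    """The site's own form carries the token and comes from the site origin."""
    user = Session("alice")
    form = {"lock_code": "654321", "csrf_token": user.csrf_token}
    headers = {"Referer": "https://remote-lock.example/devices/lock"}
    return lock_device_hardened(user, form, headers)


if __name__ == "__main__":
    print(simulate_cross_site_request())
    print(simulate_legitimate_request())
```

The token check is the primary defence; the origin check is cheap defence in depth for browsers that send Origin or Referer. Both belong on every state-changing endpoint, and the token should never be accepted from a URL query string, where it leaks into logs and referrers.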
"In this way, the attacker can make the victim perform actions that they didn't intend to, such as logout, purchase item, change account information, retrieve account information, or any other function provided by the vulnerable website," Elnoby said.
The researcher has also provided a proof-of-concept (PoC) video that gives a detailed explanation of how he made the attack work against Samsung’s Find My Mobile feature.


According to the researcher, the first attack, which remotely locks the victim’s device, is critical if exploited because the attacker can lock the device with a lock code of their own choice, forcing the victim to recover the lock code through their Google account.

US-CERT/NIST assigned the vulnerability in Samsung Find My Mobile the identifier CVE-2014-8346 and rated its severity as HIGH, with an exploitability score of 10.0.
"The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic," the security advisory issued by the NIST states.

New BlackEnergy Crimeware Enhanced to Target Linux Systems and Cisco Routers


Security researchers at Kaspersky Lab have unearthed new capabilities in the BlackEnergy crimeware, which now has the ability to compromise routers, Linux systems and Windows machines, targeting industry through Cisco network devices.

The antivirus vendor’s Global Research & Analysis Team released a report Monday detailing some of the new “relatively unknown” custom plug-in capabilities that the cyber espionage group has developed for BlackEnergy to attack Cisco networking devices and target ARM and MIPS platforms.

The malware was upgraded with custom plugins including Ciscoapi.tcl, which targets The Borg's kit, and, according to researchers, the upgraded version contained various wrappers over Cisco EXEC commands and "a punchy message for Kaspersky," which reads, "F*uck U, Kaspersky!!! U never get a fresh B1ack En3rgy. So, thanks C1sco 1td for built-in backd00rs & 0-days."

BlackEnergy malware program was originally created and used by cybercriminals to launch Distributed Denial-of-Service (DDoS) attacks. The malware developer then added some custom plugins used to funnel banking information.

Most recently BlackEnergy malware was observed in alleged state-sponsored attacks targeting the North Atlantic Treaty Organization (NATO), Ukrainian and Polish government agencies, and a variety of sensitive European industries over the last year.

Now, the cyber espionage group has enhanced the malware program, which also has capabilities such as port scanning, password stealing, system information gathering, digital certificate theft, remote desktop connectivity, and even hard disk wiping and destruction.

If a victim became aware of the BlackEnergy infection on their system, the attacker activated "dstr," a plugin that destroys hard disks by overwriting them with random data. A second victim was compromised using VPN credentials taken from the first victim.

Security researchers Kurt Baumgartner and Maria Garnaeva also came across a BlackEnergy version that works on ARM- and MIPS-based systems and found that it had compromised networking devices manufactured by Cisco Systems.

However, the experts are not sure of the purpose of some plugins, including one that gathers device instance IDs and other information on connected USB drives and another that collects details on the BIOS (Basic Input/Output System), motherboard and processor of infected systems.
"We are pretty sure that our list of [BlackEnergy] tools is not complete," the researchers wrote. "For example, we have yet to obtain the router access plugin, but we are confident that it exists. Evidence also supports the hypothesis that there is a decryption plugin for victim files."
Multiple unnamed victim companies in different countries were targeted with the latest BlackEnergy malware, including victims in Russia, Germany, Belgium, Turkey, Libya, Vietnam and several other countries.

The Sandworm Team, another crimeware group, is believed to have used BlackEnergy exclusively throughout 2014 at victim sites and to have included custom plugins and scripts of its own. Also last month, the Sandworm Team targeted organizations across the world in an espionage campaign, and iSIGHT Partners revealed that the team used spear phishing as its major attack vector.

Google Releases 'nogotofail' Network Traffic Security Testing Tool


Google has introduced a new security tool to help developers detect bugs and security glitches in network traffic security that may leave passwords and other sensitive information open to snooping.

The open source tool, dubbed Nogotofail, has been launched by the technology giant in the wake of a number of vulnerabilities discovered in implementations of transport layer security, from the critical Heartbleed bug in OpenSSL to Apple's gotofail bug to the recent POODLE bug in SSL version 3.

The company has made the Nogotofail tool available on GitHub, so that anyone can test their applications, contribute new features to the project, provide support for more platforms, and help improve the security of the internet.

Android security engineer Chad Brubaker said that Nogotofail's main purpose is to confirm that internet-connected devices and applications aren't vulnerable to transport layer security (TLS) and Secure Sockets Layer (SSL) encryption issues.

The network security testing tool includes tests for common SSL certificate verification issues, HTTPS and TLS/SSL library vulnerabilities and misconfigurations, SSL and STARTTLS stripping issues, cleartext traffic issues, and more.
"Google is committed to increasing the use of TLS/SSL in all applications and services. But 'HTTPS everywhere' is not enough; it also needs to be used correctly," Brubaker wrote in a blog post.
"Most platforms and devices have secure defaults, but some applications and libraries override the defaults for the worse, and in some instances we've seen platforms make mistakes as well. As applications get more complex, connect to more services, and use more third party libraries, it becomes easier to introduce these types of mistakes."
Nogotofail tool, written by Android engineers Chad Brubaker, Alex Klyubin and Geremy Condra, works on devices running Android, iOS, Linux, Windows, Chrome OS, OS X, and “in fact any device you use to connect to the Internet.” The tool can be deployed on a router, a Linux machine, or a VPN server.

The company says it has been using the Nogotofail tool internally for "some time" and has worked with developers to improve the security of their apps before releasing it. "But we want the use of TLS/SSL to advance as quickly as possible," Brubaker said.

The Nogotofail tool requires Python 2.7 and pyOpenSSL>=0.13. It consists of an on-path network man-in-the-middle (MiTM) component, designed to run on Linux machines, and optional clients for the devices being tested.
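As an added example (not part of the Nogotofail project, and written for Python 3 rather than the 2.7 the tool requires), the code below audits a client-side ssl.SSLContext for three of the issue classes the tool tests for: certificate verification disabled, hostname checking disabled, and SSLv3 left enabled (the version POODLE targets). It contrasts the kind of "override for the worse" Brubaker describes with the platform default context.

```python
import ssl


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of finding codes for a client-side SSLContext.

    Each check corresponds to a class of problem Nogotofail looks for
    on the wire; here it is checked statically on the configuration.
    """
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        # Any certificate is accepted, so an on-path attacker's
        # self-signed certificate terminates the "secure" connection.
        findings.append("no-cert-verification")
    if not ctx.check_hostname:
        # Chain is verified but not bound to the host: any valid
        # certificate for any name is accepted.
        findings.append("no-hostname-check")
    if not ctx.options & ssl.OP_NO_SSLv3:
        # SSLv3 negotiable -> downgrade to the protocol POODLE breaks.
        findings.append("sslv3-allowed")
    return findings


def make_weak_context() -> ssl.SSLContext:
    """The 'override for the worse' pattern: an application silences
    certificate errors instead of fixing its trust store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_hardened_context() -> ssl.SSLContext:
    """Platform defaults: system trust store, hostname check, no SSLv2/3."""
    return ssl.create_default_context()


if __name__ == "__main__":
    print("weak    :", audit_context(make_weak_context()))
    print("hardened:", audit_context(make_hardened_context()))
```

A static audit like this catches configuration the application controls; it cannot see what a third-party library does behind the application's back or whether traffic is being sent in cleartext, which is why an on-path tool such as Nogotofail tests the actual connections.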

Wednesday 5 November 2014

The Pirate Bay's 3rd and the Last Founder Arrested After 4 Years On The Run


Fredrik Neij, known online as "TiAMO", the third and last founder of the popular file sharing website The Pirate Bay, has been arrested while driving across the border between Laos and Thailand.

The 36-year-old fugitive Fredrik Neij was convicted by a Swedish court in 2009 of aiding copyright infringement and now he has been arrested under an Interpol warrant after four years on the run.

The Pirate Bay allows users to share files, including copyrighted content such as movies and music, through peer-to-peer technology.

He fled the country after being released on bail and had been living in Laos with his wife and children since 2012. Neij was arrested on Monday while trying to cross a border checkpoint in Nong Khai province, about 385 miles northeast of Bangkok, with his wife, police said.
"Mr. Neij will be transferred to the immigration headquarters in Bangkok on Wednesday where the Swedish embassy is expected to pick him up and bring him back to Sweden," WP reported.
According to Neij's travel records, he and his family have traveled to Thailand about 30 times since his passport was revoked by the Swedish Embassy in Bangkok in 2012.

His photo had been given to immigration police in Nong Khai. It might have been a coincidence, but unluckily Neij was wearing the same grey T-shirt while crossing the border that was in the photo.
"The immigration police officer who spotted him in the car recognized him, so he pulled his car over," regional immigration police commissioner Major General Chartchai Eimsaeng said.
Last week, Pirate Bay's first founder Gottfrid Svartholm, who used the alias "Anakata" on the Internet, was also found guilty of hacking by a Danish court and is now serving a three-and-a-half-year sentence, while the second founder, Peter Sunde, is serving the final days of an eight-month sentence in Sweden.

Anyway, the awesome 'The Pirate Bay' website is of course still alive and kicking!

AirHopper — Hacking Into an Isolated Computer Using FM Radio Signals

In order to secure sensitive information such as financial data, many companies and government agencies use air-gapped computer systems, making sure they aren't connected to any network at all. But even the most secure systems aren't safe anymore.

Security researchers at the Cyber Security Labs at Ben Gurion University in Israel have found a way to snoop on a personal computer even with no network connection.

STEALING DATA USING RADIO SIGNALS
Researchers have developed a proof-of-concept malware that can infiltrate a closed network to lift data from a machine that has been kept completely isolated from the internet or any Wi-Fi connection by using little more than a mobile phone’s FM radio signals.

Researcher Mordechai Guri, along with Professor Yuval Elovici of Ben Gurion University, presented the research on Thursday at the 9th IEEE International Conference on Malicious and Unwanted Software (MALCON 2014), held in Denver.

This new technology is known as ‘AirHopper’ — basically a keylogger app to track what is being typed on the computer or the mobile phone.

AirHopper is a special type of keylogger because it uses radio frequencies to transmit data from a computer, all by exploiting the computer's monitor display, in order to evade air-gap security measures.
"This is the first time that a mobile phone is considered in an attack model as the intended receiver of maliciously crafted radio signals emitted from the screen of the isolated computer," according to a release by Ben Gurion University.
HOW DOES AIRHOPPER WORK?
The technology works by using the FM radio receiver included in some mobile phones. AirHopper is able to capture keystrokes by intercepting certain radio emissions from the monitor or display unit of the isolated computer.

The researchers can then pick up the FM signals on a nearby smartphone and translate the FM signals into the typed text.

LIMITATIONS
The technique is completely new, although it has some limitations. The team claims that textual and binary information can be gathered from a distance of up to 7 meters with an effective bandwidth of 13-60 bytes per second.
"AirHopper demonstrates how textual and binary data can be exfiltrated from physically a (sic) isolated computer to mobile phones at a distance of 1-7 meters, with effective bandwidth of 13-60 (bytes per second). Enough to steal a secret password."
This, according to the researchers, is enough to steal a secret password. Therefore, in an effort to obtain secret data, an attacker could infect the mobile phone of a staff member using the AirHopper method, which works in stealth mode, and then transmit the data.

VIDEO DEMONSTRATION AND POTENTIAL DANGER
The researchers have also provided a proof-of-concept video, so you can watch the demonstration and find out whether you should be worried or not.


According to the researchers, the AirHopper data theft technique was developed by the university in order to protect against potential intrusions of this kind in the future.

"Such technique can be used potentially by people and organizations with malicious intentions and we want to start a discussion on how to mitigate this newly presented risk." said Dudu Mimran, chief technology officer of the Ben Gurion University’s cyber security labs.

Drupal SQL Injection Vulnerability leaves Millions of Websites Open to Hackers

One of the most popular content management systems, Drupal, is warning its users to consider their websites compromised unless the sites were updated immediately with a security patch released on 15 October 2014.

Drupal is an open source software package that provides a content management system (CMS) for websites including MTV, Popular Science, Sony Music, Harvard and MIT. Drupal is used to power roughly 1 billion websites on the Internet, which puts Drupal in third place behind the juggernaut WordPress and then Joomla.

Drupal’s security team released a "public service announcement" on Wednesday to warn users of the SQL injection attack revealed two weeks ago, which compromised almost 12 million of the widely used Drupal 7 websites. Users were asked to update their websites to Drupal 7.32 immediately, within seven hours of the announcement of the vulnerability.
"Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before October 15, 11pm UTC, that is seven hours after the announcement," the Drupal security announcement said.
The vulnerability became public on October 15 and, according to the Drupal security team, shortly after the disclosure attackers began exploiting it using "automated attacks." The most worrying part of the bug is that it allows a hacker to compromise a target website without any authentication, and the attack leaves no trace afterward.

The "highly critical" SQL injection vulnerability actually resides in Drupal core code that is designed specifically to help prevent SQL injection attacks. By exploiting the flaw in a vulnerable version of the Drupal CMS, hackers could steal personal information from the website or, in some cases, install a backdoor on compromised systems to give themselves remote access. In short, it can lead to a complete website compromise.

Moreover, the Drupal security team also says that in some cases attackers may have actually installed a backdoor on compromised systems and then applied the patch themselves, in order to ensure that no other attacker can gain access to the target site.
"Updating to version 7.32 or applying the patch fixes the vulnerability, but does not fix an already compromised website. If you find that your site is already patched but you didn't do it, that can be a symptom that the site was compromised — some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site."
If an attacker has added a backdoor to a system on which a vulnerable Drupal 7 is installed, then, according to the Drupal security team, you are recommended to take the site offline, delete all its files and databases, restore them from backups made before Oct. 15, and then patch the site before bringing it back online.

You can also follow below points to restore a vulnerable site:
  • Take the website offline by replacing it with a static HTML page
  • Notify the server's administrator emphasizing that other sites or applications hosted on the same server might have been compromised via a backdoor installed by the initial attack
  • Consider obtaining a new server, or otherwise remove all the website’s files and database from the server. (Keep a copy safe for later analysis.)
  • Restore the website (Drupal files, uploaded files and database) from backups from before 15 October 2014
  • Update or patch the restored Drupal core code
  • Put the restored and patched/updated website back online
  • Manually redo any desired changes made to the website since the date of the restored backup
  • Audit anything merged from the compromised website, such as custom code, configuration, files or other artifacts, to confirm they are correct and have not been tampered with.
Users can download the latest and updated Drupal version 7.32 against the Highly critical vulnerability from the official Drupal website.
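The advisory's point that a site may have been patched by someone other than its administrator, and the final step of auditing anything merged from the compromised site, both come down to comparing the live tree against a trusted baseline. The Python below is an added illustration of that check, not a Drupal project tool: it hashes every file under a directory, diffs the result against a baseline manifest, and runs on a constructed temporary tree (the file names are placeholders, not Drupal's own paths).

```python
import hashlib
import os
import tempfile


def build_manifest(root: str) -> dict:
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Classify differences between a trusted baseline and the live tree.

    'added' files in upload or cache directories and 'modified' core
    files the administrator did not touch are the symptoms to chase.
    """
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            path for path in baseline
            if path in current and baseline[path] != current[path]
        ),
    }


def write_file(root: str, rel: str, content: str) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)


def demo() -> dict:
    """Constructed scenario: snapshot a known-good tree from before the
    incident, then simulate what a compromise followed by a silent patch
    looks like. File names are placeholders, not real Drupal paths."""
    with tempfile.TemporaryDirectory() as root:
        write_file(root, "index.php", "<?php echo 'site'; ?>\n")
        write_file(root, "core/query_builder.inc", "<?php // pre-patch version\n")
        write_file(root, "config/settings.php", "<?php $db = 'placeholder';\n")
        baseline = build_manifest(root)   # taken from the pre-15-October backup

        # Live tree afterwards: a core file changed although the
        # administrator applied no patch, and an unknown PHP file appeared
        # in a directory that should hold only uploads.
        write_file(root, "core/query_builder.inc", "<?php // patched version\n")
        write_file(root, "uploads/helper.php", "<?php // unknown file\n")
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}: {paths}")
```

In practice the baseline is the pristine release tarball plus the pre-incident backup, and the manifest is computed on a clean machine, since hashing tools on a compromised host cannot be trusted. Database contents (stored PHP in cache or block tables, new admin accounts) need the same comparison and are not covered by a file walk.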

Hackers Can Steal $999,999.99 from Visa Contactless Payment Card

 
Security researchers from Newcastle University in the UK have found a way to steal large amounts of money from people's pockets using just a mobile phone, due to a security flaw in Visa’s contactless payment cards.

Contactless payment cards use a cryptoprocessor and RFID technology to perform secure transactions without the need to insert the card into a reader; an NFC-equipped mobile device may also be used as a payment card. Transaction limits are specified per country.

Contactless payment cards are meant to have a limit of £20 per purchase in the UK, allowing shoppers to buy things by simply tapping their card on a scanner, without having to type in a PIN. But exploiting a flaw in the protocol could allow cyber criminals to manipulate the cards to transfer up to $999,999.99 in foreign currency into a scammer’s account.

On Wednesday, at the 21st ACM Conference on Computer and Communications Security, the researchers detailed the attack, which relies on a “rogue POS terminal” running on a mobile device that can be pre-set to a large amount of money, requesting a wireless transfer of up to 999,999.99 units in any currency.
"With just a mobile phone we created a POS terminal that could read a card through a wallet," Martin Emms, lead researcher of the project noted in a statement about the findings. "All the checks are carried out on the card rather than the terminal so at the point of transaction, there is nothing to raise suspicions."
"By pre-setting the amount you want to transfer, you can bump your mobile against someone’s pocket or swipe your phone over a wallet left on a table and approve a transaction. In our tests, it took less than a second for the transaction to be approved."
The good news is that the research team hasn’t tested how Visa’s system would react to a rush of foreign currency transfers, and whether it would flag them as possible fraud or not.

But the experts are worried that the contactless payment system is insecure, and that cybercriminals would likely use the flaw to set up hundreds or thousands of fraudulent transactions in smaller amounts to evade detection.
"Our research has identified a real vulnerability in the payment protocol, which could open the door to potential fraud by criminals who are constantly looking for ways to breach the system," Emms said.
In a report on the BBC, Visa Europe said that "we have reviewed Newcastle's findings as part of our continued focus on security and beating payments fraud" and that their research "does not take into account the multiple safeguards put into place throughout the Visa system", adding that it would be "very difficult to complete this type of transaction outside of a laboratory environment."
Visa Europe also said that the company is updating its protection to require more payment card transactions to be authenticated online, making this kind of attack more difficult to carry out.

Researcher Found TextSecure Messenger App Vulnerable to Unknown Key-Share Attack

 
Do you use TextSecure Private Messenger for your private conversations? If so, are you sure you are actually using a secure messaging app?

TextSecure, an Android app developed by Open WhisperSystems, is completely open source and claims to support end-to-end encryption of text messages. The app is free and designed with privacy in mind.

However, while conducting the first audit of the software, security researchers from Ruhr University Bochum found that the popular mobile messaging app is open to an Unknown Key-Share attack.

After Edward Snowden revealed the state surveillance programs conducted by the National Security Agency, and around the time Facebook acquired WhatsApp, TextSecure came into the limelight and became one of the best alternatives for users who want secure communication.
"Since Facebook bought WhatsApp, instant messaging apps with security guarantees became more and more popular," the team wrote in the paper titled, "How Secure is TextSecure?".
The messaging app has attracted a lot of attention lately and has been downloaded by half a million users from Google's Play Store. The research team produced a complete and precise documentation and analysis of TextSecure’s secure push messaging protocol.
"We are the first to completely and precisely document and analyze TextSecure's secure push messaging protocol," the team wrote.
"We show that if long-term public keys are authentic, so are the message keys, and that the encryption block of TextSecure is actually one-time stateful authenticated encryption [and] prove TextSecure's push messaging can indeed achieve the goals of authenticity and confidentiality."
According to the research team, TextSecure works on a complex cryptographic protocol and is part of the CyanogenMod Android operating system, a popular open source aftermarket Android firmware that has been installed on about 10 million Android devices. But the researchers discovered an Unknown Key-Share (UKS) attack against the protocol.

The research was conducted by Tilman Frosch, Christian Mainka, Christoph Bader, Florian Bergsma, Jörg Schwenk and Thorsten Holz. To help readers understand the UKS attack against the protocol, the team explained it via an example as follows:
"Bart wants to trick his friend Milhouse. Bart knows that Milhouse will invite him to his birthday party using TextSecure. He starts the attack by replacing his own public key with Nelson's public key and lets Milhouse verify the fingerprint of his new public key. This can be justified, for instance, by claiming to have a new device and having simply re-registered ... if Milhouse invites Bart to his birthday party, then Bart may just forward this message to Nelson who will believe that this message was actually sent from Milhouse. Thus, Milhouse believes that he invited Bart to his birthday party, where in fact, he invited Nelson."
The researchers also provided a mitigation strategy, which has already been acknowledged by TextSecure's developers, that prevents the UKS attack. The proposed method resolves the issue, making TextSecure's push messaging secure and allowing it to achieve one-time stateful authenticated encryption.
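To illustrate the Bart/Milhouse/Nelson scenario, the Python below is an added toy model rather than the paper's or TextSecure's code: a throwaway Diffie-Hellman over a small prime, a MAC key derived from the shared secret, and a per-user directory of verified public keys. Without identity binding, Nelson accepts the forwarded message; with the sender's name and the intended recipient's name mixed into the key derivation (a standard unknown-key-share countermeasure assumed here, since the page does not state the paper's exact fix), his derived key differs from Milhouse's and the forwarded message is rejected.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman over a Mersenne prime. Illustrative only; it is not
# TextSecure's Curve25519 / Axolotl machinery.
P = 2 ** 127 - 1
G = 2


class User:
    def __init__(self, name: str):
        self.name = name
        self.sk = secrets.randbelow(P - 2) + 1   # long-term private key
        self.pk = pow(G, self.sk, P)             # long-term public key

    def shared_secret(self, peer_pk: int) -> bytes:
        return pow(peer_pk, self.sk, P).to_bytes(16, "big")


def message_key(shared: bytes, sender: str, recipient: str, bind: bool) -> bytes:
    """Derive a MAC key from the DH secret.

    With bind=True the names of the sender and of the *intended* recipient
    are mixed in (assumed countermeasure, see lead-in); with bind=False the
    key depends on the two long-term keys alone.
    """
    info = f"{sender}->{recipient}".encode() if bind else b""
    return hmac.new(shared, b"msgkey|" + info, hashlib.sha256).digest()


def seal(sender: User, recipient_name: str, directory: dict, text: str, bind: bool):
    """Authenticate `text` for the party the sender believes is
    `recipient_name`, using the key its directory holds for that name."""
    shared = sender.shared_secret(directory[recipient_name])
    key = message_key(shared, sender.name, recipient_name, bind)
    tag = hmac.new(key, text.encode(), hashlib.sha256).digest()
    return text, tag


def open_message(receiver: User, claimed_sender: str, directory: dict,
                 text: str, tag: bytes, bind: bool) -> bool:
    """Verify a message the receiver believes `claimed_sender` addressed to it."""
    shared = receiver.shared_secret(directory[claimed_sender])
    key = message_key(shared, claimed_sender, receiver.name, bind)
    expected = hmac.new(key, text.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def uks_scenario(bind: bool) -> bool:
    """Return True if Nelson accepts a message Milhouse meant for Bart."""
    milhouse, bart, nelson = User("milhouse"), User("bart"), User("nelson")
    milhouse_dir = {"bart": bart.pk}
    nelson_dir = {"milhouse": milhouse.pk}

    # Bart re-registers under Nelson's public key and has Milhouse
    # "verify" the new fingerprint (the "new device" story).
    milhouse_dir["bart"] = nelson.pk

    # Milhouse writes to "Bart"; the key his directory holds is Nelson's.
    text, tag = seal(milhouse, "bart", milhouse_dir, "come to my party", bind)

    # Bart forwards the message unchanged; does Nelson accept it as
    # something Milhouse sent to him?
    return open_message(nelson, "milhouse", nelson_dir, text, tag, bind)


def honest_scenario(bind: bool) -> bool:
    """Sanity check: an unmanipulated Milhouse -> Bart message still verifies."""
    milhouse, bart = User("milhouse"), User("bart")
    text, tag = seal(milhouse, "bart", {"bart": bart.pk}, "hi", bind)
    return open_message(bart, "milhouse", {"milhouse": milhouse.pk}, text, tag, bind)


if __name__ == "__main__":
    print("UKS succeeds without binding:", uks_scenario(bind=False))
    print("UKS succeeds with binding:   ", uks_scenario(bind=True))
```

The point of the model is that fingerprint verification alone does not help: Milhouse really did verify the key he was shown, and the DH secret Nelson computes is genuinely the one Milhouse used. Only tying the intended identities into the key (or into the authenticated data) makes the two parties' views of "who is talking to whom" part of what the MAC protects.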

Rootpipe — Critical Mac OS X Yosemite Vulnerability Allows Root Access Without Password

A Swedish security researcher has discovered a critical vulnerability in Apple's OS X Yosemite that allows hackers to escalate privileges on a compromised machine and gain the highest level of access on it, known as root access.

The vulnerability, dubbed "Rootpipe", was uncovered by Swedish white-hat hacker Emil Kvarnhammar, who is withholding the full details of the privilege escalation bug until January 2015 to give Apple time to prepare a security patch.
"Details on the #rootpipe exploit will be presented, but not now. Let's just give Apple some time to roll out a patch to affected users," Emil Kvarnhammar, IT specialist and hacker at the security company Truesec, tweeted.
By exploiting the vulnerability in Mac OS X Yosemite, an attacker could bypass the usual safeguards that are supposed to stop anyone from gaining root on the operating system, effectively opening a temporary backdoor.

ROOT ACCESS WITHOUT PASSWORD
Once the bug is exploited, hackers could install malicious software or make other changes to your computer without needing a password.

Hackers could steal victims' sensitive information such as passwords or bank account details, or, if they wished, wipe the entire affected computer, deleting all of the victim's data.

Kvarnhammar has also provided a video to explain his initial finding.
"It all started when I was preparing for two security events, one in Stockholm and one in Malmö," Kvarnhammar says. "I wanted to show a flaw in Mac OS X, but relatively few have been published. There are a few 'proof of concepts' online, but the latest I found affected the older 10.8.5 version of OS X. I couldn't find anything similar for 10.9 or 10.10."
Kvarnhammar tested the vulnerability on OS X versions 10.8, 10.9 and 10.10. He has confirmed that it has existed since at least 2012, but it is probably much older than that.

INFORMED APPLE
Kvarnhammar contacted Apple about the issue but initially received no response; Apple later quietly asked him for more details. When he provided them, Apple asked Truesec not to disclose the bug until the following January.
Kvarnhammar said, "The current agreement with Apple is to disclose all details in mid-January 2015. This might sound like a long wait, but hey, time flies. It's important that they have time to patch, and that the patch is available for some time."
HOW TO PROTECT
Full disclosure of the vulnerability will follow in January, after Apple has provided a fix. Until then, OS X Yosemite users are advised to take the following steps to protect themselves from exploitation of Rootpipe:
  • Avoid running the system on a daily basis with an admin account; an attacker who gains control of a non-admin account obtains only limited privileges.
  • Use Apple's FileVault volume encryption tool, which encrypts and decrypts on the fly so that your information is always protected.
However, the best protection against vulnerabilities like this is to keep the operating system on your machine up to date, and to be careful with the links and documents others send you.
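Both recommendations above can be checked on a machine with two tools Apple ships: `dseditgroup -o checkmember` reports whether an account belongs to the `admin` group, and `fdesetup status` reports whether FileVault is on. The script below is an added example, not Truesec's or Apple's code; the exact wording of the two tools' output that it parses ("yes ... is a member of admin", "FileVault is On.") is an assumption, which is why the parsing lives in small functions that can be exercised on saved output.

```python
"""Posture check for the two Rootpipe mitigations recommended above (added example;
not from Truesec or Apple). On a Mac it runs dseditgroup and fdesetup; the parsing
functions are separate so they also work on saved output. Output wording is assumed."""
import getpass
import subprocess


def is_admin(dseditgroup_output):
    """dseditgroup -o checkmember -m USER admin is assumed to print
    'yes USER is a member of admin' or 'no USER is NOT a member of admin'."""
    return dseditgroup_output.strip().lower().startswith("yes")


def filevault_on(fdesetup_output):
    """fdesetup status is assumed to print 'FileVault is On.' or 'FileVault is Off.'."""
    return fdesetup_output.strip().lower().startswith("filevault is on")


def findings(dseditgroup_output, fdesetup_output):
    """Return the list of posture findings derived from the two tool outputs."""
    out = []
    if is_admin(dseditgroup_output):
        out.append("daily-use account is in the admin group; use a standard account "
                   "for everyday work and keep a separate admin account")
    if not filevault_on(fdesetup_output):
        out.append("FileVault is off; enable full-disk encryption")
    return out


def _run(cmd):
    """Run an Apple tool and return its stdout, or '' if the tool is not present."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True).stdout
    except (OSError, subprocess.SubprocessError):
        return ""


if __name__ == "__main__":
    user = getpass.getuser()
    admin_text = _run(["dseditgroup", "-o", "checkmember", "-m", user, "admin"])
    fv_text = _run(["fdesetup", "status"])
    if not admin_text and not fv_text:
        raise SystemExit("Apple directory/FileVault tools not found; run this on OS X.")
    for item in findings(admin_text, fv_text) or ["no findings"]:
        print("-", item)
```

Run it from the account you use every day; an empty findings list means that account is a standard user and the startup volume is encrypted, which is the posture the two bullet points above ask for.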

Sunday 26 October 2014

Google Launches User-Friendly 'Inbox' App, Alternative To Gmail


Google is offering its users a completely new and better experience of its mail service. To that end, the company on Wednesday launched a new email service called "Inbox", an alternative to Gmail, that aims to make email more useful and to preview next-generation capabilities.
Inbox will not replace Gmail, the company's popular 10-year-old email product; instead, it will sit alongside Gmail and help users better organize their email, with live alerts for appointments, flight bookings and package deliveries presented in a more user-friendly way.
"Years in the making, Inbox is by the same people who brought you Gmail, but it's not Gmail: it's a completely different type of inbox, designed to focus on what really matters," wrote Sundar Pichai, Google’s senior vice president of Android, Chrome and apps, in a blog post.
According to the company, the Inbox service was designed to deal with the problem of getting too much email, in which the important and most urgent messages get lost amidst junk messages and endless threads.

Inbox addresses this problem by surfacing real-time updates to emails, for example the delivery status of items bought online, and by showing reminders in a more accessible way so that users can more easily keep track of their important chores and appointments.
"With this evolution comes new challenges: we get more email now than ever, important information is buried inside messages, and our most important tasks can slip through the cracks—especially when we’re working on our phones," the company noted. "For many of us, dealing with email has become a daily chore that distracts from what we really need to do—rather than helping us get those things done."
Other Inbox features include:
  • Organising custom message bundles, from bank statements and online shopping purchases to travel reservations, to reduce inbox clutter.
  • Speed-dialling a friend with a red + button.
  • Pinning items to come back to later.
  • Marking tasks as done by swiping right.
  • Finding travel documents, photos and other critical information without opening the email.
Video demonstration:
You can also have a look at its video demonstration.

The tech giant has made the new Inbox app available on the web as well as on Android smartphones and iPhones, but access is limited for now, as it is being distributed through Google's tried-and-true invite system.
The company sent invitations to selected Gmail users to try the new service, but anyone can email the company at inbox@google.com to request an invitation. The Inbox app is available on the Google Play Store and also appears on the iOS App Store.