The bot is called the Jolly Roger Telephone Company, and it’s the work of Roger Anderson, a veteran of the phone industry himself who had grown tired of the repeated harassment from telemarketers and robocallers. Anderson started out by building a system that sat in front of his home landlines and would tell human callers to press a key to ring through to his actual phone line; robocallers were routed directly to an answering system. He would then white-list the numbers of humans who got through.
Sometimes the Jolly Roger bot will press buttons to be transferred to a human agent and other times it will just talk back if a human is on the other end of the line to begin with.
The change to Safe Browsing will focus on detecting and warning users about content that tries to trick users into downloading a piece of software or taking some other action that they wouldn’t normally take. A common example of this is a fake or deceptive download button on a site that’s included in a dialogue box warning about out-of-date software.
Attackers often use malicious or deceptive ads that imitate legitimate download dialogues for software such as Adobe Flash or Microsoft’s Skype in order to trick users into downloading something else. That download could be a browser toolbar, malware, or some other unwanted software. To non-expert users, these ads or dialogue boxes can seem indistinguishable from authentic ones, which is exactly what fraudsters and attackers are counting on.
Trailrunner7 writes: The FBI and other law enforcement and intelligence agencies have warned for years that the increased use of encryption by consumers is making surveillance and lawful interception much more difficult, impeding investigations. But a new study by a group of experts at Harvard’s Berkman Center says those claims are largely overblown and that the IoT revolution will give agencies plenty of new chances for clear-channel surveillance.
“We argue that communications in the future will neither be eclipsed into darkness nor illuminated without shadow. Market forces and commercial interests will likely limit the circumstances in which companies will offer encryption that obscures user data from the companies themselves, and the trajectory of technological development points to a future abundant in unencrypted data, some of which can fill gaps left by the very communication channels law enforcement fears will ‘go dark’ and beyond reach,” the Berkman Center report says.
Steven Murdoch, a researcher at University College London’s Department of Computer Science, took a close look at MIKEY-SAKKE and its implementation in the Secure Chorus standard and concluded that not only does the standard support key escrow, but that it could be set up for use in mass surveillance.
But Ian Levy, director of cyber security and resiliency at GCHQ, said in a defense of MIKEY-SAKKE that the protocol is designed with specific security applications in mind, such as public safety or internal monitoring in an organization.
“For investigative or regulatory reasons, most Organisations will want the ability to monitor their employees. MIKEY-SAKKE makes this possible; the organisation can record the encrypted traffic and decrypt it if and when they need to. They don’t need to actively ‘man-in-the-middle’ communications, which they’d have to do with other systems. And ONLY the enterprise can do this, because only the enterprise has the key management server,” Levy said.
In an email, Murdoch said he’s happy to see GCHQ talking about the security of MIKEY-SAKKE publicly, but that the facts of his analysis haven’t changed.
“I think it is a very positive sign that GCHQ are willing to engage in an open discussion about the security of MIKEY-SAKKE. GCHQ’s response includes clarifications and also describes some of MIKEY-SAKKE’s design motivations. It is interesting and welcome, but ultimately it doesn’t make a substantial change to my conclusions because the response focusses more on the language used rather than any fundamental points,” Murdoch said.
The malware is the latest iteration of CenterPOS, a family of point-of-sale malware that researchers have been tracking for several months. CenterPOS has been seen infecting PoS devices in a number of small and medium-sized businesses, mainly in the United States. It has a number of different capabilities and gives the attacker the ability to use an infected device to scan the rest of the network for credit card information.
Trailrunner7 writes: Federal officials have indicted more than 50 people, including 15 former prison officials and 19 former inmates, in a long-running vishing and phone fraud scheme that was run through a Georgia prison.
Using cell phones smuggled into Autry State Prison by guards, the inmates would call victims, mostly in the Atlanta metro area, and inform them that there were warrants out for their arrest because they had failed to show up for jury duty. The callers would warn the victims that law enforcement officers were on the way and they were about to be arrested. Unless, of course, the victims could come up with some money to pay a fine and have the warrants erased.
Trailrunner7 writes: A week after a New York legislator introduced a bill that would require smartphone vendors to be able to decrypt users’ phones on demand from law enforcement, a California bill with the same intent has been introduced in that state’s assembly.
On Wednesday, California Assemblyman Jim Cooper submitted a bill that has remarkably similar language to the New York measure and would require that device manufacturers and operating system vendors such as Apple, Samsung, and Google be able to decrypt users’ devices. The law would apply to phones sold in California beginning Jan. 1, 2017.
The technique takes advantage of several weaknesses in the way that LastPass handles user logout notifications and the resulting authentication sequence. Sean Cassidy, the CTO of Seattle-based Praesidio, developed the attack and has released code for the technique, which he calls LostPass. In essence, the technique allows an attacker to copy much of the login sequence for a LastPass user, including the use of identical login dialogs and the ability to capture and replay two-factor authentication codes.
In order for LostPass to work, an attacker needs to get a victim to visit a malicious site where the LostPass code is deployed. The code will check to see if the victim has LastPass installed, and if so, use a CSRF (cross-site request forgery) weakness in LastPass to force the victim to log out of the app. The attacker using LostPass then will show the victim the notification telling her she’s logged out and when she clicks on it, will bring her to the login page the attacker controls. It will look identical to the authentic one.
Once the victim enters her credentials, they are sent to the attacker’s server, who can use the LastPass API to check their authenticity. If the server says that 2FA is set up on the victim’s account, LostPass will display a screen to enter the 2FA code, which the attacker will capture and use to log in to the victim’s account.
LastPass says Cassidy didn't contact the company in November, as he claims, but Cassidy said he did and also gave the company all of the information in his ShmooCon talk well before he spoke.
Trailrunner7 writes: The U.K. government’s standard for encrypted voice communications, which already is in use in intelligence and other sectors and could be mandated for use in critical infrastructure applications, is set up to enable easy key escrow, according to new research.
The standard is known as Secure Chorus, which implements an encryption protocol called MIKEY-SAKKE. The protocol was designed by GCHQ, the U.K.’s signals intelligence agency, the equivalent in many ways to the National Security Agency in the United States. MIKEY-SAKKE is designed for voice and video encryption specifically, and is an extension of the MIKEY (Multimedia Internet Keying) protocol, which supports the use of EDH (Ephemeral Diffie-Hellman) for key exchange.
“MIKEY supports EDH but MIKEY-SAKKE works in a way much closer to email encryption. The initiator of a call generates key material, uses SAKKE to encrypt it to the other communication partner (responder), and sends this message to the responder during the set-up of the call. However, SAKKE does not require that the initiator discover the responder’s public key because it uses identity-based encryption (IBE),” Dr. Steven Murdoch of University College London’s Department of Computer Science wrote in a new analysis of the security of the Secure Chorus standard.
“By design there is always a third party who generates and distributes the private keys for all users. This third party therefore always has the ability to decrypt conversations which are encrypted using these private keys,” Murdoch said by email.
He added that the design of Secure Chorus “is not an accident.”
The malware was on PoS systems in more than 300 Hyatt hotels around the world, including dozens in the United States, the company said. Hyatt officials disclosed the breach last month, but the details of what caused the incident just came out this week after the company completed the investigation. The breach affects people who used cards at the compromised hotels between mid-August and early December.
“The malware was designed to collect payment card data – cardholder name, card number, expiration date and internal verification code – from cards used onsite as the data was being routed through affected payment processing systems. There is no indication that other customer information was affected,” Hyatt said in its statement.
The malware has been around for a while, doing the things that banking Trojans do, which are stealing user credentials and then money. One of the ways that the malware accomplishes that is by intercepting SMS messages from banks that send one-time passwords as part of a two-factor or two-step verification scheme. The attackers behind the malware can use those OTPs in conjunction with the credentials Bankosy already has stolen to log into victims’ accounts.
“The malware starts a call intent with the destination number obtained from the C&C server to enable unconditional call forwarding on the target device.”
The New York bill is the latest entry in a long-running debate between privacy advocates and security experts on one side and law enforcement agencies and many politicians on the other. The revelations of the last few years about widespread government surveillance, especially that involving cell phones and email systems, have spurred device manufacturers to increase the use of encryption. New Apple iPhones now are encrypted by default, as are some Android devices.
Apple, Google, and the other major manufacturers have said that user privacy and security is their main concern. The bill that is now in committee in the New York State Assembly makes no equivocation about what it is designed to do.
“Any smartphone that is manufactured on or after January First, Two Thousand Sixteen, and sold or leased in New York, shall be capable of being decrypted and unlocked by its manufacturer or its operating system provider,” the bill says.
The vulnerability was discovered by Tavis Ormandy, a researcher who has spent quite a lot of time in the last few months looking for bugs in antivirus and anti-malware products. Ormandy discovered the vulnerability in Trend Micro’s password manager several months ago, but it was disclosed in the last couple of days after Google’s 90-day grace period for vendor responses expired.
“I spent a few minutes looking into how passwords are stored if the user is using the password feature, or if they’ve exported all their browser passwords to Trend Micro (you’re prompted to do that on installation, but it’s optional and you can decline). To be clear, you can get arbitrary code execution whether they’re using it or not, but stealing all the passwords from a password manager remotely doesn’t happen very often, so I wanted to document that,” Ormandy said.
Trailrunner7 writes: A new twist on the fake tech support scam has arisen that has victims wondering whether Dell has been hacked. There has been a recent rash of calls to Dell customers in which the caller says he is from Dell itself and is able to identify the victim’s PC by model number and provide details of previous warranty and support interactions with the company.
These are details that, it would seem, only Dell or perhaps its contractors would know. One person who was contacted by the scammers wrote a detailed description of the call, and said the caller had personal details that could not have been found online.
“He claimed to be from the Dell ‘R and D Department’. He claimed that my computer had detected a problem and notified Dell automatically. He knew that Dell recently replaced a battery for me, which was true, so that’s why I believed he was really from Dell. (This means they also hacked Dell!) He had me run some commands on the PC and he told me all devices on my IP address were compromised,” one post on a Dell forum says.
The new protocol is based on the 802.11ah standard from the IEEE and is being billed as Wi-Fi HaLow by the Wi-Fi Alliance. Wi-Fi HaLow differs from the wireless signal that most current devices use in a couple of key ways. First, it’s designed as a low-powered protocol and will operate in the range below one gigahertz. Second, the protocol will have a much longer range than traditional Wi-Fi, a feature that will make it attractive for use in applications such as connecting traffic lights and cameras in smart cities.
But, as with any new protocol or system, Wi-Fi HaLow will carry with it new security considerations to face. And one of the main challenges will be securing all of the various implementations of the protocol.
“While the standard could be good and secure, implementations by different vendors can have weaknesses and security issues. This is common to all protocols,” said Cesar Cerrudo, CTO of IOActive Labs, who has done extensive research on the security of a wide range of smart devices and smart city environments.