Showing results for tags 'backdoor'.

  1. Stealthy RotaJakiro Backdoor Targeting Linux Systems

     Previously undocumented and stealthy Linux malware named RotaJakiro has been discovered targeting Linux X64 systems. It has been undetected for at least three years, and operates as a backdoor. Four samples have now been discovered, all using the same C2s. The earliest was discovered in 2018. None of the samples were labeled malware by VirusTotal.

     The discovery was made by researchers at Chinese security firm Qihoo 360 NETLAB after their BotMon system flagged a suspicious ELF file. Investigation revealed the backdoor malware they named RotaJakiro, because, say the researchers, “the family uses rotate encryption and behaves differently for root/non-root accounts when executing.”

     The malware supports 12 functions, three of which involve specific plug-ins that are downloaded from the C2s. The researchers have not managed to access any of the plug-ins, so cannot comment on their purpose. However, the functions built into the malware can be categorized as collecting device information, stealing sensitive information, and managing the plug-ins. The researchers do not yet know how the malware spreads or is delivered.

     Each of the four samples found has the same four C2s embedded. These are news(.)thaprior(.)net, blog(.)eduelects.com, cdn(.)mirror-codes(.)net, and status.sublineover.net. All of them were registered in December 2015, suggesting the malware is possibly older than the confirmed three years.

     The stealthy nature of the malware is partly down to its rotation through various encryption algorithms while communicating with its C2 servers. “At the coding level,” say the researchers, “RotaJakiro uses techniques such as dynamic AES, double-layer encrypted communication protocols to counteract the binary & network traffic analysis.”

     There are two stages to its C2 communication. The initial phase decrypts the C2 list, establishes a connection with the C2, encrypts and sends the online information, and receives and decrypts the information returned by the C2. The second stage is to verify the information received from the C2, and then ‒ if verified ‒ to execute any commands received.

     Persistence and process guarding are handled differently for infected root and non-root accounts. For process guarding on root accounts, a new process is automatically created when the service process is terminated. On non-root accounts, the malware generates two processes that monitor each other. If one is terminated, the other restores it.

     It isn’t yet clear whether the malware is designed for a specific category of target, nor what the long-term intention might be. However, the ability to download multiple plug-ins means that its potential for malicious activity should not be underestimated.

     The researchers note that there are internal similarities between RotaJakiro and the Torii IoT botnet discovered by Avast in 2018. Torii is a full-fledged bot. The second stage can execute commands from the C2 server, while the malware also includes simple anti-debugging techniques, data exfiltration, multi-level encryption of communication, and other capabilities. “Even though our investigation is continuing,” said Avast at the time, “Torii is an example of the evolution of IoT malware, and that its sophistication is a level above anything we have seen before. Once it infects a device, not only does it send quite a lot of information about the machine it resides on to the C&C, but by communicating with the C&C, it allows Torii authors to execute any code or deliver any payload to the infected device. This suggests that Torii could become a modular platform for future use,” Avast concludes.

     Source: Stealthy RotaJakiro Backdoor Targeting Linux Systems
  2. Hidden database account discovered, no patches available yet, mitigations offered

     HP Device Manager, software that allows IT administrators to manage HP Thin Client devices, comes with a backdoor database user account that undermines network security, a UK-based consultant has warned. Nicky Bloor, founder of Cognitous Cyber Security, reports that an HP Inc programmer appears to have set up an insecure user account in a database within HP Device Manager (HPDM). He found that the account can be exploited to achieve privilege escalation and, in conjunction with other flaws, gain unauthorized remote command execution as SYSTEM.

     This is bad: if you can reach a vulnerable installation of this device manager on a network, you can gain admin-level control over its machine and the thin clients it controls. HPDM typically runs on a Windows-powered server, and directs multiple Windows clients.

     Bloor told The Reg on Tuesday he had been looking into the security of HPDM and spotted a series of weaknesses he was able to exploit. The most concerning of these, he said, was a backdoor database user account, which he identified by examining a log file included with the software. It appears this log file details operations performed on the device manager's PostgreSQL database during the software's development, revealing the existence of the hidden user account.

     "This was a privileged user account with a password consisting of a single space character," Bloor said. "The only reference to the user account was in a database log file included with the HP Device Manager software where log entries can be seen dating before I even installed the software."

     Bloor told us the log entries reveal a failed attempt to authenticate as the database user account used by HPDM. That's followed by a log entry associated with a new user account and what looks like the HP programmer trying to limit the backdoor user account from being used to create other new accounts, he said, as if the developer were trying to limit the security consequences of accessing the backdoor account.

     "Anyone with access to a server where HP Device Manager is installed could use this user account to gain complete control over the server," said Bloor, noting that this would qualify as local privilege escalation. "However, I managed to find additional vulnerabilities in HP Device Manager's default configuration that mean the vulnerability can be exploited remotely so that anyone who can connect to a server that's running HPDM can gain complete control of that server," he said. "From there, HPDM provides full administrative control over the HP thin clients in the environment."

     Bloor said this vulnerability is present in current versions of the HPDM software, and he's not sure which previous versions of the software might be affected. He added that he contacted HP on August 3, 2020, to disclose details about the vulnerabilities, and asked the IT giant to confirm it understood the implications of the flaw, to propose how it intended to resolve the issue, and to provide a reasonable timeframe to implement the fix.

     HP was unresponsive, he said, until he explained that he planned to publish details in 30 days if the corporation continued to stonewall. At that point, he said, HP replied to say the industry standard for coordinated disclosure of vulnerabilities is 90 days and to ask for that much time to produce a fix, without answering any of Bloor's questions. That was on August 19, 2020. At that point, Bloor said, HP hadn't confirmed it had reviewed and understood the vulnerability reports, and hadn't proposed any mitigation nor resolution timeline. Bloor was not inclined to just wait around for HP.

     "I'm paid to help people secure their IT environments and applications, but I also don't have the time to waste chasing HP and hoping that someday in '90+ days' they will produce a patch that will help me to secure my clients' environments," he said. "The fix for the most severe part of the issue is trivial so 90+ days is a joke." To underscore how easy the issue is to fix, he described the process in a series of tweets.

     In an email to The Register on Tuesday night, HP acknowledged the security blunder – assigning it multiple vulnerability IDs: CVE-2020-6925 (weak cipher), CVE-2020-6926 (remote method invocation), and CVE-2020-6927 (elevation of privilege) – and said it has now published an advisory to alert customers. That CVE-2020-6926 flaw is a 9.9 out of 10 in terms of CVSS severity, by the way. Sysadmins are urged to update to HP Device Manager 5.0.4, or HP Device Manager 4.7 Service Pack 13 when it is available, to address the flaws.

     Source
  3. It was just code left over from a prototype, says hardware maker

     The Xplora 4 smartwatch, made by Chinese outfit Qihoo 360 Technology Co, and marketed to children under the Xplora brand in the US and Europe, can covertly take photos and record audio when activated by an encrypted SMS message, says Norwegian security firm Mnemonic. This backdoor is not a bug, the finders insist, but a deliberate, hidden feature. Around 350,000 watches have been sold so far, Xplora says. Exploiting this security hole is essentially non-trivial, we note, though it does reveal the kind of remotely accessible stuff left in the firmware of today's gizmos.

     "The backdoor itself is not a vulnerability," said infosec pros Harrison Sand and Erlend Leiknes in a report on Monday. "It is a feature set developed with intent, with function names that include remote snapshot, send location, and wiretap. The backdoor is activated by sending SMS commands to the watch."

     The researchers suggest these smartwatches could be used to capture photos covertly from the built-in camera, to track the wearer's location, and to conduct wiretapping via the built-in mic. They have not claimed any such surveillance has actually been done. The watches are marketed as a child's first phone, we're told, and thus contain a SIM card for connectivity (with an associated phone number). Parents can track the whereabouts of their offspring by using an app that finds the wearer of the watch.

     Xplora contends the security issue is just unused code from a prototype and has now been patched. But the company's smartwatches were among those cited by Mnemonic and the Norwegian Consumer Council in 2017 for assorted security and privacy concerns. Sand and Leiknes note in their report that while the Norwegian company Xplora Mobile AS distributes the Xplora watch line in Europe and, as of September, in the US, the hardware was made by Qihoo 360 and 19 of its 90 Android-based applications come from the Chinese company.

     They also point out that in June, the US Department of Commerce placed the Chinese and UK business groups of Qihoo 360 on its Entities List, a designation that limits Qihoo 360's ability to do business with US companies. US authorities claim, without offering any supporting evidence, that the company represents a potential threat to US national security. In 2012, a report by a China-based civilian hacker group called Intelligent Defense Friends Laboratory accused Qihoo 360 of having a backdoor in its 360 secure browser [PDF]. In March, Qihoo 360 claimed that the US Central Intelligence Agency has been conducting hacking attacks on China for over a decade. Qihoo 360 did not immediately respond to a request for comment.

     According to Mnemonic, the Xplora 4 contains a package called "Persistent Connection Service" that runs during the Android boot process and iterates through the installed apps to construct a list of "intents," commands for invoking functionality in other apps. With the appropriate Android intent, an incoming encrypted SMS message received by the Qihoo SMS app could be directed through the command dispatcher in the Persistent Connection Service to trigger an application command, like a remote memory snapshot.

     Exploiting this backdoor requires knowing the phone number of the target device and its factory-set encryption key. This data is available to Qihoo and Xplora, according to the researchers, and can be pulled off the device physically using specialist tools. This basically means ordinary folks aren't going to be hacked, either by the manufacturer under orders from Beijing or by opportunistic miscreants attacking gizmos in the wild, though it is an issue for persons of interest. It also highlights the kind of code left lingering in mass-market devices.

     In response to an inquiry from The Register, Xplora, which maintains its own backend infrastructure on AWS in Germany for the smartwatches it distributes, said it has taken steps to address the situation that include the release of a firmware patch. "Xplora takes privacy and any potential security flaw extremely seriously," the company said in an emailed statement. "Since being alerted, we developed a patch for the Xplora 4 that will eliminate this potential issue and we pushed it out prior to 8am CET on October 9."

     The company claims the security concern arises from code included in prototypes that isn't easily accessible. When the smartwatch was being designed, the company says, parents provided feedback indicating that they want to be able to contact their children in an emergency and to be able to obtain location imagery in the event of a kidnapping. Xplora included the snapshot and other features as part of a prototype test but decided not to implement them in the commercial release due to privacy concerns.

     "It is important to note that the potential flaw requires physical access to the X4 watch and the private phone number," Xplora's spokesperson said. "Even if this is activated, the only place the image would go is to Xplora’s server in Germany located in a highly-secure Amazon Web Services environment which is not accessible to third parties." The spokesperson said the company has conducted an audit since it was notified of the security report and found no evidence the security flaw was being exploited.

     Source
  4. Researchers link new malware attacks designed to install a backdoor onto compromised systems to Vietnamese-backed hacking operation OceanLotus.

     A newly discovered form of malware is targeting Apple MacOS users in a campaign which researchers say is tied to a nation-state-backed hacking operation. The campaign has been detailed by cybersecurity analysts at Trend Micro, who've linked it to OceanLotus – also known as APT32 – a hacking group which is thought to have links to the Vietnamese government. OceanLotus is known to target foreign organisations working in Vietnam, including media, research and construction, and while the motivation for this isn't fully understood, the aim is thought to be using espionage to aid Vietnamese-owned companies.

     The MacOS backdoor provides the attackers with a window into the compromised machine, enabling them to snoop on and steal confidential information and sensitive business documents. The security company's researchers have linked it to OceanLotus because of the similarities in code and behaviour of the malware, compared with samples used in previous campaigns by the group.

     The attacks begin with phishing emails which attempt to encourage victims to run a Zip file disguised as a Word document. It evades detection by anti-virus scanners by using special characters deep inside a series of Zip folders. The attack could potentially give itself away if users are paying attention, because when the malicious file is run, a Microsoft Word document doesn't appear. However, at this stage an initial payload is already working on the machine, and it changes access permissions in order to load a second-stage payload, which then prompts the installation of a third-stage payload – which downloads the backdoor onto the system. By installing the malware across different stages like this, OceanLotus aims to evade detection.

     Like older versions of the malware, this attack aims to collect system information and creates a backdoor allowing the hackers to snoop on and download files, as well as upload additional malicious software to the system if required. It's thought that the malware is still actively being developed. "Threat groups such as OceanLotus are actively updating malware variants in attempts to evade detection and improve persistence," wrote researchers.

     To help avoid falling victim to this and other malware campaigns, Trend Micro urges users to be cautious about clicking links or downloading attachments from emails coming from suspicious or unknown sources. It's also recommended that organisations apply security patches and other updates to software and operating systems so malware isn't able to take advantage of known vulnerabilities which can be protected against.

     Source
  5. Senator Wyden puts surveillance nerve-center on blast

     It's said the NSA drew up a report on what it learned after a foreign government exploited a weak encryption scheme, championed by the US spying agency, in Juniper firewall software. However, curiously enough, the NSA has been unable to find a copy of that report.

     On Wednesday, Reuters reporter Joseph Menn published an account of US Senator Ron Wyden's efforts to determine whether the NSA is still in the business of placing backdoors in US technology products. Wyden (D-OR) opposes such efforts because, as the Juniper incident demonstrates, they can backfire, thereby harming national security, and because they diminish the appeal of American-made tech products. But Wyden's inquiries, as a member of the Senate Intelligence Committee, have been stymied by lack of cooperation from the spy agency and the private sector.

     In June, Wyden and various colleagues sent a letter to Juniper CEO Rami Rahim asking about "several likely backdoors in its NetScreen line of firewalls." Juniper acknowledged in 2015 that “unauthorized code” had been found in ScreenOS, which powers its NetScreen firewalls. It's been suggested that the code was in place since around 2008. The Reuters report, citing a previously undisclosed statement to Congress from Juniper, claims that the networking biz acknowledged that "an unnamed national government had converted the mechanism first created by the NSA."

     Wyden staffers in 2018 were told by the NSA that a "lessons learned" report about the incident had been written. But Wyden spokesperson Keith Chu told Reuters that the NSA now claims it can't find the file. Wyden's office did not immediately respond to a request for comment.

     The reason this malicious code was able to decrypt ScreenOS VPN connections has been attributed to Juniper's "decision to use the NSA-designed Dual EC Pseudorandom Number Generator." The company has yet to clarify exactly why it made that decision. Juniper did not respond to a request for comment.

     When former NSA contractor Edward Snowden leaked agency secrets in 2013, Reuters reported that years earlier security firm RSA, now part of storage biz EMC, had accepted a $10m contract with the NSA to use Dual Elliptic Curve, or Dual EC, encryption. RSA at the time denied some of the claims without disputing the existence of the contract. The NSA had been keen to see Dual EC adopted and worked with the US Commerce Department to promote it. But in 2007, two Microsoft researchers reported there were serious flaws with the Dual Elliptic Curve Deterministic Random Bit Generator that led it to produce weak cryptography. By 2014, US standards agency NIST withdrew support for Dual EC. Juniper at some point between 2008 and 2009 appears to have added Dual EC support to its products at the request of "a single customer," widely believed to be the NSA.

     After Snowden's disclosures about the extent of US surveillance operations in 2013, the NSA is said to have revised its policies for compromising commercial products. Wyden and other lawmakers have tried to learn more about these policies but they've been stonewalled, according to Reuters. The NSA also declined to provide backdoor policy details to Reuters, stating that it doesn't share "specific processes and procedures." The news agency says three former senior intelligence officials have confirmed that NSA policy now requires a fallout plan with some form of warning in the event an implanted back door gets discovered and exploited.

     The Register asked the NSA to comment. We've not heard back.

     Source
  6. Government Communications Headquarters (GCHQ), the UK’s counterpart to the National Security Agency (NSA), has fired the latest shot in the crypto wars.

     In a post to Lawfare titled Principles for a More Informed Exceptional Access Debate, two of Britain’s top spooks introduced what they’re framing as a kinder, gentler approach to compromising the encryption that keeps us safe online. This new proposal from GCHQ—which we’ve heard rumors of for nearly a year—eschews one discredited method for breaking encryption (key escrow) and instead adopts a novel approach referred to as the “ghost.” But let’s be clear: regardless of what they’re calling it, GCHQ’s “ghost” is still a mandated encryption backdoor with all the security and privacy risks that come with it.

     Backdoors have a (well-deserved) horrible reputation in the security community. But that hasn’t dissuaded law enforcement officials around the world from demanding them for more than two decades. And while the Internet has become a more dangerous place for average users, making encryption more important than ever, this rhetoric has hardly changed.

     What has changed is the legal landscape governing encryption and law enforcement, at least in the UK. 2016 saw the passage of the Investigatory Powers Act, which gives the UK the legal ability to order a company like Apple or Facebook to tamper with security features in their products—while simultaneously being prohibited from telling the public about it. As far as is publicly known, the UK has not attempted to employ the provisions of the Investigatory Powers Act to compromise the security of the products we use. Yet. But GCHQ’s Lawfare piece previews the course that the agency is likely to take.

     The authors lay out six “principles” for an informed debate, and they sound pretty noncontroversial.

       • Privacy and security protections are critical to public confidence. Therefore, we will only seek exceptional access to data where there’s a legitimate need, that access is the least intrusive way of proceeding and there is appropriate legal authorisation.
       • Investigative tradecraft has to evolve with technology.
       • Even when we have a legitimate need, we can’t expect 100 percent access 100 percent of the time.
       • Targeted exceptional access capabilities should not give governments unfettered access to user data.
       • Any exceptional access solution should not fundamentally change the trust relationship between a service provider and its users.
       • Transparency is essential.

     So far so good. I absolutely agree that law enforcement should only act where there’s a legitimate need and only when authorized by a court, in a way that evolves with the tech, that doesn’t have unrealistic expectations, that doesn’t enable mass surveillance, that doesn’t undermine the public trust, and that is transparent. But unfortunately, the authors fail to apply the principles so carefully laid out to the problem at hand. Instead, they’re proposing a way of undermining end-to-end encryption using a technique that the community has started calling the “ghost.” Here’s how the post describes it:

     Applying this idea to WhatsApp, it would mean that—upon receiving a court order—the company would be required to convert a 1-on-1 conversation into a group chat, with the government as the third member of the chat. But that’s not all. In WhatsApp’s UX, users can verify the security of a conversation by comparing “security codes” within the app. So for the ghost to work, there would have to be a way of forcing both users’ clients to lie to them by showing a falsified security code, as well as suppress any notification that the conversation’s keys had changed. Put differently, if GCHQ’s proposal went into effect, consumers could never again trust the claims that our software makes about what it’s doing to protect us.

     The authors of the Lawfare piece go out of their way to claim that they are “not talking about weakening encryption or defeating the end-to-end nature of the service.” Hogwash. They’re talking about adding a “feature” that would require the user’s device to selectively lie about whether it’s even employing end-to-end encryption, or whether it’s leaking the conversation content to a third (secret) party. Is the security code displayed by your device a mathematical representation of the two keys involved, or is it a straight-up lie? Furthermore, what’s to guarantee that the method used by governments to insert the “ghost” key into a conversation without alerting the users won’t be exploited by bad actors?

     Despite the GCHQ authors’ claim, the ghost will require vendors to disable the very features that give our communications systems their security guarantees in a way that fundamentally changes the trust relationship between a service provider and its users. Software and hardware companies will never be able to convincingly claim that they are being honest about what their applications and tools are doing, and users will have no good reason to believe them if they try. And, as we’ve already seen, GCHQ will not be the only agency in the world demanding such extraordinary access to billions of users’ software. Australia was quick to follow the UK’s lead, and we can expect to see similar demands, from Brazil and the European Union to Russia and China. (Note that this proposal would be unconstitutional were it proposed in the United States, which has strong protections against governments forcing actors to speak or lie on its behalf.)

     The “ghost” proposal violates the six “principles” in other ways, too. Instead of asking investigative tradecraft to evolve with technology, it’s asking technology to build investigative tradecraft in from the ground floor. Instead of targeted exceptional access, it’s asking companies to put a dormant wiretap in every single user’s pocket, just waiting to be activated.

     We must reject GCHQ’s newest “ghost” proposal for what it is: a mandated encryption backdoor that weakens the security properties of encrypted messaging systems and fundamentally compromises user trust. GCHQ needs to give up the ghost. It’s just another word for an encryption backdoor.

     Source: The EFF
  7. The FBI wanted a backdoor in Phantom Secure, an encrypted phone company that sold to members of the Sinaloa cartel, and which is linked to the alleged leaking of sensitive law enforcement information in Canada.

     Image: Screenshot from Instagram of Phantom PGP

     The FBI tried to force the owner of an encrypted phone company to put a backdoor in his devices, Motherboard has learned. The company involved is Phantom Secure, a firm that sold privacy-focused BlackBerry phones and which ended up catering heavily to the criminal market, including members of the Sinaloa drug cartel, formerly run by Joaquín "El Chapo" Guzmán.

     The news signals some of the tactics law enforcement may use as criminals continue to leverage encrypted communications for their own ends. It also comes as Canadian media reported that a former top official in the Royal Canadian Mounted Police (RCMP), who has been charged with leaking state secrets, offered to sell information to Vincent Ramos, Phantom's CEO.

     "He was given the opportunity to do significantly less time if he identified users or built in/gave backdoor access," one source who knows Ramos personally and has spoken with him about the issue after his arrest told Motherboard.

     A backdoor is a general term for some form of technical measure that grants another party, in this case the FBI, surreptitious access to a computer system. What exactly the FBI was technically after is unclear, but the desire for a backdoor was likely to monitor Phantom's clients. A second source with intimate knowledge of Phantom's operations told Motherboard "The FBI wanted a backdoor into Phantom's network."

     Motherboard granted several sources in this story anonymity to talk more candidly about a law enforcement investigation and internal Phantom deliberations.

     Phantom was part of the secure phone industry, where companies often strip the microphone and GPS functionality from a device, add encrypted email or messaging programs, and route communications through overseas servers. In early 2018, the FBI and its partners arrested Ramos and shut down the company in a large-scale international operation. Ramos pleaded guilty to running a criminal enterprise that facilitated drug trafficking, and in May was sentenced to nine years in prison. Phantom's clients included serious organized crime groups around the world. Court filings in Ramos' case include testimony from an unnamed convicted drug trafficker from the Sinaloa drug cartel.

     A third source told Motherboard "He never gave law enforcement a backdoor into Phantom Secure. He did not do that." When pressed on whether the FBI still asked for access, the source, who worked directly on the case, said, "Basically that's all I want to say. He did not give law enforcement a backdoor into Phantom Secure." The FBI did not respond to a request for comment.

     One of the sources said Ramos did not have the technical knowledge to implement a backdoor though, and so the FBI asked Ramos to lure another Phantom member who could. Ramos declined, the source said.

     The FBI's attempt to plant a backdoor into an encrypted phone network is an important episode in the Going Dark debate, in which law enforcement agencies say they are losing visibility into criminals' activities as groups increasingly use digital protections. The encryption itself used in end-to-end encryption is typically too robust to crack, so law enforcement agencies have to find a workaround. That might include hacking a device directly—the end point—to install message-reading malware. Or it could include trying to force a service provider to provide extra access to authorities.

     The Department of Justice famously tried to compel Apple to create a custom version of its iOS operating system that would lower protections on the phone used by one of the San Bernardino terrorists, so that authorities could then attempt to brute-force the phone's passcode. The FBI also previously leaned on Microsoft to create a backdoor in its BitLocker encryption software, Mashable reported in 2013.

     One key difference between Phantom and other companies such as Apple or Microsoft is that authorities say in court records that Phantom deliberately and explicitly catered to criminal behaviour, rather than just being incidental to a crime. In an undercover operation, the RCMP posed as drug traffickers and recorded Ramos saying, "We made it—we made it specifically for this [drug trafficking] too."

     But Phantom Secure started as a legitimate, privacy-focused phone company. "The idea was solely to provide a secure telecommunications system," Michael Pancer, Ramos' attorney, previously said in a phone call. "Then when individuals started to use this system to break the law, at some point it came to his [Ramos'] attention, and he has apologized to the court for allowing them to continue. But his intentions were certainly honorable when he started the network."

     The FBI still gained valuable information on the Phantom network. After the FBI shut down the network, the agency briefly ran a portal that allowed customers to 'check' whether their email address was included in the list of impacted customers. It is unclear what the FBI did with any email addresses that were entered into this portal.

     The FBI did obtain information that led to other high-profile investigations. Ramos' arrest revealed that someone tried to sell sensitive law enforcement information to the company, Global News reported this week. "While Ramos did not know the identity of the person allegedly brokering the RCMP information, Canadian investigators traced it to a list of suspects who had access to it," the outlet reported. That led to Cameron Ortis, a senior member of the Ottawa-based National Security Criminal Investigations unit of the RCMP. Ortis has been charged under the Security of Information Act, an espionage and foreign powers-focused piece of legislation.

     The source who knows Ramos personally said, "He respected the privacy of clients whoever it was."

     Source
  8. Senior bosses say it is impossible to create such a backdoor for one purpose and ‘not expect others to try and open it’. Facebook has hit back at Home Secretary Priti Patel’s calls for a “backdoor” into planned encryption across its messaging apps, saying it would be a “gift to criminals”.

The social network is considering end-to-end encryption on Facebook Messenger and Instagram Direct – on top of WhatsApp, which is already encrypted – meaning no-one apart from the sender and recipient can read or modify the messages. In October, the Home Secretary and her counterparts in the US and Australia wrote to Facebook boss Mark Zuckerberg expressing concerns that the move could prevent child abusers and terrorists being caught. But in a response letter by two senior Facebook executives, the tech giant said it would be “simply impossible to create such a backdoor for one purpose and not expect others to try and open it”.

“The ‘backdoor’ access you are demanding for law enforcement would be a gift to criminals, hackers and repressive regimes, creating a way for them to enter our systems and leaving every person on our platforms more vulnerable to real-life harm,” WhatsApp head Will Cathcart and Facebook Messenger head Stan Chudnovsky said in a joint letter. “People’s private messages would be less secure and the real winners would be anyone seeking to take advantage of that weakened security. That is not something we are prepared to do.”

The response comes after the NSPCC warned Facebook risks becoming a “one-stop grooming shop” if it presses ahead with the plans. The charity found significantly fewer police-recorded child abuse image and online child sexual offences on Facebook’s only end-to-end encrypted platform, WhatsApp, than on Facebook/Facebook Messenger and Instagram.
Jay Sullivan, Facebook’s product management director for privacy and integrity in Messenger, appeared before the US Senate judiciary committee on Tuesday, arguing that people should be able to send private information without fears it will “fall into the hands of identity thieves or others with malicious intent”. “We understand that there are people who attempt to misuse our services and do,” he said in his opening statement. “This is why we’ll continue to be a leader in detecting, preventing, and responding to harm in our messaging services.” Source
  9. Tech giants speak out against GCHQ's idea for silently adding a spy to an encrypted messaging chat. Apple, Google, Microsoft, and WhatsApp have opposed a proposal by UK spy agency GCHQ to give spies access to end-to-end encrypted communications. Rather than add a backdoor or undermine encryption itself, technical whizzes from GCHQ and its cybersecurity unit, the National Cyber Security Centre (NCSC), suggested that service providers like Apple, Google, and Facebook could "silently add a law enforcement participant to a group chat or call". The proposed solution would be no more intrusive than the crocodile-clip-style telephone interception used in the last century, the techies contended.

The idea would allow a company like Apple to add a "ghost" user, a law enforcement agent, to a chat. Encryption would remain intact, but a chat or messaging group would be compromised by the addition of a ghost user. Despite the lack of a backdoor, the signatories think such a power could be harmful to users because it would break authentication systems and damage trust in mainstream identity systems. "The ghost proposal would create digital security risks by undermining authentication systems, by introducing potential unintentional vulnerabilities, and by creating new risks of abuse or misuse of systems," reads an open letter signed by more than 50 companies, civil rights organisations and security experts - including Apple, Google, Microsoft, and WhatsApp.

The ghost proposal was floated by NCSC technical director, Ian Levy, and GCHQ technical director for cryptanalysis, Crispin Robinson. The pair put it out there to kick off a discussion about a possible answer to the seemingly unresolvable conflict between lawful intercept on traditional phone lines and encrypted messaging apps on smartphones. The open letter aims to explain the pitfalls the ghost proposal would have for public-key-based encryption if it were put into practice.
"The 'ghost key' proposal put forward by GCHQ would enable a third party to see the plain text of an encrypted conversation without notifying the participants. But to achieve this result, their proposal requires two changes to systems that would seriously undermine user security and trust," the letter reads. "First, it would require service providers to surreptitiously inject a new public key into a conversation in response to a government demand. This would turn a two-way conversation into a group chat where the government is the additional participant, or add a secret government participant to an existing group chat. "Second, in order to ensure the government is added to the conversation in secret, GCHQ's proposal would require messaging apps, service providers, and operating systems to change their software." In turn this would "change the encryption schemes used" and could "mislead users by suppressing the notifications that routinely appear when a new communicant joins a chat."

The letter also draws attention to the damage it could inflict on authentication processes that users rely on to ensure they're communicating with the intended person. "Currently the overwhelming majority of users rely on their confidence in reputable providers to perform authentication functions and verify that the participants in a conversation are the people they think they are, and only those people. The GCHQ's ghost proposal completely undermines this trust relationship and the authentication process." The group warns that the ghost function would undermine the ability for service providers to prevent their own staff from viewing the content of messages. "By requiring an exceptional access mechanism like the ghost proposal, GCHQ and UK law enforcement officials would require messaging platforms to open the door to surveillance abuses that are not possible today."
In response to the letter, the NCSC's Levy said: "We welcome this response to our request for thoughts on exceptional access to data - for example to stop terrorists. The hypothetical proposal was always intended as a starting point for discussion. "It is pleasing to see support for the six principles and we welcome feedback on their practical application. "We will continue to engage with interested parties and look forward to having an open discussion to reach the best solutions possible." Source
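The two changes the letter describes (a provider injecting an extra public key into a conversation, and the client suppressing the join notice that would normally reveal it) are easiest to see in code. What follows is an added illustration, not code from the letter's signatories, GCHQ or any messaging app. It models a server-brokered group chat in which the sender encrypts a copy of each message to every key in the roster the server hands it. With the roster taken on trust, a silently added "ghost" reads everything; a client that encrypts only to keys it has actually seen announced refuses the extra participant and reports it. X25519 and AES-256-GCM come from the Go standard library; the roster, the join notices, the pinning rule and the one-hash KDF in pairKey are the example's own simplifying assumptions (a real client would use a proper KDF and verified safety numbers).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Client is an X25519 identity plus the roster this client has actually been shown.
type Client struct {
	Name   string
	priv   *ecdh.PrivateKey
	Pinned map[string][]byte // name -> public key bytes seen in a join notice
}
func NewClient(name string) *Client {
	priv, _ := ecdh.X25519().GenerateKey(rand.Reader)
	return &Client{Name: name, priv: priv, Pinned: map[string][]byte{}}
}
// Server owns the roster it hands to senders and delivers the "X joined" notices.
type Server struct {
	Roster  map[string]*ecdh.PublicKey
	Members []*Client
}
// Join with announce=false is the ghost: present in the roster, nobody notified.
func (s *Server) Join(c *Client, announce bool) {
	s.Roster[c.Name] = c.priv.PublicKey()
	if !announce {
		return
	}
	s.Members = append(s.Members, c)
	for _, m := range s.Members {
		m.Pinned[c.Name] = c.priv.PublicKey().Bytes() // notice to existing members
		c.Pinned[m.Name] = m.priv.PublicKey().Bytes() // roster shown to the newcomer
	}
}
// AES-256-GCM with the random nonce prefixed to the ciphertext.
func gcmSeal(key, pt []byte) []byte {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}
func gcmOpen(key, ct []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if n := g.NonceSize(); len(ct) >= n {
		return g.Open(nil, ct[:n], ct[n:], nil)
	}
	return nil, errors.New("no ciphertext for this recipient")
}
// pairKey hashes the X25519 shared secret into an AES key (toy KDF, no context binding).
func (c *Client) pairKey(peer *ecdh.PublicKey) []byte {
	shared, _ := c.priv.ECDH(peer)
	k := sha256.Sum256(shared)
	return k[:]
}
// Encrypt fans the message out as one ciphertext per roster member. verify=false trusts
// whatever roster the server returns; verify=true encrypts only to pinned keys and reports the rest.
func (c *Client) Encrypt(s *Server, msg []byte, verify bool) (map[string][]byte, []string) {
	copies := map[string][]byte{}
	var unknown []string
	for name, pub := range s.Roster {
		if verify && string(c.Pinned[name]) != string(pub.Bytes()) {
			unknown = append(unknown, name)
			continue
		}
		copies[name] = gcmSeal(c.pairKey(pub), msg)
	}
	return copies, unknown
}
// Decrypt returns the plaintext, or "" if this client was given no copy.
func (c *Client) Decrypt(sender *ecdh.PublicKey, copies map[string][]byte) string {
	pt, _ := gcmOpen(c.pairKey(sender), copies[c.Name])
	return string(pt)
}
// Demo returns what Bob and the ghost can read under both sending policies.
func Demo() map[string]string {
	s := &Server{Roster: map[string]*ecdh.PublicKey{}}
	alice, bob, ghost := NewClient("alice"), NewClient("bob"), NewClient("ghost")
	s.Join(alice, true)
	s.Join(bob, true)
	s.Join(ghost, false) // the silent insertion
	from := alice.priv.PublicKey()
	naive, _ := alice.Encrypt(s, []byte("meet at 9"), false)
	checked, unknown := alice.Encrypt(s, []byte("meet at 9"), true)
	return map[string]string{
		"naive_bob": bob.Decrypt(from, naive), "naive_ghost": ghost.Decrypt(from, naive),
		"checked_bob": bob.Decrypt(from, checked), "checked_ghost": ghost.Decrypt(from, checked),
		"unknown": fmt.Sprint(unknown),
	}
}

func main() { fmt.Println(Demo()) }
```

Running Demo shows the asymmetry the letter is about: the ghost decrypts the naively fanned-out message, while the roster-checking sender leaves it with no copy and surfaces "ghost" as an unannounced participant. Note that the check is against the pinned key bytes, not the name, so a server that swapped Bob's key for a government key would be caught the same way.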
  10. Computer-maker's WebStorage software tied to malware attack from the BlackTech Group. ASUS' update mechanism has once again been abused to install malware that backdoors PCs, researchers from Eset reported earlier this week. The researchers, who continue to investigate the incident, said they believe the attacks are the result of router-level man-in-the-middle attacks that exploit insecure HTTP connections between end users and ASUS servers, along with the software's failure to validate the authenticity of received files before executing them.

Plead, as the malware is known, is the work of espionage hackers Trend Micro calls the BlackTech Group, which targets government agencies and private organizations in Asia. Last year, the group used legitimate code-signing certificates stolen from router-maker D-Link to cryptographically authenticate itself as trustworthy. Before that, the BlackTech Group used spear-phishing emails and vulnerable routers to serve as command-and-control servers for its malware.

Late last month, Eset researchers noticed the BlackTech Group was using a new and unusual method to sneak Plead onto targets’ computers. The backdoor arrived in a file named ASUS Webstorage Upate.exe included in an update from ASUS. An analysis showed infections were being created and executed by AsusWSPanel.exe, which is a legitimate Windows process belonging to, and digitally signed by, ASUS WebStorage. As the name suggests, ASUS WebStorage is a cloud service the computer-maker offers for storing files. Eset published its findings on Tuesday. The abuse of legitimate AsusWSPanel.exe raised the possibility the computer-maker had fallen victim to yet another supply-chain attack that was hijacking its update process to install backdoors on end-user computers.
Eventually, Eset researchers discounted that theory for three reasons:
  • The same suspected update mechanism was also delivering legitimate ASUS WebStorage binaries
  • There was no evidence ASUS WebStorage servers were being used as control servers or served malicious binaries, and
  • The attackers used standalone malware files instead of incorporating their malicious wares inside ASUS’s legitimate software

As the researchers considered alternative scenarios, they noted that ASUS WebStorage software is susceptible to man-in-the-middle attacks, in which hackers controlling a connection tamper with the data passing through it. The researchers made this determination because updates are requested and transferred using unencrypted HTTP connections, rather than HTTPS, which (with proper certificate validation) stops an on-path attacker from altering what the client receives. The researchers further noticed that the ASUS software didn’t validate the authenticity of the downloaded file before executing it. That left open the possibility the BlackTech Group was intercepting ASUS’ update process and using it to push Plead instead of the legitimate ASUS file.

The researchers also observed that most of the organizations that received the Plead file from ASUS WebStorage were using routers made by the same manufacturer. The routers, which Eset declined to identify while it’s still investigating the case, have administrator panels that are Internet accessible. That left open the possibility a MitM attack was being caused by malicious DNS settings being pushed to the routers, or something more complex, such as tampering with iptables. Eset’s working theory then shifted from the BlackTech Group breaching ASUS’ network and performing a supply-chain attack to the attackers performing a MitM attack on ASUS’ insecure update mechanism. Indeed, as documented below in a screenshot of a captured communication during a malicious ASUS WebStorage software update, attackers replaced the legitimate ASUS URL with one from a compromised Taiwanese government website.
Figure: A captured communication during a malicious update of the ASUS WebStorage software.

In an email, Eset Senior Malware Researcher Anton Cherepanov said the captured communication isn't proof of a MitM. “It’s possible that attackers gained access to ASUS WebStorage servers and pushed XML with malicious link only to small number of computers,” he wrote. “That’s why we say it’s still possible. We can’t discount this theory.” But for the reasons listed above, he believes the MitM scenario is more likely. In all, Eset has counted about 20 computers receiving the malicious ASUS update, but that number includes only company customers. “The real number is probably higher if we consider targets that are not our users,” Cherepanov told Ars.

Once the file is executed, it downloads an image from a different server that contains an encrypted executable file hidden inside. Once decrypted, the malicious executable gets dropped into the Windows Start Menu folder, where it’s loaded each time the user logs in. It’s surprising that even after the serious supply-chain attack estimated to have infected as many as 1 million users, the company was still using unencrypted HTTP connections to deliver updates. Ars sent ASUS media representatives two messages seeking comment for this post. So far they have yet to respond. In a blog post sent over an unencrypted HTTP connection, ASUS reported a "WebStorage security incident" that reads: ASUS Cloud first learned of an incident in late April 2019, when we were contacted by a customer with a security concern. Upon learning of the incident, ASUS Cloud took immediate action to mitigate the attack by shutting down the ASUS WebStorage update server and halting the issuance of all ASUS WebStorage update notifications, thereby effectively stopping the attack.
In response to this attack, ASUS Cloud has revamped the host architecture of the update server and has implemented security measures aimed at strengthening data protection. This will prevent similar attacks in the future. Nevertheless, ASUS Cloud strongly recommends that users of ASUS WebStorage services immediately run a complete virus scan to ensure the integrity of your personal data. The post doesn't say what those security measures are. It also makes no mention of Eset's finding that the service was abused to install malware. Until independent security experts say the site is safe to use, people would do well to avoid it. Source: Hackers abuse ASUS cloud service to install backdoor on users’ PCs (Ars Technica)
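The two weaknesses Eset describes (an update descriptor fetched over plain HTTP, and a downloaded file executed without any authenticity check) each have a direct fix, and the fixes are independent. The following is an added example, not ASUS's or Eset's code: a minimal update client in both shapes. The naive one parses an XML manifest and runs whatever URL it names; the hardened one insists on HTTPS for the manifest, verifies an Ed25519 signature made with a vendor key that never sits on the update server, and pins the binary's SHA-256 from the signed manifest. The manifest layout, the hostnames, the in-memory Fetcher standing in for the network and the sample "binaries" are all constructed for the example. The MitM case hands the client attacker-rewritten XML for the http:// URL, mirroring Eset's router-level scenario; the "insider" case models Cherepanov's alternative of malicious XML pushed from the update server itself, which the signature check still catches because the attacker cannot re-sign.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
	"net/url"
)

// Manifest is a constructed update descriptor; Sig is a hex Ed25519 signature,
// made with the vendor's offline key, over signedBytes().
type Manifest struct {
	XMLName xml.Name `xml:"update"`
	Version string   `xml:"version"`
	URL     string   `xml:"url"`
	SHA256  string   `xml:"sha256"`
	Sig     string   `xml:"sig,omitempty"`
}

func (m Manifest) signedBytes() []byte { return []byte(m.Version + "\n" + m.URL + "\n" + m.SHA256) }

// Fetcher stands in for the network: the bytes each URL returns to the client (nil if absent).
type Fetcher map[string][]byte

func loadManifest(f Fetcher, u string) (m Manifest, err error) {
	err = xml.Unmarshal(f[u], &m)
	return m, err
}

func isHTTPS(raw string) bool {
	u, err := url.Parse(raw)
	return err == nil && u.Scheme == "https"
}

// NaiveUpdate mirrors the weak pattern: plain HTTP, then run whatever the manifest points at.
func NaiveUpdate(f Fetcher, manifestURL string) ([]byte, error) {
	m, err := loadManifest(f, manifestURL)
	if err != nil {
		return nil, err
	}
	return f[m.URL], nil // no TLS, no signature, no hash check
}

// SafeUpdate: TLS for the manifest, vendor signature over it, hash pin on the binary.
func SafeUpdate(f Fetcher, manifestURL string, vendorKey ed25519.PublicKey) ([]byte, error) {
	if !isHTTPS(manifestURL) {
		return nil, errors.New("refusing non-https manifest URL")
	}
	m, err := loadManifest(f, manifestURL)
	if err != nil {
		return nil, err
	}
	if sig, err := hex.DecodeString(m.Sig); err != nil || !ed25519.Verify(vendorKey, m.signedBytes(), sig) {
		return nil, errors.New("manifest signature invalid")
	}
	bin := f[m.URL]
	if sum := sha256.Sum256(bin); hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, errors.New("binary hash mismatch")
	}
	return bin, nil
}

const goodBin, badBin = "constructed sample: genuine update", "constructed sample: Plead dropper"
const mHTTP, mHTTPS = "http://updates.example.test/manifest.xml", "https://updates.example.test/manifest.xml"

// Demo runs the scenarios and returns what each client executed, or why it refused.
func Demo() map[string]string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sum := sha256.Sum256([]byte(goodBin))
	genuine := Manifest{Version: "1.0.1", URL: "https://updates.example.test/good.exe", SHA256: hex.EncodeToString(sum[:])}
	genuine.Sig = hex.EncodeToString(ed25519.Sign(priv, genuine.signedBytes()))
	tampered := genuine // attacker swaps the link but cannot re-sign
	tampered.URL = "http://compromised.example.test/bad.exe"
	genXML, _ := xml.Marshal(genuine)
	tampXML, _ := xml.Marshal(tampered)
	mitm := Fetcher{mHTTP: tampXML, tampered.URL: []byte(badBin)}    // router-level MitM on plain HTTP
	insider := Fetcher{mHTTPS: tampXML, tampered.URL: []byte(badBin)} // XML swapped on the update server itself
	honest := Fetcher{mHTTPS: genXML, genuine.URL: []byte(goodBin)}
	out := map[string]string{}
	b, _ := NaiveUpdate(mitm, mHTTP)
	out["naive_http"] = string(b)
	_, err := SafeUpdate(mitm, mHTTP, pub)
	out["safe_http"] = err.Error()
	_, err = SafeUpdate(insider, mHTTPS, pub)
	out["safe_insider"] = err.Error()
	b, _ = SafeUpdate(honest, mHTTPS, pub)
	out["safe_genuine"] = string(b)
	return out
}

func main() {
	for k, v := range Demo() {
		fmt.Printf("%-13s %s\n", k, v)
	}
}
```

The point of pinning the binary hash inside the signed manifest is that the binary's own transport stops mattering: whatever a router or a compromised mirror returns, it either hashes to the vendor's value or it is not run. TLS on the manifest fetch is still needed, because without it the hardened client would only learn about tampering after downloading, and would be exposed to downgrade to an older signed manifest unless it also checks Version.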