Tuesday, May 2, 2017

PCs with Intel Server Chipsets, Launched in the Past 9 Years, Can be Hacked Remotely


Monday, May 01, 2017 Swati Khandelwal



A critical remote code execution (RCE) vulnerability has been discovered in the remote management features on computers shipped with Intel processors for nearly a decade, which could allow attackers to take control of the computers remotely.

The RCE flaw (CVE-2017-5689) resides in Intel's Management Engine (ME) technologies such as Active Management Technology (AMT), Small Business Technology (SBT), and Intel Standard Manageability (ISM), according to an advisory published Monday by Intel.

These features allow a systems administrator to remotely manage large fleets of computers over a network (via ports 16992 or 16993) in an organization or an enterprise.



Since these functions are present only in enterprise solutions, and mostly in server chipsets, the vulnerability doesn't affect chips running on Intel-based consumer PCs.

According to the Intel advisory, this critical security vulnerability was discovered and reported in March by security researcher Maksim Malyutin of Embedi, and could be exploited in two ways:

  • An unprivileged network attacker could gain system privileges on provisioned Intel manageability SKUs: Intel AMT and ISM. However, Intel SBT is not vulnerable to this issue.
  • An unprivileged local attacker could provision manageability features, gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel AMT, ISM, and SBT.

How Bad is this Vulnerability
In short, a potential attacker can log into a vulnerable machine's hardware and, using AMT's features, silently perform malicious activities such as tampering with the machine or installing virtually undetectable malware.

The PC's operating system never knows what is going on because AMT has direct access to the computer's network hardware. When AMT is enabled, any packet sent to the PC's wired network port is redirected to the Management Engine and passed on to AMT; the OS never sees those packets.



These insecure management features have been available in various, but not all, Intel chipsets for nearly a decade, from the Nehalem Core i7 in 2008 to this year's Kaby Lake Core, and the exposure is greatest for users on Intel vPro systems.

Fortunately, none of these Management Engine features come enabled by default; system administrators must first enable the services on their local network. So if you are using a computer with ME features enabled, you are at risk.

Despite using Intel chips, modern Apple Mac computers do not ship with the AMT software and are thus not affected by the flaw.


Affected Firmware Versions & How to Patch
The security flaw affects Intel manageability firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel's AMT, ISM, and SBT platforms. Versions before 6 or after 11.6 are not impacted.

Intel has rated the vulnerability as highly critical and released new firmware versions, instructions to detect whether any workstation runs AMT, ISM, or SBT, a detection guide to check whether your system is vulnerable, and a mitigation guide for organizations that cannot immediately install updates.

The chipmaker is recommending vulnerable customers install a firmware patch as soon as possible.

"Fixing this requires a system firmware update in order to provide new ME [management engine] firmware (including an updated copy of the AMT code). Many of the affected machines are no longer receiving firmware updates from their manufacturers, and so will probably never get a fix," CoreOS security engineer Matthew Garrett explained in a blog post. "Anyone who ever enables AMT on one of these devices will be vulnerable."

"That's ignoring the fact that firmware updates are rarely flagged as security critical (they don't generally come via Windows Update), so even when updates are made available, users probably won't know about them or install them."

You can head to the Intel advisory for further details.
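Intel's own detection and mitigation guides are the authoritative checks. The following added example (not Intel's code) shows how a defender might encode the affected firmware ranges and the exposure split described above to triage a fleet inventory: only provisioned AMT and ISM systems are reachable by a network attacker, while SBT and unprovisioned systems are exposed only locally. The CSV inventory, host names and version strings are constructed samples, and the `triage` and `classify` function names are this example's own.

```python
"""Triage a fleet inventory against the CVE-2017-5689 firmware ranges.

This is an added example, not Intel's detection guide or tooling. It encodes
only the ranges the article gives (ME firmware 6.x-10.x, 11.0, 11.5 and 11.6
affected; earlier than 6 or later than 11.6 not) and the exposure split the
advisory describes: a network attacker needs a *provisioned* AMT or ISM SKU,
while SBT and unprovisioned systems are exposed only to a local attacker.
Intel's advisory lists the exact fixed builds per branch, so treat a hit as
"check the advisory and patch", not as a confirmed finding.
"""
import csv
import io
import re
from dataclasses import dataclass

AMT_PORTS = (16992, 16993)       # management ports named in the article
AFFECTED_MAJORS = {6, 7, 8, 9, 10}
AFFECTED_11_MINORS = {0, 5, 6}   # 11.0, 11.5, 11.6


def is_affected_version(version: str) -> bool:
    """True if a firmware version string (e.g. '9.1.2.1002') is in an affected range."""
    m = re.match(r"^\s*(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable firmware version: {version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    if major in AFFECTED_MAJORS:
        return True
    return major == 11 and minor in AFFECTED_11_MINORS


@dataclass
class Host:
    name: str
    firmware: str
    sku: str           # "AMT", "ISM" or "SBT"
    provisioned: bool  # manageability enabled on the network by an administrator


def parse_inventory(text: str):
    """Read a CSV inventory (host,firmware,sku,provisioned) into Host records."""
    rows = csv.DictReader(io.StringIO(text))
    return [Host(r["host"], r["firmware"], r["sku"].upper(),
                 r["provisioned"].strip().lower() in ("yes", "true", "1"))
            for r in rows]


def classify(host: Host) -> str:
    """Map one host to its exposure class."""
    if not is_affected_version(host.firmware):
        return "not_affected"
    if host.provisioned and host.sku in ("AMT", "ISM"):
        return "network_exposed"   # reachable by an unprivileged network attacker
    return "local_only"            # SBT, or not yet provisioned: local attacker only


def triage(hosts):
    """Group host names by exposure class, preserving inventory order."""
    groups = {"network_exposed": [], "local_only": [], "not_affected": []}
    for h in hosts:
        groups[classify(h)].append(h.name)
    return groups


# Constructed sample inventory; the version strings are illustrative, not real builds.
INVENTORY_CSV = """\
host,firmware,sku,provisioned
ws-01,11.6.10.1196,AMT,yes
ws-02,9.1.2.1002,ISM,yes
ws-03,11.6.10.1196,SBT,yes
ws-04,8.1.70.1590,AMT,no
ws-05,11.8.50.3425,AMT,yes
ws-06,5.2.10.1010,AMT,yes
"""

if __name__ == "__main__":
    result = triage(parse_inventory(INVENTORY_CSV))
    for group, names in result.items():
        print(f"{group:16s} {', '.join(names) or '-'}")
    if result["network_exposed"]:
        print(f"until patched, block TCP {AMT_PORTS} to these hosts at the network edge")
```

The `network_exposed` group is the one to patch (or isolate from ports 16992 and 16993) first; `local_only` hosts still need the firmware update, since a local attacker can provision the feature and move them into the first group.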

Hacker leaks 'Orange is the New Black' Season 5 after Netflix refused to Pay Ransom



The Dark Overlord (TDO) posted links to the first 10 episodes of the upcoming season of "Orange Is the New Black" show to a piracy website after Larson Studios and Netflix failed to fulfill the group's ransom demand.

According to Netflix's website, season 5 of "Orange Is the New Black" is scheduled to debut on June 9 and is supposed to run 13 episodes. But TDO claimed that only the first 10 episodes were available at the time the group gained access to the show.


On Saturday, the group went on Twitter and posted links to a Pastebin page, a GitHub profile, and a Pirate Bay torrent sharing Episode 1 of "Orange Is The New Black" season 5.

At the time of writing, the Pastebin (web archive) and GitHub links had gone down, but the Pirate Bay torrent file remained up, and users have downloaded and shared its content.

10 out of 13 "Orange Is The New Black" Season 5 Episodes Leaked Online


Following the release of Episode 1, TDO posted links to Pastebin and a second torrent file, hosted on The Pirate Bay, which includes episodes 2 through 10 of the season 5 of "Orange Is The New Black."

According to the Pastebin post, the group released 10 episodes of the show because Netflix didn't pay a ransom demand.

Here's what TDO's statement posted on Pastebin (web archive) said:

"It didn't have to be this way, Netflix. You're going to lose a lot more money in all of this than what our modest offer was. We're quite ashamed to breathe the same air as you. We figured a pragmatic business such as yourselves would see and understand the benefits of cooperating with a reasonable and merciful entity like ourselves. And to the others: there's still time to save yourselves. Our offer(s) are still on the table - for now."

In an interview with DataBreaches.net, the hacking group revealed it managed to steal "hundreds of GBs [gigabytes] of unreleased and non-public media" from the servers of Larson Studios, an ADR (additional dialogue recorded) studio based in Hollywood, in late 2016.

The Dark Overlord Demanded 50 BTC


While the group did not reveal its attack method nor how much ransom it demanded, according to a copy of a contract allegedly signed between TDO and Larson, the hacking group asked for 50 BTC ($70,422) by January 31.

But after the studio stopped responding to the group's email requests in January, TDO turned to Netflix, which did not pay the ransom either, eventually leading the group to release the first 10 episodes of season 5 of "Orange Is The New Black" two months later.

Netflix said in a statement that it was "aware of the situation. A production vendor used by several major TV studios had its security compromised, and the appropriate law enforcement authorities are involved."

The Dark Overlord Threatens to Leak More Shows to the Internet


After releasing all 10 episodes of the unreleased season, TDO threatened to leak other unreleased shows and movies from several other studios in its possession.

The Dark Overlord tweeted: "Who is next on the list? FOX, IFC, NAT GEO, and ABC. Oh, what fun we're all going to have. We're not playing games anymore."

The hacking group provided a list of unreleased shows and movies (some are released on their scheduled date) it stole from different studios, which includes:
  • A Midsummers Nightmare – TV Movie
  • Bill Nye Saves The World – TV Series
  • Breakthrough – TV Series
  • Brockmire – TV Series
  • Bunkd – TV Series
  • Celebrity Apprentice (The Apprentice) – TV Series
  • Food Fact or Fiction – TV Series
  • Hopefuls – TV Series
  • Hum – Short
  • It's Always Sunny in Philadelphia – TV Series
  • Jason Alexander Project – TV Series
  • Liza Koshy Special – YoutubeRed
  • Lucha Underground – TV Series
  • Lucky Roll – TV Series
  • Making History – TV Series
  • Man Seeking Woman – TV Series
  • Max and Shred – TV Series
  • Mega Park – TV Series
  • NCIS Los Angeles – TV Series
  • New Girl – TV Series
  • Orange Is The New Black – TV Series
  • Portlandia – TV Series
  • Steve Harveys Funderdome – TV Series
  • Story of God with Morgan Freeman – TV Series
  • Superhuman – TV Series
  • The Arrangement – TV Series
  • The Catch – TV Series
  • The Middle – TV Series
  • The Stanley Dynamic – TV Series
  • The Thundermans – TV Series
  • Undeniable with Joe Buck – TV Series
  • X Company – TV Series
  • Above Suspicion – Film
  • Handsome – Film
  • Rebel In The Rye – Film
  • Win It All – Film
  • XXX Return of Xander Cage – Film
The Dark Overlord is a known hacking group that was responsible for cyber attacks on Gorilla Glue and Little Red Door, an Indiana Cancer Services agency. The group also put 655,000 healthcare records lifted from 3 separate data breaches up for sale on the dark web.

Insecure Apps that Open Ports Leave Millions of Smartphones at Risk of Hacking



The University of Michigan team says that the actual issue lies within apps that create open ports — a known problem with computers — on smartphones.

So, this issue has nothing to do with your device's operating system or the handset; instead, the origin of this so-called backdoor is due to insecure coding practices by various app developers.


The team used its custom tool to scan over 100,000 Android applications and found 410 potentially vulnerable applications — many of which have been downloaded between 10 and 50 Million times and at least one app comes pre-installed on Android smartphones.

Before going further, let's look at exactly what ports do and what the related threats are.

Ports can be either physical or electronic in nature. Physical ports are connection points on your smartphones and computers, such as a USB port used to transfer data between devices.

Electronic ports are the invisible doors that an application or a service uses to communicate with other devices or services. For example, the File Transfer Protocol (FTP) service by default opens port 21 to transfer files, and port 80 is used for ordinary (HTTP) web connections to the Internet.

In other words, an application that communicates over the network opens an unused port (in the range 1 to 65535), which can be thought of as a virtual door, to exchange data with other devices, be it a smartphone, server, personal computer, or Internet-connected smart appliance.

Over the years, more and more applications in the market function over the Internet or network, but at the same time, these applications and ports opened by them can be a weak link in your system, which could allow a hacker to breach or take control of your device without your knowledge.

This is exactly what the University of Michigan team has detailed in its research paper [PDF] titled, "Open Doors for Bob and Mallory: Open Port Usage in Android Apps and Security Implications."

According to the researchers, the major issue is with the apps like WiFi File Transfer, which has been installed between 10 million and 50 million times and allows users to connect to a port on their smartphone via Wi-Fi, making it easy to transfer files from a phone to a computer.

But due to insufficient security, this ability is apparently not limited to the smartphone's owner; it extends to malicious actors as well.

However, applications like WiFi File Transfer pose fewer threats, as they are designed to work over a local network only, which requires attackers to be connected to the same network as you.

On the other hand, this issue is extremely dangerous in the scenarios where you connect to a public Wi-Fi network or corporate network more often.

To get an initial estimate on the impact of these vulnerabilities, the team performed a port scanning in its campus network, and within 2 minutes it found a number of mobile devices potentially using these vulnerable apps.

"They manually confirmed the vulnerabilities for 57 applications, including popular mobile apps with 10 to 50 million downloads from official app marketplaces, and also an app that is pre-installed on a series of devices from one manufacturer," the researchers say.

"The vulnerabilities in these apps are generally inherited from the various usage of the open port, which exposes the unprotected sensitive functionalities of the apps to anyone from anywhere that can reach the open port."

No doubt, an open port is an attack surface, but it should be noted that a port opened by an application cannot be exploited unless a vulnerability exists in the application, such as improper authentication, remote code execution, or a buffer overflow flaw.

Besides this, an attacker must have the IP address of the vulnerable device, exposed over the Internet. But getting a list of vulnerable devices is not a big deal today, when anyone can buy a cheap cloud service to scan the whole Internet within a few hours.

However, smartphones connected to the Internet via wireless network behind a router are less impacted by this issue, because in that case, attackers would need to be on the same wireless network as the victim.

To prove its point, the team of researchers has also demonstrated various attacks in a series of videos, posted below:

1. Using an app's open ports to steal photos with on-device malware

2. Stealing photos via a network attack

3. Forcing the device to send an SMS to a premium service

The team says these vulnerabilities can be exploited to cause severe damage to users, such as remotely stealing contacts, photos, and even security credentials, and performing sensitive actions such as malware installation and malicious code execution.

The easiest solution to this issue is to uninstall apps that open insecure ports; putting these applications behind a proper firewall can also solve most of the problems.
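The two exposure cases the research demonstrates (an on-device malicious app reaching a port bound to loopback, and a network attacker reaching a port bound to every interface) can be separated from a listening-socket listing. The following is an added example, not the University of Michigan team's scanner: it parses a `netstat -tlnp` style listing of the kind obtained over `adb shell` (the sample lines, package names and PIDs are constructed) and reports which listeners are reachable from the network at all, which is the set a firewall rule or an uninstall should cover first. The `audit` and `parse_listeners` names are this example's own.

```python
"""Classify listening sockets on an Android device by who can reach them.

Added example, not the University of Michigan team's scanner. It parses a
`netstat -tlnp` style listing (constructed sample below) and splits each open
port into the two exposure cases the research demonstrates: bound to loopback,
so only other apps on the same device can reach it (the on-device malware
case), or bound to a wildcard or LAN address, so anything that can route to the
phone can reach it (the network case).
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Listener:
    proto: str
    address: str
    port: int
    program: str
    exposure: str   # "device" (loopback only) or "network"


def _exposure(addr: str) -> str:
    """Loopback binds are reachable only on the device; everything else from the network."""
    if addr in ("::", "0.0.0.0", "*"):
        return "network"   # wildcard: every interface, including Wi-Fi
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "network"   # unparseable: assume exposed rather than hide it
    return "device" if ip.is_loopback else "network"


def parse_listeners(netstat_output: str):
    """Parse LISTEN lines of a netstat -tlnp listing into Listener records."""
    out = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6") or "LISTEN" not in parts:
            continue
        addr, _, port = parts[3].rpartition(":")   # handles IPv6 ':::8080' too
        prog = parts[-1].split("/", 1)[1] if "/" in parts[-1] else parts[-1]
        out.append(Listener(parts[0], addr, int(port), prog, _exposure(addr)))
    return out


def audit(netstat_output: str, system_programs=("adbd",)):
    """Return app listeners that are network-reachable, ordered by port."""
    return sorted((l for l in parse_listeners(netstat_output)
                   if l.exposure == "network" and l.program not in system_programs),
                  key=lambda l: l.port)


# Constructed sample listing; package names and PIDs are invented.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN      512/adbd
tcp        0      0 0.0.0.0:1234            0.0.0.0:*               LISTEN      4321/com.example.wifitransfer
tcp        0      0 127.0.0.1:6789          0.0.0.0:*               LISTEN      4400/com.example.musicplayer
tcp6       0      0 :::8080                 :::*                    LISTEN      6001/com.example.remotecontrol
"""

if __name__ == "__main__":
    for l in parse_listeners(SAMPLE_NETSTAT):
        who = "same network" if l.exposure == "network" else "other apps on this device"
        print(f"{l.proto:5s} {l.address}:{l.port:<6d} {l.program:32s} reachable by: {who}")
    print("network-exposed app ports:", [l.port for l in audit(SAMPLE_NETSTAT)])
```

A loopback-only listener is not safe, just less exposed: it is still reachable by any other app on the phone, which is the first attack the researchers demonstrate. Whether either kind is actually exploitable still depends on the app's own authentication and input handling, as the article notes.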

Source Code for CIA’s Tool to Track Whistleblowers Leaked by Wikileaks


Friday, April 28, 2017 Swati Khandelwal





Wikileaks has just published a new batch of the Vault 7 leak, exposing the documentation and source code for a CIA project known as "Scribbles."

Scribbles, a.k.a. the "Snowden Stopper," is a piece of software allegedly designed to embed 'web beacon' tags into confidential documents, allowing the spying agency to track whistleblowers and foreign spies.

Since March, as part of its "Vault 7" series, the whistleblowing website has published thousands of documents and other confidential information that it claims came from the US Central Intelligence Agency (CIA).



The CIA itself described Scribbles as a "batch processing tool for pre-generating watermarks and inserting those watermarks into documents that are apparently being stolen by FIO (foreign intelligence officers) actors."


Here's How Scribbles Tool Works:
Scribbles is written in the C# programming language. It generates a random watermark for each document, inserts it into the document, saves all processed documents in an output directory, and creates a log file that identifies the watermark inserted into every document.

This technique works the same way as a "tracking pixel", where a tiny pixel-sized image is embedded inside an email, allowing marketers and companies to keep track of how many users have seen the advertisement.

Using this tool, the CIA inserts into classified documents "likely to be stolen" a reference to a tiny, uniquely generated file hosted on a CIA-controlled server.



So every time the watermarked document is accessed by anyone, including potential whistleblowers, it secretly loads the embedded file in the background, which creates an entry on the CIA's server containing unique information about the person who accessed it, including the time stamp and his/her IP address.

"It generates a random watermark for each document, inserts that watermark into the document, saves all such processed documents in an output directory, and creates a log file which identifies the watermarks inserted into each document," Scribbles' user guide manual reads.

Scribbles Only Works with Microsoft Office Products
The user manual also specifies that the tool is intended for off-line preprocessing of Microsoft Office documents. So, if the watermarked documents are opened in any other application like OpenOffice or LibreOffice, they may reveal watermarks and URLs to the user.

According to the documentation, "the Scribbles document watermarking tool has been successfully tested on…Microsoft Office 2013 (on Windows 8.1 x64), documents from Office versions 97–2016 (Office 95 documents will not work!) [and]...documents that are not locked forms, encrypted, or password-protected."

However, since the hidden watermarks are loaded from a remote server, this technique works only when the user accessing the marked documents is connected to the Internet.
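The page does not describe how Scribbles embeds its beacon, only that opening the document loads a file from a remote server and that other office suites may expose the URL. In Office Open XML packages, the general mechanism for fetching content from a URL on open is a relationship with `TargetMode="External"`, so a defender can list those before opening an untrusted document. The following is an added example, not Scribbles or any WikiLeaks or CIA code: it scans a `.docx` (or any OOXML zip) for external relationships, separates the types Office resolves automatically (images, OLE objects, attached templates) from plain hyperlinks that need a click, and builds a constructed minimal package to run against. The `beacon_candidates` and `build_sample_docx` names and the sample URLs are this example's own.

```python
"""List remote resources an OOXML document will fetch when opened.

Added example, not Scribbles or any WikiLeaks code. It assumes a beacon takes
the form of a remotely hosted resource referenced from a relationship part with
TargetMode="External", which is the general OOXML mechanism for pulling content
from a URL at open time; it does not reproduce any specific tool's format.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types Office resolves on open without a click (hyperlinks need one).
AUTO_FETCH_TYPES = {OFFICE_REL + t for t in ("image", "oleObject", "attachedTemplate")}


def external_relationships(package: bytes):
    """Return (part, rel_id, rel_type, target) for every External relationship."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    hits.append((name, rel.get("Id"), rel.get("Type"), rel.get("Target")))
    return hits


def beacon_candidates(package: bytes):
    """External, auto-fetched, http(s) targets: opening the file contacts these hosts."""
    return [(part, rid, target)
            for part, rid, rtype, target in external_relationships(package)
            if rtype in AUTO_FETCH_TYPES
            and target.lower().startswith(("http://", "https://"))]


def build_sample_docx(beacon_url: str) -> bytes:
    """Construct a minimal .docx in memory: one remote image, one ordinary hyperlink."""
    rels = f'''<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{PKG_REL_NS}">
  <Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OFFICE_REL}image" Target="{beacon_url}" TargetMode="External"/>
  <Relationship Id="rId3" Type="{OFFICE_REL}hyperlink" Target="https://example.invalid/" TargetMode="External"/>
</Relationships>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")   # stub: enough for the scanner
        zf.writestr("word/document.xml", "<document/>")  # stub: body is irrelevant here
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed beacon URL; a real one would be unique per document copy.
    pkg = build_sample_docx("http://beacon.example.invalid/w/3f9a.png")
    for part, rid, target in beacon_candidates(pkg):
        print(f"{part}: {rid} fetches {target} on open")
```

Running the scan offline (or with the host blocked at the egress proxy) is the point: the listing itself never contacts the target, whereas opening the file in Office would.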

WikiLeaks notes that the latest released version of Scribbles (v1.0 RC1) is dated March 1, 2016, which indicates it was in use until at least last year, and it was seemingly meant to remain classified until 2066.

More technical details of Scribbles can be found in the User Guide.

So far, Wikileaks has revealed the "Year Zero" batch, which uncovered CIA hacking exploits for popular hardware and software; the "Dark Matter" batch, which focused on hacking exploits the agency designed to target iPhones and Macs; the "Marble" batch; and the "Grasshopper" batch, which reveals a framework allowing the agency to easily create custom malware for breaking into Microsoft's Windows and bypassing antivirus protection.

New MacOS Malware, Signed With Legit Apple ID, Found Spying On HTTPS Traffic


Thursday, April 27, 2017 Swati Khandelwal


Many people believe that they are much less likely to be bothered by malware if they use a Mac computer, but is it really true? Unfortunately, no.

According to McAfee Labs, malware attacks on Apple's Mac computers were up 744% in 2016, and its researchers have discovered nearly 460,000 Mac malware samples, which is still just a small part of the overall Mac malware out in the wild.

Today, the malware research team at Check Point has discovered a new piece of fully undetectable Mac malware which, according to them, affects all versions of Mac OS X, has zero detections on VirusTotal, and is "signed with a valid developer certificate (authenticated by Apple)."



Dubbed DOK, the malware is being distributed via a coordinated email phishing campaign and, according to the researchers, is the first large-scale malware to target macOS users.

The malware has been designed to gain administrative privileges and install a new root certificate on the target system, which allows attackers to intercept and gain complete access to all victim communication, including SSL encrypted traffic.

Almost three months ago, Malwarebytes researchers also discovered a rare piece of Mac-based espionage malware, dubbed Fruitfly, that was used to spy on biomedical research center computers and remained undetected for years.


Here's How the DOK Malware Works:
The malware is distributed via a phishing email masquerading as a message about supposed inconsistencies in the recipient's tax returns, tricking the victim into running an attached malicious .zip file, which contains the malware.

Since the malware author is using a valid developer certificate signed by Apple, the malware easily bypasses Gatekeeper, a built-in security feature of the macOS operating system. Interestingly, the DOK malware is also undetectable by almost all antivirus products.



Once installed, the malware copies itself to the /Users/Shared/ folder and then adds itself as a login item for persistence, so that it executes automatically every time the system reboots until it finishes installing its payload.

The malware then creates a window on top of all other windows, displaying a message claiming that a security issue has been identified in the operating system and an update is available, for which the user has to enter his/her password.

Once the victim installs the "update," the malware gains administrator privileges on the victim's machine and changes the system's network settings, allowing all outgoing connections to pass through a proxy.

According to CheckPoint researchers, "using those privileges, the malware will then install brew, a package manager for OS X, which will be used to install additional tools – TOR and SOCAT."


DOK Deletes itself after Setting up Attacker's Proxy
The malware then installs a new root certificate in the infected Mac, which allows the attacker to intercept the victim’s traffic using a man-in-the-middle (MiTM) attack.

"As a result of all of the above actions, when attempting to surf the web, the user’s web browser will first ask the attacker web page on TOR for proxy settings," the researchers say.

"The user traffic is then redirected through a proxy controlled by the attacker, who carries out a Man-In-the-Middle attack and impersonates the various sites the user attempts to surf. The attacker is free to read the victim's traffic and tamper with it in any way they please."

According to the researchers, almost no antivirus has updated its signature database to detect the DOK OS X malware, as the malware deletes itself once it has modified the proxy settings on the target machine for interception.
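Because the dropper removes itself, what remains on an infected Mac is the configuration it changed: the auto-proxy (PAC) setting, the login item, and the copy under /Users/Shared/. The following added example (not Check Point's tooling) checks captured output of two macOS commands for that state. The command output formats, the allowlisted PAC URL, the login-item path and the `triage` function are assumptions of this example; the samples are constructed, and the exact output format of `networksetup` and the AppleScript login-item query should be confirmed on the build being checked.

```python
"""Check a Mac for the configuration DOK leaves behind, from captured command output.

Added example, not Check Point's tooling. Since the dropper deletes itself
after rewriting the proxy settings, the durable indicators are the settings:
an enabled auto-proxy (PAC) URL, a persistent login item, and a copy of the
app under /Users/Shared/. The inputs are constructed samples of what
`networksetup -getautoproxyurl <service>` and
`osascript -e 'tell application "System Events" to get the path of every login item'`
print on macOS (assumed format; confirm on your own build before relying on it).
"""
from urllib.parse import urlsplit

PAC_ALLOWLIST = {"http://proxy.corp.example/proxy.pac"}   # constructed: your known PAC URLs


def parse_autoproxy(output: str):
    """Turn 'URL: ...\\nEnabled: Yes' into (enabled, url); url is None when unset."""
    fields = {}
    for line in output.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    url = fields.get("URL")
    if url in (None, "", "(null)"):
        url = None
    return fields.get("Enabled", "No").lower() == "yes", url


def check_autoproxy(output: str):
    """Findings for an enabled PAC URL that is not one we provisioned."""
    enabled, url = parse_autoproxy(output)
    if not enabled or url is None or url in PAC_ALLOWLIST:
        return []
    host = urlsplit(url).hostname or ""
    findings = [f"auto-proxy enabled with unexpected PAC URL {url}"]
    if host in ("127.0.0.1", "localhost", "::1"):
        findings.append("PAC served from loopback: a local relay (e.g. socat to Tor) may be fronting it")
    if host.endswith(".onion"):
        findings.append("PAC host is a Tor hidden service")
    return findings


def check_login_items(output: str):
    """Flag login items that run out of /Users/Shared/, where DOK copies itself."""
    paths = [p.strip() for p in output.split(",") if p.strip()]
    return [f"login item under /Users/Shared/: {p}"
            for p in paths if p.startswith("/Users/Shared/")]


def triage(autoproxy_output: str, login_items_output: str):
    """Combine both checks into one list of findings (empty means nothing flagged)."""
    return check_autoproxy(autoproxy_output) + check_login_items(login_items_output)


# Constructed samples: a clean machine and one matching the described post-infection state.
CLEAN_AUTOPROXY = "URL: (null)\nEnabled: No\n"
CLEAN_LOGIN_ITEMS = "/Applications/Dropbox.app\n"
INFECTED_AUTOPROXY = "URL: http://127.0.0.1:5555/proxy.pac\nEnabled: Yes\n"
INFECTED_LOGIN_ITEMS = "/Applications/Dropbox.app, /Users/Shared/Updater.app\n"

if __name__ == "__main__":
    for label, a, l in (("clean", CLEAN_AUTOPROXY, CLEAN_LOGIN_ITEMS),
                        ("infected", INFECTED_AUTOPROXY, INFECTED_LOGIN_ITEMS)):
        print(label, triage(a, l) or ["no findings"])
```

A third durable indicator is the added root certificate: listing the trusted roots in the System keychain and comparing them against a known-good baseline catches the MiTM certificate even after the proxy settings have been reverted, and revoking the abused developer certificate, as the article notes, only stops new installs.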

Apple can resolve this issue just by revoking the developer certificate being abused by the malware author.

Meanwhile, users are advised to avoid clicking links contained in messages or emails from untrusted sources and to pay extra attention before providing their root password.

Twitter expands live broadcasting portfolio with sports, news shows, and music concerts


Image: Reuters
Twitter Inc is expanding its live broadcasting portfolio with 12 new offerings that include WNBA games, a 24-hour Bloomberg News network and a show about gadgets from the tech news website The Verge, the company said on Monday. Twitter, which has struggled to win a major share of online advertising, planned to present its plans at a conference in New York City organized by the Interactive Advertising Bureau, a digital ad trade group.
Shares of the San Francisco-based company jumped 6.4 percent earlier on Monday to close at $17.54 after the Wall Street Journal reported on plans for the Bloomberg News network, pleasing some investors who had wanted more exclusive live content on Twitter. The WNBA women’s basketball league will live-stream a regular-season game weekly on Twitter starting this month and continuing through the 2017, 2018 and 2019 seasons, Twitter said in a statement.
Other new sports-related programs will include a 360-degree video of the 17th hole at the PGA’s Players Championship golf tournament this month, and a weekly, live Major League Baseball show that has highlights and commentary. Twitter is already showing one Major League game a week this season. Music-promoter Live Nation Entertainment Inc will stream some concerts, beginning this month with a show by Grammy-winning country performers Zac Brown Band, Twitter said.
BuzzFeed News will broadcast a morning show on Twitter for an audience “that wakes up hungry” for trending tweets, and video news start-up Cheddar will stream an “opening bell” show each morning from the New York Stock Exchange. Terms of the various deals were not disclosed. Twitter Chief Operating Officer Anthony Noto said in a statement: “Adding these 12 new live deals tonight is a testament to the success of our only-on-Twitter experience, combining high quality streaming video with our only-on-Twitter conversation.”
Reuters, a unit of Thomson Reuters Corp, competes with Bloomberg News in providing financial news and data. Twitter suffered a setback last month when it lost a deal to live-stream National Football League games to Amazon.com Inc.
Reuters
Publish date: May 2, 2017 2:21 pm| Modified date: May 2, 2017 2:21 pm

Researchers develop robotic drill that can perform surgeries in as little as 2.5 minutes


Image: University of Utah
A computer-driven automated drill that could perform a type of complex cranial surgery 50 times faster, decreasing operating time from two hours to 2.5 minutes, has been developed by researchers, including one of Indian origin. A translabyrinthine surgery is performed to expose slow-growing, benign tumours that form around the auditory nerves. For such complex surgeries, surgeons typically use hand drills to make intricate openings, which adds hours to a procedure and may also increase the risk of loss of facial movement.
However, the new automated machine replaces hand drills to produce fast, clean, and safe cuts, reducing the time the wound is open and the patient is anesthetised, thereby decreasing the incidence of infection, human error, and surgical cost. “I was interested in developing a low-cost drill that could do a lot of the grunt work to reduce surgeon fatigue,” said A.K. Balaji, Associate Professor at the University of Utah in the US.
The drill, which could play a pivotal role in future surgical procedures like hip implants, was developed from scratch to meet the needs of the neurosurgical unit, and the researchers also developed software that sets a safe cutting path, they said in a paper in the journal Neurosurgical Focus. First, the patient is imaged using a CT scan to gather bone data and identify the exact location of sensitive structures, such as nerves and major veins and arteries, that must be avoided. Surgeons use this information to programme the cutting path of the drill.
In addition, the surgeon can programme safety barriers along the cutting path within 1 mm of sensitive structures. If the drill gets too close to the facial nerve and nerve irritation is detected during surgery, the drill automatically turns off.
Publish date: May 2, 2017 1:51 pm| Modified date: May 2, 2017 1:51 pm

Alleged OnePlus 5 camera samples leaked online; hint at a dual camera setup


After the launch of the Samsung Galaxy S8 and Xiaomi Mi 6, everyone is eagerly waiting for the launch of the successor to the OnePlus 3T. According to previous reports, it is expected that OnePlus will launch the OnePlus 5 instead of the OnePlus 4.
The Chinese smartphone maker has not issued any statements for the launch of the upcoming flagship. However, despite the lack of clarity from OnePlus, the Internet is full of rumors about the OnePlus 5. According to a previous report, the device was spotted on a Chinese device certification website, hinting at a nearing launch date. The report was followed by a controversial render leaked by India Today.
According to the latest report, alleged photos taken with the cameras on the OnePlus 5 have leaked out. True-tech was the first to leak the photos online. According to the report on True-tech, the website sourced the images from an anonymous leaker. The report clarifies that it can't provide any proof that these photos are the real deal rather than clever editing of the metadata. The report includes a link to a .zip archive with full-resolution images for users to download and examine for themselves.
The report suggests that the OnePlus 5 will feature a dual-camera on the back because some of the images have enhanced depth-of-field.
True-tech also suggests that the depth-of-field may have been added via software. The report goes on to add that the two sensors on the rear camera might both be 16 MP units.
We downloaded the images to examine them and the EXIF data for ourselves. The images were unimpressive even though they seemed to have been shot in decent lighting conditions. Focus was also off in some images. The EXIF data seems to suggest that the OnePlus 5 will come with Android Nougat 7.1.1 out of the box.
We can expect the smartphone to launch soon as June 2017 marks one year since the launch of the OnePlus 3, the last major upgrade by OnePlus in terms of hardware. The OnePlus 3T was a minor upgrade, so it doesn’t count.
There is no official word on when we can expect OnePlus to launch the OnePlus 5.
The OnePlus 5 is expected to pack in a Qualcomm Snapdragon 835, 8 GB RAM and 2K AMOLED display panel with an effective resolution of 2048×1080 with a 5.5-inch screen.
Publish date: May 2, 2017 1:16 pm| Modified date: May 2, 2017 1:16 pm

Microsoft expected to take on Chromebook and iPad in upcoming education-centric event


Image: Microsoft
Microsoft is gearing up for its next major event of the year. The event has been tagged #MicrosoftEDU, and judging by the name, we’re expecting to see a number of education-centric products and services from the company.
When it comes to education and education products, it’s safe to assume that the primary market in most cases has always been the US and, to some extent, Europe. This area has been Apple’s domain for a long time, but Google’s Chromebooks have been steadily eating into the market.
Chromebooks are cheaper than Apple’s iPads and more flexible. Given their laptop form factor, they’re also more comfortable to type on than an iPad.
Microsoft doesn’t currently have a compelling offering at this level. Its services and software, such as Office 365 and software development tools, are available, but there’s no device to use these on.
Keeping this in mind, and the fact that Microsoft has been developing an ARM-friendly version of Windows 10, we’re expecting to see a Chromebook-like device from the company today. The device is expected to fully support UWP (Universal Windows Platform) apps.
Given Microsoft's increasing focus on cloud services, we're expecting to see some sort of cloud-service offerings specifically targeting the education space, including Office 365 and OneDrive.
Unfortunately, nobody is expecting to see an update to the Surface line or Windows Phone.
Here’s how you get updates
The event is scheduled for 7:00 PM India time and will be streamed live from here. Be sure to tune into tech2 at 7:00 PM as well since we will also be hosting a live blog for the event.
Publish date: May 2, 2017 10:38 am| Modified date: May 2, 2017 10:38 am
