Category: Hackers


Any GSM phone vulnerable to new scam: researcher

Filed under: Cybersecurity, Exploit, GSM, Hackers, Mobile, Security, Tablets, Technology, Telecom, Wireless by Ryan Boese — 3 Comments
December 27, 2011

A well-known expert on mobile phone security says a vulnerability in a widely used wireless technology could allow hackers to gain remote control of phones, instructing them to send text messages or make calls.

They could use the vulnerability in the GSM network technology, which is used by billions of people in about 80 percent of the global mobile market, to make calls or send texts to expensive, premium phone and messaging services in scams, said Karsten Nohl, head of Germany’s Security Research Labs.

Similar attacks against a small number of smartphones have been done before, but the new attack could expose any cellphone using GSM technology.

“We can do it to hundreds of thousands of phones in a short timeframe,” Nohl told Reuters in advance of a presentation at a hacking convention in Berlin on Tuesday.

Attacks on corporate landline phone systems are fairly common, often involving bogus premium-service phone lines that hackers set up across Eastern Europe, Africa and Asia. Fraudsters make calls to the numbers from hacked business phone systems or mobile phones, then collect their cash and move on before the activity is identified.

The phone users typically don’t identify the problem until after they receive their bills and telecommunications carriers often end up footing at least some of the costs.

Even though Nohl will not present details of attack at the conference he said hackers will usually replicate the code needed for attacks within a few weeks.

Source: Reuters

Tags: , , , , , , , , , , ,
Comment

Windows Phone SMS attack discovered, reboots device and disables messaging hub

Filed under: Cybersecurity, Exploit, Hackers, Microsoft, Security, Technology, Telecom, Windows, Windows Phone 7, Wireless by Ryan Boese — Leave a comment
December 13, 2011

Microsoft’s range of Windows Phone devices suffer from a denial-of-service attack that allows attackers to disable the messaging functionality on a device.

The flaw works simply by sending an SMS to a Windows Phone user. Windows Phone 7.5 devices will reboot and the messaging hub will not open despite repeat attempts. We have tested the attack on a range of Windows Phone devices, including HTC’s TITAN and Samsung’s Focus Flash. Some devices were running the 7740 version of Windows Phone 7.5, others were on Mango RTM build 7720. The attack is not device specific and appears to be an issue with the way the Windows Phone messaging hub handles messages. The bug is also triggered if a user sends a Facebook chat message or Windows Live Messenger message to a recipient.

The flaw appears to affect other aspects of the Windows Phone operating system too. If a user has pinned a friend as a live tile on their device and the friend posts a particular message on Facebook then the live tile will update and causes the device to lock up. Thankfully there’s a workaround for the live tile issue, at initial boot up you have a small amount of time to get past the lock screen and into the home screen to remove the pinned live tile before it flips over and locks the device.

Both Apple and Google have suffered from SMS bugs with their iOS and Android devices. Security researcher Charlie Miller discovered a flaw in the iOS 3.0 software that allowed attackers complete control over an iPhone at the time. Android-based phones also suffered in the SMS attack, but attackers could only knock a phone offline rather than gain full access. The attack described in this article does not appear to be security related. It appears, from our limited testing, that the bug is related to the way Windows Phone handles messages.

Khaled Salameh discovered the flaw and reported it to us on Monday. WinRumors is in the process of disclosing the bug directly to Microsoft privately in co-operation with Khaled. At this stage there doesn’t appear to be a workaround to fix the messaging hub apart from hard resetting and wiping the device. Please see the video below for a demonstration.

 

 

Source: WinRumors

Tags: , , , , , , , , , , , , , , , , , , , ,
Comment

Skype flaw reveals users’ location, file-downloading habits

Filed under: Cybersecurity, Exploit, GPS, Hackers, Internet, Security, Skype by Ryan Boese — Leave a comment
December 2, 2011

Researchers have found a flaw in Skype, the popular Voice-over-Internet-Protocol service which allows users to make video phone calls and internet chat with their computers. The vulnerability can expose your location, identity and the content you’re downloading. Microsoft, which owns Skype, says they are working on the problem.

The issue was uncovered earlier this year by a team of researchers from Polytechnic Institute of New York University (NYU-Poly), MPI-SWS in Germany and INRIA in France and included Keith Ross, Stevens Le Blond, Chao Zhang, Arnaud Legout, and Walid Dabbous. The team presented the research in Berlin recently at the Internet Measurement Conference 2011 in a paper titled “I know where you are and what you are sharing.”

The researchers found several properties of Skype that can track not only users’ locations over time, but also their peer-to-peer (P2P) file-sharing activity, according to a summary of the findings on the NYU-Poly web site. Earlier this year, a German researcher found a cross-site scripting flaw in Skype that could allow someone to change an account password without the user’ consent.

Even when a user blocks callers or connects from behind a Network Address Translation (NAT) — a common type of firewall — it does not prevent the privacy risk,” according to a release from NYU-Poly.

The research team tracked the Skype accounts of about 20 volunteers as well as 10,000 random users over a two-week period and found that callers using VoIP systems can obtain the IP address of another user when establishing a call with that person. The caller can then use commercial geo-IP mapping services to determine the other user’s location and Internet Service Provider (ISP).

The user can also initiate a Skype call, block some packets and quickly terminate the call to obtain an unsuspecting person’s IP address without alerting them with ringing or pop-up windows. Users do not need to be on a contact list, and it can be done even when a user explicitly configures Skype to block calls from non-contacts.

The research also revealed that marketers can easily link to information such as name, age, address, profession and employer from social media sites such as Facebook and LinkedIn in order to inexpensively build profiles on a single tracked target or a database of hundreds of thousands.

“We feel the implications are very severe,” Ross told CSO. “For example, a high-school hacker, or anyone with basic programming and hacking skills, could track, for example, all the Congressmen in the United States, or the employees of a company. The attack can be used by blackmailers, stalkers, or journalists looking for a racy story about a politician.”

Skype and Microsoft Corp. were informed of the researchers’ findings and The New York Times reports that Skype is aware of the issue.

“We value the privacy of our users and are committed to making our products as secure as possible,” Adrian Asher, Skype’s chief information security officer, said in a statement. “Just as with typical Internet communications software, Skype users who are connected may be able to determine each other’s IP address. Through research and development, we will continue to make advances in this area and improvements to our software.”

Source: NetworkWorld

Tags: , , , , , , , ,
Comment

BlackBerry, iPhone, Gmail users at risk: WikiLeaks

Filed under: Android, Apple, Blackberry, Cybersecurity, Exploit, Google, Hackers, Internet, Mobile, RIM, Security, Technology, Telecom by Ryan Boese — Leave a comment
December 2, 2011

WikiLeaks is out with yet another explosive expose. It has released 287 files of numerous companies containing details of mass surveillance.

Speaking in London, WikiLeaks founder Julian Assange said more than 150 organisations worldwide were selling information obtained by monitoring people’s mobile phones and computers.

“Today, we release over 287 files, documenting the reality of the international mass surveillance industry. An industry which now sells equipment to dictators and democracies alike, in order to intercept entire populations. 9/11 has provided a license for European countries, for United States, Australia, Canada, South Africa and others to develop spying systems that affect all of us,” Assange said.

He added that iPhone, Blackberry and Gmail users were at risk.

The whistleblower website has in the past released classified US documents on the Iraq and Afghan wars as well as controversial details of US diplomatic cables.

 

 

Source: IBNLive Tech

Tags: , , , , ,
Comment

Dropbox drops a critical update, software wide open to hackers

Filed under: Applications, Cybersecurity, Exploit, Hackers, Security, Software, Windows by Ryan Boese — Leave a comment
November 10, 2011

Today sees Dropbox release a security update that plugs up a serious security vulnerability in the client software.

Prior to this update, all a third party needed to do to gain access to someone’s Dropbox account was to copy the Dropbox configuration files from one PC to another. These configuration files could be copied directly from the PC or extracted from a system backup. Once in possession of these files, the third-party had total access to the Dropbox account even if the user changed their password. The only way to revoke access was to unlink the rogue system from the account using the account setting page over on the Dropbox website.

Dropbox version 1.2.48 fixes this serious vulnerability. However, because the client software can take several weeks to auto update, you have to carry out the procedure manually.

If you’re a Dropbox user I strongly urge you to install this update immediately!

Source: ZDNet

Tags: , , , , ,
Comment

Adobe Abandons Mobile Flash Development

Filed under: Adobe, Android, Computers, Cybersecurity, Exploit, Flash, Hackers, Malware, RootKit, Security by Ryan Boese — 3 Comments
November 9, 2011

Latest Update: Adobe confirmed it will cease Flash development on mobile devices in a press release published Wednesday morning.

In an abrupt about-face in its mobile software strategy, Adobe will soon cease developing its Flash Player plug-in for mobile browsers, according to an e-mail sent to Adobe partners on Tuesday evening.

And with that e-mail flash, Adobe has signaled that it knows, as Steve Jobs predicted, the end of the Flash era on the web is coming soon.

The e-mail, obtained and first reported on by ZDNet, says that Adobe will no longer continue to “adapt Flash Player for mobile devices to new browser, OS version or device configurations,” instead focusing on alternative application packaging programs and the HTML5 protocol.

“Our future work with Flash on mobile devices will be focused on enabling Flash developers to package native apps with Adobe AIR for all the major app stores,” the quoted e-mail says.

In the past, Adobe has released software tools for mobile developers that create a single platform programmers can use to make applications that work across three major mobile platforms: Android, iOS and the BlackBerry OS. While it’s seemingly easier than learning all of the native languages for each operating system, some developers have claimed a loss in app performance when coding in a non-native language that then gets translated into other languages.

The move indicates a massive backpedaling on Adobe’s part, a company who championed its Flash platform in the face of years of naysaying about its use on mobile devices. Despite Flash’s near ubiquity across desktop PCs, many in the greater computing industry, including, famously, Apple Computer, have denounced the platform as fundamentally unstable on mobile browsers, and an intense battery drain. In effect, Flash’s drawbacks outweigh the benefits on mobile devices.

Flash became a dominant desktop platform by allowing developers to code interactive games, create animated advertisements and deliver video to any browser that had the plugin installed, without having to take into account the particulars of any given browser. However, with the development of Javascript, CSS, and HTML5, which has native support for video, many web developers are turning away from Flash, which can be a resource hog even on the most advanced browsers.

Apple made its biggest waves in the case against Flash in April of last year, when Steve Jobs penned a 1,500-word screed against the controversial platform, describing it as a technology of the past. Jobs and Apple disliked the platform so intensely, it has since been barred from use on all iOS devices.

Despite attempts to breathe life into Flash on other mobile devices — namely, Android and BlackBerry OS — Adobe has failed to deliver a consistently stable version of the platform on a smartphone or tablet. In WIRED’s testing of the BlackBerry PlayBook in April, Flash use caused the browser to crash on a consistent basis. And when Flash was supposed to come to tablets with Motorola’s Xoom, Adobe was only able to provide an highly unstable Beta version of Flash to ship with the flagship Android device.

“Adobe has lost so much credibility with the community that I’m hoping they are bought by someone else that can bring some stability and eventually some credibility back to the Flash Platform,” wrote software developer Dan Florio in a blog post on Wednesday morning.

The drastic reversal in Adobe’s mobile plans comes in the wake of the company cutting 750 jobs on Tuesday, a move prompted by what Adobe labeled “corporate restructuring.”

An Adobe representative did not immediately respond to a request for comment.

Source: Wired

Tags: , , , , , , ,
Comment

Apple security expert finds apps-software bug

Filed under: Apple, Applications, Cybersecurity, Exploit, Hackers, iPhone, Software, Tablets, Telecom by Ryan Boese — Leave a comment
November 7, 2011

A software flaw in Apple Inc’s iPhones and iPads may allow hackers to build apps that secretly install programs to steal data, send text messages or destroy information, according to an expert on Apple device security.

Charlie Miller, a researcher with Accuvant Labs who identified the problem, built a prototype malicious program to test the flaw. He said Apple’s App Store failed to identify the malicious program, which made it past the security vetting process.

There is as yet no evidence that hackers have exploited the vulnerability in Apple’s iOS software. But Miller said his test demonstrated that there could be real malware in the App Store.

“Until now you could just download everything from the App Store and not worry about it being malicious. Now you have no idea what an app might do,” Miller said.

Miller said he proved his theory by building a stock-market monitoring tool, InstaStock, that was programed to connect to his server once downloaded, and to then download whatever program he wants.

Apple did not respond to requests for comment.

Miller, who in 2009 identified a bug in the iPhone text-messaging system that allowed attackers to gain remote control over the devices, said that he had contacted the company about the vulnerability.

“They are in the process of fixing it,” he said.

Miller is scheduled to present his detailed research at the SyScan ’11 security conference in Taiwan next week.

 

 

Source: Reuters

Tags: , , , , , , , , ,
Comment

Smartphone scams: Owners warned over malware apps

Filed under: Android, Applications, Cybersecurity, Droid, Exploit, Hackers, Internet, Malware, Mobile, Trojan, WiFi by Ryan Boese — Leave a comment
November 6, 2011

Get Safe Online says that there has been an increase in smartphone malware as the market has grown.

Criminals are typically creating Trojan copies of reputable apps and tricking users into installing them.

Once on the phone, the app can secretly generate cash for criminals through premium rate text messages.

Get Safe Online, a joint initiative between the government, police and industry, said it was concerned that users of smartphones, such as Android devices, were not taking steps to protect their devices.

Get Safe Online said fraudsters are designing apps which generate cash secretly in the background without the owner realising until their monthly bill.

A typical scam involves an app designed to send texts to premium rate services without the user knowing.

Apps can appear to be bona fide software or sometimes masquerade as stripped down free versions of well-known games.

Rik Ferguson, a hacking researcher with internet security firm Trend Micro, said: “This type of malware is capable of sending a steady stream of text messages to premium rate numbers – in some instances we’ve seen one being sent every minute.

“With costs of up to £6 per message, this can be extremely lucrative. The user won’t know this is taking place, even if they happen to be using the device at the same time, as the activity takes place within the device’s back-end infrastructure.”

Online banking

Another major security firm, Symantec, recently warned in its annual threat assessment that Android phones were at risk and that it had found at least six varieties of malicious software.

Minister for Cyber Security Francis Maude said: “More and more people are using their smartphone to transmit personal and financial information over the internet, whether it’s for online banking, shopping or social networking.

“Research from Get Safe Online shows that 17% of smartphone users now use their phone for money matters and this doesn’t escape the notice of criminals.”

Tony Neate, head of Get Safe Online, urged people to check their phone’s security.

“Mobile phones are very personal. I have talked to people who are never more than a yard away from their mobile phone. Because of that attachment, they start to think that they are in a way invincible.

“It’s the end user that picks up the tab – it’s your phone that incurs the costs. Whether you have pay-as-you-go or a monthly account, that money is going to come from the account and go to the criminal.”

Source: BBC News

Tags: , , , , , , , ,
Comment

Security expert warns hackers can attack Android

Filed under: Android, Applications, Cybersecurity, Exploit, Hackers, Internet, Security, Technology, Telecom, Wireless by Ryan Boese — Leave a comment
August 12, 2011

A mobile security expert says he has found new ways for hackers to attack phones running Google Inc’s Android operating system.

Riley Hassell, who caused a stir when he called off an appearance at a hacker’s conference last week, told Reuters he and colleague Shane Macaulay decided not to lay out their research at the gathering for fear criminals would use it attack Android phones.

He said in an interview he identified more than a dozen widely used Android applications that make the phones vulnerable to attack.

“App developers frequently fail to follow security guidelines and write applications properly,” he said.

“Some apps expose themselves to outside contact. If these apps are vulnerable, then an attacker can remotely compromise that app and potentially the phone using something as simple as a text message.”

He declined to identify those apps, saying he fears hackers might exploit the vulnerabilities.

“When you release a threat and there’s no patch ready, then there is mayhem,” said Hassell, founder of boutique security firm Privateer Labs.

Hassell said he and Macaulay alerted Google to the software shortcomings they unearthed.

Google spokesman Jay Nancarrow said Android security experts discussed the research with Hassell and did not believe he had uncovered problems with Android.

“The identified bugs are not present in Android,” he said, declining to elaborate.

It was the first public explanation for the failure of Hassell and Macaulay to make a scheduled presentation at the annual Black Hat hacking conference in Las Vegas, the hacking community’s largest annual gathering.

They had been scheduled to talk about “Hacking Androids for Profit.” Hundreds of people waited for them to show up at a crowded conference room.

Hassell said in an interview late on Thursday the pair also learned — at the last minute — that some of their work may have replicated previously published research and they wanted to make sure they properly acknowledged that work.

“This was a choice we made, to prevent an unacceptable window of risk to consumers worldwide and to guarantee credit where it was due,” he said.

A mobile security researcher familiar with the work of Hassell and Macaulay said he understood why the pair decided not to disclose their findings.

“When something can be used for exploitation and there is no way to fix it, it is very dangerous to go out publicly with that information,” the researcher said. “When there is not a lot that people can do to protect themselves, disclosure is sometimes not the best policy.”

Hassell said he plans to give his talk at the Hack in The Box security conference in Kuala Lumpur in October.

Ryan:  If you are running an Android phone, two must have apps for your phone are:  Lookout Mobile Security for Android & Advanced Task Killer.

Source: Reuters

Tags: , , , ,
Comment