VB2015 paper: Will Android Trojans, Worms or Rootkits Survive in SEAndroid and Containerization?

VB2015 paper: Will Android Trojans, Worms or Rootkits Survive in SEAndroid and Containerization?

Google‘s Android operating system may have a bit of a bad reputation when it comes to security, but it’s worth noting that recent versions of the operating system have been hardened a lot.

In a paper presented at VB2015, Sophos researchers Rowland Yu and William Lee look at two recent security enhancements, Security Enhancements for Android (SEAndroid) and containerization, and ask whether they will be able to stop future malware targeting Android. Based on how existing Android malware gets onto the operating system, they conclude that these enhancements won’t be sufficient to keep either current or future malware out.

You can read their paper “Will Android Trojans, Worms or Rootkits Survive in SEAndroid and Containerization?” here in HTML format or here as a PDF, and find the video on our YouTube channel, or embedded below.

SEAndroid-fig1.jpg

If you’re interested in Android malware, don’t forget to read Rowland Yu’s VB2014 paper “Android packers: facing the challenges, building solutions”, or watch him discuss Android malware at RSA next month.

[]

Original Post: https://www.virusbulletin.com/blog/2016/02/vb2015-paper-will-android-trojans-worms-or-rootkits-survive-seandroid-and-containerization/

NXP LS1012A Is A Tiny IoT Chip With Built-In Security Features

NXP announced the LS1012A processor, which the company claimed is the smallest and lowest power 64-bit chip that comes with multiple built-in hardware security features.

The LS1012A chip is powered by a single-core 64-bit Cortex-A53 CPU, which makes it one of the most powerful IoT-focused chips around, and yet the chip is contained in that small 9.6 x 9.6 mm package.

NXP said that the LS1012A is the first chip small enough to be integrated directly onto the printed circuit board of an HDD, which means it enables the existence of “Ethernet drives” that have the same form factor as existing HDDs. These sort of drives can be used in data centers that employ
object-based file architectures that work across networks of intelligent HDDs.

At 2,000 CoreMark of performance, the chip consumes about 1 W of power. It has a Packet Forwarding Engine for acceleration of IP packet processing to reduce CPU load and power consumption. It also includes support for peripherals such as USB 3.0, PCIe, 2.5 Gbps Ethernet, and SATA3.

“The groundbreaking combination of low power, tiny footprint and networking-grade performance of NXP’s LS1012 processor is ideal for consumer, networking and Internet of Things applications alike,” said Tareq Bustami, senior vice president and general manager of NXP’s Digital Networking division.

“This unique blend of capabilities unleashes embedded systems designers and developers to imagine and create radically innovative end-products across a broad spectrum of high-growth markets,” he added.

One of the main selling points of the chip is its security features, which include built-in hardware root of trust, crypto acceleration, secure debug, secure manufacturing (the firmware is protected against malicious manufacturing employees), and an ARM TrustZone, where the cryptographic master keys are stored.

The software development kit supports Linux. NXP also offers “application solution kits” based on OpenWrt, the popular open source Linux-based embedded operating system. It’s typically used for routers, but it can also be used for IoT gateways and networked storage. The company said it supports other third-party operating systems, tools and development boards, too.

The development tools will include the full software development kit with Yocto support, CodeWarrior for the 64-bit ARMv8 toolchain, and a reference development board. NXP’s LS1012A chip will be available in April 2016, but you can order it now.

Source:
http://www.tomshardware.com/news/nxp-ls1012a-smallest-iot-chip,31249.html

Another Flash Zero-Day Found: How to Protect Yourself

For the third time in two weeks, online criminals have won the race to find a new flaw in Adobe Flash Player. Security researchers didn’t know this flaw existed until the criminals were already exploiting it to infect Web browsers, most prominently to launch malvertising attacks staged from the popular website Daily Motion.

Adobe says the flaw affects Flash Player in Microsoft Internet Explorer and Mozilla Firefox browsers on Windows, OS X and Linux; the company promises to have a patch for it later this week. Meanwhile, people may want to disable Flash in these browsers to minimize the risk of attack.

Flaws that security researchers only discover once attackers have already exploited them are called zero-days, because the “good guys” have zero days to prepare a patch.

In this case, it was Tokyo-based security company Trend Micro that first noticed the exploit appearing on Daily Motion, possibly as a result of site infection by the Angler browser exploit kit, a package of cobbled-together browser attacks that cybercriminals use to install malware on people’s computers.

“It is likely that this was not limited to the Dailymotion website alone, since the infection was triggered from the advertising platform and not the website content itself,”  wrote Trend Micro’s Peter Pi in a company blog post. 

Browser exploit kits are bundles of various exploits for known flaws in widely used Web browsers. When embedded or linked to in a Web page, an exploit kit will systematically try every attack at its disposal until it finds one that penetrates the visitor’s specific Web browser and operating system. Once the security hole is created, more malware — again tailored to the visitor’s OS — can be injected to infect the computer. Last month, security researcher Kafeine discovered an earlier Adobe Flash zero-day in the Angler exploit kit.

This third zero-day flaw affects Adobe Flash Player 16.0.0.296 and earlier versions on Windows and OS X; and Adobe Flash Player 11.2.202.440 and earlier versions on Linux, according to Adobe’s security bulletin.

The ads that were compromised to exploit this flaw seem to be down, according to Trend Micro, but until the flaw is patched, users may want to disable Adobe Flash in their browsers, or set it to click-to-run. Click-to-run disables the default automatic playing of Flash-based Web content,  ensuring that only content you specifically select (such as a YouTube video) will run in your browser.

To enable click-to-run on Firefox, click the Menu button in the upper right-hand corner (denoted by three horizontal lines). Then click Add-Ons to see a list of your browser’s add-ons. Change the settings of Adobe Flash, Adobe Flash Player or Adobe Shockwave Flash — the names may vary — from Always Activate to Ask to Activate.

To do so on Google Chrome, click the Menu button (also in the upper right, also denoted by three horizontal lines). Click Settings, then Show Advanced Settings. Scroll down to the Privacy section and click Content Settings. This will launch a pop-up window. In this window, scroll to the Plug-Ins section, and select Click to Play.

To do so on Internet Explorer 9, 10 and 11, click the gear icon in the top-right corner, then click Manage Add-Ons, which will launch a pop-up window. Click Toolbars and Extensions in the window’s left-hand navigation menu. In this right-hand results window, right-click Shockwave Flash Object, which will launch another pop-up window. Under the form field labeled “You have approved this add-on to run on the following websites,” click Remove all sites. (If there’s an asterisk in the form field, it means that all sites have been approved; you want to get rid of the asterisk.)

 

 

Source: Toms Guide

http://www.tomsguide.com/us/flash-zero-day-malvertising,news-20392.html

APPLE: A MESSAGE TO OUR CUSTOMERS

Last week Apple’s CEO Tim Cook released a letter to its customers concerning a demand made to Apple from the FBI. Read his message below.

-Jeff

Original post can be found here: http://www.apple.com/customer-letter/

February 16, 2016A Message to Our Customers

The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand.

This moment calls for public discussion, and we want our customers and people around the country to understand what is at stake.

Answers to your questions about privacy and security

The Need for Encryption

Smartphones, led by iPhone, have become an essential part of our lives. People use them to store an incredible amount of personal information, from our private conversations to our photos, our music, our notes, our calendars and contacts, our financial information and health data, even where we have been and where we are going.

All that information needs to be protected from hackers and criminals who want to access it, steal it, and use it without our knowledge or permission. Customers expect Apple and other technology companies to do everything in our power to protect their personal information, and at Apple we are deeply committed to safeguarding their data.

Compromising the security of our personal information can ultimately put our personal safety at risk. That is why encryption has become so important to all of us.

For many years, we have used encryption to protect our customers’ personal data because we believe it’s the only way to keep their information safe. We have even put that data out of our own reach, because we believe the contents of your iPhone are none of our business.

The San Bernardino Case

We were shocked and outraged by the deadly act of terrorism in San Bernardino last December. We mourn the loss of life and want justice for all those whose lives were affected. The FBI asked us for help in the days following the attack, and we have worked hard to support the government’s efforts to solve this horrible crime. We have no sympathy for terrorists.

When the FBI has requested data that’s in our possession, we have provided it. Apple complies with valid subpoenas and search warrants, as we have in the San Bernardino case. We have also made Apple engineers available to advise the FBI, and we’ve offered our best ideas on a number of investigative options at their disposal.

We have great respect for the professionals at the FBI, and we believe their intentions are good. Up to this point, we have done everything that is both within our power and within the law to help them. But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone.

Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.

The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.

The Threat to Data Security

Some would argue that building a backdoor for just one iPhone is a simple, clean-cut solution. But it ignores both the basics of digital security and the significance of what the government is demanding in this case.

In today’s digital world, the “key” to an encrypted system is a piece of information that unlocks the data, and it is only as secure as the protections around it. Once the information is known, or a way to bypass the code is revealed, the encryption can be defeated by anyone with that knowledge.

The government suggests this tool could only be used once, on one phone. But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable.

The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers — including tens of millions of American citizens — from sophisticated hackers and cybercriminals. The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe.

We can find no precedent for an American company being forced to expose its customers to a greater risk of attack. For years, cryptologists and national security experts have been warning against weakening encryption. Doing so would hurt only the well-meaning and law-abiding citizens who rely on companies like Apple to protect their data. Criminals and bad actors will still encrypt, using tools that are readily available to them.

A Dangerous Precedent

Rather than asking for legislative action through Congress, the FBI is proposing an unprecedented use of the All Writs Act of 1789 to justify an expansion of its authority.

The government would have us remove security features and add new capabilities to the operating system, allowing a passcode to be input electronically. This would make it easier to unlock an iPhone by “brute force,” trying thousands or millions of combinations with the speed of a modern computer.

The implications of the government’s demands are chilling. If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data. The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.

Opposing this order is not something we take lightly. We feel we must speak up in the face of what we see as an overreach by the U.S. government.

We are challenging the FBI’s demands with the deepest respect for American democracy and a love of our country. We believe it would be in the best interest of everyone to step back and consider the implications.

While we believe the FBI’s intentions are good, it would be wrong for the government to force us to build a backdoor into our products. And ultimately, we fear that this demand would undermine the very freedoms and liberty our government is meant to protect.

Sizing cybercrime: incidents and accidents, hints and allegations

Cybercrime is big. But how big is it really? In a paper presented at VB2015 and together with the presentation video published on our website today, ESET researcher Stephen Cobb looks at previous studies that attempt the size of cybercrime and asks why we need such data and what can be done better.

Sizing cybercrime: incidents and accidents, hints and allegations

How big is cybercrime?

Various attempts have been made to measure the size of cybercrime around the world, or in individual countries, but how reliable are the methodologies used, and what do they actually measure?

In the paper “Sizing cybercrime: incidents and accidents, hints and allegations” presented at VB2015 in Prague, ESETresearcher Stephen Cobb looked at the available literature on the issue and tried among other things to answer these questions.

You can read Stephen’s paper here in HTML-format, or download it here as a PDF, and find the video on our YouTube channel, or embedded below.

cobbsizingcybercrime.png

[]

Posted by   Virus Bulletin on   Feb 11, 2016

https://www.virusbulletin.com/blog/2016/02/vb2015-paper-sizing-cybercrime-incidents-and-accidents-hints-and-allegations/

Security vendors should embrace those hunting bugs in their products

Security vendors should embrace those hunting bugs in their products

Security software is software too — and it will have flaws.

Last week, I was interviewed for the Risky Business podcast. I really enjoyed the experience, not just because I’ve long been a fan of the show, but also because we discussed a subject I really care about: the security of security products.

If you follow the security news, you will have noticed that several researchers (with Google‘s Tavis Ormandy most prominent among them) are currently hunting for vulnerabilities in anti-virus and other security products. After disclosing the vulnerabilities to the relevant vendors in a responsible manner, they write about their findings on Twitter and on various blogs.

The media loves these stories, and “Security product actually makes you less secure!” is a headline that’s hard to resist. Which is fair enough. After all, the last thing you want is for your security product to be used as a means for attackers to gain access to your system.

Still, we shouldn’t forget that security software is software: it’s written by humans who make mistakes, or who simply haven’t had the time (or the incentive) to check whether old code actually follows today’s secure coding practices.

And thus the only right response for security vendors is to embrace the work of Tavis and others. In my VB2015 opening address, I urged security vendors to seriously consider setting up bug bounty programs, if only to make it absolutely clear that they don’t pretend their software is without flaws. Several vendors have set up such programs; other may follow soon, or are at least making it easy to report bugs to them.

Of course, when speaking to affected vendors, one does realise that often the exploitability of vulnerabilities is overstated, that other mitigations may have already been in place, or at least that the flaw in question was patched within days. There have even been cases where a researcher has simply misunderstood the purpose of a specific function. That feels, and probably is, unfair, but it’s only the same as what other software vendors have had to deal with for years.

Of course, not working for a vendor makes it easier for me to write these things. But even those who do work for vendors, despite the occasional grumble, do really appreciate the work of Ormandy and others. As is so often the case in security, it’s by working together that we get the best results.

As for the Risky Business podcast, the weekly show is a great way to get a summary of the week’s security news and to listen to thought-provoking interviews with leading security experts. You won’t regret listening to it.

[]

[] Posted on 02 February 2016 by Martijn Grooten[]

https://www.virusbtn.com/blog/2016/02_01.xml

VB2015 paper: Effectively testing APT defences

VB2015 paper: Effectively testing APT defences

Simon Edwards discusses how to test the potentially untestable.

Like the term or loathe it, APTs have given rise to a new generation of security products that protect against these more targeted and sometimes more advanced threats. Often, such products come with bold claims about how they are able to fend off such threats in ways that traditional security products can’t.

At VB2015, Simon Edwards (Dennis Technology Labs) presented a paper, written together with Richard Ford (Florida Institute of Technology) and Gabor Szappanos (Sophos), on how to effectively test such technologies.

You can read the paper, “Effectively testing APT defences”, here in HTML-format, or download it here as a PDF, and find the video on our YouTube channel, or embedded below.

Are you interested in presenting your research at the upcoming Virus Bulletin conference (VB2016), in Denver 5-7 October 2016? The call for papers is now open.

[]Posted on 27 January[] 2016 by Martijn Grooten.

https://www.virusbtn.com/blog/2016/01_27.xml

Windows 10 Is Now a “Recommended Update” That’s Automatically Downloaded

Microsoft isn’t forcing Windows 7 and 8.1 users to upgrade to Windows 10, but they are pushing it on them pretty aggressively. Windows 10 is now automatically downloaded to all Windows 7 and 8.1 machines as a “recommended update” with the Windows Update tool—whether you want it or not.

Microsoft already made a similar push for Windows 10 last fall, but now they are pushing Windows 10 even harder. The change is meant to make the transition to Windows 10 easier for those who still haven’t upgraded, but the automatic download can be frustrating for some users. The download is at least a few gigabytes in size, so if you have a capped data connection, or have no interest in upgrading ever, the automatic download just ends up using data and taking space. Fortunately, we’ve covered the ways you can block the download and save yourself the trouble, or you can always disable automatic Windows updates entirely.

 

Source: LifeHacker

 

http://lifehacker.com/windows-10-is-now-a-recommended-update-thats-automati-1756691457