All the benefits end here, unfortunately.
The interface is cluttered and badly organised.
The whole configuration is bloated with all the wrong features.
There is a noticeable performance impact.
The number of users infected with stalkerware went up by almost 60% in 2019, from 40,386 in 2018, to 67,500 this year, Russian antivirus maker Kaspersky said today in its yearly mobile malware threats report.
The number went up in 2019 despite the fact that Google set off on a concerted effort to remove all stalkerware-like apps from the Play Store at the end of 2018.
This shows that despite stalkerware apps not being available on the official Android app store, many abusers are now going to great lengths to side-load (install) these apps from unofficial sources, such as manually downloading the app from its website and secretly installing it on a victim's handset.
Kaspersky's numbers, however, don't go back years, so we don't have a full picture of how this ecosystem evolved.
The antivirus vendor only began detecting and marking stalkerware apps in the spring of 2018, after pressure from Eva Galperin, the Electronic Frontier Foundation's director of cybersecurity.
Other vendors followed in Kaspersky's footsteps, and most are now members of the Coalition Against Stalkerware, a multi-industry group specialized in fighting the harmful effects of this kind of apps.
The term stalkerware (also known as spouseware) refers to a category of apps, many of which have legitimate use cases but are also often abused to spy on or stalk victims.
Unfortunately, the DNS API that allows DNS lookups is only available for Firefox, so Chrome users are out of luck and cannot take advantage of this feature. [....]
Uncloaked first-party trackers
Both Firefox and Chrome are affected.
A vulnerability is a flaw in a software program that can potentially allow a hacker, also known as an attacker, to gain access to the device running the vulnerable software, or other connected devices. This Security Bulletin describes a vulnerability in a McAfee program, and provides ways to fix the issue or minimize its impact.
A group of researchers at Ruhr-Universität Bochum and NYU Abu Dhabi have discovered a new attack on 4G and 5G mobile networks that can be used to impersonate users.
Called IMP4GT (IMPersonation attacks in 4G NeTworks), the attack demonstrates that the currently used mutual authentication method, where the smartphone and the network verify their identities, is not a reliable security feature in Long Term Evolution (LTE). The authentication is established on the control plane and does not feature integrity protection of the user plane.
By exploiting the missing integrity protection for user data, IMP4GT allows an attacker to impersonate a user towards the network and vice versa. Furthermore, a reflection mechanism in the mobile operating system's IP stack can be abused to build an encryption and decryption oracle, allowing the attacker to inject arbitrary packets and to decrypt captured packets, the researchers reveal.
In the IMP4GT attack, the researchers explain in a whitepaper (PDF), the impersonation can be conducted in either the uplink direction (the attacker poses as the user towards the network, using the victim's identity to access IP services) or the downlink direction (the attacker establishes a TCP/IP connection to the phone, bypassing the LTE network's firewalls).
“This attack has far-reaching consequences for providers and users. Providers can no longer assume that an IP connection originates from the user. Billing mechanisms can be triggered by an adversary, causing the exhaustion of data limits, and any access control or the providers’ firewall can be bypassed,” the researchers say.
Security researchers have discovered a new critical vulnerability in the OpenSMTPD email server. An attacker could exploit it remotely to run shell commands as root on the underlying operating system. OpenSMTPD is present on many Unix-based systems, including FreeBSD, NetBSD, macOS, Linux (Alpine, Arch, Debian, Fedora, CentOS).
Bug present since late 2015
Tracked as CVE-2020-8794, the remote code execution bug is present in OpenSMTPD's default installation. Proof-of-concept (PoC) exploit code has been created and will be released tomorrow, February 26.
The operators of the DoppelPaymer Ransomware have launched a site that they will use to shame victims who do not pay a ransom and to publish any files that were stolen before computers were encrypted.
A new extortion method started by the Maze Ransomware is to steal files before encrypting them and then use them as leverage to get victims to pay the ransom.
If a ransom is not paid, then the ransomware operators release the stolen files on a public 'news' site to expose the victim to government fines, lawsuits, and the risk of the attack being classified as a data breach.
Soon after starting this tactic, other ransomware families including Sodinokibi, Nemty, and DoppelPaymer have stated that they would begin this practice as well.
DoppelPaymer launches public leak site
Today, the operators of the DoppelPaymer Ransomware have followed in Maze's footsteps and launched a site called 'Dopple Leaks' that will be used to leak files and shame non-paying victims.
Closing Words
The conclusion
For Brave with its default settings we did not find any use of identifiers allowing tracking of IP address over time, and no sharing of the details of web pages visited with backend servers. Chrome, Firefox and Safari all share details of web pages visited with backend servers. For all three this happens via the search autocomplete feature, which sends web addresses to backend servers in realtime as they are typed. In addition, Firefox includes identifiers in its telemetry transmissions that can potentially be used to link these over time. Telemetry can be disabled, but again is silently enabled by default. Firefox also maintains an open websocket for push notifications that is linked to a unique identifier and so potentially can also be used for tracking and which cannot be easily disabled. Safari defaults to a poor choice of start page that leaks information to multiple third parties and allows them to set cookies without any user consent. Safari otherwise made no extraneous network connections and transmitted no persistent identifiers, but allied iCloud processes did make connections containing identifiers.
From a privacy perspective Microsoft Edge and Yandex are qualitatively different from the other browsers studied. Both send persistent identifiers that can be used to link requests (and the associated IP address/location) to back end servers. Edge also sends the hardware UUID of the device to Microsoft, and Yandex similarly transmits a hashed hardware identifier to back end servers. As far as we can tell this behaviour cannot be disabled by users. In addition to the search autocomplete functionality that shares details of web pages visited, both transmit web page information to servers that appear unrelated to search autocomplete.
Any cut-and-paste data temporarily stored to an iPhone or iPad’s memory can be accessed by all apps installed on the specific device – even malicious ones. That data can then reveal private information such as a user’s GPS coordinates, passwords, banking data or a spreadsheet copied into an email.
Shedding light onto the potential harm of this scenario is German software engineer, Tommy Mysk, who is trying to raise awareness around what he believes is an Apple vulnerability. To illustrate his concerns, Mysk created a rogue proof-of-concept (PoC) app called KlipboardSpy and an iOS widget named KlipSpyWidget.
Both are designed to illustrate how any app installed on an iOS device can act maliciously and access clipboard data and use it to spy or steal sensitive personal information. To highlight and demonstrate his concerns, Mysk told Threatpost he focused on photos taken by a device’s camera that contain time and GPS metadata that could be used to pinpoint a user.
“A user may unwittingly expose their precise location to apps by simply copying a photo taken by the built-in Camera app to the general pasteboard,” the developer wrote in a technical blog post outlining his research on Monday.
“Through the GPS coordinates contained in the embedded image properties, any app used by the user after copying such a photo to the pasteboard can read the location information stored in the image properties, and accurately infer a user’s precise location. This can happen completely transparently and without user consent,” he wrote.
Apple, in response to his research, said it didn't consider its implementation of cut-and-paste a vulnerability, but rather a basic function of most operating systems and the applications that run on them, Mysk told Threatpost. Apple did not return Threatpost's request for comment for this story.
Networking hardware vendor Zyxel today released an update to fix a critical flaw in many of its network attached storage (NAS) devices that can be used to remotely commandeer them. The patch comes 12 days after KrebsOnSecurity alerted the company that precise instructions for exploiting the vulnerability were being sold for $20,000 in the cybercrime underground.
Based in Taiwan, Zyxel Communications Corp. (a.k.a “ZyXEL”) is a maker of networking devices, including Wi-Fi routers, NAS products and hardware firewalls. The company has roughly 1,500 employees and boasts some 100 million devices deployed worldwide. While in many respects the class of vulnerability addressed in this story is depressingly common among Internet of Things (IoT) devices, the flaw is notable because it has attracted the interest of groups specializing in deploying ransomware at scale.
KrebsOnSecurity first learned about the flaw on Feb. 12 from Alex Holden, founder of Milwaukee-based security firm Hold Security. Holden had obtained a copy of the exploit code, which allows an attacker to remotely compromise more than a dozen types of Zyxel NAS products without any help from users.
The first UK safety tests of 5G base stations have found radiation levels are at "tiny fractions" of safe limits.
The rollout of ultra-fast 5G mobile connectivity has sparked some fears the new transmission masts could be dangerous to humans. But Ofcom, the UK regulator, found no identifiable risks in its first tests since 5G technology was deployed. The highest result they found for the 5G band was 0.039% of the recommended exposure limit.
Those limits are set by the International Commission on Non-Ionizing Radiation Protection (ICNIRP) - non-ionizing meaning the type that does not damage DNA and cells. "The emissions at each site were a tiny fraction of the maximum levels set out in international guidelines," an Ofcom spokesman said. The tests covered 16 locations in 10 cities across the UK where 5G-enabled mobile base stations had been set up, and measured the strength of the electromagnetic field (EMF).
Public Health England acknowledges adding 5G to the existing technologies used could cause "a small increase in overall exposure to radio waves". "However, the overall exposure is expected to remain low relative to guidelines and, as such, there should be no consequences for public health," it says in its official guidance.
The World Health Organization, meanwhile, classified radio frequency radiation as a "possible carcinogenic". That puts it in the same category as pickled vegetables or talcum powder but not as dangerous as alcohol or processed meat.
so why the hell is a security function as important as this not set to auto-start if the user enabled it in the first place....silly
Microsoft said:
Starting with Windows 10, the Application Identity service is now a protected process. Because of this, you can no longer manually set the service Startup type to Automatic by using the Services snap-in. Try either of these methods instead:
sc.exe config appidsvc start= auto
A new backdoor malware called Mozart is using the DNS protocol to communicate with remote attackers to evade detection by security software and intrusion detection systems.
Typically when a malware phones home to receive commands that should be executed, it will do so over the HTTP/S protocols for ease of use and communication.
Using HTTP/S communication to communicate, though, has its drawbacks as security software normally monitors this traffic for malicious activity. If detected, the security software will block the connection and the malware that performed the HTTP/S request.
In the new Mozart backdoor discovered by MalwareHunterTeam, the malware uses DNS to receive instructions from attackers and to evade detection. [.....]
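DNS-based command and control of the kind described above leaves a distinctive footprint in resolver logs: one client repeatedly asking for high-entropy, never-repeating subdomains under a single parent domain, often using record types such as TXT that normal browsing rarely generates. The following detection sketch is an added example written for this page, not code from the article or from any vendor; the log line format ("<timestamp> <client_ip> <qtype> <qname>") and the sample lines, including the parent domain `example-c2.test`, are constructed for the example. It scores each (client, registered domain) pair on TXT ratio, mean label entropy and subdomain uniqueness and reports pairs that trip at least two of the three heuristics.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log (not real traffic). Assumed format:
# "<timestamp> <client_ip> <qtype> <qname>", one query per line.
# 10.0.0.5 shows ordinary browsing; 10.0.0.9 shows tunnelling-style TXT lookups.
SAMPLE_LOG = """\
2020-02-26T10:00:01Z 10.0.0.5 A www.example.com
2020-02-26T10:00:02Z 10.0.0.5 A mail.example.com
2020-02-26T10:00:03Z 10.0.0.5 AAAA www.example.com
2020-02-26T10:00:04Z 10.0.0.5 A cdn.example.com
2020-02-26T10:00:05Z 10.0.0.5 A www.example.com
2020-02-26T10:00:06Z 10.0.0.5 MX example.com
2020-02-26T10:00:07Z 10.0.0.9 TXT 4a7f19c2e08b3d6f5e1a9c0d.example-c2.test
2020-02-26T10:00:08Z 10.0.0.9 TXT b93e0c1d7a6f284e5b0d9c1f.example-c2.test
2020-02-26T10:00:09Z 10.0.0.9 TXT 0f3a8e6b2c9d1e7f4a5b6c8d.example-c2.test
2020-02-26T10:00:10Z 10.0.0.9 TXT e7c2d1f0a9b84e3c6d5f0a1b.example-c2.test
2020-02-26T10:00:11Z 10.0.0.9 TXT 6d1b9f0e3a7c2d8f5e4b0a9c.example-c2.test
2020-02-26T10:00:12Z 10.0.0.9 TXT c8e4a0b6f2d91e3c7a5b0d4f.example-c2.test
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    return {"ts": ts, "client": client, "qtype": qtype.upper(),
            "qname": qname.lower().rstrip(".")}


def registered_domain(qname, depth=2):
    """Approximate the parent domain by keeping the last `depth` labels.
    (A real deployment would use the public suffix list instead.)"""
    labels = qname.split(".")
    return ".".join(labels[-depth:])


def subdomain_part(qname, depth=2):
    """Everything left of the registered domain; empty for a bare apex query."""
    labels = qname.split(".")
    return ".".join(labels[:-depth])


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score far above hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def analyse(log_text, min_queries=5, txt_ratio_threshold=0.5,
            entropy_threshold=3.0, unique_ratio_threshold=0.8):
    """Group queries by (client, parent domain) and flag groups that match
    at least two tunnelling heuristics. Returns a list of finding dicts."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            groups[(rec["client"], registered_domain(rec["qname"]))].append(rec)

    findings = []
    for (client, domain), recs in groups.items():
        n = len(recs)
        if n < min_queries:  # too little data to judge
            continue
        subs = [subdomain_part(r["qname"]) for r in recs]
        txt_ratio = sum(r["qtype"] == "TXT" for r in recs) / n
        mean_entropy = sum(shannon_entropy(s) for s in subs) / n
        unique_ratio = len(set(subs)) / n

        reasons = []
        if txt_ratio >= txt_ratio_threshold:
            reasons.append("high TXT ratio")
        if mean_entropy >= entropy_threshold:
            reasons.append("high-entropy subdomain labels")
        if unique_ratio >= unique_ratio_threshold:
            reasons.append("subdomains almost never repeat")
        if len(reasons) >= 2:
            findings.append({"client": client, "domain": domain, "queries": n,
                             "txt_ratio": txt_ratio, "mean_entropy": round(mean_entropy, 2),
                             "unique_ratio": unique_ratio, "reasons": reasons})
    return sorted(findings, key=lambda f: (-len(f["reasons"]), f["client"]))


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['client']} -> {f['domain']}: {f['queries']} queries, "
              f"TXT {f['txt_ratio']:.0%}, entropy {f['mean_entropy']}, "
              f"reasons: {', '.join(f['reasons'])}")
```

The thresholds are starting points to tune against a baseline of your own resolver traffic; CDNs and some anti-spam and telemetry services also produce long, high-entropy labels, so requiring two heuristics to agree keeps the false-positive rate tolerable while still catching a beaconing host that only ever emits TXT lookups.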
The ServiceNow Security Operations integration with Microsoft Graph Security API enables shared customers to automate incident management and response, leveraging the capabilities of the Now Platform's single data model to dramatically improve their ability to prioritize and respond to threats generated by all Microsoft Security Solutions and custom alerts from Azure Sentinel.
"RSA is excited to showcase the RSA SecurID and RSA NetWitness integrations with Microsoft Security products. Our integrations with Microsoft Defender ATP, Microsoft Graph Security API, Azure AD, and Microsoft Azure Sentinel, help us to better secure access to our mutual customer's applications, and detect threats and attacks. We're excited to formalize the long-standing relationship through RSA Ready and MISA to better defend our customers against a world of increasing threats."
—Anna Sarnek, Head of Strategic Business Development, Cloud and Identity for RSA
Microsoft is pleased to welcome NetMotion, a connectivity and security solutions company for the world's growing mobile workforce, into the security partner program. Using NetMotion's class-leading VPN, customers not only gain uncompromised connectivity and feature parity, they benefit from a VPN that is compatible with Windows, MacOS, Android and iOS devices. For IT teams, NetMotion delivers visibility and control over the entire connection from endpoint to endpoint, over any network, through integration with Microsoft Endpoint Manager (Microsoft Intune).
"ServiceNow is pleased to join the Microsoft Intelligent Security Alliance to accelerate security incident response for our shared customers. The ServiceNow Security Operations integration with Azure Sentinel, via the graph security API, enables shared customers to automate incident management and response, leveraging the capabilities of the Now Platform's single data model to dramatically improve their ability to prioritize and respond to threats."
—Lou Fiorello, Head of Security Products for ServiceNow
Expanded partner strategy for Microsoft Defender Advanced Threat Protection (ATP)
"NetMotion is designed from the ground up to protect and enhance the user experience of any mobile device. By delivering plug-and-play integration with Microsoft Endpoint Manager, the mobile workforce can maximize productivity and impact without any disruption to their workflow from day one. For organizations already using or considering Microsoft, the addition of NetMotion's VPN is an absolute no-brainer."
—Christopher Kenessey, CEO of NetMotion Software
"Extending Azure DDoS Protection capabilities to Microsoft Intelligent Security Association will help our shared customers to succeed by leveraging the global scale of Azure Networking to protect their workloads against DDoS attacks."
—Anupam Vij, Principal Product Manager, Azure Networking
Play Protect certified devices go through a rigorous security review and compatibility testing process, performed by Google, to ensure user data and app information are kept safe. They also come from the factory with our Google Play Protect software, which provides protection against the device being compromised.
This has been our long-standing approach to user security and privacy and is applied consistently across all device manufacturers.
Because of the government restrictions described above, new Huawei device models made available to the public after May 16, 2019 have not been able to go through this security process nor will they have Play Protect preloaded. As a result, they are considered “uncertified,” and will not be able to utilize Google’s apps and services.
In addition, sideloaded Google apps will not work reliably because we do not allow these services to run on uncertified devices where security may be compromised. Sideloading Google’s apps also carries a high risk of installing an app that has been altered or tampered with in ways that can compromise user security.
To check if your device is certified, open the Google Play Store app on your Android phone, tap “Menu” and look for “Settings.” You will see if your device is certified under “Play Protect certification.” You can learn more on android.com/certified.
Invite links for WhatsApp and Telegram groups that may not be intended for public access are available through simple lookups on popular web search engines.
Both companies took some steps to protect the privacy of their users, but more effort is necessary to make the links non-discoverable via public searches, since at present anyone can find them and join the group.
The issue was signaled on Friday by Jordan Wildon, multimedia journalist at Deutsche Welle, who warned that the lapse allowed the discovery of some unexpected groups, even groups for illegal activities.
Jane Wong, a mobile app reverse engineer, said that her Google search revealed around 470,000 results for WhatsApp invite links, allowing anyone to join the groups and access members' phone numbers.
In all fairness, the privacy of these links is the responsibility of the admins generating them. Sharing them on the surface web - the internet that is indexed by conventional search engines - is a sure way to have them indexed by public search services.
Google's public search liaison Danny Sullivan explained that this is normal behavior, the same as when "a site allows URLs to be publicly listed."
Using special search parameters, several users discovered that Telegram channels were in the same situation. It is unclear whether the admins made the invite links discoverable knowingly or in error. Regardless, some very unsavory results are not difficult to find.
Last week, some Samsung smartphone owners saw a strange “1/1” push notification on their phones. The notification came from an app called Find My Mobile, a proprietary tool that allows you to connect with your device should it get lost or stolen. Turns out, this notification was the result of a Samsung data breach.
This goes against what Samsung claimed shortly after news of the notification started making the rounds in the media. The company called the errant notification the result of “an internal test” and there would be “no effect on your device.” However, that doesn’t appear to be the case anymore.
According to a statement provided to The Register, the notification stemmed from a Samsung data breach that resulted in “a small number of users being able to access the details of another user.” Here’s the text provided by The Register:
All the popular browsers (Google Chrome, Mozilla Firefox, Microsoft Edge, Internet Explorer, Opera, Vivaldi, Waterfox, SeaMonkey, UC Browser) are on the list of targets along with more than 20 other solutions, which are robbed of cookies, history, and autofill information.
Hot cryptocurrency apps like Electrum, Ethereum, Exodus, Jaxx, and Monero, are of interest, searching for their wallet files in the default locations. However, Raccoon also can scan the system to grab wallet.dat files regardless of where they are stored.
From the email client software category, Raccoon looks for data from at least Thunderbird, Outlook, and Foxmail.
In a report today, CyberArk researchers say that this infostealer relies on the same procedure to steal each kind of data: locate and copy the file with the sensitive info, apply extraction and decryption routines, and place the info in a text file ready for exfiltration.
Additional capabilities in the malware include collecting system details (OS version and architecture, language, hardware info, enumerate installed apps).
Attackers can also customize Raccoon's configuration file to snap pictures of the infected systems' screens. Additionally, the malware can act as a dropper for other malicious files, essentially turning it into a stage-one attack tool.
This type of malware is not necessarily used for immediate gain; the stolen credentials are also useful for escalating privileges on the system or for moving laterally to other computers on the network.
"After fulfilling all his stealing capabilities, it gathers all the files that it wrote to temp folder into one zip file named Log.zip. Now all it has to do is send the zip file back to the C&C server and delete its trace" - CyberArk