InfoSec links August 19, 2014

Visit the Wrong Website, and the FBI Could End Up in Your Computer - Kevin Poulsen - Wired

The FBI’s use of malware is not new. The bureau calls the method an NIT, for “network investigative technique,” and the FBI has been using it since at least 2002 in cases ranging from computer hacking to bomb threats, child porn to extortion. Depending on the deployment, an NIT can be a bulky full-featured backdoor program that gives the government access to your files, location, web history and webcam for a month at a time, or a slim, fleeting wisp of code that sends the FBI your computer’s name and address, and then evaporates.

Scientists reconstruct speech through soundproof glass by watching a bag of potato chips - Jacob Kastrenakes - The Verge

While a bag of chips is one example of where this method can be put to work, MIT has found success with it elsewhere, including when watching plant leaves and the surface of a glass of water. While the vibrations that the camera is picking up aren't observable to the human eye, seemingly anything observable to a camera can work here. For the most part the researchers used a high-speed camera to pick up the vibrations, even using it to detect them on a potato chip bag filmed 15 feet away and through a pane of soundproof glass. Even without a high-speed camera though, researchers were able to use a common digital camera to pick up basic audio information.

Android Backdoor disguised as a Kaspersky mobile security app - Vigi Zhang - SecureList

Most email phishing attacks tend to target PC users, but this time the attackers have turned their attention to mobile platforms. We think it's a new trend in spreading viruses. Mobile security is related to user privacy. In most cases, a mobile device is more important than a PC for users. It contains user contacts, text messages, photos and call logs. And mobile security is generally considered to be a weak point. So, most people will believe these phishing emails and are likely to install the fake mobile security app.

This post first appeared on Exploring Information Security.

InfoSec links July 24, 2014

"Severe" password manager attacks steal digital keys and data en masse - Dan Goodin - ars technica

I’ve never liked the idea of putting my passwords in the cloud, and that’s essentially what you’re doing with these web-based password managers. The fact that research has determined them to be vulnerable does not sway me to put my passwords online.

Automobile Industry Accelerates Into Security - Kelly Jackson Higgins - Dark Reading

Automobile security is about to become a major thing. Unlike a hacked computer, a hacked car could mean life or death for someone. I’ve read several articles recently that give encouraging signs that some automobile makers are taking car security seriously.

Security Firm Manages To Access Deleted Data On Used Android Devices - Red Orbit

iPhone users carry on. According to this article, old Android phones do not actually wipe the storage when a reset to factory defaults is initiated. Apparently, all the reset does is delete or erase the index file, so the phone itself can’t find the old data; the data blocks stay where they were, and forensic tools are very capable of finding them. Great if you realize you need something back; not so great if you wanted it gone before handing the phone on. The workaround is to enable encryption on the device, then do a factory reset. With the storage encrypted, the encryption key is lost along with the index, so whatever a recovery tool carves out of the raw storage is unreadable ciphertext.
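As an added illustration of that index-versus-data distinction (not code from the article, and a toy model rather than Android’s real filesystem or disk cipher): a flash store modelled as a byte array with an index on top, a “factory reset” that clears only the index, and a carver that ignores the index and scans the raw cells. The stream cipher, the demo key, the sample contact record and all the names here are constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample of the kind of data the article says survives a reset.
SAMPLE_CONTACTS = b"contact: Alice <alice@example.com> 555-0100\n"
# Fixed key so the demo is repeatable; a real device generates one and wraps it with the PIN.
DEMO_KEY = hashlib.sha256(b"constructed demo key").digest()


def toy_stream_cipher(key, nonce, data):
    """XOR with an HMAC-SHA256 counter keystream. Stand-in for the real disk cipher
    (dm-crypt/AES on Android); fine for a demo, not for protecting anything."""
    out = bytearray()
    for blk in range(0, len(data), 32):
        ks = hmac.new(key, nonce.to_bytes(8, "big") + blk.to_bytes(8, "big"),
                      hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[blk:blk + 32], ks))
    return bytes(out)


class FlashModel:
    """Toy flash: a raw byte array plus an index of name -> (offset, length).
    With key=None it behaves like the unencrypted phones in the article."""

    def __init__(self, size=4096, key=None):
        self.raw = bytearray(b"\xff" * size)   # erased flash reads as 0xFF
        self.index = {}
        self.key = key
        self.free = 0                          # next unused offset

    def write(self, name, data):
        # The nonce is the write offset, so reads can rebuild the same keystream.
        blob = data if self.key is None else toy_stream_cipher(self.key, self.free, data)
        self.raw[self.free:self.free + len(blob)] = blob
        self.index[name] = (self.free, len(blob))
        self.free += len(blob)

    def read(self, name):
        """What the phone itself can see: only what the index points to."""
        entry = self.index.get(name)
        if entry is None:
            return None
        off, ln = entry
        blob = bytes(self.raw[off:off + ln])
        return blob if self.key is None else toy_stream_cipher(self.key, off, blob)

    def factory_reset(self):
        """The old behaviour: drop the index (and the key blob), leave the cells alone."""
        self.index.clear()
        self.key = None


def carve(raw, needle):
    """What a forensic tool does: ignore the index and scan the raw cells."""
    return bytes(raw).find(needle) != -1


def data_survives_reset(encrypted):
    """Write contacts, reset, then ask whether carving still recovers the plaintext."""
    flash = FlashModel(key=DEMO_KEY if encrypted else None)
    flash.write("contacts.db", SAMPLE_CONTACTS)
    assert flash.read("contacts.db") == SAMPLE_CONTACTS   # works either way before reset
    flash.factory_reset()
    assert flash.read("contacts.db") is None              # the phone can't find it...
    return carve(flash.raw, b"Alice")                     # ...but can a carver?


if __name__ == "__main__":
    print("unencrypted phone, carver finds contact after reset:", data_survives_reset(False))
    print("encrypted phone,   carver finds contact after reset:", data_survives_reset(True))
```

Run it unencrypted and the carver finds “Alice” after the reset; run it with a key and the reset discards the key along with the index, so the carver sees only ciphertext. That is the shape of the workaround in the article: encrypt first, then reset.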


How to capture traffic from a mobile app

When I switched to the iPhone 5s several weeks ago, I knew I wanted to keep my old Android phone to play around with for infosec purposes. A couple of weeks ago I finally got an opportunity to do exactly that. We had an app and needed to find out where the information entered into it was being sent. The original idea was simple: set up a wireless network for just the device to connect to and capture the traffic with Wireshark. I had another idea though: run some sort of PCAP capture app on the device itself to collect the outgoing traffic.

The Method

  1. Download WiFinspect from Google Play

  2. Root the phone

  3. Run the capture

  4. Retrieve the capture from the phone

Download WiFinspect from Google Play

There are several apps out there that do PCAP capture as well as other “security” type functions. I decided on WiFinspect because the app is part of a dissertation at the University of Birmingham. The app requires root access to run the PCAP capture and a few other functions, so you have to root the Android device first, which is roughly the Android equivalent of jailbreaking an iPhone. Do it on a spare device like the old phone here: rooting weakens the platform’s own security model, so it is not something to do on the phone you carry every day.

Root the phone

I’m not going to go through the whole process step by step because I found a video that does a great job of that. These are the instructions for an HTC 3D Evo; if you have another phone, a simple Google search should get you your own instructions.

Run the capture

Open WiFinspect. Next click ‘Network Sniffer’ then ‘Start Sniffing.’ At this point you can close WiFinspect, open the app you’re testing and start poking around in it. Keep in mind that the sniffer sees what leaves the phone: for anything sent over TLS you get the destination host and port but not the contents, which still answers the question of where the data goes; reading the contents would take an intercepting proxy instead.

Once you’re done go back to the WiFinspect and select ‘Stop Sniffing.’


Retrieve the capture

I was using my old HTC 3D Evo, so all I had to do was plug the device into my computer and select the option to use it as a disk drive. I then opened Windows Explorer and navigated to the Removable Disk drive that appeared under Computer. In there the WiFinspect app had created a folder ‘Wi-Fi Probe’ and in there was the PCAP I needed to analyze. Just drag and drop that PCAP onto the computer you’ll be running Wireshark on. (If your phone doesn’t offer disk-drive mode, an adb pull of that folder does the same job.)
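Once the PCAP is on the computer, Wireshark is the tool, but a first pass is worth scripting. The following is an added example (not WiFinspect’s code or anything from the original post): a stdlib-only Python script that walks the capture, tallies every destination IP and port the phone talked to, and pulls out any cleartext HTTP request lines and Host headers, which is exactly the “where is it sending my input” question. The sample capture it builds for itself is constructed (hosts, ports and the POST body are made up); run it with a file argument to point it at your own export. Link types other than Ethernet and Linux cooked capture are skipped.

```python
import struct
from collections import Counter

# pcap magic -> struct byte-order prefix (microsecond and nanosecond variants, both endians)
MAGICS = {b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<",
          b"\xa1\xb2\x3c\x4d": ">", b"\x4d\x3c\xb2\xa1": "<"}
LINKTYPE_ETHERNET = 1     # what a capture on the Wi-Fi interface normally reports
LINKTYPE_LINUX_SLL = 113  # Linux "cooked" header, seen with tcpdump -i any


def iter_pcap_packets(data):
    """Yield (linktype, frame_bytes) for every record in a classic .pcap blob."""
    end = MAGICS.get(data[:4])
    if end is None:
        raise ValueError("not a classic pcap file (bad magic)")
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len


def strip_link_layer(linktype, frame):
    """Return the IPv4 packet inside an Ethernet or Linux SLL frame, else None."""
    hdr = {LINKTYPE_ETHERNET: 14, LINKTYPE_LINUX_SLL: 16}.get(linktype)
    if hdr is None or len(frame) < hdr or frame[hdr - 2:hdr] != b"\x08\x00":
        return None
    return frame[hdr:]


def summarize(pcap_bytes):
    """Count (dst_ip, dst_port, proto) endpoints and list cleartext HTTP requests."""
    endpoints, http = Counter(), []
    for linktype, frame in iter_pcap_packets(pcap_bytes):
        ip = strip_link_layer(linktype, frame)
        if ip is None or len(ip) < 20 or ip[0] >> 4 != 4:
            continue
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        dst = ".".join(str(b) for b in ip[16:20])
        seg = ip[ihl:]
        if proto == 6 and len(seg) >= 20:                       # TCP
            dport = struct.unpack("!H", seg[2:4])[0]
            endpoints[(dst, dport, "tcp")] += 1
            payload = seg[(seg[12] >> 4) * 4:]
            if payload[:4] in (b"GET ", b"POST", b"PUT ", b"HEAD"):
                # Only cleartext HTTP is readable here; TLS gives us the endpoint only.
                head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
                host = next((h.split(":", 1)[1].strip() for h in head[1:]
                             if h.lower().startswith("host:")), "")
                http.append((dst, dport, host, head[0]))
        elif proto == 17 and len(seg) >= 8:                     # UDP (DNS etc.)
            dport = struct.unpack("!H", seg[2:4])[0]
            endpoints[(dst, dport, "udp")] += 1
    return endpoints, http


def _frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame for the sample below (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip


def build_sample_pcap():
    """Constructed sample capture (not a real one): one cleartext POST, two TLS records."""
    frames = [
        _frame("192.168.1.10", "203.0.113.5", 40001, 80,
               b"POST /api/submit HTTP/1.1\r\nHost: example.com\r\n"
               b"Content-Length: 15\r\n\r\nname=x&phone=12"),
        _frame("192.168.1.10", "198.51.100.9", 40002, 443, b"\x16\x03\x01\x00\x05" + b"\x00" * 5),
        _frame("192.168.1.10", "198.51.100.9", 40002, 443, b"\x17\x03\x03\x00\x05hello"),
    ]
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1408000000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    endpoints, http = summarize(blob)
    for (dst, port, proto), n in endpoints.most_common():
        print(f"{proto} {dst}:{port}  {n} packet(s)")
    for dst, port, host, line in http:
        print(f"cleartext to {host or dst}:{port}: {line}")
```

On the constructed sample this reports one cleartext POST to example.com on port 80 and two packets to port 443 on another host with nothing readable, which is the usual split you see: the endpoints tell you where the app talks, and only the unencrypted requests tell you what it said.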


World Cup scams out in full force

It’s that time again when the greatest soccer teams in the world collide to determine a champion. The 2014 World Cup is this summer and with it comes 90 minutes of intense soccer action, patriotism, flopping, hacktivism, scams and spam. The World Cup is big news, and because of it scammers, spammers and criminals will take advantage of the event to get you to click on malicious links or sign up for services you don’t want. They do this by offering free tickets, prizes and various other freebies. Be wary of clicking on links both at work and at home on your computing devices. Nothing is ever free, especially on the internet, and if you decide to explore one of these malicious links or scams you’re likely to end up with something other than free access to one of the greatest sporting events in the world.

For more on the subject I would highly recommend eSecurity Planet’s article How to Avoid FIFA World Cup Cyber Threats by Jeff Goldman. The article is good advice not only for handling scams during the World Cup but for any other big event scammers and criminals are likely to take advantage of.

Also, for Android users, be wary of World Cup apps. Several have been found to contain malware that steals data, pushes ads or runs up premium service charges. For more on that check out the Security Affairs blog and its Fake Versions of World Cup 2014 Apps targeting Android users post.
