Thousands Of Facebook Accounts Have Been Compromised Because Of A Malware Masquerading As Stress Relieving Paint

Tens of thousands of Facebook accounts have become targets of a malware concealed in the form of a paint program for relieving stress. Researchers from the security firm, Radware, showed some very interesting things about how this program operates. The ‘Relieve Stress Paint’ is available via a domain that uses a Unicode representation and shows up  in search engines and emails.

Harmless Paint Program Not So Harmless

The researchers suspect that the program is probably being promoted via spam emails. When it gets installed, the malware appears to be a harmless paint program that changes colors, line sizes etc. However, what’s happening behind the scenes is actually of consequence. It copies data from Chrome which includes cookies and saved Facebook passwords.

lebanonRelated Researchers Discover Spyware Campaigns Operating From A Government Building In Lebanon

Malware

Every time a target restarts their computer or opens the program, the ‘Stresspaint’ as dubbed by Radware, copies the Facebook credentials. This stolen data is then sent to a command-and-control server. The researchers managed to access this command server and found that over 40,000 computers had been compromised because of this malware. As a results thousands of Facebook accounts became targets. Any payment details tied to the account, contact details of friends, pages managed by the account etc. were also compromised.

Malware Threat To Users All Around The World

The command interface also had a section where the victims’ Amazon account credentials were seen. The section was,however,empty and the researchers believe that the code for this section was probably not enabled. Another variant of this malware was also indicated in the control panel. Now you must be wondering why any antivirus did not detect such a malware. The answer is simple. The malware was designed to be undetectable. The copying process took less than a minute so antiviruseses did not detect it. The malware was basically just copying cookies and passwords by querying the copies of original cookies and LoginData files. Very simple, but very lethal.

download-play-store-3Related Several Flashlight Apps in Play Store Found to Harbour Malware

Malware

It is not known what the attackers did with these details. It is speculated that it must have been sold on criminal forums, used for identity theft or for making payments on e-commerce sites. If anyone has been infected by this malware, then they should immediately change their passwords and check the security and login section for any unrecognized computers or login activity. Multifactor authentication is always a good idea but it isn’t clear whether this could have stopped the attackers or not. Since cookies were also stolen, there is a possibility that the cookies allowed the attackers to break this protection too.

Facebook officials wrote in a statement: “We are investigating these malware findings and we are taking steps to help protect and notify those who are impacted.”

Submit

Anker EverCam is a Truly Wireless Security Camera System Done Right with a Year of Battery Life

Anker’s Eufy arm has announced a new security system called the EverCam with a ton of exciting features for home security enthusiast. Best of all: it’s truly wireless.

The EverCam is a Complete Security System that is Truly Wireless and Easy to Set up and Use

At this point in time there are a ton of security camera systems available that claim to do one thing or the other. While that’s good and all, but EverCam makes everything a whole lot simpler by giving up on cables and pesky mounts altogether if you are looking to cover the indoor or outdoor environment.

anker-deals-spectrum-soundcore-miniRelated Anker Deals: Heavy Discounts on Roav and Bluetooth Speakers with Deals Starting at Just $14.89

See, the EverCam was made with one thing in mind: to be truly wireless. Anker’s Eufy has achieved that in a remarkable way by allowing the camera to stick to any metallic surface using magnets. But of course, if you wish to keep things even more robust you can go for a mount that keeps the camera in place using a single screw. That’s not the coolest thing though: the camera has a built-in 13,400mAh battery that can keep on recording video for a full year before requiring a charge. That footage is recorded in 1080p with a wide, 140-degrees field of view.

The camera connects to a hub which in turn connects to your WiFi network in order to keep track of the footage. That footage is recorded on a 16GB microSD card that is absolutely encrypted using AES 128-bit. Though 16GB does not sound like much but Eufy claims that is enough for a year’s worth of footage and once the storage runs out it will start overwriting the older footage. But of course, if you don’t want to overwrite anything at all then you can just pay $2.99 for cloud storage services to keep everything in tact.

Since this is a ‘smart’ security system therefore you have the option to view a live feed of what’s happening straight from the mobile app. Thanks to AI features, the camera does not constantly record everything in order to save storage. The camera is smart enough to start recognizing faces and will send you a notification if a heat source is detected thanks to the built-in infrared sensor. And yes, you can set the camera to kick into action whenever motion is detected. Also, the camera is fully weatherproof with an IP66 rating, which means you can keep it outdoors without worrying about anything.

The Eufy EverCam is currently a Kickstarter project and will hopefully see the light of day soon. A single camera will set you back $299 whereas a pair will cost you $499. It’s a little pricey, but the promises here are very, very high. You can head over to this link for more details.

Submit

Several Android Manufacturers Have Been Caught Lying About Security Patches According to Researchers

One of the many reasons for Android to be deemed as insecure is because of an irregular update cycle. The update system on the platform has continued to be a mess despite Google’s best efforts to improve security and make updates more accessible to everyone. In the end, it falls upon the individual manufacturer, which can often be challenging for many companies. A new report sheds light on findings that are far worse than we thought. Several manufacturers only pretended to stay on par with updates without actually putting any work into it.

A report from Security Research Lab, who have spent two years keeping tabs on Android security updates presented their findings, and it’s pretty discomforting. Google has been putting together monthly security patches for the Android operating system, to patch any vulnerabilities they find in the operating system. And, the company has made it easy for users to keep tabs on which security patch they’re on.

marcher-malware-android-securityRelated 42 Android Phones That Bring Banking Trojan Out of the Box

Very often, just the date was moved forward

The researchers took the time to check and ensure that the patches applied to a device actually lined up with those dates and several Android OEMs failed big time in that regard. Across several instances, a “patch gap” was found, with devices showing a specific date for security updates, but missing “as many as a dozen” of the patches from that update. The researchers tested 1,200 devices from a dozen manufacturers to gather these results over 2017. The results were shocking, with devices from industry giants such as Google, Samsung, Motorola, HTC and ZTE up on the list.

As expected flagships didn’t struggle much here, but the same can’t be said about everyone else. Google’s own Pixel 2 and Pixel 2 XL devices were found to be safe, but top-tier flagships from just about everyone else was missing patches from time to time.

android-ios-shareRelated iOS Continues to Top Security Charts – Android World Sees Only Two Brands That Managed Somewhat Decent Scores

The problem here lies in more than just neglecting updates. It stems from the practice employed by some OEMs, who don’t update devices for a bit and then update their devices later on. Technically, there’s nothing wrong with that but what’s really happening is that in some cases, OEMs are changing the security update date on the device without actually installing the associated patches, effectively lying to customers.

Devices running MediaTek chips were affected the most

A few vendors didn’t install the patches at all, and just moved the date forward, which can only be described as “deliberate deception,” but thankfully found that it wasn’t widespread. In most cases, the missing patches were accidentally missing from updates. It doesn’t excuse the behaviour but is somewhat understandable as there are a lot of patches in each update. Another possible cause could be the chipset of a device, with MediaTek powered devices missing an average of 9.7 patches, while Qualcomm was at just 1.1.

Android Security Patches

It is still a huge problem, as it makes it nearly impossible for users to tell the level of security on a device. The firm is releasing an update to its Android app, Snoopsnitch, which checks to ensure your device has as many patches as it is supposed to. Google cites that one possible cause for the findings could have been due to testing with uncertified devices, which are held to a lower security standard. Further, the missing patches could be due to a specific phone not offering an affected feature. It could also be due to an OEM removing the affected feature rather than patching it.

These missing patches may not be the end of the world for Android security, as “hacking” Android is far more complicated than just exploiting missing security patches. It is upon manufactures to ensure that the vulnerabilities, if any, are patched in a timely and complete fashion.

Source: Wired

Submit

Apple Announces Privacy Tools Well Ahead Of EU’s Adoption Of The GDPR In May; Will Allow Users A Consolidated Set Of Data Access Features

Facebook’s irresponsibility over letting Cambridge Analytica blatantly collect and manipulate user information brings into light a lot of long-ignored questions. Prior to this breach, general conversational concern around the social networking giant’s data collection was often dubbed as conspiracy mongering. However, in the aftermath, things now look to change. At the forefront is the European Union.

Its General Data Protection Regulation (GDPR) Act is all set to replace the 1995 Data Protection Directive. The GDPR is built to address today’s data security concerns, as technology is far more pervasive than it was in the 90s. To that end, Apple’s also unveiled new privacy tools before the regulation comes into effect two months from now, on the 25th of May. Take a look below for the details.

Apple Outlines Latest Privacy Tools Ahead Of GDPR Adoption Across The European Union; Will Now Grant Users The ‘Right To Data Portability’ As Defined Under The GDPR

Before we get into the details, it’s important to understand that the tools Apple is providing are already available to its users – except for account deactivation. The latest move aims to consolidate them under one category and improve users’ ability to monitor and access data collection by Apple for the purposes of storage and methodology.

Apple will introduce the tools on the Apple ID login page, allowing users to deactivate/delete accounts, request a copy of all their data held by Apple or ask Cupertino to make corrections. Right now, it’s possible to carry out all of these save deactivation via filling out online forms or calling AppleCare.

This consolidation will cater to the GDPR’s more stringent data regulations. The act deals more severely with any violations. Depending on the violation, companies can be fined either €10 or €20 million if it’s greater than either 2% or 4% of their revenues. It also gives regulating bodies the authority to conduct periodic data audits or issue written warnings for the first cases of noncompliance.

These measures from Apple follow CEO Tim Cook’s latest take on Facebook’s Cambridge Analytica scandal. According to Mr. Cook, while it will benefit Apple to monetize user data, the company is taking the moral high ground. While this sounds noble, we don’t expect the monetization restraint to continue in the future. After all, Apple itself is eager to replace revenue lost from decreasing iPhone sales. Thoughts? Let us know what you think in the comments section below and stay tuned. We’ll keep you updated on the latest.

Submit

Apple Fixes a Bunch of Security Flaws with iOS 11.3 Inc/ a Bug That Allows Apps to Log Keystrokes

Apple has today released iOS 11.3 to iPhone, iPad and iPod touch. Among other features, today’s update brings battery controls for users. But features aside, the company has also fixed several security issues, including a bug that enabled malicious apps to gain elevated privileges.

The company has addressed another critical security issue with iOS 11.3 where an attacker with physical access to the device can disable Find My iPhone without having to enter iCloud password. Other notable bugs that have been addressed include:

Clock

Impact: A person with physical access to an iOS device may be able to see the email address used for iTunes

Description: An information disclosure issue existed in the handling of alarms and timers. This issue was addressed through improved access restrictions.

CoreFoundation

Impact: An application may be able to gain elevated privileges

Description: A race condition was addressed with additional validation.

CoreText

Impact: Processing a maliciously crafted string may lead to a denial of service

Description: A denial of service issue was addressed through improved memory handling.

File System Events

Impact: An application may be able to gain elevated privileges

Description: A race condition was addressed with additional validation.

Files Widget

Impact: File Widget may display contents on a locked device

Description: The File Widget was displaying cached data when in the locked state. This issue was addressed with improved state management.

Find My iPhone

Impact: A person with physical access to the device may be able to disable Find My iPhone without entering an iCloud password

Description: A state management issue existed when restoring from a back up. This issue was addressed through improved state checking during restore.

iCloud Drive

Impact: An application may be able to gain elevated privileges

Description: A race condition was addressed with additional validation.

Kernel

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: Multiple memory corruption issues were addressed with improved memory handling.

Kernel

Impact: An application may be able to read restricted memory

Description: A validation issue was addressed with improved input sanitization.

Kernel

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

Mail

Impact: An attacker in a privileged network position may be able to intercept the contents of S/MIME-encrypted e-mail

Description: An inconsistent user interface issue was addressed with improved state management.

NSURLSession

Impact: An application may be able to gain elevated privileges

Description: A race condition was addressed with additional validation.

PluginKit

Impact: An application may be able to gain elevated privileges

Description: A race condition was addressed with additional validation.

Quick Look

Impact: An application may be able to gain elevated privileges

Description: A race condition was addressed with additional validation.

Safari

Impact: Visiting a malicious website by clicking a link may lead to user interface spoofing

Description: An inconsistent user interface issue was addressed with improved state management.

Safari Login AutoFill

Impact: A malicious website may be able to exfiltrate autofilled data in Safari without explicit user interaction.

Description: Safari autofill did not require explicit user interaction before taking place. The issue was addressed through improved autofill heuristics.

SafariViewController

Impact: Visiting a malicious website may lead to user interface spoofing

Description: A state management issue was addressed by disabling text input until the destination page loads.

Security

Impact: A malicious application may be able to elevate privileges

Description: A buffer overflow was addressed with improved size validation.

Storage

Impact: An application may be able to gain elevated privileges

Description: A race condition was addressed with additional validation.

System Preferences

Impact: A configuration profile may incorrectly remain in effect after removal

Description: An issue existed in CFPreferences. This issue was addressed through improved preferences cleanup.

Telephony

Impact: A remote attacker can cause a device to unexpectedly restart

Description: A null pointer dereference issue existed when handling Class 0 SMS messages. This issue was addressed through improved message validation.

Web App

Impact: Cookies may unexpectedly persist in web app

Description: A cookie management issue was addressed through improved state management.

WebKit

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed with improved memory handling.

WebKit

Impact: Unexpected interaction with indexing types causing an ASSERT failure

Description: An array indexing issue existed in the handling of a function in javascript core. This issue was addressed through improved checks

WebKit

Impact: Processing maliciously crafted web content may lead to a denial of service

Description: A memory corruption issue was addressed through improved input validation

WebKit

Impact: A malicious website may exfiltrate data cross-origin

Description: A cross-origin issue existed with the fetch API. This was addressed through improved input validation.

WindowServer

Impact: An unprivileged application may be able to log keystrokes entered into other applications even when secure input mode is enabled

Description: By scanning key states, an unprivileged application could log keystrokes entered into other applications even when secure input mode was enabled. This issue was addressed by improved state management.

macOS High Sierra Reveals Encryption Passwords in Plaintext – Recent Version Also Affected

Apple’s latest macOS High Sierra is once again in the news for another APFS bug. The operating system has seen a number of security problems since its release and it appears the episode isn’t going to end anytime soon. From giving root access to attackers to exposing passwords in cleartext using the password hint feature, the OS continues to be affected some major security bugs.

In a latest report, Sarah Edwards, a forensics expert, has revealed that macOS High Sierra is logging encryption passwords for APFS-formatted external drives in plaintext. This information is stored in on-disk, non-volatile log files. While this bug may not be as simple as the root access issue, it does reveal passwords in plaintext with a simple Terminal command.

“It may not be noticeable at first (apart from the highlighting I’ve added of course), but the text “frogger13” is the password I used on a newly created APFS formatted FileVault Encrypted USB drive with the volume name ‘SEKRET’,” Edwards wrote explaining the screenshot shared below. “The newfs_apfs command can take a passphrase as a parameter using the mostly undocumented ‘-S’ flag. However when run without parameters, it will show it.”

Latest High Sierra version also appears to be affected by this Mac security bug

Whenever a user creates a new APFS volume with an encryption password, the Disk Utility.app will log the password in the unified OS log. The bug works on even the latest version of macOS High Sierra and affects versions between 10.13 to the recent 10.13.3. However, it needs to exploited in different ways on different versions. “This is still vulnerable on current versions of macOS 10.13.3 when encrypted an ALREADY EXISTING unencrypted APFS volume (versus, creating a NEW volume),” she wrote.

If exploited, it could allow an attacker to get access to the encryption password of encrypted APFS external volumes, including hard drives and USB drives.

It should be noted that this latest Mac security bug affects only those who own external storage devices and use APFS formatting. While that ensures that not everyone is affected, it does add into the list of several bugs reported in the OS so far. Here’s a video showing how the bug works on two different versions. For more technical details, head over to the original post.

Submit

iOS Camera Features A QR Code Parser Bug

iOS has come a long way. From an old-school interface to postmodern, it featured numerous layout as well as internal changes. However, the platform has not always been free from bugs and issues. In addition to this, Apple usually starts working on fixing these bugs as soon as they are discovered. With the launch of iOS 11, there was a boatload of bugs crawling in the operating system, probably more than any other iOS release to date. However, while the company is making the platform more stable as we speak, new bugs are being found on the other end. Now, the iOS camera app features a QR code URL parser bug. So let’s dive in to see some more details on the matter.

iOS Camera Contains A QR Code Parser Bug

iOS 11 camera app has the ability to not only automatically scan QR codes but interpret them as well. Previously, you needed third-party apps to perform the same purpose, so it’s good that the functionality has arrived in the stock firmware. The bug involves scanning a QR code that contains a URL. Once you scan the QR code, you will receive a notification carrying the hostname where Safari will redirect you to.

When the hostname is added that compliments the URL, there doesn’t seem to be an issue. However, a QR code can be constructed that contains a specific hostname in the notifications but opening another link in Safari. Check it out below:

As can be seen, Safari will access the “infosec.rm-it.de” URL with facebook.com set as the hostname. However, it redirects Safari to open another link. It can be said that the URL parser of the camera app does not detect the hostname in the link like Safari which leads to a different hostname being displayed in notifications. The issue was reported to Apple at the end of December of last year and it has still not been fixed. We will let you guys know if there is an update to the story.

This is all for now, folks. What are your thoughts on the iOS camera QR code URL parser bug? Let us know in the comments.

Source: Infosec

Submit

Apple Acknowledges Siri Bug That Lets Virtual Assistant Read Out Hidden Notifications, Fix Coming Soon

Previously, we reported a bug in iOS 11 that allowed Siri to read messages out loud without unlocking the phone. The operation was possible even though you have set your notifications hidden on the lock screen. This would allow anyone to read your messages, whereby breaching the security code which has always been the main concern to Apple. Now, Apple has acknowledged the existing and persisting privacy-related issue on iPhone and iPad and is working on a fix which will be released soon. So let’s dive in to see some more details on the matter.

Apple Acknowledges Siri Bug That Reads Your Messages Out Loud

As we have mentioned earlier, Apple has acknowledged the issue and is working on a fix which will be released in the form of an iOS update. The company said in a statement that “We are aware of the issue and it will be addressed in an upcoming software update.” While iOS 11.3 is said to arrive sometime in the coming weeks, the company will probably fix the issue sooner in a minor supplementary update.

This is not the first time that iOS has given room to potential bugs that might allow unauthorized people to gain control or breach your private data. However, we have also experienced that Apple fixes its bugs and loopholes pretty quickly, patching whatever vulnerability or exploit which is present in the operating system.

iOS security flaw on iPhone

The issue was reported yesterday by a Brazilian outlet Mac Magazine in which it detailed that hidden notifications on an iPhone or iPad can be unveiled using nothing but your voice command. The procedure is not even hard to perform and does not require the assistance of someone who is a bit more tech-savvy than the rest of us.

All it takes is the initiation of Siri and a command that reads: “Hey Siri, read my notifications”. Whether your notifications are from Skype, Facebook Messenger or even WhatsApp, your messages would be read out loud. Probably, the issue seems to affect messaging notifications. The temporary solution revolves around disabling your notifications on the lock screen, so anyone with unauthorized access to your iOS device can access it.

There will be more to the story, so be sure to stay tuned in for more details. As for now, share your views regarding the Siri bug in the comments section below.

Source: MacRumors

Submit

Windows 10 Receives Another Batch of Cumulative Updates Ahead of Patch Tuesday

Microsoft is rolling out new cumulative updates to the Windows 10 Fall Creators Update, Creators Update, and the Anniversary Update today. As mentioned in our earlier coverage, we haven’t been receiving cumulative updates on Patch Tuesday since the Meltdown and Spectre bug vulnerabilities were first disclosed.

It isn’t clear why the Redmond tech giant continues to push updates out of the schedule it used to follow and when we will be back to the stable times when there was only one day fixed in a month to deal with new updates. But, until that happens, make sure to install these latest updates on your Windows 10 machines as they bring fixes to a number of bugs.

What’s fixed in Windows 10 Fall Creators Update build 16299.334 (KB4089848)

  • Addresses issue with a GDI handle leak in the Windows Ribbon control.
  • Addresses issue where users can’t select OK after entering credentials in command line on Windows Server version 1709.
  • Addresses issues where Bluetooth devices fail to receive data after a restart.
  • Addresses issue where, during BitLocker decryption or encryption of a drive, files protected with the Encrypting File System (EFS) may become corrupted.
  • Addresses issue where the server may occasionally encounter an error during file transfer. The error is “Stop D1 in tcpip!TcpSegmentTcbSend”.
  • Addresses issue where an iSCSI RESET might trigger a cluster failover.
  • Addresses issue in MPIO where pass-through SCSI requests might lead to a stop error if the disk is pending removal.
  • Addresses issue where processing of group policies may fail, and policies may be removed as a result. This occurs if the length of the Windows Defender Firewall policy rule exceeds 260 characters.
  • Addresses issue caused by a new privilege in Windows Server 2016 and Windows 10 version 1709 named “Obtain an impersonation token for another user in the same session”. When applied using Group Policy to those computers, gpresult /h fails to generate reporting data for any setting configured by the Security Configuration Engine (SCE) extension. The error message is “Requested value ‘SeDelegateSessionUserImpersonatePrivilege’ was not found”. The Group Policy Management Console fails to show the privilege in the Settings tab for a GPO where the setting has been configured.
  • Addresses issue where errors may occur when accessing WebDAV files or folders on a SharePoint site if the file or folder name contains multibyte characters.
  • Addresses issue where the Remote Desktop License report gets corrupted when it exceeds the 4 KB size limit.
  • Addresses issue where an Azure point-to-site VPN connection that uses IKEv2 may fail when the user’s device contains a large number of trusted root certificates.
  • Addresses rendering issue in Microsoft Edge for PDF documents with backgrounds created using various third-party publishing tools.
  • Addresses issue where a media platform stops responding when changing cameras rapidly on a device.
  • Addresses issue where a media platform stops responding, which affects media playback in Microsoft Edge, Internet Explorer, and Microsoft PowerPoint.
  • Addresses issue with spatial audio when used in connection to Dolby Atmos for Headphones.
  • Addresses issue where a credential prompt that requires administrative privileges appears when a standard user account performs the first logon to a Windows 10 device that has been deployed using Windows Autopilot.
  • Addresses issue where tiles in the Start menu aren’t preserved when upgrading from Windows 10 version 1607 to Windows 10 version 1709.
  • Addresses issue with Spell Check and custom dictionaries.
  • Addresses issue with the press and hold feature when using a pen in Tablet mode.
  • Addresses issue with editing web password fields using a touch keyboard.
  • Addresses issue where some Bluetooth card readers don’t work after a restart.

For changelog of Windows 10 Creators Update Build 15063.994 (KB4088891) and Windows 10 Anniversary Update Build 14393.2155 (KB4088889), head over to this link. To manually download these updates, head over here and search using the KB number, i.e. KB4088891 for version 1703, KB4088889 for version 1607, and KB4089848 for the FCU.

Submit

Google, Facebook, and Twitter Are All Losing Their Top Security Executives

Amid growing attention on information security with Facebook’s Cambridge Analytica scandal attracting headlines every single day since the last weekend, it appears several high profile security chiefs are abandoning ships. Twitter and Google are the latest tech companies to see their security executives leaving.

Twitter spokesperson confirmed that Michael Coates, who joined the platform in 2015 as the company’s chief information security officer, is leaving. Coates also tweeted about it last night.

The move has apparently nothing to do with the Facebook scandal as it was known internally for about three weeks.

But he isn’t the only high-ranking information security executive leaving, as Facebook, Twitter and Google all appear to be in the same situation. Just hours before Coates confirmed his departure, Michael Zalewski, director of information security engineering at Google, announced his own departure from Google after about 11 years with the company. [He isn’t Google’s chief security officer, but a prominent executive who led the Google Vulnerability Reward Program.]

Earlier in the week, the NYT reported that Facebook’s chief security officer, Alex Stamos, was planning to leave the social networking giant in August. It was later clarified that Stamos’ departure was also planned before the Cambridge Analytica scandal. Stamos is one of the most well-respected security executives who often has to push the company executives for more pro-user policies. He has had problems with both Yahoo – his former employer – and Facebook leadership over policies that could hurt user privacy. He left Yahoo after the company approved a secret email search tool for the US government.

While all these three departures appear to be unrelated to the Cambridge Analytica scandal, they do arrive at a time when all eyes are on information security and data protection. With US and UK governments calling for legislation to regulate tech companies and users demanding more transparency over how their personally identifiable data is shared with third party companies they have never heard about before, it seems Silicon Valley’s top security executives aren’t in for any more of this fun.

Submit