‘Dead’ Mobile Apps Come Back to Haunt You

Feeling spooked? It may be because a ‘dead’ mobile app has come back to haunt you…

Termed “dead” or “stale,” these waning apps introduce a multitude of security vulnerabilities to a workplace environment, and are thus considered one of the biggest mobile security risks facing enterprises today.

For some background, a ‘dead’ app is one that was rejected from an official app store. ‘Stale’ apps are either apps that haven’t been updated or have been abandoned by their developers, and as a result are no longer compliant with updated systems and protocols.

Regardless of their names, these apps give cybercriminals the opportunity they need to steal sensitive information, embed malware on a network and generally wreak havoc on businesses. And it doesn’t help that, due to their nature, they’re also difficult to fight back against.

Mainly, this is because dead apps are hard to anticipate. App Stores are under no obligation to notify users that they removed an app from the store (or detail why they did). This removal also impedes a developer’s ability to issue bug-fixing updates to their apps in the wild.

Stale or abandoned apps are also hard to predict. Developers can take on new projects without any notification to the user, leaving older projects and apps to wane.

Both situations allow risky apps and vulnerabilities to linger on a user’s device, giving hackers the window they need to break in.

For example, hackers could use these apps to launch phishing attacks against unsuspecting users. A successful attack could then grant hackers access to sensitive information or allow them to install additional malware.

The lesson to be learned here? You can’t let your guard down, even with your own mobile device.

So how can we protect our devices and our workplaces from hackers? Well, here are a few tips:

  • Stay on top of updates to your mobile apps. All apps have bugs, vulnerabilities, or problems, which is why developers issue updates to them on a continual basis. If you haven’t noticed an update to one of your apps in a few months, it could be an indication that app is ‘dead.’ Do a quick search in the app store and if it’s no longer listed, you’d be wise to remove it from your phone.
  • Delete unused apps. Spring-cleaning should extend to your mobile device, too! Sometimes we download apps just to check them out. That’s fine. But once you’re done – remove them from your device, and your cloud environment. This will cut down on potential vulnerabilities and make device management that much easier.
  • Use comprehensive security. Every device you own should have safety precautions installed on it. McAfee® Mobile Security is free for Android and iOS users, and offers a variety of protections to help keep unwanted people out of your devices. 

As always, to keep up with the latest security threats, make sure to follow @IntelSec_Home on Twitter and like us on Facebook.

lianne-caetano

An Irrelevant Thesis

This week The Diplomat published an article by Dr Greg Austin titled What the US Gets Wrong About Chinese Cyberespionage. The subtitle teases the thesis: “Is it government policy in China to pass on commercial secrets obtained via cyberespionage to civil sector firms?” As you might expect (because it prompted me to write this post), the author’s answer is “no.”

The following contains the argument:

“Chinese actors may be particularly adept in certain stages of economic espionage, but it is almost certainly not Chinese government policy to allow the transfer of trade secrets collected by highly classified intelligence sources to its civil sector firms for non-military technologies on a wide-spread basis.

A U.S. influencing strategy toward China premised on the claim that this is China’s policy would appear to be ill-advised based on the evidence introduced so far by the United States in the public domain.” (emphasis added)

I find it interesting that the author concedes theft by Chinese government actors, which the Chinese government refuses to acknowledge. However, the author seeks to excuse this activity out of concern for the effect it has on US-China ties.

One aspect of the relationship between China and the US worries the author most:

“There are many ways to characterize the negative impact on potential bilateral cooperation on cyberspace issues of the “lawfare” being practised by the United States to discipline China for its massive cyber intrusions into the commercial secrets of U.S. firms. One downside is in my view more important than others. This is the belief being fostered by U.S. officials among elites in the United States and in other countries that China as a nation is a “cheater” country…”

Then, in a manner similar to the way Chinese spokespeople respond to any Western accusations of wrongdoing, the author turns the often-heard “Chinese espionage as the largest transfer of wealth in history” argument against the US:

“In the absence of any Administration taxonomy of the economic impacts of cyber espionage, alleged by some to represent the largest illicit transfer of wealth in human history, one way of evaluating it is to understand that for more than three decades it has been U.S. policy, like that of its principal allies, to undertake the largest lawful transfer of wealth in human history through trade with, investment in and technology transfer to China.”

(I’m not sure I understand the cited benefits the US has accrued due to this “largest lawful transfer of wealth in human history,” given the hollowing out of the American manufacturing sector and the trade imbalance with China, which totaled over $82 billion in 1Q15 alone. It’s possible I am not appreciating what the author means though.)

Let’s accept, for argument’s sake, that it is not “official” Chinese government policy for its intelligence and military forces to steal commercial data from private and non-governmental Western organizations. How does accepting that proposition improve the situation? Would China excuse the US government if a “rogue” element of the American intelligence community or military pursued a multi-decade campaign against Chinese targets?

Even if the US government accepted this “Chinese data theft by rogue government actor” theory, it would not change the American position: stop this activity, by whatever means necessary. Given the power amassed by President Xi during his anti-corruption crackdown, I would expect he would be able to achieve at least some success in limiting his so-called “rogue actors” during the 2+ years since Mandiant released the APT1 report. As Nicole Perlroth reported this month, Chinese hacking continues unabated. In fact, China has introduced new capabilities, such as the so-called Great Cannon, used to degrade GitHub and others.

Similar to the argument I made in my post What Does “Responsibility” Mean for Attribution?, “responsibility” is the key issue. Based on my experience and research, I submit that Chinese computer network exploitation of private and non-governmental Western organizations is “state-integrated” and “state-executed.” Greg Austin believes the activity is, at worst, “state-rogue-conducted.” Stepping down one rung on the state spectrum of responsibility ladder is far from enough to change US government policy towards China.

Note: In addition to the article in The Diplomat, the author wrote a longer paper titled China’s Cyberespionage: The National Security Distinction and U.S. Diplomacy (pdf).

I also plan to read Dr Austin’s new book, Cyber Policy in China, which looks great! Who knows, we might even be able to collaborate, given his work with the War Studies department at KCL.

Say ‘Hello’ to Facebook’s New Android App

Hola, Ciao, Bonjour, Gutentag, Nihao – Hello!

Do you ever receive phone calls from unknown numbers, prompting you to stare at your phone skeptically as it buzzes next to you? Or, perhaps you decide to pick up a call only to be blindsided by telemarketers or your crazy Aunt Linda.

Facebook is out to change this experience with its new Android app, Hello.

By making use of data that is shared publicly with Facebook, Hello is able to solve the mystery of who’s calling your phone.

This means that if you share your phone number publicly with Facebook, anyone with Hello installed will know you’re the one calling – even if you aren’t friends on the social networking site. If you don’t want your number shared publicly, you can change your privacy settings on Facebook and opt to just share your number with those who are your friends on the social networking site.

Conversely, blocking unwanted callers through the app is easy. So you can finally say goodbye to those awkward conversations with old high school acquaintances looking for a job.

Another great feature is the ability to search for people or businesses on Facebook and call them in one fell swoop.

Use multiple phones? No problem. Hello allows you to connect your account to any phone number so people will still know it’s you even if you’re calling from two different numbers.

The app is especially useful for those with limited minutes, as being able to determine who’s calling allows you to decide what calls to spend your minutes on and which ones to send straight to voicemail.

The app is currently available to Android users in the US, Brazil and Nigeria, and Facebook will be widening its availability to additional countries in the coming weeks.

If you choose to share your mobile number with Facebook, be sure to check your privacy settings and make sure it’s only visible to those you trust. And don’t forget – treat your mobile phone as you would your most prized possession, by protecting it! McAfee® Mobile Security is available free for both Android and iOS, and offers a variety of protections to help keep unwanted eyes from spying on your devices.

Have you used Hello? Tweet us @IntelSec_Home or like us on Facebook to share your thoughts!

lianne-caetano

Dyre Botnet Using Malicious Microsoft Word Macros

The Dyre group, a major malware spam producer, has changed their initial malware dropper to utilize Microsoft Word document macros instead of the usual executable types, such as .exe files contained in a .zip.

Dyre’s Hedsen spambot, responsible for the bulk of Upatre emails we’ve been tracking, now uses a template to send infected-macro Word files as spam attachments in hopes that the end user will click the attached .doc file and infect their system. This is a noticeable change in behavior for this particular spambot.

As always, users should disable Macros in Office documents, and avoid the temptation to open suspicious attachments.

VIPRE detects the infected .doc as LooksLike.Macro.Malware.gen!d1 (v).

An example spam message using the new infected macro technique.

The infected .doc file, which also suggests you enable Macros once it is opened.

DETAILS

This particular spambot is now using the following URLs to generate and deliver its infected payload:

The spammer gets the Template letter (which also includes the base64 attachment of the .doc) from:

  • hxxps://109.236.83[.]205/action.php?get_letter

The spammer gets the sender field from:

  • hxxps://109.236.83[.]205/action.php?get_sender

The spammer gets its email target list from:

  • hxxps://109.236.83[.]205/action.php?action=get_mails

Macro doc MD5:

  • 6162c6b0abc8cab50b9d7c55d71e08fe

The macro pulls additional code from the following websites:

  • ezzylab[.]com/content-el/6612536153.txt
  • pilsudskiego175[.]pl/modules/mod_araticlws/6612536153.txt

The macro determines which URL to download from:

  • ezzylab[.]com/content-el/lns.txt
  • pilsudskiego175[.]pl/modules/mod_araticlws/lns.txt

As of this post, the macro is downloading from:

  • hxxp://209.193.86[.]41/erwtwgw.exe
  • hxxp://184.164.97[.]60/erwtwgw.exe

The Upatre md5 is:

  • 20357c95962d1cda36eeb7386ea31aea

Upatre reports to its command and control server at:

  • 91.211.17.201

It downloads Dyre over HTTPS from:


The Dyre MD5 is:

  • 512b7bac1ce4cf63dd9bb6dbe7f16f20
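As an added example (not code from the original post or from ThreatTrack), the delivery chain above expressed as a proxy-log triage script: it classifies requests by the stage file names the post lists and only escalates when the stage-2 text fetch is followed by the executable download from the same client. The log format, the client addresses and the intranet host name are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Request-path patterns for each stage of the macro-based Dyre chain described in
# the post. Matching on paths rather than hosts, because the macro reads lns.txt to
# choose its download host: hosts rotate, file names stay.
STAGES = [
    ("spambot_c2",   re.compile(r"/action\.php\?(get_letter|get_sender|action=get_mails)$")),
    ("macro_stage2", re.compile(r"/(6612536153|lns)\.txt$")),
    ("upatre_drop",  re.compile(r"/erwtwgw\.exe$")),
    ("dyre_payload", re.compile(r"/wheel11\.png$")),
]

# Constructed proxy log (not real traffic): "<iso-time> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2015-04-20T09:12:01 10.0.0.15 GET http://ezzylab.com/content-el/lns.txt 200
2015-04-20T09:12:02 10.0.0.15 GET http://209.193.86.41/erwtwgw.exe 200
2015-04-20T09:12:40 10.0.0.15 GET https://69.9.204.114/wheel11.png 200
2015-04-20T09:13:05 10.0.0.22 GET http://intranet.example/icons/wheel11.png 200
2015-04-20T09:14:10 10.0.0.31 GET https://109.236.83.205/action.php?action=get_mails 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def classify(url):
    """Return the chain stage a URL matches, or None."""
    for name, rx in STAGES:
        if rx.search(url):
            return name
    return None

def analyze(log_text):
    """Group matching requests per client: {client: [(time, stage, url), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        stage = classify(url)
        if stage:
            hits[client].append((datetime.fromisoformat(ts), stage, url))
    return dict(hits)

def verdict(client_hits, max_gap_s=600):
    """C2 polling marks a spam-sending bot; a stage-2 .txt fetch followed by the
    .exe download within max_gap_s is an executed macro chain; a lone file-name
    match (e.g. some unrelated wheel11.png) is too weak to act on by itself."""
    if any(stage == "spambot_c2" for _, stage, _ in client_hits):
        return "spambot_infected"
    for t1, s1, _ in client_hits:
        for t2, s2, _ in client_hits:
            if s1 == "macro_stage2" and s2 == "upatre_drop" and 0 <= (t2 - t1).total_seconds() <= max_gap_s:
                return "macro_chain_executed"
    return "weak_indicator_only"

def triage(log_text):
    """Map each client that touched any stage to a verdict label."""
    return {client: verdict(hits) for client, hits in analyze(log_text).items()}
```

File-name indicators like these age quickly, so treat the sequence logic (stage-2 fetch, then executable, same client, short window) as the durable part and swap the patterns as the campaign changes.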

Credit: Matthew Mesa – ThreatTrack Security Labs Researcher

What Year Is This?

I recently read a manuscript discussing computer crime and security. I’ve typed out several excerpts and published them below. Please read them and try to determine how recently this document was written.

The first excerpt discusses the relationship between the computer and the criminal.

“The impersonality of the computer and the fact that it symbolizes for so many a system of uncaring power tend not only to incite efforts to strike back at the machine but also to provide certain people with a set of convenient rationalizations for engaging in fraud or embezzlement. The computer lends an ideological cloak for the carrying out of criminal acts.

Computer crime… also holds several other attractions for the potential lawbreaker. It provides intellectual challenge — a form of breaking and entering in which the burglar’s tools are essentially an understanding of the logical structure of and logical flaws inherent in particular programming and processing systems. It opens the prospect of obtaining money by means that, while clearly illegal, do not usually involve taking it directly from the till or the cashier’s drawer…

Other tempting features of computer crime, as distinct from other forms of criminal activity, are that most such crimes are difficult to detect and that when the guilty parties are detected not much seems to happen to them. For various reasons, they are seldom intensively prosecuted, if they are prosecuted at all. On top of these advantages, the haul from computer crime tends to be very handsome compared with that from other crimes.”

The second excerpt describes the attitudes of corporate computer crime victims.

“The difficulties of catching up with the people who have committed computer crimes is compounded by the reluctance of corporations to talk about the fact that they have been defrauded and by the difficulties and embarrassments of prosecution and trial. In instance after instance, corporations whose assets have been plundered — whose computer operations have been manipulated to churn out fictitious accounting data or to print large checks to the holders of dummy accounts — have preferred to suffer in silence rather than to have the horrid facts about the frailty of their miracle processing systems come to public attention.

Top management people in large corporations fear that publicity about internal fraud could well affect their companies’ trading positions on the stock market, hold the corporations up to public ridicule, and cause all sorts of turmoil within their staffs. In many cases, it seems, management will go to great lengths to keep the fact of an internal computer crime from its own stockholders…

The reluctance of corporations to subject themselves to unfavorable publicity over computer crimes is so great that some corporations actually seem willing to take the risk of getting into trouble with the law themselves by concealing crimes committed against them. Among independent computer security consultants, it is widely suspected that certain banks, which seem exceptionally reluctant to admit that such a thing as computer fraud even exists in the banking fraternity, do not always report such crimes to the Comptroller of the Currency, in Washington, when they occur, as all banks are required to do by federal law. Bank officers do not discuss the details of computer crime with the press… [A] principal reason for this kind of behavior is the fear on the part of the banks that such a record will bring about an increase in their insurance rates.”

The third excerpt talks about the challenges of prosecuting computer crime.

“In addition to the problems of detecting and bringing computer crimes to light, there are the difficulties of effectively prosecuting computer criminals. In the first place, the police, if they are to collect evidence, have to be able to understand precisely how a crime may have been committed, and that usually calls for the kind of technical knowledge that is simply not available to most police departments…

Another difficulty is that not only police and prosecutors but judges and juries must be able to find their way through the mass of technical detail before they can render verdicts and hand down decisions in cases of computer crime, and this alone is a demanding task. In the face of all the complexities involved and all the time necessary to prepare a case that will stand up in court, many prosecutors try to make the best accommodation they can with the defendant’s lawyers by plea bargaining, or else they simply allow the case to fade away unprosecuted. If they do bring a case to trial, they have the problem of presenting evidence that is acceptable to the court.”

The fourth excerpt mentions “sophistication” — a hot topic!

“To somebody looking at the problem of computer crime as a whole, one conclusion that seems reasonable is that although some of the criminal manipulators of computer systems have shown certain ingenuity, they have not employed highly sophisticated approaches to break into and misuse computer systems without detection. In a way, this fact in itself is something of a comment on the security of most existing computer systems: the brains are presumably available to commit those sophisticated computer crimes, but the reason that advanced techniques haven’t been used much may well be that they haven’t been necessary.”

The fifth excerpt briefly lists possible countermeasures.

“The accelerating incidence of computer-related crimes — particularly in the light of the continuing rapid growth of the computer industry and the present ubiquity of electronic data-processing systems — raises the question of what countermeasures can be taken within industry and government to prevent such crimes, or, at least, to detect them with precision when they occur…

In addition to tight physical security for facilities, these [countermeasures] included such internal checks within a system to insure data security as adequate identification procedures for people communicating with the computer… elaborate internal audit trails built into a system, in which every significant communication between a user and a computer would be recorded; and, where confidentiality was particularly important, cryptography…”

Now, based on what you have read, I’d like you to guess in which decade these excerpts were written. By answering the survey you will learn the publication date.

I’ll leave you with one other quote from the manuscript:

The fact is, [a security expert] said, that “the data-security job will never be done — after all, there will never be a bank that absolutely can’t be robbed.” The main thing, he said, is to make the cost of breaching security so high that the effort involved will be discouragingly great.