Information Security News
For at least the past six months, a popular remote management app available in the official Google Play Store has opened tens of millions of Android users to code-execution and data-theft attacks when they use unsecured networks, researchers said Thursday.
AirDroid, which has been downloaded 10 million to 50 million times from the official Google Play Store, uses a static and easily detectable encryption key when transmitting update files and sensitive user data, according to a blog post published by security firm Zimperium. Attackers who are on the same network can exploit the weakness to push fraudulent updates or view potentially sensitive user information, including the international mobile equipment identity and international mobile subscriber identity designations that are unique to each phone.
"A malicious party on the same network as the victim can leverage this vulnerability to remotely gain full control of their device," Simone Margaritelli, principal security researcher at Zimperium's zLabs, told Ars. "Moreover, the attacker will be able to see the user's sensitive information such as the IMEI, IMSI, and so forth. As soon as the update, or fake update, is installed the software automatically launches the updated [Android app file] without ever verifying who built it."
First a disclaimer: This methodworks for a home network, maybe a small business network. I do describe how to do this using a specific vendors equipment. This isnt an endorsement of the vendor.
Back in the 100 BaseT days, it was pretty easy to make your own tap. You could essentially just connect the network cables transmit line to the receive pins of a output plug, and all it took was four network plug, a punch down tool and a bit of wire. Sadly, with Gigabit Ethernet, both pairs are used to transmit and receive. Tapping this type of network is a bit more tricky and requires more sophisticated circuitry.
You can buy some relativelycheap Taps, but often a simple switch is cheaper, and provides similar capabilities. To monitor just a single network segment, a simple switch like this may be perfectly acceptable, and with port-based VLANs, you can even aggregate multiple segments." />
There are three possible spots to connect a sensor:
So how do we monitor traffic in both networks, the LAN and the WAN segment? There are a couple of options here:
If you are using a homemade Linux deviceor PF Sense, then it is pretty easy to install tools like snort or even bro on the device as well. Again: We are talking home network here. But even in a home network, I find that this type of setup quickly runs out of steam, in particular, if you are using less than state-of-the-art hardware.
You will need a network card for each segmentand one more for a management network. In the diagram this would require at least three (LAN, DMZ + management) or even four (LAN, DMZ, WAN + management) . Finding a small / low-cost system with more than two network cards is challenging. But luckily, with some port-based VLAN trickery, our cheap monitor switch can be coerced into aggregating multiple networks.
I am using the Netgear GS105Ev2 switch. This is a 5 port switch that offers port-based VLANs and port mirroring, the two features I am going to use here. Other switches that provides these two features should work as well. This switch currently sells for about $45.
First, figure out which port you would like to use how. In my example, I am using:
Port 1 to manage the switch
Port 2,3,4 to connect to the different network segments
Port 5 to connect to the sensor (and remember that the monitoring interface of the sensor has no IP address, but is just listening)
First, lets configure the mirror feature. We define ports 2,3,4 as source" />
Next, lets define the VLANs. Setting up port-based VLANs is CRITICAL since we do not want to shortcut" />
So how bad is it? Does it work at all?
It does work pretty well. I still have to measure the exact throughput. The admin interface for the switch does become unresponsive pretty quickly, but well, once it is set up, you dont need to touch it anymore. There are better switches with more buffer memory that you can often get on eBay for not much more money. I am having a hard time finding real gigabit taps for less than a few hundred dollars on eBay. But you may get lucky. Many of the taps that you find around this same price are typically actually just switches that are preconfigured with a monitoring port.
Let me know if it works for you, or if you have better ideas to monitor multiple gigabit network segments. If you are just interested in using a switch as a tap, there are a couple of videos on YouTube walking you through the setup.
[Update, 3:00 PM EDT: This story has been updated with additional details from The Shadowserver Foundation and Europol.]
A botnet that has served up phishing attacks and at least 17 different malware families to victims for much of this decade has been taken down in a coordinated effort by an international group of law enforcement agencies and security firms. Law enforcement officials seized command and control servers and took control of more than 800,000 Internet domains used by the botnet, dubbed "Avalanche," which has been in operation in some form since at least late 2009.
"The operation involves arrests and searches in five countries," representatives of the FBI and US Department of Justice said in a joint statement issued today. "More than 50 Avalanche servers worldwide were taken offline."
by Sean Gallagher
A new variant of Shamoon, the malware that wiped hard drives at Saudi Aramco and other energy companies in 2012, has struck multiple organizations in Saudi Arabia in a new campaign that researchers call a "carefully planned operation." The new variant, which is almost identical to the version used in the 2012 attacks, has replaced the message it previously displayed—which included an image of a burning American flag—with the photo of the body of Alan Kurdi, the 3-year-old Syrian refugee boy who drowned as his family tried to cross from Turkey to Greece.
Bloomberg reports that digital forensics by Saudi officials indicated that the attacks were launched from Iran. Several Saudi government agencies were among the organizations attacked.
New versions of Shamoon, also known as Disttrack, have been detected by multiple information security companies, including McAfee, Symantec, Palo Alto Networks, and FireEye. It isn't yet clear how the malware's "dropper" has gotten into the networks it has attacked. But once on a victim's Windows system, it determines whether to install a 32-bit or 64-bit version of the malware. According to a report from Symantec, the latest Shamoon attack was configured to automatically start wiping the disk drives of computers it had infected at 8:45am local time on November 17.
by Andrew Cunningham
With Thanksgiving behind us, the holiday season in the US is officially underway. If you're reading Ars, that can only mean one thing: you'll be answering technical questions that your relatives have been saving since the last time you visited home.
This year in addition to doing the regular hardware upgrades, virus scans, and printer troubleshooting, consider trying to advise the people in your life about better safeguarding their security and privacy. Keeping your data safe from attackers is one of the most important things you can do, and keeping your communications and browsing habits private can keep that data from being used to track your activities.
This is not a comprehensive guide to security, nor should it be considered good enough for professional activists or people who suspect they may be under targeted surveillance. This is for people who use their phones and computers for work and in their personal lives every single day and who want to reduce the chances that those devices and the accounts used by those devices will be compromised. And while security often comes at some cost to usability, we've also done our best not to impact the fundamental utility and convenience of your devices.