
The official Android app for the NBA's Golden State Warriors continuously listens in on users' private conversations without permission, according to a federal lawsuit that alleges the practice is a violation of privacy statutes.

The 15-page complaint filed in San Francisco federal court said the monitoring was part of beaconing technology integrated into the Golden State Warriors app. The beaconing is used to track users' precise locations so the app can provide content tailored to that locale. The app "listens to and records all audio within range" of a user's microphone, and when the app detects a unique audio signal, it is able to determine that the user is in close proximity to a specific location associated with the signal. The beaconing technology, the complaint alleged, is provided by Signal360, a developer of proximity-related products.

The lawsuit names the Golden State Warriors, Signal360, and app developer Yinzcam as defendants. It was filed on behalf of New York state resident Latisha Satchell, and the lawsuit seeks class action status so that other smartphone users who installed apps with similar behavior may also seek damages. It was filed on Monday, and its docket currently shows no hearings are yet scheduled on the matter.


Go ahead and click it. You know you want to.

Clickers gonna click. Despite mandatory corporate training, general security awareness, and constant harping about the risks of clicking on unverified links in e-mails and other documents, people have been, are now, and forever will click links where exploit kits and malware lurk. It's simply too easy with the slightest amount of targeted work to convince users to click.

Eric Rand and Nik Labelle believe they have an answer to this problem, one that could potentially derail not just phishing attacks but other kinds of malware as well. Instead of relying on the judgement of users, Rand and Labelle have been working on software that takes humans completely out of the loop in phishing defense by giving clicks on previously unseen domains a time out, "greylisting" them for 24 hours by default. The software, a project called Foghorn, does this by intercepting requests made to the Domain Name System (DNS).

Greylisting has been used in spam filtering for e-mails, where it deliberately delays e-mails delivered from previously unseen sources and sends temporary errors back to the sender for a few minutes or hours. Spam greylisting operates under the assumption that a real mail server will re-attempt delivery, while spambots likely will not.
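The DNS greylisting policy described above, written out as an added example (it is illustrative code for this page, not Foghorn's own source). The first query for a never-before-seen name starts a clock; until the greylist period (24 hours by default) has elapsed the query is not answered, and names on an allowlist bypass the clock entirely. The upstream resolver is a constructed in-memory table of documentation addresses so the block runs offline; the choice to answer greylisted queries with REFUSED is an assumption, not something the article states.

```python
"""DNS greylisting in the spirit of Foghorn (added example, not Foghorn's code)."""
import time

DEFAULT_GREYLIST_SECONDS = 24 * 60 * 60   # the 24 h default the article describes


def normalize(qname):
    """Canonicalise a query name: lower case, no trailing dot."""
    return qname.rstrip(".").lower()


class DnsGreylist:
    def __init__(self, greylist_seconds=DEFAULT_GREYLIST_SECONDS,
                 allowlist=(), upstream=None):
        self.greylist_seconds = greylist_seconds
        self.allowlist = {normalize(d) for d in allowlist}
        self.first_seen = {}            # domain -> time the clock started
        self.upstream = dict(upstream or {})
        self.log = []                   # (time, domain, decision) for later review

    def _allowlisted(self, domain):
        return domain in self.allowlist or any(
            domain.endswith("." + a) for a in self.allowlist)

    def decide(self, qname, now=None):
        """Return "allow" or "greylist" for one query name."""
        now = time.time() if now is None else now
        domain = normalize(qname)
        if self._allowlisted(domain):
            decision = "allow"
        else:
            # First sight starts the clock; later queries compare against it.
            first = self.first_seen.setdefault(domain, now)
            decision = "allow" if now - first >= self.greylist_seconds else "greylist"
        self.log.append((now, domain, decision))
        return decision

    def resolve(self, qname, now=None):
        """Answer a query with the upstream record, or None while greylisted."""
        if self.decide(qname, now) == "greylist":
            return None   # a real forwarder would send REFUSED here (assumption)
        return self.upstream.get(normalize(qname))


# Constructed upstream answers (documentation addresses and the reserved
# .example TLD only; assumption for the demo).
UPSTREAM = {
    "www.example.com": "192.0.2.10",
    "evil-phish.example": "198.51.100.7",
}


def demo():
    """Walk one fresh domain through the greylist window."""
    g = DnsGreylist(allowlist=["example.com"], upstream=UPSTREAM)
    t0 = 1_700_000_000
    return [
        g.resolve("www.example.com", now=t0),             # allowlisted: answered
        g.resolve("evil-phish.example", now=t0),          # first sight: greylisted
        g.resolve("evil-phish.example", now=t0 + 3600),   # still inside 24 h
        g.resolve("evil-phish.example", now=t0 + 86400),  # clock expired: answered
    ]


if __name__ == "__main__":
    print(demo())
```

Two caveats a deployment has to handle that this example does not: the clock is keyed on the full query name, so an attacker who rotates subdomains under one registered domain restarts it every time (a production filter would key on the registrable domain using the public suffix list), and a domain that survives the 24 hours is answered whether or not it is still malicious; the approach relies on phishing domains being short-lived, not on any judgement about their content.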


RETIRED: Apple tvOS CVE-2016-4607 Multiple Memory Corruption Vulnerabilities
Apple iOS/WatchOS/tvOS Security Bypass and Memory Corruption Vulnerabilities
RETIRED: Apache Subversion CVE-2016-2167 Security Bypass Vulnerability
RETIRED: Multiple Huawei OceanStor Products CVE-2016-5722 Information Disclosure Vulnerability
RETIRED: Multiple Dell SonicWALL Products CVE-2016-2397 Remote Code Execution Vulnerability
Oracle Java SE CVE-2016-3498 Remote Security Vulnerability
RETIRED: Adobe Flash Player and AIR CVE-2016-4120 Unspecified Memory Corruption Vulnerability
Joomla JS Jobs Extension 'index.php' SQL Injection Vulnerability
Docker Local Denial of Service Vulnerability

A long time ago I wrote a diary[1] about malware samples which use online geolocalization services. Such services are used to target only specific victims. If the malware detects that it is executed from a specific area, it just stops. This has been seen in Russian malware.

Here is what the MaxMind lookup returns. A bare request to the API is refused:

$ wget https://www.maxmind.com/geoip/v2.1/city/me
--2016-09-01 07:45:41--  https://www.maxmind.com/geoip/v2.1/city/me
Resolving www.maxmind.com (www.maxmind.com)... 2400:cb00:2048:1::6810:262f, 2400:cb00:2048:1::6810:252f, 104.16.38.47, ...
Connecting to www.maxmind.com (www.maxmind.com)|2400:cb00:2048:1::6810:262f|:443... connected.
HTTP request sent, awaiting response... 401 Unauthorized

With the Referer header set to MaxMind's own "locate my IP address" page, the same request succeeds:

$ wget -O whereami.txt --referer=https://www.maxmind.com/en/locate-my-ip-address https://www.maxmind.com/geoip/v2.1/city/me
--2016-09-01 07:47:11--  https://www.maxmind.com/geoip/v2.1/city/me
Resolving www.maxmind.com (www.maxmind.com)... 2400:cb00:2048:1::6810:262f, 2400:cb00:2048:1::6810:252f, 104.16.38.47, ...
Connecting to www.maxmind.com (www.maxmind.com)|2400:cb00:2048:1::6810:262f|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1214 (1.2K) [application/vnd.maxmind.com-city+json]
Saving to: whereami.txt

where-am-i.txt 100%[==========================================================] 1.19K --.-KB/s in 0s

2016-09-01 07:49:08 (17.1 MB/s) - where-am-i.txt saved [1214/1214]

$ cat whereami.txt
{
  "country": {
    "names": {"pt-BR": "Bélgica", "de": "Belgien", "en": "Belgium", "es": "Bélgica", "fr": "Belgique"},
    "geoname_id": 2802361,
    "iso_code": "BE"
  },
  "location": {"time_zone": "Europe/Brussels", "accuracy_radius": 100, "longitude": 4.3333, "latitude": 50.6},
  "traits": {
    "autonomous_system_organization": "BELGACOM-SKYNET-AS",
    "ip_address": "xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx",
    "isp": "Belgacom-skynet-as",
    "organization": "Belgacom-skynet-as",
    "autonomous_system_number": 5432
  },
  "city": {"geoname_id": 2790101, "names": {"en": "Nivelles", "de": "Nivelles", "fr": "Nivelles"}},
  "postal": {"code": "1400"},
  "subdivisions": [
    {"geoname_id": 3337387, "names": {"pt-BR": "Valônia", "fr": "Wallonie", "es": "Valonia", "en": "Wallonia", "de": "Wallonische Region"}, "iso_code": "WAL"},
    {"iso_code": "WBR", "geoname_id": 3333251, "names": {"pt-BR": "Brabante Valão", "en": "Walloon Brabant Province", "de": "Provinz Wallonisch-Brabant", "es": "Brabant Wallonie", "fr": "Brabant Wallon"}}
  ],
  "continent": {"code": "EU", "names": {"pt-BR": "Europa", "en": "Europe", "de": "Europa", "es": "Europa", "fr": "Europe"}, "geoname_id": 6255148}
}

You can see that it's possible to locate me, but the service also reports information like the AS number and the organization/ISP. The malware searches these fields for interesting strings such as AV vendor names, but not only those: if the network name contains strings like "Data Center", "VPS", "Hosting" or "Shared", there is a good chance that the host running the malware is not an endpoint device but an analysis box.

If you're performing research or investigations, always use a dedicated xDSL or cable connection!
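The check the malware performs on the lookup result, reproduced as an added example (this is illustrative code written for this page, not the diary's code and not taken from any sample). It reads a MaxMind-style city document, flags an excluded country and network-owner names that look like a data centre, VPS or hosting provider, and optionally flags vendor names supplied by the caller; the same function lets an analyst check what their own egress address reveals before detonating anything. The three JSON documents are constructed samples shaped like the diary's output, using reserved addresses, private ASNs and a made-up "ExampleAV" organisation (all assumptions).

```python
"""Geolocation-based environment check, as used by the malware in the diary."""
import json

# Substrings the diary names as typical of non-endpoint networks.
HOSTING_MARKERS = ("data center", "datacenter", "vps", "hosting", "shared")


def assess(geo_json, excluded_countries=(), vendor_markers=()):
    """Summarise what a MaxMind-style city lookup reveals about this host.

    excluded_countries: ISO codes the malware refuses to run in.
    vendor_markers: organisation substrings (e.g. AV vendor names) to flag;
    the diary does not list them, so the caller supplies its own.
    """
    data = json.loads(geo_json)
    country = data.get("country", {}).get("iso_code", "").upper()
    traits = data.get("traits", {})
    # Concatenate every owner-related field so one substring search covers all.
    owner = " ".join(
        str(traits.get(k, "")) for k in
        ("autonomous_system_organization", "isp", "organization")).lower()
    excluded = {c.upper() for c in excluded_countries}
    return {
        "country": country,
        "owner": owner,
        "excluded_country": country in excluded,
        "hosting_like": any(m in owner for m in HOSTING_MARKERS),
        "vendor_like": any(v.lower() in owner for v in vendor_markers),
    }


def looks_like_endpoint(report):
    """True when nothing in the report suggests an analysis environment."""
    return not (report["excluded_country"]
                or report["hosting_like"]
                or report["vendor_like"])


# Constructed samples (assumption): same shape as the diary's output,
# trimmed to the fields the check uses.
RESIDENTIAL = json.dumps({
    "country": {"iso_code": "BE"},
    "location": {"time_zone": "Europe/Brussels"},
    "traits": {"autonomous_system_organization": "BELGACOM-SKYNET-AS",
               "isp": "Belgacom-skynet-as", "organization": "Belgacom-skynet-as",
               "autonomous_system_number": 5432, "ip_address": "2001:db8::1"},
})
HOSTING = json.dumps({
    "country": {"iso_code": "US"},
    "traits": {"autonomous_system_organization": "EXAMPLE-VPS-HOSTING",
               "isp": "Example VPS Hosting Inc", "organization": "Example VPS Hosting Inc",
               "autonomous_system_number": 64496, "ip_address": "203.0.113.5"},
})
VENDOR = json.dumps({
    "country": {"iso_code": "DE"},
    "traits": {"autonomous_system_organization": "EXAMPLEAV-RESEARCH",
               "isp": "ExampleAV Research Labs", "organization": "ExampleAV Research Labs",
               "autonomous_system_number": 64497, "ip_address": "198.51.100.9"},
})


if __name__ == "__main__":
    for label, doc in (("residential", RESIDENTIAL), ("hosting", HOSTING), ("vendor", VENDOR)):
        r = assess(doc, excluded_countries=("RU",), vendor_markers=("ExampleAV",))
        print(label, r["country"], "endpoint" if looks_like_endpoint(r) else "analysis-like")
```

Run against your own egress before an investigation: if `hosting_like` comes back true, a sample that performs this check will simply exit and you will learn nothing, which is the diary's argument for a dedicated residential line.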

[1] https://isc.sans.edu/forums/diary/Victim+of+its+own+success+and+abused+by+malwares/20311/
[2] https://blogs.mcafee.com/mcafee-labs/macro-malware-adds-tricks-uses-maxmind-to-avoid-detection/
[3] https://www.maxmind.com/en/geoip2-services-and-databases

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
