Friday, November 20, 2015

Google Nexus 6P security teardown

This isn’t a review (we don’t do them), but if it were, our conclusion would be that the Nexus 6P is not only the best Nexus that Google has thrown out there to date, offering incredible value for money against premium handsets from rivals including Apple and Samsung, but that it ticks plenty of boxes on the security side of things as well. In fact, until the malware-eating SnapDragon 820 chip starts appearing in smartphones in 2016, the Nexus 6P would be our first choice for a secure stock Android experience. Instead of drooling over the gorgeous 2,560 x 1,440 resolution AMOLED screen with its 518ppi density or the all-metal unibody design, we were more interested in determining how secure it is. Our teardown revealed four areas in which the Nexus 6P shines as far as security improvements to the Android family of smartphones are concerned, namely: biometrics, OS security updates, app permissions and encryption. So we took a closer look at each in turn...

Finding secure advantage in the explosion of exploit kit activity

According to the latest Infoblox DNS Threat Index, which measures the creation of malicious Domain Name Service (DNS) infrastructure, just four examples accounted for 96 percent of the total activity in the 'exploit kit' category during the third quarter of 2015. The exploit kits in the hit parade were Angler, Magnitude, Neutrino and Nuclear. This represents, quarter on quarter, a 75 percent increase in the creation of malicious domains by cyber-criminals unleashing exploit kits. So why did one security expert who spoke to us suggest that this explosion in exploit kit activity can be used to help harden your security posture?

George Osborne's understanding of cybersecurity is worrying

George Osborne said the word 'cyber' 134 times in his 45-minute speech to GCHQ earlier this week. They say that talk is cheap, but in this case it could turn out to be quite expensive. Not only does Osborne plan to double cybersecurity spending to £1.9 billion over the next five years, but the proposals he set out in his speech will be expensive in terms of protecting our data and our critical national infrastructure. If you include the Snooper’s Charter in all this, the government’s measures could ultimately cost us our freedom.

Tuesday, November 10, 2015

Auto-rooting adware attacks on Android ecosystem

People ‘root’ their smartphones for many reasons, most commonly in order to have as much control over the device as possible. Now malware is getting in on the act, with Trojanised, auto-rooting adware attacks on Android phones that install themselves as a system app capable of surviving a factory reset. IT Security Thing investigates. Predictive security specialist Lookout, which uses ‘machine intelligence’ to predict zero day attacks, has spotted a large number of auto-rooting adware infected apps in the wild. So far it has detected more than 20,000 samples in apparently legitimate, and hugely popular, applications such as Candy Crush, Facebook, Google Now, Okta 2FA, Snapchat, Twitter and WhatsApp. Before you start worrying too much: the apps themselves may appear totally legitimate, but they have been repackaged by the threat actors with the malicious code squirted into them. They all appear perfectly normal from the user perspective, functionality is not impacted at all and the malware remains well hidden. This, in and of itself, is unusual. Most commonly this type of app-cloning malware only goes as far as cloning the name and the executable icon; when it is clicked upon it installs the malicious payload without the original app doing anything at all. If that sounds like even more reason to panic, you can still relax unless you are in the habit of downloading your apps from outside of the official Google Play app store.

Friday, November 06, 2015

Inside XCodeGhost iOS threat: weaponising Apple’s application development software

Earlier this year, XCodeGhost was behind the infiltration of the official Apple App Store by malware-infected iOS apps. At the time it was pretty much exclusively a problem for users in China; that has changed, with XCodeGhost now also hitting Western targets including the US. If that wasn’t bad enough news, the same researchers also reckon that a worrying variant called XCodeGhost S (the S standing for stealth) has managed to infect iOS 9 apps. So what is XCodeGhost/XCodeGhost S, how does it work and what should you do to avoid becoming a victim? IT Security Thing has been digging through the data to find out. Before we deal with the ‘what is XCodeGhost’ question, we need to establish what XCode is. The answer is pretty straightforward: XCode is a free integrated development environment (IDE) that comes with a host of development tools that make developing apps for iOS (and OS X for that matter) as easy as possible. If you want to know precisely what is included, then pop over to the Apple developer site for the full skinny on the latest version. What we are interested in, however, is a Trojanised version of the XCode IDE, which was made available for download through a popular Chinese cloud-based system. Now you might be asking yourself why any developer in their right mind would think about downloading the IDE they are going to use to create apps for the iPhone from anywhere other than the official Apple store. It’s a pretty good question, and the answer highlights just how a lack of strategic security thinking can impact upon software from the earliest stages of the development process.

What the hell do we do if password vaults aren't secure enough?

Only this week we have learned of a hacking tool which allows a threat actor, under an admittedly rather strict set of prior requirements, to access and stealthily decrypt all the login credentials and secure notes stored within an instance of the KeePass program. Which leads us to ponder: what the hell are we supposed to do if password vaults just aren't secure enough anymore? The hacker tool in question, which targets KeePass, has been named KeeFarce and isn't actually as worrying as it may appear at first. We say this despite the fact that, in principle, a similar tool could be designed to empty the contents of pretty much any password vault. The reason that we are not in a state of panic is simply that, in order for KeeFarce to do what it does, it needs the target computer to have already been compromised. So it's a great tool for pen testers and hackers alike, but only if they already have access to the machine with KeePass installed. What's more, it needs that instance of KeePass to be open, with the user logged in and the password database unlocked. Under those circumstances it's pretty much game over anyway, so it is not as big a deal that it can silently decrypt and copy your password database to a file for you to collect at your leisure. That said, as Ken Munro, senior partner at Pen Test Partners, points out: "Someone did all the hard work to make this attack vector very easy to implement. Its success rate, however, is directly related to how exploitable the target workstations are."