Computers

The Tech Corner is a technology news and advice column presented each week courtesy of Melvin McCrary at Georgia Computer Depot in Cedartown. 

Russia threatens to ban Facebook

Russian officials said they are considering a ban on Facebook for the start of 2018 unless the social network is willing to comply with the country's new privacy and user protection rules.

Russia previously banned LinkedIn for the same reason in November 2016. According to the country's new laws, Facebook must store data on Russian users on servers located in Russia, and not move information overseas.

"We will make sure the law is complied with, or the company will stop working in the Russian Federation," said Alexander Zharov, head of communications regulator Roskomnadzor — Russia's privacy watchdog — told Interfax yesterday.

Facebook has until the start of 2018. Twitter already caved in. Zharov says that Facebook will have to comply with the new law by the start of 2018, or it could be banned.

Roskomnadzor — Federal Service for Supervision of Communications, Information Technology and Mass Media — manages a list of banned sites that local ISPs must block. It has previously used this list to temporarily block other major websites such as Wikipedia, Reddit, or PornHub.

Zharov also said that Twitter has already agreed to the demands of Russian officials and has informed Roskomnadzor that it plans to move data on Russian users on Russian servers by mid-2018.

China blocks WhatsApp using GFW upgrade

Chinese officials began blocking WhatsApp in mid-July when they stopped files and images being sent and later blocked other calls.

Officials did not provide an official reason for the ban, but it may be related to WhatsApp adding support for encrypted conversations that China’s surveillance apparatus cannot break.

Tumblr facing ban in South Korea for pornographic content

South Korean officials said they were considering a ban on Tumblr after the company refused to remove pornographic content from its network.

Tumblr received 22,468 requests from the Korean government from January to June related to pornographic content hosted on its blogs but rejected all requests claiming it was based in the US, and had no physical presence in the country, and not subject to Korean laws.

He also pointed out that Tumblr is famous for its loose policies and that's one of the reasons why the social network is now filled with adult-themed blogs. KCSC said that around 10% of Tumbler’s entire content is of pornographic nature.

Internet Explorer bug leaks what users type in the address bar

Microsoft's Internet Explorer browser is affected by a bug that allows rogue sites to detect what the user is typing in his URL address bar.

This includes new URLs where the user might be navigating to, but also search terms that IE automatically handles via a Bing search. Users copy-pasting URLs for Intranet pages inside IE would likely see this bug as a big issue.

The bug, spotted by security researcher Manuel Caballero, poses a privacy risk, as it could be used in reconnaissance operations in targeted attacks, but also for data harvesting by online advertisers.

Caballero also discovered a bug in Internet Explorer that allows malicious code to persist and keep running in the browser's background even if the user has closed the malicious page's tab. This bug can cause the user's computer to slow down and cause premature wear of the user's processor.

In addition, Caballero has also discovered other security bugs in Microsoft’s Edge, some of which Microsoft addressed, but others didn't.

Sudden rise detected in Faceliker malware that manipulates Facebook

Cyber-security firms are reporting a surge in detections for Faceliker, a malware strain that can take over browsers and manipulate Facebook "likes" on the behest of a remote party in order to promote social media trends, fake news, and other content.

The malware is usually packed in browser add-ons, and specifically Chrome extensions. Users are lured to pages that promote these rogue extensions, either using email or Facebook Messenger spam.

Bleeping Computer's Lawrence Abrams observed a similar increase in rogue Chrome extensions during the same period, some of which come with even more malicious features, besides giving "likes" to predetermined Facebook stories.

While Faceliker is a generic term used to describe malware that gives Facebook likes, users should be aware that malware never stands still.

Most of today's browser hijackers, besides giving Facebook likes, are also equipped with the ability to steal passwords, promote content on other networks, or insert ads or popups on top of legitimate pages.

Facebook offers an activity log for all user accounts. Users who notice strange likes for content they don't usually "like" should search their browser for extensions they don't remember installing, scan their computer with a security product, or reach out for help to a professional.

Cloudflare now provides unmetered DDoS mitigation without extra costs

In a move that's bound to rock the DDoS mitigation industry, Cloudflare announced yesterday its intention to offer DDoS protection at no extra costs during a DDoS attack's peak.

This is a very bold move as most DDoS mitigation firms make a large portion of their profits via what's known as surge protection.

Not many customers can afford DDoS attack surge protection

Surge protection kicks in when a DDoS attack reaches its peak and the customer's protection plan cannot handle all the incoming traffic.

DDoS mitigation firms usually ask customers to pay extra fees for surge protection, or even kick customers off their network in rare cases when the company's network can't handle the full attack without affecting other customers.

If a company cannot afford the surge protection costs, the DDoS attack usually reaches its goal and takes down the targeted website.

Even in cases where the company mitigates the attack, the bill at the end of the month is enough to make many victims reconsider and think about giving in to ransom or censorship demands the next time they face a similar attack.

"The reality is that our network today is at such a scale that we are able to mitigate even the largest DDoS attacks without it impacting other customers," says Matthew Prince, Cloudflare CEO, who claims Cloudflare can handle DDoS attacks of up to 15 Tbps.

"So today, on the first day of our Birthday Week celebration, we make it official for all our customers: Cloudflare will no longer terminate customers, regardless of the size of the DDoS attacks they receive, regardless of the plan level they use," Prince adds. "And, unlike the prevailing practice in the industry, we will never jack up your bill after the attack."

"We call this Unmetered Mitigation. It stems from a basic idea: you shouldn't have to pay more to be protected from bullies who try and silence you online," Prince says.

Cloudflare's technical team published two blog posts explaining how No Scrubs and Gatebot — two of their in-house developed technologies — allow the company to now provide unmetered DDoS protection.

Proof-of-concept exploit code published for remote iPhone 7 WiFi hack

A Google security researcher has published proof-of-concept code for a vulnerability that can be exploited via a WiFi connection to take over iPhone 7 handsets.

"The exploit gains code execution on the Wi-Fi firmware on the iPhone 7," says Gal Beniamini, a member of the Google Project Zero security team.

"Upon successful execution of the exploit, a backdoor is inserted into the firmware, allowing remote read/write commands to be issued to the firmware via crafted action frames, thus allowing easy remote control over the Wi-Fi chip," Beniamini says.

The exploit works remotely, no user interaction needed, and can be used to target any user attempting to connect to a rogue WiFi network.

Vulnerability now fixed in iOS, tvOS, Android

The researcher published the exploit code today after Apple released security updates for iOS last week. The issue affects all iOS versions but was fixed with the release of iOS 11.

While the demo code works on iPhone 7 devices, the vulnerability at the heart of the issue affects a broad range of products, such Android handsets, smart TVs running tvOS, and other devices with Broadcom WiFi chips.

Apple also released a fix for tvOS, and Google patched the vulnerability in Android at the start of the month via the Android Security Bulletin 2017-09-05 security patch level.

Beniamini said the bug — tracked as CVE-2017-11120 — affects Broadcom WiFi chips running firmware version BCM4355C0, and all devices where these WiFi chips and firmware are deployed. Beniamini discovered a similar Broadcom bug in April this year.

The issue is similar to Broadpwn, another vulnerability that affected Broadcom WiFi chipsets and that came to light over the summer.

Broadpwn works similarly to Beniamini's bug by allowing an attacker to execute code on remote devices without any interaction needed from the user.

Both Apple and Google issued patches for Broadpwn in mid-July, days before the security researcher who found the bug was scheduled to give a talk at the Black Hat USA 2017 security conference.

US plans to collect social media info from permanent residents, naturalized citizens

The US Department of Homeland Security (DHS) published documents on Monday that detail a plan for collecting extra information on all US immigrants, including not only permanent residents but also previously naturalized citizens.

According to a notice of modification to the 1974 Privacy Act System of Records, the DHS wants to collect extra information such as "social media handles, aliases, associated identifiable information, and search results."

The data will be used to expand the DHS' database on US immigrants with new information that would allow for easier tracking of immigrants, but also Americans who obtained official citizenship years or decades before.

Experts believe the DHS has taken this step as a direct consequence of the San Bernardino shooting that was carried out by Syed Farook and Tashfeen Malik. The latter was a former Pakistani citizen who obtained US citizenship after getting married to Farook, a Chicago native whose parents also emigrated from Pakistan.

The US believes that by gathering such data from immigrants it would be able to prevent similar future incidents.

The DHS would not require passwords from the targeted user group, but the collected information is more than enough to create accurate profiles on immigrants and their circle of friends.

In December 2016, US Customs started collecting similar social media details from foreigners from certain countries entering the US. This new DHS document is different because it covers people already in the US, some of whom have been living in the country for years.

The DHS notice, first spotted by BuzzFeed, is open to a comment period that ends in 22 days, on October 18, when the notice is scheduled to enter into effect.

The document's publication went largely unnoticed as President Trump signed a new travel ban into effect on the same day, setting new travel restrictions for people entering the US from Chad, Iran, Libya, North Korea, Somalia, Syria, Venezuela, and Yemen.

The new travel ban comes to replace a previous travel ban currently stuck in courts that was aimed at people traveling to the US from Iran, Syria, Libya, Somalia, Yemen, and Sudan.

First Android malware discovered using Dirty COW exploit

ZNIU is the name of the first in-the-wild Android malware that uses the Dirty COW vulnerability to infect users.

Dirty COW is a privilege escalation vulnerability in the Linux kernel that came to light last year, in October 2016. The vulnerability allows an attacker to elevate the privilege of attack code to "root" level and carry out malicious operations.

The Dirty COW bug existed in the Linux kernel code for nine years, since 2007. At the time of its discovery, Dirty COW was a zero-day and researchers said attackers used it against Linux servers. A patch was released immediately.

Dirty COW also affected Android devices

A few days later after its discovery, researchers found that Dirty COW could be used to root Android devices. This was because the Android OS is based on an earlier version of the Linux kernel, also susceptible to the Dirty COW exploit.

All versions of the Android OS were affected and Google released a patch for Android in November 2016.

ZNIU malware uses Dirty COW to root devices, plant backdoor

Yesterday, security researchers from Trend Micro published a report detailing a new malware family named ZNIU that uses Dirty COW to root devices and plant a backdoor.

Researchers say attackers use this backdoor to collect information on infected devices. The second stage of the attack happens only if the user is located in China. Attackers use the full control the backdoor grants them over the device to subscribe the user to premium SMS numbers that benefit a local company.

Trend Micro says it discovered more than 1,200 malicious apps that carry ZNIU available via various online websites. Most of the infected apps were gaming and pornography related.

The company says it detected about 5,000 users infected with the ZNIU malware, but the number could be bigger as the company had visibility only inside devices protected by its mobile security solution.

ZNIU made victims across 40 countries, but most were located in China and India.

At the technical level, ZNIU used a different Dirty COW exploit from the proof-of-concept code released by researchers last year.

This Dirty COW exploit code only works on Android devices with ARM/X86 64-bit architecture. When it infects Android phones with an ARM 32-bit CPU architecture, ZNIU would use the KingoRoot rooting app and the Iovyroot exploit (CVE-2015-1805) to gain root-level access instead of Dirty COW.

Apps infected with ZNIU never made it on the Google Play Store. To avoid exposing themselves to malware of any kind, users should avoid installing apps from anywhere outside the Play Store. The Play Store isn't perfect, but unlike most underground app stores it performs basic security scans.

Trend Micro's technical report on ZNIU's modus operandi is available here. A list with the package names of all infected apps is available here.

Hackers breached Deloitte, one of the "big four" accounting firms

Deloitte, one of the world's biggest accounting, auditing, and corporate finance consulting firms, has suffered a data breach.

The breach, according to a UK newspaper citing an inside source, took place in around October or November 2016 but was not detected until after six months, in March 2017.

The hackers allegedly broke in after managing to take over one of the email server admin accounts. The hack was facilitated because the admin user did not use two-factor authentication for the account.

"In a hack of this scale, criminals or spies will continue to reap dividends years down the road," Kenneth Geers, senior research scientist at Comodo told Bleeping Computer via email.

"The attack has gone on for at least six months, so the hackers may have been able to cover their tracks and/or install backdoors for future use," Geers added. "An admin username and password to a global email server is like a digital Swiss Army knife to corporate and client secrets. It is inexcusable for such an admin account not to have two-factor authentication."

Hackers accessed customer information, confidential emails

Over 244,000 Deloitte employees were using the email server. The company started an investigation into the hack but had never gone public with what happened.

The Guardian reported that hackers might have gotten their hands on confidential emails, IP addresses, business plans, architectural diagrams, and health information. Some email file attachments also contained usernames and passwords belonging to US companies and governmental agencies that had contracts with Deloitte.

A Deloitte spokesperson admitted to the security breach earlier today, after the news broke, but declined to confirm what the hacker stole.

Deloitte is said to be still investigating what areas of its networks hackers managed to access.

Investigative reporter Brian Krebs claims the company is playing down the severity of the breach.

Third hack at a financial institution this month

The company is one of the so-called "Big Four" accounting firms, together with Ernst & Young, KPMG, and PricewaterhouseCoopers. The Big Four provide accounting and other financial services to almost all major businesses across the globe.

The Deloitte hack is the third security breach at a major financial agency this month alone, after similar incidents at Equifax and the US Securities and Exchange Commission (SEC).

Avast publishes full list of companies affected by CCleaner second-stage malware

Last week, Avast published a full list of companies affected by the second-stage CCleaner malware, as part of its ongoing investigation into the CCleaner hack that took place last week.

Avast was able to compile this list of affected companies because, over the weekend, they were able to find a second server used by the attackers.

Last Friday, Avast published an update on its investigation of the CCleaner hack in which it said it managed to get its hands on the database of the server where the CCleaner malware was sending information about infected hosts.

Unfortunately, that server's database contained information for user infections between September 12 and September 16. Avast said that the database holding info on infected users crashed on September 10 after the server ran out of space.

Hackers installed a new server on September 12, which Avast, with the help of law enforcement, seized on September 15. The IP address of this main server was 216.126.225.148.

Avast finds second server holding backup database

Today, Avast said that after more digging around they were able to find a second server where hackers sent a backup of the original database before reinstalling the server and starting from scratch.

Avast said this second server was located at 216.126.225.163, on the same hosting provider as the first. ServerCrate, the hosting provider, provided support and made available the second server to Avast.

This means investigators now have a full list of infected hosts (except a 40-hour period when the server was down) affected by the CCleaner malware — both the first and second stage payloads.

646,536 computers confirmed as infected

Hackers compromised the CCleaner infrastructure in July, and between August 15 and September 12, the official CCleaner website offered a version of the app that was infected with malware.

Avast says that over 2.27 million users downloaded tainted versions of the CCleaner app in that time interval.

Based on data from the two C&C server databases, Avast says that 1,646,536 computers were infected with the Floxif first stage malware and reported back to the C&C server.

40 computers infected with second-stage payload

Based on a strict set of filters, Avast says that the C&C servers ordered the delivery of a second-stage malware (a potent backdoor) to only 40 of these 1.6 million computers.

Last week, Avast and Cisco said that only 20 computers were infected, meaning investigators found 20 more in the database backup.

Last week, investigators didn't reveal what companies were affected. In a table published today, Avast went public with this information, embedded below.