Critical 'Port Fail' Vulnerability Reveals Real IP Addresses of VPN Users

A newly discovered flaw affecting all VPN protocols and operating systems has the capability to reveal the real IP-addresses of users' computers, including BitTorrent users, with relative ease.

The vulnerability, dubbed Port Fail by VPN provider Perfect Privacy (PP) who discovered the issue, is a simple port forwarding trick and affects those services that:

• Allow port forwarding

• Have no protection against this specific attack

Port Forwarding trick means if an attacker uses the same VPN (Virtual Private Network) as the victim, then the real IP-address of the victim can be exposed by forwarding Internet traffic to a specific port.

"The crucial issue here is that a VPN user connecting to his own VPN server will use his default route with his real IP address, as this is required for the VPN connection to work," Perfect Privacy wrote in a blog post on Thursday.

Port Fail affects all VPN protocols including…

• OpenVPN
• IPSec

…as well as applies to all operating systems, posing a huge privacy risk.

How Does 'Port Fail' Work?

A successful IP address leak attack requires an attacker to be on the same VPN network as the victim and to know the victim's VPN exit IP address, which could be discovered by tricking a victim into visiting a website control controlled by the attacker.

For example, an attacker with port forwarding enabled can see the request from the victim's actual IP addresses by tricking the victim into opening an image file.

The same attack is possible for BitTorrent users, but, in this case, there is no need for the attacker to redirect the victim to their page.

In this case, the attacker only with the activated port forwarding for the default BitTorrent port, can expose the real IP-address of a VPN user on the same network.

Affected VPN Providers

The flaw affected various large VPN providers. Perfect Privacy tested nine VPN providers out of which five were found to be vulnerable to this flaw and were alerted last week.

VPN providers including Private Internet Access (PIA), Ovpn.to and nVPN have fixed the issue before publication.

However, the company warned, "other VPN providers may be vulnerable to this attack as we could not possibly test all."

Read More

Make It Harder for People to Find You on Facebook

With close to one-and-a-half billion people currently on Facebook, keeping a low profile can be tricky. It's in the site's best interest to make it easy for you to make connections with family, friends, and acquaintances. However, if you want to make it more difficult for people to track you down, there are ways to do it.

From the desktop website, dive into the Settings entry from the toolbar menu, then click through on the Privacyheading on the left. Under the Who can look me up? section you'll find three options that are of use to us here. By clicking on the Edit links to the right, it's possible to stop people who aren't already your friends looking you up via your email or phone number.

There's also the option to hide yourself from public search engines. Turn this off, and your Facebook profile won't appear the next time someone Googles or Bings your name on the open web-unfortunately you can't hide yourself from the search tools inside Facebook, unless you use an alternative or abbreviated name or something like that.

What you can do is limit the information Facebook has on you. Click the Update Info button on your profile, and remove references to workplaces, educational establishments, and places you've lived. This will make it harder for someone to locate you on Facebook, particularly if you've got a common name and are likely to get lost in a long list of search results.

Finally you can go back to the Privacy page and turn off the option that allows anyone with a Facebook account to contact you. Limit this to Friends of friends, and you won't have to pretend to ignore that old classmate of yours who's bombarding you with messages. He or she won't be able to reach you in the first place.

Read More

The Rise of "Onion-Layered" Attacks , IBM Says

"Onion-layered" security incidents have been on the rise throughout 2015, according to the IBM X-Force Threat Intelligence Quarterly report for Q4 2015.

Released this week, IBM’s report (PDF) cites four key trends that have been observed this year, with onion-layered and ransomware attacks joined by attacks coming from inside an organization and by an increased management awareness of the need to address security threats proactively.

IBM explains that onion-layered security incidents involve a second, more damaging attack hidden behind a visible one. Usually, these attacks are carried by two actors, namely a script kiddie, an unsophisticated attacker launching highly visible attacks which can be easily caught, and a more sophisticated stealthy attacker who might expand their grip of the victim’s network without being detected for weeks or even months.

"As the name suggests, an 'onion-layered' security incident is one in which a second, often significantly more damaging attack is uncovered during the investigation of another more visible event," the report said.

Such attacks demand large amounts of resources and time to investigate and mitigate, IBM says, given that stealthy attackers use sophisticated tools, are careful to cover their tracks, and use anti-forensic techniques to remain undetected. IBM also notes that anti-virus software alerts about malware on Internet-facing servers, unexpected reboots of servers and other unusual behavior, suspicious log records, and frequent user lockouts are signs that stealthy attackers have infiltrated a network.

Undetected attacks could prove highly damaging to companies, especially if the cybercriminals behind them manage to get hold of valuable data.  

“While the recovery of systems compromised by script kiddie attacks might take only a few days of an operation team’s time and effort, the job of finding a root cause, then fully understanding and remediating the work of the stealthy attackers could take months,” IBM said. Meanwhile, an undetected attacker could roam the network undetected, ultimately trying to gain access to the client’s crown jewels.

Earlier this year, Corero Network Security warned that distributed denial-of-service (DDoS) attacks were being leveraged to circumvent cybersecurity solutions, disrupt service availability and infiltrate victim networks.

"The danger in partial link saturation attacks is not the ‘denial of service’ as the acronym describes, but the attack itself," Corero said. "The attack is designed to leave just enough bandwidth available for other sophisticated multi-vector attacks with data exfiltration as the main objective, to fly in under the radar, while the distracting DDoS attack consumes resources."

Based on investigations conducted by Mandiant/FireEye throughout 2014, the median number of days that attackers were present on a victim’s network before being discovered was 205 days.

IBM provided fundamental advice, suggesting that organizations keep systems updated and increase their visibility into the network, as well as build an internal security operations center, create operational procedures, and ensure an appropriate level of logging, in addition to periodically performing penetration testing exercises.

Read More

Subtitle Hack: 200 Million Devices Are Vulnerable, Download Fix For VLC, Kodi, Etc.

A simple but malicious subtitle file can be used to gain control of your PC, TV or smartphone. Check Point researchers have spotted vulnerabilities in VLC, Kodi, Stremio, and Popcorn Time in the way these media players handle subtitle files. As of now, fixes have been released for the media players.

According to a blog post published by Check Point security, a subtitle file could be modified to create a new attack vector and compromise the devices such as PCs, mobile devices, TVs, etc running vulnerable media players. Once compromised, the attacker can perform remote code execution, steal data, use the device as a pawn in a DDoS attack, and more.The researchers say, delivering a cyber attack when subtitles are loaded onto a media players is a “completely overlooked technique”.Most of the people download subtitles files from repositories on the web without giving a second thought, treating them as no more than innocent text files.The researchers say that attackers can upload a malicious subtitle on a repository and manipulate the rankings to put their results on the top. This could result in an increase in manual download counts and automatic download counts (by media players).They also note that subtitles aren’t considered as a threat in comparison to traditional attack vectors which are well-known to security companies and users. That’s the reason a malicious code hiding in a subtitle file could easily sneak through filters deployed by antivirus software.The actual vulnerability lies in the way the media players handle subtitle files. One aspect that contributes to the complexity of the whole thing is a large number of subtitle formats each having its own set of features. Currently, there are around 25 subtitle formats in circulation.Different media players have their own method of parsing and combining different subtitle formats in order to enhance user experience. As a result, the researchers were able to find distinct vulnerabilities in affected media players.The list of affected media players includes VLC, XBMC Kodi, Popcorn Time, and Stremio. However, the researchers don’t exclude the possibility of the exploit existing on other media players. 

The researchers haven’t published further details as the developers are currently investigating the vulnerability.Each of the affected media players has millions of users with VLC topping the list. The last release of VLC (June 5, 2016) has been downloaded more than 170 million times. In total, the researchers estimated that around 200 million devices running the affected media players are exposed to the attack.

Download Subtitle Hack Fix:

Check Point researchers contacted the developers of the affected media players in April 2017. Thankfully, the security patches have been released.

In the case of VLC, the attacker can leverage memory corruption bug. The media player had four vulnerabilities (CVE-2017-8310, CVE-2017-8311, CVE-2017-8312 and CVE-2017-8313) which have been fixed by VideoLan.

A fix for VLC is available as the latest version 2.2.5.1 which is present on the VideoLan’s website. The same is the case of Stremio.

The developers of Popcorn Time and Kodi have created a fix, but it’s not released for public yet. For Popcorn Time, you can download the fix manually using this link provided by the researchers. Head over to GitHub where you can find a source code fix for XBMC Kodi.

Read More

All Android Phones Vulnerable to Extremely Dangerous Full Device Takeover Attack

Researchers have discovered a new attack, dubbed 'Cloak and Dagger', that works against all versions of Android, up to version 7.1.2.

Cloak and Dagger attack allows hackers to silently take full control of your device and steal private data, including keystrokes, chats, device PIN, online account passwords, OTP passcode, and contacts.

What's interesting about Cloak and Dagger attack?

The attack doesn't exploit any vulnerability in Android ecosystem; instead, it abuses a pair of legitimate app permissions that is being widely used in popular applications to access certain features on an Android device.

Researchers at Georgia Institute of Technology have discovered this attack, who successfully performed it on 20 people and none of them were able to detect any malicious activity.

Cloak and Dagger attacks utilise two basic Android permissions:

• SYSTEM_ALERT_WINDOW ("draw on top")
• BIND_ACCESSIBILITY_SERVICE ("a11y")

The first permission, known as "draw on top," is a legitimate overlay feature that allows apps to overlap on a device's screen and top of other apps.

The second permission, known as "a11y," is designed to help disabled, blind and visually impaired users, allowing them to enter inputs using voice commands, or listen content using screen reader feature.

Scary Things Hackers Can Do to Your Android (Demo)

Since the attack does not require any malicious code to perform the trojanized tasks, it becomes easier for hackers to develop and submit a malicious app to Google Play Store without detection.

Unfortunately, it’s a known fact that the security mechanisms used by Google are not enough to keep all malware out of its app market.

If you are following regular security updates from The Hacker News, you must be better aware of frequent headlines like, "hundreds of apps infected with adware targeting play store users," and "ransomware apps found on play store."

Just last month, researchers uncovered several Android apps masqueraded as an innocent "Funny Videos" app on Play Store with over 5,000 downloads but distributed the 'BankBot banking Trojan' that steal victims' banking passwords.

Here's what the researchers explained how they got on the Google Play Store to perform Cloak & Dagger attacks:

"In particular, we submitted an app requiring these two permissions and containing a non-obfuscated functionality to download and execute arbitrary code (attempting to simulate a clearly malicious behavior): this app got approved after just a few hours (and it is still available on the Google Play Store)." researchers say.

Once installed, the researchers say the attacker can perform various malicious activities including:

• Advanced clickjacking attack
• Unconstrained keystroke recording
• Stealthy phishing attack
• Silent installation of a God-mode app (with all permissions enabled)
• Silent phone unlocking and arbitrary actions (while keeping the screen off)

In short, the attackers can secretly take over your Android device and spy on your every activity you do on your phone.

Google Can’t Fix It, At Least Not So Fast

University researchers have already disclosed this new attack vector to Google but noted that since the issue resides in the way Android OS has been designed, involving two of its standard features that behave as intended, the problem could be difficult to resolve.

"Changing a feature is not like fixing a bug," said Yanick Fratantonio, the paper's first author. "System designers will now have to think more about how seemingly unrelated features could interact. Features do not operate separately on the device."

As we reported earlier, Google gives "SYSTEM_ALERT_WINDOW" ("draw on top") permission to all applications directly installed from the official Google Play Store since Android Marshmallow (version 6), launched in October 2015.

This feature that lets malicious apps hijack a device's screen is one of the most widely exploited methods used by cyber criminals and hackers to trick unwitting Android users into falling victims for malware and phishing scams.

However, Google has planned to change its policy in 'Android O,' which is scheduled for release in the 3rd quarter this year.

So, users need to wait for a long, long time, as millions of users are still waiting for Android Nougat (N) from their device manufacturers (OEMs).

In other words, the majority of smartphone users will continue to be victimised by ransomware, adware and banking Trojans at least for next one year.

Temporary Mitigation

The easiest way to disable the Cloak and Dagger attacks in Android 7.1.2 is to turn off the "draw on top" permission by heading on to:

Settings → Apps → Gear symbol → Special access → Draw over other apps.

The universal and easiest way to avoid being hacked is always to download apps from Google Play Store, but only from trusted and verified developers.

You are also advised to check app permissions before installing apps. If any app is asking more than what it is meant for, just do not install it.

Read More

3 Nigerian Scammers Get 235-Years of Total Jail Sentence in U.S.

You may have heard of hilarious Nigerian scams. My all time favourite is this one:

A Nigerian astronaut has been trapped in space for the past 25 years and needs $3 million to get back to Earth, Can you help?

Moreover, Nigerians are also good at promising true love and happiness.

But You know, Love hurts.

Those looking for true love and happiness lost tens of millions of dollars over the Nigerian dating and romance scams.

These criminals spend their whole day trolling the online dating sites for contact emails and then send off hundreds of thousands of fraudulent emails awaiting the victim's response.

A US federal district court in Mississippi has sentenced such three Nigerian scammers to a collective 235 years in prison for their roles in a large-scale international fraud network that duped people out of tens of millions of dollars.

The three Nigerian nationals were part of a 21-member gang of cyber criminals, of which six, including Ayelotan, Raheem, and Mewase, were extradited from South Africa to the Southern District of Mississippi in July 2015 to face charges in the case.

• Oladimeji Seun Ayelotan, 30, faces up to 95 years in prison
• Rasaq Aderoju Raheem, 31, faces up to 115 years in prison
• Femi Alexander Mewase, 45, faces up to 25 years in prison

A federal jury found all of them guilty of offenses involving mail fraud, wire fraud, credit card fraud, identity theft, and theft of government property, the US Department of Justice announced Thursday.

Also, Ayelotan and Raheem were found guilty of conspiracies to commit bank fraud and money laundering, which is why they have been given longer prison sentences.

Until now, the justice department has charged a total of 21 suspects in this case: 12 defendants have already pleaded guilty to charges related to the conspiracy while 11 have been sentenced to date.

The gang has been operating since 2001 and ran a variety of online scams, including romance scams, where the criminals used the false identity of love-struck girlfriends on a dating site to establish a romantic relationship with unsuspecting victims.

Once the gang members gained the victim's trust and affection, they would convince them to carry out their money laundering schemes and launder money from other rackets via MoneyGrams and Western Union, or resend electronics and other goods bought with stolen credit cards to countries where they could be sold for a profit.

The gang members were arrested by South African police in a joint operation with U.S. Immigration and Customs Enforcement's Homeland Security Investigations (HSI) and the U.S. Postal Inspection Service in December 2015.

However, Nigerian scams will never die, and you could be their next victim.

Read More

Indian Hackers Leaks 1.7 Million Snapchat User Data

Snapchat is going through one of its worst weeks in a while. First the ratings of its app took a nose dive in the fallout of its CEO’s alleged comment calling Indians poor ( read more about it here ) and now, reports are coming in that a hacker group has released details of around a million accounts.

White Hat Hackers

According to reports coming in, the leak contains user details of approximately 1.7 million accounts. The group that has leaked the details seems to be a white hat hacker group. White hat hackers usually hack into software systems to find loopholes that can be exploited and then report them for a reward. From the reports so far, we gather this particular group is considered to be one of the top white hat hacking groups around.

The report alleges that this data was acquired a while ago and has only now been released as a retaliation to Evan Spiegel’s comments. However, Snapchat is yet to officially confirm that any breach has taken place nor has there been any external confirmation of a breach whatsoever. Therefore, take this news with a pinch of salt for now.

The Controversy over the comments

Meanwhile Snapchat is still reeling over the comments which people have take offence to. It should be noted however, that these comments are only attributed to Evan Spiegel. There is no evidence that he’s actually said it, with the company officially denying it as well. The app has still faced the brunt through #BoycottSnapchat and #Uninstall_Snapchat trending on twitter over the weekend and the app ratings hitting the lowest possible in India & 2 out of 5 in the US.

Source: Indiatimes

Read More