INDIATRIKS

Android Tool Designed to Steal Information from PCs

noreply@blogger.com (Unknown) — Mon, 01 Jul 2013 17:00:00 +0000

Security researchers from F-Secure have managed to locate an interesting Android hack tool identified as HackTool:Android/UsbCleaver.A, allows anyone to steal sensitive information from a PC by connecting an Android phone to it.

The hacker must install an application called USB Cleaver on his/her Android device. Once executed, the app downloads additional files from a remote server.

These files are actually various utilities designed to retrieve certain pieces of information from a Windows computer.

When the Android device is connected to the Windows PC, it automatically starts collecting browser passwords, the Wi-Fi password and network information.

The app allows the user to select what type of information should be harvested. The gathered information is copied into a folder from the Android device’s SD card.

Fortunately, there’s a simple way for users to protect themselves against such hack tools. That’s because the app creates an autorun.inf file that triggers the automatic gathering of information.

Linux 3.10 Is Out With a New Method of SSD Caching

noreply@blogger.com (Unknown) — Mon, 01 Jul 2013 08:30:00 +0000

Linux 3.10 was released by Linus Torvalds last night, bringing with it a new method of SSD caching and some upgrades to the Radeon graphics driver.

The two most significant changes in Linux 3.10 are the aforementioned SSD caching "and support for the newer Radeon graphics cores' video decoder," Leemhuis wrote. "The Radeon driver in the Linux kernel now offers interfaces for interacting with the Unified Video Decoder on Radeon HD 4000 and later HD graphics cards. An open source UVD driver which uses this interface will be included in the next major revision to Mesa 3D (version 9.2 or 10.0). The kernel now supports the graphics chip on the recently released Richland processor family, otherwise known as A4, A6, A8, and A10 series APUs. Linux can also now address Radeon Hainan GPUs."
Other changes allow newer Intel GPUs to be overclocked. Systems with Intel GPUs can also now wake from standby faster.

Beware of Unpatched Backdoor in Atlassian Crowd Authentication Service

noreply@blogger.com (Unknown) — Sun, 30 Jun 2013 19:16:00 +0000

Over 25,000 companies from all over the world rely on Atlassian’s solutions, including organizations from the automotive, consulting, education, engineering, entertainment, government, health and other industries.

According to the advisory published by Command Five, Crowd users should update their installations as soon as possible because an exploit for a vulnerability discovered in 2012 has become widely available.

The security hole can be leveraged by an attacker to retrieve data and files from the Crowd server by crafting entity URLs. In addition, the flaw can be leveraged for denial-of-service (DOS) attacks.

“If a hacker uses the vulnerability to retrieve a file containing credentials, they can then authenticate with the Crowd server directly, or use the exploit again to bypass trusted proxy/remote address validation as described above,” the advisory reads.
“Successful exploitation of this vulnerability can (but does not necessarily) lead to a hacker taking full control of an organization single sign on service, potentially resulting in a catastrophic security event. Regardless, successful exploitation is likely to enable high velocity lateral movement within the targeted organization,” researchers explain.

However, the patched vulnerability is not the main concern. Command Five says there is at least one critical vulnerability in Crowd that hasn’t been patched.

The flaw can be exploited by an unauthenticated remote attacker to take full control of any Crowd server they can connect to.
Cyber criminals can compromise application credentials, user credentials, data storage, configured directories and dependent secure systems.

Diet spam campaign have moved to Instagram

noreply@blogger.com (Unknown) — Sun, 30 Jun 2013 09:30:00 +0000

The messages that make the rounds on Instagram show pictures of fruit. The pictures are accompanied by a bogus BBC News message which promotes an “exclusive offer” for a fruit diet.

In some cases, the spammers continue to trick users by claiming that the diet has been recommended by Dr. Oz.
Unfortunately, the Instagram spam run appears to be highly successful. One of the links has been clicked more than 35,000 times already.

“Earlier today a small portion of our users experienced a spam incident where unwanted photos were posted from their accounts. Our security and spam team quickly took actions to secure the accounts involved, and the posted photos are being deleted,”

Facebook, which owns Instagram, has told Gigaom.Instagram has started resetting the passwords of the impacted users.

Security expert Janne Ahlberg has been closely monitoring the evolution of the miracle diet spam campaign. Over the weekend, he reported that spam messages were spotted not only on Twitter, but on Facebook, Tumblr and Pinterest as well.

Facebook Is Working On Mobile News App Reader

noreply@blogger.com (Unknown) — Mon, 24 Jun 2013 10:30:00 +0000

According to the Wall Street Journal, Facebook is working on a service that include iPhone users provides news . The business newspaper relies on unnamed sources to come. Organization itself from Facebook Reader news would bundling both users and publishers.

Facebook would already more than a year working on the service. Reader would look like Flipboard, the app that collects news based on the user preferences. The social network refused to comment to the Journal. Facebook would like to increase with Reader. Its attractiveness to advertisers in the mobile segment.

According to anonymous sources, Mark Zuckerberg personally oversee the project and in contrast to the development of other services is deliberately taken the time to a full-fledged news service to make it as good as possible to work on both smartphone and tablet Reader. Initially targeted at Apple's iOS as a platform.

Spying Software Found on Chinese Devices

noreply@blogger.com (Unknown) — Mon, 24 Jun 2013 09:00:00 +0000

According to Reuters, several pieces of spying software have been identified on several devices owned by Chen, including an iPhone and an iPad he had received shortly after his arrival to the US from the wife of activist Bob Fu, the man who runs the Christian group called ChinaAid.

After fleeing to the US last year in May, Chinese activist Chen Guangcheng was given a fellowship at the New York University. Now that the period of his fellowship has come to an end, some interesting aspects of the story have come to light.

The presence of the spyware has been brought to light by NYU professor Jerome Cohen and another individual familiar with the incident.
While some say that the devices were plagued with spy software right from the start, others point the finger at the NYU for installing the applications.
Among the spy applications, technicians found one that secretly turned the devices into a tracking system, and a password-protected program that uploaded data to a remote server.

Anonymous Social Networking With Your Real Friends : Unface.Me

noreply@blogger.com (Unknown) — Sun, 23 Jun 2013 18:00:00 +0000

The world has changed, and it is important for us to face certain realities i.e; there’s a greater reliance on technology,this has led to significantly less face-to-face interactions,even when such interactions occur, rarely are they wholly honest conversations and this leaves most of us desperately resorting to the web to engage in anonymous discussion boards or to create alias Twitter accounts just to be heard.

The general idea behind unface.me: engage in anonymous and truthful discourse with people you already know. This is done by connecting your Facebook account to an unface.me alias (“AlterEgo”) that you create, and then interacting with other users from your current network of friends who also have AlterEgos.

How can this be used toward forming better relationships? Well, for one thing, it will allow users to be completely honest about themselves. A lot of topics are difficult to talk about (such as one’s mental health) and have potential professional consequences (not getting hired because of a history of depression). Unface.me can give people this medium for expressing their emotions or thoughts honestly, without fear of people knowing their true identity.

This anonymity also allows for the changing of personal behaviors and the development of overall empathy. As people learn sensitive things about their friends, they may become more socially aware of and self-identifying with the daily struggles of others, and thereby change their day-to-day behaviors or interactions with them. So, the result? Closer bonds with those around us.
We don’t have to sacrifice honesty in the age of social media. If Dan Humphrey was able to pull off complete anonymity for five years and end up with a closer set of friends, why shouldn’t we?

Try out unface.me for yourself.........!

Facebook Issue May Have Leaked Your Email and Phone Number

noreply@blogger.com (Unknown) — Sun, 23 Jun 2013 05:30:00 +0000

Facebook just published a data breach notification on its security blog.
You might not immediately notice that from the title of the article, which announces itself as an "Important Message from Facebook's White Hat Program."
The cloud (bad pun intended) is that Facebook's systems made the fault possible in the first place.

What Facebook seems to be admitting to, in Friday's breach notification message, is that it was careless with the aggregated data accumulated from contact list uploads.
The problem, says Facebook, lay in its Download Your Information (DYI) feature, which exists so you can suck down everything you've previously entrusted to the social networking giant.

DYI improves availability, because it allows you to make your own off-site backup of everything you've stored on Facebook. It improves transparency, because it acts as a record of everything you've uploaded to Facebook over the years.But there was a bug in DYI, of the data leakage/unauthorised disclosure sort.
Apparently, DYI was capable of letting you download more than you'd uploaded in the first place.

U.S. is Spying on China,Stealing ‘Millions’ of Texts : Edward Snowden

noreply@blogger.com (Unknown) — Fri, 21 Jun 2013 18:50:00 +0000

Former NSA contractor Edward Snowden revealed on Saturday that the U.S. is tapping into Chinese mobile carriers to access customers’ text messages.
It’s not just a few messages, either. Snowden told the South China Morning Post that millions of Chinese text messages are being harvested by the U.S.

“China should set up a national information security review commission as soon as possible,” Snowden told the paper.
Chinese mobile users sent over 900 billion text messages in 2012, according to government statistics, so if Snowden’s claims are true, the United States’ surveillance isn’t too extensive in the grand scheme of things. (Chinese officials likely won’t see the situation in that light though.)

The reveal will make an already rocky relationship between the U.S. and China even more tumultuous. President Obama and China’s new president Xi Jinping have already had several conversations about cybersecurity relations, and both leaders are also kicking off a series of regular talks between the two countries.

Android Ransomware

noreply@blogger.com (Unknown) — Thu, 20 Jun 2013 15:55:00 +0000

These days, fake Antivirus programs that run under Windows look just as good as real, valid antivirus tools. They'll run a scan for free—a fast one, since there's no actual scanning going on. However, to remove the imaginary malware found by the scan, you'll have to pay up. In a recent blog post, Symantec researcher Joji Hamada reported that this type of malware has come to Android, and it's even more aggressive than the typical Windows fake antivirus. Symantec calls the malware sample featured in this post Android.Fakedefender, because it installs as a trial version calling itself Android Defender.

The typical Windows-based fake antivirus programs attempt to scare the user into paying for a registered version by displaying frightening scan results, hence the name scareware. They work hard to look just like a valid antivirus, to the point that some even offer tech support. It's not uncommon for victims to express outrage when a legitimate security product removes the fake one: "Hey, that's my antivirus! I paid for that!"

Porn Discovered :

In what may be an attempt to discourage you from seeking help, the fake antivirus reports that it has detected malware attempting to steal pornographic content from the phone. How embarrassing! At this point, you can't delete the fake antivirus and can't launch any other apps. The only way to recover, short of a hard reset, is to purchase the full version. It's effectively holding your phone for ransom. Hamada didn't state whether paying the ransom actually unlocks the phone.

F-Secure's Mikko Hypponen has gone on record stating that the biggest threat for Android users is losing your phone, not malware. Hamada begs to differ, pointing out that malware like this is really, really hard to remove once it gets a foothold. He advises running mobile security software to keep threats like this from installing in the first place.

Sweet Orange Exploit Kit

noreply@blogger.com (Unknown) — Thu, 20 Dec 2012 02:30:00 +0000

Malware is a business; people make their living writing and distributing it. Exploit kits are an effective and streamlined methodology of distributing malware; they allow the Bad Guys to distribute payloads at a higher level than we have seen in the past. For this reason we've seen exploit kits grow in popularity over the last few years.

BlackHole is the most famous and the most utilized exploit kit these days, but that doesn’t mean there aren’t others that have the potential to compete with it. One of them is the Sweet Orange exploit kit, which is presumably capable of some impressive things.

Developers of Sweet Orange boast that their creation has a small footprint, a high infection rate, and the ability to drive 150,000 unique daily visitors to a website.

They claim that around 10% to 25% of those who land on the malicious website will be infected, meaning that at least 15,000 bots should be added to the botnet each day.

So far, experts have managed to identify 45 different IP addresses and 367 domains utilized by Sweet Orange, which makes the 150,000 unique daily visitors forecast sound valid.

MyBB Security Release

noreply@blogger.com (Unknown) — Sat, 15 Dec 2012 12:08:00 +0000

The SQL Injection vulnerability, which affected all MyBB versions, affected the post editing section. The second flaw allowed brute-force access because the CAPTCHA system was not effective.

An issue which prevented the editor from working in Firefox 16 and newer versions of the web browser has also been addressed.

Users are advised to immediately update their installations, but not before backing up their forum files and databases.

Those who identify similar vulnerabilities are advised to responsibly disclose them to the vendor via their contact page or via the Private Inquiries forum.

Facebook and Walmart Offer $1,000 Christmas Gift Cards Scam

noreply@blogger.com (Unknown) — Sat, 15 Dec 2012 05:04:00 +0000

On Facebook Some posts, claiming that the social media network has partnered up with Walmart and they’re giving away free $1,000 (764 Euro) gift cards.

“Hey friends, I got a $1000 Gift Card from WALMART as a Christmas Gift! Get it right away! -> bil.ly,” the malicious Facebook posts read.

Users who fall for it and click on the link are taken to a website where they’re presented with instructions on how to provide their authentication tokens.

Then they’re asked to install a bogus Walmart Facebook app and participate in all sorts of surveys.

By doing what the scammers ask of you, you’re actually allowing them to post on your Facebook timeline. Furthermore, by participating in the surveys, you’re helping them make a profit.

If you did make the mistake of installing the Facebook application, then you could be spamming the message to your friends. Clean up your newsfeed and profile to remove references to the scam. (click the “x” in the top right hand corner of the post).

Trojan Upclicker: Using a Mouse To Evade Automated Analysis

noreply@blogger.com (Unknown) — Fri, 14 Dec 2012 16:03:00 +0000

We came across another sample, called Trojan Upclicker, that went one step further: using a mouse to evade automated analysis.

Per the code in Figure , the function SetWinodwsHookExA is called with 0Eh as a parameter. Per MSDN the parameter 0Eh is used to hook a mouse. Pointer fn is the pointer to the hooked procedure in the code.

The Trojan analyzed by FireEye, Upclicker, is interesting because the malicious code is executed only after the user clicks the left mouse button and releases it.
Upclicker establishes malicious communication only when this particular action is performed.

Trojan Upclicker establishes malicious communication only when the left mouse button is clicked and released. Since, in sandboxes, there is no mouse interaction, the malicious behavior of Upclicker remains dormant in a sandbox environment.
When the code runs, it waits 300,000 milliseconds, or five minutes, before executing the DecryptCode subroutine. It then waits 20 minutes and executes the ModifyRegistry subroutine. After executing the Network_main subroutine, it waits another 20 minutes.

Automated threat analysis systems only spend a small amount of time on one file so they may not detect the code as malware.

Carberp : Trojan-Spy.AndroidOS.Citmo

noreply@blogger.com (Unknown) — Fri, 14 Dec 2012 15:46:00 +0000

For a long time, only two families of such malware have been known: ZeuS-in-the-Mobile (ZitMo) and SpyEye-in-the-Mobile (SpitMo). ZitMo and SpitMo work together with their Windows ‘brothers’. Actually, without them, they would look like trivial SMS spy Trojans. It is necessary to mention that during the last two years such attacks have been observed only in some European countries like Spain, Italy, Germany, Poland and few others.

In order to gain access to online banking accounts, the attackers need to get a hold not only of the victim’s username and password, but also of the mobile Transaction Authentication Number (mTAN) that’s used for two-factor authentication.

But when the mobile version of Carberp Trojan appeared ,such attacks became real in Russia as well. There is no secret that online banking is becoming more and more popular in Russia; and banks are very active in promoting online banking with various authorization methods.
Carberp for Windows works in a similar way to the ZeuS Trojan. If a user tries to login into his online banking account using a machine infected by Carberp, the malware will modify the transaction so that user credentials are sent to a malicious server rather than a bank server.
In addition to the login and password, cybercriminals still need mTANs in order to confirm any money transfer operation from a stolen account. That is why one of the Carberp modifications (we call it Trojan-Spy.Win32.Carberp.ugu and we've added detection for it on 11th of December) alters the online banking web page on the fly, inviting the user to download and install an application which is allegedly necessary for logging into the system. And the user can get this link via SMS message by entering his phone number or by scanning a QR-code .

The CitMo Android Trojan works in almost the same way as ZitMo. It is able to hide particular SMS messages and resend them to the attacker's command server. Some versions of ZitMo resend SMS messages to particular cell phone numbers in addition to various web servers. Known versions of CitMo and the Windows module of Carberp (Trojan-Spy.Win32.Carberp.ugu) work only with the remote server ‘bersta***.com’.

California Department of Health Care Mistakenly Publishes Details of 14,000 People

noreply@blogger.com (Unknown) — Thu, 13 Dec 2012 11:48:00 +0000

State of California has mistakenly published thousands of Social Security numbers on the Internet.
The list includes Medi-Cal providers in 25 California counties, including Amador, Calaveras, Colusa, Nevada, Placer, Sutter, Tuolumne and Yuba.

The information, belonging to Medi-Cal providers working for In-Home Supportive Services, had been posted on the Medi-Cal website for a period of nine days before someone noticed the error.

Individuals from 25 countries are affected by the breach. Those impacted will be receiving notification letters and they’re being offered one year of free credit monitoring services.

Additional measures are being deployed to avoid such incidents from occurring in the future.

The confidential information was available on the state's Medi-Cal website for anyone to see for a period of nine days, before the mistake was discovered and the numbers removed.Social Security numbers are a key ingredient for identity theft.

This is the second time in the past 5 months when In-Home Supportive Services providers are affected by a data breach. Last time, a total of 750,000 people were exposed by a breach at the Department of Social Services.

Internet Explorer Can Track Your Mouse Cursor

noreply@blogger.com (Unknown) — Wed, 12 Dec 2012 16:37:00 +0000

Internet Explorer can track your mouse anywhere on the scree,even when you aren’t browsing

A new Internet Explorer vulnerability has been discovered that allows an attacker to track your mouse cursor anywhere on the screen, even if the browser is minimized. All supported versions of Microsoft’s browser are reportedly affected: IE6, IE7, IE8, IE9, and IE10.

Explorer can track your mouse movements anywhere on the screen,even if the Internet Explorer window is minimized. The vulnerability is particularly troubling because it compromises the security of virtual keyboards and virtual keypads.. And Microsoft, which was informed of the massive potential security hole over two months ago, has no plans to fix it. Which means that as you explore the web, the web can explore you right back.

Internet Explorer’s event model populates the global Event object with some attributes relating to mouse events, even in situations where it should not. Combined with the ability to trigger events manually using the fireEvent() method, this allows JavaScript in any webpage (or in any iframe within any webpage) to poll for the position of the mouse cursor anywhere on the screen and at any time—even when the tab containing the page is not active, or when the Internet Explorer window is unfocused or minimized. The fireEvent() method also exposes the status of the control, shift and alt keys.

Affected properties of the Event object are altKey, altLeft, clientX, clientY, ctrlKey, ctrlLeft, offsetX, offsetY, screenX, screenY, shiftKey, shiftLeft, x and y.

A demonstration of the security vulnerability may be seen here: iedataleak.spider.io/demo.

For the data to be useful, the attacker would have to know what website you are currently using. Given that it’s already being used by advertisers, however, this can’t be particularly hard to achieve. They can take note of where they place their malicious ads, and an attacker would of course know the layout of the malicious page they design, or the legitimate one they hijack for such a scheme.

Joomla And WordPress Bulk Exploit serving Fake Antivirus Malware

noreply@blogger.com (Unknown) — Wed, 12 Dec 2012 07:18:00 +0000

Many Joomla and some WordPress sites exploited and hosting IFRAMES pointing to bad places :

Fake antivirus threats display a fraudulent scanning result to intimidate users into “purchasing” the fake antivirus program.WordPress and Joomla exploits have existed for years, and cybercriminals have thus been exploiting them for a long time. Yet the situation may have gotten slightly more serious as of late, as there appears to be a bulk exploit tool being used in the wild, targeting sites running both popular content management systems, and having them serve up fake antivirus malware to visitors.

The biggest pain is around Joomla users, particularly with extensions which greatly increase the vulnerability footprint and the one thing helping WordPress is the really nice feature of 1-button upgrades (and upgrades which don't tend to break your website.

The IFRAMES seem to have rapidly changing FQDN's that it is using but the common element is /nightend.cgi?8. Two of the bad IPs that seem to be frequent offenders are 78.157.192.72 and 108.174.52.38. Ultimately it pulls FakeAV software to do it's badness.

In other words, if you use WordPress or Joomla, get on the latest version as soon as possible. It’s unclear how widespread this attack is, but there is no excuse for using an insecure release of your content management system.

Make sure all your software is up-to-date and kept that way on a regular basis.

Gmail Phishing Scam

noreply@blogger.com (Unknown) — Wed, 12 Dec 2012 06:49:00 +0000

Another phishing scam that relies on the old “account update” theme is currently making the rounds, attempting to trick Gmail users into handing over their usernames and passwords.

Image credits: Hoax Slayer
users who click on the links contained in the email are taken to a site that almost perfectly replicates the Gmail sign-in page.

Once they provide their usernames and passwords, victims are presented with a second phishing page on which they’re requested to enter their phone numbers, which are allegedly needed for verification purposes.

In the final part of the scheme, users are asked to provide an alternate email address.

Cybercriminals are leveraging the fact that it’s not difficult for internauts to click on a link and log in to their Gmail accounts. This is why it’s important for users to be suspicious of any notification that claims to come from Gmail, Facebook or any other popular website.

The message is not from Gmail and the claim that users will lose their accounts if they do not verify their information is a lie. The email is a phishing scam designed to steal login information for Gmail and other webmail accounts as well as trick victims into divulging their phone numbers to Internet criminals.

Beware Of Malware Receipt From Australian Power & Gas

noreply@blogger.com (Unknown) — Tue, 11 Dec 2012 19:30:00 +0000

Australian Power & Gas Payment Receipt carry a piece of malware that’s disguised as a harmless-looking PDF file.

Australian users should beware of emails entitled “Approved Payment Receipt” that purport to come from the “team” at Australian Power & Gas.

Example :

Subject: Approved Payment Receipt
Australian Power & Gas Payment Receipt
Dear Customer,
We have recently received a credit card payment from you, for your Australian Power & Gas account. This payment has been successfully processed and receipt details are shown below in the attached file.
Transaction Details
Payment Time: Tue, 11 Dec 2012 07:43:54 +0900
Reference One: 2404390362
Reference Two: 01600833
Payment Receipt Number : 3530928186
Note: This payment will appear on your credit card statement with the merchant reference `Australian Power & Gas`.
Kind Regards,
The team at Australian Power & Gas

Australian Power & Gas representatives are aware of this spam campaign and they’ve even issued an alert on Facebook to warn their customers about it.

The .zip file attachment harbours a malicious .exe file. Running the .exe file can install malware on the user's computer. If you receive one of these bogus emails, do not open any attachments or click on any links that it contains.

Hack Windows 8 To Get Free Games

noreply@blogger.com (Unknown) — Tue, 11 Dec 2012 16:00:00 +0000

A Nokia engineer who has previously pointed out security holes in Microsoft’s Windows 8 has now posted a detailed step-by-step explanation of how to hack Windows 8 games.

Unfortunately his site is down now :

Angel shows how to hack Windows 8 in not one, not two, and not even three ways … but no less than five different ways, showing users how to:

get free in-app purchases by modifying encrypted IsoStore files
crack trial apps and get paid versions for free
remove in-app ads from free games
reduce the cost of in-game paid items
unlock paid levels by a script-injection techniques

#1: Compromising in-apppurchases by modifying IsoStore

The Win8 gameSoulcraftis atop game on Androidand is subjectively one of best examples of its genre onWindows 8. It’s a basic RPG where you play an archangelbattling the forces of evil in stylish 3D. You’ve got acharacter, its got equipment and you pay with gold withgold to buy better equipment. The gold has to bepurchased for real money using the platform’s in-app purchase. For example on Android here are the prices forgold:I’ve spent 20$+ on game gold forSoulcraft THDon myGoogle Nexus 7 so far. So I asked myself how does thatgame’s gold data gets stored on Windows 8, and whetheror not we can change it.Quick refresher from theprevious articleall Windows 8apps are stored on your local HD at:

C:\Program Files\WindowsApps

So for example all the assemblies for Soulcraft onWindows 8 will be stored at:

C:\ProgramFiles\WindowsApps\MobileBitsGmbH.SoulCraft_0.8.5.3_neutral__n3knxnwpdbgdc

Also, all IsoStore files are stored at:

C:\Users\<username>\AppData\Local\Packages\

So on my machine Soulcraft’s IsoStore is at:

C:\Users\Justin\AppData\Local\Packages\MobileBitsGmbH.SoulCraft_n3knxnwpdbgdc\LocalState

When opening up these files in Notepad we can see someof these files are encrypted while others are not. So now the question becomes, can we decrypt the AccountData.xml file, edit the amount of gold ourcharacter has and simply run the game? Well, as it turnsout the answer is “Yes”. Normally encrypted files are badnews if you’re trying to tamper with apps. But we shouldremember this is all running on the local machine. Wehave the algorithm used for encryption, we have the hashkey and we have the encrypted data. Once we have all of those it’s pretty simple to decrypt - anything.

UsingdotPeek/ILSpy/ JustDecompileit’s possible to reverse engineer most of the Soulcraft source code andfind out how the AccountData.xml gets stored and how tochange it. Let’s assume we’ve done that and we knowwhich classes and assemblies are used to decrypt, editand encrypt this XML file. We’ll start off by create a newWin8 app and reference the appropriate DLLs from theSoulcraft game.

Next, since these assemblies read files from IsoStore we’llcopy the encrypted game files to our own App2 IsoStore. Now we’ve staged a new app with the proper assembliesand populated IsoStore with Soulcraft’s Data. The nextstep is to reverse engineer the assemblies and figure outthe correct calling order for methods. For example thiscode would load up AccountData.xml, edit the amount of gold and save it again.Here’s the before and after of the XML file:

Copying the file back to Soulcraft’s IsoStore and startingSoulcraft we can see a first level character with1,000,000 gold. At this point some of you must be thinking “so what? it’sfake game money”. True, but this fake in-game moneywould be worth over a thousand dollar on Android andiOS. Without a secure storage location for game state, wecan’t be surprised that 3rd party cracking will arise tomake consumers avoid in-app purchases.

#2: Cracking trial apps to paidversions for free

One of the top revenue streams for Windows 8developers is by shipping paid apps. At the same timeconsumers tend to be loss averse and are afraid to “lose”money on apps. The solution to that are Trial apps. Paidapps can offer a free version with limited functionality oron a time limited basis. That works fine unless consumersattempt to manipulate this tentative status-quo bycracking trial apps. To emphasize the impact of thisproblem we can look at the Windows Phone ecosystemwhere

45% of paid apps offer trials.

Let’s have a look atMeteor Madness. It’s a cool arcadeasteroid shooter game. Meteor madness costs 1.5$USDand offers a free trial with limited functionality. It alsohappens to beopen sourceso you can go check that outtoo. When downloading the app as a trial we can see that itoffers the options to buy the game and locks some gameoptions. Note the “Buy now” rock at the bottom left andthe locked “Arcade” game rock on the top right.

In the previous section we’ve seen there’s a fundamentalproblem when storing game data on Windows 8. Storingencrypted data locally, alongside with the algorithm andthe algorithm key/hash is a recipe for security incidents.One of the problems with allowing offline execution of trial apps is that it mandates the “

trial flag

” to be storedlocally. And as we’ve seen, if it’s stored locally, we canfind it, read it and modify it.Specifically the License for Windows 8 apps is stored inthe following file:

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\WSLicense\tokens.dat

When we open this file up in Notepad we can find thelicense for Meteor Madness and where it says it’s a trialpurchase. Also, in the same file we can see there are other appsinstalled. Such as free apps, paid apps and preinstalledapps. Here for example if the “

Full

” installation of Bing. An educational WinForms app named

WSService_crk

loads this file into memory, shows the License XMLs andmodifies it as a “Full Preinstalled” license. There’s a lot going on here other then simply reading and modifyingfiles.

WSService_crk

has to decrypt the file, re-encryptit and then store it. All of that is documented with

WSService_crk

as it’s distributed with full source code. When opening up

WSService_crk

on my machine showsthe following list of installs apps.

WSService_crk

can then show the current license andeven modify it from a Trial to a Full Preinstalled License. When running Meteor Madness now we can see that it nolonger has any trial app functionality limitations.

#3: Removing in-app ads fromgames by editing XAML files

Another way developers monetize their apps is throughin-app advertising. Developers often take the path of least resistance and it’s quite easy to add ads to yourapp. If apps are popular and the viewcounts are racking up it could become quite profitable. As a resultconsumers don’t have to pay for some great titles andsuccessful developers can get paid. That all works prettywell unless opportunistic consumers choose to keep thefree app but disable ads. To emphasize the importance of mobile app ads let’s mention that some3rd partyestimatesput the field at over 10B in overall yearlyrevenue. One app that is now (surprisingly) advertising supportedon Windows 8 is Microsoft’s Minesweeper. As we’ve seen previously the executable of all Windows 8apps can be located easily. Minesweeper is installedlocally at:

C:\ProgramFiles\WindowsApps\Microsoft.MicrosoftMinesweeper_1.1.0.0_x86__8wekyb3d8bbwe

In that folder we can find the file

MainPageAd.xaml

under the

\Common\AdsModule\View

folder. Alongsidewith other in-app ads used by Minesweeper.

We can make this ad disappear by simply adding the

Visibility=”Collapsed”

property to the aforementionedroot user control. After we’ve made this small change, when we run theMinesweeper app we won’t be able to see the adanymore. By simply editing XAML files we can hide away in-appsads from Windows 8 ads.

#4: Reducing the cost of in-gameitems by editing game data files

Most games out there are composed of two distinctivepieces: a game engine and game data files used by theengine. For more on this dichotomy you can read thisgreat articleBattle for Wesnothfrom the creativecommons book The Architecture of Open SourceApplications. Let’s look at a real world example in theform of the windows 8 gameUltraviolet Dawn. The gameis my all time favourite ipad game is a cool 2D spaceshooter. Like other games players start-off with a certainamount of in-game currency and can buy items to improve their spaceship. If we go back to the dichotomy we’ve heard about earlierthen we can see how it applies to Ultraviolet Dawn. There’s a game engine that knows about “store items”and there’s going to be a list somewhere of what theyare. So one thing we could do is take advantage of Windows 8 on-disk storage and modify the game’s datafiles. As we’ve previously seen executables for windows 8apps can be located and modified. Specifically,Ultraviolet’s Dawn can be found here:

C:\ProgramFiles\WindowsApps\8DF9EE77.UltravioletDawn_1.0.0.37_x86__dd4ev9dvfndxm

We can open up the “

res_store_items.txt

” file and edit theprice of in-game items. In our example we’ll edit all theweapons to be free. When we run Ultraviolet Dawn again we can see the priceof items in the store is now 0.

We’ve just shown that using the simplest tools we can edit game files to compromise the experience of Windows8 games.

#5: Compromising In-apppurchase items by injectingscripts into the IE10 process

Even though we’ve already shown that in-app purchasesare comprisable I’d like for us to see an example of thatwith Windows 8 HTML & JS apps. Up until now we’ve seenexamples of C# and C++ apps, so let’s see that withWinJS apps. Let’s have a look at the massively popularand successful WInJS Windows 8 gameCut the Rope. Thegame follows a freemium model where the first few levelsare free and additional levels cost 4.99$ to unlock. As we know by now executables for Windows 8 gamescan be found on the local disk. Specifically

Cut the Rope

executeables can be found at:

C:\ProgramFiles\WindowsApps\ZeptoLabUKLimited.CutTheRope_1.1.0.9_neutral__sq9zxnwrk84pj

If we open up the

default.js

file in the

folder we can seethe following code that obviously governs the in-apppurchasing logic. We can see there areIS_PAID_FULL_VERSION and SIMULATE_PURCHASES

variables set to false. One wonder what happens if wechange those values to true. We don’t really have to understand the specifics but wecan see there’s an

if-else

condition that determines in-app purchases. We can’t directly change Javascript filesas that’ll corrupt the Javascript package and Windows 8will refuse to open the app. So instead of changing thefiles on the local disk, we can inject JS scripts at runtimeinto IE10 process. Visual Studio 2012 has a built-in debugging mechanismfor any installed Windows 8 app. Even if that wasn’t therewe could still easily inject scripts to IE10, but since it isthere we can use that familiar tool. Let’s use VS2012 to“

Debug Installed App Package

”. (Here are the Jacascriptdocs,C# docs and C++ docsto those unfamiliar with the feature) Next we’ll choose to Debug

Cut The Rope.

Make sure tocheck the “Stop at first Statement” checkbox since we’lluse it to navigate to

default.js

After we click start we can see we’re debugging the

Cut the Rope

app. This is the important bit, we’ve now got thefull force of VS2012 Javascript runtime debugging in aWin8 store app. This first breakpoint will always be thesame file at the same row: the first row of the

base.js

filefrom the WinJS framework. Using a smart combination of “Step over” and using theSolution Explorer we can set the following breakpointafter setting the variables we’ve previously seen. Stepping over this deceleration we can then see thefollowing values in our Locals window. And now using the Immediate Window we can executeany javascript we’d like. For the purpose of this demowe’ll set SIMULATE_PURCHASES=true. We could havesaved some time by setting IS_PAID_FULL_VERSION=true,but I’d like for us to see this runtime behaviour.

Now when we click the purchase button we can seeWindows 8 in-app purchase simulator. We’ll tell it that thepurchase was successful. And now we can see all game levels are unlocked. We’ve just shown how to inject arbitrary javascript into aWin8 store bought WinJS IE10 app and we’ve affected in-app purchase items inventory.

Open Redirect Vulnerability Identified in Meebo

noreply@blogger.com (Unknown) — Tue, 11 Dec 2012 12:58:00 +0000

An open-redirect vulnerability Identified in the popular instant messaging platform Meebo.

Open-redirect vulnerabilities can be leveraged by cybercriminals to lure their victims to arbitrary domains. The user believes that he/she is visiting a legitimate, reputable site, when they’re actually seamlessly redirected to a malicious one.

The security hole has been reported to Google, which bought Meebo back in June, but the search giant’s security team told the expert that “the security benefits of a well-implemented and carefully monitored URL redirector tend to outweigh the perceived risks.”

They’ve pointed him to the bug bounty page where they explain why such URL redirection vulnerabilities are not included in their reward program.

“Some members of the security community argue that open redirectors are a security issue,” reads the section on URL redirection.

“The common argument in favor of this view is that some users, when presented with a carefully crafted link, may be duped into thinking that they will be taken to a trusted page - but will be not be attentive enough to examine the contents of the address bar after the redirection takes place.”

It continues, “On the other hand, we recognize that the address bar is the only reliable security indicator in modern browsers; and consequently, we think that any user who could be misled by a URL redirector can also be tricked in other ways, without relying on any particular trusted website to act as a relying party.

No Email Day 12-12-12

noreply@blogger.com (Unknown) — Tue, 11 Dec 2012 11:00:00 +0000

Tomorrow is No Email Day: Ignore your inbox and do something more useful instead

Looking at your ever-growing inbox and looking for a reason to ignore it? Tomorrow you have that excuse, as it will be the second annual No Email Day.

NO EMAIL DAY by Paul Lancaster from Paul Lancaster

A year ago, UK-based Paul Lancaster declared a No Email Day and managed to get coverage for it everywhere from The Next Web to the Wall Street Journal. It’s easy to see why, too. Honestly, does anyone like email? I can’t remember the last time I didn’t view my inbox as a chore.
So what do you do on No Email Day? Simple – ignore your email. Don’t look at your inbox at all and see what else you can achieve. As Lancaster wrote in his original manifesto last year (embedded below), ”If you do need to contact someone on this day, emails should be strictly off limits – replaced instead by real life, face-to-face interaction, picking up the phone or perhaps even writing a letter (remember those) Better still, if you can spend time away from work to be inspired and re-connect with the offline world.”

Of course, it might be a bit naive to believe that it’s possible to get by entirely without email, even for a day. Here at The Next Web we’d miss important news tips we need to share with you, and we can hardly walk down the corridor to chat to the entrepreneurs and investors with communicate with every day – they’re based in all sorts of places around the world.

Then of course, once you come back to your email the following day you might have to spend the whole morning catching up with people wondering why you didn’t reply to their urgent missive.
Still, No Email Day is a useful reminder that there’s more to life than your unread messages count. Do you dare ignore your email completely for 24 hours?

Fake Hotels Awaiting Unwary Guests

noreply@blogger.com (Unknown) — Tue, 11 Dec 2012 04:40:00 +0000

Cyber-criminals have prepared some dirty tricks for tourists looking for a room over the holidays. And it’s not the same old reception RATs, banking Trojans, wrong hotel transactions and social media baits. Now, they’ve created their own fake hotels and are awaiting unwary guests.

The fake websites usually leverage the names and reputations of famous brands. For instance, if the legitimate company’s domain is sheratonskyline.com, the crooks will likely set up their site on a domain that looks something like sheraton-skyline.com.

Most major companies have purchased all the variations of their domain names to protect themselves against typosquatters, but it’s likely that hotels haven’t taken such fraud sites into consideration.

Unlike phishing sites, these fraud websites aren’t promoted via email or social media spam. Instead, they’re kept secret to ensure that the domain will not be seized by authorities.

Also, such scammy webpages don’t necessarily replicate the design of the genuine hotel.

Users are advised to rely on common sense and a decent security solution to protect themselves against such threats.

The simplest way to identify fake hotel sites is by typing their names into a search engine followed by the words “scam” or “fraud.” In many cases, you’ll find professional advisories or posts published by other users.

Exforel Backdoor Implemented At Network Driver Interface Specification level

noreply@blogger.com (Unknown) — Mon, 10 Dec 2012 20:21:00 +0000

Security researchers have identified a variant of the Exforel backdoor malware, VirTool:WinNT/Exforel.A, that’s somewhat different from other malicious elements of this kind.

The NDIS-level backdoor used by VirTool:WinNT/Exforel.A is much more low-level and stealthy than that used by traditional backdoors – there is no connecting/listening port so it is more difficult to notice. The backdoor traffic is completely invisible to user-mode applications.

Functionalities:

Uploading files
Downloading files
Executing files
Routing TCP/IP packets

This sample appears to be used for a specific attack targeting a certain organization.