Websites suck 0.1

Recently, while cleaning out my house, I stumbled upon my old 486 with Win 98. As any sane person would, I stopped everything I was doing and rushed to see if my Tyrian 2000, Dune 2000 and Prehistoric were still there. (They were, but that will be another story.)

I did not have internet when my parents got that PC, so I started trying to connect it to my network; a few minutes of fiddling around and it worked. Well, sort of: most web pages did not load, and those that did were broken. Then I said to myself: I wonder how much websites have evolved since that period. This was the catalyst that finally prompted me to write an article on a subject that has kept bothering me, namely that modern websites suck.

A brief introduction to the article series

According to HTTP Archive, the median page size (in June 2018) sits at 1.7 MB for desktop and 1.5 MB for mobile. I can almost hear you think: pff, that is nothing, it’s just a couple of MB. True, it’s far smaller than an MP3 song or an image taken with a modern smartphone.

To put those numbers in perspective, in 2011 the median page size was 500 kB for desktop and 200 kB for mobile. This means a 226% increase in size for desktop and a 673% increase for mobile, per page.

But we have to remember that this is per page and not per site. Just think of all those pages that your favorite news website has. Suddenly it does not seem that small, does it?

[chart: median page size]

As can be seen in the above graph, the median page size is now approaching the 2 MB mark. But most pages are already hitting that 2 MB threshold, some of them even exceeding 3 MB.

A good example of the latter is the front page of YouTube, which has a size of 3.0 MB (according to Pingdom). But wait… hasn’t internet speed also gone up? You have a fair point there, dear reader, internet speed did go up. According to Speedtest.net, the global average for fixed broadband is 46.25 Mbps down and 22.47 Mbps up. Meanwhile, for mobile we have 23.54 Mbps down and 9.28 Mbps up.

Sooooo, as I was saying, it takes only seconds to load those websites. True, for people who do have access to high-speed internet. Furthermore, when speaking about mobile internet we have to take network coverage into account. There are areas where loading that 3 MB page could take over 10 seconds.

What if I only want to check news sites? With that speed I am already aware that I cannot watch YouTube: according to Google, you need an internet connection of 500+ kbps in order to watch YouTube. You could probably go down to 200 kbps for seamless video playback on mobile for 360p or 480p videos.

Coming back to news sites:

bbc.com – 2.2 MB (size varies ±0.2 MB)
cnn.com – 2.3 MB (size varies ±0.2 MB)
time.com – 5 MB (size varies ±0.3 MB) – yes, this one is huge
youtube.com – 3 MB (size varies ±0.3 MB)

As you can see, all of these sites would take a long time to load for someone on a 500 kbps connection. Factor in low reception and they become unusable.

Fake Cryptocurrency

Riding on the back of the cryptocurrency hype, a piece of malware is disguising itself as a cryptocurrency wallet. And it’s not just any type of malware: we are talking about ransomware. Once it infects a target, it secretly encrypts the user’s files. (Source: Fortinet)

According to Investopedia there are 6 main cryptocurrencies: Litecoin (LTC), Ethereum (ETH), Zcash (ZEC), Dash, Ripple (XRP) and Monero (XMR). The site CoinMarketCap is a good tool to find out how many currencies exist at any given time; the current count is up to 1494.

The rush for cryptocurrency can be compared to California’s 1848 gold rush. Wanting to be part of the crypto rush, most people jump in the “waves” without doing any proper research, and this is exactly the behavior on which certain entities rely in order to deliver malware to their targets. Mark Beaumont wrote an article for the Guardian in which he explained his journey into the cryptocurrency world.

The attackers behind this campaign lure in their victims with a convincing Initial Coin Offering message. In order to get that cryptocurrency, the user has to download a wallet app package. Once installed, the app asks the user to set up a password in order to get access to SpriteCoin’s blockchain.

Unfortunately for the user, the app then starts encrypting all files on the infected computer; the files are given a .encrypt suffix. A ransom message appears and asks for 0.3 Monero in order to decrypt all the files.

What is even more sinister is that during the decryption of the files, right after the user has paid the ransom, more malware is downloaded to that computer. This malware can perform web camera activation, key parsing and certificate harvesting.

According to Fortinet: “While we have not yet fully analyzed this malicious payload, we can verify that it does have the capability to activate web cameras and parse certificates and keys that will likely leave the victim more compromised than before.”

These people are using social engineering to fool people into clicking on and installing their malicious software. Most of the time they are exploiting the innate curiosity that is present in all of us. This article by David Bisson explains in detail how social engineering is used by certain parties in order to achieve their nefarious plans.

As always, do not assume that you are safe when online. If something seems too good to be true, then most of the time it’s a scam.

Ghost Team – Facebook Credentials

Yet another series of Google Play apps has been shown to contain malicious code. This time, we are talking about 53 apps, most of them aimed at the Asian market.

According to Trend Micro, the malware detected is ANDROIDOS_GHOSTTEAM, and it hid itself in Play Store apps that contained a considerable amount of Vietnamese-language content. Furthermore, the command-and-control server pointed to a Vietnamese website.

Nevertheless, if it was installed on a phone outside Vietnam, the app would detect that using geolocation and set its language to English.

As mentioned in previous articles on this blog, the malware is most of the time hidden in utility apps such as, but not limited to: flashlight apps, QR code scanners, compasses, performance-boosting apps and, the most important category, social media enhancing apps. Among these “enhancing apps” the most popular ones are video downloaders.

This idea has been reiterated countless times on this blog, but I feel the need to remind you that information means power. Especially when it comes to social media: most social media sites already have a profile created for each and every one of their users. Although we might think they get only what we share, there have been multiple cases in which companies tracked more than the user agreed to.

Malware evolves and becomes better and better, and this one is no exception: it has a feature that lets it detect whether it is running in a virtual machine. According to Trend Micro:

“The payload disguises itself as “Google Play Services”, pretending to verify an app. If the unwitting user opens Google Play or Facebook, it displays an alert urging the would-be victim to install the fake Google Play Services. After installation, the payload will also prompt the user to activate/enable device administrator.”

Fortunately, it seems that there are no cyber campaigns using these stolen credentials.

“As other cyberattacks and threats like the Onliner spambot showed, these credentials can be repurposed to deliver far more damaging malware or to amass a zombie social media army that can proliferate fake news or a cryptocurrency-mining malware. Facebook accounts, which can contain a wealth of other financial and personally identifiable information, are also peddled in the underground.”

Don’t forget that your phone knows almost everything about you. Take care of your phone and protect it against threats: run routine scans, install updates when prompted, double or triple check apps before installing them, and read the comments posted for that particular app. And last, but not least, if an app provides features that seem too good to be true, then it is almost certainly fake.

Malware Hide’n’Seek

Blink once and your phone is infected.

Even though many of us could spot a fake instantly, we have to remember that there are people who are not as tech savvy as we are. Furthermore, there are people who might have just started using smartphones; my grandma, for example.

There was a time when one could identify fake apps really fast, but recently more and more copies have been showing up on the Google Play Store. One notable example was an almost perfect copy of WhatsApp.

On the 3rd of November 2017, in a Reddit post, a user informed everyone that there were two WhatsApps that apparently came from the same developer.

Two Reddit users (megared17 and dextergenius) took a closer look at the app.

The first one noticed that:

“There are extra bytes which are a Unicode space at the end of the fake one. VERY difficult to see if you don’t look closely.”

And he provided the following screenshots for comparison:

Original WhatsApp
Fake WhatsApp

The second one went the extra mile, and even installed it:

“I’ve also installed the app and decompiled it. The app itself has minimal permissions (internet access) but it’s basically an ad-loaded wrapper which has some code to download a second apk, also called ‘whatsapp.apk’”

Details about the fake app.

Furthermore, the app also does its best to hide from the user. It has no name and it uses a blank icon.

Here are more screenshots of the fake app posted by dextergenius:


This app was removed from the Google Play store, but not before tricking unsuspecting users into installing it on their phones.

To quote the Avast Blog:

“The harmful effects from these imitation apps can vary from a nonstop deluge of ads to stealing money and personal info, but they all have one thing in common: they are all entirely illegal. Publishing fake apps is called “scamming” and it is punishable by law.

When you download these fake apps, you are in many cases putting money in the cyber-criminals’ pockets. Every click can be monetized, and the more money they make, the more resources they can use to create more fake apps, and the cycle continues. Instead we simply recommend: keep away from fake apps.”

Take care of your smartphone; it knows more about you than anyone. Install security software to protect your data. Use two-factor authentication for all the apps that offer you that option.
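One way to catch the trick megared17 describes, a publisher name that differs from the genuine one only by an invisible character, is to flag non-printing code points and to compare names only after normalising them. The following is an added example, not code from the Reddit thread, Google or Avast; the publisher strings are constructed, and U+00A0 (NO-BREAK SPACE) is an assumed stand-in for the “Unicode space” the post mentions.

```python
import unicodedata

# Constructed sample (not from the Reddit thread): the genuine publisher name next to
# a lookalike carrying a trailing Unicode space. The incident is described only as
# "a Unicode space at the end"; U+00A0 (NO-BREAK SPACE) is an assumed stand-in.
GENUINE = "WhatsApp Inc."
LOOKALIKE = "WhatsApp Inc.\u00a0"

# General categories that render as nothing, or as ordinary-looking whitespace:
# Zs = space separators, Cf = format characters (zero-width space, joiners, BOM),
# Mn = non-spacing combining marks.
INVISIBLE_CATEGORIES = {"Zs", "Cf", "Mn"}


def suspicious_code_points(name):
    """List (index, 'U+XXXX', Unicode name) for every character in `name` that
    is invisible or is whitespace other than the plain ASCII space."""
    findings = []
    for i, ch in enumerate(name):
        if ch == " ":
            continue
        if unicodedata.category(ch) in INVISIBLE_CATEGORIES or ch.isspace():
            findings.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return findings


def canonical(name):
    """Fold a publisher name to a comparison key: NFKC normalisation (maps
    U+00A0 and friends to a plain space), drop invisible code points, collapse
    and trim whitespace, case-fold. Names that collide here but differ
    byte-for-byte are impersonation candidates."""
    folded = unicodedata.normalize("NFKC", name)
    visible = "".join(
        ch for ch in folded
        if ch == " " or unicodedata.category(ch) not in INVISIBLE_CATEGORIES
    )
    return " ".join(visible.split()).casefold()


def find_collisions(names):
    """Group raw names by canonical key and keep only keys claimed by more than
    one distinct raw string, i.e. the lookalike pairs a reviewer should inspect."""
    groups = {}
    for raw in names:
        groups.setdefault(canonical(raw), set()).add(raw)
    return {key: sorted(group) for key, group in groups.items() if len(group) > 1}


if __name__ == "__main__":
    for raw in (GENUINE, LOOKALIKE):
        print(repr(raw), "->", suspicious_code_points(raw) or "clean")
    print(find_collisions([GENUINE, LOOKALIKE, "Some Other Dev"]))
```

The same check works on package names and app titles; a zero-width space (U+200B) in the middle of a name is caught by the category test even though it is not whitespace.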

Internet of Threats

Internet of Things and Internet of Toys

With the rise of “smart speakers” such as Amazon Echo and Google Home, it was only a matter of time until kids’ toys would get the “smart treatment”. This is just one niche in the broad field of IoT (Internet of Things); thus, a new IoT emerged, the so-called Internet of Toys.

According to Lanner Electronics:

“IoT is as much a concept and ideology as it is a technological undertaking. It seeks to take quite literally anything (ergo “thing” in IoT), i.e. printer, coffeemaker, shoes, light-bulbs, and breathe new life and purpose into it by applying just the right amount of embedded, networked technology (the internet component in IoT).”

Yes, you read that right: shoes that are connected to the internet. And that is not all; a short search reveals other “things” that can be connected to the internet:

  1. Oven
  2. Plushies for children
  3. Doorbells
  4. Smart locks
  5. Air quality monitor
  6. Blood pressure monitor
  7. Gesture control
  8. Smart Cooker
  9. Smart bed mattress
  10. Kids smart watch
  11. Smart baby monitor

And the list goes on. Do those things make their users’ lives easier? Of course they do, and I am not saying they are not trying to achieve that. But just try to imagine all the different types of data that they are collecting.

In a recent article, we talked about how VTech (a toy manufacturer) settled for $650,000 in a case that involved breaching COPPA. Although this is one of the worst-case scenarios, we must remember that information means power. We already give up a lot of our privacy just by using a smartphone. How would a person feel having an IoT device installed in their house, one that is active 24/7 and is passively listening and following each and every move that they make?

According to the FTC, VIZIO, a popular manufacturer of high-quality, affordable smart TVs, had to pay a fine of $2.2 million. This happened because it was found out that those TVs were happily tracking what their users were watching. Furthermore, all that data was sent back to VIZIO’s servers, and from there it was sold to advertisers.

“According to the complaint, VIZIO touted its “Smart Interactivity” feature that “enables program offers and suggestions” but failed to inform consumers that the settings also enabled the collection of consumers’ viewing data. The complaint alleges that VIZIO’s data tracking—which occurred without viewers’ informed consent—was unfair and deceptive, in violation of the FTC Act and New Jersey consumer protection laws.”

In 2016, the Norwegian Consumer Council said that:

“The internet-connected toys My Friend Cayla and i-Que fail miserably when it comes to safeguarding basic consumer rights, security, and privacy.”

Furthermore, in their analysis of the two IoT toys, the Consumer Council revealed several serious issues:

Lack of security
With simple steps, anyone can take control of the toys through a mobile phone. This makes it possible to talk and listen through the toy without having physical access to the toy. This lack of security could easily have been prevented, for example by making physical access to the toy required, or by requiring the user to press a button when pairing their phone with the toy.

Illegal user terms
Before using the toy, users must consent to the terms being changed without notice, that personal data can be used for targeted advertising, and that information may be shared with unnamed third parties. This and other discoveries are, in the NCC’s opinion, in breach of the EU Unfair Contract Terms Directive, the EU Data Protection Directive, and possibly the Toy Safety Directive.

Kids’ secrets are shared
Anything the child tells the doll is transferred to the U.S.-based company Nuance Communications, who specialize in speech recognition technologies. The company reserves the right to share this information with other third parties, and to use speech data for a wide variety of purposes.

Kids are subject to hidden marketing
The toys are embedded with pre-programmed phrases, where they endorse different commercial products. For example, Cayla will happily talk about how much she loves different Disney movies. Meanwhile, the app-provider has a commercial relationship with Disney.

Instead of a witty closing remark, I will leave you with a list of interesting resources that deal with the Internet of Toys. I do hope they will help you, should you wish to find out more about this subject.

Oh, and this awesome video from Finn Myrstad of the Norwegian Consumer Council.

“LightsOut” malware found in flashlight apps

Most of us do not install any Android apps that do not come from Google’s Play Store. After all, that is the only place from which we can be 100% sure that the apps we download are safe, right?

Unfortunately, even Google’s official app store can fall behind the latest cyber threats. On the 5th of January, Check Point Research identified 22 flashlight apps (from the Google Play Store) that had malware hidden in them. Their findings show that the infected apps had been downloaded between 1.5 million and 7.5 million times.

“LightsOut” embeds malicious code in seemingly legitimate flashlight and utility apps. This code can act in two ways:

  1. When the app is launched for the first time, the icon is hidden in order to make it harder to get rid of the app.
  2. The app prompts the user with a checkbox and a control panel. But these are only a facade: even if the user chooses to hide the ads, the app will override that option.

We all know that most of these utility apps can be used for free, at the cost of having some annoying ads appear here and there. It seems that even after purchasing the paid version of the app, the ads would keep rolling.

Moreover, the ads are displayed out of context. And since there is no visible connection between the app and the ads, even if the user realizes what is happening, the app has already hidden its icon.

The ads would be triggered by actions that have no connection with the app, such as: charging the phone, ending a call, connecting to or disconnecting from a Wi-Fi network, or locking your screen.

What is the aim of “LightsOut”? To get as much revenue as possible from forcing users to interact with obtrusive ads that are triggered as often as possible.

Before downloading a flashlight app, remember that almost all new Android devices have that option already built in. Swipe down to open the settings menu, and there should already be an option called “Torch”. Although it is not as fancy as the flashlight apps, I am pretty sure you just want to use it to look for your keys, and not to power up a rave party.

VTech settles for $650,000

If you fancy technology and you have small children, then you might have heard about the company named VTech Electronics. The main focus of this article is VTechKids.com.

VTech is an electronic toy manufacturer based in Hong Kong which, according to the FTC, has violated children’s privacy. On the 8th of January, the company agreed to settle and pay a fine of $650,000. The money should be paid within the following 7 days.

Children’s privacy is protected by the Children’s Privacy Act, published in 1998.

It all started in 2015, when a data breach leaked the personal data of VTech’s users and of their children. According to VTech’s 2015 statement:

“VTech Holdings Limited today announced that an unauthorized party accessed VTech customer data housed on our Learning Lodge app store database on November 14, 2015 HKT. Learning Lodge allows our customers to download apps, learning games, e-books and other educational content to their VTech products.”

[…]

“It is important to note that our customer database does not contain any credit card information and VTech does not process nor store any customer credit card data on the Learning Lodge website. To complete the payment or check-out process of any downloads made on the Learning Lodge website, our customers are directed to a secure, third party payment gateway.”

On the bright side, the same statement mentioned that:

“In addition, our customer database does not contain any personal identification data (such as ID card numbers, Social Security numbers or driving license numbers).”

Nevertheless, personal information that included children’s first and last names, email addresses, dates of birth and genders was leaked. Soon after, Motherboard interviewed the person who stole the data (images, chat logs and even audio files).

“Frankly, it makes me sick that I was able to get all this stuff.” – Motherboard

Soon after the breach, the company altered its TOS:

“You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorized parties.” – VTech TOS – item no.7

Fast forward to the 8th of January 2018, and according to the FTC order, VTech has settled for a fine of $650,000.

According to the FTC’s complaint:

“The Complaint charges that Defendants participated in deceptive acts or practices in violation of Section 5 of the FTC Act, 15 U.S.C. § 45, in the making of a deceptive statement relating to their collection, storage, and transmittal of covered information. The Complaint further charges that Defendants violated the COPPA Rule by failing to post a privacy policy for their Kid Connect online service providing clear, understandable, and complete notice of their information practices; failing to provide direct notice of their information practices to parents; failing to obtain verifiable parental consent prior to collecting, using, and/or disclosing personal information from children; and failing to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.”

Furthermore, VTech has to implement a data security program that will be subject to biannual independent audits over a period of 20 years.

In Monday’s announcement of the VTech settlement, the acting FTC Chairwoman Maureen K. Ohlhausen said:

“As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data. Unfortunately, VTech fell short in both of these areas.”

Even though this was the first case of children’s privacy violations to be settled, since toys are becoming more and more connected, I’m going to bet it will not be the last one.

Can’t wait to see a new app called “Smartphone Hide’n’Seek”.

Meltdown and Spectre

Now that we know what the kernel is and, more importantly, what it does, we are going to talk a bit about Meltdown and Spectre.

Two papers (Meltdown and Spectre) have been published by researchers from various universities across the globe together with several Google researchers. Both of them describe the way in which cyber-criminals could steal sensitive information from our devices.

There is good news though: several patches have been deployed to mitigate this flaw. Unfortunately, drops in performance (from 5% to 30%) have been reported after the Microsoft patches were installed. Furthermore, the deployment of patches for AMD processors has been halted by Microsoft. This is due to the many complaints that users could not boot their PCs after the patches.

The short but tech-savvy explanation is:

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.

If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information.

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.

The short non-tech-savvy explanation is as follows:

It all starts with something called Speculative Execution. I know it might sound terrible, but bear with me.

Let’s say you are running a service that gathers information upon request from your clients.

For example:

A client comes to you at 10 am and asks you to print a list of news items related to cyber-security. Your client does this daily; for 5 days he has the exact same request, at exactly the same hour. Since we are “smart cookies”, we observe a pattern and we start printing the list before he arrives. We see the client is happy that he got his list faster this time. We continue doing this; the client is happy, we are happy.

But one day, he comes at 10 am and asks for 4 chocolate chip cookie recipes. We print what he asked for, and we throw away what we had already printed.

Speculative Execution works similarly. If the calculations the computer performed ahead of time turn out not to be needed, their results are thrown away, but not without leaving traces that can be picked up through a side channel.

This information ends up in an unsecured part of the cache memory that can be accessed through a side channel. In terms of the printing story above, all the unwanted lists end up in a trash bin that the bad guys can rummage through.

Why isn’t that data secured? The answer is simple: when Speculative Execution was invented, devices were not connected to each other. Thus, there was no reason to secure something to which no external party would have access. Unfortunately, this has never been addressed until now.

Many patches have been released, and Microsoft is trying to mitigate the issues that might arise from the Intel chip flaw. But, and there is a big BUT, systems that have received the update have been showing a decrease in performance. This decrease varies from 5% up to 30% in some cases.

Sources: SEI, Cyberus Tech Blog, Meltdownattack.com, Spectreattack.com
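The first thing a practitioner wants to know after reading this is whether a given Linux machine has actually received a mitigation. The following is an added example, not code from any of the sources above: it reads the status files the Linux kernel exposes for these issues (that directory path is real, present since kernel 4.15) and classifies each one; the SAMPLE_STATUS values are constructed so the script also runs where sysfs is unavailable.

```python
import os

# Linux exposes the CPU's speculative-execution issues and the kernel's chosen
# mitigation here (kernel 4.15 and later); one file per issue.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample of a partially patched host, following the format the
# kernel uses: "Not affected", "Mitigation: <name>" or "Vulnerable[: detail]".
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable",
    "spec_store_bypass": "Vulnerable",
    "l1tf": "Not affected",
}


def classify(status):
    """Map one status string to a coarse verdict."""
    text = status.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_sysfs(directory=SYSFS_DIR):
    """Return {issue: status} from the sysfs directory, or {} when the running
    kernel does not expose it (older kernels, non-Linux hosts)."""
    statuses = {}
    if not os.path.isdir(directory):
        return statuses
    for name in sorted(os.listdir(directory)):
        try:
            with open(os.path.join(directory, name)) as fh:
                statuses[name] = fh.read().strip()
        except OSError:
            continue  # unreadable entry: leave it out rather than guess
    return statuses


def summarize(statuses):
    """Return (verdict per issue, sorted list of issues that still need attention).
    'unknown' is included in the attention list: an unparsed status is not
    evidence of protection."""
    verdicts = {issue: classify(text) for issue, text in statuses.items()}
    attention = sorted(i for i, v in verdicts.items() if v in ("vulnerable", "unknown"))
    return verdicts, attention


if __name__ == "__main__":
    live = read_sysfs()
    verdicts, attention = summarize(live or SAMPLE_STATUS)
    source = "live sysfs" if live else "constructed sample (sysfs not available)"
    print(f"Source: {source}")
    for issue, verdict in sorted(verdicts.items()):
        print(f"  {issue:<24} {verdict}")
    print("Needs attention:", ", ".join(attention) or "none")
```

A status that begins with “Mitigation:” can still carry caveats after the colon (microcode missing, SMT exposed), so the verdict is a triage signal, not a certificate.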


Just what is the Kernel?

Disclaimer: this is a support article for the upcoming Meltdown and Spectre article.

It would seem that each year we have some sort of new software that is up to no good. This time, unfortunately, we are talking about a hardware flaw that is going to affect the way in which processors are manufactured from now on.

But before we dive head on into the issue, there is a term that I would like to explain first.

I am fairly sure anyone who has read some basic things about hardware and software has come across the word ‘kernel’ at one point.

Most of us know that there are two components when it comes to PCs/laptops/phones etc. You have the hardware, the thing that you can touch, and the software, the thing that makes the hardware do something useful. Fun fact! Anyone who got frustrated and hit the keyboard (or whatever hardware part was closer) was, most of the time, punishing the hardware for a software error.

What we don’t usually think about is how they are interconnected. Well, here is where the Kernel comes into play.

A kernel is nothing other than the manager of your device. It is the magical code that tells an app when to start (to be more precise, it’s the one that starts the process that is bound to that app).

Furthermore, it decides what resources (CPU, memory, devices) the application is allowed to use.

As you can see, that little thing has a lot of power in its hands. So, that means it should be one of the most secure things in our devices, right?


“Adult Swine” – found in apps for children

As always, the researchers at Check Point are shedding light on a threat that has been “lurking in the shadows” for some time now.

For people in a hurry, at the end of the article you can find the TL;DR and the list of apps.

On the 12th of January, Check Point released information about 60 Android apps that contained malicious code hidden inside them. As adults, we are all aware of the threats that exist on the internet. Most of us are able to clearly distinguish and identify them, but nowadays children-focused apps are becoming the main target of these attackers.

Over 60 apps have been identified as containing the ‘Adult Swine’ code. Although click-baiting and other such practices have been around for years, this new type of intrusive and, most of the time, inappropriate ads is on the rise.

Apps infected with “Adult Swine” could cause problems in three ways:

  1. Displaying ads from the web that are often highly inappropriate and pornographic.
  2. Attempting to trick users into installing fake ‘security apps’.
  3. Inducing users to register to premium services at the user’s expense.

Once installed, the app would connect to its control server and provide several details about the phone on which it had managed to install itself. Moreover, once connected to the C&C server, the app would hide its icon from the menus.

Offensive ads

The content of the ads is offensive and, in most cases, pornographic. Furthermore, since it scans the apps that are running on the phone, the infected app will display the ads inside the same window.

The ads seem to come from two main sources:

  • From legitimate advertisers that did not give consent for their ads to be used in such a way.
  • From a list of ads that the app has stored in its own library. As you would imagine, the library contains only offensive ads.

I feel the need to reiterate the idea that this is happening while the children are using the app that the code pretends to be.

Installing fake apps

Scareware is the name given to apps informing the user that their phone/device has been infected. Most of us know how to deal with this type of scam, but we must not forget that the targets here are our children.

After being prompted about the infection, the user is advised to install a ‘security app’ that will repair their device. You guessed it, the ‘solution’ is just another malicious app.

Premium services

Although I personally do not link my credit card to my phone, most of my friends do. The thing that I find hilarious is that their reason for doing so is ‘It’s easier for me to buy things and order stuff online.’

Now, each of us is entitled to do exactly what they want with their hard-earned money, but I guess that many of us would not like to have it spent on useless apps and services.

But that is not all: even without your banking data, the apps can still use other ways to trick people into buying apps or subscribing to unwanted premium services.

It works just like the above-described ‘scareware’ tactic. But in this case, the app tries to bait the user by informing them that they have won a certain prize. In order to claim it, the user has to provide their phone number. Once the phone number is entered, the app uses it to register for premium apps and services for which the user will have to pay.

The good news is that Google has removed most of the apps that have been infected.

The bad news is that all these apps were available on a platform that is trusted by the majority of Android users.

TL;DR

Sixty apps that were aimed at children have been removed by Google from the Play Store. These apps were infected by a piece of code that is now known as ‘Adult Swine’.

The infected apps would display ads that were offensive and, often, pornographic. Furthermore, they also used ‘scareware’ tactics to trick users into installing fake and malicious apps.

And finally, they would also use the ‘You won a prize, enter your details to claim the prize’ tactic to trick users into disclosing their phone numbers. With this information, the app would subscribe the user to paid services and apps, resulting in users getting their accounts charged for services they did not want and did not subscribe to.

For the full list, please visit: Check Point

App Name                          Minimum Downloads   Maximum Downloads
Five Nights Survival Craft        1,000,000           5,000,000
Mcqueen Car Racing Game           500,000             1,000,000
Addon Pixelmon for MCPE           500,000             1,000,000
CoolCraft PE                      100,000             500,000
Exploration Pro WorldCraft        100,000             500,000
Draw Kawaii                       100,000             500,000
San Andreas City Craft            100,000             500,000
Subway Banana Run Surf            100,000             500,000
Exploration Lite : Wintercraft    100,000             500,000
Addon GTA for Minecraft PE        100,000             500,000
Addon Sponge Bob for MCPE         100,000             500,000
Drawing Lessons Angry Birds       50,000              100,000
Temple Crash Jungle Bandicoot     50,000              100,000
Drawing Lessons Lego Star Wars    50,000              100,000
Drawing Lessons Chibi             50,000              100,000