Login
Posted by Georgi Guninski on Jan 18
Minor firefox DoS - semi silently polluting ~/Downloads with files (part 2)Posted by Georgi Guninski on Sep 05
This is barely a DoS, but since Chrome has explicit protection
This week hasd been manic! Non-stop tickets related to the new HIBP domain subscription service, scrambling to support invoicing and resellers, struggling our way through some odd Stripe things and so on and so forth. It's all good stuff and there have been very few issues of note (and all of those have merely been people getting to grips with the new model), so all in all, it's happy days 😊
The FBI doesn't want to lose its favorite codified way to spy, Section 702 of the US Foreign Intelligence Surveillance Act. In its latest salvo, the agency's deputy director Paul Abbate called it "absolutely critical for the FBI to continue protecting the American people."…
Australian health insurance company Medibank will take all of its IT systems offline and close its branches over the weekend as part of its ongoing efforts to improve security and recover from a massive data security breach in October.…
A tool to automate the recon process on an APK file.
Slicer accepts a path to an extracted APK file and then returns all the activities, receivers, and services which are exported and have null permissions and can be externally provoked.
Note: The APK has to be extracted via jadx or apktool.
Why?
I started bug bounty like 3 weeks ago(in June 2020) and I have been trying my best on android apps. But I noticed one thing that in all the apps there were certain things which I have to do before diving in deep. So I just thought it would be nice to automate that process with a simple tool.
Why not drozer?
Well, drozer is a different beast. Even though it does finds out all the accessible components but I was tired of running those commands again and again.
Why not automate using drozer?
I actually wrote a bash script for running certain drozer commands so I won't have to run them manually but there was still some boring stuff that had to be done. Like Checking the strings.xml for various API keys, testing if firebase DB was publically accessible or if those google API keys have setup any cap or anything on their usage and lot of other stuff.
Why not search all the files?
I think that a tool like grep or ripgrep would be much faster to search through all the files. So if there is something specific that you want to search it would be better to use those tools. But if you think that there is something which should be checked in all the android files then feel free to open an issue.
Check if the APK has set the android:allowbackup to true
Check if the APK has set the android:debuggable to true.
Return all the activities, services and broadcast receivers which are exported and have null permission set. This is decided on the basis of two things:
FreshRSS 
android:exporte=true is present in any of the component and have no permission set.Intent-filters are defined for that component, if yes that means that component is exported by default(This is the rule given in android documentation.)Check the Firebase URL of the APK by testing it for .json trick.
myapp.firebaseio.com then it will check if https://myapp.firebaseio.com/.json returns something or gives permission denied.Check if the google API keys are publically accessible or not.
Duplicate.not applicable and will claim that the KEY has a usage cap - r/suspiciouslyspecific Return other API keys that are present in strings.xml and in AndroidManifest.xml
List all the file names present in /res/raw and res/xml directory.
Extracts all the URLs and paths.
git clone https://github.com/mzfr/slicer
cd slicerpython3 slicer.py -h
It's very simple to use. Following options are available:
Extract information from Manifest and strings of an APK
Usage:
slicer [OPTION] [Extracted APK directory]
Options:
-d, --dir path to jadx output directory
-o, --output Name of the output file(not implemented)
I have not implemented the output flag yet because I think if you can redirect slicer output to a yaml file it will a proper format.
python3 slicer.py -d path/to/extact/apk -c config.jsonThe extractor module used to extract URLs and paths is taken from apkurlgrep by @ndelphit
All the features implemented in this are things that I've learned in past few weeks, so if you think that there are various other things which should be checked in an APK then please open an issue for that feature and I'd be happy to implement that :)
If you'd like you can buy me some coffee:
With the recent demise of several popular “proxy” services that let cybercriminals route their malicious traffic through hacked PCs, there is now something of a supply chain crisis gripping the underbelly of the Internet. Compounding the problem, several remaining malware-based proxy services have chosen to block new registrations to avoid swamping their networks with a sudden influx of customers.
Last week, a seven-year-old proxy service called 911[.]re abruptly announced it was permanently closing after a cybersecurity breach allowed unknown intruders to trash its servers and delete customer data and backups. 911 was already akin to critical infrastructure for many in the cybercriminal community after its top two competitors — VIP72 and LuxSocks — closed or were shut down by authorities over the past 10 months.
The underground cybercrime forums are now awash in pleas from people who are desperately seeking a new supplier of abundant, cheap, and reliably clean proxies to restart their businesses. The consensus seems to be that those days are now over, and while there are many smaller proxy services remaining, few of them on their own are capable of absorbing anywhere near the current demand.
“Everybody is looking for an alternative, bro,” wrote a BlackHatForums user on Aug. 1 in response to one of many “911 alternative” discussion threads. “No one knows an equivalent alternative to 911[.]re. Their service in terms of value and accessibility compared to other proxy providers was unmatched. Hopefully someone comes with a great alternative to 911[.]re.”
Among the more frequently recommended alternatives to 911 is SocksEscort[.]com, a malware-based proxy network that has been in existence since at least 2010. Here’s what part of their current homepage looks like:
The SocksEscort home page says its services are perfect for people involved in automated online activity that often results in IP addresses getting blocked or banned, such as Craigslist and dating scams, search engine results manipulation, and online surveys.
But faced with a deluge of new signups in the wake of 911’s implosion, SocksEscort was among the remaining veteran proxy services that opted to close its doors to new registrants, replacing its registration page with the message:
“Due to unusual high demand, and heavy load on our servers, we had to block all new registrations. We won’t be able to support our proxies otherwise, and close SocksEscort as a result. We will resume registrations right after demand drops. Thank you for understanding, and sorry for the inconvenience.”
According to Spur.us, a startup that tracks proxy services, SocksEscort is a malware-based proxy offering, which means the machines doing the proxying of traffic for SocksEscort customers have been infected with malicious software that turns them into a traffic relay.
Spur says SocksEscort’s proxy service relies on software designed to run on Windows computers, and is currently leasing access to more than 14,000 hacked computers worldwide. That is a far cry from the proxy inventory advertised by 911, which stood at more than 200,000 IP addresses for rent just a few days ago.
Image: Spur.us
SocksEscort is what’s known as a “SOCKS Proxy” service. The SOCKS (or SOCKS5) protocol allows Internet users to channel their Web traffic through a proxy server, which then passes the information on to the intended destination. From a website’s perspective, the traffic of the proxy network customer appears to originate from a rented/malware-infected PC tied to a residential ISP customer, not from the proxy service customer.
These services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are massively abused for hiding cybercrime activity because they make it difficult to trace malicious traffic to its original source.
The disruption at 911[.]re came days after KrebsOnSecurity published an in-depth look at the long-running proxy service, which showed that 911 had a history of incentivizing the installation of its proxy software without user notice or consent, and that it actually ran some of these “pay-per-install” schemes on its own to guarantee a steady supply of freshly-hacked PCs.
More on SocksEscort in an upcoming story.
Further reading:
July 29, 2022: 911 Proxy Service Implodes After Disclosing Breach
July 28, 2022: Breach Exposes Users of Microleaves Proxy Service
July 18, 2022: A Deep Dive Into the Residential Proxy Service ‘911’
June 28, 2022: The Link Between AWM Proxy & the Glupteba Botnet
June 22, 2022: Meet the Administrators of the RSOCKS Proxy Botnet
Sept. 1, 2021: 15-Year-Old Malware Proxy Network VIP72 Goes Dark
Your smartphone comes with built-in location services, which are useful if you lose it or if you use an app that needs to know your location. But what if you don’t want your phone to be tracked? Can the phone be located if you turn off location services? The answer is yes, it’s possible to track mobile phones even if location services are turned off.
Turning off the location service on your phone can help conceal your location. This is important if you don’t want third parties knowing where you are or being able to track your movement. However, a smartphone can still be tracked through other techniques that reveal its general location.
This article explains how your phone can be tracked and what you can do to enhance your mobile security.
Whether you have an iOS or Android phone, there are ways it can be tracked even if location services are turned off. You may have used some of these yourself to find a lost or stolen phone. For example, the Find My iPhone app uses Bluetooth to help you find an iPhone even if it’s offline.
If you have an Android phone and the Find My Device app, you can log in to your Google account and use Google Maps to check your phone’s location history.
Here are four ways that your phone could be tracked:
The United States has more than 307,000 cell towers. When you use your phone, signals travel back and forth to the nearest cell tower. Cell carriers can calculate the general area of your phone by measuring the time it takes for a signal to travel back and forth.
Carriers use cell tower triangulation for a more accurate reading, which combines location data from three cell towers. This technology was developed to help 911 operators locate callers. It pinpoints the phone’s location within a 300-meter area.
A smartphone that has Wi-Fi enabled communicates with nearby Wi-Fi networks even if it’s not connected to one. Your device automatically scans Wi-Fi access points nearby and notes the signal strength.
When using public Wi-Fi, the provider commonly asks you to agree to location tracking. That Wi-Fi provider will then record your location whenever you’re in range of one of its hot spots.
To use public Wi-Fi while protecting your privacy, it’s a good idea to connect with a VPN like McAfee’s Safe Connect VPN. This software protects your data using bank-grade encryption to keep your online activity private. The VPN also keeps your IP address and physical location private.
Cell site simulators — otherwise known as stingrays— mimic cellphone towers. They trick your phone into pinging it, transmitting its location, and identifying information. Stingrays cause cellphones to connect to them rather than to legitimate cell towers by transmitting a stronger signal than that from the cell towers.
Law enforcement officers often use stingrays to locate and track the movement of potential suspects. While attempting to connect to a specific individual, stingrays connect data from all phones in the vicinity of the device.
A device that is infected with malware or spyware can track your location even if your location settings are turned off. Malware can also record your online activities, allow cybercriminals to steal personal information, or slow down your operating system.
To help protect your mobile device, consider getting a comprehensive security tool like McAfee Security for Mobile. It works for both Android and iOS devices and comes with an antivirus app that scans for threats and malware and blocks them in real-time.
While many reasons for tracking a phone’s location information are benign — such as seeing where a loved one might be — scammers and hackers may track phones in an attempt to steal personal data.
Luckily, some telltale signs can help you spot whether your phone is being tracked.
When your phone has spyware, the program continuously runs in the background and drains your battery. A battery that is losing power faster than normal is either due to an old battery or spyware.
Check your battery health to see if it is still strong. If you use an iPhone, follow these steps to check battery health. You’ll see a maximum capacity score that shows your battery power compared to when it was new. An older phone with a battery capacity of 75% could explain why your battery loses power throughout the day. If your battery capacity is 95% or 100% and it drains quickly, however, a virus could be to blame.
It’s a slightly different process to check the battery health on an Android device. Depending on the phone brand, you may need to download an app.
Using apps with high processing demands can cause your mobile device to heat up. A spyware app that tracks your device’s location will use GPS, which causes the phone to work harder and overheat. If you’re using your smartphone normally and it overheats, it could be a sign of malware.
If there are unfamiliar apps on your phone, someone may have tampered with it. The mystery app could be spyware.
If your phone launches activities that you didn’t initiate, an app might be running in the background. In some cases, malware needs to reboot your phone to install updates or change the phone’s settings.
A phone that automatically restarts lights up for no reason or makes noises during calls or texts could be infected with malware.
Here are answers to some common questions about phone tracking.
A phone that is turned off is difficult to track because it stops sending signals to cell towers. However, the service provider or internet provider can show the last location once it’s switched back on.
Even without cell service, Android devices and iPhones can be tracked. Your phone’s mapping apps can track your phone’s location without an internet connection.
The GPS works in two ways: It uses Assisted GPS or A-GPS when you have a data connection. This uses the locations of cellphone towers and known Wi-Fi networks to figure out where you are. It also uses data from GPS satellites for more precise information. The A-GPS needs data service to work, but the GPS radio can receive satellite information without data service.
Yes, your phone can be tracked when it’s in airplane mode. While it does turn off Wi-Fi and cellular services, airplane mode doesn’t turn off GPS (a different technology that sends and receives signals from GPS satellites). You’ll have to disable GPS on your device and turn on airplane mode to prevent your phone from being tracked.
Understanding how your phone can be tracked can help you protect your privacy. For greater peace of mind, though, it can help to have a mobile security tool like McAfee Security for Mobile to keep your Android or Apple device free from spyware.
Our all-inclusive mobile security tool safeguards your digital life by offering safe browsing, a secure VPN, and antivirus software. It actively protects you from malicious apps, like spyware, and unwanted visitors.
With a dedicated mobile security app, you can use your phone the way you want without worrying about cybercriminals tracking your information.
The post Can My Phone Be Tracked If Location Services Are Off? appeared first on McAfee Blog.
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about Trend Micro’s Cyber Risk Index (CRI) and its results showing increased cyber risk. Also, read about a data breach from IoT company Wyze that exposed information of 2.4 million customers.
Read on:
The 5 New Year’s Tech Resolutions You Should Make for 2020
Now is the perfect time to reflect on the past and think of all the ways you can make this coming year your best one yet. With technology playing such a central role in our lives, technology resolutions should remain top of mind heading into the new year. In this blog, Trend Micro shares five tech resolutions that will help make your 2020 better and safer.
Security Study: Businesses Remain at Elevated Risk of Cyber Attack
Elevated risk of cyber attack is due to increased concerns over disruption or damages to critical infrastructure, according to the Trend Micro’s latest Cyber Risk Index (CRI) study. The company commissioned Ponemon Institute to survey more than 1,000 organizations in the U.S. to assess business risk based on their current security postures and perceived likelihood of attack.
Parental Controls – Trend Micro Home Network Security Has Got You Covered
In the second blog of a three-part series on security protection for your home and family, Trend Micro discusses the risks associated with children beginning to use the internet for the first time and how parental controls can help protect them.
Cambridge Analytica Scandal: Facebook Hit with $1.6 Million Fine
The Cambridge Analytica scandal continues to haunt Facebook. The company has been receiving fines for its blatant neglect and disregard towards users’ privacy. The latest to join the bandwagon after the US, Italy, and the UK is the Brazilian government.
Why Running a Privileged Container in Docker is a Bad Idea
Privileged containers in Docker are containers that have all the root capabilities of a host machine, allowing the ability to access resources which are not accessible in ordinary containers. In this blog post, Trend Micro explores how running a privileged, yet unsecure, container may allow cybercriminals to gain a backdoor in an organization’s system.
IoT Company Wyze Leaks Emails, Device Data of 2.4M
An exposed Elasticsearch database, owned by Internet of Things (IoT) company Wyze, was discovered leaking connected device information and emails of millions of customers. Exposed on Dec. 4 until it was secured on Dec. 26, the database contained customer emails along with camera nicknames, WiFi SSIDs (Service Set Identifiers; or the names of Wi-Fi networks), Wyze device information, and body metrics.
Looking into Attacks and Techniques Used Against WordPress Sites
WordPress is estimated to be used by 35% of all websites today, making it an ideal target for threat actors. In this blog, Trend Micro explores different kinds of attacks against WordPress – by way of payload examples observed in the wild – and how attacks have used hacked admin access and API, Alfa-Shell deployment, and SEO poisoning to take advantage of vulnerable sites.
FPGA Cards Can Be Abused for Faster and More Reliable Rowhammer Attacks
In a new research paper published on the last day of 2019, a team of American and German academics showed that field-programmable gate array (FPGA) cards can be abused to launch better and faster Rowhammer attacks. The new research expands on previous work into an attack vector known as Rowhammer, first detailed in 2014
Emotet Attack Causes Shutdown of Frankfurt’s IT Network
The city of Frankfurt, Germany, became the latest victim of Emotet after an infection forced it to close its IT network. There were also incidents that occurred in the German cities of Gießen, Bad Homburgas and Freiburg.
BeyondProd Lays Out Security Principles for Cloud-Native Applications
BeyondCorp was first to shift security away from the perimeter and onto individual users and devices. Now, it is BeyondProd that protects cloud-native applications that rely on microservices and communicate primarily over APIs, because firewalls are no longer sufficient. Greg Young, vice president of cybersecurity at Trend Micro, discusses BeyondProd’s value in this article.
How MITRE ATT&CK Assists in Threat Investigation
In 2013, the MITRE Corporation, a federally funded not-for-profit company that counts cybersecurity among its key focus area, came up with MITRE ATT&CK, a curated knowledge base that tracks adversary behavior and tactics. In this analysis, Trend Micro investigates an incident involving the MyKings botnet to show how the MITRE ATT&CK framework helps with threat investigation.
TikTok Banned by U.S. Army Over China Security Concerns
With backlash swelling around TikTok’s relationship with China, the United States Army this week announced that U.S. soldiers can no longer have the social media app on government-owned phones. The United States Army had previously used TikTok as a recruiting tool for reaching younger users,
Mobile Money: How to Secure Banking Applications
Mobile banking applications that help users check account balances, transfer money, or pay bills are quickly becoming standard products provided by established financial institutions. However, as these applications gain ground in the banking landscape, cybercriminals are not far behind.
What security controls do you have in place to protect your home and family from risks associated with children who are new internet users? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: Latest Cyber Risk Index Shows Elevated Risk of Cyber Attack and IoT Company Wyze Exposes Information of 2.4M Customers appeared first on .
Paul's Stories
A Guide To Network Vulnerability Management - Dark Reading - If you want the "training wheels" approach to vulnerability management, then you should read this article. However, the problem goes so much deeper, and this article doesn't even know what tool to use in order to scratch the surface. Sure, you gotta know what services are running on your systems, but it goes so much deeper than that. Environments, threats, systems and people all change, so howdo you keep up? How do you really find, and more importantly fix, the vulnerabilities in your environment?
Old Operating Systems Die Harder - Dark Reading - Okay, here is where you could make a lot of money. Create a company that can actually provide some real security to legacy operating systems. So many of our defenses fail if there is a vulnerability that doesn't have a patch. You can implement some security, but it doesn't really solve the true problem. Once an attacker is able to access the system, its game over. Unless, there is something that can really solve the problem, even thwart the exploit and/or shellcode. Technologies exist, but back-porting to legacy systems is not often done. And this is where we need the help.
Microsoft Disrupts ‘Nitol’ Botnet in Piracy Sweep - Microsoft takes down another botnet. Why is this news? Not-so-sure, as this should be the rule rather than the exception.
Blackhole Exploit Kit updates to 2.0 - Check this out, attackers are implementing security! Check this out, this exploit kit now sports: Dynamic URL generation, so there is no longer a standard URL pattern that could be used to identify the kit.IP blocking at the executable URL, so that AV companies can't just download your binary. This is meant to slow down AV detection. Use of Captcha in the admin panel login page, to prevent brute forcing unauthorized access. If legit defendersonly did all that, well, except for the CAPTCHA, which is useless.
Domino's Pizza says website hacked - One of the most useful things the Internet has ever given birth to, aside from access to free porn, is the ability to order pizza online. So back off! Oh, then there is this: "This is a very unfortunate event which has happened despite the security ecosystem that we have created around our online assets. Some security "ecosystem" you got there.
More SSL trouble - SSL is broken, again, Drink!
Apple unveils redesigned iPhone 5 with 4-inch display - I did not see any mention of improved security, but what a sexy device. Wireless now supports dual band n, which is awesome.
Google helps close 163 security vulnerabilities in iTunes - iTunes is a beast, I use it all the time and well at the end of the day its kind of a resource pig, but gets the job done. However, its pretty crappy software, tons of vulnerabilities, and new ones found by Google! Webkit was to blame for many...#Antivirus programs often poorly configured - New study finds AV is not configured correctly. No huge surprises there... Do weneed to make it easier to configure or are people just lazy or both?
Larry's stories
Who's your GoDaddy - [Larry] - Yup, GoDaddy dns was down for the count. This included their own authoritative DNS as well as for those for the hosted stuff. Of course, now folks are talking about DoS against root name servers, and OMG the sky is falling. Of course, a single Anonymous member took credit, and GoDaddy, said along the lines of "Ooops, we tripped on a cable and corrupted our routing tables". Who do you believe… In other notes, a leaf fell from a tree and an individual member from anonymous took credit.
What happens when your encryption is EOL-ed - [Larry] - Victorinox (the Swiss Army folks) are offering full refunds if you return the secure usb thumb drives. Why? As of September 15th the certificate will expire, and they have no intent on renewing and are stopping support for the software. If you don't get your data out of the encrypted volume before then, you'll allegedly lose it. So, what happens when we have something else like this that is significantly more mission critical, we have significant investment and no upgrade path. Choose wisely.
Judge rules WiFi Sniffing Legal - [Larry] - Basically it boils down that is you have an open network and the data is in the clear, you should be able to sniff it. Don't want someone to sniff it? Encrypt it - and yes, WEP would be sufficient for word of law here. So, why did the judge rule this way? Wireless is a shared medium. If you are not allowed to sniff traffic that is not destined to you, then how are you able to determine that the traffic on said network is destined for you? Ruling against it would make all WiFi networks illegal, just by nature of the technology.
ACTUAL Stego in the wild for "legitimate purpose" - [Larry] - I just put this story in for Darren to bust John's stones. But, it appears that Blizzard has been embedding information about the user via stegonaography into screenshots taken by the WoW clients.
Jack's Ruminations
Half of all Androids have Vulns? Also, water is wet. I'm surprised at this, I would have expected much higher. Android phones are at the mercy of their carriers for updates. And carriers are not noted for their mercy.
Chip and Pin, er, PWN Chip and pin research shows that this bandage for the fundamentally obsolete and insecure payment card systems. The EMV protocol has crypto issues, as in "programmers may not be using cryptographic random number generator algorithms to create UNs, and instead may be using counters, timestamps or homegrown algorithms that are not so random."
New FBI Facial Recognition program what could possibly go wrong? From the article "nabbing crooks after a crime is only part of the appeal. The technology also foreshadows upcoming security enhancements that will stop many offenses before they start". That "before they start" bit sounds pretty damned scary to me.
