Geek Stuff

New Spear Phishing Campaign Pretends to be EFF

EFF's Deeplinks -

Google's security team recently identified a new domain masquerading as an official EFF site as part of a targeted malware campaign. That domain, electronicfrontierfoundation.org, is designed to trick users into a false sense of trust and it appears to have been used in a spear phishing attack, though it is unclear who the intended targets were. The domain was registered on August 4, 2015, under a presumably false name, and we suspect that the attack started on the same day. At the time of this writing the domain is still serving malware.

Electronicfrontierfoundation.org was not the only domain involved in this attack. It seems to be part of a larger campaign, known as “Pawn Storm”. The current phase of the Pawn Storm attack campaign started a little over a month ago, and the overall campaign was first identified in an October 2014 report from Trend Micro (PDF). The group behind the attacks is possibly associated with the Russian government and has been active since at least 2007.

The attack is relatively sophisticated—it uses a recently discovered Java exploit, the first known Java zero-day in two years. The attacker sends the target a spear phishing email containing a link to a unique URL on the malicious domain (in this case electronicfrontierfoundation.org). When visited, the URL will redirect the user to another unique URL in the form of http://electronicfrontierfoundation.org/url/{6_random_digits}/Go.class containing a Java applet which exploits a vulnerable version of Java. Once the URL is used and the Java payload is received, the URL is disabled and will no longer deliver malware (presumably to make life harder for malware analysts). The attacker, now able to run any code on the user's machine due to the Java exploit, downloads a second payload, which is a binary program to be executed on the target's computer.

We were able to recover the following samples of the malicious Java code from electronicfrontierfoundation.org.

Filename   MD5 Sum                           SHA1 Sum
App.class  0c345969a5974e8b1ec6a5e23b2cf777  95dc765700f5af406883d07f165011d2ff8dd0fb
Go.class   25833224c2cb8050b90786d45f29160c  df5f038d78f5934bd79d235b4d257bba33e6b3

The decompiled Java for App.class

The Go.class applet bootstraps and executes App.class, which contains the actual attack code. The App.class payload exploits the same Java zero-day reported by Trend Micro and then downloads a second stage binary, internally called cormac.mcr, to the user's home directory and renames it to a randomly chosen string ending in `.exe`. Interestingly, App.class contains code to download a *nix compatible second stage binary if necessary, implying that this attack is able to potentially target Mac or Linux users.
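The indicators in the post (the look-alike domain, the /url/{6_random_digits}/Go.class landing URL and the hashes of the two recovered classes) are enough to write a small detector for web-proxy logs and quarantined files. The following is an added example, not code from the EFF post; the proxy log lines are constructed, the log format (timestamp, client IP, method, URL, status) is assumed, and the hash values are copied exactly as printed above.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Optional

# Indicators taken from the post: the masquerading domain, the shape of the
# one-shot exploit URL, and the MD5/SHA1 sums of the recovered Java classes.
PHISHING_DOMAIN = "electronicfrontierfoundation.org"
EXPLOIT_URL_RE = re.compile(
    r"^https?://(?:[\w-]+\.)*electronicfrontierfoundation\.org/url/\d{6}/Go\.class$"
)
# Digest -> label. The Go.class SHA1 is copied as printed in the post.
KNOWN_BAD_HASHES: Dict[str, str] = {
    "0c345969a5974e8b1ec6a5e23b2cf777": "App.class (MD5)",
    "95dc765700f5af406883d07f165011d2ff8dd0fb": "App.class (SHA1)",
    "25833224c2cb8050b90786d45f29160c": "Go.class (MD5)",
    "df5f038d78f5934bd79d235b4d257bba33e6b3": "Go.class (SHA1)",
}

# Constructed sample proxy log (assumed format: timestamp client method url status).
SAMPLE_PROXY_LOG = """\
2015-08-27T09:14:02Z 10.1.2.3 GET http://www.eff.org/deeplinks 200
2015-08-27T09:15:11Z 10.1.2.44 GET http://electronicfrontierfoundation.org/cgi-bin/abc123 302
2015-08-27T09:15:12Z 10.1.2.44 GET http://electronicfrontierfoundation.org/url/482913/Go.class 200
2015-08-27T09:20:40Z 10.1.2.9 GET https://www.example.org/index.html 200
"""


def classify_url(url: str) -> Optional[str]:
    """Return 'exploit-url' for the Go.class landing page, 'lookalike-domain'
    for any other request to the masquerading domain, or None."""
    if EXPLOIT_URL_RE.match(url):
        return "exploit-url"
    host = re.sub(r"^https?://", "", url).split("/", 1)[0].lower()
    if host == PHISHING_DOMAIN or host.endswith("." + PHISHING_DOMAIN):
        return "lookalike-domain"
    return None


def scan_proxy_log(lines: Iterable[str]) -> List[dict]:
    """Walk proxy log lines and collect every request touching the indicators."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed or truncated line, skip rather than crash
        ts, client, _method, url, _status = parts[:5]
        verdict = classify_url(url)
        if verdict:
            hits.append({"time": ts, "client": client, "url": url, "verdict": verdict})
    return hits


def lookup_digest(hexdigest: str) -> Optional[str]:
    """Map a hex digest to its indicator label, if it is a known sample."""
    return KNOWN_BAD_HASHES.get(hexdigest.lower())


def match_file_hashes(blob: bytes) -> List[str]:
    """Hash a quarantined file with MD5 and SHA1 and report any indicator match."""
    digests = [hashlib.md5(blob).hexdigest(), hashlib.sha1(blob).hexdigest()]
    return [label for d in digests for label in [lookup_digest(d)] if label]


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        print(hit)
```

Because the landing URL is served only once, the proxy log is often the only record that a client reached it; flagging every request to the domain (not just the Go.class fetch) also catches the initial redirect hop described above.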

Unfortunately we weren't able to retrieve the second-stage binary; however, this is the same path and filename that has been used in other Pawn Storm attacks, which suggests that it is likely to be the same payload: the malware known as Sednit. On Windows, the Sednit payload is downloaded to the logged-in user's home directory with a randomly generated filename and executed. On running, it hooks a variety of services and downloads a DLL file. The DLL file is executed and connects to a command and control server, where it appears to verify the target and then execute a keylogger or other modules as may be required by the attacker.

Because this attack used the same path names, Java payloads, and Java exploit that have been used in other attacks associated with Pawn Storm, we can conclude that this attack is almost certainly being carried out by the same group responsible for the rest of the Pawn Storm attacks. Other security researchers have linked the Pawn Storm campaign with the original Sednit and Sofacy targeted malware campaigns–also known as “APT 28”–citing the fact that they use the same custom malware and have similar targets. In a 2014 paper the security company FireEye linked the “APT 28” group behind Sednit/Sofacy with the Russian Government (PDF) based on technical evidence, technical sophistication, and targets chosen. Drawing from these conclusions, it seems likely that the organization behind the fake-EFF phishing attack also has ties to the Russian government. Past attacks have targeted Russian dissidents and journalists, U.S. Defense Contractors, NATO forces, and White House staff. We do not know who the targets were for this particular attack, but it does not appear that it was EFF staff.

The phishing domain has been reported for abuse–though it is still active, and the vulnerability in Java has been patched by Oracle. Of course this is an excellent reminder for everyone to be vigilant against phishing attacks. Our SSD guide contains advice on how to improve your security, watch for malicious emails, and avoid phishing attacks such as this one.

Related Issues: Security, State-Sponsored Malware
Related Cases: Kidane v. Ethiopia

Learn FPGAs With a $25 Board and Open Source Tools

Slashdot -

An anonymous reader writes: Hackaday has a 3 part tutorial with videos of using open source tools with a cheap ($25) FPGA board. The board isn't very powerful, but this could be the 'gateway drug' to FPGAs for people who don't want to spend hundreds of dollars and install 100s of megabytes of software and license keys just to get their feet wet. The videos are particularly good--like watching them over their shoulder. As far as I know, this is the only totally open source FPGA toolchain out there.

Read more of this story at Slashdot.

Besieged Malaysian PM Doubles Down on Online Censorship Ahead of Anti-Corruption Rally

EFF's Deeplinks -

This weekend, tens of thousands of ordinary Malaysians will flood into the cities of Kuala Lumpur, Kota Kinabalu and Kuching, with satellite events held in solidarity around the world, to call for the resignation of Prime Minister Najib Razak. The rally, organized by Bersih 2.0, a non-partisan coalition of non-governmental organizations standing against political corruption and calling for electoral reform, comes in the wake of allegations that Razak siphoned off $700m of public money into his personal bank account.

Last month we reported that the Malaysian government had censored the website of the Sarawak Report, which first broke news of the corruption allegations. A few days later, the government also suspended the publication licenses of two print publications that ran the same exposé.

Today, the Malaysian Communication and Multimedia Commission (MCMC) went a step further, warning in a message on its Facebook page that it would be taking steps to block all websites promoting this weekend's rally on the ground that it could “threaten national security.” This threat extends to Malaysia's online news portals, which are the media outlets most free from government control. The blocking threat reneged on an earlier promise that there would be no such censorship, and drew immediate criticism from the opposition party and from civil society groups.

No sooner was it announced than the crackdown was rolled out. Already, the Bersih 2.0 website is reportedly inaccessible from all three of Malaysia's mobile providers, with blocks from wired Internet providers likely to follow soon. Technology activists from the nonprofit Sinar Project have promoted the use of the censorship circumvention module of EFF's Surveillance Self-Defense as a way for Malaysians to overcome the blocks.

The rally, of course, will go ahead as planned. Even so, the citizens who take to the streets this weekend should take precautions to protect not only—and most importantly—their own physical safety, but also the security of their personal devices. As we have seen in the Arab world and elsewhere, censorship of the Internet is often the last resort of a corrupt government that is soon destined to fall—but not before claiming the freedom of many brave activists. EFF wishes Malaysians a safe, peaceful and powerful demonstration this weekend.

Related Issues: Free Speech, International

Canadian Nuclear Accident Study Puts Risks Into Perspective

Slashdot -

An anonymous reader writes: A Canadian Nuclear Safety Commission (CNSC) study has concluded that there would be no detectable increase in cancer risk for most of the population from radiation released in a hypothetical severe nuclear accident. The CNSC's study is the result of a collaborative effort of research and analysis undertaken to address concerns raised during public hearings on the environmental assessment for the refurbishment of Ontario Power Generation's (OPG's) Darlington nuclear power plant in 2012. The draft study was released for public consultation in June 2014. Feedback from the Commission itself and comments from over 500 submissions from the public, government and other organizations have been incorporated in the final version. The study involved identifying and modelling a large atmospheric release of radionuclides from a hypothetical severe nuclear accident at the four-unit Darlington plant

Read more of this story at Slashdot.

Google May Try To Recruit You For a Job Based On Your Search Queries

Slashdot -

HughPickens.com writes: If Google sees that you're searching for specific programming terms, they may ask you to apply for a job as Max Rossett writes that three months ago while working on a project, he Googled "python lambda function list comprehension." The familiar blue links appeared on the search page, and he started to look for the most relevant one. But then something unusual happened. The search results split and folded back to reveal a box that said "You're speaking our language. Up for a challenge?" Clicking on the link took Rossett to a page called "foo.bar" that outlined a programming challenge and gave instructions on how to submit his solution. "I had 48 hours to solve it, and the timer was ticking," writes Rossett. "I had the option to code in Python or Java. I set to work and solved the first problem in a couple hours. Each time I submitted a solution, foo.bar tested my code against five hidden test cases." After solving another five problems the page gave Rossett the option to submit his contact information and much to his surprise, a recruiter emailed him a couple days later asking for a copy of his resume. Three months after the mysterious invitation appeared, Rossett started at Google. Apparently Google has been using this recruiting tactic for some time.

Read more of this story at Slashdot.

The iBackpack has it all, but is it worth $200? [crowdfunding]

Liliputing -

A new connected wearable has recently appeared in the crowdfunding market. It’s called the iBackpack and it pretty much has everything. Built into the design is an external battery pack, four USB charging ports, a microUSB cord, a Bluetooth speaker, a GPS tracker with an anti-theft alarm, and a Wi-Fi hotspot. In an age where […]

The iBackpack has it all, but is it worth $200? [crowdfunding] is a post from: Liliputing

NASA Scientists Paint Stark Picture of Accelerating Sea Level Rise

Slashdot -

A NASA panel yesterday announced a widely reported finding that global sea levels have risen about three inches since 1992, and that these levels are expected to keep rising as much as several more feet over the next century -- on the upper end of model-based predictions that have been made so far. From the Sydney Morning Herald piece linked above: NASA says Greenland has lost an average of 303 gigatons [of ice] yearly for the past decade. Since it takes 360 gigatons to raise sea level by a millimetre, that would suggest Greenland has done this about eight times over just in the last 10 years or so. "People need to be prepared for sea level rise," said Joshua Willis, an oceanographer at NASA's Jet Propulsion Laboratory in La Cañada Flintridge. "It's not going to stop."

Read more of this story at Slashdot.

Samsung Galaxy Tab S2 launches September 3rd for $400 and up

Liliputing -

Samsung unveiled a new line of premium Android tablets in July, and now they’re just about ready to go on sale. You’ll be able to purchase a Samsung Galaxy Tab S2 in the United States starting September 3rd… but you’ll need to pony up $400 or more because the Galaxy Tab S2 is one of the […]

Samsung Galaxy Tab S2 launches September 3rd for $400 and up is a post from: Liliputing

Former Apple CEO Creates an iPhone Competitor

Slashdot -

An anonymous reader links to Fast Company's profile of Obi Worldphone, one-time Apple CEO John Sculley's venture into smartphones. The company's first two products (both reasonably spec'd, moderately priced Android phones) are expected to launch in October. And though the phones are obviously running a different operating system than Apple's, Sculley says that Obi is a similarly design-obsessed company: "The hardest part of the design was not coming up with cool-looking designs," Sculley says. "It was sweating the details over in the Chinese factories, who just were not accustomed to having this quality of finish, all of these little details that make a beautiful design. We had teams over in China, working for months on the floor every day. We intend to continue that process and have budgeted accordingly." Obi is also trying to set itself apart from the low-price pack by cutting deals for premium parts. "Instead of going directly to the Chinese factories, we went to the key component vendors, because we know that ecosystem and have the relationships," Sculley says. "We went to Sony. It’s struggling and losing money on its smartphone business, but they make the best camera modules in the world."

Read more of this story at Slashdot.

A "Public Health" Approach To Internet of Things Security

Slashdot -

New submitter StewBeans writes: Guaranteeing your personal privacy in an era when more and more devices are connecting our daily lives to the Internet is becoming increasingly difficult to do. David Bray, CIO of the FCC, emphasizes the exponential growth we are facing by comparing the Internet we know today to a beachball, and the Internet of Everything future to the Sun. Bray says unless you plan to unplug from the Internet completely, every consumer needs to assume some responsibility for the security and overall health of the Internet of Everything. He says this might look similar to public health on the consumer side — the digital equivalent of hand washing — and involve an open, opt-in model for the rapid detection of abnormal trends across global organizations and networks.

Read more of this story at Slashdot.

FireStarter is an Amazon Fire TV home screen replacement (for now)

Liliputing -

Amazon’s Fire TV products make it easy to stream videos from Amazon, Netflix, Hulu, YouTube, and other sources to your TV. You can also install many third-party apps and games available from the Amazon Appstore. Want to install an app that’s not in Amazon’s store? No problem. The Fire TV and Fire TV Stick run Android, […]

FireStarter is an Amazon Fire TV home screen replacement (for now) is a post from: Liliputing

Docs: Responding To Katrina, FBI Made Cell Phone Surveillance Its Priority

Slashdot -

v3rgEz writes: There's a lot of lessons that the federal government should have learned in the aftermath of Katrina. Increased domestic surveillance, however, appears to be the one the FBI took to heart, using the natural disaster as a justification for ramping up its use of Stingray cell phone tracking throughout Louisiana after the storm, according to documents released under FOIA to MuckRock.

Read more of this story at Slashdot.

Open Source, Collaborative Rich-Text, Web-Based Editor Almost Available

Slashdot -

johanneswilm writes: Open source web-based editors such as CKEditor and TinyMCE have been available for more than a decade, and some closed source collaborative editors such as Google Docs have been available since 2007. Creating open source, collaborative, rich-text, web-based editors has proven difficult due to lack of standardization of the lower-level browser features. Now Marijn Haverbeke, the developer behind the popular CodeMirror, has started such an editor, called Prosemirror, financed through a crowd-funding campaign. Meanwhile the W3C has installed a task force to rapidly standardize and fix the features needed in browsers to easily create rich-text and semantic editors.

Read more of this story at Slashdot.

HP Spectre X2 12.5″ convertible with Core M Skylake on the way

Liliputing -

The HP Pavilion x360 isn’t the only 2-in-1 tablet from HP that’s getting a Skylake update. The folks at Notebook Italia also spotted evidence that HP plans to add a new model to the Spectre X2 line of Windows tablets with detachable keyboards. The new HP Spectre X2 is expected to feature a 12.4 inch display […]

HP Spectre X2 12.5″ convertible with Core M Skylake on the way is a post from: Liliputing

Kansas Secretary of State Blocks Release of Voting Machine Tapes

Slashdot -

PvtVoid writes: Wichita State University statistician Beth Clarkson has filed a lawsuit under Kansas' open records law to force the state to release paper tape records from voting machines, to be used as data in her research on statistical anomalies in voting patterns in the state. Clarkson, a certified quality engineer with a Ph.D. in statistics, has analyzed election returns in Kansas and elsewhere over several elections that indicate 'a statistically significant' pattern where the percentage of Republican votes increases the larger the size of the precinct. The pattern could be voter fraud or a demographic trend that has not been picked up by extensive polling. Secretary of State Kris Kobach argued that the records sought by Clarkson are not subject to the Kansas open records act, and that their disclosure is prohibited by Kansas statute.

Read more of this story at Slashdot.

Tech Nightmares That Keep Turing Award Winners Up At Night

Slashdot -

itwbennett writes: At the Heidelberg Laureate Forum in Germany this week, RSA encryption algorithm co-inventor Leonard Adleman, "Father of the Internet" Vint Cerf, and cryptography innovator Manuel Blum were asked "What about the tech world today keeps you up at night?" And apparently they're not getting a whole lot of sleep these days. Cerf is predicting a digital dark age arising from our dependence on software and our lack of "a regime that will allow us to preserve both the content and the software needed to render it over a very long time." Adleman worries about the evolution of computers into "their own species" — and our relation to them. Blum's worries, by contrast, lean more towards the slow pace at which computers are taking over: "'The fact that we have brains hasn't made the world any safer,' he said. 'Will it be safer with computers? I don't know, but I tend to see it as hopeful.'"

Read more of this story at Slashdot.

Deals of the Day (8-27-2015)

Liliputing -

The Asus Transformer Book T100 may be nearly two years old, but it’s still one of the best small 2-in-1 tablets on the market when you look at the performance-to-price ratio. The Transformer Book T100 gets long battery life, works in laptop or tablet modes, and has enough horsepower for most Windows tasks including editing documents, […]

Deals of the Day (8-27-2015) is a post from: Liliputing

UNC Scientists Open Source Their Genomic Research

Slashdot -

ectoman writes: The human genome specifies more than 500 "kinases," enzymes that spur protein synthesis. Four hundred of them are still mysteries to us, even though knowledge about them could spark serious medical innovations. But scientists at the University of North Carolina, Chapel Hill, have initiated an open source effort to map them all—research they think could pioneer a new generation of drug discovery. As members of the Structural Genomics Consortium, the chemical biologists are spearheading a worldwide community project. "We need a community to build a map of what kinases do in biology," one said. "It has to be a community-generated map to get the richness and detail we need to be able to move some of these kinases into drug facilities. But we're just doing the source code. Until someone puts the source code out there and makes it available to everybody, people won't have anything to modify."

Read more of this story at Slashdot.

AMD Unveils Radeon R9 Nano, Targets Mini ITX Gaming Systems With a New Fury

Slashdot -

MojoKid writes: AMD today added a third card to its new Fury line that's arguably the most intriguing of the bunch, the Radeon R9 Nano. True to its name, the Nano is a very compact card, though don't be fooled by its diminutive stature. Lurking inside this 6-inch graphics card is a Fiji GPU core built on a 28nm manufacturing process paired with 4GB of High Bandwidth Memory (HBM). It's a full 1.5 inches shorter than the standard Fury X, and unlike its liquid cooled sibling, there's no radiator and fan assembly to mount. The Fury Nano sports 64 compute units with 64 stream processors each for a total of 4,096 stream processors, just like Fury X. It also has an engine clock of up to 1,000MHz and pushes 8.19 TFLOPs of compute performance. That's within striking distance of the Fury X, which features a 1,050MHz engine clock at 8.6 TFLOPs. Ars Technica, too, takes a look at the new Nano.

Read more of this story at Slashdot.

Subscribe to debianHELP aggregator - Geek Stuff