FBI Director “very concerned” with smartphone encryption

With Apple, Google and other tech companies responding to users’ demands for privacy with further smartphone encryption options, not everyone is happy. FBI Director James Comey is “very concerned” about increased mobile OS encryption, according to TechSpot.

In a statement reported by The Huffington Post, Comey said that while he understood the need for privacy, the encryption and security added by tech giants could be a severe barrier to government access to devices in extreme circumstances – such as preventing an expected terror attack. “I am a huge believer in the rule of law, but I also believe that no one in this country is beyond the law. What concerns me about this is companies marketing something expressly to allow people to place themselves beyond the law,” he told reporters in Washington last week.

The statement comes off the back of both Apple and Android marketing devices based on their increased smartphone encryption options, as the public is increasingly concerned by what happens to their data in an increasingly connected world. Indeed, Wired states that both companies have promised that the newest versions of their software make it impossible for them to unlock encrypted phones, even when compelled to do so by government. But Comey believes that the balance of privacy and public safety is going too far the other way:

“I like and believe very much that we should have to obtain a warrant from an independent judge to be able to take the content of anyone’s closet or their smartphone. The notion that someone would market a closet that could never be opened – even if it involves a case involving a child kidnapper and a court order – to me that does not make any sense.”

Despite the assurances that devices are increasingly security-focused, it’s important to remember that even the most ‘secure’ device can have its vulnerabilities, as the privacy-focused Blackphone discovered when it was hacked in just five minutes at the DEF CON security conference last month.

by We Live Security, ESET

What’s scamming this week? FBI, Tesco and Bank of Ireland

ESET Ireland warns of FBI, Tesco and Bank of Ireland names abused by scammers in phishing emails sent to Irish mailboxes.

Another week, another variation of the old phishing scams hitting Irish mailboxes. This week the scammers are telling us Bank of Ireland wants us to update our account, Tesco wants to add €120 to our cards and FBI wants to pay us $5.9 million. Wow!

Dear customer,
We wish to inform you that access to your online account will soon expire. In order for this service to continue without any interruption, You are require to fill and confirm your details via the following link below:
Update Your Bank Of Ireland online account:- click here to update
After which your online account will then be automatically restored and you will be contacted by one of our bank employees.
With online banking , you have everything at your fingertips with a click .
With online banking , you have quick and easy access to your checking account. You can easily do transfers and standing orders with one click.
We are very pleased to be at your service
Sincerely,
Bank Of Ireland Customer Service.

 

So says the first phishing email. They’re basically telling us to go to their page and give them our online banking login details, so they can do whatever they want with them. Bank of Ireland warns of these scams on their website, saying “Never respond to any unsolicited e-mail that asks you to validate your login / payment credentials no matter how reasonable the request looks.”

You have been selected to access the Tesco Survey and win a 120€ direct to your card.
Please click here and complete the form to receive your reward. Thank you.

 

The “Tesco” spam is even more straightforward, but like the one above just leads to a site that harvests people’s personal details and financial info. Tesco also offers some advice on staying safe online on their website, adding “Please remember we will never ask for your bank or security details.”

But my personal favourite this week is the FBI one. The gist of it is that the FBI is warning us “that you are among one of the individuals and organizations who are yet to receive their overdue payment from overseas which includes those of Lottery / Gambling, Contract and Inheritance. Through our Fraud Monitory Unit we have noticed that you have been transacting with some impostors and fraudsters” and that “The Cyber Crime Division of the FBI gathered information from the Internet Fraud Complaint Center (IFCC) on how some people have lost outrageous sums of money to these impostors”, and because those wicked fraudsters are out to get us, we should contact barrister James Henry of the Central Bank of Nigeria directly, with all our banking details, so he can transfer us $5.9 million that we are “owed”. Scammers trying to scam us by warning us of scammers. Cute, isn’t it?

Well, now you know. Don’t fall for their tricks and stay safe online.

Is FBI spying on Irish iPhone and iPad users?

Identification info on millions of iPhone and iPad users has been leaked to the internet, allegedly from FBI’s computers. Among them are also hundreds of Irish names.

The hacker group Anti-sec, a branch of the Anonymous movement, recently claimed it holds 12 million Apple device IDs (UDID), push notification IDs and names of iPhone and iPad users worldwide. There is supposed evidence that the data came from an FBI computer, though the FBI has denied it. Of these 12 million, the hackers have made 1 million available to decrypt and have a look at, which we did. And to our surprise we have found a very large number of very Irish names on the list. And while most of those are likely to be American, there is also quite a noticeable presence of Irish-spelled names such as Daithi, Ciaran or Ciara, Cathal, Padraig or Padraic, etc., which Americans would be unlikely to use, combined with recognisable family names like Haggerty, Doyle, O’Byrne, Murphy, Lafferty, etc.

The information itself could theoretically be used to access iPhone and iPad apps from locations other than the owner’s device, so the damage it can cause depends on the sort of apps someone uses. With some skill, attackers could retrieve the users’ geo-location, access their contact lists, log into their Facebook or Twitter, read their chats, etc.

But even more concerning than the potential abuse of leaked UDIDs is the fact that someone, whether that was the FBI or anyone else, is collecting and storing lists of IDs that should not be public knowledge. Whether Anti-sec got it from the FBI or from other hackers, the fact remains: your name could be on the list, and your Apple device could be compromised without you knowing about it. And if that is the case, then there is definitely reason to be worried.

Since the leak, users worldwide have been scrambling to ascertain whether or not their devices have been compromised. In light of this, a number of sites have since popped up offering the user the ability to check their UDID against the leaked information. We strongly advise against this, as verifying just who is behind any such site and what they do with your UDID once you willingly give it to them is next to impossible.

Urban Schrott
IT Security & Cybercrime Analyst
ESET Ireland

Ciaran McHale
Tech Support Specialist
ESET Ireland

 

CyberThreats Daily: FBI nabs international “scareware” ring

Long a puzzling challenge, the FBI seems to be making strides in tackling international coordinated scams, in this case, scareware. Scareware, the practice of providing fake infection notifications to users’ computers, and then offering to sell solutions to problems that don’t exist, has been quite a boon as of late for fraudsters. The FBI claims the current bust uncovered a ring which had bilked customers out of an estimated $72 million. Not bad for a little scammer work, very bad for unsuspecting customers.

What is interesting is the manner in which the FBI was able to coordinate the bust with 7 other countries, a none-too-trivial feat. While they were able to seize 22 computers in the U.S., there were also 25 computers in France, Germany, Latvia, Lithuania, the Netherlands, Sweden, and the United Kingdom. The U.S. Justice Department made the announcement, noting that it was a coordinated effort between law enforcement in all the host countries, definitely not a one-man band.

This follows trends we’ve been noting for some time. Scam operations of all different flavors rely heavily on a global distributed approach, not a single attack source. This makes law enforcement jump through amazing hoops to try to bring legally binding prosecution, especially trying to comply with local laws in all countries that may be involved, and not get the case thrown out for a single improper procedure, which is no trivial task. To add to the difficulty, a complex operation tracked in real time is likely to be dynamic, with resources (and evidence) moving seamlessly from one country to another. This means law enforcement would need incredibly fast response and tracking information to have any prospect of getting to the “smoking keyboard” before it sprints to another country and/or jurisdiction.

Understandably, the techniques aren’t forthcoming, and for good reason: for every one caught there are multiple others that they still hope to catch, so we’ll see what the half-life is of their current bag of tricks. As malware and attacks continually morph to avoid detection, techniques to pursue their makers must also morph, keeping law enforcement on its toes. Latvian authorities seized 5 bank accounts believed to be connected to the scam, giving a clue of where the nexus of the operation affecting an estimated 960,000 victims may have been.

Cameron Camp
ESET Research Systems Manager

Giving Cold Callers the Cold Shoulder

Yesterday I had a phone call. Well, several, of course, but this was yet another irritating cold call. If you’ve read some of my many blogs on the subject, you might think that it must have been yet another support desk scam, but it wasn’t.

The first question I asked was “who do you represent”: it turned out to be one of many companies in the UK that offers a service to people who feel they may have a claim against a mortgage lender or insurance provider. That’s not really my field, so I find it harder to distinguish between legitimate and less legitimate businesses in that field, and I can’t say that this wasn’t a legitimate call. Except that, like many people in many countries, I’m subscribed to a “do not call” register. In fact, the European Union’s Data Privacy Directive 2002/58/EC requires member states to enact legislation to control cold-calling, using either an opt-in or an opt-out model: for example:

And in the US, there is the National Do Not Call Registry at https://www.donotcall.gov/default.aspx, and an equivalent site for Australians is https://www.donotcall.gov.au/.

Hence my second question: “Are you in the UK?” Unfortunately, the answer was no. And therein lies a problem that goes beyond support scams. The telephone network, like the Internet, isn’t very good at recognizing national boundaries. Which is why I have a couple of rules of thumb when it comes to cold callers (apart from the fact that I don’t expect UK companies to contact me at all, which doesn’t mean it never happens). I don’t talk to cold-callers who withhold caller ID*. And I won’t do business with a company that uses offshore call-centres to avoid do-not-call registers.

*While Spanish telecom providers appear to be pretty relaxed about the extent to which businesses cold-call, at any rate on weekdays and Saturday mornings, there is at least an agreement between most of the major providers that callers are not allowed to withhold the number from which they call. And my colleague Josep Albors tells me that there is, in fact, a Spanish do-not-call list called Robinson’s List, which seems to be well in accordance with the EC directive. See: https://www.listarobinson.es/default.asp. Josep also tells me that the restriction on withholding caller-ID is working very successfully there.

And back in the US, the FCC is upping the penalties for those who spoof Caller ID for malicious purposes in accordance with the Truth in Caller ID Act (hat tip to Aryeh for that info). Not that these measures will impact on offshore scammers, but at least they make my rules of thumb just a little more effective.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

CyberThreats Daily: Win7 machines harder hit by infection as VXers change tactics

Win7 infection rates rose during the second half of 2010 even as malware hit rates on XP machines declined, according to official statistics from Microsoft.

The latest edition of Microsoft’s Security Intelligence Report shows an infection rate of four Win7 PCs per 1,000 in the second half of 2010, up from three Win7 PCs per 1,000 during the first half of 2010. The rise of more than 30 per cent contrasts with a drop of the infection rate, albeit from a much higher starting point, for older and less secure machines running Windows XP. Read more on The Register.

Getting a grip on Flash cookies: Adobe publishes Flash 10.3

Adobe has published version 10.3 of its Flash Player for all platforms. This version finally gives users control of their Flash cookies, but only if one of the currently supported web browsers is used: Firefox 4, Chrome 11, Internet Explorer 8 (or higher) and, soon, Safari. Full article on The H Security.

Magic Lantern: Shining a light on the AV numbers game?

“You don’t hear anything about the FBI’s Magic Lantern spyware – sorry, policeware – for years, and then suddenly it’s all over the place. Media-wise, at any rate: I don’t have any exciting news of an epidemic of electronic surveillance, but there seems to be a lot of interest in Computer and Internet Protocol Address Verifier (CIPAV) again…” writes David Harley, ESET senior research fellow.
