
“TROJAN LOAPI” HUNTS PORNOGRAPHIC LOVERS!!!

It seems virus writers have not given up on devising new kinds of unpleasantness for Android users who are fond of downloading adult-rated apps and anti-virus apps onto their devices, from third-party stores as well as from the Google Play store.

A Trojan horse, or Trojan, is a kind of malware disguised as legitimate software. Hackers use Trojans to gain access to users’ systems.

Unlike other Trojans, this one is programmed to overheat the device by keeping the processor at maximum load for prolonged periods. In addition, it can turn the phone into a zombie, hijacking it for DDoS attacks against web resources, and secretly sign users up to paid services.

HOW TROJAN LOAPI OPERATES:

Users pick up the Loapi Trojan by clicking on an ad banner or by downloading a fake AV or adult-content app. As stated earlier, fake AV and adult-content apps are the common vehicles Loapi uses to get onto users’ devices.

After the fake app is installed, Loapi asks for device administrator rights. The notification asking to grant Loapi administrator rights keeps reappearing on the device screen until the user finally accepts.

If the user later tries to revoke Loapi’s administrator rights, it locks the screen and closes the settings window.

Furthermore, if the user tries to download apps to protect the device against malware and Trojans, Loapi declares them to be malware and demands their removal.

Loapi relies heavily on wearing users down so that they cannot install legitimate anti-virus apps that would wipe out it and other similar Trojans.

HOW TO AVOID TROJANS:

  • Disable installation of apps from unknown sources. In Settings, go to Security and make sure the Unknown sources checkbox is not selected.
  • Get a reliable, proven AV for Android and scan your device with it regularly; even the Google Play store is not guaranteed to be free of malicious apps. Doing so adds another layer of security.

#ISA_informs

#ISA_ltd


What Do You Know About “Janus” Vulnerability?

The Janus vulnerability is the latest technique used by attackers to modify Android apps without invalidating the app’s signature.

This vulnerability is caused by the way Android handles APK installation for applications, leaving

You need basic knowledge of Android application development to understand the Janus vulnerability well.

The Janus vulnerability does not affect APK signature scheme v2; it only affects APK signature scheme v1. It also does not affect Android Oreo and Nougat, but it does affect Android Marshmallow and below.

Due to the lack of file integrity checking during APK installation, attackers utilize this opportunity to include

SUGGESTED SOLUTIONS AGAINST JANUS:

  • Android developers should always
  • Upgrade your device OS (if possible)
  • Be extra careful when downloading apps as well as when updating them.
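An added example (not code from the post): a Python triage for the two properties the post contrasts. It checks whether an APK carries a v2 signing block (the 16-byte magic that sits just before the ZIP central directory) and whether anything precedes the first ZIP entry, and it shows that per-entry digests, which are all that v1 covers, are unchanged by bytes placed in front of the entries. The sample package and the dummy signing block are constructed here and are not real signatures.

```python
import hashlib
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # 16-byte magic that ends a v2 APK Signing Block
ZIP_LOCAL_HEADER = b"PK\x03\x04"            # every well-formed APK starts with a local file header
EOCD_SIGNATURE = b"PK\x05\x06"              # end-of-central-directory record, found by scanning from the end
V2_BLOCK_ID = 0x7109871A                    # ID of the v2 signature pair inside the signing block


def find_eocd(data: bytes) -> int:
    """Locate the EOCD record the way ZIP readers do: from the end of the file."""
    pos = data.rfind(EOCD_SIGNATURE)
    if pos < 0:
        raise ValueError("not a ZIP/APK: no end-of-central-directory record")
    return pos


def has_v2_signing_block(data: bytes) -> bool:
    """A v2-signed APK carries its signing block immediately before the central directory.
    The directory start is derived from the EOCD position (eocd - cd_size) instead of the
    stored offset, so bytes inserted ahead of the first entry do not disturb the check."""
    eocd = find_eocd(data)
    cd_size = struct.unpack_from("<I", data, eocd + 12)[0]
    cd_start = eocd - cd_size
    return cd_start >= 16 and data[cd_start - 16:cd_start] == APK_SIG_BLOCK_MAGIC


def has_foreign_prefix(data: bytes) -> bool:
    """True when something other than a ZIP local file header sits at offset 0."""
    return not data.startswith(ZIP_LOCAL_HEADER)


def v1_entry_digests(data: bytes) -> dict:
    """What v1 actually covers: one digest per ZIP entry (the values MANIFEST.MF lists),
    nothing about the container around the entries."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name: hashlib.sha256(zf.read(name)).hexdigest() for name in zf.namelist()}


def triage(data: bytes) -> dict:
    return {"v2_block": has_v2_signing_block(data), "foreign_prefix": has_foreign_prefix(data)}


def build_sample_apk(with_v2_block: bool = False) -> bytes:
    """Constructed sample package; the optional signing block has the right framing but dummy
    contents, so it is only useful for exercising the layout checks above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00constructed-dex-body")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\r\n")
    data = buf.getvalue()
    if not with_v2_block:
        return data
    eocd = find_eocd(data)
    cd_off = struct.unpack_from("<I", data, eocd + 16)[0]
    value = b"dummy"
    pair = struct.pack("<QI", 4 + len(value), V2_BLOCK_ID) + value  # length covers id + value
    size = len(pair) + 8 + 16                                        # excludes the leading size field
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    # Insert the block before the central directory and point the EOCD at the shifted directory.
    patched_eocd = data[eocd:eocd + 16] + struct.pack("<I", cd_off + len(block)) + data[eocd + 20:]
    return data[:cd_off] + block + data[cd_off:eocd] + patched_eocd
```

An APK that reports no v2 block and a foreign prefix is the combination worth flagging on devices that still accept v1-only packages.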

#ISA_informs

#ISA_ltd 


Predictions for 2018: Cyberthreats in the banking sector

Knowing what the future holds for you or your organisation allows you to prepare specifically for the challenges ahead. In cybersecurity, threats seem to evolve every year. For instance, 2017 witnessed a series of ransomware outbreaks such as WannaCry and NotPetya.

The most devastating among them was WannaCry. WannaCry relied on EternalBlue to infect thousands of corporate servers running a vulnerable version of Microsoft’s Server Message Block (SMB) protocol.

As we gradually move into a new year, companies have strong ambitions to improve and secure their data infrastructure against automated ransomware and the like. On the flip side, cybercriminals are in the business of developing more advanced and subtle forms of attack to get past your firewalls, DNSSEC and the other security perimeters on your network.

Our security engineers researched and analyzed two major potential threats that companies, and even start-ups, might encounter in 2018. Some of these threats might come to pass because of certain changes developers and security engineers aim to implement to minimize cybercrime.

  • Fraud-as-a-Service model: Similar to how your organisation purchases third-party software for specific tasks, cybercriminals such as script kiddies and those in need of a quick cash-out purchase Trojans and customized ransomware on the deep web. Thus, don’t expect cybercriminals to waste hours searching for flaws in your systems with scanners. Fraud-as-a-Service is an advanced form of phishing attack likely to become widespread in 2017.
  • Malicious web mining: Hackers have recently discovered a new way of profiting from a vulnerable website or web portal. Have you heard of crypto mining? Crypto mining simply means earning new cryptocoins by means of lengthy and complex calculations. Malicious miners do not encrypt user data or other essentials; instead they consume victims’ computing power and electricity. Beyond that, hackers do not even need to infect websites or web portals with malware: they upload scripts to a vulnerable website that force visitors’ computers to mine money straight into the attackers’ cryptowallet.

Stay alert and fix any vulnerable spots before 2018 arrives!!!

#ISA_informs

#ISA_ltd 


Application Threat Model: Proxy Attacks and Prevention

Now it’s time to turn our attention to proxy attacks. Before we delve into proxy attacks and prevention methods, let’s clear up the difference between a reverse proxy and a forward proxy.

Reverse Proxy: usually placed between clients and a web server. It receives the initial HTTP connection requests, acting as if it were the actual endpoint (the web server). The reverse proxy serves as a gateway between users and the application web server.

Forward Proxy: also usually sits between clients and a web server, but unlike a reverse proxy it regulates outbound traffic according to preset policies. In addition, it hides the client’s IP address and blocks malicious traffic.

In this article we look at how attackers target reverse proxies and how developers and application security engineers can make it difficult for them to achieve their malicious aims. The following are common types of attacks against reverse proxies:

  • Cache Poisoning
  • HTTP Response Splitting
  • Cross-User Defacement

Let’s briefly examine how cache poisoning works.

Cache Poisoning: Cache poisoning is possible because of web content caching.

Caching web content improves performance on both the server side and the client side (i.e. the user’s side). However, the HTTP caching mechanism performs integrity checks on the server side only. This specific flaw allows cache poisoning.

  • Attackers search for and exploit flaws in the code that allow them to place illegitimate headers in the HTTP header fields.
  • Attackers remove legitimate cached content from the cache server.
  • The attacker sends a specially crafted request to the cache server.
  • Users requesting commonly retrieved content receive the malicious content until the cache entry is flushed.
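An added example (not the post’s own code) of the header-injection point the list describes: a redirect handler that copies a request value into the Location header, shown beside a hardened version that refuses control characters, plus a helper that counts how many HTTP responses an intermediary cache would see in the resulting bytes. The crafted value used in the test is constructed for illustration.

```python
import re

# Printable ASCII plus SP/HTAB: roughly the field-content grammar of RFC 7230. Anything else
# (CR, LF, NUL, other control bytes) has no business inside a header value.
_HEADER_VALUE_OK = re.compile(r"^[\t \x21-\x7e]*$")


def is_safe_header_value(value: str) -> bool:
    return bool(_HEADER_VALUE_OK.match(value))


def build_redirect_vulnerable(target: str) -> bytes:
    """Vulnerable: a value taken from the request is concatenated straight into the Location header.
    A CR LF pair inside it terminates the header and lets the sender append further headers or a
    second, complete response, which a cache in front of the server may store under the original URL."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode()


def build_redirect_safe(target: str) -> bytes:
    """Hardened: validate the value before it becomes part of a header, and refuse it otherwise."""
    if not is_safe_header_value(target):
        raise ValueError("header value contains control characters")
    return build_redirect_vulnerable(target)


def safe_redirect_or_none(target: str):
    """Convenience wrapper for callers that prefer a None result to an exception."""
    try:
        return build_redirect_safe(target)
    except ValueError:
        return None


def count_message_heads(raw: bytes) -> int:
    """How many HTTP message heads an intermediary would see in this byte stream
    (a correctly built redirect yields exactly one)."""
    return sum(1 for line in raw.split(b"\r\n") if line.startswith(b"HTTP/1."))
```

Most current frameworks refuse CR and LF in header values at the API level; the check matters wherever code writes raw responses or sits behind an older stack.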

Preventing Cache Poisoning:

  • Make use of DNSSEC: DNS Security Extensions (DNSSEC) are a set of Internet Engineering Task Force standards created to address vulnerabilities in the Domain Name System (DNS) and protect it from online threats.
  • Limit the number of recursive queries to the DNS.

#ISA_informs

#ISA_ltd


FIVE LESSONS GLEANED FROM ONEPLUS DEVICE ROOT EXPLOIT

Many mobile devices manufactured under the OnePlus brand by China’s BBK Electronics are vulnerable to compromise via a factory-installed app called EngineerMode, which acts as a backdoor providing root access to affected devices.

A factory app is an app that is developed and pre-installed by mobile carriers and OEMs.

At this time, the exploit is useful to an attacker with physical access to a OnePlus device, or to an owner who intends to bypass the security limitations set by OnePlus in order to gain privileged access.

OnePlus develops its own customized version of the Android operating system, called OxygenOS, for its branded devices. OnePlus mistakenly left behind a diagnostic app, EngineerMode, used to test production builds of the OxygenOS operating system.

Unfortunately, OnePlus left behind a system-signed .apk and a native library containing a SHA256 hash of the password, which was easily reversed.

Since the OnePlus root exploit incident, our security engineers came together and outlined five practical lessons mobile users can take to heart in order to protect themselves from mobile vulnerabilities and root exploits.

  • Don’t trust OEMs or mobile device carriers. Hire an Android security researcher to assess your device if you can afford it.

OEM stands for Original Equipment Manufacturer: a company that produces parts and equipment that may be marketed by another manufacturer. A mobile carrier is a service provider that supplies connectivity services to mobile phone and tablet subscribers.

  • Avoid side-loading mobile applications and be extra careful when downloading apps from the Google Play store.
  • Always have an effective mobile anti-virus solution installed on your mobile device.

An effective mobile anti-virus solution makes it difficult for hidden malware apps to carry out their malicious aims. However, mobile anti-virus is not a complete solution to malware eradication.

  • For Android users, uncheck “install from other or unknown sources” in the device administration settings.
  • Finally, hope that none of the pre-installed applications on your device have a backdoor embedded.

#ISA_informs

#ISA_ltd 


Application Threat Model: Protecting User’s Account

Last week, we began the first major part of the Application Threat Model series for web/mobile developers, security engineers and other stakeholders interested in securing data and protecting sensitive resources from hackers.

We briefly emphasized how web/mobile developers can secure the login page and make it difficult for attackers to bypass authentication. Securing the login page is the first and most important step for every company interested in creating an effective and practical application threat model.

We then outlined common attacks, such as SQL injection, that attackers may rely on to bypass the authentication put in place by application security engineers and web/mobile developers.

Furthermore, we suggested a limited set of solutions developers can use to make it difficult for attackers to bypass authentication.

This week we throw light on how developers, security engineers and CIOs can create an effective and practical threat model template for web/mobile applications. This is a continuation of the application threat model series.

Importance of Protecting User’s Account

Developers and security engineers need to attach a great deal of importance to user accounts on web/mobile portals. When a user’s account is compromised, it damages the business’s reputation.

How then can developers and security engineers secure user accounts? Below is an example of a less common attack hackers can use to compromise user accounts on the client side.

  • IDOR attacks

There are many other attacks apart from IDOR. However, we will focus only on Insecure Direct Object Reference for now.

IDOR Attacks:

Insecure Direct Object Reference allows attackers to manipulate references in order to gain access to unauthorized data. It is impossible to say in general what the impact of IDOR is, as it varies. Depending on what kind of data or file the attacker gets hold of, they may be able to manipulate a user’s balance sheet, transfer money from a user’s account and so on.

Solution:

We strongly recommend that developers check access before using a direct object reference from an untrusted source. The user must be authorized for the requested information before the server provides it.
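An added example (not the post’s own code) of that recommendation: an invoice lookup that uses the id from the request directly, beside the hardened version in which ownership is checked as part of the query and the owner comes from the authenticated session. The SQLite table, customer ids and invoice numbers are constructed sample data.

```python
import sqlite3


class AccessDenied(Exception):
    """Raised for both 'does not exist' and 'not yours', so responses do not reveal which ids exist."""


def make_db() -> sqlite3.Connection:
    """Constructed sample store: customer 7 owns invoices 1001 and 1002, customer 9 owns 1003."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, amount REAL NOT NULL)"
    )
    con.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1001, 7, 120.0), (1002, 7, 80.5), (1003, 9, 999.0)],
    )
    return con


def get_invoice_vulnerable(con, session_user_id: int, invoice_id: int) -> tuple:
    """IDOR: the id from the request selects the row; the logged-in user is never consulted,
    so any authenticated user can read any invoice by changing the number in the URL."""
    row = con.execute(
        "SELECT id, owner_id, amount FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()
    if row is None:
        raise AccessDenied(f"invoice {invoice_id} not available to user {session_user_id}")
    return row


def get_invoice_safe(con, session_user_id: int, invoice_id: int) -> tuple:
    """Access check before the reference is used: ownership is part of the query itself, and the
    owner id comes from the authenticated session, never from the request."""
    row = con.execute(
        "SELECT id, owner_id, amount FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, session_user_id),
    ).fetchone()
    if row is None:
        raise AccessDenied(f"invoice {invoice_id} not available to user {session_user_id}")
    return row


def can_read(con, handler, session_user_id: int, invoice_id: int) -> bool:
    """Probe helper: does this handler hand the invoice to this user?"""
    try:
        handler(con, session_user_id, invoice_id)
        return True
    except AccessDenied:
        return False
```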

This is just a brief illustration of how developers and security engineers can rely on an application threat model template to predict the types of attack attackers may use against web/mobile applications, and how to secure applications against them.

You can research ahead to find out about other attacks against user’s accounts.

Next week, we shall move on to the next part of our application threat model series, focusing on proxy and code logic attacks. Thanks!

#ISA_informs 

#ISA_ltd 


Application Threat Model Series [Part 1] : Securing the Main Entry

This week we focus on how companies can generate an effective application threat model to secure web applications facing the internet. A threat model simply describes how a web application could be attacked, from an attacker’s perspective. For the first part of this series, we start from the client side, placing emphasis on the main entry to the web application: the login page.

In a real-world scenario, anybody seeking to protect their resources focuses on the main entrance. Likewise, web developers interested in securing users’ data from attackers focus on the login page first. Attackers target the login page of a web application with the following attacks:

  • SQL Injection
  • Brute Force (or Password Guessing Attacks)
  • Default Password
  • Phishing
  • User-name Enumeration

Five Steps to Secure Your Login Page

  • To prevent SQL injection, advise your developers to use prepared statements with parameterized queries.
  • To prevent brute forcing, lock out accounts after a defined number of incorrect password attempts, and unlock them again after a specified duration. In addition, include a complex CAPTCHA to make it difficult for attackers to brute force the login page by automated means.
  • Don’t dare use default passwords. It is basic wisdom not to do so.
  • To prevent phishing, run a daily or monthly awareness programme on the dangers of web phishing attacks. Phishing attacks are difficult and tricky to escape, which is why we run a programme dedicated to phishing attacks and their prevention. You can contact us on our website for further details.
  • To prevent user-name enumeration, stop attackers from probing your site to learn whether a user-name exists. One way is to let users sign up and log in with email addresses instead of usernames. Allowing user-name enumeration makes it easy for attackers to mount brute-force attacks.

Although these steps help secure a web application against the attacks mentioned above, there are other ways attackers could bypass web authentication. Thus, we suggest that developers also put detection measures in place to capture or log malicious attempts.

Logging malicious attempts lets you know which techniques attackers tried in order to bypass your login page, and how you can secure your web application against such attacks.
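An added example (not the post’s own code) that puts the steps above into one login handler: a parameterized lookup, lockout after a set number of failures that lifts after a set duration, one identical failure message for unknown accounts, wrong passwords and locked accounts so that nothing is enumerable, and a warning log line for every failed attempt. The CAPTCHA step is left out. The user table, the account, the password and the client IP are constructed sample data, and `now` is passed in so the lockout window can be exercised.

```python
import hashlib
import hmac
import logging
import os
import sqlite3

MAX_ATTEMPTS = 5            # wrong passwords before the account locks
LOCKOUT_SECONDS = 900       # the lock lifts by itself after this long
PBKDF2_ROUNDS = 100_000
# One message for "no such account", "wrong password" and "account locked": the response
# never tells a prober whether an address is registered.
GENERIC_FAILURE = "Invalid email or password"

log = logging.getLogger("login")


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_db() -> sqlite3.Connection:
    """Constructed sample user table with a single account."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL,"
        " failures INTEGER NOT NULL DEFAULT 0, locked_until REAL NOT NULL DEFAULT 0)"
    )
    salt = os.urandom(16)
    con.execute(
        "INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)",
        ("alice@example.com", salt, hash_password("correct horse", salt)),
    )
    return con


def login(con, email: str, password: str, now: float, client_ip: str = "203.0.113.5"):
    """Return (success, message). `now` is the current time in seconds, injected for testing."""
    # Parameterized query: the email is bound as data, never spliced into the SQL text.
    row = con.execute(
        "SELECT salt, pw_hash, failures, locked_until FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        hash_password(password, bytes(16))  # same work as for a real account, so timing stays uniform
        log.warning("failed login for unknown account %r from %s", email, client_ip)
        return False, GENERIC_FAILURE
    salt, pw_hash, failures, locked_until = row
    if now < locked_until:
        log.warning("login attempt on locked account %r from %s", email, client_ip)
        return False, GENERIC_FAILURE
    if locked_until:
        failures = 0  # a previous lock has expired: the account gets a fresh allowance
    if hmac.compare_digest(hash_password(password, salt), pw_hash):
        con.execute("UPDATE users SET failures = 0, locked_until = 0 WHERE email = ?", (email,))
        return True, "Welcome"
    failures += 1
    locked_until = now + LOCKOUT_SECONDS if failures >= MAX_ATTEMPTS else 0
    con.execute(
        "UPDATE users SET failures = ?, locked_until = ? WHERE email = ?",
        (failures, locked_until, email),
    )
    log.warning("failed login for %r from %s (failure %d of %d)", email, client_ip, failures, MAX_ATTEMPTS)
    return False, GENERIC_FAILURE
```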

In the next post in this series, we shall focus on attacks against user accounts and how developers and application security engineers can make it difficult for malicious users to access them.

#ISA_info

#ISA_ltd 


CYBER-SECURITY: PROTECTING YOUR BUSINESS

Cyber is the characteristic of the culture of computers, information technology and virtual reality. Without security, information technology and virtual reality cannot exist.
Cybersecurity has taken the world by storm. Though it has existed for years, some parts of the world are only now experiencing the heat that comes with cyber attacks and need to put security in place to protect vital information.

What is Cybersecurity?

It is the protection of networks, computers, programs and data from attack, damage or unauthorized access, through processes and best practices.

Security includes both cybersecurity and physical security. Best practices and processes should not be confused with the daily norms of a company, such as coming to work on time and achieving goals for the day, week, month or year.

For security professionals, the threat landscape is becoming unwieldy. What strategies can they use to gain control?

Security professionals have a laundry list of to-dos in an increasingly sophisticated threat environment: bots and ransomware on the rampage, new devices to protect, insider threats and leaks. Protecting your business is more than a full-time job.

A business will come crumbling down if proper processes and best practices are not put in place to safeguard its data. The old ways of securing the network perimeter have to stop, and a modern lens of cybersecurity should be put on.

Solid threat intelligence plans to smoke out the risks around mobile and IoT-connected devices, as well as securing cloud-based files and apps, should be given maximum attention.

A 2016 Ponemon Institute survey of nearly 400 respondents and companies indicated that a data breach could cost an enterprise $4 million a year.

The same study indicated attacks have become 29% more costly since 2013. “With security professionals having all kinds of assets outside the firewall: clouds, mobile and remote workers, traditional perimeter-based security alone won’t cut it anymore,” says Dmitri Alperovitch, co-founder and chief technology officer at CrowdStrike Inc.

Security, as we know, is never 100%, but even if the attackers are apt, security professionals should not make it easy for their systems to be breached.

Jerry Amarteifio, System Security Engineer

#ISA_informs

#ISA_ltd 


Bad Rabbit Ransomware on the Rise!!!

This year the infosec industry has witnessed a series of ransomware outbreaks such as Petya and WannaCry. This class of ransomware hit corporate companies with unpatched systems hard, and companies spent billions resolving affected systems. Now there is another ransomware, known as Bad Rabbit, affecting those who visit phished websites packed with a fake Adobe Flash installer, as well as those who have downloaded fake Adobe Flash installers from websites infected by the attackers behind Bad Rabbit.

Unlike Petya and WannaCry, Bad Rabbit does not rely on vulnerabilities to infect victims. Instead it relies on the victim’s inability to tell whether the Adobe Flash installer is a legitimate one or a phished one. Thus, Bad Rabbit’s method of attacking victims is not as complex as Petya’s or WannaCry’s.

The criminals behind the Bad Rabbit attack are demanding 0.05 bitcoin as ransom from affected websites, companies and Adobe Flash users. 0.05 bitcoin is $280 at the current exchange rate.

But it is possible to avoid Bad Rabbit. We have gathered three tried and tested ways to help companies, website owners and Adobe Flash users escape Bad Rabbit infection.

THREE WAYS TO AVOID PAYING $280

  • Back up your data. And back it up well.
  • For companies with a wider network, turn off your WMI service to prevent the malware from spreading.
  • Block the execution of the files c:\windows\infpub.dat and c:\Windows\cscc.dat.
  • Finally, don’t pay the ransom if you have applied the above three solutions.

#ISA_informs

#ISA_ltd 


How to Use Google Dorks to Find IDOR EndPoints

Most security researchers focus on flaws such as SQL injection, cross-site scripting, cross-site request forgery, weak encryption and so on. The flaws mentioned above are quite easy to exploit. However, there is one particular flaw that can help security researchers chain one flaw to another.

This article shows security researchers how to use Google dorks to find IDOR endpoints on mobile and web applications.

A Google dork is a query or search string that uses advanced search operators to find information that is not readily available on a mobile or web application. The mechanism of a Google dork is somewhat similar to how a regular expression works: both rely on custom search operators to get the job done. *Please note: Google dorks are not regex.*

Mind you, Google dorks are not only for pentesters or security researchers. Terrorists could use the same search operators to find subtle information on the internet. Thus, Google dorks have pros and cons.

Below is an example of a Google dork query that searches for banking sites located in Ghana. The following query simply looks for banks in Ghana whose domains end with “.com.gh”.

site:.com.gh inurl:"bank"

Now let’s see how Google dorks can help security researchers search for IDOR endpoints on web or mobile applications.

IDOR stands for Insecure Direct Object Reference. A web or mobile application vulnerable to IDOR attacks could allow an attacker to access other users’ accounts through his own account, reset other users’ passwords, delete other users’ accounts and so on, by manipulating or supplying a userid or gid.

If you have a reasonable knowledge of object-oriented programming, you should have a clear idea of what IDOR attacks are. A typical endpoint of this kind looks like this:

www.test.com/getuser?id=123456

Endpoints such as password_settings, reset_password, account_settings and login could be vulnerable to IDOR. Now let’s briefly find out how we can use Google dorks to find one or two IDOR endpoints.

site:.com.gh inurl:"login"

The above search query will display login endpoints of several web and mobile portals. If you want to make it more specific, you can include another search operator such as “intext”. The following Google dork tells Google to search for banks in Ghana with login endpoints.

site:.com.gh inurl:"login" intext:"Bank"

This search query shows web and mobile portals with a password settings endpoint.

site:.com.gh inurl:"password"

Google immediately displays login endpoints of several banks in Ghana. The next step is to find a proxy of your choice. I recommend Burp Suite for web and mobile, or Charles Proxy for mobile. Finally, intercept and manipulate the userids of outgoing requests.

The above examples show that Google dorking is not just another information-gathering tool; it can also be used to find specific endpoints on which to attempt IDOR attacks.
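An added example (not from the post) of the server-side answer to a getuser?id=123456 endpoint: a per-session indirect reference map, so the request carries an opaque token instead of a userid and a number swapped into an intercepted request resolves to nothing. USERS, VISIBLE_IDS and the session names are constructed sample data.

```python
import secrets

# Constructed sample: the user records behind getuser, and which ids each logged-in session may view.
USERS = {123456: {"name": "Ama"}, 123457: {"name": "Kofi"}, 123458: {"name": "Esi"}}
VISIBLE_IDS = {"session-ama": {123456}, "session-kofi": {123457, 123458}}


class ReferenceMap:
    """Per-session indirect references. Pages hand the client an opaque token instead of the raw
    user id, and a token is only valid for the session it was issued to: a token copied from one
    account, or a guessed number, resolves to nothing in another session."""

    def __init__(self):
        self._tokens = {}  # session -> {token: user_id}

    def expose(self, session: str, user_id: int) -> str:
        """Issue (or reuse) the token this session uses to refer to user_id."""
        if user_id not in VISIBLE_IDS.get(session, set()):
            raise PermissionError("object not visible to this session")
        table = self._tokens.setdefault(session, {})
        for token, uid in table.items():
            if uid == user_id:
                return token
        token = secrets.token_urlsafe(16)
        table[token] = user_id
        return token

    def resolve(self, session: str, token: str) -> int:
        try:
            return self._tokens[session][token]
        except KeyError:
            raise PermissionError("unknown reference for this session") from None


def get_user(refmap: ReferenceMap, session: str, ref: str):
    """Replacement for /getuser?id=<number>: /getuser?ref=<token>. Returns the record or None."""
    try:
        return USERS[refmap.resolve(session, ref)]
    except PermissionError:
        return None


def can_expose(refmap: ReferenceMap, session: str, user_id: int) -> bool:
    """Probe helper: will this session be given a reference to user_id at all?"""
    try:
        refmap.expose(session, user_id)
        return True
    except PermissionError:
        return False
```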

#ISA_informs

#ISA_ltd