
Saturday, 4 November 2017

KRACK Attack: 41% of Android Devices Affected And Easy To Hack

The website krackattacks.com is now live and provides details on the recently known WPA2 exploit proof-of-concept known as KRACK (Key Reinstallation Attack).
The KRACK attack works on all modern protected WiFi networks, against both WPA1 and WPA2, and against cipher suites including WPA-TKIP, AES-CCMP, and GCMP. The list of products affected by some variant of the attack includes Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and more.
It can allow attackers to steal information such as credit cards, passwords, chat messages, email, photos, etc. An attacker might also be able to inject and manipulate data.
While almost every supported device and OS is at risk of being attacked, it appears some operating systems could suffer far worse consequences, namely Android and Linux. wpa_supplicant is the WiFi client commonly used on Linux and Android (6.0 and above).
“Our attack is especially catastrophic against version 2.4 and above of wpa_supplicant, a Wi-Fi client commonly used on Linux,” wrote the researcher Mathy Vanhoef on the website. He found the vulnerabilities accidentally while he was working on another paper.
Around 41% of Android devices are affected due to a devastating attack vector variant developed by the researcher, which makes it “trivial to intercept and manipulate traffic sent by these Linux and Android devices.”
Sadly, we still don’t have WPA3, but any possible fix for the KRACK attack would be backward-compatible with previous WPA implementations. And contrary to what one might assume, changing passwords won’t help beyond giving peace of mind. Vanhoef suggests a more rigorous inspection of the security protocols to deal with such problems.
Various vendors were notified about the problem as early as July, so we can expect updates for end-user devices, if not networking hardware. In fact, according to Vanhoef, access points and routers might not require security updates, as the attack primarily targets clients.
For routers, he suggests disabling functionalities such as client mode and 802.11r (fast roaming). Home users are advised to update their WiFi-compatible devices, including computers and smartphones.
You can read about the KRACK attack in detail on the website.

Hack These Apps And Earn $1,000 — Bug Bounty Program Launched By Google And HackerOne

Google has announced a bug bounty program called ‘Google Play Security Reward Program’ to detect flaws in Android apps. Security experts have the chance to win $1,000 by finding vulnerabilities in the apps included in the program.
When a hacker finds a vulnerability in an app, they have to report it to the app developer. Once the issue is resolved, the hacker can claim the monetary reward from Google. Only the hacker who reports a bug first is rewarded, and duplicates are not encouraged. However, the program is limited to remote-code-execution vulnerabilities, i.e., any execution of code that occurs without the user’s permission, such as phishing attacks or monetary transactions through UI manipulation.
Google has only invited developers who have expressed interest in fixing bugs, so the apps under the program are few. All apps developed by Google are under this program.
Moreover, eight popular apps included in the bug bounty program are Line, Dropbox, Alibaba, Duolingo, Headspace, Mail.Ru, Snapchat, and Tinder. More apps might be added to the list upon developers’ consent. Interested developers have to contact their Google Play partner manager to opt in.
Earlier, Google had successfully hosted bug bounty programs for its Pixel devices, websites, Chrome browser, and Chrome OS. Do you think these programs will address Android’s security issues? Share your views in the comments.

Anti Ransomware Feature Introduced In Windows 10 With Fall Creators Update

With the rise of ransomware attacks like WannaCry, Petya, and Bad Rabbit, the Windows 10 Fall Creators Update has brought “Controlled Folder Access,” which can stop ransomware on a computer by blocking unauthorized access to folders.
Controlled Folder Access comes as a part of Windows Defender Exploit Guard and, when enabled, blocks malicious executable files, scripts, and DLLs from accessing protected folders. When a blacklisted program attempts to open or change protected folders and the files therein, the user is notified of the unauthorized access.
The new ransomware protection feature is enabled by default for common folders in C:/users/public. Users can add additional folders to block access to them. You can also specify trusted applications that will be whitelisted to access your protected folders without asking for permission.
Moreover, the new ransomware protection feature comes with an audit mode that lets you simulate the conditions when Controlled Folder Access is enabled without actually enabling it. Administrators can use this to view the event log and see the impact it will have on their organization.
“Ransomware attacks grow more and more sophisticated every day. To keep you safe, we are continually improving Windows to protect against ransomware and other threats. Windows 10 is the safest version of Windows yet. Controlled folder access is designed to help reduce the risk of ransomware attacks, keeping your user and businesses data safe,” says Tanmay Ganacharya, Principal Group Manager at Windows Defender Research.
Users can enable Controlled Folder Access through the Windows Defender Security Center application in Windows 10 by opening the Virus & Threat Protection settings. A click on a toggle button activates Controlled Folder Access. Users in enterprise environments can also activate it from PowerShell, Group Policy, or configuration service providers for MDM.
Although this feature can prevent ransomware from taking over your data, it adds a layer of protection only to your files. It is advisable to use updated anti-virus protection and to stay informed about such threats in order to take the necessary precautions.

Bad Rabbit Ransomware Uses NSA’s “EternalRomance” Exploit, Petya Connection Also Found

Earlier this week, a new, wide-scale ransomware campaign was spotted by security solution firms. Named Bad Rabbit, this malware is spreading as a disguised Adobe Flash Player installer. After installation, the victim’s files are encrypted and the victim is asked to pay a ransom.
As per Cisco Talos, Bad Rabbit appears to be based on Nyetya, a DoublePulsar-backdoor-based malware that is itself based on the well-known Petya ransomware. As per the findings, major portions of Bad Rabbit’s code have also been rewritten.
Early reports suggested that no NSA-developed exploits were used in this attack. However, Talos suggests that Bad Rabbit uses an exploit named EternalRomance to bypass security over SMB file-sharing connections. The exploit was published in the ShadowBrokers leak. It’s worth noting that Microsoft patched the exploit in March.
The EternalRomance implementation overwrites a kernel session’s security context and enables an attacker to launch remote services. It also allows arbitrary data read/write in kernel memory.
It has also been found that the build toolchain for Bad Rabbit is very similar to Nyetya’s. The evasion techniques in Nyetya and Bad Rabbit also show a similarly advanced understanding of the exploits used.
It’s worth noting that the notorious WannaCry ransomware was the first malware attack that used NSA’s EternalBlue exploit. It was followed by the NotPetya ransomware, which used both the EternalBlue and EternalRomance exploits.
You can read the detailed findings by Cisco Talos in their blog post.
Did you find this update on Bad Rabbit ransomware helpful? Don’t forget to share your views with us.

Your Windows Login Details Can Be Stolen By Hackers Without User Interaction

From time to time, security researchers remind us that the Windows operating system is full of loopholes that can be exploited by hackers to steal our data. One such vulnerability was patched by Redmond in a recent Patch Tuesday.
This patch deals with a dangerous attack that could help an attacker steal Windows NTLM password hashes remotely and freeze the vulnerable machine.
It’s worth noting that the issues related to Microsoft’s NTLM architecture are widely known. However, exploiting them usually demands user intervention or traffic interception. In the latest attack vector, no user interaction is required, and the task is completed remotely.
To carry out this Windows NTLM attack, the attacker needs to put a malicious SCF file in a publicly shared Windows folder. Having a public folder with no password protection is common in almost all Windows environments.
Once that is done, a mysterious bug helps the attacker collect the target’s NTLM password hash and upload it to a pre-configured server. Many free tools are available that could later be used to crack the hashes and gain access to the computer.
This Windows NTLM attack was exposed by Juan Diego, a Colombia-based security researcher. He reported the issue to Microsoft back in April, and it was patched after 148 days in the form of security advisory ADV170014.
To patch this flaw, Microsoft has changed two registry keys to disable NTLM on the system. However, as these keys are available only on Windows 10 and Windows Server 2016, these are the only versions being patched.
It should also be highlighted that the root cause of the attack remains unexplained. Talking to Bleeping Computer, Diego said that Microsoft has been very secretive about the underlying trigger.
Users are advised to apply this patch, as it’s expected to fix other pass-the-hash exploits as well. Also, don’t share folders without passwords; it’s not worth the risk.
Did you find this story on the Windows NTLM attack and its exploitation helpful? Don’t forget to share your views with us.

What Is The Difference Between Google Chrome And Chromium Browser?

Short Bytes: Google Chrome is a web browser developed and maintained by tech giant Google. Chrome uses the open source web browser Chromium’s source code and adds a bunch of features developed by Google and some nonfree components.
Chromium is an open-source web browser developed and maintained by The Chromium Project. The rolling-release browser was first introduced in 2008, and its different parts are released under different free software licenses, including the BSD License (for the portion written by Google) and the MIT License, LGPL, etc. for other portions.
Google Chrome, also released in 2008, is a proprietary web browser developed and maintained by Google. The reason Chrome and Chromium are tied to each other is that Chrome borrows Chromium’s source code. You can tell Chrome and Chromium apart by their logos: Chrome’s is colorful and Chromium’s is blue. However, that’s not the only difference between Chrome and Chromium.

Difference between Chrome and Chromium:

Automatic Updates

Chrome uses GoogleUpdate on Windows (GoogleSoftwareUpdateAgent and GoogleSoftwareUpdateDaemon on Mac) to automatically update to the latest version. It is not available for Chromium. On some Linux distributions, updates are made available via package repositories. Google Update is also used for other applications like Google Earth.

Usage tracking and crash reporting

Unlike Chromium, Google has added crash reporting and “send usage statistics” options. Chrome sends data to Google servers. It includes general data like information about your device and OS, Chrome settings, visited websites that host malware, search queries, etc. This allows Google to provide suggestions, results, and ads that are relevant to you.
Crash reporting and usage tracking can be disabled from Chrome’s settings.

Chrome Web Store

On Google Chrome, the ability to add extensions from outside the Chrome Web Store is disabled on all Windows and Mac channels. However, extensions can still be added via developer mode.

Media Codec support

Chromium’s HTML5 audio/video codec support is limited to non-proprietary codecs like Theora, Vorbis, WebM, VP9, etc. Chrome adds support for some non-free codecs like AAC, MP3, and H.264 (now free).

Non-optional tracking

The Google Chrome installer includes a randomly generated token. The token is sent to Google after the installation completes in order to measure the success rate.
Google also uses the RLZ identifier to track a user during Google searches and when using the address bar. The RLZ identifier stores information – in the form of encoded strings – like the source of the Chrome download and the installation week. It doesn’t include any personal information, and it’s used to measure the effectiveness of a promotional campaign. Chrome downloaded from Google’s website doesn’t have the RLZ identifier. The source code to decode the strings has been made open by Google.

Sandbox

Both Chrome and Chromium have Sandbox support. It is always enabled in the case of Google Chrome. For Chromium, some Linux distributions may disable the Sandbox feature.

Adobe Flash Plugin

This difference between Chrome and Chromium doesn’t matter much, though, as Adobe Flash is being phased out in favor of the newer HTML5. Google Chrome supports a Pepper API version of Adobe Flash, which gets updated automatically with Chrome. Since it’s not open source, Chromium doesn’t support it out of the box the way Google Chrome does.

Chrome Vs Chromium: Which one is better?

It’s hard to decide between the open source Chromium and the feature-rich Google Chrome. On Windows, it is better to use Google Chrome, as Chromium doesn’t come as a stable release. The same applies to MacOS.
In the case of Linux, known for its love of free and open source software, Chromium might be the better option. But you’ll have to live with the fact that it doesn’t update automatically and lacks the Adobe Flash plugin and other media codecs. However, various Linux distributions may offer a modified Chromium that adds the missing features. In fact, Chromium is now being considered as the default web browser in many distros, in place of Mozilla Firefox.
Google Chrome is also available for Linux and it is a good option if you are fine with some closed source cheese spread on your open bread.

Download Chrome and Chromium

You can download Chrome from the official download page provided by Google using this link:
Supported platforms: Windows, MacOS, Linux, Android, iOS
You can download Chromium using this official download page:
Supported Platforms: Windows, Mac, Linux, Android

Beware Of Fake WhatsApp Apps On Play Store — Millions Have Already Downloaded Them

One of the biggest differences between the Android and iOS ecosystems, when it comes to security, is the level of scrutiny applications face before being listed on their app stores. While Google continues to take steps like Play Protect to improve in this department, the Play Store is brimming with fake apps.
On the Play Store, there are tons of apps whose developers employ foul practices to gain downloads. One particular app, named “Update WhatsApp,” mimicked WhatsApp to trick users into believing that they were updating an existing application.
Different users on Reddit and Twitter pointed out that instead of being a chat app, Update WhatsApp was an ad-scraper app that aimed to earn clicks and fraudulent revenue.
Later, according to Motherboard, the app’s developer changed its name to “Dual Whatsweb Update” and changed its icon. Further down the line, the app was removed from Google Play, and the developer account was suspended for violating the policies.
It’s very easy to fall for the fake app. The only difference between the developer name of the real app and that of the fake one is a single Unicode character. On a PC the difference becomes obvious, but Android users become easy targets.
While this particular app might have been removed from the Play Store, a number of other apps continue to exist (see picture at the top). So, users are advised to be more cautious while downloading apps.
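The lookalike developer name described above can be caught mechanically. The following is an added example, not code from the article: it folds a developer name to a canonical form (NFKC, invisible and space-like code points removed, case folded) and flags listings whose name matches a trusted developer only after that folding. The sample listing names and developer strings are constructed for illustration; the trailing non-breaking space and zero-width space are assumed examples of the kind of character the article refers to.

```python
import unicodedata

# Constructed sample data (not taken from the Play Store listings in the article).
TRUSTED_DEVELOPER = "WhatsApp Inc."
SAMPLE_LISTINGS = {
    "WhatsApp Messenger": "WhatsApp Inc.",          # genuine
    "Update WhatsApp": "WhatsApp Inc.\u00a0",       # trailing NO-BREAK SPACE
    "Dual Whatsweb Update": "WhatsApp\u200b Inc.",  # embedded ZERO WIDTH SPACE
    "Chat Tools Ltd": "Chat Tools Ltd",             # unrelated developer
}


def canonical(name: str) -> str:
    """Collapse a developer name to a comparison key.

    NFKC folds compatibility forms (full-width letters, ligatures), then
    format and control code points that render invisibly are dropped, every
    Unicode space separator becomes a plain space, runs of whitespace are
    collapsed, and the result is case-folded.
    """
    folded = unicodedata.normalize("NFKC", name)
    kept = []
    for ch in folded:
        cat = unicodedata.category(ch)
        if cat in ("Cf", "Cc"):     # zero-width joiners/spaces, controls
            continue
        if cat.startswith("Z"):    # Zs/Zl/Zp: any separator, incl. U+00A0
            kept.append(" ")
            continue
        kept.append(ch)
    return " ".join("".join(kept).split()).casefold()


def suspicious_chars(name: str) -> list[str]:
    """Code points in name outside printable ASCII, for an analyst to inspect."""
    return [f"U+{ord(ch):04X}" for ch in name if not 0x20 <= ord(ch) <= 0x7E]


def classify(listing_dev: str, trusted_dev: str = TRUSTED_DEVELOPER) -> str:
    """'exact' for the real developer, 'lookalike' if the names only differ by
    invisible or compatibility characters, otherwise 'different'."""
    if listing_dev == trusted_dev:
        return "exact"
    if canonical(listing_dev) == canonical(trusted_dev):
        return "lookalike"
    return "different"


def scan(listings: dict[str, str]) -> dict[str, str]:
    """Map each app title to its developer-name verdict."""
    return {title: classify(dev) for title, dev in listings.items()}
```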

TorMoil: This Tor Browser Flaw Can Leak Your Real IP Address — Update It Right Now

A critical Tor Browser flaw was recently found by Filippo Cavallarin, CEO of the security firm We Are Segment. Dubbed TorMoil, this flaw can lead to the leakage of users’ real IP address.
For the time being, We Are Segment hasn’t disclosed the complete details of the exploit, as not all users have updated yet. Once a proper fix is available to all users, the details will be shared.
However, we do have some information about TorMoil. Due to a Firefox bug in handling file:// links, it’s possible for Mac and Linux users to compromise their security. It’s worth noting that this flaw doesn’t affect Windows and Mac users.
After clicking on a specially crafted file:// URL, the user could be redirected to a webpage that connects the machine directly to the remote host, bypassing the Tor Browser.
With the help of Mozilla engineers, the Tor team has created a fix, which has patched the leak partially. “We developed an additional fix on Tuesday, October 31, plugging all known holes. We are not aware of this vulnerability being exploited in the wild,” the team added.
If you’re a Tor Browser user on Linux or Mac, you are advised to update your software as soon as possible to prevent the IP address leak. To fix this issue, Tor Browser 7.0.9 has been released for Linux and Mac.
Did you find this story on the Tor Browser flaw helpful? Don’t forget to share your views with us.

5 Hidden Tips and Tricks for Google Chrome On Android

Google Chrome comes as a default browser installed on most Android phones. It is fast, responsive and comes with all the basic features...