Data breaches, phishing, or malware? Understanding the risks of stolen credentials

New research from Google:

In this paper, we present the first longitudinal measurement study of the underground ecosystem fueling credential theft and assess the risk it poses to millions of users. Over the course of March, 2016–March, 2017, we identify 788,000 potential victims of off-the-shelf keyloggers; 12.4 million potential victims of phishing kits; and 1.9 billion usernames and passwords exposed via data breaches and traded on blackmarket forums. Using this dataset, we explore to what degree the stolen passwords—which originate from thousands of online services—enable an attacker to obtain a victim’s valid email credentials—and thus complete control of their online identity due to transitive trust. Drawing upon Google as a case study, we find 7–25% of exposed passwords match a victim’s Google account. For these accounts, we show how hardening authentication mechanisms to include additional risk signals such as a user’s historical geolocations and device profiles helps to mitigate the risk of hijacking. Beyond these risk metrics, we delve into the global reach of the miscreants involved in credential theft and the blackhat tools they rely on. We observe a remarkable lack of external pressure on bad actors, with phishing kit playbooks and keylogger capabilities remaining largely unchanged since the mid-2000s.


Ransomware app hosted in Google Play infects unsuspecting Android user

Ars Technica:

In 2012, Google unveiled a cloud-based scanner dubbed bouncer that was billed as a way for the company to detect malicious apps before they were made available in Play. Five years later, discovery of malicious apps like Charger are a regular occurrence. Google makes little reference to the tool these days.

Android: a new bag of hurt found each week.



The Subtle Ways Your Digital Assistant Might Manipulate You

From Wired:

Amazon’s Echo and Alphabet’s Home cost less than $200 today, and that price will likely drop. So who will pay our butler’s salary, especially as it offers additional services? Advertisers, most likely. Our butler may recommend services and products that further the super-platform’s financial interests, rather than our own interests. By serving its true masters—the platforms—it may distort our view of the market and lead us to services and products that its masters wish to promote.

But the potential harm transcends the search bias issue, which Google is currently defending in Europe. The increase in the super-platform’s economic power can translate into political power. As we increasingly rely on one or two head butlers, the super-platform will learn about our political beliefs and have the power to affect our views and the public debate.

The discussions about algorithmic bias often have an almost science fiction feel to them. But as personal assistant platforms are monetized by platforms by inking deals with advertisers and designing secretive business practices designed to extract value from users, the threat of attitude shaping will become even more important. Why did your assistant recommend a particular route? (Answer: because it took you past businesses the platform owner believes you are predisposed to spend money at.) Why did your assistant present a particular piece of news? (Answer: because the piece in question conformed with your existing views and thus increased time you spent on the site, during which you were exposed to the platform’s associated advertising partners’ content.)

We are shifting to a world where algorithms are functionally what we call magic. A type of magic that can be used to exploit us while we think that algorithmically-designed digital assistants are markedly changing our lives for the better.


1 million Google accounts compromised by Android malware called Gooligan

From Ars Technica:

Researchers say they’ve uncovered a family of Android-based malware that has compromised more than 1 million Google accounts, hundreds of them associated with enterprise users.

Gooligan, as researchers from security firm Check Point Software Technologies have dubbed the malware, has been found in at least 86 apps available in third-party marketplaces. Once installed, it uses a process known as rooting to gain highly privileged system access to devices running version 4 (Ice Cream Sandwich, Jelly Bean, and KitKat) and version 5 (Lollipop) of Google’s Android operating system. Together, the vulnerable versions account for about 74 percent of users.

Update: In a separate blog post also published Wednesday morning, Android security engineer Adrian Ludwig said he and other Google officials have worked closely with Check Point over the past few weeks to investigate Gooligan and to protect users against the threat it poses. He said there’s no evidence data was accessed from compromised accounts or that individual users were targeted. He also said Google has been using a service called Verify Apps to scan individual handsets for signs of Gooligan and other Ghost Push apps. When detected, device owners receive a warning and installations are halted.

“We’ve taken many actions to protect our users and improve the security of the Android ecosystem overall,” Ludwig wrote. “These include: revoking affected users’ Google Account tokens, providing them with clear instructions to sign back in securely, removing apps related to this issue from affected devices, deploying enduring Verify Apps improvements to protect users from these apps in the future and collaborating with ISPs to eliminate this malware altogether.”

While Google is taking this threat seriously – which is a good thing! – there is the problem where handsets shipping without the Google Play Store will remain vulnerable to this and other kinds of malware, unless those other app stores also try to warn users. Even Google’s warning system is, really, some chewing gum to cover up a broader security issue: a huge majority of Android phones have an outdated version of Android installed and will likely never see operating system or security updates. These vulnerabilities will continue, unabated, until Google actually can force updates to its partners. And history says that’s not likely to happen anytime soon.


More than 400 malicious apps infiltrate Google Play

Ars Technica:

One malicious app infected with the so-called DressCode malware had been downloaded from 100,000 to 500,000 times before it was removed from the Google-hosted marketplace, Trend Micro researchers said in a post. Known as Mod GTA 5 for Minecraft PE, it was disguised as a benign game, but included in the code was a component that established a persistent connection with an attacker controlled server. The server then had the ability to bypass so-called network address translation protections that shield individual devices inside a network. Trend Micro has found 3,000 such apps in all, 400 of which were available through Play.

“This malware allows threat actors to infiltrate a user’s network environment,” Thursday’s report stated. “If an infected device connects to an enterprise network, the attacker can either bypass the NAT device to attack the internal server or download sensitive data using the infected device as a springboard.”

BYOD: a great cost-saving policy. Until it leads to an attacker compromising your network and potentially exfiltrating business-vital resources.


Google’s latest IM client, Allo, isn’t ready for prime time

Ars Technica:

It’s no secret that Hangouts was poorly supported inside Google, so will Allo be any different? I’ve heard that Google Hangouts was never given resources because Google felt it would never be a money-maker. In instant messaging, you talk to your friends and send pictures back and forth, and an ad-powered Google service is never involved. With Allo, that changes because the Assistant is a gateway to search. Every question to the Assistant is a Google Search, with in-app answers coming for questions and links to generic Web searches for everything else. With search comes the possibility for ads, both from the generic search links and in the carousels that answers often provide. I’ve yet to see an advertisement inside Allo, but since it seems possible for Allo to make money, maybe it will receive more support than Hangouts did.

Setting aside the basic privacy issues of Google having access to unencrypted, plaintext, chats you have with friends and colleagues, the fact that Google is apparently unwilling to support its own products if they can’t be used to empower Google advertising is just gross. Google has impressively wasted the skills and talents of a generation of developers: imagine what might exist, today, if people were empowered to write software absent the need to data mine everything that is said for advertising purposes?


Google rebuilt a core part of Android to kill the Stagefright vulnerability for good

Google rebuilt a core part of Android to kill the Stagefright vulnerability for good:

Android’s security team patched the initial bug within weeks, but it inspired a wave of new attacks on the way Android processes audio and video files. The first copycat bugs were reported just days after the first patch, with more serious exploits arriving months later. The most recent Android patch report, released today, patches three separate vulnerabilities in Android’s media-processing function, including one critical flaw that could be used for remote code execution.

Now, Android is rebuilding that system from the ground up. When Android 7.0 Nougat began rolling out to phones last month, it came with a rebuilt media playback system, specifically designed to protect against the Stagefright family of attacks. In a post today, Android’s security team revealed new details on exactly how Nougat security has changed and what the team learned from last year’s string of bugs.

The vulnerability is more fully and truly patched! Hurray!

A shame that few users will ever receive an update to the new version of Android, let alone the patches in the previous (version 6) of Android. The best/easiest way for most users to ‘update’ an Android-based mobile phone is to throw their current phone in the trash and buy a new one…and even then, the phone they buy will likely lack recent patches. Heck, they’ll be lucky if it has the most recent operating system!

This stands directly in contrast to iOS. Apple can push out a global patch and there are remarkably high levels of uptake by end-users. Google’s method of working with handset manufacturers and carriers alike puts end-users are greater and greater risk. They’re simply making available dangerous products. They’re behaving worse than Microsoft in the Windows XP days!

New York DA Wants Apple, Google to Roll Back Encryption

New York DA Wants Apple, Google to Roll Back Encryption:

[Manhattan District Attorney Cyrus Vance Jr.] said that law enforcement officials did not need an encryption “backdoor,” sidestepping a concern of computer-security experts and device makers alike.

Instead, Vance said, he only wanted the encryption standards rolled back to the point where the companies themselves can decrypt devices, but police cannot. This situation existed until September 2014, when Apple pushed out iOS 8, which Apple itself cannot decrypt.

“Tim Cook was absolutely right when he told his shareholders that the iPhone changed the world,” Vance said. “It’s changed my world. It’s letting criminals conduct their business with the knowledge we can’t listen to them.”

Vance cited a recording of a telephone call made from New York City’s Riker’s Island jail to an outside line. In the call, a defendant in a sex-crimes case tells a friend about the miraculous powers of the new smartphone operating systems.

“Apple and Google came out with these softwares that can no longer by encrypted by the police,” the defendant allegedly said, mixing up encryption with decryption. “If our phones [are] running on iOS 8 software, they can’t open my phone. That might be another gift from God.”

Correct me if I’m wrong but if you’re able to quote the conversation they had about the encryption of the device, then isn’t it the case that law enforcement can, in fact, listen in to at least some of these supposedly sophisticated criminals? Regardless of their adoption of consumer-grade (i.e. incredibly common) tools and security protocols?

But more to the point: it has never been the case that government agencies have been able to compel, or access, all of the information they might find useful in the course of their investigations. That’s normal. Government agencies enjoyed incredible access to persons’ information for the course of a decade or so, as technology companies matured into firms that took the security and privacy of their customers seriously. Asking for the industry to return to a less-mature state is bad for everyone.

Finally: while domestic agencies might be worried about the situations where they cannot access the data at rest on the device, you can be sure that governmental staff who are abroad are very happy that they can use their devices with the knowledge that even foreign state actors will be challenged in accessing the data at rest which is stored on their smartphones. American (and Canadian) law enforcement agencies are understandably pushing for greater access to information but, by the same token, their success would mean that their compatriots in China, Brazil, France, Israel, and other friendly and unfriendly states would be able to lawfully gain entry to foreign agents’ devices. I’m pretty sure that diplomatic staff and military personel abroad are pleased that such an attack vector has been narrowed by Apple’s actions.