Hackers experiment with Google's Go as a programming language for malware
September 24, 2012
Virus and malware creators say they are now experimenting with Google's Go as a potential programming language for creating malware and viruses.
The Encriyoko Trojan uses components written in Go, a compiled language developed by Google. It first emerged from the company more than three years ago. Once installed on a Microsoft Windows PC, the Trojan attempts to use the 'Blowfish' algorithm to encrypt all files matching various criteria including particular document types and a range of file sizes.
The exact key used to encrypt the data is either pulled from a particular file on the D: drive or is randomly generated. This renders the information useless to its owner if the cipher key cannot be recovered.
"Restoration of the encrypted files will be difficult, if not impossible," Symantec warns about the Trojan. The malware is circulating in the wild, and disguises itself as a tool to root Samsung Galaxy smartphones - a process that would otherwise allow customized operating systems to be installed on the phones.
It's possible that the unknown virus writers are simply using a programming language they've taken a liking to. "Go could also be more resilient to reversing attempts by researchers as it isn't really mainstream for now. The latter may be more a perception by the coders than in reality."
It goes without saying that Google needs to look into this very rapidly in order to prevent the potential creation of viruses and other malware that could severely impede systems and then propagate themselves across multiple networks.
In other internet security news
The U.K.'s Government Communications Headquarters (GCHQ), the nerve center of the country's electronic eavesdropping, has launched a new initiative to persuade tech-savvy British citizens to help defend their own country against potential hackers and cyber attackers.
Government officials at the GCHQ are going after cyber crooks aged 16 and over who are not already working in computer security and could possibly guard the country's networks against the hacking ambitions of hostile states, cyber criminals and so-called script kiddies.
But the GCHQ must first triumph in a 'Balancing the Defense' game. The participants will analyse a fake government network for possible paths of intrusion, help determine the potential threats it faces and suggest new ways to defend it, all while taking into account the increasingly budget-conscious climate in the U.K.
The GCHQ will have just one week, starting on October 1st, to be briefed on the scenario and submit its report. "We hope that this competition will uncover those who have the vital mix of technical ability and business awareness to make tough decisions in the best interest of an organization," said Joen Karl, the architect of the competition.
"At the GCHQ, we are really committed to finding and developing new cyber security skills in the U.K., and these are the skill sets that employers, including ourselves, are most interested in," he added in a statement.
This latest test is part of the Cyber Security Challenge program, which was started in 2010. Winners of the Balancing the Defense program will be invited onto the next stage of the program, a face-to-face competition that will further whittle down the candidates.
Another virtual competition will follow, after which the remaining contenders will get a real-life challenge with an Aston Martin Racing team and the IT infrastructure the crew relies on.
The final few will reach a Masterclass and Awards weekend in March, where a "range of career enhancing prizes" will be on offer. The GCHQ people didn't specifically say that any employment post was waiting for anyone, mentioning bursaries, university courses and internships instead.
The eavesdropping collective may be a bit embarrassed to admit how much one of their crack specialists would earn, since another of its competitions, Can You Crack It?, yielded a job with a starting salary of just £25,000.
Then again, a number of GCHQ's code-cracking conundrums have had hidden solutions within the main puzzle for top-notch spy wannabes to crack and stand out from the humdrum candidates.
In other internet security news
The court case against Wikileaks founder Julian Assange may be on the brink of collapse following claims from the defense team that the central piece of evidence used in the case does not contain the DNA from Assange that would be required to proceed any further.
But it gets more complicated than just that. According to various details that have emerged in a 100-page police report submitted *after* witnesses were interviewed and forensic evidence had been examined, the condom submitted for evidence by one of the key alleged sexual assault victims does not contain Assange’s DNA.
Assange’s legal team has alleged that the lack of conclusive DNA evidence suggests that fake evidence may have been submitted, and is calling the entire process into question.
We are publishing this news story today because it is widely expected that the U.S. government and other countries could bring Assange to trial for the many thousands of leaks to the internet of sensitive information that could endanger those countries' national security, beginning with the United States.
The Swedish prosecutor’s office has yet to publicly comment on the report into the rape allegations. Assange currently remains in the Ecuadorian Embassy in London after being granted asylum as he fights against the claims and extradition to Sweden.
Meanwhile, in Australia, and as a symbolic show of support, leaders of an Aboriginal group issued a passport to Assange. The Indigenous Social Justice Association is fighting for sovereignty within Australia and claimed that it wanted to forge solidarity with Assange, who has been largely unsupported by the Australian government.
The passport, which isn't valid under Australian law, was issued to Assange’s estranged father. We will keep you posted on this important case, since it has been highly publicized over the past eighteen months or so and is sure to gain a lot of momentum going forward.
In other internet news
A prominent group of hackers has released large quantities of sensitive data from banks, government agencies and consulting firms and has promised even more data leaks in the near future.
"Team Ghost Shell's final form of protest this summer against the banks, politicians and for all the fallen hackers this year," the group wrote in a Pastebin post titled "Project Hell Fire" this weekend.
"With the help of its various divisions, MidasBank & the newest branch, OphiusLab. One million accounts/records leaked. We are also letting everyone know that more releases, collaborations with Anonymous and others, plus two more projects are still scheduled for this fall and winter. It's only the beginning," the post continued.
It's still unclear how much data was published and from how many organizations, but security firm Imperva analyzed the data and said some of the breached databases contain more than 30,000 records.
"It's hard to say with precision just how much data was stolen, but you can say this is a pretty significant breach," said Rob Rachwald, director of security strategy at Imperva.
Whoever stole that data mostly used SQL injection attacks, common attacks that are easy for Web sites to protect against.
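The article notes that SQL injection is common and easy to protect against. The following is an added example (not code from the article, from Imperva, or from any of the breached sites) showing the defect beside the fix: a lookup built by string concatenation, where a single quote in the input rewrites the query, and the same lookup with a bound parameter, where the input is passed to the driver as data. It uses an in-memory SQLite table with constructed rows; the table, column and user names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample rows for an in-memory database (not data from the article).
SAMPLE_USERS = [
    ("alice", "alice@example.invalid", "admin"),
    ("bob", "bob@example.invalid", "user"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Defective pattern: user input is spliced into the SQL text itself."""
    sql = "SELECT name, email, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened pattern: the driver binds the value; it can never become SQL."""
    sql = "SELECT name, email, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups with the textbook tautology input and return row counts."""
    conn = make_db()
    # The closing quote ends the string literal and the OR makes the
    # predicate always true, so the concatenated query returns every row.
    hostile = "x' OR '1'='1"
    leaked = lookup_vulnerable(conn, hostile)
    # With a bound parameter the same text is just an unusual name that
    # matches nothing.
    safe = lookup_parameterized(conn, hostile)
    return len(leaked), len(safe)


if __name__ == "__main__":
    print(demo())  # (2, 0)
```

The hardened form costs nothing at the call site; the only change is that the value travels in the parameter tuple instead of the query string. Content management systems like the ones mentioned above are exactly where concatenated queries tend to survive, because page and record ids are so often read straight from the URL.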
The data includes administrator login information, usernames and passwords and files from content management systems, although it didn't appear to have much sensitive information in those files, Imperva said.
"There was some vulnerability with a content management system that they were able to exploit across multiple locations and download file upon file upon file," Rachwald said.
Team GhostShell also offered six billion databases from a Chinese mainframe that it claims contained technology from China, Japan and possibly other countries. More than 100 billion databases from a mainframe at an unnamed U.S. stock exchange, and access points to three or four Department of Homeland Security servers, were also offered.
"The sensitive information isn't that great but it may be good for street cred," the post says. The leak, like so many others, highlights some of the amazingly lax password practices people and companies follow. "The passwords show the usual '123456' common issue," the Imperva blog post said.
"But one law firm implemented an interesting password system where the root password, 'law321' was pre-pended with your initials. So if your name is Mickey Mouse, your password is 'mmlaw321'. Worse, the law firm didn't require users to regularly change the password either."
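The two password problems Imperva describes, a top-ten password such as '123456' and a site-wide scheme where a fixed suffix is prepended with each user's initials, are both detectable when an organisation audits its own credential set after a breach. The block below is an added example (not code from the article or from Imperva) of that audit: it flags passwords on a short common-password list and, separately, looks for a suffix shared by a large fraction of accounts whose remaining prefix is just the user's initials. The account list is constructed (it reuses the article's Mickey Mouse illustration), and the username format, thresholds and common-password list are assumptions.

```python
from collections import Counter

# Constructed username/password pairs, as a post-breach review might hold them.
# Not data from the article; the law321 pattern reproduces the scheme it describes.
SAMPLE_ACCOUNTS = [
    ("mickey.mouse", "mmlaw321"),
    ("donald.duck", "ddlaw321"),
    ("daisy.duck", "ddlaw321"),      # same initials, so same password as donald
    ("goofy.goof", "gglaw321"),
    ("pluto.dog", "123456"),
    ("scrooge.mcduck", "Tr0ub4dor&3"),
]

# Assumed short deny-list; a real audit would use a large breached-password set.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123"}


def initials(username):
    """Derive initials from an assumed 'first.last' username format."""
    return "".join(part[0] for part in username.split(".") if part).lower()


def shared_suffix(passwords, min_len=4, min_share=0.5):
    """Return the longest suffix (at least min_len chars) shared by at least
    min_share of the passwords, or None if no such suffix exists."""
    n = len(passwords)
    if n == 0:
        return None
    longest = max(len(p) for p in passwords)
    # Walk from the longest candidate length down so the first hit is the
    # longest suffix that clears the threshold.
    for length in range(longest, min_len - 1, -1):
        counts = Counter(p[-length:] for p in passwords if len(p) >= length)
        if not counts:
            continue
        suffix, count = counts.most_common(1)[0]
        if count / n >= min_share:
            return suffix
    return None


def audit(accounts):
    """Map each weak account to the reasons it was flagged."""
    passwords = [pw for _, pw in accounts]
    suffix = shared_suffix(passwords)
    findings = {}
    for user, pw in accounts:
        reasons = []
        if pw.lower() in COMMON_PASSWORDS:
            reasons.append("common password")
        if suffix and pw.endswith(suffix) and pw[:-len(suffix)].lower() == initials(user):
            reasons.append("initials + shared suffix " + suffix)
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in audit(SAMPLE_ACCOUNTS).items():
        print(user, "->", ", ".join(reasons))
```

The suffix search runs from the longest candidate downward so that 'law321' is reported rather than a shorter fragment of it, and the threshold keeps a coincidental shared ending among two accounts from being reported as a scheme. The two Duck accounts also show why an initials-based scheme is worse than it looks: users with the same initials end up sharing one password.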
In other internet security news
A critical Java security vulnerability that first appeared earlier this week actually leverages two zero-day security holes within Java itself. This most recent revelation comes as it was discovered that Oracle knew about the security flaw as early as April of this year.
To be sure, Windows, Mac OS X and Linux desktops running multiple browser platforms are all vulnerable to outside attacks. Exploit code already in circulation first uses a security hole to gain access to the restricted sun.awt.SunToolkit class before a second flaw is used to disable the Security Manager, and ultimately to break out of the Java sandbox.
The unpatched vulnerabilities used by the so-called Gondvv exploit were introduced in Java 7.0, released in July 2011. All versions of Java 7 are vulnerable, but older Java 6 versions appear to be immune, at least for now.
This means that Mac OS X users who follow best practices and apply the latest version of software applications are actually more at risk of attacks.
As a result of these two security vulnerabilities in the most recent version of Java, potential hackers and attackers can spread viruses and malware simply by tricking users into visiting booby-trapped websites.
Worse, malicious code can be loaded onto vulnerable computers without user interaction. The zero-day exploit has already made its way into the infamous Blackhole Exploit kit.
"Due to the Java zero-day, Black Hole exploitation success rates increased from 10 percent to 25 percent," says Aviv Raff, chief technology officer at Seculert.
Modules to test for the exploit have also been folded into Metasploit, the widely used penetration testing framework. In addition, the Java exploit has already appeared in targeted attacks originating on Chinese-hosted domains, security researchers at FireEye warn. AlienVault has also spotted examples of active malfeasance.
Oracle, which has maintained the Java code since it acquired Sun Microsystems in 2007, has yet to issue an advisory note on the issue. In the absence of a security patch for a potent and already abused vulnerability, the best advice is to disable Java in all web browsers, the most obvious attack route.
Instructions on how to do this can be found in an advisory by the U.S. CERT and on F-Secure's website. Sean Sullivan, a security adviser at F-Secure, commented: "The perpetual vulnerability machine that is Oracle's Java Runtime Environment (JRE) has yet another highly exploitable vulnerability (Bulletin CVE-2012-4681). And it's being commoditised at this very moment. There being no latest patch against this, the only solution is to totally disable Java."
When you disable Java in Chrome, it's still possible to enable the technology for a specific site that users trust. This is a useful exception for banking sites and the like that require the use of Java. The site exception controls built into Chrome are explained in a Google knowledge base article on its site.
In other internet security news
We're starting to get some reports that a recent release of an app from Facebook may violate users' rights. Facebook is accused by a consumer lobby group of breaching Germany's privacy laws with the launch of its App Center last week.
To be sure, Facebook has been threatened with possible legal action if it fails to respond to the Federation of German Consumer Organizations within the next seven days.
The lobby group says that Facebook was farming out customer information without informing its users that their data was being used, according to the Associated Press.
Facebook has until September 4th, 2012, to resolve this matter, the group said, or else it could face potential litigation.
Data protection officials in Germany have been strong-arming Facebook for quite some time now. Most recently, Hamburg's data protection commissioner Dr Johannes Caspar confirmed earlier this month that his office had reopened its probe of Facebook's facial recognition technology, complaining that the network was building a massive biometric database of its users without obtaining permission.
The investigation had been suspended to allow time for the Irish data protection authority to conclude its talks with Facebook, whose European office is headquartered in Ireland.
Nevertheless, that probe had included an audit of the company's data policy. Come early autumn, the Irish district prosecutor will rule on whether Facebook should face legal action under existing EU privacy laws.
We spoke to a Facebook spokeswoman in Germany, who declined to comment, saying only that the company is "currently looking into the letter." We will update you when and if we hear more from Facebook.
On top of these privacy issues, Facebook has some serious security issues with its site. Cim Stordal, a fifteen-year-old from Bergen, Norway, has discovered some critical security flaws in Facebook's programming code. When he's not in school, Cim spends part of his time playing the Team Fortress video game, shooting his Airsoft pellet gun, and working in a fish store.