Per una serie tv così legata al mondo degli hacker e dell’informatica, l’arrivo di un videogioco era praticamente obbligatorio.
Ecco allora che dalla Gamescom, l’annuale fiera di Colonia dedicata al mondo videoludico, è arrivato l’annuncio ufficiale di Mr. Robot 1.51exfiltrati0n, un’app per Android e iOS che pesca a piene mani dall’universo dello show con Rami Malek e Christian Slater.
Il gioco, pubblicato da Telltale Games, riproduce in maniera fedele un’app di messaggistica istantanea sviluppata dalla Evil Corp., la multinazionale che nella serie tv rappresenta l’antagonista del gruppo di hacker fsociety, guidati proprio dal misterioso Mr. Robot.
Tra chat, scambi di file e informazioni segrete, i giocatori potranno dialogare con i personaggi della serie e scegliere di contribuire alla caduta della Evil.
Oppure mettere i bastoni tra le ruote agli hacker, facendo in piena libertà le proprie scelte: al centro della storia, infatti, c’è sempre il giocatore.
Mr.Robot 1.51exfiltration è già disponibile a circa 3,30 euro sia su smartphone Android che dispositivi iOS.
Per ricevere aggiornamenti sul gioco invece, basta seguire l’account twitter ufficiale @ecorpmessaging.
WhatsApp e Facebook sono e rimarranno due applicazioni separate sul nostro smartphone. Ma l’aggiornamento dei termini e dell’informativa sulla privacy dell’iconcina di messaggistica (comunicato qui) le avvicina molto. E porta le imprese all’interno delle chat. Il colosso di Mark Zuckerberg ha acquistato WhatsApp nel febbraio del 2014 con la promessa da ambo le parti di non mischiare servizi e dati, soprattutto in considerazione del fatto che il social network si basa sulla vendita di pubblicità mentre l’app verde è priva di annunci.
Adesso qualcosa è cambiato: una serie di informazioni relative a WhatsApp, come il nostro numero di telefono o gli accessi alle finestre di dialogo, verranno condivise con Facebook e con il resto del gruppo di Menlo Park. Instagram o Oculus, ad esempio. Come l’iconcina fondata da Jan Koum ha tenuto a sottolineare, non vengono coinvolti i contenuti degli scambi: la crittografia end to end introdotta in aprile impedisce a chiunque di vedere testi o fotografie in transito da un dispositivo all’altro.
Concretamente cosa vuol dire e cosa cambia per noi? Il social network da 1,7 miliardi di utenti potrà attingere (anche) a questi dati per inviarci messaggi pubblicitari sempre più mirati quando navighiamo sulla sua piattaforma o per consigliarci potenziali amici da aggiungere alla nostra cerchia. Potrà capitare di vedere fra i suggerimenti di Facebook il nome e il volto di una persona con cui si è appena entrati in contatto su WhatsApp. O di imbatterci sul social network nella pubblicità di un’azienda che conosce il nostro numero di telefono.
Non solo, anche l’applicazione di messaggistica da più un miliardo di utenti si sta per aprire direttamente alle imprese. L’intenzione non è di ospitare messaggi pubblicitari classici ma di consentire, ad esempio, alla banca di avvisarci di eventuali movimenti strani sul nostro conto, alla compagnia aerea di tenerci aggiornati sul ritardo del volo che stiamo per prendere o alla pizzeria di comunicarci che il pasto ordinato sta per arrivare. La novità verrà testata nei prossimi mesi, ed era stata annunciata a inizio anno, e sembra propendere per la creazione di chat ufficiali cui potremo decidere o meno di aderire - ma che saranno anche sfruttate per inviarci consigli su prodotti o servizi da acquistare in base alle nostre preferenze - e non dovrebbero interromperci durante le chiacchierate canoniche.
The recent disclosure of a set of vulnerabilities in the Android operating system that could potentially put over 900 million devices at risk may have been patched, but its threat remains.
The QuadRooter flaw, discovered by Check Point, could potentially give cyber attackers complete control over an Android device. The vulnerability was discovered in Qualcomm chips, which are used in smartphones and tablets made by Blackberry, LG, Google and more. This put up to 900 million devices at risk. The flaw was dubbed QuadRooter because there are four interconnected flaws which can be used to gain access to the “root” of the phone, the Guardian said.
Patches to fix the flaw were made available quickly, and Check Point released an app called QuadRooter Scanner on the Google Play store which checked whether a device was at risk.
However, new research has revealed that QuadRooter’s threat is still alive. Researchers at RiskIQ have found a number of malicious apps available for download on various app stores that claim to offer a fix for the flaw, but of course do nothing of the sort.
One of these, called Fix Patch QuadRooter by KiwiApps Ltd was found in the official Google Play store. Although it was removed from there it popped up in a number of unofficial app stores, along with a number of others. In total, 27 malicious apps related to QuadRooter have so far been found.
These have been found available for download in the official Google Play store, as well as others such as BingAPK, SameAPK, AppBrain, and AppChina. All these unofficial sources carry big risks to users and their devices.
These unofficial, third-party app stores are a dangerous place; a lack of quality control means many applications are malicious, containing malware that can steal personal data. While these app stores may seem convenient for users, especially in countries where official apps may not be available, users should stick with the official Google Play Store wherever possible.
Photo © ymgerman/Shutterstock.com
With all the frenzy around the Pokemon GO mobile game, it was only just a matter of time before attackers leveraged its popularity to spread ransomware. A new ransomware was recently discovered impersonating a Pokemon GO application for Windows. Detected by Trend Micro as Ransom_POGOTEAR.A, it appears to be like any other ransomware. However, a closer look revealed that its creators based it on Hidden Tear, an open-sourced piece of ransomware released last August 2015, with the intention of educating people.
The Pokemon GO ransomware developer designed it to create a “Hack3r” backdoor user account in Windows and is added to the Administrator group. The registry is tweaked to hide the Hack3r account from the Windows login screen. Another feature creates a network share on the victim’s computer, allowing the ransomware to spread by copying the executable to all drives. Once the executable is copied to removable drives, it creates an autorun file so the ransomware runs each time someone accesses the removable drive. The executable is also copied to the root of other fixed drives. This way, the Pokemon GO ransomware will run when the victim logs into Windows.
There are numerous indicators that the ransomware is still under development. One of them is that it has a static AES encryption key of “123vivalalgerie”. Additionally, the command & control server (C&C) uses a private IP address which means it cannot connect over the Internet.
Based on the language used by the ransom note, the Pokemon GO ransomware appears to target Arabic-speaking users, with an accompanying ransom screen that features a Pikachu image. In addition, the screensaver executable is also embedded with an image of “Sans Titre”, which is French for “Untitled”, suggesting a clue to the developer's origin.
The Hidden Tear ransomware isn’t new. In January 2015, Trend Micro discovered a hacked website in Paraguay that distributed ransomware detected as RANSOM_CRYPTEAR.B. According to the analysis, the website was compromised by a Brazilian hacker, and that the ransomware was created using a modified Hidden Tear code. Prior to this discovery, when the source code of Hidden Tear was made public for educational purposes, the creator was very specific about not using Hidden Tear as ransomware. Unfortunately, as expected, the following discovery of Ransom_CRYPTEAR.B and this current Pokemon-themed ransomware has shown that even with the best intentions, improper disclosure of sensitive information can lead to troublesome scenarios such as the mentioned discoveries.
To avoid ransomware, users are encouraged to regularly back up files and to have an updated security solution. Trend Micro solutions can protect users from the recent Pokemon Go ransomware. As the game is introduced in new regions, the Pokemon GO craze is expected to continue to gain momentum and cybercriminals will find ways to capitalize on it. In fact, in the month of July alone, malicious Pokemon Go apps were found tricking users into downloading them. This should remind users to remain vigilant of threats that may ride along the popularity of such games.
Visit the Threat Encyclopedia for step-by-step instructions on how to remove Ransom_POGOTEAR.A.
Authored by SaifAllah benMassaoud, Zahid Mehmood | Site vulnerability-lab.com
A vulnerability allowed remote attackers to determine which specific Facebook user ID is linked with a mobile phone number without secure approval. The vulnerability is located in the ctx and recover lwv parameters and /login/identify modules.
Facebook Bug Bounty #33 - Bypass ID user to linked Phone Number Vulnerability
Vulnerability Laboratory ID (VL-ID):
Common Vulnerability Scoring System:
Product & Service Introduction:
Facebook is a for-profit corporation and online social networking service based in Menlo Park, California, United States. The Facebook website was
launched on February 4, 2004 by Mark Zuckerberg, along with fellow Harvard College students and roommates, Eduardo Saverin, Andrew McCollum, Dustin
Moskovitz, and Chris Hughes. The founders had initially limited the website's membership to Harvard students; however, later they expanded it to
higher education institutions in the Boston area, the Ivy League schools, and Stanford University. Facebook gradually added support for students
at various other universities, and eventually to high school students as well. Since 2006, anyone age 13 and older has been allowed to become a
registered user of Facebook, though variations exist in the minimum age requirement, depending on applicable local laws. The Facebook name comes
from the face book directories often given to United States university students. After registering to use the site, users can create a user profile,
add other users as `friends`, exchange messages, post status updates and photos, share videos, use various applications (apps), and receive
notifications when others update their profiles. Additionally, users may join common-interest user groups organized by workplace, school, or other
topics, and categorize their friends into lists such as `People From Work` or `Close Friends`. In groups, editors can pin posts to top. Additionally,
users can complain about or block unpleasant people. Because of the large volume of data that users submit to the service, Facebook has come under
scrutiny for their privacy policies. Facebook, Inc. held its initial public offering (IPO) in February 2012, and began selling stock to the public
three months later, reaching an original peak market capitalization of $104 billion. On July 13, 2015, Facebook became the fastest company in the
Standard & Poor's 500 Index to reach a market cap of $250 billion. Facebook has more than 1.65 billion monthly active users as of March 31, 2016.
(Copy of the Homepage: https://en.wikipedia.org/wiki/Facebook )
Abstract Advisory Information:
Two independent vulnerability laboratory researchers discovered a bypass and validation vulnerability in the Facebook online service web-application & mobile api.
Vulnerability Disclosure Timeline:
2016-04-02: Researcher Notification & Coordination (SaifAllah benMassaoud & Zahid Mehmood)
2016-04-03: Vendor Notification (Facebook Whitehat Security Team)
2016-04-09: Vendor Response/Feedback (Facebook Whitehat Security Team)
2016-05-20: Vendor Fix/Patch (Facebook Developer Team)
2016-05-21: Security Acknowledgements (Facebook Whitehat Security Team - Bounty: 1500$)
2016-08-08: Public Disclosure (Vulnerability Laboratory)
Product: Mobile Web Application (API) 2016 Q2
Technical Details & Description:
The bypass user id web vulnerability has been discovered in the official Facebook online service web-application & mobile api.
The vulnerability allows remote attackers to determine which specific Facebook user ID is linked with a mobile phone number
without secure approval. The vulnerability is located in the `ctx" and `recover` `lwv` parameters and `/login/identify` modules.
Attackers can setup the privacy settings, who can look me up using a phone number? Set it to Friends Only, the attacker is able
to bypass that security approval to preview.
The security risk of the bypass user id vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.5.
Exploitation of the vulnerability allows an attacker to determine which specific facebook user ID is linked with the mobile phone number.
Proof of Concept (PoC):
The bypass user id issue can be exploited by remote attackers to determine which specific Facebook user ID is linked to a mobile phone number.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Open the following url with ssl
2. Type phone number in the box (Email, Phone, Username or Full Name)
Note: For example, i am attacking one of my test facebook IDs, where i turn on my privacy settings to `Who can look you up using the phone number you provided?`(Friends Only).
No one can see my profile name etc ... Type a number in the box (The facebook account you're attacking only has a mobile phone number added). In my case i used my test id and click on `Serach`
3. Now the attacker clicks to `No Longer have access to these?`
4. Type "New Email" Confirm "New Email"
5. Now `Fill in the form` with fake information and process to `Submit`
Note: You will receive a response from facebook to your email ibox that confirms the issue.
Solution - Fix & Patch:
The vulnerability was addressed by the facebook developer team during the updates 2016-05-20.
The security risk of the `./login/identify` bypass user id vulnerability is estimated as medium. (CVSS 3.5)
Credits & Authors:
SaifAllah benMassaoud & Zahid Mehmood - ( http://www.vulnerability-lab.com/show.php?user=SaifAllahbenMassaoud )
Disclaimer & Information:
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: email@example.com - firstname.lastname@example.org - email@example.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific
authors or managers. To record, list, modify, use or edit our material contact (admin@ or firstname.lastname@example.org) to get a ask permission.
Copyright A(c) 2016 | Vulnerability Laboratory - [Evolution Security GmbH]aC/
VULNERABILITY LABORATORY - RESEARCH TEAM