Backdoor built in to widely used tax app seeded NotPetya outbreak

The third-party software updater used to seed last week’s NotPetya worm that shut down computers around the world was compromised more than a month before the outbreak. This is yet another sign the attack was carefully planned and executed. The malware was spread through a legitimate update module of M.E.Doc, a tax-accounting application that’s widely used in Ukraine.

— source arstechnica.com

To avoid this kind of situation, all software must be Free Software.

Debian Warns Of Hyper Threading Issue With Intel Sky/Kaby Lake CPUs

The Debian project is warning Intel Skylake and Kaby Lake users to disable Hyper Threading (HT) on their CPUs due to a possible issue affecting those with out-of-date microcode. Intel Skylake and Kaby Lake (6th and 7th gen CPUs) could “dangerously misbehave” when Hyper Threading is enabled. Users are advised to get an updated BIOS/UEFI, while for some Skylake CPUs the updated Intel microcode packages available on Linux have a fix.

— source phoronix.com

When Apps Secretly Team Up to Steal Your Data

Imagine two employees at a large bank: an analyst who handles sensitive financial information and a courier who makes deliveries outside the company. As they go about their day, they look like they’re doing what they’re supposed to do. The analyst is analyzing; the delivery person is delivering. But they’re actually up to something nefarious. In the break room, the analyst quietly passes some of the secret financials to the courier, who whisks it away to a competing bank.

Now, imagine that the bank is your Android smartphone. The employees are apps, and the sensitive information is your precise GPS location.

Like the two employees, pairs of Android apps installed on the same smartphone have ways of colluding to extract information about the phone’s user, which can be difficult to detect. Security researchers don’t have much trouble figuring out if a single app is gathering sensitive data and secretly sending it off to a server somewhere. But when two apps team up, neither may show definitive signs of thievery alone. And because of an enormous number of possible app combinations, testing for app collusions is a herculean task.

A study released this week developed a new way to tackle this problem—and found more than 20,000 app pairings that leak data. Four researchers at Virginia Tech created a system that delves into the architecture of Android apps to understand how they exchange information with other apps on the same phone. Their system—DIALDroid—then couples apps to simulate how they’d interact, and whether they could potentially work together to leak sensitive information.

When the researchers set DIALDroid loose on the 100,206 most downloaded Android apps, they turned up nearly 23,500 app pairs that leak data. More than 16,700 of those pairs also involved privilege escalation, which means the second app received a type of sensitive information that it’s typically forbidden from accessing.

In one striking example, the study highlighted an app that provides prayer times for Muslims. It retrieves the user’s location and makes it available to other apps on the smartphone. More than 1,500 receiver apps, if installed on the same device, can get the location sent by the prayer-times app. Of those, 39 apps leak the location data to potentially dangerous destinations.

Relatively small groups of unsecured apps were behind the enormous number of leaky connections. The 16,700 app pairs that exhibited privilege escalation all involved one of 33 sender apps. And the roughly 6,700 app pairs that leaked data without privilege escalation all involved one of 21 sender apps. Twenty sender apps appeared in both categories. The problematic apps came in various forms: from entertainment and sports to photography and transportation apps.

Collusive leaks aren’t always intentional—and it’s very difficult to tell when they are. But no matter the aim, leaks of sensitive information without a user’s permission carry potential for abuse.

Sometimes, only one app in a pairing may seem intentionally malicious. An app can take advantage of a security flaw in another app to steal data and extract it to a distant server, for example. Other times, both apps are poorly designed, creating an accidental data flow from one app to another, and then from the second to a log file.

The study found that smartphone location was more likely to be leaked than any other type of information. It’s easier to imagine how a user’s real-time location could be abused than, say, knowing what networks that person’s smartphone is connected to. But smaller details like network state can be used to “fingerprint” a device—that is, to identify it and keep track of what its user does over time.

When they analyzed the final destination for leaked data, the Virginia Tech researchers found that nearly half of the receivers in leaky app pairs sent the sensitive data to a log file. Generally, logged information is only available to the app that created it—but some cyberattacks can extract data from log files, which means the leak could still be dangerous. Other more immediately dangerous app pairings send data away from the phone over the internet, or even over SMS. Sixteen sender apps and 32 receiver apps used permission escalation and extracted leaked data in one of those two ways.

— source theatlantic.com by Kaveh Waddell

Mastodon free social network

Mastodon is a free social network. A decentralized alternative to commercial platforms, it avoids the risks of a single company monopolizing your communication. Pick a server that you trust — whichever you choose, you can interact with everyone else. Anyone can run their own Mastodon instance and participate in the social network seamlessly.

https://mastodon.social/about

— source opensource.com by Seth Kenlon

WordCamp Kochi

For your kind information, the first WordCamp of South India, WordCamp Kochi 2017 will be held at Udyan Convention Centre, Kochi, on the 19th of February, 2017 (Sunday).

An event conducted by the WordPress Community, WordCamp Kochi will have talks by reputed speakers and WordPress experts from India, and all across the world. It is an event that covers topics on WordPress development, security, design, and more.

The WordCamp phenomenon has also made its presence felt in India. WordCamp Pune, WordCamp Udaipur, and WordCamp Mumbai are some of the other WordCamps that have been/are being held in India, in 2017.

WordCamp Kochi is for everyone who uses WordPress, and everyone who should use WordPress. The event brings together authors, artists, bloggers, business owners, consultants, designers, developers, entrepreneurs, marketers, non-profits, photographers, software professionals, web developers and more…

In short, there is something in WordCamp Kochi, for everyone!

WordCamp Kochi will have several informative and entertaining sessions on several topics revolving around WordPress, conducted by WordPress experts from India, and all across the world. The sessions are not only meant for a technical audience – they will be equally useful for you, whether you are a WordPress user or a WordPress developer.

Another highlight of WordCamp Kochi is the opportunity for networking.

We are expecting around 300 attendees from all across the world, at WordCamp Kochi. It will be an interesting opportunity for you to meet, connect, and network with some of the best WordPress professionals in the world.

So what are you waiting for? Get your tickets confirmed — https://2017.kochi.wordcamp.org/tickets/

#WCKochi