We’ve discussed the need to cover up a webcam with tape for fear of those being compromised during VoIP sessions. This new vulnerability only needs to be able to hear a conversation to figure out what you are typing. The researchers were given the information on what keyboard and some information on typing style of the end user. From there, they were able to get 91.7% accuracy in figuring out what was being typed on the keyboard. This can happen during a regular Skype call without the need to plant any malware to compromise your target’s computer. Skype and other voice messengers are often left on for long periods of time since unlike phones VoIP doesn’t charge by the minute so there is no need to hang up. Multi-taskers may enter passwords or fill out forms while staying on Skype.
There are a few ways around this, such as using push to talk, a method which only sends audio when you hold a certain key down, preventing unnecessary sounds. Touch screen keys do not make the familiar keyboard sounds so those are safe from this method as well. I think using an external microphone as well, one not situated near the keyboard will lower the chances of this attack in general. Without a profile on the end user, the accuracy only drops to 42%, but I wouldn’t rely on this as it may eventually be possible to compare sounds against multiple profiles and pick the most accurate.
After KrebsOnSecurity covered vDOS for being a DDOS hack seller their site was hit with a historic DDOS. While DDOS mitigation has been discussed previously, this attack was nearly impossible to stop. The site was given pro-bono access to Akamai’s mitigation service but due to the size of the attack, Akamai had to sever ties. They predicted that protection of this one site would’ve cost millions of dollars and disruptive protection of their other clients. Diagnosis of the DDOS shows that a lot of attacks came from compromised IoT (internet of things) enabled devices. It was also the second largest DDOS that Akamai ever dealt with.
Google has stepped in with a new program called Google Shield. Its purpose is to prevent free speech from being silenced by malicious attackers. Google Shield protects news As this case proved it is cost-prohibitive to protect a small site from attacks so Google is trying to provide backup. Protection at a high level can cost $150,000 to $200,000 a year even if it is just a blog. The author fears of state sponsored actors also using this kind of DDOS power on individuals.
Sometimes aspiring Pokemon masters want that extra edge to their game and go looking for guides on how to play the game better. Looking in the Google Play Store may have led the players astray as one guide was secretly malware. Kaspersky was able to detect a trojan inside the app but said that multiple defenses made it difficult to reverse engineer to see how it fully works. One defense is that it delays any bad activity by two hours to try to thwart those who are trying to see what it can do. It also doesn’t do anything bad until it receives a respond from the server that is calling the shots. Once its determined its a desireable victim, it downloads files to attempt to root the phone and then grant itself root access. The Play Store reports half a million installs but Kaspersky claims they have only confirmed 6,000 infections live right now. Luckily the worst thing the app has done so far is install its own ads to make money.
The hacker may continue to publish under other psuedonyms for the next big gaming craze that might hit app stores. It is also worrying that hackers are trying to implement anti-virtual machine technology making it harder to create a testing environment that you can reset if things go wrong.
Alleged vDOS Proprietors Arrested in Israel
On some corners of the internet, you can pay for services that attack legitimate websites to try to disrupt their service. One of these sites, vDOS, was recently busted up by authorities in Israel. They arrested the alleged owners, two 18 year olds who have been running the site for four years. The site is accused of running DDOS attacks that earned the owners over half a billion dollars. They were found out through multiple sleuthing methods. They refered to each other on facebook by their hacker call signs. Their phone number was set up to receive texts from customer service notifications.
The database of who had been paying for the hacks also became publicly available. The data contains attempted DDOS’s that weren’t wiped from their logs. It shows what site was targeted by what username, when, and for how long.
Interestingly, after the site went down the site domain was hacked through a BGP hijack. The company responsible said it was in response to their servers being attacked by vDOS and hoping that would lessen the traffic. The company CEO said this was just a defensive maneuver but I would still classify this as offense.
It seems a lot of fighting is going on all the time on the internet and the only defense might be to stay educated on all the new ways hackers are attacking system. Sometimes, going on the offense may pay off too if done correctly.