In a first, US military plans to drop “cyberbombs” on ISIS, NYT says

Cyber Command plans to mount hacking attacks that disrupt ISIS operations.


Opening a new front in its campaign to defeat Islamic State terrorists, the US military has, for the first time, directed its Cyber Command to mount hacking attacks against ISIS computers and networks, The New York Times reported Sunday.

While US National Security Agency hackers have targeted ISIS members for years, its military counterpart, Cyber Command, had conducted virtually no attacks against the terrorist organization. The new campaign reflects President Obama's desire to bring the kinds of clandestine military hacking operations that have targeted Iran and other nations to the battle against ISIS. According to the NYT:

The goal of the new campaign is to disrupt the ability of the Islamic State to spread its message, attract new adherents, circulate orders from commanders and carry out day-to-day functions, like paying its fighters. A benefit of the administration’s exceedingly rare public discussion of the campaign, officials said, is to rattle the Islamic State’s commanders, who have begun to realize that sophisticated hacking efforts are manipulating their data. Potential recruits may also be deterred if they come to worry about the security of their communications with the militant group.

Defense Secretary Ashton B. Carter is among those who have publicly discussed the new mission, but only in broad terms, and this month the deputy secretary of defense, Robert O. Work, was more colorful in describing the effort.

“We are dropping cyberbombs,” Mr. Work said. “We have never done that before.”

The campaign began by installing several implants in the militants’ networks to learn the online habits of commanders. Now, Cyber Command members plan to imitate the commanders or alter their messages. The goal is to redirect militants to areas more vulnerable to attack by American drones or local ground forces. In other cases, officials said, US military hackers may use attacks to interrupt electronic transfers and misdirect payments.


Active drive-by exploits critical Android bugs, care of Hacking Team

Hostile JavaScript delivered through ads installs ransomware on older Android phones.


An ongoing drive-by attack is forcing ransomware onto Android smartphones by exploiting critical vulnerabilities in older versions of Google's mobile operating system still in use by millions of people, according to research scheduled to be published Monday.

The attack combines exploits for at least two critical vulnerabilities in Android versions 4.0 through 4.3, including Towelroot, an exploit for a flaw in the Linux kernel's futex subsystem (CVE-2014-3153) that gives attackers unfettered "root" access to vulnerable phones. The exploit code appears to borrow heavily from, if not copy outright, Android attack scripts that leaked to the world following the embarrassing breach of Italy-based surveillance-software vendor Hacking Team in July 2015. Additional data indicates devices running Android 4.4 may also be infected, possibly through a different set of vulnerabilities.

It's the first time—or at least one of only a handful of times—Android vulnerabilities have been exploited in real-world drive-by attacks. For years, most Android malware has spread through social engineering campaigns that trick users into installing a malicious app posing as something useful and benign. The drive-by attack—which has been active for at least the past 60 days and was discovered by security firm Blue Coat Systems—is notable because it is completely stealthy and requires no interaction from the end user: loading a page that serves the booby-trapped ad is enough.


Brazen no more, makers of account-draining bank trojan get 24 years

SpyEye infected more than 50 million PCs and caused almost $1 billion in losses.


Two men who built and sold a banking trojan that infected more than 50 million computers around the world and caused almost $1 billion in losses have been sentenced to a combined 24 years in prison.

Aleksandr Andreevich Panin, the chief developer and distributor of SpyEye, received a sentence of nine years and six months in federal prison, according to a statement issued by the US Department of Justice. In underground forums where the trojan was sold, the 27-year-old Russian national went by the hacker aliases “Gribodemon” and “Harderman.” In 2010, prosecutors said, he received the source code to a crimeware platform dubbed ZeuS. From 2009 to 2011, he conspired with others to develop SpyEye, which is believed to have borrowed liberally from ZeuS.

Prosecutors said Panin conspired with Hamza Bendelladj, aka Bx1, an Algerian man who received a 15-year prison term during the same Wednesday sentencing in federal court in Atlanta. Prosecutors said Bendelladj transmitted more than one million spam e-mails containing SpyEye and related malware to computers in the United States. Those messages infected hundreds of thousands of computers. Bendelladj also developed SpyEye add-ons that automated the theft of funds from victim bank accounts and further spread malware, including SpyEye and ZeuS. Authorities said he stole personal information from almost 500,000 people and caused millions of dollars in losses to individuals and financial institutions around the world.


DRAM bitflipping exploits that hijack computers just got easier

Approach relies on already installed code, including widely used glibc library.


New research into the "Rowhammer" bug that resides in certain types of DDR memory chips raises a troubling new prospect: attacks that use Web applications or booby-trapped videos and documents to trigger so-called bitflipping exploits that allow hackers to take control of vulnerable computers.

The scenario is based on a finding that the Rowhammer vulnerability can be triggered by what are known as non-temporal instructions: x86 store instructions (MOVNTI and its relatives) that write straight to memory and bypass the CPU cache. Earlier exploits had to issue the CLFLUSH instruction to evict their aggressor addresses from cache between accesses, and sandboxes such as Google's Native Client responded by blocking CLFLUSH; non-temporal stores need no flush, and the memcpy and memset routines in the widely used glibc library already use them for large copies. That opens vulnerable machines to several types of exploits that haven't been discussed in previous research papers. For instance, a malicious Web application could drive the browser's own memory-copy routines hard enough to flip bits and break out of the browser sandbox into sensitive parts of the operating system. Another example: attackers could feed crafted input to media players, file readers, file compression utilities, or other apps already installed on Rowhammer-susceptible machines and cause those apps to do the hammering for them.

As Ars has previously reported, Rowhammer exploits a physical weakness in certain types of DDR memory chips to flip the individual bits of data they store. By reading or writing a small region of memory hundreds of thousands of times within a single DRAM refresh interval (typically 64 ms), code can change zeroes to ones and vice versa in physically adjacent regions. These changes occur even though the exploit code doesn't access, and doesn't have access rights to, the adjacent regions. The bug took on the name Rowhammer because, when code hammers one or more rows of memory cells, electrical interference causes bit flips in neighboring rows.
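The access pattern described above, as an added example that is not code from the Ars article or from the research it summarises: two "aggressor" addresses on either side of a "victim" row are written repeatedly with cache-bypassing stores, and the victim is then checked for bits that no longer match their fill pattern. The 8 KiB row stride is an assumption (real row sizes and the virtual-to-physical mapping are platform-specific), and the program uses only virtual addresses, so on a healthy machine it reports zero flips; a real attack needs physically adjacent rows and far more iterations per refresh interval.

```c
/* Added example (not from the Ars article or the paper it reports on).
 * Shows the Rowhammer access pattern and why non-temporal stores matter:
 * on x86 the aggressor writes are MOVNTI (_mm_stream_si32), which go
 * straight to DRAM with no CLFLUSH; elsewhere the code falls back to
 * ordinary volatile stores, which are served from cache and do not hammer
 * DRAM at all.  Build: cc -O2 -o hammer hammer.c */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef __SSE2__
#include <emmintrin.h>          /* _mm_stream_si32, _mm_sfence */
#define HAVE_NT_STORE 1
#endif

#define BUF_BYTES  (8u << 20)   /* 8 MiB buffer: spans many DRAM rows */
#define ROW_STRIDE (8u << 10)   /* ASSUMED 8 KiB row size; platform-specific */

/* One round of hammering: a cache-bypassing store to each aggressor. */
static inline void hammer_once(uint32_t *a, uint32_t *b)
{
#ifdef HAVE_NT_STORE
    _mm_stream_si32((int *)a, 0);
    _mm_stream_si32((int *)b, 0);
    _mm_sfence();   /* drain the write-combining buffer so the stores hit DRAM now */
#else
    *(volatile uint32_t *)a = 0;  /* cached store: demonstrates the loop, not the flips */
    *(volatile uint32_t *)b = 0;
#endif
}

/* Count bits in [victim, victim+len) that differ from the fill pattern. */
static size_t count_flips(const uint8_t *victim, size_t len, uint8_t pattern)
{
    size_t flips = 0;
    for (size_t i = 0; i < len; i++)
        flips += (size_t)__builtin_popcount((unsigned)(victim[i] ^ pattern));
    return flips;
}

/* Fill a buffer with `pattern`, hammer the rows on either side of a victim
 * row `iterations` times, and return how many victim bits flipped.
 * The addresses are only virtual: without knowing which physical rows they
 * map to (real exploits use huge pages or /proc/self/pagemap) a healthy
 * machine returns 0, which is the expected result of this demonstration. */
size_t rowhammer_trial(unsigned long iterations, uint8_t pattern)
{
    uint8_t *buf = malloc(BUF_BYTES);
    if (!buf) return 0;
    memset(buf, pattern, BUF_BYTES);

    uint8_t  *victim = buf + BUF_BYTES / 2;               /* the row we watch */
    uint32_t *above  = (uint32_t *)(victim - ROW_STRIDE); /* aggressor rows */
    uint32_t *below  = (uint32_t *)(victim + ROW_STRIDE); /* (outside the victim range) */

    for (unsigned long i = 0; i < iterations; i++)
        hammer_once(above, below);

    size_t flips = count_flips(victim, ROW_STRIDE, pattern);
    free(buf);
    return flips;
}

int main(void)
{
    size_t flips = rowhammer_trial(2000000UL, 0xFF);
    printf("victim bits flipped after hammering: %zu\n", flips);
    return 0;
}
```

The point to take from the loop is what is absent: there is no CLFLUSH, so a sandbox that filters that instruction gains nothing, and any library routine that emits the same non-temporal stores on the attacker's behalf (a large memcpy, for instance) can stand in for the explicit intrinsics.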


How hackers eavesdropped on a US Congressman using only his phone number

SS7 signaling protocol also exposes locations, contacts, and other sensitive data.

A US congressman has learned first-hand just how vulnerable cellphones are to eavesdropping and geographic tracking after hackers were able to record his calls and monitor his movements using nothing more than the public ten-digit phone number associated with the handset he used.

The stalking of US Representative Ted Lieu's smartphone was carried out with his permission for a piece broadcast Sunday night by 60 Minutes. Karsten Nohl of Germany-based Security Research Labs was able to record any call made to or from the phone and to track its precise location in real time as the California congressman traveled to various points in the southern part of the state. Nohl did it by abusing Signaling System 7 (SS7), the protocol suite carriers use to route calls and text messages between networks; SS7 trusts any party with access to the carrier network, so the same location queries and call redirection are available to anyone who can buy or borrow that access. At one point, 60 Minutes played for Lieu a crystal-clear recording Nohl made of one call that discussed data collection practices by the US National Security Agency. While SR Labs had permission to carry out the surveillance, there's nothing stopping malicious hackers from doing the same thing.

The representative said he had two reactions: "First it's really creepy," he said. "And second it makes me angry. They could hear any call. Pretty much anyone has a cell phone. It could be stock trades you want someone to execute. It could be a call with a bank."


Out-of-date apps put 3 million servers at risk of crypto ransomware infections

1,600 schools, governments, and aviation companies already backdoored.


More than 3 million Internet-accessible servers are at risk of being infected with crypto ransomware because they're running vulnerable software, including out-of-date versions of Red Hat's JBoss application server, researchers from Cisco's Talos group said Friday.

About 2,100 of those servers have already been compromised by webshells that give attackers persistent control over the machines, making it possible for them to be infected at any time, the Cisco researchers reported in a blog post. The compromised servers are connected to about 1,600 different IP addresses belonging to schools, governments, aviation companies, and other types of organizations.

Some of the compromised servers belonged to school districts running Destiny, the library management system from Follett Learning that many schools use to keep track of books and other assets. Cisco notified Follett of the compromise, and Follett said it has fixed the vulnerability in Destiny and that the updated software also scans for signs of infection and removes any backdoors it finds.


Apple stops patching QuickTime for Windows despite 2 active vulnerabilities

Security firm urges Windows users to uninstall media player.

If your Windows computer is running Apple's QuickTime media player, now would be a good time to uninstall it.

The Windows app hasn't received an update since January, and security researchers from Trend Micro said it won't receive any security fixes in the future. In a blog post published Thursday, the researchers said their Zero Day Initiative has reported at least two reliable remote code execution vulnerabilities in QuickTime for Windows, which will now remain unpatched on every machine that keeps the program installed.

"We’re not aware of any active attacks against these vulnerabilities currently," they wrote. "But the only way to protect your Windows systems from potential attacks against these or other vulnerabilities in Apple QuickTime now is to uninstall it."


0-day exploits more than double as attackers prevail in security arms race

Spike brings number to 54 in 2015, the highest ever recorded.

The number of zero days showed their sharpest rise ever in 2015, reaching a record 54. (credit: Symantec)

The number of attacks that exploited previously unknown software vulnerabilities more than doubled in 2015 as hackers raced against security defenders to find effective ways to infect end users with malware, according to a recently released report.

The number of "zero-day" exploits—so called because the affected software's developer has had zero days to prepare a patch before the flaw is used against its users—reached an unprecedented 54, according to researchers at security firm Symantec. That number compared with 24 in 2014, 23 in 2013, and 14 in 2012. The increase was partly caused by the breach of Italy-based surveillance-software vendor Hacking Team, which spilled six closely guarded zero days the company had acquired into the public domain. It also came as Adobe and other developers significantly reduced the time it took to release patches that plugged zero-day holes.

"It is difficult to defend against new and unknown vulnerabilities, particularly zero-day vulnerabilities for which there may be no patch, and attackers are trying hard to exploit them faster than vendors can roll out patches," Symantec researchers wrote in the company's annual Internet Security Threat Report. The report went on to say that the Angler exploit kit, a package sold in Internet crime forums, was able to quickly integrate the growing number of zero days into its arsenal.


Yes, Badlock bug was shamelessly hyped, but the threat is real

Code in just about every version of Windows, and in the Samba software Linux systems use to talk to them, exposes the keys to the kingdom.

Go ahead and pooh-pooh the overdone marketing of the Badlock vulnerability. With its fire-engine-red logo and a dedicated website that went live three weeks before the release of any patches, claims that the risk was shamelessly hyped are justified. That said, Badlock represents a real and critical threat to virtually any organization that maintains a Microsoft network. Administrators who don't patch right away do so at their own peril.

In a nutshell, Badlock refers to a defect in the way the Security Account Manager (SAM) and Local Security Authority (LSAD) remote protocols are carried over the Distributed Computing Environment/Remote Procedure Call (DCE/RPC) transport, code contained in just about every version of Windows and in the Samba package that Linux and other Unix-like systems use to interoperate with Windows networks. These protocols are used by administrators around the world to access the most valuable asset on any Windows network: Active Directory, which acts as a network's digital security guard, allowing, for instance, an organization's CFO to log in to an accounting server while locking out the janitor or the groundskeeper. Because Active Directory enforces security policies and contains password data and other crucial credentials, it is almost always the first asset hackers go after once they gain a limited foothold in a targeted network.

By design, DCE/RPC can authenticate both ends of a connection and, depending on the authentication level the two sides negotiate, sign or encrypt the traffic between an admin's remote computer and the server running Active Directory. In many ways, the system is analogous to the Transport Layer Security (TLS) protocol that protects connections between end users and the websites they visit. DCE/RPC ensures that parties are who they claim to be, and it can encrypt the data traveling between them, so that anyone who happens to have access to the same corporate network—say, a rogue janitor or groundskeeper employed by the same organization—can't monitor or modify the crucial information inside Active Directory. Badlock's flaw is that an attacker positioned between client and server can tamper with that negotiation, force a weaker protection level than the client asked for, and then impersonate the authenticated user against the SAM and LSAD services; the fixes make Windows and Samba reject such downgraded connections, which is why patching both sides matters.


Experts crack nasty ransomware that took crypto-extortion to new heights

Freely available tool derives password used to corrupt master boot record.


A nasty piece of ransomware that took crypto-extortion to new heights contains a fatal weakness that allows victims to decrypt their data without paying the hefty ransom.

When it came to light two weeks ago, Petya was notable because it targeted a victim's entire startup drive rather than individual files. It did so by overwriting the master boot record with its own boot code, which on the next restart encrypted the NTFS master file table (MFT) and displayed a ransom note. As a result, without the decryption key, the infected computer wouldn't boot, and every file on the startup disk was unreachable even though the file contents themselves were not encrypted. A master boot record is the special 512-byte boot sector at the very beginning of a partitioned hard drive that holds the initial boot code and the partition table, while the master file table is the structure on an NTFS volume that records the name, size, and location of every other file.
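To make the MBR's layout concrete, here is an added example (not code from the Ars article or from the Petya analysis it reports on) that parses a 512-byte boot sector: the bootstrap code in bytes 0 to 445, four 16-byte partition entries, and the 0x55AA signature. It also applies a forensic heuristic, checking whether the stock Windows bootstrap error strings are present, since an infection that installs its own loader replaces that area. The sample sectors are constructed inline, and the offsets at which the strings are placed are arbitrary; the heuristic is a hint for triage, not a Petya detector, because a legitimate third-party boot manager also lacks those strings.

```c
/* Added example: MBR parser plus a replaced-bootstrap heuristic.
 * Not code from the article; sample sectors are constructed, not captured. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_BYTES 512
#define PART_TABLE   446   /* bootstrap code occupies bytes 0..445 */
#define PART_ENTRY   16
#define PART_COUNT   4

struct mbr_part {
    uint8_t  status;     /* 0x80 = active/bootable, 0x00 = inactive */
    uint8_t  type;       /* partition type id; 0x07 = NTFS/exFAT/HPFS */
    uint32_t lba_start;  /* first sector (little-endian on disk) */
    uint32_t sectors;    /* length in sectors */
};

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr_le32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; p[2] = (v >> 16) & 0xFF; p[3] = (v >> 24) & 0xFF;
}

/* Parse an MBR. Returns the number of in-use partition entries, -1 if the
 * 0x55AA boot signature is missing (firmware refuses to boot the disk),
 * or -2 if an entry is malformed. */
int mbr_parse(const uint8_t *sec, struct mbr_part *out)
{
    if (sec[510] != 0x55 || sec[511] != 0xAA) return -1;
    int n = 0;
    for (int i = 0; i < PART_COUNT; i++) {
        const uint8_t *e = sec + PART_TABLE + PART_ENTRY * i;
        struct mbr_part p = { e[0], e[4], rd_le32(e + 8), rd_le32(e + 12) };
        if (p.type == 0) continue;                            /* empty slot */
        if (p.status != 0x00 && p.status != 0x80) return -2;  /* bad flag byte */
        if (p.sectors == 0) return -2;
        out[n++] = p;
    }
    return n;
}

/* Heuristic: the stock Windows bootstrap carries these error strings.
 * Their absence on an NTFS system disk suggests the loader was replaced. */
int mbr_has_stock_windows_strings(const uint8_t *sec)
{
    static const char *needles[] = {
        "Invalid partition table", "Error loading operating system", "Missing operating system" };
    for (size_t i = 0; i < sizeof needles / sizeof needles[0]; i++) {
        size_t len = strlen(needles[i]);
        int found = 0;
        for (size_t off = 0; off + len <= PART_TABLE && !found; off++)
            if (memcmp(sec + off, needles[i], len) == 0) found = 1;
        if (!found) return 0;
    }
    return 1;
}

/* Constructed sample. Scenario 0: stock-looking MBR with two NTFS partitions.
 * 1: same partition table, bootstrap area replaced by foreign code.
 * 2: boot signature destroyed. String offsets are arbitrary (assumption). */
void build_sample_mbr(uint8_t *sec, int scenario)
{
    memset(sec, 0, SECTOR_BYTES);
    strcpy((char *)sec + 0x12C, "Invalid partition table");
    strcpy((char *)sec + 0x144, "Error loading operating system");
    strcpy((char *)sec + 0x163, "Missing operating system");
    uint8_t *e0 = sec + PART_TABLE, *e1 = e0 + PART_ENTRY;
    e0[0] = 0x80; e0[4] = 0x07; wr_le32(e0 + 8, 2048);   wr_le32(e0 + 12, 204800);
    e1[0] = 0x00; e1[4] = 0x07; wr_le32(e1 + 8, 206848); wr_le32(e1 + 12, 1024000);
    sec[510] = 0x55; sec[511] = 0xAA;
    if (scenario == 1) memset(sec, 0x90, PART_TABLE);   /* foreign loader, no stock strings */
    if (scenario == 2) sec[510] = sec[511] = 0;
}

int sample_partition_count(int scenario)
{
    uint8_t sec[SECTOR_BYTES]; struct mbr_part parts[PART_COUNT];
    build_sample_mbr(sec, scenario);
    return mbr_parse(sec, parts);
}

int sample_has_stock_strings(int scenario)
{
    uint8_t sec[SECTOR_BYTES];
    build_sample_mbr(sec, scenario);
    return mbr_has_stock_windows_strings(sec);
}

int main(void)
{
    for (int s = 0; s < 3; s++)
        printf("scenario %d: partitions=%d stock_strings=%d\n",
               s, sample_partition_count(s), sample_has_stock_strings(s));
    return 0;
}
```

On a real system the sector to feed `mbr_parse` is the first 512 bytes of the physical disk (for example the output of `dd if=/dev/sda bs=512 count=1` from a rescue environment); scenario 1 is the shape to expect from a boot-sector-replacing infection, where the partition table still parses cleanly but the loader is no longer Microsoft's.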
