Archive

January 2019

Browsing

Lukas Stefanko, an IT security researcher at ESET has discovered 9 Android apps on Google Play Store spamming users with unwanted ads. One of the apps called “Remote control for TV and home electronics” has been installed by more than 5 million users while in total all 9 apps have been installed by 8 million users around the world. This is the second time in one week that adware apps have been found on Google Play Store.

According to Stefanko, none of the apps actually work and their sole purpose is to bombard users with ads to generate revenue for app developers. It is noteworthy that these apps have been developed by Tools4TV, an Android developer that has been active since 2015.

Embedded video

 

9 fake apps containing functionality found on Google Play with over 8 Million installs.

Unwanted code is hidden in “not working” apps that once launched, hide itself from user’s view and display ads.
All these apps are fake without any promised functionality.

In his tweet dated 

The unwanted code is hidden in “not working” apps that once launched, hide itself from user’s view and display ads. All these apps are fake without any promised functionality,

The current list of well known malicious apps on Google play store is as follow:

– Remote control
– TV remote controller
– TV remote controlling
– Remote for Air conditioner
– Remote for television for free
– Air conditioner remote control
– Universal TV remote controller
– Remote control for the car (prank)
– Remote control for TV and home electronics

This is the second time in a week that researchers have reported the presence of adware apps on the Play Store. Last week, the IT security researchers at Trend Micro revealed that there were 85 adware infected apps on the marketplace bombarding around 9 million Android users with full-screen unwanted ads.

All 85 apps (developed by two different Android developers “Alger games and Kodev”) were then removed by Google however it is unclear whether there is a connection between apps reported by Trend Micro and Lukas Stefanko. 

At the time of publishing this article, Google has booted out Tools4TV along with their apps from the Play Store. To protect yourself from malware and adware apps avoid installing unnecessary apps from Google Play Store or from a third-party marketplace.

We suggest sticking to trusted developers and brands and only download an app after going through its review section. Moreover, installing a reliable antivirus would also be helpful in thwarting impending attacks. Here is a list of 10 powerful antiviruses for Android, iPhone, Mac, and PC

Source: Hack Read

A new reminder for those who are still holding on to the Windows 7 operating system—you have one year left until Microsoft ends support for its 9-year-old operating system.
So it’s time for you to upgrade your OS and say goodbye to Windows 7, as its five years of extended support will end on January 14, 2020—that’s precisely one year from today.
After that date, the tech giant will no longer release free security updates, bug fixes and new functionalities for the operating system that’s still widely used by people, which could eventually leave a significant number of users more susceptible to malware attacks.

However, the end of  free support doesn’t end Windows 7 support for big business and enterprise customers. As always, Microsoft does make exceptions for certain companies that are willing to pay a lot of money to continue their support.

According to a ‘Death of Windows 7’ report from content delivery firm Kollective, as many as 43% of enterprises are still running the nine-year-old operating system, of which 17% didn’t know when Microsoft’s end of support deadline hit.

Millions of Users Are Still Using Windows 7

Want to know how popular Windows 7 is among users? Even after aggressively pushing Windows 10 installations since its release in 2015, its market share finally managed to overtake the user-favorite Windows 7 just by the end of last year.

Windows 7 was released in 2009 and, according to December 2018 stats from Netmarketshare, is currently running on about 37 percent of the world’s PC fleet, which is far ahead of its radically redesigned successor Windows 8 and 8.1 combined.

Microsoft stopped the mainstream support for Windows 7 in January 2015, but Windows users have continued to receive security updates and patches for known security issues as part of the company’s extended support, which runs for at least five years.

In March 2017, Microsoft also started blocking new security patches and updates for Windows 7 and Windows 8.1 users running the latest processors from Intel, AMD, Qualcomm, and others.

“For Windows 7 to run on any modern silicon, device drivers and firmware need to emulate Windows 7’s expectations for interrupt processing, bus support, and power states- which is challenging for WiFi, graphics, security, and more,” the company said.

“The lifecycle begins when a product is released and ends when it’s no longer supported. Knowing key dates in this lifecycle helps you make informed decisions about when to update, upgrade or make other changes to your software.”

Besides ending support for Windows 7 next year, Microsoft will also end support for MS Office 2010, Windows Server 2008/2008 R2, SQL Server 2008/2008 R2, Exchange 2010 and Windows Embedded 7 in 2020.

As for Windows 8, the operating system’s extended support is set to end on January 10, 2023.

What Should Affected Windows 7 Users Do?

If you and/or your business are still running Windows 7, you still have one year left to shift to the latest operating system.

Government agencies and big enterprises can still pay for expensive extended support to continue receiving security updates and patches from the company if they need more than a year to migrate to the newer version.

However, regular users should upgrade their operating system immediately to Windows 10 or a Linux distribution, rather than running an unpatched and increasingly vulnerable version of Windows operating system.

A British hacker whose cyberattacks took the nation of Liberia offline has been jailed for almost three years.

Daniel Kaye launched a series of attacks on Liberian cell phone operator Lonestar in October 2015, which became so powerful they knocked out the west African country’s internet the following year.
Kaye, 30, had been hired to carry out the attacks by a senior employee at rival operator Cellcom, Britain’s National Crime Agency said in a statement, although there is no suggestion that Cellcom was aware of the activity.
He pleaded guilty to creating and using a botnet, a series of computers connected in order to attack systems, and possessing criminal property last month. Kaye was sentenced on Friday at Blackfriars Crown Court in central London to two years and eight months in prison.
While living in Cyprus, Kaye used a botnet he had created to trigger repeated distributed denial of service (DDoS) requests on Lonestar, causing the company to spend around $600,000 in remedial action.
The additional impact of customers leaving the network caused the company to lose tens of millions of dollars in lost revenue, the NCA added.
Following his arrest in February 2017, Kaye was extradited to Germany, where he also admitted to attacks on Deutsche Telekom that affected around 1 million customers in November 2016.
“Daniel Kaye was operating as a highly skilled and capable hacker-for-hire,” Mike Hulett, Head of Operations at the NCA’s National Cyber Crime Unit, said.
“His activities inflicted substantial damage on numerous businesses in countries around the world, demonstrating the borderless nature of cyber crime,” he added. “The victims in this instance suffered losses of tens of millions of dollars and had to spend a large amount on mitigating action.”
Source: CNN
In the cybersecurity world today, with cybercriminals operating like a penetration tester in the way they scope out the network looking for vulnerabilities and weak entry points, those responsible for IT security will once again need to adjust their strategy and defenses. The Sophos 2019 Threat Report detailed how criminals are now “staking out” victims, moving laterally throughout the network, manipulating internal controls to reach their objectives with stealth. As endpoint protection has improved, so criminals are on the lookout for the next weak entry point. The focus can no longer be on protection and detection, but also intelligent and automated response that provides lateral movement protection to isolate an attack moving through the network. Sophos CISO Ross McKercher outlines the Top 5 Cybersecurity Predictions for 2019.
With cyber criminals constantly on the lookout for weak entry points, the cybersecurity focus needs to shift from protection and detection to intelligent and automated responses that isolate a cyberattack.
  1. Security teams will need more development and engineering skills

Security teams used to focus on firewalls and endpoints and many security professionals cut their teeth as system and network administrators. Nowadays infrastructure is defined by code, breaches are increasingly caused by weak applications and automation is essential for under-staffed teams. This is changing the skillset required by security pros. We now also need to have a deep understanding of applications and an ability to build automation into our tools and processes.

  1. Organisations will up their focus on software supply chains

Everyone relies a huge amount nowadays on Open-source libraries that are often maintained very informally by loose-knit communities that are easy to infiltrate. This used to be the domain of nation states but the criminals are getting in on the action.

  1. AppSec will continue to grow

We are getting better at protecting Endpoints and attackers are shifting their focus. Legacy applications will continue to be a fertile hunting ground!

  1. Threat Hunting really will be driven by ML

Bit of a cliché but ML will no longer be something that you just buy. Tools & techniques that were previously the domain of data science experts are getting easier to use. Won’t be long before larger SOC teams are using the tools directly rather than via models that are embedded in products.

  1. Zero-trust starts to become achievable

The tools, knowledge and technologies for achieving a true Zero-trust architecture are rapidly maturing. Maybe like nuclear fusion – 15 years away and always will be but 14 years after the Jericho forum declared the end of the network perimeter we are getting close the point where many enterprises have a realistic chance of keeping their clients off “trusted” networks, particularly non-technical employees.

Source: DataQuest

Let me guess. From a young age, you were attracted to spy movies. You are someone who wasn’t necessarily interested in school subjects, but probably did okay regardless. You learn concepts easily and quickly compared to others. You had a natural affinity for computers at a young age. Something about you is excited by the subversive blackhat hacking community, but actually, you’re a good person who doesn’t like the idea of ruining people’s lives or spending your life doing chin-ups with your morally questionable mate “Steve” in a high security prison.

So what’s the solution? Become an ethical hacker, so that you can do these illegal things without risk of jailtime, and get paid for it!

I should start with a disclaimer — I’m not an expert. I’ve only ever landed one hacking job, which is my current one — and I haven’t even been here long! But I did spend a lot of time in other sectors of IT wishing I was in security. As a result, I’ve read a lot of stuff and spoken to a lot of people. Basically, it all boils down to this:

There is no one-size-fits-all approach to getting your first infosec role. There was a recent Twitter hashtag that did the rounds, #MyWeirdPathToInfosec, where a whole bunch of infosec professionals revealed the paths they took to an eventual infosec role. They varied widely, some spent time in federal prison (not recommended), some were musicians, some scored an infosec role straight out of college, some were offered jobs after illegally hacking a company and then telling the company how they did it (also not recommended). This technique may have worked for some people in the 90s, now it will probably land you in jail.

The point is, don’t have tunnel-vision. Career opportunities often arise where you least expect.

A Little About My Path to Infosec

I remember my first experience with “hacking.” I was about 10 years old, and I discovered the ability to save webpages locally. I headed straight to Google, downloaded the home page, and edited my local copy in notepad.exe to contain the words “Luke was ‘ere!”. When I opened up the edited page, my stomach dropped. I thought I had defaced Google. How long until the FBI kick in my door? Should I tell my parents before they find out?

Back in myyy daaaay, there were no hacking challenge sites. In fact, there was barely any information out there, at least that I could find. My first resource was a website by Carolyn Meinel, titled “The Guides to (mostly) Harmless Hacking.” The guides were written in Comic Sans, the token font of that bad design genre that can only be found in the 90s and early 00s. These guides included such classics as “Telnet: the Number One Hacking Tool” and “How to Hack with Windows XP part I: The Magic of DOS.” They can still be found here.

Upon finishing school I scored my first job in IT and started a computer science degree, almost finished, dropped out, got made redundant, moved out of home, acquired Bachelor of Music, became a full-time musician, spent a couple of years performing on cruise ships, met my wife, lived in the UK, got married, moved back to Australia, and started working as a full-time web developer.

Throughout all this, my passion for hacking never really subsided, and development was never something I loved. I had a wonderful job with great people, but the actual tasks of my job weren’t sparking me. As it turns out, I was on a project which involved e-commerce and sensitive data, so my boss offered for me to take a security related course. I emailed the CEO of a local penetration testing firm and asked what the best security course was, and he recommended OSCP. So I did it!

Completing my OSCP was a turning point for me. I spent every spare moment of those 60 days learning as much as possible about the art of hacking. Even when I was exhausted, I had trouble sleeping because my brain wouldn’t stop thinking about the challenge boxes in the labs. That’s how I knew it should probably be my job, instead of development, which I had grown tired of. (I wrote a three-part blog series about the OSCP too, if you’re into that.)

Only a month or two after completing OSCP, I landed my first penetration testing job through a great infosec recruiter after solving a hacking challenge they posted online. You can read more about that story here.

Enough about me! Finally, we are at the bit you all came here to read. Some actionable tips on how to get your first job as a hacker:

Get Active in the White Hat Community

Contribute to open source tools, write your own, blog, start a podcast, go to hacker cons, connect with people on Twitter. You will learn a lot and it will introduce you to a whole network of lovely people who can help you. The infosec community on the whole are a friendly, tight-knit pack of smart, passionate people. If you’re reading this, there’s a good chance you will feel at home.

Email People You Respect

Are there people out there in your dream role? Email them and ask about your career path. The worst that will happen is that they don’t reply, the best that can happen is that you gain a mentor and some life-changing advice.

Be Trustworthy

You can have every hacking certification under the sun, but if you walk into the interview gloating about some illegal stunt you pulled, nobody will risk hiring you. The white hat community often deal with highly sensitive data — your employer and your clients need to be able to trust you.

On that note, when you’re in an interview and you don’t know the answer to a technical question, it’s better to say “sorry, I don’t know, but I will be sure to research that later!” than to try to bluff your way through an answer. The person interviewing you will be able to tell, and they are probably more interested in you being honest and genuine than correct. At this point in time, experienced security professionals are rare, so many companies are hiring less experienced staff with the right mindset and attitude, then putting them through training to learn the technical skills.

Get Certifications

Frankly, many certifications in this field aren’t a good indicator of someone’s technical ability. Having said that — you’re more likely to get a job if you have them. It shows that you’re invested in the craft, you have spent time/money skilling up, and you are interested. There are a few great certifications out there, and some that aren’t so good. If you’re not sure which ones are good, ask someone who knows!

Bug Bounties, CTFs and Challenge Sites

Have you been in a HackerOne/BugCrowd hall of fame? Found a RCE in a bug bounty? Did you do well in a CTF at a hacking conference? Are you highly ranked on hackthebox.eu? Put it on your CV! These things might seem like games, but they’re also proof that you’re passionate about the craft, and have some skills.

Don’t Be Afraid of Recruiters

Recruiters get a bad name for relentlessly calling you and using dodgy tactics to get the right contacts, but they’re not all like that. Finding a quality recruiter with good connections can make all the difference. When you are looking for a recruiter for a hacking gig, find one that specialises in infosec. A standard IT recruiter probably won’t know the right people.

Make Your Current Role a Security Role

Are you a developer? Find a bug in the application you develop, show it to your boss, ask permission to conduct more in depth security testing. Are you a sysadmin? Find a security hole in your network (you probably already know where to look), communicate the risk to your boss and ask for permission to conduct further testing. Whatever role you’re in — there’s a good chance you can make a name for yourself as the in-house security expert.

Now in your infosec interview/CV, you can say you were the in-house security expert, even though your official title was just “developer.” You can also fill out the “responsibilities” section of your role with some security related tasks.

Source: Medium

 

It’s time. We’ve rounded up all our best games of 2018, then followed that up with another bunch of games you might’ve missed. We’ve done plenty of retrospective to close out the year. Now it’s our chance to look ahead at a packed spring schedule (and beyond), rounding up all the games we’re most excited about for 2019.

That part is key: Most excited about. That means you’ll find some obvious picks here, like Metro Exodus. You’ll also find some smaller, more niche picks like Disco Elysium, Heaven’s Vault, and The Occupation. And it means this is not a comprehensive list. It’s just our favorites.

Sorry in advance if we cut your favorite game from the list.

Resident Evil 2 – January 25

The first major PC release of 2019 is Capcom’s Resident Evil 2 remake ($60 preorder on Humble), due to release at the end of January. It’s probably the safest possible bet Capcom could make after the bold first-person pivot of Resident Evil VII. The Resident Evil 2 remake brings back all the fans’ old favorites. Leon’s here! And Claire! And Ada Wong! And Raccoon City! Also, it’s been redone to use the over-the-shoulder camera from Resident Evil IV!

It’s like a mashup of everyone’s favorite Resident Evils. That’s less exciting (to me at least) than a proper Resident Evil VII follow-up, but it’ll be great to have this classic story playable on modern machines, and with mechanics befitting a 2019 video game. So long, fixed camera angles. Adios, tank controls. We can do better now.

The Occupation – February 5

The Occupation was supposed to release in October. Now it’s supposed to release in February. I don’t think anyone even announced a delay—it just slipped into the future as if the original date never existed, the perfect way to delay a game that’s about a corrupt government cracking down on civil liberties to keep citizens safe.

Delay or no, The Occupation‘s still one of my most anticipated games for 2019. The game takes place over four real-time hours, with characters and events sticking to a strict schedule. You play a journalist, trying to uncover the facts behind a deadly crime—but you need to make decisions about what leads to pursue and how to follow them. Do you meet with the government official you have an appointment with? Or perhaps blow them off and root through a colleague’s empty office?

I’ve played a lot of so-called “immersive sims” over the years, but none as ambitious as The Occupation. I hope the delay gave the team enough time to fine-tune the details.

Metro Exodus – February 15

Usually these lists become outdated because of delays, but not this time. The day after we recorded our 2019 preview video, Metro Exodus ($60 preorder on Humble) announced it was moving its release date up a week, from February 22 to February 15. That takes it out of competition with Anthem and puts it back up against Crackdown 3, as well as Far Cry: New Dawn.

Metro is the one I’m looking forward to most though. I loved the cramped corridor shooting of Metro 2033 and Last Light, and while I’m a bit less enamored with the idea of a pseudo-open-world Metro game I’m curious to see whether it works, guiding Artyom on some grand journey through the Russian countryside.

Far Cry: New Dawn – February 15

Metro Exodus ’s strongest competition, Far Cry: New Dawn ($40 preorder on Humble) releases the same day with a brighter and goofier take on the post-apocalypse. And you know what? I’m kind of looking forward to it. I think Far Cry’s serious numbered entries are mostly mediocre (especially Far Cry 5) but the gimmicky spin-offs like Blood Dragon and Primal are interesting experiments—even when they don’t quite work out.

So a post-apocalyptic Far Cry? One that’s set on the same map as Far Cry 5, but without all the political and religious overtones? It probably won’t break new ground for the series or for games as a whole, but it at least sounds like a decently fun time. And hey, Fallout 76 set the bar pretty low, so…

Anthem – February 22

Once upon a time February 22 was supposed to be the crowded day, but first Crackdown 3 dipped to February 15 and then Metro followed suit. Now only Anthem ($60 preorder on Origin) remains, BioWare’s take on a Destiny-style shooter—except maybe with a better story? That’s a pretty thin maybe, based on what I’ve seen so far, but I’m still holding out some hope. It is BioWare, after all.

We really don’t know though. BioWare’s been reticent about showing off Anthem’s story, instead focusing on how it plays. And I can say: It plays great. At our E3 demo I claimed Anthem plays “even smoother than Destiny,” which is high praise coming from me. Rocketing around in my little mech, strafing waterfalls and diving underwater, then exploding back out of a pool to shoot some nearby foes—it’s effortless.

But I loved the shooting in Mass Effect: Andromeda and not much else, so…well, I hope the story’s decent. Fingers crossed.

The Sinking City – March 21

Frogwares’s Sherlock Holmes series is the closest I’ve come to a gaming guilty pleasure. They’re low budget, often buggy, the cases you solve hit-or-miss, and the mechanics for finding a solution even more inconsistent. And yet they often rise above their station, delivering excellent character moments for Holmes and Watson, or seizing on a neat detective game gimmick (like Crimes and Punishments with its red herring endings).

Point being: I’m always interested in what Frogwares is up to, even if the results aren’t perfect. And with Cyanide’s 2018 Call of Cthulhu game a mess, that makes Frogwares’s Sinking City our best hope for a truly unsettling mythos experience. The cinematic trailer below gives me no idea whether this is mostly an action game or a detective game, but I’m at least excited to find out.

Sekiro: Shadows Die Twice – March 22

Dark Souls is dead. Long live Dark Souls. If you believe From Software, the Dark Souls series is finished forever. That doesn’t mean From Software is done making that style of game though.

Enter Sekiro: Shadows Die Twice ($60 preorder on Steam). It’s not a Souls game, but Sekiro takes those ideas—deliberate combat, pattern recognition, grand boss battles, impenetrable lore—and transposes them to Japan’s Sengoku period. It is, in so many ways, recognizable as a From Software game.

And yet it’s not afraid to deviate from Dark Souls as well. Exploration is more active, as your character has a grappling hook-arm that allows him to leap to rooftops and branches or swing across gaps. That, in turn, makes stealth a viable option—either bypassing enemies entirely or leaping down on them unawares for a quick kill.

Mortal Kombat XI – April 23

We don’t know much about Mortal Kombat XI yet. Announced in December at The Game Awards, all we’ve seen is a single CGI trailer of Dark Raiden fighting two Scorpions. That means uh…well, Dark Raiden and Scorpion are in the game. It also seems like the character customization elements of Injustice 2 will make it over to this latest Mortal Kombat.

But what will the campaign look like? That’s what I’m most curious to see. The seamless cinematic-driven campaigns of Mortal Kombat IX andX were great, but after four games (including the Injustices) it seems like it might be time for a shakeup. Rumors claim Mortal Kombat XI will include a full-on adventure mode with a map to explore, a la 2005’s Shaolin Monks, but we’ll see.

Rage 2 – May 14

I still find it hard to believe Bethesda’s funding Rage 2 ($60 on Amazon), a sequel to one of the all-time blandest games, but…well, Prey was great. Maybe another of Bethesda’s weird bets will pay off. After all, Rage 2 mashes up id’s shooting with Avalanche’s Mad Max driving, which certainly sounds like a winning combination.

The question is whether the story can pull its weight as well. Lest we forget, the first Rage played pretty well. It was just boring as hell. Rage 2 seems to be shifting towards a quirkier Borderlands-lite style of humor, which might help propel the action along…or might get old quick. It’s hard to tell.

Either way, I’m looking forward to Rage 2—and that’s a sentence I never thought I’d write a year ago.

Source: IT News