UPDATE Firefox and Tor to Patch Critical Zero-day Vulnerability

The critical Firefox vulnerability being actively exploited in the wild to unmask Tor users has been patched with the release of new browser updates.

Both Mozilla and Tor Project has patched the vulnerability that allows attackers to remotely execute malicious code on Windows operating system via memory corruption vulnerability in Firefox web browser.

Tor Browser Bundle is a repackaged version of the open-source Mozilla Firefox browser that runs connections through the Tor anonymizing network configured to hide its user's public IP address.

However, the exploit code released by an unnamed online user was currently being exploited against Tor Browser users to leak the potentially identifying information of Tor users.

"The security flaw responsible for this urgent release is already actively exploited on Windows systems," an official of the anonymity network wrote in an advisory published on Wednesday. 

"Even though there is currently...no similar exploit for OS X or Linux users available, the underlying [Firefox] bug affects those platforms as well. Thus we strongly recommend that all users apply the update to their Tor Browser immediately."

Soon after the Tor Project released the updated version of its browser, Mozilla also posted a blog post that said the company has also released an updated version of Firefox that patched the underlying vulnerability.

The vulnerability, assigned CVE-2016-9079 and rated critical, also affects Mozilla's Thunderbird e-mail application and the Firefox Extended Support Release (ESR) version used by the Tor Browser.

The attack code exploiting the underlying vulnerability initially circulated Tuesday on a Tor discussion list by an admin of the SIGAINT privacy-oriented public email service.

"The exploit took advantage of a bug in Firefox to allow the attacker to execute arbitrary code on the targeted system by having the victim load a web page containing malicious JavaScript and SVG code," said Mozilla security official Daniel Veditz. 

"It used this capability to collect the IP and MAC address of the targeted system and report them back to a central server. While the payload of the exploit would only work on Windows, the vulnerability exists on Mac OS and Linux as well."

Firefox and Tor users are strongly recommended to update their web browsers to the latest Firefox version 50.0.2 and Tor Browser 6.0.7, respectively, as soon as possible.

Meanwhile, people using both Tor and mainstream versions of Firefox can set the Firefox security slider to "High" in order to protect themselves from the attack.

Doing so would render the exploit moot, Georg Koppen, Tor Browser Team Lead, told The Hacker News in an email, although the setting will prevent many websites from working as expected.

"Apart from that we are currently working on sandboxing techniques that have [the] potential to mitigate this kind of attack," Koppen added. "They are, alas, not ready for the stable series yet. We plan to ship prototypes with the next planned alpha releases."

For more details about the critical Firefox vulnerability, you can head on to our previous article, Firefox Zero-Day Exploit to Unmask Tor Users Released Online.

Recommanded : Rule 41 — FBI Gets Expanded Power to Hack any Computer in the World

Rule 41 — FBI Gets Expanded Power to Hack any Computer in the World

Hacking multiple computers across the world just got easier for the United States intelligence and law enforcement agencies from today onwards.

The changes introduced to the Rule 41 of the Federal Rules of Criminal Procedure by the United States Department of Justice came into effect on Thursday, after an effort to block the changes failed on Wednesday.

The change grants the FBI much greater powers to hack into multiple computers within the country, and perhaps anywhere in the world, with just a single warrant authorized by any US judge (even magistrate judges). Usually, magistrate judges only issue warrants for cases within their jurisdiction.

That's the same the FBI did in its 2015 investigation into child pornography site Playpen, in which the agency hacked into some 8,700 computers across 120 different countries.

The Supreme Court approved the changes to Rule 41 in April, allowing any U.S. judge to issue search warrants that give the FBI and law enforcement agencies authority to remotely hack computers in any jurisdiction, or even outside the United States.

Democratic Senator Ron Wyden attempted three times to block changes to Rule 41 that potentially risks people using Tor, a VPN, or some other anonymizing software to hide their whereabouts, but the efforts were blocked by Republican Senator John Cornyn of Texas.

The rule change should take effect on 1st December, today, barring surprises.

On the one hand, privacy advocates and legal experts have described the rule change as the extensive expansion of extraterritorial surveillance power that will allow agencies like the FBI to carry out international hacking operations with a lot less of a hassle.

On the other hand, the DOJ argued that the changes to the rule will help investigate modern internet criminals, allowing investigators access computers whose locations are "concealed through technological means," like the Tor anonymity network or VPNs (Virtual Private Networks), and devices used in botnets that have become powerful cyber weapons.

Assistant Attorney General Leslie Caldwell highlighted these concerns in a blog post published last week, saying if a criminal suspect is using Tor or VPN to hide its real location, it becomes tough for investigators to know his/her current location.

"So in those cases, the Rules do not clearly identify which court the investigators should bring their warrant application to," Caldwell said.

But what would happen if the FBI hacks the botnet victims, rather than the perpetrators? Or what if the government abuses this power to target nation states?

In a speech, Wyden said that the changes to Rule 41 amounted to "one of the biggest mistakes in surveillance policy in years," giving federal investigators "unprecedented authority to hack into Americans' personal phones, computers, and other devices," Reuters reports.

Other critics worry that the changes to Rule 41 would give the FBI unfettered ability to hack innocent users whose electronic devices have been infected with botnet malware without their knowledge, or anyone who keeps their identities private online.

To this concern, Caldwell argued that investigators accessing the devices of botnet victims "would, typically, be done only to investigate the extent of the botnet," or in order to "obtain information necessary to liberate victims’ computers from the botnet."

Caldwell further argued that the rule change would not allow the FBI to conduct "Mass Hacking;" in fact, failing to implement the rule change "would make it more difficult for law enforcement to combat mass hacking by actual criminals."

Recommanded : Hackers Steal Millions From European ATMs Using Malware That Spit Out Cash

Cyber Attack Knocks Nearly a Million Routers Offline

Mirai Botnet is getting stronger and more notorious each day that passes by. The reason: Insecure Internet-of-things Devices.

Last month, the Mirai botnet knocked the entire Internet offline for a few hours, crippling some of the world's biggest and most popular websites.

Now, more than 900,000 broadband routers belonging to Deutsche Telekom users in Germany knocked offline over the weekend following a supposed cyber-attack, affecting the telephony, television, and internet service in the country.

The German Internet Service Provider, Deutsche Telekom, which offers various services to around 20 Million customers, confirmed on Facebook that as many as 900,000 customers suffered internet outages on Sunday and Monday.

Millions of routers are said to have vulnerable to a critical Remote code Execution flaw in routers made by Zyxel and Speedport, wherein Internet port 7547 open to receive commands based on the TR-069 and related TR-064 protocols, which are meant to use by ISPs to manage your devices remotely.

The same vulnerability affects Eir D1000 wireless routers (rebranded Zyxel Modem) deployed by Irish internet service provider Eircom, while there are no signs that these routers are actively exploited.

According to Shodan search, around 41 Million devices leave port 7547 open, while about 5 Million expose TR-064 services to the outside world.

According to an advisory published by the SANS Internet Storm Center, honeypot servers posing as vulnerable routers are receiving exploit code every 5-10 minutes for each target IP.

An intercepted packet showed how a remote code execution flaw in the <NewNTPServer> part of a SOAP request was used to download and execute a file in order to infect the vulnerable device.

Security researchers at BadCyber also analyzed one of the malicious payloads that were delivered during the attacks and discovered that the attack originated from a known Mirai's command-and-control server.

"The unusual application of TR-064 commands to execute code on routers has been described for the very first time at the beginning of November, and a few days later a relevant Metasploit module had appeared," BadCyber wrote in a blog post. "It looks like someone decided to weaponize it and create an Internet worm based on Mirai code."

It all started early October when a cyber criminal publicly released the source code of Mirai, a piece of nasty IoT malware designed to scan for insecure IoT devices – mostly routers, cameras, and DVRs – and enslaves them into a botnet network, which is then used to launch DDoS attacks.

The hacker created three separate exploit files in order to infect three different architectures: two running different types of MIPS chips and one with ARM silicon.

The malicious payloads open the remote administration interface and then attempt to log in using three different default passwords. After this is done, the exploit then closes port 7547 in order to prevent other attackers from taking control of the infected devices.

"Logins and passwords are obfuscated (or "encrypted") in the worm code using the same algorithm as does Mirai," the researchers say. "The C&C server resides under timeserver.host domain name, which can be found on the Mirai tracker list."

More in-depth technical details about the vulnerability can be found on ISC Sans, Kaspersky Lab, and Reverse Engineering Blog.

Deutsche Telekom has issued an emergency patch for two models of its Speedport broadband routers – Speedport W 921V, Speedport W 723V Type B – and currently rolling out firmware updates.

The company recommends its customers to power down their routers, wait for 30 seconds and then restart their routers in an attempt to fetch the new firmware during the bootup process.

If the router fails to connect to the company's network, users are advised to disconnect their device from the network permanently.

To compensate the downtime, the ISP is also offering free Internet access through mobile devices to the affected customers until the technical problem is resolved.

Recommanded : Microsoft Shares Telemetry Data Collected from Windows 10 Users with 3rd-Party

Microsoft Shares Telemetry Data Collected from Windows 10 Users with 3rd-Party

Cyber security is a major challenge in today's world, as cyber attacks have become more automated and difficult to detect, where traditional cyber security practices and systems are no longer sufficient to protect businesses, governments, and other organizations.

In past few years, Artificial Intelligence and Machine Learning had made a name for itself in the field of cyber security, helping IT and security professionals more efficiently and quickly identify risks and anticipate problems before they occur.

The good news is that if you are a Windows 10 user, Microsoft will now offer you a machine learning based threat intelligence feature via its inbuilt Windows security service, which will improve the security capabilities available on Windows 10 devices.

But, the bad news is that it is not free.

The company is offering this "differentiated intelligence" feature on its newly added service to Windows 10, dubbed Windows Defender Advanced Threat Protection (WDATP), which helps enterprises detect, investigate, and respond to advanced attacks on their networks.

This becomes possible after Microsoft recently signed a deal with FireEye that integrates the security vendor's iSIGHT Threat Intelligence into Windows Defender Advanced Threat Protection.

As part of the partnership, Microsoft will give FireEye access to all the telemetry data from every device running Windows 10, Australian website ARN reports.

"FireEye has invested in nation-state grade threat intelligence, and we are strategically partnering with industry leaders to operationalize this high-quality intel," Ken Gonzalez, FireEye's Vice President of Corporate Development, said in the official press release.

"By working with Microsoft, we’re able to offer differentiated threat intelligence within WDATP and together help make organizations more secure."

It's no secret that Windows 10 collects all sorts of usage information on users and sends them back to Microsoft, which then uses this telemetry data to help identify security issues, fix problems and improve the quality of its operating system.

This telemetry data includes information on the device running Windows 10, a list of installed apps, crash dumps, and other statistics from devices powered by its latest operating system.

However, this Microsoft's data mining capability also raised some privacy concerns among Windows users.

This newly-signed deal with FireEye is the first time that Microsoft has publicly agreed to share telemetry data of Windows 10 users with a third-party, which is definitely worrying for many users.

At this moment, the official press release says nothing about Microsoft providing FireEye with access to data collected from Windows 10 users.

Microsoft has yet to comment on this matter.

Hackers Steal Millions From European ATMs Using Malware That Spit Out Cash

ATM hackers who long relied on tactics of stealing payment card numbers and online banking credentials to steal millions are now targeting the bank itself to steal cash directly from the machines.

Earlier this year, a gang of cyber criminals infected several ATMs with malware in Taiwan and Thailandthat caused the machines to spit out millions in cash, and the gang members then stood in front of the infected ATMs at the appointed hour and collected the money.

Now, the FBI has warned U.S. banks of the potential for similar ATM jackpotting attacks, saying that the agency is "monitoring emerging reports indicating that well-resourced and organized malicious cyber actors have intentions to target the U.S. financial sector."

ATM jackpotting is a technique used to force automated teller machines to spit out cash.

According to Russian cyber security firm Group-IB, cyber crooks have remotely infected ATMs with malware in more than dozen countries across Europe this year, which forces machines to spit out cash.

The world's two largest ATM manufacturers, Diebold Nixdorf and NCR Corp., said they were aware of the ATM attacks and had already been working with their customers to mitigate the threat.

The cyber criminals have been targeting ATMs for at least five years, but the latest hacking campaigns mostly involved small numbers of ATMs due to the fact that hackers required physical access to the machines to collect cash.

Group-IB did not name the banks targeted in the campaign but said the victims were located in Armenia, Bulgaria, Estonia, Georgia, Belarus, Kyrgyzstan, Moldova, Spain, Poland, the Netherlands, Romania, the United Kingdom, Russia, and Malaysia.

Both Diebold Nixdorf and NCR said they had already provided banks with information on how to thwart the attack, Reuters reported.

"We have been working actively with customers, including those who have been impacted, as well as developing proactive security solutions and strategies to help prevent and minimize the impact of these attacks," said Owen Wild, NCR's global marketing director for enterprise fraud and security.

The disclosure of the new campaign comes months after two large ATM hacks, wherein hackers stole $2.5 Million from Taiwan's First Bank and $350,000 from Thailand's state-owned Government Savings Bank.

While Group-IB believes the attacks across Europe were conducted by a single criminal group, dubbedCobalt, the FBI believes the malicious software used in the attack could be linked to the Russian ATM gang known as Buhtrap, the Wall Street Journal reported.

However, citing the tools and techniques used by both groups, Group-IB believes that Cobalt is linked to Buhtrap, which stole 1.8 Billion rubles ($28 Million) from Russian banks between August 2015 and January 2016.

How to free up space with storage tools in Android 7.1

Squeezing out enough storage space is one of the ever-present struggles of smartphone life. Android 7.1 brings some integrated tools to handle this all in one spot. To check out what’s here, go to Settings > Storage.As with previous versions of Android, you’ll see a breakdown of storage used by category.

However, check out a new tool by selecting Manage Storage at the top of the list. You’ll see an option for Smart Storage, which when toggled on will automatically remove backed up photos and videos when your phone's storage is almost full. If you have a Pixel (the first phone with Android 7.1), you get free storage at full resolution. 

Then, if you select Free up now you get more specific options for removing items. Since these items look for apps or photos that haven't been used in a long time, you may not see a ton of suggestions right away, especially if you have a new Pixel or just reset your device with Android 7.1. 
Finally, you can get more specific details about which apps and other elements of your phone are the main storage culprits. 

From the shared storage menu you can touch on any of the categories, like apps, images, or videos. This will let you know what’s using up the most room.
Also, touch the overflow menu and go directly to Free up space if you know you want to start right away on some purging.

How to add a Hibernate option to the Windows 10 Start menu

At the end of every day do you still dutifully close every file and program window before shutting down your PC? That’s the standard way to handle things, but for quite a few versions of Windows, Microsoft also offered the ability to use Sleep and Hibernate modes instead of just a regular shut down.
In Windows 10, however, Microsoft decided not to include hibernate with the rest of the shut down options under Start > Power by default. The good news is it’s easy to put the option back.

Why hibernate?

 Hibernation is kind of a mix between a traditional shut down and sleep mode primarily designed for laptops. When you tell your PC to hibernate, it saves the current state of your PC—open programs and documents—to your hard disk and then turns off your PC. Then when it’s time to start it up again all your previous work is ready and waiting for you.
Unlike sleep mode, it doesn’t use any power, but it does take longer to start up again.

Setting it up 

To add Hibernate to Start > Power, click on the Cortana/search box in the taskbar and type power options. The first result you see should be a Control Panel setting of the same name. Click on that.

Once the Control Panel opens, select Choose what the power buttons do from the left-hand navigation panel.

Then at the top of the next screen click on the link that says Change settings that are currently unavailable.

Now scroll down to the bottom and under Shutdown settings click the checkbox next to Hibernate. Next, click Save changes and you’re done.

 Go to Start > Power and you should now see Hibernate among all the rest of the shut-down options.