Russian hackers use OAuth, fake Google apps to phish users

The Russian hacking group blamed for targeting U.S. and European elections has been breaking into email accounts, not only by tricking victims into giving up passwords, but by stealing access tokens too.


It’s a sneaky hack that’s particularly worrisome, because it can circumvent Google’s 2-step verification, according to security firm Trend Micro.

The group, known as Fancy Bear or Pawn Storm, has been carrying out the attack with its favored tactic of sending out phishing emails, Trend Micro said in a report Tuesday.

The attack works by sending out a fake email, pretending to be from Google, with the title “Your account is in danger.”

An example of a phishing email that Fancy Bear has used. (Image: Trend Micro)

The email claims that Google detected several unexpected sign-in attempts on the recipient’s account. It then suggests the user install a security application called “Google Defender.”

However, the application is actually a ruse. In reality, the hacking group is trying to dupe users into giving up a special access token for their Google account, Trend Micro said.

Victims who fall for the scheme are redirected to an actual Google page, which asks them to authorize the hacking group’s app to view and manage their email. Users who click “allow” hand over what’s known as an OAuth token.

The OAuth protocol never hands over the account password. Instead, it is designed to grant third-party applications access to internet accounts through special tokens, and a token obtained this way is a credential in its own right.

The OAuth protocol may have been designed for convenience, but security experts have warned it can be used for malicious effect. In the case of Fancy Bear, the hacking group has leveraged the protocol to build fake applications that can fool victims into handing over account access, Trend Micro said.

“After abusing the screening process for OAuth approvals, (the group’s) rogue application operates like every other app accepted by the service provider,” the security firm said.

Even Google’s 2-step verification, which is designed to prevent unwarranted account access, can’t stop the hack, according to Trend Micro.

Google’s 2-step verification works by requiring not only a password, but also a special code sent to a user’s smartphone when logging in. Security experts say it’s an effective way to protect your account.

However, the phishing scheme from Fancy Bear manages to sidestep this security measure, by tricking users into granting access through the fake Google security app.

“The target might be familiar with generic phishing emails, but not so much with OAuth abuse tricks,” Trend Micro said in its report. “Chances are significant that even well-educated targets get fooled.”

Google, however, said it takes many steps to protect users from such phishing attacks.

“In addition, Google detects and reviews potential OAuth abuse and takes down thousands of apps for violating our User Data Policy, such as impersonating a Google app,” the company said in a statement.

“Note that a real Google app should be directly accessed from a Google site or installed from the Google Play or Apple App stores,” it added.

According to Trend Micro, victims were targeted with this phishing attack in 2015 and 2016. In addition to Google Defender, Fancy Bear has used other apps under names such as Google Email Protection and Google Scanner. They’ve also gone after Yahoo users with apps called Delivery Service and McAfee Email Protection.

The attack attempts to trick users into handing over access to their email through fake Google third-party applications. (Image: Trend Micro)

“Internet users are urged to never accept OAuth token requests from an unknown party or a service they did not ask for,” Trend Micro said.

Although a password reset can sometimes revoke an OAuth token, it’s best to check what third-party applications are connected to your email account. This can be done by looking at an email account’s security settings, and revoking access where necessary.
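The advice above (check which third-party apps are connected to the account and revoke the ones you did not ask for) can be turned into a repeatable audit. The script below is an added example, not code from Trend Micro, Google or PCWorld. It runs over a constructed inventory of connected apps (field names, scope strings and the brand-owner allow-list are all assumptions, not any provider’s real API) and flags apps whose display name borrows a brand the publisher does not own, or whose unverified publisher holds mail scopes. The same logic generalizes to the Yahoo-targeted app names the article mentions.

```python
import re
from datetime import date

# Constructed sample of one account's "connected apps" list. Field names and the
# scope strings are hypothetical stand-ins for whatever a provider's security
# page or admin API actually returns.
CONNECTED_APPS = [
    {"name": "Google Defender", "publisher": "defender-mail-app.example",
     "publisher_verified": False, "scopes": ["mail.readonly", "mail.modify"],
     "granted": date(2016, 3, 14)},
    {"name": "Google Email Protection", "publisher": "gmail-protect.example",
     "publisher_verified": False, "scopes": ["mail.modify"],
     "granted": date(2016, 5, 2)},
    {"name": "Team Calendar Sync", "publisher": "calendar-sync.example",
     "publisher_verified": True, "scopes": ["calendar.readonly"],
     "granted": date(2015, 9, 1)},
    {"name": "Newsletter Tool", "publisher": "newsletter.example",
     "publisher_verified": True, "scopes": ["mail.readonly"],
     "granted": date(2015, 11, 20)},
    {"name": "Google Drive", "publisher": "google.com",
     "publisher_verified": True, "scopes": ["drive"],
     "granted": date(2014, 1, 10)},
]

# Scopes that let an app read or manage mail: what the fake "security" apps ask for.
MAIL_SCOPES = {"mail.readonly", "mail.modify", "mail.full"}

# Brand words the campaign borrowed, mapped to the domains allowed to use them.
# Constructed allow-list; extend it for the providers your users actually have.
BRAND_OWNERS = {
    "google": {"google.com"},
    "gmail": {"google.com"},
    "yahoo": {"yahoo.com"},
    "mcafee": {"mcafee.com"},
}


def brands_in_name(name):
    """Return the brand words that appear in an app's display name."""
    words = set(re.findall(r"[a-z]+", name.lower()))
    return sorted(words & set(BRAND_OWNERS))


def publisher_owns_brand(publisher, brand):
    """True if the publisher domain is the brand owner's domain or a subdomain of it."""
    host = publisher.lower()
    return any(host == d or host.endswith("." + d) for d in BRAND_OWNERS[brand])


def audit_app(app):
    """Return (severity, reasons) for one connected app, or None if it is unremarkable."""
    reasons = []
    for brand in brands_in_name(app["name"]):
        if not publisher_owns_brand(app["publisher"], brand):
            reasons.append(f"name uses '{brand}' but publisher is {app['publisher']}")
    holds_mail = bool(MAIL_SCOPES & set(app["scopes"]))
    if holds_mail and not app["publisher_verified"]:
        reasons.append("unverified publisher holds mail scopes")
    if reasons:
        return ("high", reasons)
    if holds_mail:
        # Looks legitimate, but a granted token keeps working regardless of
        # 2-step verification, so mail access deserves a periodic look.
        return ("review", ["holds mail scopes; confirm it is still needed"])
    return None


def audit(apps):
    """Map app name -> (severity, reasons) for every app that merits attention."""
    findings = {}
    for app in apps:
        result = audit_app(app)
        if result:
            findings[app["name"]] = result
    return findings


def revocation_list(apps):
    """Names of apps to revoke immediately (the high-severity findings)."""
    return [name for name, (sev, _) in audit(apps).items() if sev == "high"]


if __name__ == "__main__":
    for name, (severity, reasons) in audit(CONNECTED_APPS).items():
        print(f"[{severity}] {name}: " + "; ".join(reasons))
    print("Revoke:", revocation_list(CONNECTED_APPS))
```

On the constructed inventory the two fake “Google” apps come out as high-severity findings to revoke, the newsletter tool is listed for review because it holds mail scopes, and the genuine Google app passes because its publisher domain owns the brand. Revoking a grant is the only reliable fix; as the article notes, a password reset does not always invalidate an OAuth token.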

Fancy Bear is most notorious for its suspected role in hacking the Democratic National Committee last year. However, the group has also been found targeting everything from government ministries, media organizations, along with universities and think tanks, according to Trend Micro.


Tencent adding five data centers to target cloud users outside China

Tencent Holdings opened a data center in Silicon Valley on Tuesday, with four more planned outside China as part of its bid to grow its cloud business outside the country.

The proposed data centers in Frankfurt, Mumbai, Seoul and Moscow are targeted at Chinese companies looking to expand overseas and international companies expanding their businesses in China or other parts of the world, the Chinese internet giant said Tuesday. The centers are expected to go into operation this year.


Rival Alibaba has also set up data centers outside China to expand its cloud business outside the country.

The new investment aims to meet growing demand worldwide for the company’s cloud services from online games and finance, video and other internet-related industries.

Tencent Cloud already operates over a dozen data centers across mainland China. It started its expansion outside the country in 2014 with a data center in Hong Kong, followed by centers in Singapore and Toronto. The company plans to expand both the Hong Kong and Silicon Valley data centers this year.

The company, which owns China’s large social network WeChat, reported in March that its cloud services revenue more than tripled year-on-year in 2016 as both the number of enterprise accounts and usage of existing accounts increased.

Starting from primarily serving game developers through its cloud services, Tencent has made deep inroads into other markets including online gaming, video broadcasting, internet finance, municipal service and enterprise.

The company believes that it has “a unique advantage” in its solid foundation of technologies in areas such as security, payment, big data analytics, photo processing mini programs and artificial intelligence. “Utilizing these technologies, Tencent cloud provides tailored solutions for various customers and industries,” Martin Lau, company president, said during an earnings call last month.

Tencent has also been making a number of strategic investments worldwide, including its acquisition of a 5 percent stake in car maker Tesla and its investment in Supercell, the Finnish developer of the mobile game Clash of Clans.

Huawei and Google supercharge Android with a new Raspberry Pi-like board


Prepare to run Android at blazing fast speeds on a new Raspberry Pi-like computer developed by Huawei.


Huawei’s HiKey 960 computer board is priced at $239 but has some of the latest CPU and GPU technologies. Google, ARM, Huawei, Archermind, and LeMaker all played roles in developing the board.

The HiKey 960 is meant to be a go-to PC for Android or a tool to develop software and drivers for the OS. The board development was backed by Linaro, an organization that develops software packages for the Android OS and ARM architecture.

Linaro CEO George Grey recently said it was sad that Android developers had to write code on x86 chips. He encouraged the organization’s members to build a superfast computer so developers could build ARM software on ARM architecture. Intel has scaled back Android support on x86 PCs and isn’t making smartphone chips.

The HiKey 960 can be used to create robots, drones, and other smart devices. But it’s mainly intended to be an Android PC or a tool for developers who want to write and test applications.

The board can deliver performance similar to the latest smartphone and tablets. It has a Huawei Kirin 960 octa-core chip, which has four high-performance ARM Cortex-A73 and four low-power Cortex-A53 cores. The Kirin 960 is also used in the Huawei Mate 9 smartphone, which started shipping late last year.

The HiKey 960 has 32GB of storage and 3GB of LPDDR4 RAM. The Mali-G71 GPU is capable of delivering 4K graphics and is based on ARM’s latest Bifrost architecture. However, the board only has an HDMI 1.2a port, which limits the display output to 1080p.

Other features include dual-band 802.11 b/g/n/ac Wi-Fi and Bluetooth 4.1. The board has a PCIe m.2 slot to add additional storage or wireless capabilities. It also has 40-pin and 60-pin expansion connectors and multiple high-definition outputs so cameras can be connected to the board.

It will ship in the U.S., European Union, and Japan in early May. It will later ship worldwide.

The board will also support multiple Linux versions in the future.

You can load Android 7.1 on the board, but you will need to be technically savvy and have knowledge of command-line operations. Instructions to load Android 7.1 are on Google’s website.

Webroot deletes Windows files and causes serious problems for users

Users of Webroot’s endpoint security product, consumers and businesses alike, had a nasty surprise Monday when the program started flagging Windows files as malicious.

The reports quickly popped up on Twitter and continued on the Webroot community forum — 14 pages and counting. The company came up with a manual fix to address the issue, but many users still had problems recovering their affected systems.

False positive detections cause headaches for system admins.

The problem is what’s known in the antivirus industry as a “false positive” — a case where a clean file is flagged as malicious and is blocked or deleted. False positive incidents can range in impact from merely annoying — for example, when a program cannot run anymore — to crippling, where the OS itself is affected and no longer boots.

The Webroot incident falls somewhere in the middle because it affected legitimate Windows files and sent them to quarantine. This is somewhat unusual because antivirus firms typically build whitelists of OS files specifically to prevent false positive detections.

“A folder that is a known target for malware was incorrectly classified as bad, and Facebook was classified as a phishing site,” Webroot said in an emailed statement. “The Facebook issue was corrected, and the Webroot team is in the process of creating a comprehensive fix for the false positive issue.”

The incorrect detection lasted for two hours, between 1PM and 3PM Mountain Standard Time in the U.S., and resulted in files being flagged as W32.Trojan.Gen. As suggested by the name, this is a generic detection signature intended to catch Trojan programs.

For now, Webroot has provided a solution on its community forum that involves logging into the Webroot online console and manually creating override rules for all of the erroneously blocked files.

Users then have to either wait for the endpoint client to poll the server and restore the files according to the new rules, which can take up to 24 hours, or manually trigger a forced polling for each client from the command line.

While this solution might work for home users or businesses with a relatively small number of computers, it creates problems for large environments, especially for managed services providers (MSPs).

“This is not a fix when you’re an MSP,” one user wrote on the forum.

“How am I supposed to do this across 3 GSMs [Webroot Global Site Manager deployments] with over 3 thousand client sites? Not good enough,” said another.

One user reported that he resorted to recovering the affected files using Windows’ Shadow Copy feature. Another one said that his MSP company is considering legal action because it might have to compensate its own customers for the downtime.

“We are not able to use recovery because most of the backup server cores are affected also,” he said. “Some of the servers are not yet up and we look like fools.”

Webroot representatives said on the company’s forum that the company is working on a universal solution that will also be suitable for MSPs.

FCC chairman to announce plans to repeal net neutrality

The chairman of the U.S. Federal Communications Commission is expected to announce plans to repeal the agency’s 2015 net neutrality rules on Wednesday.

Chairman Ajit Pai, a Republican, will likely announce a plan to reverse course on the 2-year-old regulations and end the agency’s classification of broadband as a regulated, common-carrier service. In a Wednesday speech, Pai will reportedly announce that he is scheduling a vote for the FCC’s May 18 meeting to begin the process of repealing the rules.

The FCC is moving toward a repeal of its net neutrality rules.

Pai has called the net neutrality rules a mistake that “injected tremendous uncertainty into the broadband market.” President Donald Trump, who appointed Pai as the FCC’s chairman, has also criticized the regulations.

The details of Pai’s plan are unclear, with several sources saying they have not yet seen the proposal. One plan under serious discussion has the broadband industry embracing self-regulation by promising not to block web traffic. Those promises would then be enforced by the Federal Trade Commission, not the FCC, similar to how the FTC now enforces privacy promises made by other companies.


Under FTC-style enforcement, the FCC or the FTC would not set any industrywide net neutrality rules, instead depending on broadband providers’ pledges to avoid blocking or slowing web traffic. A broadband provider could potentially decide to change its net neutrality policy after notifying customers.

Under the FTC, the agency would bring an enforcement action only after finding a broadband provider violated its net neutrality promises.

The FCC’s 2015 net neutrality, or open internet, rules reclassified broadband as a regulated, telecom-like service — as opposed to a lightly regulated communications service — as the foundation for regulations that prohibited broadband providers from selectively blocking or slowing web traffic and services.

The FCC received about 4 million public comments in the rulemaking proceeding leading up to its 2015 regulations, with the large majority of people supporting strong net neutrality rules.

Broadband providers and Republican lawmakers have opposed the rules, saying the reclassification adds unnecessary regulation that deters deployment and other investment in their networks.

There’s little evidence that the rules have hurt investment, however. Broadband providers spent US$76 billion to upgrade their networks in 2015, the second highest total since 2001, according to USTelecom, a broadband trade group.

Net neutrality supporters say a repeal of the rules will give broadband providers more control over what websites customers visit and what web services they use. Broadband providers could slow traffic to services that compete with products they own or partner with, or they could charge websites for fast-lane access to customers, supporters fear.

Pai “is determined to give control of the internet to companies like Comcast, AT&T, and Verizon, no matter the cost to our economy and democracy,” Free Press CEO and President Craig Aaron said in a statement. “He’s continuing to ignore the mountains of evidence showing that the agency’s net neutrality rules are protecting internet users while spurring on investment and innovation.”

How to delete and disable location history in the Windows 10 Creators Update

Your devices scoop up all kinds of information about you to provide helpful services and deliver supposedly targeted advertising. Since the debut of Windows 10 this trend has also landed in full force on the PC. But what if you don’t want to participate in this cloud-based madness? A good start is to restrict your location information in Windows 10.

Here’s how to turn off location services in Windows 10 and delete your location history.


Some Windows Store apps in Windows 10 require your location to work correctly, while others would like it in order to tailor your experience. Before you turn off location services keep in mind that any location-specific services or apps will no longer be available to you.

If that’s okay with you, open the Settings app by clicking the Windows Start button and then selecting the cog icon in the lower left corner. In the Settings app go to Privacy > Location and turn off the slider labeled Location service.


If restricting your location data systemwide is too extreme, Windows 10 lets you do it on a per-app basis. The feature only works for apps built with the Windows Store platform.

Scroll down in Settings > Privacy > Location, and toward the bottom of the screen is the heading Choose apps that can use your precise location. This is followed by a list of apps that want to use your location, each with a corresponding on/off slider. The only one you can’t change is Cortana, because the personal digital assistant requires your location to work. Other than that, you can restrict access to your location on a per-app basis.


Next, it’s time to delete location history. You can do this regardless of whether you’ve turned off location services for your device. In Settings > Privacy > Location, scroll down to the sub-heading Location history. Click the Clear button in that section to erase your location history on your PC or tablet. Once the history has been cleared, a checkmark appears next to the Clear button.

That was easy enough, but we’re not done yet. Your location history is also stored on Microsoft’s servers. Below the Clear button, click the link labeled Manage my location info that’s stored in the cloud.

That will take you to the location section of your Microsoft Account’s privacy settings. On the right-hand side of this page look for the section called Clear location activity.

Under that heading is a button with the same title. Click Clear location activity and a pop-up appears asking you to confirm your choice, because you cannot undo this action. Click Clear and you’re done. If you want to be extra-sure, refresh the web page and you’ll see that the map it displays no longer shows any location data.

That’s all there is to clearing your location activity in the Creators Update. If you don’t want your location used at all, you should restrict your browser from asking for your location as well.

Cars will get superior digital vision with ARM’s camera chip

Cars are turning into computers with a unique set of requirements.

One of the more important components is a camera, which is a secondary feature in PCs. Cameras are aiding mirrors in allowing cars to self park, and they will serve as the eyes for autonomous cars, helping capture and analyze images.

The number of cameras on cars will only grow as drivers seek a better view of the vehicle’s interiors and exteriors. For car makers, the next big goal is to bring context and understanding to those images. Combined with data from radar, lidar, GPS, and other sensors, cameras can help cars and drivers make better decisions.


ARM has come up with a specialized camera chip for cars, with the goal of bringing context to images and improving driver and passenger safety. The Mali-C71 image signal processor will analyze every pixel from cameras onboard a car, and much like a human eye, read the image, and help make driving decisions.

For example, today’s cars are not good at identifying a person in view of the rear cameras when they are parking themselves. ARM’s chip will be able to identify a person and stop the car. That’s just the start — the chip will help identify people crossing the street as well as traffic signals and driving lanes in different lighting conditions.

The chip could also identify weather conditions, possibly with the help of information from GPS. That could help navigate safely through rough road conditions. A camera inside a car could also identify a drowsy driver and issue an alert.

A similar function could be performed by GPUs from companies like Nvidia that are targeting autonomous vehicles. But the ARM-based chips will be more power efficient, while GPUs are considered useful for more futuristic self-driving cars and may draw more power. Today’s cars don’t need full-blown GPUs for tasks like self parking.

The number of cameras in each car could exceed 10 in the coming years, and the reliance on them will only increase as cars go increasingly autonomous. The Mali-C71 supports up to four cameras in real-time. A car could have multiple Mali-C71s, and vehicles with the cameras installed could start appearing as early as next year.

The Mali-C71 is aimed at cars with drivers at the wheel, though it has features that could be used in autonomous cars. It can support images in a 4096 x 4096-pixel range.

Image signal processors aren’t new and exist on mobile chips even today. But the Mali-C71 is different because of multiple reliability features to ensure pixels are reliably tagged and to ensure there are no data errors. A small error could mean an accident.

The chip includes the features, image quality, and safety elements to be appropriately used in systems including simple backup cameras, multi-camera parking-assist systems, and even fully autonomous vehicles, an ARM spokeswoman said.

It can be used with ARM or other architectures, the spokeswoman said. Chips based on the ARM, x86, Power, and MIPS architectures are all vying for a spot in cars. So are specialized ASICs, real-time chips and FPGAs (field programmable gate arrays).

ONUG gets closer to making SD-WANs talk to each other

A group of networking engineers and vendors is making progress toward an API that would help enterprises merge SD-WANs from different vendors.


The Open SD-WAN Exchange (OSE) initiative was launched last year by the Open Networking User Group (ONUG) to solve a shortcoming of software-defined wide-area networks: They often can’t talk to each other. On Tuesday at the ONUG Spring 2017 conference in San Francisco, OSE will make public the work it’s done so far.

SD-WANs control links to branch offices and remote sites with software, which ultimately should eliminate proprietary hardware and dedicated routing schemes. They also allow companies to use regular broadband connections instead of more expensive MPLS (Multiprotocol Label Switching) services.

But most SD-WANs built with different vendors’ products can’t communicate with each other, said Snehal Patel, a member of ONUG’s board and a network architect at the retail company Gap.

That could be a problem after a merger or acquisition between two companies with separate SD-WANs. A lot of the agility and labor savings won through SD-WAN will be lost if the IT department has to go back to traditional networking to connect the two systems.

ONUG, a group of enterprise IT leaders advocating for technologies that better meet users’ needs, has been working on this issue for several years and launched the initiative to solve it at the ONUG Spring 2016 conference. IT executives from companies such as Gap, Bank of America, BNY Mellon and FedEx are working with vendors including Cisco Systems and Huawei Technologies.

SD-WANs can interpret and carry out policies for things like when a branch-office connection should switch from the internet to a private link to maintain performance. They’re based on industry standards, but vendors interpret those standards differently, so their network controllers can’t communicate policies and commands, Patel said.

Those controllers may someday talk directly to each other. But for now, OSE wants vendors to build a policy orchestration layer that can talk to all of them.

Developing the API is one part of this effort. It will define things like whether there needs to be a persistent connection between the controllers and the orchestrator and what happens if a controller loses contact with the orchestrator.

The group has already finished most of its work, according to OSE Co-Chair Steve Wood, a principal engineer at Cisco. It’s defined the requirements for the API, the architecture it will use, and other elements. OSE plans to publish the technical specifications during the summer for review by ONUG members, who include networking experts from hundreds of enterprises.

At last year’s spring conference, ONUG also launched three other initiatives, which have had different trajectories.

The Open Traffic Management Format group pushed for a way to bring together management data from different physical and virtual network devices so it could be analyzed together. This could help determine the effects of system failures. Another project, the Open Network State Format, would be for data about the current state of network devices, so big-data techniques could be used for better real-time management. Those two efforts have been merged into a Monitoring and Analytics initiative.

The other project, for an Open Interoperable Control Plane, didn’t fare so well. The OICP would work within data centers, connecting different parts of the infrastructure that are built on different architectures, such as OpenStack and VMware vCenter. Vendors and users met at workshops last year, but the effort is now on hold, according to Nick Lippis, co-founder and co-chairman of ONUG. He blamed stiff competition among vendors.

“On that one, we pushed the pause button, because the vendors don’t want to play with each other,” Lippis said.

HipChat resets user passwords after possible breach

HipChat has reset all its users’ passwords after what it called a security incident that may have exposed their names, email addresses and hashed password information.

In some cases, attackers may have accessed messages and content in chat rooms, HipChat said in a Monday blog post. But this happened in no more than 0.05 percent of the cases, each of which involved a domain URL, such as company.hipchat.com.


HipChat didn’t say how many users may have been affected by the incident. The passwords that may have been exposed would also be difficult to crack, the company said. The data is hashed, or obscured, with the bcrypt algorithm, which transforms the passwords into a set of random-looking characters. For added security, HipChat “salted” each password with a random value before hashing it.
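To make concrete why a salted, slow hash is harder to crack than a plain hash, here is an added example that is not HipChat’s or Atlassian’s code. It uses the standard library’s `hashlib.pbkdf2_hmac` as a stand-in for bcrypt (bcrypt is not in Python’s standard library); the storage pattern is the one the article describes: a fresh random salt per password, a deliberately slow derivation, and the salt stored beside the digest so the password can still be verified. The iteration count and record format are this example’s own choices.

```python
import hashlib
import hmac
import os

# Work factor for the stand-in KDF. bcrypt uses a cost parameter in the same
# spirit: high enough to make each guess expensive for an attacker.
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$digest_hex'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Re-derive with the salt kept in the record and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def unsalted_sha256(password):
    """The weak alternative: one fast, unsalted digest per password."""
    return hashlib.sha256(password.encode()).hexdigest()


def duplicate_passwords_visible(records):
    """True if two stored records are identical, i.e. an attacker holding the
    table can see that two users share a password without cracking anything."""
    return len(set(records)) < len(records)


def salts_differ(password):
    """Hashing the same password twice gives different records, yet both verify:
    a leaked table cannot be attacked with one precomputed dictionary."""
    a, b = hash_password(password), hash_password(password)
    return a != b and verify_password(password, a) and verify_password(password, b)


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    shared = "hunter2"
    print("unsalted, duplicates visible:",
          duplicate_passwords_visible([unsalted_sha256(shared)] * 2))
    print("salted, duplicates visible:",
          duplicate_passwords_visible([hash_password(shared), hash_password(shared)]))
    print("same password, different salts, both verify:", salts_differ(shared))
```

With unsalted hashing, two users with the same password produce identical records and one cracked entry (or a precomputed table) unmasks both; with a per-password salt the records differ and every guess has to be re-derived per user at the full work factor.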

HipChat warned that chat room data including the room name and topic may have also been exposed. But no financial or credit information was taken, the company said.

HipChat is a popular messaging service used among enterprises, and an attack that exposed sensitive work-related chats could cause significant harm.

The service, which is owned by Atlassian, said it detected the security incident last weekend. It affected a server in the HipChat Cloud and was caused by a vulnerability in an unnamed, but popular, third-party library that HipChat.com used, the company said.

No other Atlassian systems were affected, the company said. “We are confident we have isolated the affected systems and closed any unauthorized access,” HipChat said in its blog post.

This is not the first time the messaging service has faced problems keeping accounts secure. In 2015, HipChat reset user passwords after detecting and blocking suspicious activity in which account information was stolen from less than 2 percent of its users.

When breaches occur, security experts advise users to change their passwords for any accounts where they used the same login information. Users can consider using a password manager to help them store complex, tough-to-memorize passwords.

HipChat has already sent an email to affected users, informing them of the password reset.

In 2015, rival chat application Slack reported its own breach, and as a result rolled out two-factor authentication to beef up its account security. HipChat does not offer two-factor authentication.

Oracle plans ‘startup organization’ focused on cloud computing, AI and VR

Oracle is hiring people for a “new startup organization” inside its North America operation that will focus on key technology trends, including cloud computing, internet of things, artificial intelligence, and augmented and virtual reality.

Oracle headquarters

The Solution Engineering organization the company is setting up will consist of Solution Engineering Centers in Reston, Virginia and Denver, Colorado.

The database and enterprise software company has previously indicated its interest in investing in some of these technology areas like machine learning and analytics.

It announced in September last year that it was investing in intelligent cloud applications, called Adaptive Intelligent Applications, “that automatically offer individualized recommended actions and streamline the tasks of business users such as human resource or finance professionals.”

Oracle also announced at OpenWorld last year tools for creating intelligent chatbots that integrate with its software.

Among the jobs listed for the new organization are the positions of director of the Denver and Reston units, who will each be responsible for managing an entire Solution Engineering Center, described as a “physical hub of solution engineers.” The company is also hiring solution engineers for the centers.

Oracle did not immediately comment on the posts and on how the new organization would operate as a startup. The new unit appears to be closely linked to the company’s immediate business goals with the director, for example, “measured on key metrics around revenue, pipeline, new innovations, talent development and customer success.”

Oracle is asking for hands-on experience in third-party cloud computing platforms like Amazon Web Services, Microsoft Azure and Salesforce from applicants for the position of solution engineers at the centers.

“The mission of the organization and these two centers is to build and engineer cutting-edge solutions for our customers around cloud computing, big data analytics, mobile computing, internet of things, cybersecurity,” according to the job listings, first spotted by Bloomberg.

“Additional trends we are considering investing in are Artificial Intelligence, Augmented and Virtual Reality and many other exciting technology trends that interest us all. Our mission is simple, we build new and innovative technology solutions for real world problems that our customers face,” according to the posts, which did not provide details of how AR and VR would be used by Oracle in its products and services.