Got an account on a site like Github? Hackers may know your e-mail address

LAS VEGAS—If you have an account on Github, StackExchange, or any one of countless other sites, there's a good chance hackers can identify the e-mail address you used to register it. That's because Gravatar, a behind-the-scenes service that says it works with millions of sites, broadcasts the information using cryptography that in many cases is trivial to crack.

People have been warning about the privacy risk posed by Gravatar, short for Globally recognized avatar, since at least 2009. That's when a blogger showed he was able to crack the cryptographic hashes that the service uses to uniquely identify its users. Gravatar, it turned out, derived the hashes from the user's e-mail address, and the blogger was able to translate about 10 percent of the more than 80,000 user IDs he harvested. Now, a researcher has upped the ante by using a more advanced cracking technique to de-anonymize participants advocating racial hatred and other extreme topics in online forums hosted in France.

Speaking at the PasswordsCon conference in Las Vegas Wednesday, security researcher Dominique Bongard said he identified 45 percent of the e-mail addresses used to post comments he found in France's most well-known political forum, which he declined to mention by name. His job was made easier by Gravatar's use of the MD5 hash function, which is designed to generate hashes quickly and with a minimum of computing resources. Had Gravatar used bcrypt or another "slow" algorithm, his task would have taken considerably longer. In a country such as France, where there can be severe legal penalties for voicing extreme opinions, extracting the e-mail addresses isn't without its consequences.



Trusting iPhones plugged into bogus chargers get a dose of malware

The Mactans charger uses a BeagleBoard for its computational power.
Billy Lau, Yeongjin Jang, and Chengyu Song

Plugging your phone into a charger should be pretty safe to do. It should fill your phone with electricity, not malware. But researchers from Georgia Institute of Technology have produced fake chargers they've named Mactans that do more than just charge your phone: they install custom, malicious applications onto iPhones.

Their bogus chargers—which do, incidentally, charge the phone—contain small computers instead of mere transformers. The iPhone treats these computers just as it does any other computer, but instead of just charging, it responds to USB commands. It turns out that the iPhone is very trusting of USB-attached computers; as long as the iPhone is unlocked (if only for a split second) while attached to a USB host, then the host has considerable control over the iPhone.

The researchers used their USB host to install an app package onto any iPhone that gets plugged in. iOS guards against installation of arbitrary applications with a strict sandboxing system, a feature that has led to the widespread practice of jailbreaking. This attack doesn't need to jailbreak, however.



NSA director addresses Black Hat, says there have been “zero abuses” of data

NSA Director General Keith Alexander.

LAS VEGAS—At the Black Hat security conference today, National Security Agency (NSA) Director Keith Alexander defended the NSA's data collection programs and described at a high level what data is collected and how it's used.

His presentation covered two programs, both revealed by Edward Snowden: telephone metadata collection and a program that collects data relating to foreign nationals from the computer industry, of which PRISM is a component. According to Alexander, the phone metadata collection, authorized under FISA section 215, was both limited and tightly controlled. The NSA collects only the time and date of a call, the phone numbers involved in a call, the duration of a call, and the service provider that captured the information. Notably, he said that names, address information, and location information were not captured. Nor was any conversation data collected, such as the contents of voice calls or text messages.

While this data was collected, Alexander said that access to the information was tightly restricted. Free-for-all queries weren't permitted. Instead, numbers had to be individually approved by one of 22 people at the NSA, and only 35 analysts within the agency were authorized to run queries on those numbers. He said that fewer than 300 numbers were added to the list in 2012.



Japanese One-Click Scammers Abuse Mobile Traffic Exchange Service

McAfee has been monitoring and reporting extensively on one-click-fraud malware for Android in Japan this year. These attacks, primarily on Google Play, have become more active recently. We have found about 400 fraudulent apps in July alone. We consistently report these issues to Google, which promptly revokes the apps, but the scammers never stop uploading the malware.

The scammers host many one-click-fraud websites, and the Android applications trick users into visiting the sites and paying a service fee. In typical cases, the sites ask users to pay for service registration after several clicks. In other cases, users are required to make a phone call to the service for authentication and registration, after which the scammer calls them back or sends SMS messages to their numbers to request payment if the users refuse to pay a service fee.

Today we found an application on Google Play that can lead users to those fraudulent websites in a different way. In this application, a mobile “traffic exchange service” redirects users to a selected website that has been registered as a member of the service. A traffic exchange service allows site owners to secure visitors either by buying traffic or in exchange for leading users to other members’ sites.

The application displays a link button with the fixed URL “http://mobile.p[BLOCKED]” at the top of the screen, and the user is redirected to one of the registered websites by clicking on the link.

This appears to be a harmless application published by a non-Japanese developer and aimed at users worldwide. It is not clear whether this application was developed with malicious intent, but we have confirmed that Japanese users are redirected with a very high probability to one-click-fraud sites hosted by the scammers. This might be because the service is aware of the location or language of visitors, or because the scammers are buying or exchanging a substantial amount of traffic to increase the visit count for their own sites. At the least, this shows that the one-click scammers have registered their fraudulent sites in the traffic exchange service and are abusing the mechanism in the expectation that many mobile users in Japan will visit their sites.

The traffic exchange service itself seems to be legitimate, though it is known that the service is often used to generate free traffic to adult sites. Therefore, we cannot easily detect and block the use of this kind of service in an application as malicious activity. Users should always be careful about the sites they are redirected to and should also know how one-click-fraud scammers deceive their visitors. If you reach such sites accidentally, simply ignore the service registration notice and payment request.

McAfee registers such malicious websites in our URL reputation database immediately so that McAfee Mobile Security can block web access.