VMware Releases Updates for vCAC

Original release date: December 09, 2014

VMware has released security updates to address a critical vulnerability in vCloud Automation Center (vCAC), which could allow a remote attacker to take control of a vulnerable system.

US-CERT encourages users and administrators to review VMware Security Advisory VMSA-2014-0013 and apply the necessary updates.


This product is provided subject to this Notification and this Privacy & Use policy.


Hacked payment card service transmitted some data in plaintext

Charge Anywhere, a company that routes payment transactions between merchants and payment card processors, said that malicious software planted on its network may have accessed unencrypted sensitive cardholder data for almost five years.

In a statement, the company warned that some of the card data it sends or receives appears in plaintext, allowing attackers to copy it and use it in fraudulent transactions. Details including names, account numbers, expiration dates, and verification codes are known to be exposed for transactions that occurred this year from August 17 through September 24, although it's possible transactions dating back to November 5, 2009 may also have been accessed, the statement said. The disclosure came after company officials hired an unidentified security firm to investigate the breach.

"The investigation revealed that an unauthorized person initially gained access to the network and installed sophisticated malware that was then used to create the ability to capture segments of outbound network traffic," the release stated. "Much of the outbound traffic was encrypted. However, the format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately then gain access to plain text payment card transaction authorization requests."

Read 2 remaining paragraphs | Comments

“Unprecedented” cyberattack no excuse for Sony breach, pros say

The security company investigating the attack against Sony Pictures Entertainment has reportedly penned a letter that seemingly holds the entertainment firm blameless for the breach of its systems—a move that has opened up the investigating firm to criticism by security professionals.

The letter—to SPE’s CEO Michael Lynton from Kevin Mandia, the head of FireEye’s Mandiant, the incident response service the company hired to investigate the attack and restore its network—calls the attack “unprecedented in nature.” Mandia states that the attack would not have been detected by antivirus programs, and the attackers used non-standard strategies to cause damage to the company.

“In fact, the scope of this attack differs from any we have responded to in the past, as its purpose was to both destroy property and release confidential information to the public,” Mandia states in the letter, which was leaked to media outlets. “The bottom line is that this was an unparalleled and well planned crime, carried out by an organized group, for which neither SPE nor other companies could have been fully prepared.”

Read 13 remaining paragraphs | Comments

Spyware Vendors Find New Ways to Deliver Mobile Apps

With mobile devices an essential part of our lives and privacy, we must protect that privacy against a form of mobile “spyware” that is openly sold and distributed and that threatens our privacy by secretly monitoring all of our activities on smartphones.

dnakajim-phonespy-1

In this context, spyware does not refer to Trojan malware that poses as legitimate games and tools while secretly stealing our private information. This type of spyware is usually called spy or monitoring apps to watch over our spouses, kids, or employees. Buyers of this kind of spyware will install it on their subjects’ mobile devices to monitor their activities and location. Most of these products claim that their software will remain undetected by those who are monitored. Yet how can we, or the developers, justify installing spyware without users’ knowledge and monitor all their private activities on smartphones?

dnakajim-phonespy-2

In September, we read reports that a seller of the spyware StealthGenie was indicted in the United States. The seller was criticized for supplying an app that could threaten a victim’s life and could be used, for example, by stalkers and domestic abusers. But similar kinds of spyware are still being distributed in markets and will continue to threaten our privacy.

Most spyware has the following features to remotely monitor and collect data about the target user’s private actions:

  • Recorded phone calls and call logs
  • Sent and received SMS messages
  • Contact information
  • Web browsing history and bookmarks
  • Photograph, video, and other documents
  • Current location
  • Account names for various services, including email addresses

Worse still, for devices that are “rooted” for Android or “jailbroken” for iOS, some spyware claims that they can monitor contacts and conversation data of SMS and messaging apps such as WhatsApp, Facebook, LINE, Skype, Viber, Kik, and so on.

It is rare to find these kinds of spyware apps on official markets for mobile apps. Some apps with similar functionality for antitheft or parental control are offered on official stores, and these can be used as spyware depending on circumstances. But spyware apps whose main use is to invade the target’s privacy are not published on official sites, probably because doing so would violate the official app markets’ policies.

Nonetheless, McAfee Labs has recently confirmed that spyware vendors are cleverly offering their products for Android devices via the official store. These vendors or their affiliates publish many free apps that download the spyware products or lead users to their product websites. Those who want to find spyware can get such products directly from the developers sites, but it seems that spyware vendors are seeking more sales opportunities by using popular app stores.

dnakajim-phonespy-3

Some of these apps simply redirect users to the sales site of the spyware product; others directly download the spyware and prompt users to install and register. In this manner, spyware vendors let users download and install their spyware products from external sites by publishing apparently harmless landing apps on the official store. Spyware installed from external sites are not listed in the My Apps list, so it is less likely that a target user will notice the installation if the initial landing apps were uninstalled by the monitoring person to hide their traces.

dnakajim-phonespy-4

Some of the installed spyware remove their application icons from home screen and app list to not be noticed by the target. And they start monitoring the target’s activities and sending the collected information to a remote server in the background. Other spyware also requires the DeviceAdmin privilege just after launch to make it difficult for victims to uninstall the app even if they notice suspicious behavior.

dnakajim-phonespy-5

Because much spyware is sold outside of the official store, they will not usually be installed unless the user enables installation from unknown sources. And even if these apps are installed, McAfee Mobile Security and other security software will detect them and alert users. However, although these countermeasures are effective when the device user accidentally installs malware, these defenses might not work as expected when another person with access to the device wants to monitor the user secretly and installs the app. The monitoring person could change the device’s security settings and even disable detection by security software.

Thus in addition to the usual defenses against malware, we should also observe the following:

  • Harden the device’s physical security. Never let anybody else use it. Make sure the device is locked with password, etc. to prevent someone else from changing the settings and installing any apps.
  • Carefully check changes made by someone else, no matter the reasons. Check whether any settings are changed or apps are installed. Most spyware hides from the target user by removing their icons from the home screen. Make sure to check the apps list from [Settings] – [Apps], or from apps list displayed by security software such as McAfee Mobile Security.
  • Carefully check the settings and apps on the device if it has been in someone else’s hands. Make sure that default settings are applied and look for any additional apps. It is desirable to factory reset the device and do initial settings yourself. Be careful also when buying a phone from any untrusted used-phone shop; shop staff might install apps for “free.”

There might be cases in which you want to use this kind of spyware as a monitoring tool to really protect someone you care about. First, get his or her consent. And you should be very careful about some points. The careless use of spyware can expose your loved one to danger. The information obtained through spyware must be accessible only to you and/or the monitored person; it is dangerous if you allow the spyware vendor to access the information. If the vendor is malicious, then all the privacy of your loved could be disclosed. Any information collected should be encrypted by a password that only you know, and only you should be able to decrypt it. Otherwise, even a benign spyware vendor could lose information due to a leak or security flaw. Much of the spyware we have seen transfers privacy and account authentication data as plaintext. If the monitored person were to use the phone on an unguarded public LAN with no appropriate security settings, all the private information could be snooped by a malicious observer.

Many of these spyware apps claim that their purpose is to protect spouses and kids, or to prevent employees inappropriate actions. However, if these apps are really intended for that purpose, then it would be reasonable to install them on the targets’ devices with their explicit approval and explain that their activities can be remotely monitored. Installing these apps publicly is a more effective way to prevent any unauthorized actions. Installing spyware secretly only opens the door to privacy invasion and potential cybercrime.

The post Spyware Vendors Find New Ways to Deliver Mobile Apps appeared first on McAfee.