Meet PINLogger, the drive-by exploit that steals smartphone PINs

Enlarge (credit: Harrison Weber)
Smartphones know an awful lot about us. They know if we’re in a car that’s speeding, and they know when we’re walking, running, or riding in a bus. They know how many calls we make and receive each day and the precis…

Enlarge (credit: Harrison Weber)

Smartphones know an awful lot about us. They know if we're in a car that's speeding, and they know when we're walking, running, or riding in a bus. They know how many calls we make and receive each day and the precise starting and ending time of each one. And of course, they know the personal identification numbers we use to unlock the devices or to log in to sites that are protected by two-factor authentication. Now, researchers have devised an attack that makes it possible for sneaky websites to surreptitiously collect much of that data, often with surprising accuracy.

The demonstrated keylogging attacks are most useful at guessing digits in four-digit PINs, with a 74-percent accuracy the first time it's entered and a 94-percent chance of success on the third try. The same technique could be used to infer other input, including the lock patterns many Android users rely on to lock their phones, although the accuracy rates would probably be different. The attacks require only that a user open a malicious webpage and enter the characters before closing it. The attack doesn't require the installation of any malicious apps.

Malicious webpages—or depending on the browser, legitimate sites serving malicious ads or malicious content through HTML-based iframe tags—can mount the attack by using standard JavaScript code that accesses motion and orientation sensors built into virtually all iOS and Android devices. To demonstrate how the attack would work, researchers from Newcastle University in the UK wrote attack code dubbed PINLogger.js. Without any warning or outward sign of what was happening, the JavaScript was able to accurately infer characters being entered into the devices.

Read 12 remaining paragraphs | Comments

ComputerCOP: the dubious “Internet Safety Software” given to US families

245 police agencies in 35-plus states distribute a security program that’s not so secure.

This post originally appeared on the Electronic Frontier Foundation's website. The author, Dave Maass, is a media relations coordinator and investigative researcher for EFF.

For years, local law enforcement agencies around the country have told parents that installing ComputerCOP software is the “first step” in protecting their children online.

Police chiefs, sheriffs, and district attorneys have handed out hundreds of thousands of copies of the disc to parents for free at schools, libraries, and community events, usually as a part of an “Internet Safety” outreach initiative. (You can see the long list of ComputerCOP outlets here.) The packaging typically features the agency’s official seal and the chief’s portrait, with a signed message warning of the “dark and dangerous off-ramps” of the Internet.

Read 45 remaining paragraphs | Comments

New iOS flaw makes devices susceptible to covert keylogging, researchers say

Proof-of-concept app in Apple’s App Store sent keystrokes to remote server.

Researchers said they have identified a flaw in Apple's iOS that makes it possible for attackers to surreptitiously log every touch a user makes, including characters typed into the keyboard, TouchID presses, and adjustments to the volume control.

The vulnerability affects even non-jailbroken iPhones and iPads running iOS versions 7.0.4, 7.0.5, and 7.0.6, as well as those running on 6.1.x, researchers from security firm FireEye wrote in a blog post published Monday night. They said attackers could carry out the covert monitoring using an app that bypasses Apple's stringent app review process. The app uses multitasking capabilities built into iOS to capture user inputs. The blog post explained:

We have created a proof-of-concept "monitoring" app on non-jailbroken iOS 7.0.x devices. This “monitoring” app can record all the user touch/press events in the background, including touches on the screen, home button press, volume button press and TouchID press, and then this app can send all user events to any remote server, as shown in Fig.1. Potential attackers can use such information to reconstruct every character the victim inputs.

Note that the demo exploits the latest 7.0.4 version of iOS system on a non-jailbroken iPhone 5s device successfully. We have verified that the same vulnerability also exists in iOS versions 7.0.5, 7.0.6 and 6.1.x. Based on the findings, potential attackers can either use phishing to mislead the victim to install a malicious/vulnerable app or exploit another remote vulnerability of some app, and then conduct background monitoring.

iOS apps can surreptitiously record all user touch/press events in the background and send them to a remote server. Attackers can use such information to reconstruct every character the victim inputs.
FireEye

Shortly before the blog post went live, FireEye published a separate brief that was quickly removed. According to an RSS reader cache that preserved the earlier post, part of it said: "FireEye successfully delivered a proof-of-concept monitoring app through the App Store that records user activity and sends it to a remote server. We have been collaborating with Apple on this issue."

Read 4 remaining paragraphs | Comments

John McAfee says he infected laptops with malware, spied and stole passwords from Belize officials

John McAfee claims he gave Belize officials cheap laptops that had been deliberately pre-infected with keylogging spyware, and ran a team of 23 women to seduce and spy on his intended targets.

John McAfee claims he gave Belize officials cheap laptops that had been deliberately pre-infected with keylogging spyware, and ran a team of 23 women to seduce and spy on his intended targets.