Sunday, 21 February 2016

How secure is VOIP communication and how can you make it safer?

VOIP (voice over internet protocol) is a phone service that runs over the internet. It has opened up many more opportunities for communication around the world, because you can talk to people wherever they are as long as they have an internet connection.
It is, admittedly, blocked by the authorities in some places (because it competes with the traditional and expensive communication methods that earn them good money), but there are easy ways to unblock it and enjoy its benefits. For example, the technology is blocked in most parts of the Middle East, yet you can easily unblock VOIP there. In short, VOIP blockage is not something to worry about at all.

Moving on: as a reminder, all VOIP needs is an active internet connection to let you talk to people around the globe. This makes VOIP affordable and possibly the better deal for people who need to call far-away places like Thailand, but there are some concerns to address before writing traditional phone calls off completely. One of those is safety, and the idea that you are exposed to a range of risks that you wouldn't face with a landline.
Among these risks are spam, loss of privacy, voice phishing and network attacks, all of which put you in danger of losing sensitive personal information. While it is true that VOIP communication can be targeted by scammers, the same can be said of landlines and smartphones. If there are people out there with the right equipment and knowledge, they will be able to target you regardless of your method of communication.
Fortunately, there are steps you can take to negate most of these risks. They include raising the level of security on your equipment and adding safety features that improve standards.
By using WPA, WPA2 or IEEE 802.11i, you will be enjoying the most secure service and making it very tough for anyone who wants to gain access to your personal information. These security standards come with built-in encryption and authentication features that secure the wireless link between your device and your access point, protecting your privacy from unauthorised individuals who want to access your network.
You can also pick up firewall software that has been designed especially for VOIP systems. It monitors your connection for any sign that someone is trying to break in.
Not only that, it will also detect calls or calling patterns that seem unusual, and you will be alerted if there is any strange activity so that you can take the steps you need to stay protected. If there really are people trying to break in, a firewall gives you the protection you need.
At the end of the day, there is no such thing as a completely secure phone call, whether you are using VOIP, a mobile or even a landline. If there are people who want to gain access to your connection, there are ways they will do it no matter what device you are on.
However, as you can see, there are several different methods for keeping your privacy as safe and secure as you can, giving scammers the hardest possible time if they want to get hold of your details.
With VOIP and a high level of security you can really reap the benefits of the technology, combining reliability and simplicity with the fact that it is so cost effective compared to traditional calls.

Thursday, 11 February 2016

CISCO ASA Firewalls potentially vulnerable to attacks

It's a bad period for IT manufacturers: the security community has recently discovered serious and anomalous vulnerabilities affecting popular products such as Juniper equipment and Fortinet FortiOS firewalls.

Now it is Cisco's turn, with the Cisco ASA firewall product line, a family of devices sold as appliances, blades or even virtual systems.
The Cisco ASA Adaptive Security Appliance is an IP router that acts as an application-aware firewall, network antivirus, intrusion prevention system, and virtual private network (VPN) server.
The most pressing aspect is that Cisco says there are over a million of these deployed.
Security experts David Barksdale, Jordan Gruskovnjak, and Alex Wheeler of Exodus Intelligence have discovered a critical buffer overflow vulnerability (CVE-2016-1287) that received a CVSS (Common Vulnerability Scoring System) score of 10.
“The algorithm for re-assembling IKE payloads fragmented with the Cisco fragmentation protocol contains a bounds-checking flaw that allows a heap buffer to be overflowed with attacker-controlled data. A sequence of payloads with carefully chosen parameters causes a buffer of insufficient size to be allocated in the heap which is then overflowed when fragment payloads are copied into the buffer. Attackers can use this vulnerability to execute arbitrary code on affected devices.” is the summary published by Exodus Intel.
It is quite easy for an attacker to exploit the vulnerability in Cisco ASA by sending crafted UDP packets to the vulnerable system. An exploit could allow the attacker to obtain full control of the system.
The impact is serious considering that over a million Cisco ASA firewalls have already been deployed worldwide.
“A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.” states the Advisory published by CISCO.
“The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted UDP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system.”

The Cisco ASA Software running on the following products may be affected by this vulnerability:
  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco ASA 5500-X Series Next-Generation Firewalls
  • Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Cisco ASA 1000V Cloud Firewall
  • Cisco Adaptive Security Virtual Appliance (ASAv)
  • Cisco Firepower 9300 ASA Security Module
  • Cisco ISA 3000 Industrial Security Appliance
If you have one of them, patch it as soon as possible.
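To show the class of bug the Exodus summary describes (a reassembly buffer sized from one fragment and then overflowed by later fragments), here is an added example of a fragment reassembler with the bounds checks in place. It is illustration code written for this post, not Cisco's code, and the fragment record is a constructed format, not the IKE fragmentation protocol.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed fragment record for this illustration only; not Cisco's IKE
 * fragmentation wire format. */
struct frag {
    uint16_t total_len;  /* size of the whole message claimed by the sender */
    uint16_t offset;     /* position of this piece in the reassembled message */
    uint16_t len;        /* payload bytes in this piece */
    const uint8_t *data;
};

/* Reassemble n fragments into a buffer sized from frags[0].total_len.
 * Returns the buffer (caller frees) and sets *out_len, or NULL if the
 * fragments are inconsistent. Each copy is checked against the size that
 * was actually allocated, which is the check the quoted summary describes
 * as missing: without it a later fragment can overrun the heap buffer. */
uint8_t *reassemble(const struct frag *frags, size_t n, size_t *out_len)
{
    if (n == 0 || frags[0].total_len == 0)
        return NULL;
    size_t total = frags[0].total_len;
    uint8_t *buf = calloc(total, 1);
    uint8_t *seen = calloc(total, 1);      /* one flag per byte written */
    if (!buf || !seen) goto fail;
    for (size_t i = 0; i < n; i++) {
        const struct frag *f = &frags[i];
        if (f->total_len != total) goto fail;             /* total fixed by first piece */
        if ((size_t)f->offset + f->len > total) goto fail; /* must fit the allocation */
        for (size_t k = 0; k < f->len; k++)               /* no overlapping pieces */
            if (seen[f->offset + k]++)
                goto fail;
        memcpy(buf + f->offset, f->data, f->len);
    }
    if (memchr(seen, 0, total) != NULL) goto fail;        /* no holes left unfilled */
    free(seen);
    *out_len = total;
    return buf;
fail:
    free(seen);
    free(buf);
    return NULL;
}

int main(void)
{
    const uint8_t a[] = "HELLO", b[] = "WORLD";
    struct frag good[] = { {10, 5, 5, b}, {10, 0, 5, a} };   /* out of order is fine */
    struct frag bad[]  = { {8, 0, 5, a}, {8, 5, 5, b} };     /* 5 + 5 > 8: rejected */
    size_t len = 0;
    uint8_t *msg = reassemble(good, 2, &len);
    printf("good: %s\n", msg ? "reassembled" : "rejected");
    printf("bad:  %s\n", reassemble(bad, 2, &len) ? "reassembled" : "rejected");
    free(msg);
    return 0;
}
```

The size_t arithmetic matters: with 16-bit fields, an offset-plus-length sum computed in the field's own width can wrap and pass a naive comparison.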

Saturday, 6 February 2016

Hundreds of compromised WordPress sites serve TeslaCrypt ransomware

Administrators running websites based on the popular WordPress CMS should be aware of a spike in hacks that result in the silent delivery of ransomware to visitors.
According to experts at Heimdal Security, threat actors hacked WordPress-based sites to redirect victims to other domains hosting the Nuclear Exploit Kit.

People who visit the compromised WordPress sites using out-of-date versions of popular software, including Flash Player, Adobe Reader and Internet Explorer, can be infected with the TeslaCrypt ransomware. The experts at Heimdal found that the attackers behind the current WordPress compromises were exploiting an unidentified vulnerability to plant obfuscated JavaScript. The code redirects victims to the domain chrenovuihren, which serves an online ad that forces traffic to the site hosting Nuclear.

“Our team warns that a disproportionate amount of websites that employ the WordPress platform have been compromised by cyber criminals. Hundreds of WordPress websites spreading malware. The attackers fed obfuscated Javascript code to these websites. The users who end up on the hacked websites are redirected on a domain called “chrenovuihren” via multiple servers.” states a blog post published by Heimdal Security.

It isn't the first time the Nuclear Exploit Kit has been used to drop ransomware: in November the kit was used for the first time to serve CryptoWall 4.0, and in the past criminal groups used it to serve instances of CryptoWall 3.0.
The Heimdal Security researchers identified three IP addresses of Nuclear EK gateways:
159.203.24[.]40
164.132.80[.]71
162.243.77[.]214

The campaign relies on a number of domains to spread the malware, all of them subdomains of chrenovuihren.
“The campaign makes use of several domains to deliver the malicious code, which is why active servers can quickly change depending on which IP as DNS lookup they use,” continues the post.
“We have already blocked more than 85 domains that are being actively used in this campaign, and the list will most likely increase.”
The bad news is the low detection rate for this threat: just 2 of 66 antivirus solutions on VirusTotal are able to detect the malicious agent.
This latest campaign based on compromised WordPress websites comes a few days after another massive hacking campaign was identified by experts at Sucuri; the researchers at Heimdal speculate that the same threat actors are behind both campaigns.
Owners of WordPress-based websites must protect their servers, and let me share with you, once again, the following key recommendations for protecting yourself against ransomware:
  • Keep software and your operating system updated at all times
  • Backup your data, do it often and in multiple locations
  • Use a security tool that can filter your web traffic and protect you against ransomware, which traditional antivirus cannot detect or block.

Globalisation helps cyber crooks

Globalisation is giving cyber criminals an opportunity to launch attacks in vulnerable African countries as a springboard to international targets, says a security company.
According to Check Point, Namibia moved from second place to the most targeted country by cyber crooks in December.

Friday, 5 February 2016

Antivirus firm Malwarebytes is spending a significant effort to fix serious vulnerabilities in its defense solution

The antivirus firm Malwarebytes is spending significant effort to fix serious vulnerabilities in its defense solution that were reported by experts at Google's Project Zero team. The Project Zero researchers found that updates for Malwarebytes Anti-Malware were neither digitally signed nor downloaded over a secure HTTPS connection, exposing users to man-in-the-middle attacks: an attacker in that position could tamper with the updates and thereby compromise the antivirus software itself. Google Project Zero reported the vulnerabilities to Malwarebytes in November and waited 90 days before publicly disclosing them.
Malwarebytes was not able to solve the problem within the 90-day period, so the researcher Tavis Ormandy published the details of the security issue. “Malwarebytes fetches their signature updates over HTTP, permitting a man-in-the-middle attack,” he explained in a blog post.

“Therefore, this scheme is not sufficient to prevent tampering, and the developer should sign them. There are numerous simple ways to turn this into code execution, such as specifying a target file in the network configuration, writing a new TXTREPLACE rule to modify configuration files, or modifying a registry key with a REPLACE rule.”

The chief executive of Malwarebytes, Marcin Kleczynski, admitted the difficulty of solving the problem, announcing that several more weeks would be needed to fix it. “In early November, a well-known and respected security researcher by the name of Tavis Ormandy alerted us to several security vulnerabilities in the consumer version of Malwarebytes Anti-Malware. Within days, we were able to fix several of the vulnerabilities server-side and are now internally testing a new version (2.2.1) to release in the next 3-4 weeks to patch the additional client-side vulnerabilities.

At this time, we are still triaging based on severity.” he said in a blog post. “The research seems to indicate that an attacker could use some of the processes described to insert their own code onto a targeted machine. Based on the findings, we believe that this could only be done by targeting one machine at a time.”

Kleczynski took the opportunity to launch the Malwarebytes Bug Bounty program, which will help the company discover flaws in its software earlier and “encourage other security researchers to responsibly disclose vulnerabilities in Malwarebytes software.”
“I’d also like to take this opportunity to apologise. While these things happen, they shouldn’t happen to our users.”

Tuesday, 2 February 2016

Dozens of games infected with Xiny available on Google Play

Bad news for Android users: according to the security firm Doctor Web, dozens of game apps in the Google Play Store have been infected with the Android.Xiny.19.origin Trojan. The malware allows attackers to control the victim's mobile device by installing and running any kind of software (apk files), and it can also display annoying advertisements.

“However, the main threat of Android.Xiny.19.origin lies in its capability to download and dynamically run arbitrary apk files upon cybercriminals’ command. However, the way it is carried out is rather unique.” states a blog post published by Doctor Web.

The malware collects information from the infected device and sends it back to the command and control server; it gathers the IMEI identifier, the MAC address, the version and language of the operating system and the mobile network operator's name.

Experts at Doctor Web discovered more than 60 games infected with Android.Xiny distributed through the official Google Play Store. The malicious apps were apparently published by more than 30 different developers using various names, including Conexagon Studio, Fun Color Games and BILLAPPS.

“At first glance, these affected games look similar to numerous such-like applications; and they are games indeed, with just one difference—while a user is playing a game, the Trojan is performing its malicious activity.” states Doctor Web.

Another interesting feature implemented by the authors of Android.Xiny is that the malware hides malicious code in specially crafted images using steganography. Android.Xiny receives such images from the server and then extracts the apk they contain.
The Android.Xiny malware is able to perform many other malicious operations without the user's consent. The researchers noticed that although it is not yet able to gain root privileges on its own, it can download the appropriate exploit in order to gain root access to the device.

“Android.Xiny.19.origin can perform other malicious functions, such as to download and prompt a user to install different software, or to install and delete applications without the user’s knowledge if root access is available on the device.” continues the post.
“It can download a set of exploits from the server in order to gain root access to the device for covert installation or deletion of applications.”

Doctor Web has already reported the discovery to Google.
Unfortunately, a malware author choosing Google Play to distribute malware is nothing new: in January the firm Lookout discovered 13 Android apps infected with the Brain Test malware available for download on the official Google Play store.

Department of Homeland Security 6 billion U.S. Dollar firewall not so effective against hackers

The National Cybersecurity Protection System (NCPS), also known as EINSTEIN, is a firewall run by the Department of Homeland Security. Its goal: to detect and prevent nation-state hacks against U.S. government functions.
However, according to a sanitized version of a secret federal audit, EINSTEIN does an ineffective job. The audit was described in a ‘for official use only’ Government Accountability Office report, whose sanitized public version was released on Thursday 28 January 2016.
In November 2015 the U.S. Senate Homeland Security and Governmental Affairs Committee suggested the then-confidential audit of EINSTEIN would prove that the hacker surveillance system is not governmentwide.

The newly released audit strengthens that view and points out other misaligned objectives and technologies in the 6 billion U.S. Dollar EINSTEIN project (a figure not acknowledged by DHS).
Gregory C. Wilshusen, GAO director of information security issues, and Nabajyoti Barkakati, director of the GAO Center for Technology and Engineering, said in the report:
“Until NCPS’ intended capabilities are more fully developed, DHS will be hampered in its abilities to provide effective cybersecurity-related support to federal agencies,”
The prevention feature of the system is only deployed at 5 of the 23 major nondefense agencies.
The departments involved in the audit were the Departments of Energy and Veterans Affairs, the General Services Administration, the National Science Foundation and the Nuclear Regulatory Commission. The audit report presents the following findings.
EINSTEIN does Not Cover Nation-State ‘Advanced Persistent Threats’
“The overall intent of the system was to protect against nation-state level threat actors,”
EINSTEIN did not protect against nation-state ‘Advanced Persistent Threats’ (APT) by foreign adversaries.
“EINSTEIN did not possess intrusion detection signatures that fully addressed all the advanced persistent threats we reviewed,”
In reaction to this DHS officials said EINSTEIN is only one technology of many that each department uses to protect its sensitive data. Every agency should keep its own IT and data safe, while DHS should provide the baseline protections and the big-picture perspective of security controls governmentwide.
EINSTEIN doesn’t Know Common Security Vulnerabilities
EINSTEIN works by sending out signatures of known attack patterns to 228 intrusion-detection sensors placed throughout the dot-gov network. These sensors analyze patterns in agency traffic flows to see if there is a match with any of the signatures.
“However, the signatures supporting NCPS’s intrusion detection capability only identify a portion of vulnerabilities associated with common software applications,”
5 client applications were reviewed (Adobe Acrobat, Flash, Internet Explorer, Java and Microsoft Office) and only 6 percent of all the security bugs tested were flagged (29 of 489 vulnerabilities).
According to the report, a possible reason is that EINSTEIN does not sync with the standard national database of security flaws maintained by NIST (National Institute of Standards and Technology).
DHS officials claim in the report that this was not required for the first draft of EINSTEIN, but the department ‘acknowledges this deficiency’ and plans to address it in the future.
EINSTEIN has no Way to Spot Unknown Zero Days until ‘Announced’
The report states that, “Regarding zero day exploits,” DHS officials stated “there is no way to identify them until they are announced.” Once they are disclosed (sometimes with the help of intelligence community partners), DHS can mold a signature to the attack pattern and feed it into EINSTEIN.
Information Sharing with EINSTEIN is Often A Waste
“DHS’s sharing of information with agencies has not always been effective, with disagreement among agencies about the number of notifications sent and received and their usefulness,”
The reviewed departments did not receive 24 percent of the notifications DHS said it had sent in fiscal 2014, and the ones they did receive often served no purpose. Of the 56 alerts communicated successfully, 31 were timely and useful, while the rest were too slow, useless, false alarms or unrelated to intrusion detection.
Besides this, although DHS has created metrics related to EINSTEIN, “none provide insight into the value derived from the functions of the system,” the auditors said.
Conclusion
The findings of the audit report show that EINSTEIN MUST be changed to be effective against hackers and foreign adversaries, its primary goal. Otherwise, 6 billion U.S. Dollars is being spent on a system not up to its job, resulting in a danger to national security.