I work in the field of Information Security (InfoSec), specifically website security. With that in mind, it’s but one very small piece of a very large pie. Security is complex,...
The CVE-2015-7645 has been fixed with Adobe Flash Player 220.127.116.11. Spotted in the wild (2015-10-13) in APT28's exploit kit by TrendMicro, this exploit was already reported 2 weeks before (2015-09-29) to Adobe by Natalie Silvanovich.
I reported the Flash 0-day (CVE-2015-7645) two weeks before it was found in the wild https://t.co/nYeAWRG5jO— Natalie Silvanovich (@natashenka) 16 Octobre 2015
It has now made its way to Exploit Kit
Angler EK :
CVE id confirmed by by Anton Ivanov ( Kaspersky )
|Angler EK successfully exploiting Flash 18.104.22.168|
Another sample : bea824974f958ac4efc58484a88a9c18
One more from the Poweliks instance : 0d72221d41eff55dcfd0da50cd1c545e
Not replayable fiddler sent to VT
a9d5a9a997954f5421c94ac89d2656cd Vawtrak ( < that one was not expected in that infection path)
|Angler EK exploiting Flash 22.214.171.124 on Windows 10 (build 10240) through Edge|
Nuclear Pack which has been playing with landing URI pattern lately has integrated it
|CVE-2015-7645 in Nuclear Pack on 2015-10-30|
Out of topic payload : 0b3de2a8d838883e10a1d824d20fe95c Kelihos Loader (harsh02)
|Magnitude trying to exploit CVE-2015-7645|
No payload but the actor behind that thread would like to see you Cryptowalled. Update might come.
Without surprise as Spartan is the work of the coder of Nuclear Pack.
Note : old version of Chrome <= 43.0.257 and Firefox < 38 seems to be falling as well
Spartan pushing Pony and Alphacrypt via CVE-2015-7645
Sample in that pass : 1c074c862d3e25ec9674e6bd62965ad8 (another one: 66f34cd7ef06a78df552d18c729ae53c )
(out of topic payload : Pony: 29c940f9d0805771e9c7ec8a5939fa25 (126.96.36.199 /myadvert/autoget.php) and Cryptowall 74ebff4acc4ad9c2a2e665ff293c02e6 NB earlier today drops were Pony and Alphacrypt )
Fiddler sent to VT
Most probably appeared 2015-10-16
|Necurs being dropped by Neutrino via CVE-2015-7645|
Read More :
Adobe Flash: Type Confusion in IExternalizable.writeExternal When Performing Local Serialization - 2015-09-29 - Natalie Silvanovich
New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries - 2015-10-13 - Feike Hacquebord - Brooks Li - Peter Pi - TrendMicro
Latest Flash Exploit Used in Pawn Storm Circumvents Mitigation Techniques - 2015-10-16 - Peter Pi - TrendMicro
Post Publication Reading :
Neutrino Exploit Kit – One Flash File to Rule Them All - 2015-12-28 - Daniel Chechik and Anat Davidi - Spiderlabs/Trustwave
When you log into Facebook, you could see this this message warning you that a government-backed entity of some sort is trying to get into your account:
This isn’t the site’s first attempt to use its gatekeeping power to address security concerns. Facebook detects malware on your computer and if it finds any, you’re directed to one of several free online scanners — including our free online scanner — to clean your PC before you can log in.
What’s new about this warning is that it suggests a culprit — a government, which could possibly even be your government. It’s remarkable how accepted the idea is that state-backed organizations are carrying out cyber attacks so regularly that there’s a Facebook prompt specifically dedicated to the threat. But it’s indicative of the times we live in.
F-Secure Labs has warned about cyber threats from state-backed actors for years.
“We do this because these types of attacks tend to be more advanced and dangerous than others, and we strongly encourage affected people to take the actions necessary to secure all of their online accounts,” Facebook’s Chief Security Officer Alex Stamos explained in a post announcing the new prompt.
Our Security Advisor Sean Sullivan calls the feature a “good first step.”
“Facebook is widely used among human rights advocates and attorneys,” he told TrustedReviews. “When advocates report being targeted, I suspect that Facebook’s security team is readily able to cross-reference IP addresses which interact with and target various accounts. And so Facebook is then able to draw connections between people that might benefit from such notifications.”
Some in the media have spread some alarm about the feature.
Russia Today — an English-language media outlet sponsored by the Russian government — framed the feature as an attempt to get your phone number. The article features several references to the NSA, alluding to the revelations former contractor Edward Snowden began releasing in 2013. (This is ironic given F-Secure Labs’ recent report on The Dukes, which makes the case that the Russian government is involved with or abetting cyber attacks of its own that extend beyond surveillance into actual espionage.)
So does Facebook just want your phone number?
“The feature doesn’t require a phone number,” Sean told me. “If you have an Android phone, iPhone, or an iPod touch – you can simply use the Facebook app to generate the approval codes.”
The suspicions being raised by non state-sponsored media could be tied to Facebook’s constant efforts to get you to offer it your mobile phone number to activate security features.
Our Chief Research Mikko Hypponen often points out that by pairing your profile with your phone number, websites can unlock a treasure trove of demographic data about you that makes you even more valuable to sell to advertisers. We cannot say for sure that Facebook does this. If you have a spare day or two, you can read through Facebook’s Terms and Policies to find out.
“Both Facebook and Twitter (and other sites) often ask me for my phone number for the sake of ‘security,'” Sean told me. “And while yes, it does offer some security enhancements, in the name of transparency, I wish they also mentioned the other uses.”
Be aware that if you want to use two-factor authentication to secure your account but don’t want to give the site your number, you do have options.
It’s good to be suspicious about sharing your phone number, but it’s also smart to be doubly suspicious when privacy concerns are being stoked by an arm of the Russian government.
In the past few years, Facebook — which used to be constantly ridiculed for its privacy and security concerns — has really stepped up its game in simplifying its privacy settings, preventing spam and controlling the spread of bad links. This is another promising step from a security team that seems eager to both protect its users and to make us all aware of the growing threat of state-backed attacks.
In the post on the UK focused Shifu I illustrated malvertising traffic to Angler.
The traffer group behind this activity is the same exposed by BelchSpeak from Invincea in many tweets (explaining the addition of code to spot Invincea Sandbox) FoxIT in june, Malwarebytes in September, or Trendmicro 2 weeks ago.
As it's easier to have a name to share/talk about stuff i'll use "VirtualDonna Traffers" to refer to them (virtualdonna .com is one of the domains they used that got some attention)
Earlier this year they were using https bit.ly,
|2015-07-11 - bit.ly as https url shortener|
|2015-07-11 - tiny url as https url shortener|
or goo.gl url shortener
|2015-06-12 - goo.gl as https url shorterner|
and switched to their own https redirector behind cloudflare around the middle of September ( naotsandhap.eu
|Two pass here : same source (Dailymotion), same country (Australia), same Traffer for same customer |
(how/why? same payload : Reactorbot srvdexpress3 .com)
Different Legit part of the chain
https gives the traffer the ability to kill the referer chain (making it more difficult to figure out where the Exploit Kit landing spotted in the traffic is coming from).
Once discovered a way to Sig this is to flag the ssl certificate being used.
Those days they are using a DoubleClick https open redirect.
VirtualDonna Traffers exploiting an https open redirect by Doubleclick in its chain to Angler EK
GB - 2015-10-15
Out of topic Payload in that pass : Shifu - 695d6fbd8ab789979a97fb886101c576 beaconing to nyctradersacademy .com
Doubleclick has been informed about the issue.
Post Publication Readings :
The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK - 2015-12-15 - Proofpoint
Let’s Encrypt Now Being Abused By Malvertisers - 2016-01-06 - TrendMicro
October is National Cyber Security Awareness Month in the US, and European Cyber Security Month in Europe. Basically, institutions in these two countries have decided that it’s time for people to get serious about cybersecurity. And they’re right to do it – according to F-Secure’s Business Security Insider blog, there was 81 cyberattacks every minute in 2014.
So hacking is a serious business for these attackers. And one security measure that experts would like to see used more widely is two-factor authentication.
Two-factor (or multi-factor) authentication refers to using more than one piece of information to safeguard access to accounts. Many popular services, such as Facebook and Twitter, offer it to users. However, very few services require it. It’s really more of an option for people interested in having a little bit of extra security for their accounts. A recent survey from Google points out that 89 percent of security experts use two-factor authentication for at least one of their online accounts.
But it’s less popular amongst non-experts. Only 62 percent of non-expert respondents to Google’s survey used two-factor authentication. Other studies indicate that two-factor authentication may be even less popular, with one recent consumer survey finding that 56 percent of respondents were unfamiliar with two-factor authentication.
Although two-factor authentication has been around for ages, it’s starting to become offered by many online services. Passwords are currently the standard in account security, but adding in two-factor authentication adds an extra layer of security. It basically means anyone that gets access to your password will essentially only have “half a key” to your account.
So why don’t more people use it? After all, nearly 80 percent of people are open to alternatives to traditional passwords. One reason might be that it’s too difficult or inconvenient. But the widespread use of mobile devices is making this much easier. Email and SMS messages seem to be easiest and the most popular, with one study finding almost 90 percent of participants using two-factor authentication did so by receiving a code through SMS or email, which they could then enter into a website to confirm their identity.
Another reason could be availability. It’s up to companies and organizations providing online accounts to offer two-factor authentication to customers. This website provides a pretty good list of different online services offering two-factor authentication, so it’s a pretty handy resource. You can also use the site to send tweets to companies not offering two-factor authentication (so don’t hesitate to send a message if you want someone providing you with a service to improve their account security features).
If you crunch the numbers provided by the site, you can get an idea about how common two-factor authentication is for different kinds of services:
- Cryptocurrencies: 96%
- Identity Management: 93%
- Cloud Computing: 77%
- Gaming: 69%
- Hosting/VPS: 69%
- Email: 65%
- Domains: 65%
- Developers: 63%
- Communication: 62%
- Backup and Sync Services: 60%
- Investing: 38%
- Banking and Financial Services: 35%
- Health: 30%
- Finance: 28%
- Education: 25%
- Entertainment: 7%
So two-factor authentication is definitely more prominent in some industries than others. F-Secure Security Advisor Sean Sullivan says that it’s definitely worth choosing services offering two-factor authentication, especially for important accounts that you use daily, or contain really sensitive information.
“You should figure out what accounts are critical and focus on securing those by using strong, unique passwords and two-factor authentication,” he says. “Lots of companies will offer a monthly or periodic two-factor authentication check, which requires you to enter a code you receive via SMS into a pre-defined phone or computer. It’s really worth having a primary email account with one of these services, as you can centralize information there instead of spreading it around, which makes it easier to stay in control of your accounts.”
Next time you’re thinking about setting up an online account somewhere, you may want to circle back to whether or not they offer two-factor authentication. With the number of devices expected to explode as the Internet of Things becomes more and more popular, it only makes sense to consider whether you’re information is as secure as you’d like.
[ Image by momentcaptured1 | Flickr ]
This week’s ruling by the European Court of Justice striking down the 2000 “Safe harbor” agreement between the European Union and and the United States was celebrated as vindication by privacy activists, who saw the decision as a first major international consequence of the Snowden revelations detailing the extraordinary extent of mass surveillance being conducted by the U.S. and its allies.
“The safe harbor agreement allowed U.S. companies to self-certify they abided by EU-strength data protection standards,” Politico’s David Meyer reported. “This gave them a relatively simple mechanism to start legally handling Europeans’ personal data.”
That simple mechanism did not abide by the Commissions own privacy standards, the Court decided.
“The court, by declaring invalid the safe harbor which currently permits a sizeable amount of the commercial movement of personal data between the EU and the U.S., has signaled that PRISM and other government surveillance undermine the privacy rights that regulates such movements under European law,” the EFF’s Danny O’Brien wrote.
A new Safe Harbor agreement is currently being negotiated and the Court’s ruling seems designed to speed that up. But for now many companies — especially smaller companies — and users are now in a sort of a legal limbo.
And that legal limbo may not be great news for your privacy, according to F-Secure Security Advisor Sean Sullivan, as it creates legal uncertainty that could easily be exploited by government spy agencies and law enforcement.
“Uncertainty is their bread and butter,” he told me.
To Sean, this ruling and the urge to break the old agreement without a new one yet in place represent an “old world” view of the Internet where geography was key.
The U.S. government has suggested that it doesn’t need to respect borders when it comes to companies like Microsoft, Facebook and Google, which are headquartered in the U.S. but do business around the world. Last month, the Department of Justice said it could demand Microsoft turn over Hotmail data of any user, regardless where s/he lives.
“The cloud doesn’t have any borders,” Sean said. “Where stuff is located geographically is kind of quaint.”
You can test this out by using an app like Citizen Ex that tests your “Algorithmic Citizenship.” Sean, an American who lives in Finland, is identified as an American online — as much of the world would be.
What Europe gave up in privacy with Safe Harbor was, to some, made up for in creating a cohesive marketplace that made it easier for businesses to prosper.
Facebook and Google warned that the U.S.’s aggressive surveillance risked “breaking the Internet.” This ruling could be the first crack in that break.
Avoiding a larger crackup requires a “new world” view of the Internet that respects privacy regardless of geography, according to Sean. He’s hopeful that reform comes quickly and democratically in a way that doesn’t require courts to force politicians’ hands.
The U.S. showed some willingness to reform is surveillance state when it passed the USA FREEDOM Act — the first new limitations on intelligence gathering since 9/11. But more needs to be done, says the EFF. The digital rights organization is calling for “reforming Section 702 of the Foreign Intelligence Surveillance Amendments Act, and re-formulating Executive Order 12333.”
Without these reforms, it’s possible that any new agreement that’s reached between the U.S. and Europe might not reach the standards now reaffirmed by the European Court of Justice.
Cybersecurity professionals are the new guardians of big changes in the organization. Such professionals must practice business resiliency and adaptability, because they are now so integrated with digital business decisions that leaders cannot tell where business ends and cybersecurity begins.
The digital explosion and the race to the edge have achieved what previous waves of technology evolution have failed to do — to integrate cybersecurity professionals and business leaders into effective teams for the protection and safety of the organization.
Src: Gartner Says Cybersecurity Professionals Are the New Guardians of Digital Change - Yahoo Finance
I’m normally sympathetic to technology recruiters, but some are just hopeless. These, I have no sympathy for. An the SEO spammers, no sympathy for any of them. Every now and then, one is so obnoxious that I feel compelled to respond, and as a community service I’m sharing templates I use for responding to the worst of them.
For the recruiters:
[Dude/Dudette], I hate to be an ass, but really- digging up an ancient resume and throwing names at the wall to see if any stick- this is why recruiters like you and your ilk are loathed. As someone who spends a lot of time trying to help folks develop and advance their technology and security careers this shit really pisses me off.
I'm not interested in moving at this time, but not being a fool I would entertain appropriate offers. That means a minimum of [INSERT LARGE NUMBER HERE] plus options or equity, a maximum of [SMALL AMOUNT OF TIME HERE] hours per week dedicated to direct company work, support of my [LARGE NUMBER] of hours per week for community development and engagement, plus research time. Oh, and support of my [TRAVEL, SPEAKING, DRINKING, ETC.] schedule.
The one I use for SEO is specific to Security BSides, but feel free to adapt as appropriate for your needs:
I'm sorry [SEO SCUMBAG'S NAME HERE], but we're a global community of technology and security experts, many of us have been in the field since pre-Web days... and none of us has ever heard of you or your firm. We have a globally recognized and respected brand and have drawn several thousand participants to hundreds of events around the world without your help.
In fact, perhaps you would be interested in contracting with some of our technology, social media, and marketing experts to help build your brand- at competitive consulting rates, of course. If not, please remove this, and every other Security BSides affiliated email from your lists.
Yes, I can be a bit of an ass, but it is occasionally justified.