Daily Archives: July 6, 2018

Firestarter: It’s a GDPR Thing

Posted under: Firestarter

Mike and Rich discuss the ugly reality that GDPR really is a thing. Not that privacy or even GDPR are bad (we’re all in favor), but they do require extra work on our part to ensure that policies are in place, audits are performed, and pesky data isn’t left lying around in log files unexpectedly.

Watch or listen:


- Rich (0) Comments Subscribe to our daily email digest

CPU Side-Channel Information Disclosure Vulnerabilities

On January 3, 2018, researchers disclosed three vulnerabilities that take advantage of the implementation of speculative execution of instructions on many modern microprocessor architectures to perform side-channel information disclosure attacks. These vulnerabilities could allow an unprivileged local attacker, in specific circumstances, to read privileged memory belonging to other processes or memory allocated to the operating system kernel.

The first two vulnerabilities, CVE-2017-5753 and CVE-2017-5715, are collectively known as Spectre. The third vulnerability, CVE-2017-5754, is known as Meltdown. The vulnerabilities are all variants of the same attack and differ in the way that speculative execution is exploited.

To exploit any of these vulnerabilities, an attacker must be able to run crafted code on an affected device. Although the underlying CPU and operating system combination in a product or service may be affected by these vulnerabilities, the majority of Cisco products are closed systems that do not allow customers to run custom code and are, therefore, not vulnerable. There is no vector to exploit them. Cisco products are considered potentially vulnerable only if they allow customers to execute custom code side-by-side with Cisco code on the same microprocessor.

A Cisco product that may be deployed as a virtual machine or a container, even while not directly affected by any of these vulnerabilities, could be targeted by such attacks if the hosting environment is vulnerable. Cisco recommends that customers harden their virtual environments, tightly control user access, and ensure that all security updates are installed. Customers who are deploying products as a virtual device in multi-tenant hosting environments should ensure that the underlying hardware, as well as operating system or hypervisor, is patched against the vulnerabilities in question.

Although Cisco cloud services are not directly affected by these vulnerabilities, the infrastructure on which they run may be impacted. Refer to the “Affected Products” section of this advisory for information about the impact of these vulnerabilities on Cisco cloud services.

Cisco will release software updates that address these vulnerabilities.
 
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel
Security Impact Rating: Medium
CVE: CVE-2017-5715,CVE-2017-5753,CVE-2017-5754

CPU Side-Channel Information Disclosure Vulnerabilities: May 2018

On May 21, 2018, researchers disclosed two vulnerabilities that take advantage of the implementation of speculative execution of instructions on many modern microprocessor architectures to perform side-channel information disclosure attacks. These vulnerabilities could allow an unprivileged, local attacker, in specific circumstances, to read privileged memory belonging to other processes.

The first vulnerability, CVE-2018-3639, is known as Spectre Variant 4 or SpectreNG. The second vulnerability, CVE-2018-3640, is known as Spectre Variant 3a. Both of these attacks are variants of the attacks disclosed in January 2018 and leverage cache-timing attacks to infer any disclosed data.

To exploit either of these vulnerabilities, an attacker must be able to run crafted or script code on an affected device. Although the underlying CPU and operating system combination in a product or service may be affected by these vulnerabilities, the majority of Cisco products are closed systems that do not allow customers to run custom code and are, therefore, not vulnerable. There is no vector to exploit them. Cisco products are considered potentially vulnerable only if they allow customers to execute custom code side-by-side with Cisco code on the same microprocessor.

A Cisco product that may be deployed as a virtual machine or a container, even while not directly affected by any of these vulnerabilities, could be targeted by such attacks if the hosting environment is vulnerable. Cisco recommends that customers harden their virtual environments, tightly control user access, and ensure that all security updates are installed. Customers who are deploying products as a virtual device in multi-tenant hosting environments should ensure that the underlying hardware, as well as operating system or hypervisor, is patched against the vulnerabilities in question.

Although Cisco cloud services are not directly affected by these vulnerabilities, the infrastructure on which they run may be impacted. Refer to the “Affected Products” section of this advisory for information about the impact of these vulnerabilities on Cisco cloud services. 

Cisco will release software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180521-cpusidechannel


Security Impact Rating: Medium
CVE: CVE-2018-3639,CVE-2018-3640

UK Financial Regulators Cracking Down on Banks’ IT Failures

Financial regulators have ordered British banks and other financial services firms to provide a detailed plan for responding to IT outages and cyber-attacks. The Bank of England (BoE) and the Financial Conduct Authority (FCA) published a joint discussion paper on Thursday, asking firms to report on their exposure to risk and incident response processes. Firms […]… Read More

The post UK Financial Regulators Cracking Down on Banks’ IT Failures appeared first on The State of Security.

CIS Releases 2017 Year in Review

Original release date: July 06, 2018

The Center for Internet Security (CIS) has released its 2017 Year in Review. CIS is home to the Multi-State Information Sharing and Analysis Center (MS-ISAC), an NCCIC partner focused on cyber threat prevention, protection, response, and recovery for U.S. state, local, tribal, and territorial government entities. The review highlights CIS's role in improving cyber defense and MS-ISAC's advances in membership, monitoring, cyber education, and information sharing with partners.


This product is provided subject to this Notification and this Privacy & Use policy.


Apple Releases Security Update for Boot Camp

Original release date: July 06, 2018

Apple has released a security update to address vulnerabilities in Wi-Fi for Boot Camp 6.4.0. An attacker could exploit these vulnerabilities to obtain access to sensitive information.

NCCIC encourages users and administrators to review Apple’s security page for Wi-Fi Update for Boot Camp 6.4.0 and apply the necessary update.


This product is provided subject to this Notification and this Privacy & Use policy.


RSA USA 2019

RSA 2019 | Moscone Center, San Francisco

2019 RSA

San Francisco | March 4-8, 2019 | Moscone Center

Join LookingGlass Cyber at Booth #2327 in the South Hall!

Reserve a Demo

Not all threats are created equal, so managing your organization’s security posture can be a difficult task if the right tools and technologies aren’t available to you.

LookingGlass’ holistic solutions portfolio equips your team with the tools and data to solve your toughest security challenges. Visit us at our booth #2327 in the South Hall to learn more.

Need to step away from the hectic expo floor? Get a personal, in-depth demo tailored to your security needs with one of our security experts at the LookingGlass meeting suites. Your time is valuable so let us know what works for your schedule and book your time slot now.

Reserve a Demo

Moscone Center

747 Howard Street
San Francisco, CA 94103

Monday, March 4, 2019

Meet us at Booth #2327
in the South Hall

The post RSA USA 2019 appeared first on LookingGlass Cyber Solutions Inc..

Most LokiBot samples in the wild are “hijacked” versions of the original malware

Hacker himself got hacked. It turns out that most samples of the LokiBot malware being distributed in the wild are modified versions of the original sample, a security researcher has learned. Targeting users since 2015, LokiBot is a password and cryptocoin-wallet stealer that can harvest credentials from a variety of popular web browsers, FTP, poker and email clients, as well as IT

Threat Roundup for June 29 to July 6th


Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we've observed this week — covering the dates between June 29 and July 6. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, it will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive, and is current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this roundup are:

  • Win.Malware.Separ-6598261-0
    Malware
    Separ is spyware that has been delivered via several different spam campaigns. The malware establishes persistence to survive system reboots, and it's able to collect sensitive information by capturing login attempts via a web browser. It disables the Windows firewall if present, propagates and invokes scripts during runtime, and relies on FTP to upload any collected data.
     
  • Win.Malware.Daqc-6598201-0
    Malware
    Daqc is a trojan that collects sensitive information from the infected host and exfiltrates pieces of the collected data over time to a command and control (C2) server. It drops several database files and locks files to properly manage the data it has collected or is queued to collect at a future time.
     
  • Win.Malware.Tspy-6598050-0
    Malware
    Tspy is a trojan with several functionalities. It establishes system persistence to survive reboots. It also contacts domains related to remote access trojans (RATs) but are also known to be hosting C2 servers that send additional commands to the malware. The samples are often packed and contain anti-debug features intended to delay manual analysis.
     
  • Win.Malware.Fareit-6597973-0
    Malware
    Fareit is a trojan with a significant history associated with malware distribution. It is mainly an information-stealer and malware downloader network that installs other malware on infected machines.
     
  • Win.Malware.Razy-6596077-0
    Malware
    Razy is oftentimes a generic detection name for a Windows trojan. Although more recent cases have found it attributed to ransomware that uses the .razy file extension when writing encrypted files to disk, these samples are the former case. They collect sensitive information from the infected host, format and encrypt the data, and sends it to a C2 server.
     
  • Win.Malware.Zusy-6596071-0
    Malware
    Zusy is a trojan that uses Man-in-the-Middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user access a banking website, it displays a form to trick the user into submitting personal information.
     

Threats

Win.Malware.Separ-6598261-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: lodhgyuuuf
Mutexes
  • 716BCAD1::WK
  • DILLOCREATE
  • 4C0::DA783779D0
IP Addresses
  • 198.23.57.8
Domain Names
  • ftp.freehostia.com
Files and or directories created
  • ZREA.vbs
  • nimiki09.vbs
  • enikiol03.bat
  • enikiol02.bat
  • BReader.exe
  • %AppData%\Local\4Adobe\4low
  • %AppData%\Adobe\Adobe INC\AadobeRead\BReader.exe
  • %AppData%\Adobe\Adobe INC\AadobeRead\Adobeta.exe
  • %AppData%\Adobe\Adobe INC
File Hashes
  • 09ebe700700a0e5e49d994093786f6c1bc9d3c400edc94b31693ef5961250d81
  • 12e2ba4b4a310edf9cd97405541565e20d9ea6259d86d96a36fc8b676babb228
  • 14c4a3fd18cad81c55ff4aa192803b748d8810900602c89c26114eb80c9db988
  • 198f46e81e496d6bbe573c21eff095f102d0afa877a51d3de30a2b21f90ed179
  • 21d006b8f12a6b2e3126f3a6cef4f621c314a9dc21be6ffe51950f816f6a88c9
  • 273436ba78c9973251e48bc2eb7771ded5ce3f9183d798d4663672f54ffeb2e2
  • 2b05da4dbfe7ffb80c08383d75e79cc93cf22b6b4a4ad1964f360d1a77a2e9ae
  • 2d8fb96ba74ce2f9f9e8030c4c62606d1fea677cd845f96ee8191250d76f1943
  • 354cf3031b2679f885969746afef780bb1765b0f32613afb6490d5e60b7fe6bc
  • 3ed4b85af6b20e6c2a2b1dba1f76f9e2fae9e8664a0b21cfc77b75fc7b585168
  • 3ef31d4a0bccee0994a4ee525b679da1fd2664f3d96d20371297f6f6645a2ced
  • 3f735ba16d51af841f5a48c9be5a2cb004df275c71cbbdd3497bfe34460f9c93
  • 403d91b31d44acb4a67b5b0dd7679971bedc722244f1b705adfa095632d18cf3
  • 47cd0d0181ae2d2fee85ca67b26fb4366fd44e0391f4c81e7aee2de82de2e87c
  • 4c76b5e7ad6242df21d5dc2094d4dbf6d7ab551d2055844ddb0188d410a02dbd
  • 54ad6cdb5dbdbc93f70e0e69d3e98503e96ae407de19c0d1fb3f4e0d3147e0e5
  • 5c36e8d71fa4060e98d3c6274d7332af963e0f41e3d2eef9eb0b5d96554cb94b
  • 5e43fa2988b68c9c066fe804167a9a0a0e82537359771060f894ee295c1164b4
  • 61540809d55eaa23ba0ac82ff4b530823c93fbc8e7097ccaeb8329e0eb1e48c1
  • 6d7019e4f1e02713046fedb121d15c9a423b8502e792ff42c7896c3b4d9f826d
  • 6f13c5e83ae42cbb755a44c3c45075043983d0eba2846b63442471577bdf6a98
  • 6f9c0cb13cb611de6697837c7dcdcc2899d8497e55258a2a26a41b26e5e7a8de
  • 7115ea1ab97a7187b2a1bb6936fe3df44bc754ec06f70c9f880d9787e605ea60
  • 76a98ee8f9ff749ea39acd024859ea991b2b43e79e37cb131a1a53be614bd753
  • 79789706985bcb5afeffed63805994cbe09966da0544e18a0a059a57064d7039

Coverage


Screenshots of Detection

AMP


ThreatGrid




Umbrella




Win.Malware.Daqc-6598201-0


Indicators of Compromise


Registry Keys
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • necter7.ru
Files and or directories created
  • %AppData%\mvsh\sghbn.exe
  • %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\mvsh.vbs
  • %AppData%\D282E1\1E80C5.lck
File Hashes
  • 00c8e16c0153a40945b77692bbc28d765e6fc1a5d7100ff67dc7d4a3cf7c250c
  • 011e0b204c466885b489a18062a763a3eab681d1f6d3ddc7584ad89429935664
  • 0681fbcb805b64a7a85ad6883e8c66af4d1cbd0cbc983e8c7c57868885c8eddb
  • 0a0c092a8a390432b9b31b8d7cc9b4780fad2b8878d0bcfdda09f7f9322b1004
  • 1bc4781824a84300edc2f1fa97e42cddce96b273c09fda794f9e30a44ae4c6d5
  • 273c7bc44acc510531dafb34a25aa0463ce28c262c360596f2387f0b3067c0fe
  • 2a63210f0832f22ff67bc5333c3e2f8e327c6353920d6d687c1dec8558e50a83
  • 2a9be0b39fc7f3cd3214ba6854699e6857ba853b175b98d0fe10e151dbce9f4e
  • 2ce787599acee9837624bfa274d04e659ac1fba27a200e451d8369025a3c3b02
  • 331dd1d9b1f53c72bb628913a0d173eb701cdf68de713c1b94bcfef1be8be8f1
  • 36dcfa6c8cb09c85d25b9cfc4ff655a6b7d4ad77b4f75107734e956b2c0c4c52
  • 4278d609c70419e054b5d514e847f05d9e854a6f67c8ca4a17ce02f14d18980e
  • 43957c1ffbb1ae837e2fe6d97603fa0c686f131beebe5c8c17e9c384bd2e5d9d
  • 46a603905dda179887be97eb0894c408613857261d275056d46aa174d1063888
  • 49560519bd1ad245ebcf596fa867db44f5460a4b6e952393c222169fae3458c1
  • 5309ac8962997edc05e88bc99f259d4a0788f08ed0ab92bfeb2075410a0f53ce
  • 60140f334d05733c9e80ec951bbf57d2355e7421197806f3e5373d87feebaca8
  • 69079ab9bf5475c7f561a849a191228e7583c7000f56623f4c2824399ab5fadf
  • 748374631d589f14126473dee5faabbb03de6f436be9ba1f4e9db4a43ad5f335
  • 7ce2a8377d841c6c35b4af7b97df7e1edf41d519026090439b0fce83ed94237e
  • 7f2167ad8d2c8523477e5c89bff7e43c4aaa63bb67738c99f3dcf699f5d23878
  • 87e4364c1075f01bbb5d2e71532eafa03319925cc76a81175f1939e865d73a22
  • 8ded9c78e10011fcc6fd9c7501b54510d64be29ea7a9512018d22a43f9e3b5be
  • 8f6841a0f19f1626723f297a3ada097342ff10b6f4242e48e3b14c8528381de9
  • 9cd31bad005306e5586bd20d5c027d15bd2bdc0f904f3f839309a25c30ffe417

Coverage


Screenshots of Detection

AMP


ThreatGrid




Umbrella




Win.Malware.Tspy-6598050-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • 3749282D282E1E80C56CAE5A
IP Addresses
  • 31.220.56.187
Domain Names
  • N/A
Files and or directories created
  • \PC*\MAILSLOT\NET\NETLOGON
  • %AppData%\D282E1\1E80C5.lck
  • %AppData%\D282E1
File Hashes
  • 014e34668fdca31f2a599d3fc772fa60893b2790227fe283b6ed73fe207ab091
  • 09df166cabf8e547ba597ece2efac55626fc5148dceacfa85da87bcb4753376e
  • 2b6b2a20912a1d906b374ab10fb6c4ae4d0b3509b5f22543357372ec58e0ebed
  • 3be01ef8167c8be00af7e4c5d6fff6a7429cf31094074fbe9cf2565b4cb67d5b
  • 3f3ff0bfd3eb8ea896a5eaf39c95799124d5e48c892428a1c33395b53fb99d34
  • 4ba249143540292a58750d78c60baaf1903b0bdb4b39447a7cc75e933ba4d360
  • 4ebbaeb26cc27b394e81fd2c361fc21d8ec2bcebd120d2e23b3ab8de09c6de89
  • 4fc79ecb69c7fca766f4da8fbe6c20d35cf45c56fa79dd2599a086683f495c12
  • 51ee89debd42065508888bd475221990c00213e711b9f835768b6c10ff69526b
  • 5548a1dd962ff1c290b39ca973922fe0f4b6906a9ee89504ee935ba71cf41138
  • 572b052bb1eda202ebb968e4c652ccd6b5dc3bb749c3cea41620f095a1ac5192
  • 5a14367912fffeae4298445fb401777c000e8b3fb30bfd148156107b10225b01
  • 617aeefe2f7f063a48b968dc4f08d1ba11165f08a220e802b23ef7dfa80c5e40
  • 66d4fc50ab34bafc66090beccca49fb1cdc59051201f9908836e8ef0b212957a
  • 68b943af3db8015deaf948718711ce477934ded7b26818bc284541744005b89e
  • 6ebd3a5c153e185cbf3aac1e4e8724cece65990726bd75cb3182e40510a27db3
  • 807f1c87820ce553653f29c4cd4aa6bdb12007bdddfb78cc7646a61b7be52a52
  • 80e118cfbd1c4af5658bea2f9d0ab233f015e0add74ca766fde4b9f208db462c
  • 86579c2189c128a9c858acfeb60139323fe01398cee2de6d2fa7e4ef92e937a5
  • 8aca4e49934582ff2db33c822b0d4d32d2623638485df2d8069dcf5572c0d931
  • 90f20d1e2b755846fae5465a086b93937a641cfb4a3337794d5c6dab6f927ea5
  • a2c8af1f4b90fbd2db57433f99f8680df4b529e5580c7d951a48effe8b0783a5
  • aba1625cf886e5ec14860510648e77b4df66b81f6b01ca5627ee376f1c6e203b

Coverage


Screenshots of Detection

AMP


ThreatGrid




Win.Malware.Fareit-6597973-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
    • Value Name: J2UXTX7H4BT
Mutexes
  • AE7ED74491CA89C0FD1212B015FD0F24
  • 922ORSE7XC24WH0Z
  • 8-3503835SZBFHHZ
IP Addresses
  • 98.124.199.96
  • 50.97.212.250
  • 38.18.228.192
  • 23.247.23.36
Domain Names
  • www.understandinggod.faith
  • www.ethmined.com
  • www.yyphg8.com
  • www.dariomatamoros.com
  • www.ecomepiphany.com
  • www.enarhcxx.com
  • www.ferertya.com
  • www.rgpclaw.com
  • www.starcarpetcleaningpros.com
  • www.available2.info
Files and or directories created
  • %LocalAppData%\Temp\rhvh0.exe
  • %AppData%\922ORSE7\922logrv.ini
  • %AppData%\922ORSE7\922logri.ini
  • %AppData%\922ORSE7\922logim.jpeg
  • %AppData%\922ORSE7
File Hashes
  • 06700dc880f285572c711fc4adfce57045158ed481d2effca8f4bd07a46ebc6e
  • 24e59d09af4f3ff5fb90ad6468c6e5a03dff284cf28b09f63602e59c17c96c70
  • 2ddc6c4ecf32333927cc32169eb0c291ff3265ff979b6436ce8650072214b58b
  • 328261b4d00e03b8ff7572b1e24b5caf5216579007105761a71207eb31a052d9
  • 466d77d24f1efc960036ec58173872a99a91eb5862bf11079de7dacdfe149926
  • 4706ebc86e7d1e2a179ceeed68948948b1dc864d41b0362e5c69796a674e8429
  • 49cba36aadf7d8d9fae0b76aa465a0d0dc8d24ce4b5325acd6850140d632872a
  • 56d6c66c01fc39a1522a0faa2dbc8d63df17b058fe5bc61a042a727fb156a16d
  • 5c3b4262b04a7b092481019181967ecd4dfe7428845c5f2320fea0960e321f64
  • 5e0c32b0a8425ea362554fa58dfea23c6410aec3c02200ba9fa5ebf04a2f6853
  • 6324c7d1a57f57b9407c78cfdcfd0c60115389b56953ccbd0cc450d616cd6be3
  • 6630e3c3efa79e74d3974abca99c7b6b2260e271b17e87875d3939425c649705
  • 7ff5dc962d9d73109f54ab6dfc7b3242f560f8758fb683070a5ce8a3d3d5bfd5
  • 9d070ad80ebdd96767fef1b1478037125726f70602924bb400128db3765ab8b8
  • a14660359321c5cc109e2ea0cd8effa8efb913d035c7d2aa85a9d7fb72914e0d
  • ab6550747aa04bd64e002fb84f2fb1a9c3d267328f9b4475c31b5e8e41a2197b
  • b6aae639a221efc5c4fb234e554e6123e27e19e90180f22826902d1a61a55eda
  • c37614c78fca54274fdc1d6958ddae14a833791eac9ca1fe2eb6d86f27589936
  • c47de79387cae47c50619e921a182de369f4552a44f447f30777d6dc4dde12de
  • c50019481f97c3b97b4155f06484e90ed2980583efd9146a981f598301802134
  • cb10d039bd219f5fce8ee71a0e447ee1f7a59413613db2efb898314159912a7e
  • d259365b6e3d0f313b5dd634600869f68b3460a4e8acac6f0306ff152cd44340
  • d56c7bb7b58cc99668118ef277a62b85161360546500c12e5ea2f721b456d65f
  • d6e9ec4bea5aff79aead3c25e17f3708aabb9aaf797f9752d10d4e84a7f87151
  • dba3edee7d56ed9cce110b3a172e607639dcb18901a78c8d5721c4f21acd43cd

Coverage


Screenshots of Detection

AMP


ThreatGrid




Umbrella




Win.Malware.Razy-6596077-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Mutexes
  • WmiApRpl_Perf_Library_Lock_PID_968
  • Windows Workflow Foundation 4.0.0.0_Perf_Library_Lock_PID_968
  • ServiceModelOperation 3.0.0.0_Perf_Library_Lock_PID_968
  • PerfNet_Perf_Library_Lock_PID_968
  • Outlook_Perf_Library_Lock_PID_968
IP Addresses
  • 107.180.26.90
Domain Names
  • asli-id.com
Files and or directories created
  • %LocalAppData%\Temp\Ph4.exe
  • %AppData%\K-Mart Corp\K-Mart Corp.exe
  • %AppData%\K-Mart Corp
File Hashes
  • 058f2a286b9dbce25b14efa7a4321505d443a97c11d773024b2e222c54894dfc
  • 0931d88de9c4a7af4484d1a2285f001512c83a721d6e7d9177d6fa3c9c2ff494
  • 0c1609585500a71c55999ca82ff617cf209e09ef640d35d8b334bc0949e1f5c1
  • 0d4b4e859ba805e854df7f44c31745e554275b9c36997c0516b5acad4a29c739
  • 232b077e1df7e90f39f92200c9424918eff1c34d2adf98befb28a2cc664e133c
  • 2f670ff3dd609f23f4c7213a20e5f87e01d1895c08045b7ff70b746b11d7797e
  • 32d5a8609132a6619c27d5da066d6cd0c01ede44e23ae88b3e1a94c31264a2b0
  • 385ebc30d9bf602ce39b8b2d7d09787fd859fca5391f7e282f9a57fb1a7792fc
  • 3b65e590fbd2be761a6cbe540c680d63358dddfc838acd3164a1580dfa3782c6
  • 3f0ce29604df46a478183cba3fe075ac92fbc70221b7163833c9bab62b216aae
  • 40b9d27d3e3e78e52c5df9a060126d0111e6337e86e50962cce38c814ce0c365
  • 419c206b2701529e1475fafde37adad222eceef28a5b6b0ba1e34232ec3e95bd
  • 447ab1be7b297d6b592cbad8f6c35cb269e25c817d6900726fd131234427b898
  • 5cd16c9b64a18d8b8852c0e113b3347e630518e2c034ee8ecdf11c048a5e82fd
  • 5d97798b9fbc7692c9dbcfb0643da0de491b36e2e0cf51060254a2dd6238ea62
  • 608b6dad966c287cdb214acc6883a7bbbb2a0bb12f0dae2a4eaea451186aa899
  • 61ac9dae3f72b71a6128af5207f00d2e48243423596fde881811e5525a53d509
  • 63d3cf1bbf4e3352033506d7feccd4366361b0ccccf6efc7d1bde38593f396dc
  • 6cba1c23e95028056557db02a25d81a6882ca381f44153b338a8fb028f5a81d1
  • 72f3289960744faf657f7f84e98d8f1da3576451aa23f3813e00fcf956920cb1
  • 73f6dee570c360d0b2c6b4f1669aadbe1fda320838f80c8ffa030ba3b6f61738
  • 751269d78fdf8e244295d87a76a839b15672f5d0e6e7bc62cdd31f1deb5c0fa5
  • 75bdd5417105c495fd111bcaafcbed1f37a1e77c64d788f5884df5018c82a4e6
  • 760a2cb6fae52b26406a38e6a93952d2162c27c6712842c8d125685b2b540264
  • 79cd4f4accadc3edcfa90b11b19e56fa4a6a6a5150c3e2f9a467154523ff1870

Coverage


Screenshots of Detection

AMP


ThreatGrid




Umbrella




Win.Malware.Zusy-6596071-0


Indicators of Compromise


Registry Keys
  • <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\CA
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: internat.exe
Mutexes
  • Sandboxie_SingleInstanceMutex_Control
  • Frz_State
IP Addresses
  • 47.74.230.86
  • 176.9.193.212
Domain Names
  • ffmovne.top
Files and or directories created
  • %LocalAppData%\Temp\Non-resident RunPE Loader(1).exe
  • %LocalAppData%\Temp\flashplayer30_xa_install(2).exe
  • %LocalAppData%\Temp\upd63bc908e.bat
  • %LocalAppData%\Adobe\83474DC8-60A7-4AE9-9182-F2D369E40051
  • %AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\bookmarks-2017-10-03.wyz
File Hashes
  • 00c8d056d3fef3bba3eb185bd837c1fd051376a7e22356a4a82f38f8974cc387
  • 0662906a29d782593e50f6e39dadcf45219ab7265c920406460b77c3501c5413
  • 0744a0cf29c89debc833f46ff72954a860a3e01e1c7b22655e82c5b54bde1158
  • 0864a2254013f1a9d642fe0bf2ecc7ab04933660e2dcf2198e348115b743b422
  • 09df2594832182d1a80285cae34d488db1bed8206e962d20a5f59e78439a70f1
  • 0d16cfb1916b5c969b8ffada7ccbcbbdabe8d479ad713f57f939c47b42150bd5
  • 0eb0e116cd371b7b2b8464056f386a67894525ac7f195d76e45dad6d03ba5c60
  • 18fccd80b2d4b1052db0ce9873204c9a607faae9b69a89013f12423ce01b2aec
  • 1956f981e134f4f3967f6e6c4c5ba5890cf06589e3556466a19c63105fd8b0e1
  • 19e65a425ba57b23ba1238d268335396b245d1393527411a61b46ddfb1a50531
  • 1a42b7494191af666910b9b1c60af40eacd06e7444dd8e01bc4d932134622269
  • 1bdb9eb3a95b52e1833ee7d48c69b3d07134d91c71214637d7a3947582ee5ea0
  • 1f918795596a888660a6ea88157fb86c38c533e4d57a6105801c80abd5ea0008
  • 207b7eab5d6d8bb1e91e188a4c7e6a9d60b5312c5505a0183918b81e83aa63fb
  • 21a48b04e16128278123f694574009104f2d5a8364c38de4cdd52259bf1ee1dc
  • 23cea222de3f0a61da1046f08c77063edb20d9d89add0ab77849909f853d9cf9
  • 23f20614cf3dae1ecfd6291f90cca1645ab4784d449e642dd170cd3e552b24ee
  • 2c224bb1f73819ab08c1a79f553cb348ab9d460fe16ce5950c81d77cba801ada
  • 2cbc5d0f6342db2c3a1af4fc943c69c986b73bd4ed36b69cbbbe89d40c00179c
  • 323e82e0a8fe16b671aab982297a8e22358fdf6aff8d1a6d19f6f401ea24a024
  • 32f0012d9609b9e4bd78838e7f53d4d929174e64ba898ea1b5cd747771ec3862
  • 35a6fe0d09b87c7098e5acd2e23ad034ae7205816a27fd292d940e2b5fb31c57

Coverage


Screenshots of Detection

AMP


ThreatGrid




Umbrella



Kenya Considers Data Protection Bill

On July 3, 2018, a draft bill (the “Data Protection Bill”) was introduced that would establish a comprehensive data protection regime in Kenya. The Data Protection Bill would require “banks, telecommunications operators, utilities, private and public companies and individuals” to obtain data subjects’ consent before collecting and processing their personal data. The Data Protection Bill also would impose certain data security obligations related to the collection, processing and storage of data, and would place restrictions on third-party data transfers. Violations of the Data Protection Bill could result in fines up to 500,000 shillings (USD 4,960) and a five-year prison term. According to BNA Privacy Law Watch, while the Data Protection Bill is a “private member’s bill,” the Kenyan government “is working on a separate data-protection policy and bill to be published this week,” with the goal of consolidating the two proposals.

Can we trust our online project management tools?

How would you feel about sharing confidential information about your company on Twitter or Facebook? That doesn’t sound right, does it? So, in a corporate life where we keep our work calendars online, and where we work together on projects using online flow-planners and online project management software, it might pay off to wonder whether the shared content is safe from prying eyes.

What are we looking at?

From the easy-to-use shared document on Google Drive to full-fledged Trello boards that we use to manage complicated projects—basically everything that uses the cloud as a server is our subject here. When evaluating your online project management tools, it is important from a security standpoint to have an overview of:

  • Which online project management platforms are you using?
  • Which data are you sharing on which platforms?
  • Who has access to those data?

Once you know this, you can move on to the main question:

  • Is the data that should stay confidential shielded well enough?

What are the risks?

The risks of using online project management tools are made up of several elements. Once again, a list of questions will help you gage this, including:

  • How secure is the platform you are using?
  • Do the people that have access to the data need to have access? And are they given access to see all the information that is shared, or just a portion?

As you can see, we are not just worrying about outsiders getting ahold of information. Sometimes, we must keep secrets, even from our own co-workers. Not every company has an open salary policy, for example, so the information how much everyone makes might not be allowed outside of HR.

But the threat of a breach is the most important one. Having the competition know about the latest project your design team is working on can be deadly in some industries. And of course, any project that contains customer data and is not secured can be breached by a cybercriminal. Knowing this, it’s our job to help you find the safest possible tool to perform your job.

Does it make sense to share online?

Are we sharing information online because we need to do it online or just because we can? Sometimes being the cool kids that use an online project management platform that has all the bells and whistles is more a matter of convenience than it is strictly necessary. But if you are:

  • employing remote workers
  • cooperating between offices around the world
  • heavily relying on a BYOD strategy

then online tools maybe the only way to realize your project management goals.

Every ounce of prevention

What you don’t share can’t get lost. And control over what you do share (and with whom) is adamant.

  • Limit the amount of privileged information you are sharing. Make sure that only the information needed for the project is being shared with the appropriate team members.
  • Change the login credentials at a regular interval, and do this in a non-predictable way. Going from “passwordMay” to “passwordJune” at the end of the month will not stop nosy co-workers from digging. Do not post the new credentials on the platform, either.
  • Use 2FA where and if possible to enhance login security.
  • Update and patch the software as soon as possible. This limits the risk of anyone abusing a published vulnerability in the platform.
  • Keep tally of who is supposed to have access at all times, and check this against the connected devices when and if you can.

Breach management

Hardening your online tools against breaches is usually in the hands of toolmakers themselves—the software provider or the cloud service provider with whom you’ve partnered. Therefore, it makes sense to look into the project management tool’s reputation for security, as well as its ability to serve your company’s needs. While you can’t control the security of the tool itself, you can limit the consequences of a mishap, should it occur, by doing the following:

  • Don’t try to keep it a secret when credentials have been found in the wrong hands. Making participants aware of the situation helps them to change passwords and follow up with other appropriate actions.
  • Make sure there are backups of important data. Someone with unauthorized access may believe in burning the bridges behind them.
  • In case of a breach, try your best to find out exactly how it happened. Was there a vulnerability in the tool? Did a team member open up a malicious attachment? This will assist you in preventing similar attacks.

Controlling the risks

Working in the cloud can be useful for project management, but sometimes we need a reminder that there are risks involved. If you set up an online project management tool or other cloud-based project, it’s good to be aware of these risks and give some thought to the ways you can limit them.

When you’re working on a project for your company—whether it’s leading a team or participating in the project’s development—it’s important to make data losses as rare as possible, to learn from your mistakes, and to handle breaches and other security incidents responsibly.

Stay safe out there!

The post Can we trust our online project management tools? appeared first on Malwarebytes Labs.

Survey identifies three types of consumer attitudes to data privacy

Leveraging customer data is the lifeblood of today’s digital economy, but regulations like the EU’s GDPR threaten to make it difficult to mine this precious “ore.” Businesses still have a few options at their disposal, if they are to continue to sell their services – and stay competitive.

A poll of 11,474 consumers commissioned by market intelligence consortium DMA has revealed that 51% are more than happy to hand over their personal data to businesses that can offer a clear benefit in exchange.

The report – Global data privacy: What the consumer really thinks – places these 51% into a category called “data pragmatists,” a group described as those who exchange their data as long as there’s a clear benefit.

Another important demographic is the “data unconcerned” (26%), described by the surveyors as those who do not mind how and why their data is used. The remaining 23% are the so-called “data fundamentalists,” or those who never share their data for any reason.

Countries with the most data pragmatists include Spain (59%), USA (58%) and Singapore (57%), while data fundamentalists are mostly found in Australia (27%), The Netherlands (26%), and Germany (26%). However, these countries also house a sizeable proportion of data-unconcerned folk (Netherlands 35%, Germany 34%, Argentina 29%).

“We are in a new era of data privacy,” said Chris Combemale, Group CEO of DMA. “Questions have been raised about whether major data breaches and increased talk about the value of our personal data is impacting consumer anxiety over how their information is used. In fact, our research shows that even though consumers are more aware than ever and have concerns about their online privacy, the majority will continue to share their personal information if they trust the organisation and gain something in return.”

Respondents further revealed that they place great importance on transparency (86%), simple terms and conditions that they can properly interpret and understand (84%), and flexible privacy policies (82%).

On a global level, 83% of consumers would like more control over their data, and 49% named “trust” as the most important factor when deciding whether to hand over their data to an organization.

“Globally, the majority of consumers are pragmatists – willing to share their data so long as there is a benefit. Trading data is a common desire amongst consumers and data as a commodity will become more important for companies in the years to come,” reads the report. “However, ensuring that your organization is transparent, with its customers in how data is used and stored, together with putting them in control of their own data, is key to building trust with consumers and making them comfortable with data sharing. This can build a solid platform for the future of data economy, bringing benefit to consumers and businesses alike.”

Happy National Fried Chicken Day!

Today is National Fried Chicken Day. How are you celebrating?

At Verisign, we did a quick search on NameStudioTM, our easy-to-use, domain name suggestion tool to see what interesting .com and .net domain names were available to register today … and here are some of our favorites!

AVAILABLE .COM AND .NET DOMAIN NAMES*

.COM

southernstylebirds.com
deepfryfun.com
fantasticfried.com
happyfryday.com
hotchickenfried.com
roosterfeast.com
eatspicywings.com
ultimatechickenfry.com
deliciousbirds.com
biscuitsandchicken.com

.NET

southernstylebirds.net
deepfryfun.net
fantasticfried.net
happyfryday.net
hotchickenfried.net
roosterfeast.net
eatspicywings.net
ultimatechickenfry.net
deliciousbirds.net
biscuitsandchicken.net

 

What’s yours?

Tell us what great .com and .net domain names you’ve found on NameStudio here.

And check back soon to see what day we’re celebrating next. Better yet, subscribe to the Verisign blog to have the posts delivered directly to your inbox.

Happy National Fried Chicken Day!


*Available as of July 6, 2018

The user is solely responsible for ensuring that the registration of any domain name listed herein or based on NameStudio domain search data does not violate any third-party trademarks or other intellectual property.

The post Happy National Fried Chicken Day! appeared first on Verisign Blog.

Zero-Day Coverage Update – Week of July 2, 2018

The General Data Protection Regulation (GDPR) has been up and running for a couple of months now and your organization is compliant. It’s time to take a little break – well, not so fast! Late last week, the State of California passed a new data privacy law called the California Consumer Privacy Act of 2018. Set to go in effect on January 1, 2020, it is being regarded as the strongest digital privacy policy in the United States. While it’s not as comprehensive as GDPR, there is opportunity for additional revisions to the law since it was passed by the legislature just in time to withdraw the proposed law from the November ballot. Had the initiative ended up on the ballot, any amendments to the existing text would be next to impossible. There will be much more discussion on this as the deadline gets closer. In the meantime, you can check to see if your organization is GDPR compliant by visiting www.trendmicro.com/gdpr.

Zero-Day Filters

There are 29 new zero-day filters covering eight vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website. You can also follow the Zero Day Initiative on Twitter @thezdi and on their blog.

ABB (4)

  • 32331: ZDI-CAN-6144: Zero Day Initiative Vulnerability (ABB Panel Builder 800)
  • 32332: ZDI-CAN-6143: Zero Day Initiative Vulnerability (ABB Panel Builder 800)
  • 32334: ZDI-CAN-6142: Zero Day Initiative Vulnerability (ABB Panel Builder 800)
  • 32336: ZDI-CAN-6136: Zero Day Initiative Vulnerability (ABB Panel Builder 800)

Advantech (3)

  • 32353: ZDI-CAN-6300: Zero Day Initiative Vulnerability (Advantech WebAccess Node)
  • 32354: ZDI-CAN-6301: Zero Day Initiative Vulnerability (Advantech WebAccess Node)
  • 32356: ZDI-CAN-6302: Zero Day Initiative Vulnerability (Advantech WebAccess Node)

Delta (1)

  • 32348: ZDI-CAN-6322: Zero Day Initiative Vulnerability (Delta Industrial Automation PMSoft)

Foxit (4)

  • 32343: ZDI-CAN-6332: Zero Day Initiative Vulnerability (Foxit Reader)
  • 32345: ZDI-CAN-6330: Zero Day Initiative Vulnerability (Foxit Reader)
  • 32346: ZDI-CAN-6329: Zero Day Initiative Vulnerability (Foxit Reader)
  • 32347: ZDI-CAN-6326: Zero Day Initiative Vulnerability (Foxit Reader)

LAquis SCADA (1)

  • 32351: ZDI-CAN-6319: Zero Day Initiative Vulnerability (LAquis SCADA)

Microsoft (2)

  • 32350: ZDI-CAN-6080: Zero Day Initiative Vulnerability (Microsoft Windows)
  • 32352: ZDI-CAN-6081: Zero Day Initiative Vulnerability (Microsoft Windows)

Quest (2)

  • 32342: ZDI-CAN-6075: Zero Day Initiative Vulnerability (Quest KACE Systems Management)
  • 32355: ZDI-CAN-6095: Zero Day Initiative Vulnerability (Quest KACE Systems Management)

WECON (12)

  • 32257: ZDI-CAN-5956: Zero Day Initiative Vulnerability (WECON LeviStudioU)
  • 32319: ZDI-CAN-5924: Zero Day Initiative Vulnerability (WECON LeviStudioU)
  • 32323: ZDI-CAN-5938: Zero Day Initiative Vulnerability (WECON LeviStudioU)
  • 32324: ZDI-CAN-5931: Zero Day Initiative Vulnerability (WECON LeviStudioU)
  • 32325: ZDI-CAN-5929,5930: Zero Day Initiative Vulnerability (WECON LeviStudioU)
  • 32326: ZDI-CAN-5928: Zero Day Initiative Vulnerability (WECON LeviStudioU)
  • 32328: ZDI-CAN-5925,5926: Zero Day Initiative Vulnerability (WECON LeviStudioU)
  • 32329: ZDI-CAN-5927: Zero Day Initiative Vulnerability (WECON LeviStudioU)
  • 32330: ZDI-CAN-6062: Zero Day Initiative Vulnerability (WECON LeviStudioU)
  • 32333: ZDI-CAN-6063,6065: Zero Day Initiative Vulnerability (WECON LeviStudioU)
  • 32335: ZDI-CAN-6064: Zero Day Initiative Vulnerability (WECON LeviStudioU)
  • 32339: ZDI-CAN-6067: Zero Day Initiative Vulnerability (WECON LeviStudioU)

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap.

The post Zero-Day Coverage Update – Week of July 2, 2018 appeared first on .

This Week in Security News: Security and Safety on Social Media

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, California lawmakers passed a new online privacy bill guaranteeing more control over user data. Also, Typeform announced a breach involving the customer names, email addresses, Twitter credentials, and more.

Read on to learn more. 

Summer Vacation Plans? Be Safe When Connecting!

Even a simple QR scan on your smartphone or insertion of a USB stick into your laptop can open you up to unexpected threats.

Malicious Macro Hijacks Desktop Shortcuts to Deliver Backdoor

Despite being around for decades, cybercriminals are still using malicious macro to deliver malware, albeit in more creative ways to make them more effective. The threat actors behind a recent case used macro in a more roundabout way, with a macro that searches for specific shortcut files in the user’s system, which it replaces with one that points to its downloaded malware. 

Down but Not Out: A Look Into Recent Exploit Kit Activities

Exploit kits may be down, but they’re not out. While they’re still using the same techniques that involve malvertisements or embedding links in spam and malicious or compromised websites, their latest activities are making them significant factors in the threat landscape again. 

How ransomware democratized cyber weapons, warfare

At any given moment, there are between 190-200 countries in the world. For now, nine countries have nuclear capabilities (although Israel will neither confirm nor deny). According to the Arms Control Association, there are about 14,500 nuclear warheads. Russia and the United States have 90 percent of the total arsenal. 

Big Tech Plans to Fight Back Against California’s Sweeping New Data Privacy Law

Tech companies are pushing back on the new California data privacy law that forces companies to tell consumers what personal data they store, why they’re storing and with whom they’re sharing it. 

The Safety of Your Data On Social Media

Social media can be a fantastic way to engage with various communities, stay in touch with family & friends, and to expand your perspective. Unfortunately, there are down sides as well. 

AI Tips Off Regulators to Possible EU Data Privacy Faults

Some of the world’s largest technology companies might be breaking the European Union’s new data privacy law, according to an analysis of their policies conducted by artificial intelligence software. 

Check Your Accounts: Typeform Announces Breach, Affected Organizations Pile Up

Online survey and data collection firm Typeform announced on June 27 that an unknown attacker gained access to their server and downloaded customer data backed up on June 3. 

Adidas Warns U.S. Online Shoppers to be on Alert After Data Breach

Adidas placed a warning to its millions of online U.S. shoppers that their personal information may have been accessed during a suspected data breach. 

California Lawmakers Unanimously Pass Online Privacy Bill

California lawmakers passed a new data privacy law that gives consumers more control over their data and insight into businesses’ data collection and sharing practices. 

LTE Wireless Connections Used by Billions Aren’t as Secure as We Thought

Researchers are publicly identifying weaknesses in the Long Term Evolution mobile device standard used that allow attackers to send nearby users to malicious websites and fingerprint the sites they visit. 

Linking the Enterprise to Social Media Security

Committing to social media security can mitigate some of the platform’s threats without closing off the opportunities it brings.

Did you know that social media platforms automatically place filters on your photos or videos? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Security and Safety on Social Media appeared first on .

European Parliament Calls for Suspension of EU-U.S. Privacy Shield Unless U.S. Can “Fully Comply”

On July 5, 2018, the European Parliament issued a nonbinding resolution (“the Resolution”) that calls on the European Commission to suspend the EU-U.S. Privacy Shield unless U.S. authorities can “fully comply” with the framework by September 1, 2018. The Resolution states that the data transfer mechanism does not provide the adequate level of protection for personal data as required by EU data protection law. The Resolution takes particular aim at potential access to EU residents’ personal data by U.S. national security agencies and law enforcement, citing the passage of the CLOUD Act as having “serious implications for the EU, as it is far-reaching and creates a potential conflict with the EU data protection laws.”

The Resolution also cites recent revelations surrounding Facebook and Cambridge Analytica, both Privacy Shield-certified companies, as “highlight[ing] the need for proactive oversight and enforcement actions,” including “systematic checks of the practical compliance of privacy policies with the Privacy Shield principles,” and calls on EU data protection authorities to suspend data transfers for non-compliant companies.

The Resolution comes on the heels of the FTC’s recent settlement with California company ReadyTech for alleged misrepresentations in its privacy policy about the status of the company’s Privacy Shield certification. The Resolution is nonbinding, and the European Commission, through its spokesperson, reportedly has stated that a suspension of the framework is not warranted at this time.

Optimizing Lifted Bitcode with Dead Store Elimination

Tim Alberdingk Thijm

As part of my Springternship at Trail of Bits, I created a series of data-flow-based optimizations that eliminate most “dead” stores that emulate writes to machine code registers in McSema-lifted programs. For example, applying my dead-store-elimination (DSE) passes to Apache httpd eliminated 117,059 stores, or 50% of the store operations to Remill’s register State structure. If you’re a regular McSema user, then pull the latest code to reap the benefits. DSE is now enabled by default.

Now, you might be thinking, “Back it up, Tim, isn’t DSE a fundamental optimization that’s already part of LLVM?” You would be right to ask this (and the answer is yes), because if you’ve used LLVM then you know that it has an excellent optimizer. However, despite LLVM’s excellence, the truth is that, like any optimizer, LLVM can only cut instructions it knows to be unnecessary. The Remill dead code eliminator has the advantage of possessing more higher-level information about the nature of lifted bitcode, which lets it be more aggressive than LLVM in performing its optimizations.

But every question answered just raises more questions! You might now be thinking, “LLVM only does safe optimizations. This DSE is more aggressive… How do we know it didn’t break the lifted httpd program?” Fear not! The dead store elimination tool is specifically designed to perform a whole-program analysis on lifted bitcode that has already been optimized. This ensures that it can find dead instructions with the maximum possible context, avoiding mistakes where the program assumes some code won’t be used. The output is a fully-functioning httpd executable, minus a mountain of useless computation.

What Happens When We Lift

The backbone of Remill/McSema’s lifted bitcode is the State structure, which models the machine’s register state. Remill emulates reads and writes to registers by using LLVM load and store instructions that operate on pointers into the State structure. Here’s what Remill’s State structure might look like for a toy x86-like architecture with two registers: eax and ebx.

struct State {
  uint32_t eax;
  uint32_t ebx;
};

This would be represented in LLVM as follows:

%struct.State = type { i32, i32 }

Let’s say we’re looking at a few lines of machine code in this architecture:

mov eax, ebx
add eax, 10

A heavily-simplified version of the LLVM IR for this code might look like this:

The first two lines derive pointers to the memory backing the emulated eax and ebx registers (%eax_addr and %ebx_addr, respectively) from a pointer to the state (%state). This derivation is performed using the getelementptr instruction, and is equivalent to the C code &(state->eax) and &(state->ebx). The next two lines represent the mov instruction, where the emulated ebx register is read (load), and the value read is then written to (store) the emulated eax register. Finally, the last three lines represent the add instruction.

We can see that %ebx_0 is stored to %eax_ptr and then %eax_0 is loaded from the %eax_ptr without any intervening stores to the %eax_ptr pointer. This means that the load into %eax_0 is redundant. We can simply use %ebx_0 anywhere that %eax_0 is used, i.e. forward the store to the load.

Next, we might also notice that the store %ebx_0, %eax_ptr instruction isn’t particularly useful either, since store %eax_1, %eax_ptr happens before %eax_ptr is read from again. In fact, this is a dead store. Eliminating these kinds of dead stores is what my optimization focuses on!

This process will go on in real bitcode until nothing more can be forwarded or killed.

So now that you have an understanding of how dead store elimination works, let’s explore how we could teach this technique to a computer.

As it turns out, each of the above steps are related to data-flow analyses. To build our eliminator, we’re going to want to figure out how to represent these decisions using data-flow techniques.

Building the Eliminator

With introductions out of the way, let’s get into how this dead code elimination is supposed to work.

Playing the Slots

The DSE pass needs to recognize loads/stores through %eax_ptr and %ebx_ptr as being different. The DSE pass does this by chopping up the State structure into “slots”, which roughly represent registers, with some small distinctions for cases where we bundle sequence types like arrays and vectors as one logical object. The slots for our simplified State structure are:

After chopping up the State structure, the DSE pass tries to label instructions with the slot to which that instruction might refer. But how do we even do this labelling? I mentioned earlier that we have deeper knowledge about the nature of lifted bitcode, and here’s where we get to use it. In lifted bitcode, the State structure is passed into every lifted function as an argument. Every load or store to an emulated register is therefore derived from this State pointer (e.g. via getelementptr, bitcast, etc.). Each such derivation results in a new pointer that is possibly offsetted from its base. Therefore, to determine the slot referenced by any given pointer, we need to calculate that pointer’s offset, and map the offset back to the slot. If it’s a derived pointer, then we need to calculate the base pointer’s offset. And if the base pointer is derived then… really, it’s just offsets all the way down.

And They Were Slot-mates!

The case that interests us most is when two instructions get friendly and alias to the same slot. That’s all it takes for one instruction to kill another: in Remill, it’s the law of the jungle.

To identify instructions which alias, we use a ForwardAliasVisitor (FAV). The FAV keeps track of all the pointers to offsets to the state structure and all the instructions involving accesses to the state structure in two respective maps. As the name implies, it iterates forward through the instructions it’s given, keeping a tally if it notices that one of the addresses it’s tracking has been modified or used.

Here’s how this information is built up from our instructions:

Each time the FAV visits an instruction, it checks if updates need to be made to its maps.

The accesses map stores the instructions which access state offsets. We’ll use this map later to determine which load and store instructions could potentially alias. You can already see here that the offsets of three instructions are all the same: a clear sign that we can eliminate instructions later!

The offsets map ensures the accesses map can get the right information. Starting with the base %state pointer, the offsets map accumulates any pointers that may be referenced as the program runs. You can think of it as the address book which the loads and stores use to make calls to different parts of the state structure.

The third data structure shown here is the exclude set. This keeps track of all the other values instructions might refer to that we know shouldn’t contact the state structure. These would be the values read by load instructions, or pointers to alloca’d memory. In this example, you can also see that if a value is already in the offsets map or exclude set, any value produced from one such value will remain in the same set (e.g. %eax_1 is excluded since %eax_0 already was). You can think of the exclude set as the Do-Not-Call list to the offset map’s address book.

The FAV picks through the code and ensures that it’s able to visit every instruction of every function. Once it’s done, we can associate the relevant state slot to each load and store as LLVM metadata, and move on to the violent crescendo of the dead code eliminator: eliminating the dead instructions!

You’ll Be Stone Dead In a Moment

Now it’s time for us to pick through the aliasing instructions and see if any of them can be eliminated. We have a few techniques available to us, following a similar pattern as before. We’ll look through the instructions and determine their viability for elimination as a data-flow.

Sequentially, we run the ForwardingBlockVisitor to forward unnecessary loads and stores and then use the LiveSetBlockVisitor to choose which ones to eliminate. For the purpose of this post, however, we’ll cover these steps in reverse order to get a better sense of why they’re useful.

Live and Set Live

The LiveSetBlockVisitor (LSBV) has the illustrious job of inspecting each basic block of a module’s functions to determine the overall liveness of slots in the State. Briefly, live variable analysis allows the DSE to check if a store will be overwritten (“killed”) before a load accesses (“revives”) the slot. The LiveSet of LSBV is a bitset representing the liveness of each slot in the State structure: if a slot is live, the bit in the LiveSet corresponding to the slot’s index is set to 1.

The LSBV proceeds from the terminating blocks (blocks ending with ret instructions) of the function back to the entry block, keeping track of a live set for each block. This allows it to determine the live set of preceding blocks based on the liveness of their successors.

Here’s an example of how an LSBV pass proceeds. Starting from the terminating blocks, we iterate through the block’s instructions backwards and update its live set as we do. Once we’re finished, we add the block’s predecessors to our worklist and continue with them. After analyzing the entry block, we finish the pass. Any stores visited while a slot was already dead can be declared dead stores, which we can then remove.

In order to avoid any undefined behaviour, the LSBV had a few generalizations in place. Some instructions, like resume or indirectbr, that could cause uncertain changes to the block’s live set conservatively mark all slots as live. This provides a simple way of avoiding dangerous eliminations and an opportunity for future improvements.

Not To Be Forward, But…

Our work could end here with the LSBV, but there are still potential improvements we can make to the DSE. As mentioned earlier, we can “forward” some instructions by replacing unnecessary sequences of storing a value, loading that value and using that value with direct use of the value prior to the store. This is handled by the ForwardingBlockVisitor, another backward block visitor. Using the aliases gathered by the FAV, it can iterate through the instructions of the block from back to front, keeping track of the upcoming loads to each slot of the State. If we find an operation occurs earlier that accesses the same slot, we can forward it to cut down on the number of operations, as shown in the earlier elimination example.

Doing this step before the LSBV pass allows the LSBV to identify more dead instructions than before. Looking again at our example, we’ve now set up another store to be killed by the LSBV pass. This type of procedure allows us to remove more instructions than before by better exploiting our knowledge of when slots will be used next. Cascading eliminations this way is part of what allows DSE to remove so many instructions: if a store is removed, there may be more instructions rendered useless that can also be eliminated.

A DSE Diet Testimonial

Thanks to the slimming power of dead store elimination, we can make some impressive cuts to the number of instructions in our lifted code.

For an amd64 Apache httpd, we were able to generate the following report:

Candidate stores: 210,855
Dead stores: 117,059
Instructions removed from DSE: 273,322
Forwarded loads: 840
Forwarded stores: 2,222
Perfectly forwarded: 2,836
Forwarded by truncation: 215
Forwarded by casting: 11
Forwarded by reordering: 61
Could not forward: 1,558
Unanalyzed functions: 0

An additional feature of the DSE is the ability to generate DOT diagrams of the instructions removed. Currently, the DSE will produce three diagrams for each function visited, showing the offsets identified, the stores marked for removal, and the post-removal instructions.

DOT diagrams are produced that show eliminated instructions

Still Hungry for Optimizations?

While this may be the end of Tim’s work on the DSE for the time being, future improvements are already in the pipeline to make Remill/McSema’s lifted bitcode even leaner. Work will continue to handle cases that the DSE is currently not brave enough to take on, like sinking store instructions when a slot is only live down one branch, handling calls to other functions more precisely, and lifting live regions to allocas to benefit from LLVM’s mem2reg pass.

Think what Tim did was cool? Check out the “intern project” GitHub issue tags on McSema and Remill to get involved, talk to us on #binary-lifting channel of the Empire Hacking Slack, or reach out to us via our careers page.

Tim is starting a PhD in programming language theory this September at Princeton University, where he will try his hand at following instructions, instead of eliminating them.

Wisconsin County Reveals Phishing Attack Most Likely to Blame for Data Breach

A county in Wisconsin revealed that a phishing attack was most likely to blame for a data breach of some service recipients’ personal information. On 22 June, Manitowoc County posted a statement about the incident to its website. County officials wrote that they first learned of the attack on 24 April. Upon discovery of the […]… Read More

The post Wisconsin County Reveals Phishing Attack Most Likely to Blame for Data Breach appeared first on The State of Security.

Dejan Lovren’s social media account hacked

Credits: Reuters
Dejan Lovren who can currently be seen playing for Croatia in this summer’s World Cup has been winning many hearts, however, it has now been announced that a fan hacked into Lovren’s social media accounts to get private information.

Lovren was made aware of the hack when private documents were being circulated by the hacker to other footballers using Lovrens contacts list. The other footballers reported this and Lovren reported the hack to the police. The police then arrested 22-year-old Peter Doswell from the Scottish Borders for the hack.

About 150 family videos belonging to the Liverpool defender's family, an image of his identity card, financial details, eight text documents related to property purchase and a letter from his club bearing his address were found on the computer of Peter Doswell of Selkirk.

Peter Doswell also accessed private details of Lovren's Liverpool teammates Adam Lallana and Emre Can. He had then sent messages on their personal social media accounts and mobile phones asking them personal questions.

Doswell, a Liverpool fan who was said to have a low IQ, pleaded guilty at Selkirk sheriff court to knowingly cause a computer to perform a function with intent to secure unauthorised access to a program or data. This offence was committed at his home in April last year.

His lawyer Mark Harrower described it as an "unusual case" and said his client was "not an experienced hacker."

There were phishing software and hacking tools found on the culprit’s computer through which he hacked accounts. He suggested a third party was involved given the level of expertise required but that Doswell had gone along with it and had carried out some of the actions himself.

According to reports, Doswell has been a part of similar hacks in the past and is not new to hacking celebrities specifically targeting footballers.

Doswell was ordered to carry out 225 hours unpaid work and put under supervision for 27 months.

US is the most vulnerable nation to attacks; White House working on executive order for agency CIOs

US is the most vulnerable nation to attacks; White House working on executive order for agency CIOs

Enterprises are not the only ones at risk when it comes to cyberattacks. Government institutions can also fall victim to a nation-state attack at any time. Digital frameworks are still very vulnerable and, quite surprisingly, the US has been declared the most vulnerable nation by Rob Knake, the official in charge of the country’s cybersecurity policy during Barack Obama’s administration.

“We are going to be less reactive to incoming cyberattacks because we have more to lose and we’re in a democratic society that is going to force government to take certain responses,” Knake said at the Council on Foreign Relations. “That’s not true of China, Russia, Iran or North Korea.”

While the Obama administration allegedly carried out the famous Stuxnet attack on Iran’s nuclear program, it has been accused of introducing a rather laid-back approach to cyber policy. The Donald Trump administration wants to release an executive order to redefine the role of agency CIOs, as part of an IT modernization strategy.

The bizarre twist is that the executive order they’re working on will not include CIO authorities in the Defense Department, although Congress has been pushing to redefine CIO authority and responsibilities to make them more strategic and aggressive. According to the Defense Authorization Bill signed this year by President Donald Trump, the CIO has to be appointed by the president and confirmed by the Senate. It’s still unclear why the Defense Department has not been included.

Former officials have anonymously commented on the executive order which, in their opinion, brings few additions to other plans that have been presented in the past 15 years.

By enforcing the executive order, the administration’s goal is to enhance “the management and oversight of federal IT by designating the chief information officer of each covered agency as the primary point of responsibility and accountability for management of IT resources within that agency. The agency chief information officer should be the key strategic advisor to the agency head concerning the use of IT to accomplish the agency’s mission, reduce cybersecurity risks, and improve efficiency,” the draft EO states.

“Consistent with statute, the agency chief information officer should play a central role in all annual and multi-year planning, programming, budgeting, acquisition, and oversight processes related to IT. As such, the agency chief information officer should establish an enterprise wide technology roadmap and govern its execution. This requires the latitude to operate across agency component organizations and to drive the enterprise wide consolidation and modernization of the agency’s IT portfolio.”

The hunter becomes the hunted: How cyber counterintelligence works

Corporate cybersecurity is one of the biggest headaches for any company. Not just because data and information about their clients, users, or providers may be put at risk. Competitiveness can also be seriously damaged by the loss of confidential internal information.

We always think that cyberattacks against businesses are carried out by third parties with no direct relationship to the company, with the sole purpose of selling that information. But, what about when the cybercriminal is from a rival company, or even a country’s government? And what about when the cyberattack aims to steal information that will directly endanger the business model and the projects of the company that is the victim of the attack?

This is where we start to see a practice that, while not widespread, is beginning to become more significant among larger companies: cyber counterintelligence.

What is cyber counterintelligence?

Counterintelligence takes as a jumping off point one basic premise: if someone is going to attack your company, the best defense is a good offense. This is why, instead of acting preventively or reactively, this kind of company prefers to change things up, and catch the cybercriminal as they take their first steps.

This strategy can be carried out in several ways:

1.- Leaving their doors “open”. A company may leave an access point apparently deactivated or unprotected. This way, the cybercriminal will find this gap, and think that they are getting right to the core of the company and all its information.

2.- Fake information If the cybercriminal takes advantage of this gap, it is likely that they will find apparently confidential information. What they don’t know is that that the door wasn’t that “open” after all, and the information they’ve found isn’t that confidential. What has actually happened is that the company has tricked them, leaving fake documents for them to find.

3.- Keep them busy while they’re stealing However, as long as the cybercriminals think they are out of sight and have access to information, they will snoop around as they please. What they don’t know is that, all the while, the company that is apparently experiencing a cyberattack is actually watching, obtaining information about the attacker in order to take possible measures against them.

The drawbacks of counterintelligence

It may seem like counterintelligence promises to be the perfect solution to avoid endangering a company’s cybersecurity. But the truth is that there are several drawbacks:

1.- It isn’t available to everyone. If a company wants to carry out cyber counterintelligence, it must have a team dedicated to the task. And it goes without saying that that is something that only large budgets can afford.

2.- The possibility of failure. If a company decides to “play” at counterintelligence, it must be willing to accept the rules: it could lose. Because the cybercriminals may be aware that they’re being watched, and so, while they pretend to be acting where they can be monitored, they’re actually getting in through another entrance.

3.- Legal conflicts. Counterintelligence is no trifling matter: at times is can entail breaking some laws, meaning that any company that carries it out could become involved in some serious legal problems.

4.- Diplomatic conflicts. In some cases, cyberattacks between companies occur when two companies from different countries are competing for the same project or the same contract. When this happens, cyber counterintelligence can cause a diplomatic clash with the government of the country where the rival company is based.

As such, companies that really want to protect their company’s cybersecurity must use less delicate, more secure methods. One example of this is Panda Adaptive Defense, a solution that not only acts both preventively and reactively, but also stops unauthorized access and protects companies from any kind of breach in their cybersecurity. Thanks to continuous monitoring of all the processes on the corporate network, Panda Adaptive Defense is able to stay ahead of cybercriminals, activating its protection systems before the attack happens.  Our advanced cybersecurity solution guarantees a higher level of protection, without the need to use riskier techniques like counterintelligence.

The post The hunter becomes the hunted: How cyber counterintelligence works appeared first on Panda Security Mediacenter.

A Bunch Of Robots – Application Security Weekly #22

This week, Keith is joined by James Wickett from Signal Sciences to interview Thomas GX, CEO of Yelda and Founder of CommitStrip! In the news, Keith and James talk GitHub Hackers, Ticketmaster breach, Sniffing network traffic, and more on this episode of Application Security Weekly!

 

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode22

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

 

→Visit our website: https://www.securityweekly.com

→Follow us on Twitter: https://www.twitter.com/securityweekly

→Like us on Facebook: https://www.facebook.com/secweekly

Is Article 13 about to ruin the Internet?

European lawmakers were set to vote on changes on the 5th July that will dramatically increase Internet regulation. Perhaps the biggest proposed change is the introduction of Article 13 which is intended to improve copyright protection.

Under the terms of Article 13, any Internet platform that hosts “large amounts” of user-uploaded content is expected to monitor every submission. This means identifying and removing any content that infringes copyright.

Blocking copyright infringement is good…

Content creators – like musicians and filmmakers – rely on their work to provide an income. When people reuse that content, the original creator loses out. Some people would say that it is no different to stealing food from your local supermarket.

Obviously protecting copyright is incredibly important to these people. And it is for their protection that Article 13 has been created.

…but auto-blocking isn’t

According to the latest statistics, 60 hours of videos are uploaded to YouTube every minute. It would be physically impossible to employ people to check each film for copyright infringements (unlicensed clips or background music). Instead, content platform owners like Facebook, Flickr and YouTube will need to develop an automated system to analyse content as it is uploaded.

The problem is that automated systems tend to be pretty poor. YouTube has tried content scanning in the past – Content ID – which was notorious for creating false positives, blocking perfectly legitimate movies in the process.

A more sinister future?

Some Internet experts are concerned about the longer term implications of Article 13, suggesting that the new regulations could be misused. They believe that the law creates a new surveillance framework that could be easily subverted by totalitarian governments to curb free speech.

Internet blackouts and bans on sites that are perceived as anti-government are already a regular occurrence in Turkey, Iran and China. These experiences suggest that the fear of government interference is not entirely unwarranted.

Linking to sites could be expensive

Have you ever shared a link to a news article on your Facebook page? Another update to the regulation – Article 11 – defines a new tax on platforms for linking to news articles. In future, Facebook could be charged because you share a link to a BBC News story.

With millions of pages being shared every day, Facebook will face a huge bill for the activities of their users. In order to protect their profits, Facebook may ban links to news websites, or even charge users for the service.

Decision time

The proposed changes have already passed scrutiny and will be approved (or denied) by MEPs today. Article 13 (and other amendments) will then be written into law and applied by all member states in due course. Importantly firms based outside the European Union will be expected to adhere to the new regulations.

Unfortunately, it is almost impossible to plan for the new regulation because the European Union has not specified exactly how the link tax or copyright filter will work. Should Articles 11 and 13 become law, the way you use the web may change forever.

Download Panda FREE VPN

The post Is Article 13 about to ruin the Internet? appeared first on Panda Security Mediacenter.

Weekly Update 94

Presently sponsored by: Matchlight by Terbium Labs: Know when your exact data appears on the dark web. Contact us for a demo today.

Weekly Update 94

It's a week of tweets! I only wrote the one short blog post this week, but I spent a heap of time on the Twitters arguing with people instead so... that's something? But seriously, there was a huge amount of discussion around HTTPS in particular and some very vocal opinions around its usefulness (or lack thereof), which frankly, had myself and many others tearing their hair out. I'll prepare some great demos over the next few days to illustrate the problems which just seem to be going over the heads of many people. It'll be a fun blog post 😃

For now though, here's this week's update which talks through many of the issues covered in those tweets not just as it relates to HTTPS, but also beer, MD5 password hashes, giving another party access to your Gmail (hint: it actually gives them access to your Gmail!) and my 8th MVP award which landed this week.

Weekly Update 94
Weekly Update 94
Weekly Update 94

References

Given most of these are just tweets, I'm going to embed them here then bullet point the other things further down:

  1. China's massive DDoS cannon against GitHub (this was distributed by exploiting unencrypted traffic)
  2. It's year 8 for MVP! (this program has been a pivotal part of what I do and it's great to remain a part of it)
  3. Gold Security is sponsoring my blog this week (big thanks to those guys for their ongoing support!)

Password-Guessing Was Used to Hack Gentoo Linux Github Account

Maintainers of the Gentoo Linux distribution have now revealed the impact and "root cause" of the attack that saw unknown hackers taking control of its GitHub account last week and modifying the content of its repositories and pages. The hackers not only managed to change the content in compromised repositories but also locked out Gentoo developers from their GitHub organisation. As a result