Daily Archives: July 9, 2018

How to save data

Our smartphones are latched to us at all times and we constantly spend time online. From using applications to searching the web, we spend at least a few hours a day connected to the internet. But at what cost? While wifi becomes more and more accessible, using data is still the go-to for many people on the go.

While some data plans are unlimited, many are restricted to 3-20 GB of data. When it comes to saving data, there are a few things to take into account. We’ll show you which apps are killing your data plan, how much data you really need and tips to keep your data usage down.

Now that you are an expert on how to save data, take a few minutes to update your settings and reflect on what apps you can cut down on. Remember to use safe, private wifi when you can, and to toggle off cellular data for apps that are rarely used. These tips can save you money on your cellular bill and battery life for your devices.

Sources:
Ting | Confused | Tech Walla | Lifehacker | CNET | Digital Trends | Whistle Out | Time | Apple | iMore |

The post How to save data appeared first on Panda Security Mediacenter.

Women in Information Security: Roxy Dee

Last time, I had the pleasure of speaking with Rebecca Herold. She’s a long-time cybersecurity industry veteran and the founder of SIMBUS, LLC. This time, I got to talk with Roxy Dee. As a professional in vulnerability management, she knows that it takes a lot more work than just patching. She also has a […]… Read More

The post Women in Information Security: Roxy Dee appeared first on The State of Security.

Patch Tuesday, July 2018

July's Patch Tuesday is here with patches for 53 CVEs and the standard roll up of patches for critical remote code execution vulnerabilities in Adobe Flash. Of those 53 CVEs patched, 17 are rated "Critical", 34 are rated "Important" and...

Apple Releases Multiple Security Updates

Original release date: July 09, 2018

Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

NCCIC encourages users and administrators to review Apple security pages for the following products and apply the necessary updates:




The 111 Million Record Pemiblanc Credential Stuffing List



One of the most alarming trends I've seen in the world of data breaches since starting Have I Been Pwned (HIBP) back in 2013 is the rapid rise of credential stuffing attacks. Per the definition in that link, it simply means this:

Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts.

This form of attack relies on a combination of people reusing the same password across services and then the services themselves allowing automated attacks like this to happen. The first part of that is a simple fix we all have control of as individuals but is extremely hard to address as service operators: people need to stop reusing passwords. Go and get a password manager (I use 1Password), generate random strings for passwords, job done. (Of course, use 2 factor authentication everywhere you can too.)

The second part of the problem - services allowing this to happen - is much more nuanced because what we're saying here is "someone comes to your website with the correct username and password but they're not the legitimate owner of the credentials therefore you should keep them out". This is a hard problem and I'm enormously sympathetic to organisations on the receiving end of these highly automated attacks; there's a lot of support burden that falls back to them after someone has their account taken over due to an attack of this nature and they can be held liable for it. Earlier this year, the FTC in the USA brought a case against an organisation that was the target of a credential stuffing attack and they had this to say:

The FTC's message is loud and clear: If customer data was put at risk by credential stuffing, then being the innocent corporate victim is no defence to an enforcement case.

This is the primary reason I created the Pwned Passwords service last year so that website operators could block people from using passwords that have previously appeared in breaches. That service now receives over 9 million requests a day with many more querying the downloadable data set. It's a simple yet effective tool.

But onto the topic at hand:

I've just loaded 111 million email addresses found in a credential stuffing list called "Pemiblanc" into HIBP.

I had multiple different supporters of HIBP direct me to this collection of data which resided on a web server in France and looked like this:


That site has now been taken down and the data no longer accessible, but per the image above you can see the files dating it around early April. The "USA" folder above contained a loosely organised set of files filled with email address and password pairs:


That one file alone had millions of records in it and due to the nature of password reuse, hundreds of thousands of those at least will unlock all sorts of other accounts belonging to the email addresses involved.

The data was predominantly located in the "USA" folder although it's difficult to know just how much of it actually belongs to American owners. The domains on the email addresses in the image above tell us nothing about the geographic nature of where the owners are based; the reality of it is that this data will likely be from all over the world as it's likely cobbled together from multiple different data breaches. There were other folders in the data set, for example one named "test_split_40" with the first 40 rows containing email addresses all beginning with "bushsucks" followed by various things which, allegedly, Bush sucks.

There are other (much larger) credential stuffing lists already in HIBP, for example the Exploit.in and Antipublic lists I wrote about last year which contained more than a billion records between them. As such, I'm always cautious that I'm not just loading in the same data re-branded as something else. The Pemiblanc list contained 6.8 million email addresses that I've never seen in HIBP before. Of the ones that already were in the system, many were in those aforementioned lists from last year but a substantial number weren't, they were from other data breaches. There were also 50 million passwords that weren't already in the Pwned Passwords list which, given I had over 500 million in there already, is a substantial number (and yes, I do plan to release a V3 of this shortly including these new ones). So in short, there was sufficient new material in this list to justify loading the data.

Edit: I've just released V3 of Pwned Passwords and noted in there that the actual number of unique Pemiblanc passwords was 3.3M. The 50M number was calculated in error due to the presence of control characters (tabs and line returns) that appeared during the data import.

This blog post will be referenced when I make the data live in a moment and inevitably the same 2 questions will come up from people who find themselves pwned:

Which site leaked my account information and what can I do about it?

The answer to the first question is simply "I have no idea". There's nothing in the data to indicate sources short of me trying to imply it from the email address or password and even then, the reality is that these lists are constructed from many different data breaches - there will be no single source. But I do have the answer to the second question:

Go and get a password manager and make all your passwords strong and unique.

The entire value proposition of credential stuffing lists goes away when people do this and the impact of a data breach is constrained to that single site rather than putting all your accounts at risk. I first wrote about password managers 7 years ago when I concluded that the only secure password is the one you can't remember and that advice is more important today than ever before.

Lists like this serve as a reminder of how our data is abused and why good password hygiene is so important. There are always a small number of people who are upset after a list such as this is loaded into HIBP because they don't have information about what the password is (I never store this against an account in HIBP) nor the site it originally came from. But for the vast majority of people, it's awareness value and hopefully, it's the push they need to go and get that password manager. And just because I know people will ask, here are all the reasons I don't make passwords available via HIBP.

The entire 111 million records are now searchable in HIBP.

Edit (10 Jul): I'm working to fast-track V3 of Pwned Passwords which includes this data so that everyone has a way of checking their specific passwords against the service. You'll be able to check one-by-one using the existing web interface, in bulk if you want to script it against the API, from directly within 1Password 7 on the desktop against all stored passwords or via any other service integrating with the API. It will take a day or 2, but I'm on it.

Edit (13 Jul): All passwords from this incident are now searchable in Pwned Passwords. You can check them one by one on the website, script it out using the API or if you're a 1Password user, check them all in the Watchtower feature in V7 on the desktop.
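The "script it against the API" option above refers to the Pwned Passwords range endpoint, which takes only the first five characters of a password's SHA-1 hash and returns every known suffix for that prefix. The following is an added example, not code from HIBP or this post; it assumes the `https://api.pwnedpasswords.com/range/<prefix>` endpoint and uses a constructed range response so it runs offline.

```python
"""Check a password against Pwned Passwords via the k-anonymity range API."""
import hashlib
import urllib.request

# Constructed stand-in for a range response. The real API returns one line per
# hash sharing the queried 5-character prefix, formatted "<35-char suffix>:<count>".
# The first suffix is the genuine remainder of SHA-1("password"); the counts and
# the other two suffixes are made up for this example.
SAMPLE_RANGES = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2",
        "0000000000000000000000000000000ABCD:1",
    ]),
}


def sha1_hex_upper(password: str) -> str:
    """Pwned Passwords keys on the upper-case hex SHA-1 of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range(digest: str):
    """Only the 5-char prefix leaves the client; the 35-char suffix stays local."""
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Turn the 'SUFFIX:COUNT' lines of a range response into a dict."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def lookup_sample(prefix: str) -> str:
    """Offline lookup against the constructed sample above."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def lookup_live(prefix: str) -> str:
    """Real lookup (network). Not called by default; swap in via the lookup arg."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"User-Agent": "example-pwned-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, lookup=lookup_sample) -> int:
    """Number of times the password appeared in breaches (0 if never seen)."""
    prefix, suffix = split_for_range(sha1_hex_upper(password))
    # The full hash is never sent; the suffix match happens on our side.
    return parse_range(lookup(prefix)).get(suffix, 0)


def is_acceptable(password: str, lookup=lookup_sample, max_seen: int = 0) -> bool:
    """Registration policy: reject passwords seen more than max_seen times."""
    return pwned_count(password, lookup) <= max_seen


if __name__ == "__main__":
    for candidate in ("password", "zq7$Vn!pLw2#hdK9"):
        print(candidate, "seen", pwned_count(candidate), "times;",
              "acceptable" if is_acceptable(candidate) else "rejected")
```

Passing `lookup=lookup_live` to `pwned_count` performs the real query; the prefix-only request is what lets the check run without revealing the password or its full hash to the service.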

Optimizing A Monitoring System: Three Methods for Effective Incident Management

Picture this: You’ve just returned from a well-deserved vacation and, upon opening your security monitoring system, you’re faced with the prospect of analyzing thousands of events.

This isn’t an imaginary scenario; the security monitoring world (and monitoring in general) is full of anomalies that trigger events. These may represent a real problem or just a slight change in someone’s day-to-day behavior that happens to trigger an alert.

Regardless of the cause, it forces you to sift through large numbers of incidents to figure out which are high priority and which aren’t.

In this post, we’ll highlight three effective methods that can be used to alleviate this problem, based on real-world examples.

Real Value Incidents

The biggest question in the monitoring world is which anomalies should trigger an incident. One of the challenges a security operations team faces is finding relevant and meaningful incidents among too many false positives. To answer this question, we also need to ask ourselves how we define an incident. That depends on the system domain. The actual decision requires high-level knowledge of the domain and may require complex algorithms that, based on that definition, highlight what is really interesting.

For example, in the insider threat domain, a system identifies that a user has performed an action on a database for the first time. This is an anomaly since it never occurred before, but is it a real security incident? In order to answer this question, we have to classify the user as well as the database and correlate these two. This allows insights you wouldn’t get at face value.

Grouping of Incidents

Once the real-value incidents are identified, one way of reducing the number of incidents that need to be managed is by grouping them into narratives to describe a specific phenomenon that security engineers can handle as one. Although each individual incident is valid, when grouped together, an even larger, more manageable narrative appears that can be dealt with as one – the sum is greater than its parts.

The two types of groupings:

  1. By incident type. For example, ‘a service account was abused by multiple users’. This implies that the service account is accessible to a community, which is bad practice. Handling this phenomenon could mean changing the permissions of that account.
  2. Grouping different types of incidents that together represent a certain narrative. For example, a user has abused a specific database account, accessed several application tables and accessed a large number of files. This implies that the user may be compromising the enterprise’s data. Handling this could mean assessing the user and their behavior.

An Imperva CounterBreach customer data example shows how grouping reduces the number of events to deal with. The number of incidents grows continuously, whereas the number of groups grows more slowly and eventually levels off.

Figure 1: 13 groups instead of 377 incidents

Incident Priority Scoring

Traditional prioritization of security incidents is usually done by classification into severities (critical, high, medium, low). This type of classification doesn’t provide a clear decision on what should be done first. Let’s say there are 10 incidents classified as critical. All of them must be treated immediately, but which should be first?

The suggested solution is to set a priority score for each incident on a range of 0 to 100. Different criteria within the incident add scores — different calculation methods can be used — and the priority score is the end result.

Example: The traditional severity for incident ‘Excessive Database Record Access’ is high as this implies data theft.

Two incidents of this type are raised which, at first glance, might be treated with the same urgency, but are they really the same?

Let’s now look more closely at the details:

  1. A human user has accessed 105000 records in a database in a production environment.
  2. A human user has accessed 100000 records in a regular database in a staging environment.

The details clearly indicate that the first incident should be treated before the second one, as it poses a greater threat.

Using the new method:

  • Incident type: excessive database record access = 70.
  • Number of records accessed > 100000 – Add +5.
  • Database is in a production environment – Add +10.

Based on the above, the first incident’s final priority score is 85 whereas the second incident’s final priority score is 70.

Scoring can be done on groups as well

Deciding on the score criteria and values is a fundamental factor of whether the ordering of the incidents guides to the correct prioritization. It requires in-depth knowledge of the subjects being monitored.

Applying the described methods

Each of these methods on its own reduces the number of incidents you need to deal with; however, it is best to implement all three.

As seen in our examples, the number of incidents with real value may still be high, especially if you have broad coverage. Grouping incidents can dramatically reduce the number of issues to deal with, but you will still want to know which incidents or groups of incidents to handle first. Setting scores takes care of that.
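The grouping and scoring methods described above, carried through on a constructed set of incidents. This is an added example, not Imperva CounterBreach code; the 70-point base and the +5/+10 modifiers are the page's figures, while the other base scores, the incident fields and the rule that a group inherits its highest member score are assumptions made for the example.

```python
"""Grouping and priority scoring for security monitoring incidents."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Incident:
    ident: str
    itype: str            # incident type
    user: str             # account the incident is attributed to
    details: dict = field(default_factory=dict)


# Base score by incident type. 70 for excessive record access is the page's
# figure; the other two values are assumed for this example.
BASE_SCORE = {
    "excessive_db_record_access": 70,
    "service_account_abuse": 60,
    "excessive_file_access": 50,
}

# Criteria that add to the base score: (label, predicate over details, points).
# Both modifiers are the ones given in the post.
MODIFIERS = [
    ("records accessed > 100000", lambda d: d.get("records", 0) > 100000, 5),
    ("production environment", lambda d: d.get("environment") == "production", 10),
]


def priority_score(inc: Incident) -> int:
    """Base score plus every applicable modifier, clamped to the 0..100 range."""
    score = BASE_SCORE.get(inc.itype, 0)
    for _label, pred, points in MODIFIERS:
        if pred(inc.details):
            score += points
    return max(0, min(100, score))


def explain_score(inc: Incident) -> list:
    """Which criteria contributed, so an analyst can see why the score is what it is."""
    applied = [("base: " + inc.itype, BASE_SCORE.get(inc.itype, 0))]
    applied += [(label, pts) for label, pred, pts in MODIFIERS if pred(inc.details)]
    return applied


def group_by_type(incidents):
    """Grouping 1: same incident type against the same target (e.g. one service
    account abused by several users) becomes one group."""
    groups = defaultdict(list)
    for inc in incidents:
        groups[(inc.itype, inc.details.get("target"))].append(inc)
    return dict(groups)


def group_by_narrative(incidents, min_types: int = 2):
    """Grouping 2: one user raising several different incident types forms a
    narrative (e.g. database abuse plus bulk file access by the same account)."""
    by_user = defaultdict(list)
    for inc in incidents:
        by_user[inc.user].append(inc)
    return {u: incs for u, incs in by_user.items()
            if len({i.itype for i in incs}) >= min_types}


def group_score(incs) -> int:
    # Assumption: a group is at least as urgent as its most urgent member.
    return max(priority_score(i) for i in incs)


def triage(incidents):
    """Incidents ordered by descending score, then by identifier."""
    return sorted(((priority_score(i), i.ident) for i in incidents),
                  key=lambda t: (-t[0], t[1]))


# Constructed sample. INC-1 and INC-2 are the two incidents from the post.
SAMPLE = [
    Incident("INC-1", "excessive_db_record_access", "alice",
             {"records": 105000, "environment": "production", "target": "customers"}),
    Incident("INC-2", "excessive_db_record_access", "bob",
             {"records": 100000, "environment": "staging", "target": "customers_stg"}),
    Incident("INC-3", "service_account_abuse", "alice", {"target": "svc_backup"}),
    Incident("INC-4", "service_account_abuse", "carol", {"target": "svc_backup"}),
    Incident("INC-5", "excessive_file_access", "alice", {"target": "fileshare"}),
]

if __name__ == "__main__":
    for score, ident in triage(SAMPLE):
        print(ident, score)
    print(len(SAMPLE), "incidents ->", len(group_by_type(SAMPLE)), "type groups")
    for user, incs in group_by_narrative(SAMPLE).items():
        print("narrative for", user, [i.ident for i in incs], "score", group_score(incs))
```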

Conclusion

Security monitoring systems provide a very important layer of protection; however, as the number of incidents raised increases, the system becomes harder to manage and more time-consuming. It may even lead to abandoning the system altogether.

Focusing on the important stuff (real value incidents), providing the big picture (grouping incidents) and defining a clear priority (incident priority scoring) allows a faster, more effective investigation. As such, the real value of monitoring is achieved. Imperva CounterBreach addresses all of these requirements, get in touch and let’s see where we can help.

Cisco IOS and IOS XE Software Bidirectional Forwarding Detection Denial of Service Vulnerability

A vulnerability in the Bidirectional Forwarding Detection (BFD) offload implementation of Cisco Catalyst 4500 Series Switches and Cisco Catalyst 4500-X Series Switches could allow an unauthenticated, remote attacker to cause a crash of the iosd process, causing a denial of service (DoS) condition.

The vulnerability is due to insufficient error handling when the BFD header in a BFD packet is incomplete. An attacker could exploit this vulnerability by sending a crafted BFD message to or across an affected switch. A successful exploit could allow the attacker to trigger a reload of the system.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-bfd

This advisory is part of the March 28, 2018, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 20 Cisco Security Advisories that describe 22 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: March 2018 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.


Security Impact Rating: High
CVE: CVE-2018-0155

IDG Contributor Network: The quantum computing cyber storm is coming

As technologies advance, they can solve a lot of problems. Radio linked our continent-wide nation with nearly-instant communications. Electric lights made it so we could keep working long after the sun went down. Computers, and later the Internet, created a myriad of new opportunities and entire industries that most of us owe our livelihoods to today.

But as wonderful as technological advancements are, they can also be disruptive, shaking up the status quo and sometimes instantly making the ways in which we live and conduct business obsolete. The more revolutionary the technology, the greater the disruption.

Of all the currently emerging technologies, quantum computing is probably near the top of the list when it comes to revolutionary potential. The disruption that will follow in its wake, especially for established technologies like encryption, could be nothing short of a Category 5 mega storm.


Cisco NX-OS Software NX-API Privilege Escalation Vulnerability

A vulnerability in the NX-API management application programming interface (API) in devices running, or based on, Cisco NX-OS Software could allow an authenticated, remote attacker to execute commands with elevated privileges.

The vulnerability is due to a failure to properly validate certain parameters included within an NX-API request. An attacker that can successfully authenticate to the NX-API could submit a request designed to bypass NX-OS role assignment. A successful exploit could allow the attacker to execute commands with elevated privileges.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxos-nxapi

This advisory is part of the June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection, which includes 24 Cisco Security Advisories that describe 24 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection.


Security Impact Rating: High
CVE: CVE-2018-0330

A week in security (July 2 – July 8)

Last week, we tracked back a large mining operation from their Coinhive shortlink, we took a look at online project management tools, we described a new macro-less technique to distribute malware, and talked about a Mac malware that targets crypto-mining users.

Other news:

  • Huawei enterprise comms kit has a TLS crypto bug. (Source: The Register)
  • The Pentagon is building a dream team of tech-savvy soldiers. (Source: Wired)
  • Some computer science academics ran an experiment to find out whether your phone is secretly listening to you. (Source: Gizmodo)
  • Chrome and Firefox pull stylish add-on after a report it logged browser history. (Source: Bleeping Computer)
  • A downloader that decides how to infect the victim: with a cryptor or with a miner. (Source: SecureList)
  • Macro-based malware campaign replaces desktop and Quick Launch shortcuts to install backdoor. (Source: SCMagazine)
  • Homeland Security subpoenas Twitter for data breach finder’s account. (Source: ZDNet)
  • Ex-NSO employee caught selling stolen phone hacking tool for $50 Million. (Source: The Hacker News)
  • A handful of giant companies are centralizing control of the internet. (Source: BuzzFeed News)
  • Eight arrested in Africa-based cybercrime and business email compromise conspiracy. (Source: DataBreaches.net)

Stay safe, everyone!

The post A week in security (July 2 – July 8) appeared first on Malwarebytes Labs.

20 Information Security Tips for Hospitals

Encryption, monitoring data access, and ensuring there's a recovery plan in place: In this week's Data Protection 101 we count down 20 information security tips designed to help hospitals better safeguard sensitive patient data.

WordPress Arbitrary File Deletion Vulnerability Plugged With Patch 4.9.7

On June 26 an arbitrary file deletion vulnerability in the WordPress core was publicly disclosed. The vulnerability could allow an authenticated attacker to delete any file and, in some cases, execute arbitrary code.

WordPress is a free, popular, and open-source content management system currently powering over 30% of the known web. WordPress’s massive popularity makes it a desirable target for cybercriminals.

Who was affected

The vulnerability was fixed in version 4.9.7 of WordPress, released on July 5. In order to successfully exploit this issue, the attacker would have needed to gain access to edit and delete media files which can be achieved by taking over an Author account or by targeting sites that expose the media functionality through various plugins.

Vulnerability impact

Attackers can leverage the way the WordPress installation mechanism works to gain arbitrary code execution on the hosting server: deleting the wp-config.php file triggers the installation process, allowing the attacker to reconfigure the site and take over the admin account.

The vulnerability can also be used to disable some security restrictions through the deletion of .htaccess files that could be enforcing some kind of restrictions, or index.php files that prevent directory listing.

The attacker can also take down the site by deleting one of the WordPress core files, causing an internal error on every request.

Breakdown

wp-admin/post.php

The code above is used to modify the media posts metadata.

As seen in the code, the “thumb” property is set to $_POST[‘thumb’], which can contain any value the attacker wants. Next, the wp_update_attachment_metadata function takes the $newmeta object and stores it as a serialized object.

The reason the vulnerability requires the attacker to have authenticated user privileges is due to the cross-site request forgery (CSRF) protection enforced through the check_admin_referer function.

wp-includes/post.php

The purpose of the code above is to delete the media file thumbnail when the attachment is deleted. The function failed to sanitize the previously set thumb value, resulting in a second-order arbitrary file deletion vulnerability.

Imperva customers protected

Imperva SecureSphere and Incapsula WAF customers are protected from this attack due to our zero-day and path traversal rules. We also published a new dedicated security rule to provide maximum protection against possible mutations of this attack.

Cars Are Just Primitive Exoskeletons

The “carriage” form-factor is ancient.

So even though today we say “car” instead of carriage, we should know that to augment a single person’s travel with a giant opulent box is primitive thinking, and obviously doesn’t scale well to meet modern transit needs. Study after study by design experts have shown us how illogical it is to continue to build and use cars:

Fortunately, modern exoskeletons are more suited (no pun intended) to the flexibility of both the traveler and those around them. Rex is a good example of why some data scientists are spending their entire career trying to unravel “gait” in order to analyse and improve the “signature” of human movement. They discuss here how they are improving mobility for augmentation of a particular target audience:

This is early-stage, and yet it still shows us how wrong it is to use a car. When I expand such technology use to everyone I imagine people putting on a pair of auto-trousers to jog 10 miles at 20 mph to “commute” while exercising, or to lift rubble off people for 12 hours without breaks after an earthquake, or both.

We already see this class of power-assist augmented travel in tiny form-factors in the latest generation of electric bicycles, like the Shimano e8000 motor. It adds power as a cyclist pedals, creating a mixed-drive model:

For what it’s worth, the “gait” (wobble) of bicycles also is super complicated and a rich area of data science research. Robots fail miserably (nice try Yamaha) to emulate the nuance of controlling/driving two-wheels. Anyone saying driverless cars will reduce deaths isn’t looking at why driverless cars are more likely than human drivers to crash into pedestrians and cyclists. Any human can ride a bicycle, but to a driverless car this prediction tree is an impenetrable puzzle:

Unlike sitting in a cage, the possibilities of micro-engines form-fitted to the human body are seemingly endless, just like the branches in that tree. So it makes less and less sense for anyone to want cages for personal transit, unless they’re trying to make a forceful statement by taking up shared space to deny freedom to others.

What is missing in the above sequence of photos? One where cars are completely gone, like bell-bottom trousers, because they waste so much for so little gain, lowering quality of life for everyone involved.

Floating around in a giant private box really is a status thing, when you think about it. It’s a poorly thought out exoskeleton, like a massive blow-up suit or fluffy dress that everyone has to clean up after (and avoid being hit by). Here’s some excellent perspective on the stupidity of carrying forward the carriage design into modern transit:

Rapstatus tells us cars still get a lot of lip service so I suspect we’re a long way from carriages being relegated to ancient history, where they belong.

Nonetheless I’m told new generations have less patience for carriages, and so I hope they already visualize something like this when people ask them if they would get in a car to get around…

Does the Rise of Crypto-Mining Malware Mean the End of Ransomware?

Crypto-mining malware activity grew significantly in the first quarter of 2018, according to new research, suggesting that threat actors are finding this tactic to be more lucrative than traditional ransomware attacks due to the increasing popularity and value of digital currencies.

But this shift doesn’t signal an end to the threat of ransomware — rather, it points to an evolution toward more targeted attacks against specific organizations and industries, such as healthcare, that are most vulnerable and store particularly valuable data.

Cybercriminals Shift Tactics Amid Cryptocurrency Gold Rush

In short, this new trend shows that cybercriminals follow the money. Amid the rising popularity of cryptocurrencies like bitcoin, Monero and Ethereum, threat actors have embraced crypto-mining schemes as a way to generate illicit financial gains with the least amount of effort, in the shortest time possible — and at a relatively low risk of discovery.

According to McAfee Labs Threats Report: June 2018, researchers observed more than 2.9 million samples of crypto-mining malware in the first quarter of 2018 — a 629 percent increase from just 400,000 samples in the last quarter of 2017.

“Cybercriminals will gravitate to criminal activity that maximizes their profit,” said Steve Grobman, chief technology officer (CTO) at McAfee, in a June 2018 press release. “With the rise in value of cryptocurrencies, the market forces are driving criminals to crypto-jacking and the theft of cryptocurrency. Cybercrime is a business, and market forces will continue to shape where adversaries focus their efforts.”

Troy Mursch, the security researcher behind the website Bad Packets Report, noted that the industry is seeing so many JavaScript-based crypto-miners because most modern browsers run JavaScript. This means that nearly every web user is a target of malicious crypto-jacking attacks.

Alternatively, attackers can maximize their computing power by infecting a server or other network asset with crypto-mining malware. This tactic makes enterprise networks particularly lucrative targets for crypto-jacking campaigns. Also, browser-based crypto-mining doesn’t require attackers to craft an exploit — and the action usually goes undetected so users might not know they’ve been infected for some time.

Why Ransomware Is Down but Not Out

These characteristics of crypto-mining could explain why some attackers have moved away from traditional ransomware. Victims also know when they’ve suffered a ransomware infection and can respond accordingly, which demotivates potential attackers.

But the fact that opportunistic attackers are leaving ransomware behind doesn’t mean the threat is over and done — it’s merely changing. For instance, threat intelligence provider Recorded Future noted that ransomware attack campaigns are becoming more targeted in nature. This is evident in ransomware actors’ penchant for going after healthcare, an industry in which resource deprivation can threaten people’s lives and trigger urgent responses. According to insurance company Beazley Group, healthcare targeting accounted for 45 percent of all ransomware attacks in 2017.

Attackers are also beginning to leverage the mere threat of high-profile ransomware to extract payment. Action Fraud, the U.K.’s cybercrime reporting center, detected one such scam campaign warning users that they had been infected with WannaCry. In actuality, the emails simply aimed to scare recipients into sending a bitcoin payment, limiting the necessity of even distributing malicious software to obtain its gains.

How Companies Can Defend Against Crypto-Mining Malware

Amid the growth of crypto-mining malware and the ongoing evolution of ransomware, enterprises can defend themselves against crypto-mining malware by investing in an endpoint security solution and creating a patch management program.

Because ransomware relies on suspicious emails and software vulnerabilities for distribution, users can guard against its primary attack vectors by following best security practices. Organizations can further defend themselves by regularly updating antivirus software and training employees to refrain from engaging fraudsters over email.

The post Does the Rise of Crypto-Mining Malware Mean the End of Ransomware? appeared first on Security Intelligence.

Hack the PinkyPalace VM (CTF Challenge)

Hello friends! Today we are going to take on another boot2root challenge known as PinkyPalace. The credit for making this VM goes to “Pink_panther”, and it is another boot-to-root challenge in which our goal is to gain root access to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let’s do an nmap scan for port enumeration.

nmap -sV -p- 192.168.1.137

Nmap scan shows us the following ports are open and the corresponding services are running:

  • nginx web server on port 8080
  • a squid proxy on port 31337
  • an ssh daemon on port 64666

As port 8080 is running nginx, we try to enumerate the webserver but it returns a 403 forbidden code.

Now that we know the target runs a Squid proxy, we try routing our requests through it. We use the FoxyProxy add-on to configure the proxy in our browser.

With the proxy in place we open the web server again and find it is probably configured to allow access only from localhost: requesting it by the server’s IP address still returns a forbidden response, so we address it as 127.0.0.1 through the proxy instead.

We enumerate directories by pivoting through the Squid proxy and find a directory called littlesecrets-main/.

dirb http://127.0.0.1:8080 /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -p 192.168.1.137:31337

We open the link discovered by the dirb scan; it is a page asking for a username and password. We test it for SQL injection with sqlmap and find that the login form is injectable.

We then use sqlmap to dump the users table and obtain two users along with their password hashes.

sqlmap --proxy=http://192.168.1.137:31337 --data="user=hacking&pass=articles&submit=Login" -u http://127.0.0.1:8080/littlesecrets-main/login.php --level=5 --risk=3 --dump -T users
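The injection sqlmap finds in a form like this is the classic one: the login handler pastes the submitted username into the SQL text, so a quoted payload rewrites the WHERE clause. The post does not show login.php’s source, so the following is an added example (not the VM’s code): a hypothetical reconstruction of such a check next to the parameterised version, run against a constructed SQLite users table storing unsalted MD5 hashes like the ones in the dump. The usernames and passwords in it are made up.

```python
import hashlib
import sqlite3

# Constructed sample data standing in for the dumped users table. The
# passwords are stored as unsalted MD5, which is why a lookup site can
# "decrypt" them: the same password always yields the same hash.
SAMPLE_USERS = [
    ("pinkymanage", "correct horse battery staple"),   # made-up password
    ("pinky", "another made-up password"),             # made-up password
]


def build_db() -> sqlite3.Connection:
    """In-memory users table populated from SAMPLE_USERS."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, pass TEXT)")
    for name, pw in SAMPLE_USERS:
        db.execute("INSERT INTO users (user, pass) VALUES (?, ?)",
                   (name, hashlib.md5(pw.encode()).hexdigest()))
    db.commit()
    return db


def login_vulnerable(db: sqlite3.Connection, user: str, password: str):
    """Hypothetical injectable check: the untrusted username is pasted
    straight into the SQL text. A username of  ' OR 1=1 --  turns the
    condition into  user = '' OR 1=1  and comments out the hash check,
    so the first row in the table is returned without a valid password."""
    digest = hashlib.md5(password.encode()).hexdigest()
    query = (f"SELECT user FROM users WHERE user = '{user}' "
             f"AND pass = '{digest}'")
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(db: sqlite3.Connection, user: str, password: str):
    """Same check with bound parameters: the driver sends the values
    separately from the statement, so input can never change the
    query's structure, only the values being compared."""
    digest = hashlib.md5(password.encode()).hexdigest()
    row = db.execute("SELECT user FROM users WHERE user = ? AND pass = ?",
                     (user, digest)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    payload = "' OR 1=1 -- "
    print("vulnerable, bypass payload ->", login_vulnerable(db, payload, "x"))
    print("fixed, bypass payload      ->", login_fixed(db, payload, "x"))
    print("fixed, real credentials    ->",
          login_fixed(db, "pinky", "another made-up password"))
```

The parameterised query is the fix for the injection; it does nothing about the second weakness the walkthrough exploits, which is storing unsalted MD5. A real login handler should use a slow, salted password hash (bcrypt, scrypt or Argon2) so that a dumped table cannot simply be looked up.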

We look up the hashes from the sqlmap dump on https://hashkiller.co.uk/md5-decrypter.aspx. The passwords are stored as MD5 hashes, so this is a precomputed lookup rather than decryption; the lookup recovers the password for the user pinkymanage.

These credentials do not work on the web login, so we try them over SSH instead.

ssh pinkymanage@192.168.1.137 -p64666

While enumerating the target we find a file called “note.txt” in /var/www/html/littlesecrets-main/ultrasecretadminf1l35/; it contains a hint to look for an RSA key. Listing hidden files in that directory turns up one called “.ultrasecret”.

Its content is a base64-encoded string; decoding it yields an RSA private key.

We cannot write the decoded key into the current directory because we lack write permission there, so we decode the hidden file into pinkymanage’s home directory and save it as id_rsa.

Now we move to pinkymanage’s home directory and restrict the key’s permissions (ssh refuses to use a private key that is readable by others). Then we log in as user pinky through ssh.

chmod 600 id_rsa
ssh -i id_rsa pinky@localhost -p64666

After logging in as pinky we find two files: an executable with the SUID bit set called “adminhelper” and a text file called “note.txt”. We open note.txt and find

To transfer the binary to our own machine we base64-encode it on the target, copy the text over, and decode it locally, saving the result as a file called admin.

We disassemble the binary on our system and find a call to strcpy at main+42. strcpy performs no bounds checking, so we try to exploit it for a buffer overflow.

To exploit the overflow we first need to overwrite the adjacent stack memory and find the offset at which the saved return address (EIP) is overwritten. We use the pattern_create.rb script to generate a 78-byte cyclic pattern.

./pattern_create.rb -l 78

Now we run the file with the string we generated as our argument and find that we were able to overwrite the EIP.

To find the EIP offset we used the pattern_offset command, and find the EIP offset to be 72.

./pattern_offset.rb -q 356341346341 -l 78
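pattern_create.rb and pattern_offset.rb are Metasploit scripts. The following added Python example (not code from the original post) reimplements the same cyclic pattern so you can see why the query 356341346341 maps to offset 72: read little-endian, as the CPU stored it on the stack, those six bytes are the ASCII string Ac4Ac5, which begins 72 bytes into the pattern. That is the padding length before the saved return address, so an exploit payload is 72 bytes of filler followed by the address to jump to.

```python
import string


def pattern_create(length: int) -> str:
    """Metasploit-style cyclic pattern Aa0Aa1...Aa9Ab0...Zz9.

    Every 3-byte triple is unique, so any 4-byte (or longer) substring
    occurs at exactly one offset. The pattern repeats after
    26*26*10*3 = 20280 bytes, so longer lengths are refused."""
    if length > 26 * 26 * 10 * 3:
        raise ValueError("pattern would repeat beyond 20280 bytes")
    chunks = []
    total = 0
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                total += 3
                if total >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(pattern: str, query, width: int = 4) -> int:
    """Locate the crashed register's value inside the pattern.

    `query` is either a substring of the pattern or the integer register
    value (e.g. 0x356341346341, the hex passed to pattern_offset.rb -q).
    An integer is decoded little-endian, i.e. in the byte order the CPU
    wrote it to the stack; `width` is the minimum number of bytes to
    decode. Returns the offset, or -1 if the value is not in the pattern."""
    if isinstance(query, int):
        nbytes = max(width, (query.bit_length() + 7) // 8)
        try:
            needle = query.to_bytes(nbytes, "little").decode("ascii")
        except UnicodeDecodeError:
            return -1          # not ASCII, so not from our pattern
    else:
        needle = query
    idx = pattern.find(needle)
    if idx == -1:
        # Also try the reversed byte order, in case the value was read
        # big-endian (e.g. copied from a memory dump rather than a register).
        idx = pattern.find(needle[::-1])
    return idx


if __name__ == "__main__":
    pat = pattern_create(78)
    print(pat)
    print("offset of 0x356341346341:", pattern_offset(pat, 0x356341346341))
```

The same two functions work for a 32-bit crash: pass the 4-byte EIP value (for example 0x41346341) and the little-endian decode gives the 4-character substring to search for.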

Checking the binary’s protections shows no NX and no ASLR, but PIE is enabled. So rather than relying on ROP gadgets at fixed addresses inside the binary, we inject shellcode: we store it in an environment variable and, since the stack is executable, overwrite EIP with the address of that variable. Running adminhelper with this payload spawns a tty shell as the root user.

Now we move to the /root directory and find a file called “root.txt” inside it. Its content is the congratulatory flag.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

The post Hack the PinkyPalace VM (CTF Challenge) appeared first on Hacking Articles.

Timehop admits attacker stole 21 million users’ data

Timehop, a popular app that reminds you of your social media posts from the same day in past years, is the latest service to suffer a data breach. The attacker struck on July 4th, and grabbed a database which included names and/or usernames along with email addresses for around 21 million users. About 4.7 million of those accounts had phone numbers linked to them, which some people use to log in with instead of a Facebook account.

Via: The Register

Source: Timehop

IDG Contributor Network: GDPR: Where are we now?

By now, the General Data Protection Regulation, or GDPR, is in full effect. Users see its impact each time a website asks for permission to collect cookies and in each notification email about updated privacy policies. Companies are being inundated with inquiries about personal information as users are getting smarter about protecting their data in today’s data economy.

Who’s benefitting?

In today’s data-rich world, users are experiencing the fruits of data transparency, thanks to GDPR. The regulation has forced companies large and small to divulge what user data is collected and what is done with it. As a result, users can now choose whether they’re comfortable with it and opt out if they’d like. While the majority of users will opt-in, so they can use their beloved social media apps or read their favorite news publication, at least they now have a warning and are armed with the truth.

To read this article in full, please click here

Everybody and their mother is blocking ads, so why aren’t you?

This post may ruffle a few feathers. But we’re not here to offer advice to publishers on how to best generate revenue for their brand. Rather, we’re here to offer the best advice on how to maintain a safe and secure environment.

If you’re not blocking advertisements on your PC and mobile device, you should be! And if you know someone who isn’t blocking ads, then forward this post to them. Because in this two-part series, we’re going to dispel some of the myths surrounding ad blocking, and we’ll cover the reasons you should be blocking ads on your network and devices.

We’ll then follow-up in Part 2 of this series by discussing common tools and configurations to help get the most of your browsing experience.

You’ve heard the talk and seen the messages in online banners. You’re aware of the disputes and the provocation from publishers and advertisers that ad blocking is a morally unconscionable act whose users deserve outright banishment from the web. Maybe you’ve been swayed by the pleas from website owners and have empathy towards the fragile budgetary constraints of your favorite sites. Or maybe you don’t understand the risks associated with online tracking and advertising and think that if you don’t click ads you’ll be fine.

Don’t be fooled. Ad blocking provides a vital security layer: it severs a potential vector for malvertising attacks and stops privacy-invading trackers from harvesting your personal information. Blocking ads and trackers also conserves bandwidth and battery life, speeds up page loads, and generally improves the browsing experience. So an ad blocker both protects your device and makes the web nicer to use. What’s not to love?

It’s all a bunch of hullabaloo!

Advertisers, publishers, and website owners despise talk of blocking the pesky advertisements that appear on their webpages—especially the ads that more aggressively vie for attention (and thus pay the website owners’ bills). We’ve all seen them. We’re talking about the ads that auto-play commercials or news clips as soon as the page is loaded. Bright, flashy popups, and page overlays that have to be clicked before seeing the desired content. Even the sponsored results that appear in search listings.  They are everywhere!

Hundreds of billions of ad impressions occur each month, and digital ad revenue for online advertising is estimated to top $237 billion in 2018. With so many impressions to be served, it’s no wonder that website operators are clearing space and making way for advertisers to clutter the website landscape.

Search listing shown inside Google

And we get that ad impressions are the lifeblood of many website operators and publishers who rely on clicks as the primary mechanism to create revenue. Some may even argue that ‘clicks create jobs’.

But let’s face it. In most cases, ads suck! Advertisers like to push the notion of “acceptable ads,” “non-intrusive advertising,” and “reasonable number of impressions,” but this is rhetoric designed to sway the opinion of an impressionable society—and it’s all a bunch of poppycock if you ask me.

Most people don’t like advertisements. They never have. That’s why VCRs became popular back in the ’80s: the devices let users record programmes and skip the commercials later at their convenience. It’s why DVRs became mainstream years ago, why people flock to streaming services like Netflix now, and even why people skip the first few minutes of a movie.

Ads diminish the overall user experience by forcing the consumer’s attention elsewhere and creating a delay or nuisance before the preferred content can be consumed. A website’s “sponsored” listings often consume much more of the page than actual content, so more time is spent searching for the desired item, and consumers may end up paying more than they would have with a non-sponsored competitor. And then there are the ads that are purposefully obnoxious or play recurring sounds from a small box in the corner of the window. These are all just terrible to endure.

If it were a matter of simply not enjoying the content, then this point would be debatable. But, online advertisements pose a threat and provide an infection vector for malicious actors to launch targeted malware attacks. This can turn even the most reputable websites into potential delivery systems for malware authors.

Malware can be delivered inside that ad

Ad slots permit fun little interactive ads that play games and pose quizzes, but the same ability to run code in the page poses great risk to consumers.

Malvertising has the ability to affect even the most careful of users due to the nature of how advertisements are designed to automatically run code when they are loaded. Attackers may (and do) attach craftily hidden exploit code to otherwise innocuous looking ads for well-known products and then submit these ads for publication to known and reputable websites.

Don’t be fooled by this Best Buy ad. It’s not real!

While many of the large ad networks perform due diligence and scan for such malicious content prior to publication, there are dozens, if not hundreds of ad networks to which a criminal can submit their malicious code. And not all of those companies possess the same standards as their multi-billion dollar counterparts. Taking into account the speed and nature of the real-time bidding process for online ads (a fascinating process that deserves a post unto its own) it’s not surprising that bad ads can get past even the most well-intentioned ad networks.

$5.00 and 10 minutes is all it takes with this ad network.

Consider for a moment this blog post released by Google earlier this year, which sheds some light on the number of malicious ads blocked within its ad ecosystem. In the post, Google states that 3.2 billion ads were removed in 2017 for violating advertising policies. That translates to 100 advertisements every single second, of every day, for the entire year! Of these ads, 79 million were pushing malware-laden websites. And that’s in addition to the more than 320,000 publishers that were blacklisted, and the over 1 million websites and apps that were removed or blocked.

That’s a lot of bad ads!

Setting aside Google’s ability to block malicious content as it appears on their network, some may contend that with so much bad stuff out there, some things are bound to slip through the cracks every once in a while.

And, lest we forget, there is a plethora of other website, news, and advertising companies without the means or desire to police their content. Malicious actors can launch highly targeted campaigns that are served to only a small handful of people and thus often fly under the radar of security mechanisms and systems. Who wants to be the guinea pig and offer up their computer to the attackers when such lapses occur?

Don’t track me, bro

We’re all familiar with the Cambridge Analytica scandal involving the collection of approximately 87 million Facebook records. The highly-publicized event has led to insolvency proceedings against the company (though Cambridge Analytica may have been recently resurrected under the name Data Propria). People were outraged in part because the company had covertly collected and stored information on large swaths of the population without their consent. But what those same people may not understand is that Cambridge Analytica is not alone in this practice.

There are numerous organizations ranging from small one and two person operations, all the way up to mega-million dollar corporations that are involved in the process of collecting and selling consumer data. Data brokers, data warehouses, and data exchange platforms all provide tools and services to not only collect information, but also sort and organize the information in a manner that allows advertisers to target specific groups of users.

Online data broker offering “data that is only seconds old”

Few of these organizations have the express consent from users to harvest and store their information, and many lack even the most basic of security protocols to protect and maintain the information after it’s collected.

Consider the recent database exposure at the data broker Exactis. The company is accused of leaving a poorly secured server exposed, revealing nearly 340 million individual records containing everything from postal addresses, telephone numbers, and email addresses to more than 400 different data points on habits, interests, and hobbies. All sorts of other personal details are tracked, harvested, and stored in these databases, from age all the way down to a person’s clothing size and shopping history. Do you smoke, drink, or enjoy gambling? That’s in there, too.

Exactis has over 3.5 billion records, with information on most of us

And who exactly is Exactis? The company claims to be a leading compiler and aggregator of business and consumer data. The information collected by the company is used for customer profiling and to assist marketers in identifying descriptive traits and customer segments to help better understand behavior. This information can then be used to direct targeted advertising to specific groups.

The company website claims to possess 3.5 billion records on 218 million individuals and 110 million households. When asked where the information originated, Night Lion Security founder Vinny Troia was quoted as saying, “It seems like this is a database with pretty much every US citizen in it. I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen.”

While we may not know for certain, it’s probably a safe assumption that at least some of those records are obtained through the use of online trackers, and services that run silently in the background, tracking and logging your behavior each time you browse online.

Why do we continue to tolerate this sort of illicit data collection? Don’t be like Steve Huffman, the Reddit CEO who allowed himself to be targeted by a Facebook advertisement for the purpose of an employment solicitation.  Instead, use an ad blocker, which not only blocks the targeted trackers that are compromising your personal information and divulging your secrets to the highest bidder, but will also prevent the targeted ad from being shown, thus, reducing your exposure to infection and solicitation.

No, it’s not morally unconscionable to use an ad blocker

Despite the notices, pleas from website owners, and the position from advertisers and publishers that ad-blocking will destroy the internet as we know it, there are no laws against using an ad blocker to prevent objectionable content from appearing on any device that you own or use.

In a long-followed case that transcended all the way to the German Supreme Court, European publisher Axel Springer was defeated in a years-long battle against Adblock Plus publisher Eyeo, after failing to persuade the court that the ad blocker violated competition law and was engaging in legally-dubious business policies. (Their business model allowed for unblocking ads deemed as “acceptable,” as well as those who paid for such distinction.)

The court ruling puts an end to Springer’s quest to have ad blocking deemed illegal. It also vindicates users’ continued use of blocking software to prevent unwanted or objectionable content from being shown.

Americans are likely to have equally strong, if not stronger, ad blocking protections than our German friends.

A search of the dockets and filings provided by Justia.com shows not a single case in which Eyeo, the company behind Adblock Plus, has had to defend its practice of blocking advertisements. And really, it’s a stretch to envision an American jury being persuaded that advertisers have the right to display content but consumers lack the right to block content they don’t approve of.

Therefore, with no laws preventing the use of an ad blocker, and with the counter argument simply reduced to the corporate mantra of “maximizing profits,” consumers are free to choose the security policy that best fits their needs.

Convinced yet?

We’ve seen that ads not only diminish the user experience of ingesting content, but that they also pose a substantial risk to consumers.

The potential for malvertising to successfully deploy a nasty payload to your machine, which may compromise your system and jeopardize your financial security, is real. Worse yet, these types of attacks don’t even require user interaction and can execute merely by visiting the page.

And if the threat of financial ruin is of no concern, then the privacy-invading act of data harvesting should be.

The array of data collectors and data brokers out there is mind boggling, and they are all struggling to associate your actions and behaviors to groups and other individuals for no other purpose than to create targeted ads and increase profits. The information collected by these organizations may be poorly secured and is a potential gold mine for any cybercriminal.

And if a moral reluctance to block the advertisements of your favorite websites has so far kept you from adopting ad-blocking technology, then the knowledge of an ever-growing advertising ecosystem and the absence of laws against ad blocking should ease those concerns. Yes, we all want to generate revenue for our brand, but personally I’d rather not do so at the expense of potential identity theft or, worse, having my PC compromised by a malware attack originating from a rogue advertisement on a popular website.

Coming up 

In Part 2 of this series, we’re going to have a look at some of the common ad-blocking utilities and how to configure those tools to fit the needs of the individual user. We’ll show how to navigate user-friendly settings that are simple enough to use on Grandma’s computer. We’ll also take a deep dive into some more advanced configurations and tools that may require a shift in user mind-set, usage, and understanding before fully realizing the benefits such configurations provide.

We’ll cover blocking ads on both mobile and PC devices, as well as configuring a network solution to block ads throughout your entire environment.

So stay tuned to the Malwarebytes blog, or follow this post and we’ll update it with links once available.

The post Everybody and their mother is blocking ads, so why aren’t you? appeared first on Malwarebytes Labs.

Stolen D-Link Certificate Used to Digitally Sign Spying Malware

Digitally signed malware has become much more common in recent years to mask malicious intentions. Security researchers have discovered a new malware campaign misusing stolen valid digital certificates from Taiwanese tech-companies, including D-Link, to sign their malware and making them look like legitimate applications. As you may know, digital certificates issued by a trusted certificate

Looking For Secure VPN Services? Get a Lifetime Subscription

PRIVACY – a bit of an Internet buzzword nowadays, because the business model of the Internet has now shifted towards data collection. Today, most users surf the web unaware of the fact that websites and online services collect their personal information, including search histories, location, and buying habits and make millions by sharing your data with advertisers and marketers. If this is

Zero Day Initiative: A 1H2018 Recap

When the Zero Day Initiative (ZDI) was formed in 2005, the cyber threat landscape was a bit different from what we see today. Threats were a little less sophisticated, but there was one thing that we saw then that we still see now: the shortage of cybersecurity professionals and researchers. The team decided that with ZDI, they could augment the internal team with the expertise of external researchers. In addition, ZDI would promote responsible vulnerability disclosure to affected vendors and protect our customers ahead of a vendor patch. As you probably suspected, the launch of ZDI was met with skepticism, with people saying things like “the ZDI is promoting hacking by creating a market for vulnerabilities” and “they’re going to fail,” but the team was determined to make this program work.

Fast forward to 2018. Now in its thirteenth year (coming up on July 25), the ZDI manages the largest vendor-agnostic bug bounty program in the world, with over 3,500 external researchers complementing the internal team’s efforts. The surge of over 500 newly registered researchers in the first half of 2018 alone is a testament to the appeal and benefits the ZDI program offers to those who want to conduct responsible security research and be appropriately compensated for their efforts. Since the program’s inception, over $18 million USD has been awarded to external researchers. This is quite an accomplishment given that there was only one submission in the first year of the program. Contributions to the ZDI program have been growing steadily since 2010, and in the first half of 2018 the ZDI published a record-breaking 600 advisories, paying researchers over $1 million USD.

But the benefits of ZDI go beyond the researcher community – Trend Micro customers also benefit from the vulnerability research conducted by the ZDI. The insights on threat and exploit trends that the team sees from external researchers, as well as from their own internal research, have led to an increased focus on SCADA and Industrial IoT (IIoT) vulnerabilities, which make up approximately 30% of submissions this year. The ZDI also works very closely with ICS-CERT and was the number one supplier of SCADA/ICS vulnerabilities in 2017. Trend Micro customers also benefit through preemptive protection for vulnerabilities that come through the ZDI program. Patch management is a constant headache for most organizations, and it can become a flat-out nightmare if a zero-day hits and you have hundreds of systems to patch. Filters created from the exclusive access to vulnerability information from ZDI provide protection an average of 72 days before a patch is available and can play a key role in alleviating the patch management headache with a virtual patch at the network level while you work to update systems or wait for a vendor patch. Trend Micro is one of the few security vendors with the breadth and depth of vulnerability research that results in this level of protection coverage. Does every vulnerability submitted to the program get exploited? No. But just as I carry automotive insurance “just in case” I get in a car accident, think of the ZDI program along the same lines – an extra level of protection “just in case” you can’t patch your systems in time and a vulnerability submitted through our program is exploited before a patch is issued by the affected vendor.

The continued growth of the Zero Day Initiative bug bounty program and leadership in vulnerability research can only lead to more secure products and more secure customers. Many vulnerabilities would continue to either remain behind closed doors, or be sold to the black market and used for corrupt purposes. Accountability is paramount to the program, and over the course of 13 years, the ZDI has worked to build trust with leading software vendors and the research community to promote the importance of security in the product development lifecycle. As the threat landscape evolves, the ZDI will evolve with it and stay on the forefront of vulnerability research to make our technology world a safer place.

For more details on the ZDI’s record first half of 2018 and the trends they’re seeing, check out Brian Gorenc’s blog here. You can also follow the team on Twitter at @thezdi for the latest updates.

The post Zero Day Initiative: A 1H2018 Recap appeared first on .

Emails, the gateway for threats to your company

It’s an undeniable fact: these days, email has become one of the main vectors for cyberattacks against companies.  According to the recent 2018 Email Security Trends report by Barracuda, 87% of IT security professionals have admitted that their company has faced some kind of threat via email in the last year. This has led three quarters of the professionals surveyed to be more concerned about this risk factor now than they were five years ago.

And this concern hasn’t appeared out of the blue. The same study has shown that 81% of heads of corporate IT security have noticed an increase in the number of cases compared to the situation one year ago.  What’s more, a quarter of the professionals who agree with this statement qualify the increase as “drastic”.

But why is the volume of cyberattacks carried out over email on the up?  Just like with other kinds of threats, the success of these attacks can be put down to human error: whether it’s due to a lack of time to stop and assess the authenticity of the email, or because of our innate sense of curiosity or compassion, mechanisms like social engineering do exactly what they set out to achieve. This is the opinion shared by the vast majority of the IT professionals surveyed; they single out “poor employee behavior” as their main concern when dealing with these cyberthreats.

Mitigation costs are rising drastically

The economic consequences of these attacks are also increasing.  81% of heads of cybersecurity agree with this statement, emphasizing, in 22% of cases, that the costs stemming from mitigating a security breach have grown very significantly.

Of the different types of malicious actions that can financially damage a company via email, information theft, ransomware, and BEC scams are the most costly.  In other words, we’re facing two types of cyberattacks: on the one hand, we have attacks that seek to make a profit by attacking a company’s information and either selling it, or kidnapping it in order to demand a ransom. On the other hand, we see attacks whose aim is to trick an employee who has access to the company finances into making a transfer to the cybercriminals without realizing.  In a previous post, we saw how this last kind of scam, Business Email Compromise, became the most lucrative cybercrime of 2017 in the USA.

How can I deal with this threat in my company?

The fact that human error plays such a key role in the success of this kind of scam of course means that companies must train employees at all levels to pay attention to tell-tale signs in suspicious emails: how they’re written, spelling, or the kind of links they contain.  Likewise, they must get into the habit of thoroughly verifying the supposed intention of any emails received: for example, by checking with the finance department that the bank transfer that they are being asked for is legitimate, in order to avoid BEC scams.

But is this enough? The heads of IT security who responded also recommended some other measures that should be kept in mind:

  • Phishing drills: This highly effective method of testing the possible negative effects of phishing consists of surprising your employees with this kind of email to see how they react. Those who get tricked will have learned for themselves the type of behavior they must avoid in the future, whereas those who pass the test will stay as alert as they were before.
  • Social engineering detection: This requires a specific, practical training process for employees. The aim is to make sure they ask themselves a series of questions before replying to or acting on a dubious email. Here are some examples: “Can a third party help me verify the identity of the person who is contacting me?”, “Am I really authorized to carry out the thing they’re asking me to do?”, “Is the action or information that they are requesting public?”
  • Encrypting emails: To avoid the possible theft of emails containing confidential information, your company must have a system that encrypts all emails sent by employees, so that an additional password or key is required to read the content of the email.
  • Having an advanced cybersecurity solution: Using a suite like Panda Adaptive Defense will help you to detect any possible attempts to attack your company via email, thanks to the use of cognitive intelligence and a real time detection system. This way, you will avoid possible financial losses that can result from this kind of cyberattack.

The post Emails, the gateway for threats to your company appeared first on Panda Security Mediacenter.

Sinovel Wind Group found guilty of IP theft, fined $1.5 million

Update July 9, 2018:

Sinovel Wind Group was fined the maximum statutory fine of $1.5 million for the theft of trade secrets from American Superconductor Inc by a federal judge on July 6, 2018, according to the Department of Justice. In addition, American Superconductor Inc and Sinovel Wind Group reached a settlement amount of $57.5 million. As of July 6, 2018, Sinovel had paid $32.5 million and has one year to pay the remaining $25 million.

----------------------------------------------

To read this article in full, please click here

DomainFactory Hacked—Hosting Provider Asks All Users to Change Passwords

Besides Timehop, another data breach came to light last week, this one affecting users of one of the largest web hosting companies in Germany, DomainFactory, owned by GoDaddy. The breach happened in January this year and only emerged last Tuesday, when the unknown attacker posted a breach note on the DomainFactory support forum. It turns out that the attacker breached

Why Multifactor Authentication Is Crucial to Strengthen Mainframe Security

Mainframes are built to be far more reliable and scalable than common endpoints and systems. However, the security guarding the valuable data they hold may not always meet the same standard.

But what can be done to strengthen mainframe security?

Today’s most advanced mainframes can process billions of high-value transactions per day — and if you’re authenticating users with passwords alone, it may be time to go multifactor.

What Is Multifactor Authentication?

Multifactor authentication (MFA) is an increasingly important tool for validating the identity of users accessing everything from desktops to cloud-based resources. MFA creates friction for attackers with minimal disruption to legitimate users.

How does it do this? MFA inspects multiple identifying factors associated with a specific user account. These factors can range from physical tokens to a user’s biometric and behavioral traits. Whatever the details, MFA throws a wrench into attackers’ plans by raising the authentication assurance level that the system can demand of a specific user.

Don’t Leave the Mainframe Key Under the Doormat

Mainframe infrastructure is different from most user-facing elements of an enterprise’s IT environment — and MFA may not be top of mind as an element of mainframe security.

Mainframes hold more mission-critical and sensitive data than any other platform. They also typically sit in a physically secured data center. Since only a small number of expert users work in these facilities, it’s tempting to think of mainframes as secure by default. However, these are not isolated systems — to achieve their high return on investment (ROI), mainframes must still connect to myriad systems and people outside of the data center.

The problem of password insecurity that affects smartphones, cloud-based systems and more also applies to mainframes. In fact, the stakes are much higher because mainframes store some of the enterprise’s most sensitive assets. Besides the threat of data theft, other risks include costly fines for regulatory noncompliance.

Attackers know mainframes hold vital data, and they do their best to steal the passwords that get them past the gate. No matter how physically secure they are, mainframes are typically accessed by network connections, which are often protected by passwords alone. If a threat actor gains the privileges of an authorized user, he or she may be able to bypass other security features of the mainframe itself.

Not even pervasive encryption can prevent data loss on its own if it’s transparent to a legitimate login that has been stolen. Every security administrator knows passwords can be compromised — whether through malicious or negligent insider behavior or brute-force guessing. Trusted and honest users also share passwords innocently for convenience, potentially exposing their credentials to interception.

A Layered, Flexible Approach to Mainframe Security

Strong security systems are all about reducing risk and closing the gaps that intruders can sneak through, but their value is greatly diminished if they interrupt or delay users or require complex changes to the security infrastructure. Mainframe users must carefully steward the resources they have access to — and every minute counts.

By adopting an MFA solution for mainframe security, administrators can present a layered defense without requiring any third-party software or hardware between a user’s remote system and the mainframe itself. Depending on the authorization method chosen, the solution can be hosted entirely on the mainframe.

Because risks vary, this MFA approach is flexible. The security administrator defines which authentication factors are appropriate and determines which users must supply additional factors. IBM MFA for z/OS, for example, is designed to centralize the valid factors within the context of the IBM Resource Access Control Facility (RACF), as well as CA Top Secret and CA Access Control Facility 2 (ACF2).

These factors can include:

  • Passwords and passphrases;
  • Cryptographic token devices, including both hardware and software-based tokens like RSA SecurID and Gemalto’s SafeNet Authentication Service tokens;
  • The entry of a time-based one-time password (TOTP) generated from a variety of sources, including IBM TouchToken, IBM Verify and any RADIUS-based server; and
  • Certificate-based authentication, including smart cards, personal identity verification (PIV) cards and common access cards (CACs).

Although mainframe security tends to fall off organizations’ radar, IT leaders should implement at least as much protection on these systems as they would on any mobile device, application or cloud-based service. After all, mainframes typically hold the enterprise’s crown jewels — making them prime targets for attackers. Given these high stakes, MFA is a must-have for any mainframe system administrator.

The post Why Multifactor Authentication Is Crucial to Strengthen Mainframe Security appeared first on Security Intelligence.

How to Get Directors On Board With Cyber Risk Governance

“Cybersecurity cannot be guaranteed, but a timely and appropriate reaction can,” noted a recent report from the Directors and Chief Risk Officers Group (DCRO).

The DCRO is made up of over 2,000 board and C-suite officers from more than 100 countries. The council’s two co-chairs have served in several high-profile roles, including commissioner at the Securities and Exchange Commission (SEC), cyber risk consultant for a central bank and other senior advisory positions.

In June 2018, the DCRO released the Guiding Principles for Cyber Risk Governance report. The 12-page report is chock-full of well-written, straight-to-the-point advice — and some warnings — to help board directors and executives understand the critical role they must play in assessing and mitigating cyber risks.

Five Guiding Cyber Risk Governance Principles for Top Leadership

The days of relegating cybersecurity to the IT department are long gone. The DCRO guidelines highlighted the sense of urgency and fiduciary duty that falls squarely on board directors’ shoulders — and warned that an effective cybersecurity program requires an appropriate level of engagement by the board.

The report’s authors organized their insights into five guiding principles to help top leadership improve its level of engagement around cyber risk governance.

1. Cybersecurity as an Enterprise Risk

The first principle calls for a deep understanding of what the organization values most, the types of threats that might target those crown jewels, how those risks affect the business’ bottom line and how they should be handled. The board’s role is to review those plans, ensure they are accurately and appropriately prioritized and grant the security team access to the resources it needs to carry them out. Boards should review risk-transfer options, such as cyber insurance, to ensure they properly understand coverage choices and address any gaps.

The report also stressed that every department — not just IT — is responsible for cyber risk management. It implored IT leaders to conduct frequent training to improve security awareness. Executives should also assess the organization’s preparedness for responding to a data breach by reviewing its business continuity capacity.

2. Holding Management Accountable

Because cybersecurity has become such a high-level issue, directors need to hold management accountable for its cyber risk strategy. This includes how the organization prepares for and responds to a breach, as well as how it measures and improves employees’ cyber awareness. A cyber risk framework can help the organization strive for improved outcomes rather than simply reporting on risk mitigation activities.

This principle requires the chief information security officer (CISO) to have strong communication skills and a penchant for crisis management. In times of high stress, the report noted, “it is far better to have a skillful leader rather than a subject matter expert.”

3. Improving Resilience Through Three Lines of Defense

As cyber risks evolve, the organization’s response must adapt accordingly. Boards should urge management to drop its traditional, prevention-driven approach and start operating under the assumption that the organization has already been breached. This means leveraging threat intelligence and threat modeling; testing defenses and reactions; and practicing what-if scenarios to determine what to do if those fail.

Board directors should also verify the quality of the information they receive from cybersecurity leaders, risk managers and internal auditors. This strategy, called the Three Lines of Defense model, can help executives accurately assess the effectiveness of the organization’s cyber risk management efforts.

4. Vigilance Over Third-Party Cyber Risks

Third-party threats can cause long-term damage to a business — so it’s crucial for security leaders to monitor the activity of external vendors and partners closely.

As a company grows, these relationships create a multitude of new entry points into the IT environment, each of which represents an attack vector. Because these threats are well within the organization’s perimeter defenses, they will likely blend in with legitimate traffic.

5. Building a Culture of Security

Employees are a significant source of risk because they have access to loads of data about customers, contracts and even intellectual property. However, they can also act as the first line of defense — an early warning system, if you will. Of course, there must be an organizational culture of security.

Such an environment must be supported by a continuous learning program and a record of positive interactions between IT leaders and users who take the time to alert them to potential issues. The report also stressed that nobody — not even the C-suite — is exempt from practicing basic cyber hygiene.

A Consistent Message to Board Directors

The DCRO’s recommendations are consistent with other cyber risk governance guidelines, including the National Association of Corporate Directors (NACD)’s “Director’s Handbook on Cyber-Risk Oversight.”

The message is clear across the board: Top leadership must improve its oversight of cyber risk, understand the legal implications of data compromise, review cyber risk reports regularly and measure the effectiveness of the organization’s security strategy continually.

The post How to Get Directors On Board With Cyber Risk Governance appeared first on Security Intelligence.

A Brief History of iOS: The Evolution of MDM and Enterprise Mobility

As organizations have gradually embraced mobile technology over the years to boost productivity, the task of protecting enterprise networks has become increasingly difficult for IT and security professionals. Each device represents a potentially vulnerable endpoint, and cybercriminals have mastered the art of exploiting these weaknesses to infiltrate corporate networks.

Fortunately, each iteration of Apple’s iOS has made security teams’ jobs easier by introducing new features that can be applied to mobile device management (MDM).

Below is a brief history to show how each release marked another crucial step in the evolution of enterprise mobility.

Apple and the Dawn of Mobile Device Management

In 2010, Apple released iOS 4, which opened the door to the enterprise with MDM capabilities. IT and security leaders gained the ability to enroll iOS devices over the air (OTA) to perform basic MDM functions. These functions included locate, lock and wipe. As an added benefit, iOS 4 also introduced mobile application management (MAM) capabilities, enabling security teams to push apps down to devices and set compliance rules.

The following year, iOS 5 introduced Siri, iCloud and OTA operating system (OS) updates, which could also be managed by an MDM solution. By this point, enrolled devices were subject to more customization from an IT security standpoint, such as disabling Siri and determining what could be synced and backed up to iCloud.

Enterprise Containment and the BYOD Model

The release of iOS 6 in 2012 brought a new facet to MDM capabilities by providing application programming interfaces (APIs) to private developers. At that time, MDM solutions aimed to capitalize on a then-rising enterprise need: containment.

By this point, iOS devices had gained popularity for personal use, and businesses were just catching on to their versatility. The APIs released in this version allowed IT teams to containerize and separate their enterprise information within the user’s device, which brought about the bring-your-own-device (BYOD) model. During this time, organizations frequently used a corporate-owned device model as their standard practice for mobile productivity.

However, the option of containing enterprise data on a user’s personal device — as opposed to purchasing, setting up and deploying a new device — proved to be the more cost-effective business model.

Aside from the BYOD aspect, iOS 6 introduced a supervised mode, making it easier for IT teams to manage corporate-owned devices. Supervised mode gave IT full administrative rights to the device and set restrictions to prevent the user from falling out of compliance.

New Look, New Management Capabilities

In 2013, iOS 7 packed a punch with a completely new OS redesign, upgraded security features and better management capabilities. One of the most noticeable and innovative features of iOS 7 was TouchID. This new security measure was the first of its kind within the Apple product line to use biometric data instead of a passcode for device access. It also provided APIs through which MDM solutions could enable or disable it, allowing IT teams to use TouchID for access to the enterprise container as well as the device itself.

With iOS 7, Apple included another feature that has saved many an administrator from endless headaches: the ability to disable Activation Lock. The idea behind Activation Lock itself was that if a device were lost or stolen, it could not be wiped without entering the associated Apple ID.

This feature was a major pain point for IT teams because users often enabled Activation Lock while setting up their device and, when their employment ended, IT teams were left with devices they could not wipe. Since the release of iOS 7, IT teams have been able to toggle the feature on and off and remotely wipe devices (as needed) without having to wait days or weeks to complete the task.

From 2014 through 2016, subsequent releases of iOS 8, 9 and 10 added more capabilities for the supervised mode, such as the Device Enrollment Program (DEP) and an advanced kiosk mode. DEP enabled IT teams to curate their devices, settings, apps and content before they were sent out to users. Once a device was turned on, the user would go through the enrollment process and everything he or she needed would be pushed down over the air. Apple has since expanded on DEP by allowing for retroactive purchases and retailers that are not Apple partners.

The kiosk mode enhancements allowed administrators to control which apps were shown to the user, helping them boost productivity and reduce the risk of users falling out of compliance or downloading malicious apps. These improvements also enabled administrators to control users’ wallpapers and standardize how apps were arranged on their devices.

As superficial as this seems, it was a big win for administrators because it allowed them to establish continuity across all enterprise devices for more granular visibility.

Facing Forward With Biometric Authentication

iOS 11 was released in the fall of 2017 alongside Apple’s 10th-anniversary edition iPhone, which included a new feature called FaceID. Much like TouchID is used for identity and access management (IAM) within the device itself, FaceID performs a quick scan of the user’s face to provide more secure biometric authentication than the traditional fingerprint method. As far as MDM capabilities go, FaceID falls under the same APIs as TouchID.

Aside from the new hardware features, iOS 11 introduced a new classroom feature, which administrators of educational institutions can use to limit what students have access to on their iOS devices while still providing a rich experience that coincides with their lesson plan. Teachers can now turn off screens, push out apps and deliver presentations from a central device to all their students at once.

Since iOS entered the enterprise, IT teams have needed some form of remote support. Users might be miles away from their IT representative and need fast, effective help. For years, the only method of delivering remote support was through AirPlay, which required both the IT representative and user to be on the same Wi-Fi network. With iOS 11, remote assistance is available with software such as TeamViewer to provide a live look at a user’s device. This feature also integrates with the organization’s MDM solution.

Notable iOS MDM Enterprise Features by Version

  • iOS 4: Apple enters the MDM and MAM field for easy device management for the enterprise.
  • iOS 5: Siri, iCloud and OTA OS updates are introduced — thus bringing granular controls and automatic actions via MDM compliance rules.
  • iOS 6: Apple releases APIs that MDM solutions use to separate work and personal data and a supervised mode, which gives the organization full admin rights over the device.
  • iOS 7: With a full OS redesign, Apple introduces its biometric security feature, TouchID, which can be enabled and disabled via an MDM solution. iOS 7 also brings about the much-desired ability to disable Activation Lock, allowing administrators to remotely wipe a device without an Apple ID.
  • iOS 8: Apple Configurator becomes an OTA solution with DEP, so IT teams can configure and deploy their devices without touching each one.
  • iOS 9: Supervised mode with enhanced kiosk mode, including app lock and app compliance, enables IT administrators to dictate which apps are visible to users for a more customized device.
  • iOS 10: Small enhancements to the supervised mode, such as enabling dictation and spellcheck, are introduced.
  • iOS 11: Apple introduces FaceID, Apple Classroom settings can be managed via MDM and remote support like TeamViewer directly integrates with MDM solutions.

What’s Next for iOS and MDM?

Each iteration of iOS introduces more features that can be applied to MDM capabilities, making the jobs of IT and security leaders easier. Over the years, iOS device management has grown from basic commands to in-depth, complex and customized solutions that fit organizations perfectly. With iOS 12 coming in the fall of 2018, we can only speculate as to what capabilities IT administrators will be able to manage through an MDM solution.

The post A Brief History of iOS: The Evolution of MDM and Enterprise Mobility appeared first on Security Intelligence.

PROPagate Code Injection Seen in the Wild

Last year, researchers wrote about a new Windows code injection technique called PROPagate. Last week, it was first seen in malware:

This technique abuses the SetWindowsSubclass function -- a process used to install or update subclass windows running on the system -- and can be used to modify the properties of windows running in the same session. This can be used to inject code and drop files while also hiding the fact it has happened, making it a useful, stealthy attack.

It's likely that the attackers have observed publicly available posts on PROPagate in order to recreate the technique for their own malicious ends.

Timehop Confirms Data Breach Affected 21 Million Users

Timehop confirmed that a data breach affected certain pieces of personal information belonging to 21 million of its users. According to a statement posted on its website, the service that distributes social media memories to its members detected a network intrusion in the afternoon of 4 July. Timehop learned that those responsible for the incident […]… Read More

The post Timehop Confirms Data Breach Affected 21 Million Users appeared first on The State of Security.

Timehop Hacked — Hackers Stole Personal Data Of All 21 Million Users

And the hacks just keep on coming. The Timehop social media app was hit by a major data breach on July 4th that compromised the personal data of its more than 21 million users. Timehop is a simple social media app that collects your old photos and posts from your iPhone, Facebook, Instagram, Twitter and Foursquare and acts as a digital time machine to help you find what you were doing on

In cryptoland, trust can be costly

While the legal status of cryptocurrencies and laws to regulate them continue to be hammered out, scammers are busy exploiting the digital gold rush. Besides hacking cryptocurrency exchanges, exploiting smart-contract vulnerabilities, and deploying malicious miners, cybercriminals are also resorting to more traditional social-engineering methods that can reap millions of dollars. Their targets are not just the owners of cryptocurrency wallets, but basically anyone with an interest in the subject.

To understand how scammers can access victims’ money, it helps to remember how cryptocurrencies work and what it means when we talk about the address and private key of a cryptocurrency wallet.

Cryptocurrencies are based on asymmetric cryptography with public and private keys. The wallet address, which anyone can transfer money to, is generated from a public key, which in turn is derived from the private key. The private key is required for all wallet transactions, hence scammers’ interest in it. Note, however, that attackers are not always after the victim’s private key: the goal is often to get people to transfer funds into the scammers’ accounts all by themselves. But one thing at a time.

Classic phishing

Authentication on cryptocurrency exchanges and wallets

Cryptocurrencies are bought and sold through specialized services known, like their physical counterparts, as exchanges. They also provide crypto storage services, issuing a wallet for each currency held and storing private keys on users’ behalf. Naturally, if the scammers manage to get hold of the authentication data for a crypto exchange account, they will gain access to the user’s money. This explains the abundance of phishing pages mimicking the authorization pages of popular crypto exchanges. Such sites are usually very convincing and virtually indistinguishable from the originals, except for the URL. In the first half of the year, our security solutions prevented more than 100,000 attempts to redirect users to such resources.


Examples of phishing pages imitating the authorization pages of popular crypto exchanges

Another method of stealing money is to hack the service itself and siphon off funds from user accounts. A recent example of such a heist comes from South Korea, where the country’s largest exchange Bithumb was forced to cease trading following the theft of $32 million worth of virtual coins. And at the end of last year, having had 17% of all its assets swiped by cyber thieves, another crypto exchange, Youbit, also called time on trading.

Therefore, many users prefer to keep cryptocurrencies in their “own” wallets, of which there are two types: online and offline (desktop, hardware, paper). Online wallets are no safer than the ones held on exchanges: the private key is entrusted to a third party and the owner has no control over it. Hardware crypto wallets are considered the most secure. These are physical devices that generate and internally store a non-recoverable private key for the wallet. When performing a transaction, all operations take place inside the wallet, and only the electronic signature is issued externally.


A phishing email, supposedly from the Luno team, alerting the user to suspicious activity on their account and inviting them to click on a link to secure the account

The methods used to access online wallets are indistinguishable from classic phishing techniques: scammers create pages that mimic the authentication page of the target website. Links to fake resources are most often distributed via email with typical scare stories about accounts being blocked or unusual activity on them. The hook is to persuade users that they must go through identification to prevent losing funds.


Examples of phishing pages imitating the authentication pages of popular online crypto wallets

Delving deeper into phishing site scripts, it’s clear that in addition to logins and passwords, scammers also harvest information about IP addresses and user agents. With this data, cybercriminals can get around some anti-fraud systems by masquerading as the account owner.


Example of a phishing page imitating a BLOCKCHAIN.INFO wallet, and a snippet of code generating a message with data to be sent to the scammers

Fake registration

For the wallet-less, scammers have a separate scheme that involves luring them to fake crypto wallet sites, promising all sorts of registration “bonuses,” including, for example, a sum of cryptocurrency.

The simplest phishing pages simply collect users’ personal data, and then redirect them to the real site of the service. The more dangerous ones really do open wallets for the victim using the data they specify. As a result, the victim receives a confirmation message at the email address they provided and a personal account on the real online resource, lulling them into a false sense of security. But the wallet is compromised from the start, so as soon as any money appears there, it is quickly siphoned off.


A fake BLOCKCHAIN.INFO wallet registration form, the original confirmation letter of registration, and the fake personal account that the victim is redirected to after registration

It might seem that only online wallets and exchanges are targeted by phishers, but that’s not the case. For instance, fakes of MyEtherWallet, a solution that facilitates transactions with digital coins stored on users’ local PCs, are very popular.


A fake registration page replicating precisely the MyEtherWallet registration process

The registration procedure is exactly the same as the original, including downloading the Keystore file, required to access the funds. The private key, which the victim receives after such registration, is already compromised, and any money transferred to the wallet ends up in the hands of the scammers.

Fake mobile apps

Another attack vector is fake crypto storage software distributed through official app stores. Such programs often top the downloads, as in the case of a fake MyEtherWallet mobile app that became the third most popular finance app in the App Store.

Investments

According to CoinSchedule stats for 2018, at the time this article went to press, 427 ICOs (initial coin offerings) had been held and funds totaling more than $10 billion raised. The huge sums, the hype, and the lack of legislative control in many countries make ICOs a natural target for scammers.

One of the most common ways to steal funds is by sending phishing emails to potential investors. When an ICO is announced, email addresses of interested persons are often collected in order to notify them, for instance, about the start of the token selling. But the database of potential investors’ details could fall into the wrong hands. In this case, shortly before the actual start date, scammers send out emails saying that sales (or a preliminary round) have already begun and containing the number of the wallet to which funds should be transferred.


The Bee Token ICO: scammers managed to get hold of the emails of potential investors and send out a perfectly timed invitation specifying an e-wallet for the transfer of Ether tokens. This wallet pocketed 123.3275 Ether (about $84,162.37). The scammers also created several phishing sites masquerading as the official platform

Another common method is to create fake sites that mimic official ICO projects.


Fake ICO projects: the first page is located on the domain fantom.pub and mimics fantom.foundation, the real site of the FANTOM project; the second—hosted on sparkster.be—is a fake version of sparkster.me, the website of the SPARKSTER project

Links to such resources are distributed not only by email, IM, and social networks, but through ads in major search engines.


Advertising helps push this phishing site to the top of the search results

The more popular the project, the greater the number and the higher the quality of the fakes. Telegram’s ICO currently holds the record for investments raised. We found dozens of phishing resources exploiting this event, some of which looked very professional indeed. What’s more, the wallet addresses for victims to transfer money were created individually for each “investor,” making it harder to track the funds.

Coin dispensing

Airdrop

A crypto airdrop is a way of popularizing new virtual coins that are not yet available on exchanges. Anyone can receive an “airdropped” sum of new cryptocurrency in exchange for doing something to promote the project. For example, the user may need to subscribe to a Twitter account, make a repost, or write a blogpost.


After registration, this Tubig Blockchain Water airdrop scheme steals funds through a wallet verification phishing page

Similar schemes are used by scammers to lure users to websites of non-existent airdrops. After registering on the site of a non-existent project, the victim is directed to a wallet verification phishing site where they are asked to enter their private key or other personal information that cybercriminals can use to gain access to money.


Phishing page mimicking a crypto wallet site. Note the use of an “ł” character to create a domain name barely distinguishable from the original

Ironically, victims themselves contribute to the spread of such scams by reposting information and subscribing to fake company accounts in social media.
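The two kinds of lookalike domain described above, the TLD swaps (fantom.pub for fantom.foundation, sparkster.be for sparkster.me) and homoglyph names such as the “ł” domain, can both be caught by folding candidate domains to a comparison skeleton and checking them against a watchlist of the genuine sites. The code below is an added example for this page, not Kaspersky’s or any of the named projects’ code; the watchlist, the small confusables map, and the sample domains (including the constructed homoglyph błockchain.info) are assumptions made for the demonstration.

```python
import unicodedata

# Constructed watchlist: the legitimate sites the article names.
LEGIT_DOMAINS = {"fantom.foundation", "sparkster.me", "blockchain.info", "myetherwallet.com"}

# Hand-picked Latin lookalikes that Unicode normalization alone does not fold (assumption;
# a production check would use the full UTS #39 confusables table).
CONFUSABLES = {
    "ł": "l", "ı": "i", "1": "l", "0": "o",
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",  # Cyrillic
    "ο": "o", "α": "a", "ν": "v",                                           # Greek
}


def to_unicode(domain: str) -> str:
    """Return the lowercase Unicode form of a domain, decoding any punycode (xn--) labels."""
    try:
        return domain.encode("ascii").decode("idna").lower()
    except UnicodeError:
        return domain.lower()  # already Unicode, or not valid IDNA: compare as given


def skeleton(domain: str) -> str:
    """Fold a domain to a comparison skeleton: strip accents, lowercase, map lookalikes."""
    text = unicodedata.normalize("NFKD", to_unicode(domain))
    text = "".join(c for c in text if not unicodedata.combining(c))
    return "".join(CONFUSABLES.get(c, c) for c in text.lower())


def second_level(domain: str) -> str:
    """Label left of the TLD (assumption: no public-suffix list, so 'co.uk'-style suffixes
    are treated as ordinary labels)."""
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(domain: str, legit=LEGIT_DOMAINS):
    """Return (verdict, matched_legit_domain_or_None) for one candidate domain."""
    plain = to_unicode(domain)
    if plain in legit:
        return ("legitimate", plain)
    skel = skeleton(domain)
    # Same skeleton as a genuine site but a different string: homoglyph or digit-for-letter fake.
    for good in legit:
        if skeleton(good) == skel:
            return ("homoglyph", good)
    # Same name under another TLD, as with fantom.pub and sparkster.be.
    for good in legit:
        if second_level(skel) == second_level(skeleton(good)):
            return ("tld-swap", good)
    if any(ord(c) > 127 for c in plain):
        return ("non-ascii-unknown", None)  # not on the watchlist, but worth a human look
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed samples: the two fake ICO domains from the article, a constructed homoglyph of
    # blockchain.info in both Unicode and punycode form, and a digit-for-letter fake.
    samples = ["fantom.foundation", "fantom.pub", "sparkster.be", "błockchain.info",
               "błockchain.info".encode("idna").decode("ascii"), "myetherwa11et.com"]
    for d in samples:
        print(f"{d:32} -> {classify(d)}")
```

The punycode form is what appears in certificate transparency logs and DNS telemetry, so running the same check on both spellings is what makes the watchlist useful in a detection pipeline.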

Giveaway

One of the most common baits is the promise of free coins under the “give a bit, get a lot” motto. The user’s initial contribution is supposedly required for wallet verification purposes. To make the cover story more convincing, a list of transactions is displayed showing how the funds of other users of the service have magically multiplied, but in fact it’s just a pretty picture.


List of fake transactions with user “earnings”

In fact, all the transferred funds go to the scammers, which is confirmed by a simple check of the transactions made with the wallet number. The scheme is simple, yet there seems to be no lack of gullible users. One site alone (pictured above) received “contributions” worth 405.43 ETH, which at the current exchange rate is approximately $245,000.

Cybercriminals often mask such methods as bounty programs exploiting the names of well-known crypto wallets, exchanges, or ICOs:


A page offering coins seemingly on behalf of popular exchange Binance under the pretext of a bounty program. To receive the “reward,” users must verify their identity by transferring 0.3-5 ETH from their wallet to the one specified on the website, with the promise of a tenfold payback

Coin giveaways are sometimes announced as a thank you to users or to mark the company’s success; fake comments on the site about money received encourage victims to act rashly.

At first glance, the link in the image above points to the Bitfinex site, but the user is redirected to a phishing page:

Fake giveaways also exploit famous names. In the last couple of years, for instance, Twitter has become a hotbed of fake accounts masquerading as profiles of well-known companies and people, often linked in some way to the cryptocurrency industry. For example, there are numerous fake accounts in the name of Vitalik Buterin (cofounder of Ethereum) with information about a 100 ETH giveaway for the Ethereum community. To receive the money, users are again asked to transfer a certain sum to a specific wallet. Scammers often spread this information in the form of replies to posts from the original account.

Buterin’s name is so commonly exploited by scammers that he himself changed his account name to Vitalik “Not giving away ETH” Buterin:


The original account is marked with a special icon that guarantees the owner’s true identity

Fake accounts can generally be spotted by the lack of a verification badge next to the name (issued by the administration of the social network), a small number of subscribers and a recent registration date. But the mighty blue tick is not a cast-iron guarantee: there have been cases of cybercriminals buying verified accounts and changing the name (for example, to Pavel Durov, Telegram founder).

Attacks are more successful if accompanied by a news hook. For example, when Telegram suffered a blackout and Pavel Durov tweeted about it, a multitude of scam replies offered “compensation” in Pavel’s name. To obtain it, users had to go to a site and transfer a certain sum to the wallet number indicated, after which they could look forward to receiving 5-100 ETH in return.


A fake Pavel Durov account

Fairly large sums in various cryptocurrencies are also regularly offered on Twitter by phoney Elon Musks. Again, if 0.3-2 ETH is sent to a particular wallet, a payout ten times that amount is promised. Links in tweets point to sites similar to those described above, which specify a wallet number and show a constantly updated “list of transactions.” Scammers use bots to boost the number of likes for messages from fake accounts and leave gushingly positive comments.


Fake giveaways are also held in the name of Tesla

According to some estimates, scammers have collectively managed to extract around $4.9 million from trusting users of the microblogging service.

Don’t forget that scammers themselves sometimes transfer a certain sum to their wallets to assuage doubts about their legitimacy. However, the above examples show that a static image of a fake list of transactions is usually sufficient. Comments on the popular Etherscan token tracker contain heartfelt pleas either from duped users or from scammers looking to cash in on sympathizers:


Comments of a user who transferred 20 ETH to scammers

Whatever the case, the number of instances of naive users sending scammers their last savings in the hope of a windfall is large and rising.

How to avoid getting hooked

The chances of scammers losing interest in cryptocurrencies are zero: the entry threshold for the “business” is too low and the potential pickings are too juicy. Our rather rough estimates (based on data from more than a thousand ETH wallets used by cybercriminals) show that this past year they managed to earn more than 21,000 ETH (nearly $10 million at the current exchange rate), and that’s not even counting classic phishing and cases of generating individual addresses for each victim. Given the sheer scale of fraud, if you’ve decided to try your hand as a crypto investor, always follow these simple rules:

  • Remember that the only free cheese is in a mousetrap, so take tempting offers with a large pinch of salt.
  • Check information about giveaways and “charitable” actions in official and independent sources.
  • Use a third-party resource to verify the transactions on the wallet that you plan to entrust with your savings.
  • Wallets that have been spotted in fraudulent schemes are often flagged in token trackers and block explorers (online tools for viewing detailed information about cryptocurrency transactions).
  • Always check hyperlink addresses and URLs.
  • Bookmark the address of your wallet and access it only from there.

Hackers steal 600 gallons of fuel from a US gas station

We have read about credit card skimmers at ATMs or gas stations but how would someone hack into fuel pumps to steal gas? From recent hacks and data breach incidents, it seems the hackers have changed their targets. Apparently, cybercriminals have got their hands on a high-tech electronic device that allows them to steal gasoline from fuel pumps without getting caught. These hackers hacked a US gas station to pilfer 600 gallons of gas worth $1,800 and did so brazenly in the middle of the day.

The Detroit police department is looking for two men suspected in the larceny of fuel from a Marathon Oil Service Station in the 17800 block of W. Seven Mile on the city's west side.

The Marathon gas station suffered this attack at around 1pm on June 23, 2018, when two men pulled up to the pump for fuel. Reportedly, they took control of the pump through a remote device, which prevented the clerk present at the station from blocking the transaction from his system.

Anyone who recognises the suspects is asked to call DPD's Eighth Precinct.

According to Fox2Detroit, the clerk, Aziz Awadh, said about the incident, “I tried to stop it here from the screen but the screen’s not working. I tried to stop it from the system; nothing working.”

Awadh said that he was able to shut down the pump only after he found the emergency kit. He then called the police. By then, however, the hackers had managed to drain a large volume of fuel.

In a statement, Dontae Freeman, a Detroit police spokesman, told FOX that “the suspects had about 10 large vehicles lined up at the pump and filled their tanks with gas. He said investigators believe it took the suspects about 90 minutes to fill up the vehicles.”

Vulnerability in HP iLO 4 allows remote code execution

A vulnerability has been found in HPE Integrated Lights-Out 4 (iLO 4) servers that could allow remote code execution. It was first discovered in February 2017, and patches for it were released in August 2017.

HPE iLO 4 is an embedded server management tool used for out-of-band administration. Successful exploitation of this vulnerability is said to result in remote code execution or, in some cases, authentication bypass, as well as extraction of plaintext passwords, addition of an administrator account, execution of malicious code, or replacement of the iLO firmware.

This vulnerability in iLO cards could be used to break into many organizations' networks and potentially access highly sensitive or proprietary data, as these devices are extremely common among small and large enterprises alike.

The trio of security researchers who found the vulnerability, CVE-2017-12542, a year ago say that it can be exploited remotely over the Internet, putting all iLO servers exposed online at risk.

They added that it is essentially an authentication bypass that gives attackers access to HP iLO consoles, and that this access can then be used to extract cleartext passwords, execute malicious code, and even replace the iLO firmware. Exploiting the vulnerability requires only a cURL request to the affected server followed by 29 "A" characters.

The researchers published two GIFs showing how easy it is to bypass iLO authentication with their method, and how they were able to retrieve a local user's password in cleartext.

Further details on the vulnerability and exploit code were recently published in various open-source media reports, and a Metasploit module was also made available, significantly increasing the risk to vulnerable systems.

However, iLO server owners have no reason to panic: when the security research team found this vulnerability back in February 2017, they notified HP with the assistance of the CERT division at Airbus.

HP released patches for CVE-2017-12542 in August last year, in iLO 4 firmware version 2.54. System administrators who are in the habit of patching their servers regularly have therefore been protected against this bug for quite some time.
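The practical question for a defender is whether any iLO 4 in the estate is still below firmware 2.54, the release the article names as the fix. The following is an added example, not code from the article or from HPE: a small inventory check that reads an iLO's self-reported product name and firmware version and flags iLO 4 firmware older than 2.54. It assumes that the iLO answers an unauthenticated GET /xmldata?item=all with XML whose <MP> element carries <PN> (product name) and <FWRI> (firmware revision); the sample response below is constructed to that assumed layout and is not captured from a real device, so verify the format against your own hardware.

```python
"""Added example (not code from the article or from HPE): flag iLO 4 devices
whose firmware is older than 2.54, the fix for CVE-2017-12542 named above.

Assumption (verify on your own hardware): iLO answers an unauthenticated
GET /xmldata?item=all with XML whose <MP> element carries <PN> (product
name) and <FWRI> (firmware revision). SAMPLE_XMLDATA below is constructed
to that layout; it is not captured from a real device.
"""
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of the assumed xmldata response (not from a real device).
SAMPLE_XMLDATA = """<?xml version="1.0"?>
<RIMP>
  <HSI>
    <SBSN>CZ0000000X</SBSN>
    <SPN>ProLiant DL380 Gen9</SPN>
  </HSI>
  <MP>
    <ST>1</ST>
    <PN>Integrated Lights-Out 4 (iLO 4)</PN>
    <FWRI>2.53</FWRI>
    <HWRI>ASIC: 16</HWRI>
    <SN>ILOCZ0000000X</SN>
  </MP>
</RIMP>
"""

FIXED_ILO4_VERSION = "2.54"  # per the article: CVE-2017-12542 fixed in iLO 4 2.54


def fetch_xmldata(host, cafile, timeout=10):
    """Fetch /xmldata?item=all over HTTPS. `cafile` must contain the CA (or the
    self-signed certificate) the iLO presents; certificate checking stays on."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(f"https://{host}/xmldata?item=all",
                                context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def parse_ilo_xmldata(xml_text):
    """Return (product_name, firmware_version) from the xmldata XML; a missing
    or empty element yields None for that field."""
    root = ET.fromstring(xml_text)
    pn = root.find("./MP/PN")
    fw = root.find("./MP/FWRI")
    product = pn.text.strip() if pn is not None and pn.text else None
    firmware = fw.text.strip() if fw is not None and fw.text else None
    return product, firmware


def _version_tuple(version):
    """'2.53' -> (2, 53). iLO 4 publishes two-digit minors (2.53, 2.60, ...),
    so a numeric tuple compare is safe; non-numeric parts count as 0."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable_to_cve_2017_12542(product, firmware):
    """True only for iLO 4 firmware strictly older than the fixed release.
    Other iLO generations are out of scope for this check and return False."""
    if not product or not firmware or "iLO 4" not in product:
        return False
    return _version_tuple(firmware) < _version_tuple(FIXED_ILO4_VERSION)


def assess(xml_text):
    """Summarise one device: product, firmware, and whether it needs 2.54 or later."""
    product, firmware = parse_ilo_xmldata(xml_text)
    return {
        "product": product,
        "firmware": firmware,
        "needs_update": is_vulnerable_to_cve_2017_12542(product, firmware),
    }


if __name__ == "__main__":
    # Offline demonstration against the constructed sample.
    print(assess(SAMPLE_XMLDATA))
```

Run it over the output of fetch_xmldata() for each management address in your inventory; anything reported with needs_update set is an iLO 4 that has not received the 2.54 firmware. The certificate check is deliberately left enabled, since a management interface is exactly where a silently accepted wrong certificate would matter most.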

CVE-2018-13782 (entercoin)

The mintToken function of a smart contract implementation for ENTER (ENTR) (Contract Name: EnterCoin), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.

CVE-2018-13773 (netkillertoken)

The mintToken function of a smart contract implementation for Enterprise Token Ecosystem (ETE) (Contract Name: NetkillerToken), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.

CVE-2018-13780 (esh)

The mintToken function of a smart contract implementation for ESH, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.

CVE-2018-13735 (entertoken)

The mintToken function of a smart contract implementation for ENTER (ENTR) (Contract Name: EnterToken), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.

CVE-2018-13730 (hey)

The mintToken function of a smart contract implementation for HEY, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.

CVE-2018-13714 (cm)

The mintToken function of a smart contract implementation for CM, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.

CVE-2018-13708 (buytoken)

The mintToken function of a smart contract implementation for Order (ETH) (Contract Name: BuyToken), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.

CVE-2018-13707 (yss)

The mintToken function of a smart contract implementation for YSS, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.

CVE-2018-13691 (rtokenmain)

The mintToken function of a smart contract implementation for R Time Token v3 (RS) (Contract Name: RTokenMain), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.

CVE-2018-13684 (zip)

The mintToken function of a smart contract implementation for ZIP, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.

CVE-2018-13664 (cws)

The mintToken function of a smart contract implementation for CWS, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.

CVE-2018-13669 (ncu)

The mintToken function of a smart contract implementation for NCU, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
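All twelve CVE entries above describe the same defect: an owner-only mintToken whose unchecked uint256 additions wrap. The following is an added example, not code from any of the listed contracts: a Python model of EVM uint256 arithmetic that runs the typical `balanceOf[target] += mintedAmount; totalSupply += mintedAmount;` pattern once with wrapping addition and once with a checked (SafeMath-style) addition, so the failure mode and its mitigation sit side by side. The token, the "owner" and "victim" accounts, and the balances are constructed for the demonstration.

```python
"""Added example (not code from any contract named in the CVE entries above):
a model of the mintToken integer-overflow pattern those entries describe,
beside the checked version that prevents it.

EVM uint256 arithmetic wraps modulo 2**256. A typical mintToken does
    balanceOf[target] += mintedAmount;
    totalSupply += mintedAmount;
with no overflow check, so the contract owner can choose a mintedAmount that
wraps a holder's balance to any value. The hardened variant uses a checked add
(the SafeMath pattern) and reverts instead of wrapping. Accounts and balances
below are constructed for the demonstration.
"""

UINT256_MAX = 2**256 - 1


class Revert(Exception):
    """Stands in for an EVM revert (a failed require())."""


def wrapping_add(a, b):
    """Unchecked EVM-style addition: wraps modulo 2**256."""
    return (a + b) & UINT256_MAX


def checked_add(a, b):
    """SafeMath-style addition: reverts instead of wrapping."""
    c = a + b
    if c > UINT256_MAX:
        raise Revert("addition overflow")
    return c


class Token:
    """Minimal token with an owner-only mint, parameterised on the add it uses."""

    def __init__(self, owner, initial_supply, checked):
        self.owner = owner
        self.total_supply = initial_supply
        self.balance_of = {owner: initial_supply}
        self._add = checked_add if checked else wrapping_add

    def mint_token(self, sender, target, minted_amount):
        """Mirrors `function mintToken(address target, uint256 mintedAmount) onlyOwner`.
        Both new values are computed before either is stored, so a revert leaves
        the state untouched, as it does on the EVM."""
        if sender != self.owner:
            raise Revert("onlyOwner")
        if not 0 <= minted_amount <= UINT256_MAX:
            raise ValueError("mintedAmount is not a uint256")
        new_balance = self._add(self.balance_of.get(target, 0), minted_amount)
        new_supply = self._add(self.total_supply, minted_amount)
        self.balance_of[target] = new_balance
        self.total_supply = new_supply


def reverts(fn, *args):
    """True if calling fn(*args) reverts."""
    try:
        fn(*args)
    except Revert:
        return True
    return False


def demo(checked):
    """Constructed scenario: the owner holds 1,000,000 tokens and 'victim' holds
    1,000. The owner then 'mints' 2**256 - 995 to the victim.
    Unchecked: the victim's balance wraps from 1,000 down to 5 and totalSupply
    wraps with it. Checked: the call reverts and nothing changes.
    Returns (victim_balance, total_supply, reverted)."""
    token = Token(owner="owner", initial_supply=1_000_000, checked=checked)
    token.balance_of["victim"] = 1_000
    token.total_supply += 1_000
    reverted = reverts(token.mint_token, "owner", "victim", 2**256 - 995)
    return token.balance_of["victim"], token.total_supply, reverted


if __name__ == "__main__":
    print("unchecked:", demo(checked=False))  # (5, 1000005, False)
    print("checked:  ", demo(checked=True))   # (1000, 1001000, True)
```

The model makes the auditor's point concrete: a "mint" that can lower a balance is the symptom to look for, and the fix is the checked addition (Solidity 0.8 performs this check natively; earlier compilers need SafeMath or an explicit require). Note that the overflow is only reachable by the owner, so for the listed contracts the risk is one of trust in the deployer rather than exposure to arbitrary callers.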