Daily Archives: August 10, 2018

Google Public DNS turns 8.8.8.8 years old



Once upon a time, we launched Google Public DNS, which you might know by its iconic IP address, 8.8.8.8. (Sunday, August 12th, 2018, at 00:30 UTC marks eight years, eight months, eight days and eight hours since the announcement.) Though not as well-known as Google Search or Gmail, the four eights have had quite a journey—and some pretty amazing growth! Whether it’s travelers in India’s train stations or researchers on the remote Antarctic island Bouvetøya, hundreds of millions of people the world over rely on our free DNS service to turn domain names like wikipedia.org into IP addresses like 208.80.154.224.
Google Public DNS query growth and major feature launches

Today, it’s estimated that about 10% of internet users rely on 8.8.8.8, and it serves well over a trillion queries per day. But while we’re really proud of that growth, what really matters is whether it’s a valuable service for our users. Namely, has Google Public DNS made the internet faster for users? Does it safeguard their privacy? And does it help them get to internet sites more reliably and securely?

In other words, has 8.8.8.8 made DNS and the internet better as a whole? Here at Google, we think it has. On this numerological anniversary, let’s take a look at how Google Public DNS has realized those goals and what lies ahead.
Making the internet faster

From the start, a key goal of Google Public DNS was to make the internet faster. When we began the project in 2007, Google had already made it faster to search the web, but it could take a while to get to your destination. Back then, most DNS lookups used your ISP’s resolvers, and with small caches, they often had to make multiple DNS queries before they could return an address.

Google Public DNS resolvers’ DNS caches hold tens of billions of entries worldwide. And because hundreds of millions of clients use them every day, they usually return the address for your domain queries without extra lookups, connecting you to the internet that much faster.
DNS resolution process for example.org

Speeding up DNS responses is just one part of making the web faster—getting web content from servers closer to you can have an even bigger impact. Content Delivery Networks (CDNs) distribute large, delay-sensitive content like streaming videos to users around the world. CDNs use DNS to direct users to the nearest servers, and rely on GeoIP maps to determine the best location.

Everything’s good if your DNS query comes from an ISP resolver that is close to you, but what happens if the resolver is far away, as it is for researchers on Bouvetøya? In that case, the CDN directs you to a server near the DNS resolver—but not the one closest to you. In 2010, along with other DNS and CDN services, we proposed a solution that lets DNS resolvers send part of your IP address in their DNS queries, so CDN name servers can get your best possible GeoIP location (short of sending your entire IP address). By sending only the first three parts of users’ IP addresses (e.g. 192.0.2.x) in the EDNS Client Subnet (ECS) extension, CDNs can return the closest content while maintaining user privacy.

We continue to enhance ECS, (now published as RFC 7871), for example, by adding automatic detection of name server ECS support. And today, we’re happy to report, support for ECS is widespread among CDNs.

Safeguarding user privacy

From day one of our service, we’ve always been serious about user privacy. Like all Google services, we honor the general Google Privacy Policy, and are guided by Google’s Privacy Principles. In addition, Google Public DNS published a privacy practice statement about the information we collect and how it is used—and how it’s not used. These protect the privacy of your DNS queries once they arrive at Google, but they can still be seen (and potentially modified) en route to 8.8.8.8.

To address this weakness, we launched a public beta of DNS-over-HTTPS on April 1, 2016, embedding your DNS queries in the secure and private HTTPS protocol. Despite the launch date, this was not an April Fool’s joke, and in the following two years, it has grown dramatically, with millions of users and support by another major public DNS service. Today, we are working in the IETF and with other DNS operators and clients on the Internet Draft for DNS Queries over HTTPS specification, which we also support.

Securing the Domain Name System

We’ve always been very concerned with the integrity and security of the responses that Google Public DNS provides. From the start, we rejected the practice of hijacking nonexistent domain (NXDOMAIN) responses, working to provide users with accurate and honest DNS responses, even when attackers tried to corrupt them.

In 2008, Dan Kaminsky publicized a major security weakness in the DNS protocol that left most DNS resolvers vulnerable to spoofing that poisoned their DNS caches. When we launched 8.8.8.8 the following year, we not only used industry best practices to mitigate this vulnerability, but also developed an extensive set of additional protections.

While those protected our DNS service from most attackers, they can’t help in cases where an attacker can see our queries. Starting in 2010, the internet started to use DNSSEC security in earnest, making it possible to protect cryptographically signed domains against such man-in-the-middle and man-on-the-side attacks. In 2013, Google Public DNS became the first major public DNS resolver to implement DNSSEC validation for all its DNS queries, doubling the percentage of end users protected by DNSSEC from 3.3% to 8.1%.

In addition to protecting the integrity of DNS responses, Google Public DNS also works to block DNS denial of service attacks by rate limiting both our queries to name servers and reflection or amplification attacks that try to flood victims’ network connections.

Internet access for all

A big part of Google Public DNS’s tremendous growth comes from free public internet services. We make the internet faster for hundreds of these services, from free WiFi in San Francisco’s parks to LinkNYC internet kiosk hotspots and the Railtel partnership in India‘s train stations. In places like Africa and Southeast Asia, many ISPs also use 8.8.8.8 to resolve their users’ DNS queries. Providing free DNS resolution to anyone in the world, even to other companies, supports internet access worldwide as a part of Google’s Next Billion Users initiative.

APNIC Labs map of worldwide usage (Interactive Map)

Looking ahead


Today, Google Public DNS is the largest public DNS resolver. There are now about a dozen such services providing value-added features like content and malware filtering, and recent entrants Quad9 and Cloudflare also provide privacy for DNS queries over TLS or HTTPS.

But recent incidents that used BGP hijacking to attack DNS are concerning. Increasing the adoption and use of DNSSEC is an effective way to protect against such attacks and as the largest DNSSEC validating resolver, we hope we can influence things in that direction. We are also exploring how to improve the security of the path from resolvers to authoritative name servers—issues not currently addressed by other DNS standards.

In short, we continue to improve Google Public DNS both behind the scenes and in ways visible to users, adding features that users want from their DNS service. Stay tuned for some exciting Google Public DNS announcements in the near future!

Threat Roundup for August 3-10


Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Aug. 3 - 10. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this round up are:

  • Win.Malware.Dbzx-6628757-0
    Malware
    This is a variant of the Tspy family. It is able to execute after every reboot, making it persistent. It contacts domains that are related to RATs and are generally command and control (C2) servers to upload data, and receives additional commands. The samples are often packed and contain anti-debug tricks to complicate the manual analysis.
     
  • Win.Malware.Emotet-6628754-0
    Malware
    This cluster provides generic detection for the Emotet trojan that's downloaded onto a targets machine. Emotet is a banking trojan that has remained relevant due to its continual evolution to bypass antivirus products.
     
  • Win.Malware.Zerber-6629234-0
    Malware
    This is a malware identification for a ransomware variant of Cerber.
     
  • Win.Malware.Startsurf-6628791-0
    Malware
    Strtsurf is a trojan targeted at collecting personal information, and sometimes labeled as a potentially unwanted application (PUA) in other coverage signatures.
     
  • Win.Packed.Eorezo-6629326-0
    Packed
    This malware is known to enable the display of advertisements in Internet Explorer. It's also downloads several pieces of software and installs them in the background.
     

Threats

Win.Malware.Dbzx-6628757-0


Indicators of Compromise


Registry Keys
  • <HKLM>\Software\Wow6432Node\Microsoft\Tracing
Mutexes
  • QSR_MUTEX_HnRHWDxWQnveBdUtWT
IP Addresses
  • N/A
Domain Names
  • ip-api[.]com
Files and or directories created
  • N/A
File Hashes
  • 25430a357d53aec77dd1f119b838ceae79a22bb3a60c7a002cb7328b098546a7
  • 54279416f864d374f33fe9a2fe2998db3976c4ff43e8b0da006548489a50bbdd
  • 5ce812ebf77f6d63de37a1e3d261b9688d595aaeadaef3388f4214896bb64892
  • 810fb35557e051a7be3f03b37247c90796595a2d5afa1b2c3034187de2a3f0bc
  • 8f08bcadd3a44055a70dbae3308cf18c8d1824e424100eda03ddc71e9417fb5e
  • 9435b87c7c91ac98f9f461aeaa6b1630e2270e2d2ccdf6a05d46fa02de91d1eb
  • 9634a2afb40139e39da8c8ef0da8f5104229d7bb4c3b95faee5a4396713f528e
  • a137c89d2c6f0ae74217724e1cb56aea726e285d0e6e98adfda16617ad51d176
  • a2907c7011b20373fd47e03a0f4679fdd51b982b973bb37d1d45bfa4a618bc5a
  • b3c6a0883d9ed8bcf1bf162c0ade8b16f2cd4ae890e30ba9e9540f4bdf5f5ba1
  • ba5afe1245d10f72637d34a96bf6e365c2f4326da69dcd440beacf421b634133
  • cd3a4783c2795a16c82518c56f955c9b56f415d59ef5bc77e143f6124123364b
  • d0dbd75a4d8716ba7ca7d025ee1c772aa4ff554214a993b4b874a0a26dcf5a6c
  • e2116a9a176ff765f1c5ec23003266bfe0f1592e46e41236482ad4c3520ea53a
  • e2846881f6127d99222144e4ece509bd18522fdd7791bf84d7697b37ffa40919
  • efc3e1b1d6c13c3624160edc36f678dd92f172339bfde598ad1a95b02b474981
  • f7df8c9e36cf3440709111a33721e7ac7268a2a80057df08843ba95a72c222eb
  • fdd4cce37fd524f99e096d0e45f95ac4dac696c8d7e8eb493bb485c63409c7b3

Coverage


Screenshots of Detection

AMP



ThreatGrid




Umbrella


Win.Malware.Emotet-6628754-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • PEMB2C
  • PEM944
  • PEM80C
  • PEMA10
IP Addresses
  • 67[.]68[.]235[.]25
  • 187[.]192[.]180[.]144
Domain Names
  • N/A
Files and or directories created
  • %WinDir%\SysWOW64\TO5sH5uBMit.exe
File Hashes
  • 0406ad0fe90d371b02742e6821486abbfbf2bbd72a7593e8ddb650f0b97673b3
  • 0604aa87706cb7890075b494f026c88b2f03b621367f1bb62a87f5c5deb87870
  • 086af92d83279f5792c15a762a70e158de54b67c1a96bfc14c4ad52a24468f32
  • 10f13af2a3591efa3d58c47bb0635e3a653e14ec7726493bb4595b4dd8cd51cb
  • 127c316e7a10579e61369d6a8154e3e34726209b3cc075ddd6d9875c439c583e
  • 1fc9fda1b0c868dc7cb0cf6d8867b7aefc202436fe9e41cba5b2b35bb1ce9e9f
  • 23ba67cf24c95f3bfd36b66f822feb3d2fd0f72617921550fee034a1b7b8cc74
  • 27e37ac7cc8b48573a8345223399ce6b0ab9432ee977acf02c09bcf64cf6622d
  • 2bf1192e5200b6f8d25586908b05912a5fa6e06e87540dbb914200446a3deb10
  • 2ee83958eb1e8cb622ca833c38e51b53548d299b6574e5b7203741a2d27963f5
  • 2fca527cf8ebf4576e982118e22dfe3fd8e445749a5403dafed36089666f2357
  • 30bbfb79d26a172975e9482204f06423eff6948b1732384e7b6d23f9932ec08d
  • 30bf6e1a41dea6e4024853f9b7a6a878e4f5e4141dba4b0fe7686159925fe6cf
  • 42fca9d196c668747b74f80ca996aee9ae38bed96956b42436949a8d4d33ecf1
  • 45e6356ca3b373da3a80a72a1b64f1254f4426949598b8877abd6de99e379166
  • 4ac5db87bc83dcbf1399f4fc0fede3c5ecee5b8ef2a2500fd79b1588ef033429
  • 4b2f6d80bf78ad165c2f07d914cb4137ba31918f3f8f03f812b20715c3451f56
  • 4d7d9d73dad989590860178530dd8848d9b79a23f1cb379bc1ca5545cb196eca
  • 4e81241256ab4adb5bb96b21633d95773cc34ee72e499659064db0d32046dabf
  • 4ea92195bc159e268c7a348f2649010cb01a3e67c315d2f0b8115eaf2c879692
  • 5639d3af9cf530a057aebf3cbf92061b58539b2c311491a26d8f404a211d66bb
  • 59644dcd34cce275ff5d72c022fa76ac42a422b038d816909281e01e392d3b40
  • 599e4e8130e4a1f3f3777c6f9f088cc03c2781f4e802e0e16e417a43ec58c518
  • 5eef8b5433ebc22e4c9ea3c1462d525192a4bda8d20be4e7b09fe7d03fb9d119
  • 6238c7a704baa8771812e4f3452acb042c6475913db4cd57cfaf17a7454d4d22

Coverage


Screenshots of Detection

AMP




ThreatGrid


Win.Malware.Zerber-6629234-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: FlashPlayerApp
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
    • Value Name: Run
  • <HKCU>\SOFTWARE\MICROSOFT\COMMAND PROCESSOR
    • Value Name: AutoRun
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
    • Value Name: DefaultConnectionSettings
Mutexes
  • shell.{381828AA-8B28-3374-1B67-35680555C5EF}
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • %AppData%\Microsoft\Windows\Start Menu\Programs\StartUp\FlashPlayerApp.lnk
  • %AppData%\{6F885251-E36F-0FE6-9629-63208157D7A2}\FlashPlayerApp.exe
File Hashes
  • 25f8455b83b98f38809af120e35c3eda189a05538f7aa2d527a265520bc3c75e
  • 342a9470e5d3dd522c17cf0a5bc588d87a84689d90362c0b18c320385b2e908d
  • 41ebdf1d4a210f395d5ee32bf55c6b07ee1e0a0bdf939bd081f6d751323c643c
  • 54be105a129d959359107d7dff6b379cd366e32bf7be9ac9a06bc2141d3ca7fa
  • 5dce0e7e0a1807d2804f28c5d5afd4ac282a022acd1945786bd118e1caf4050c
  • 5fe244200c9367e1b132ccc13df6daaba5479d2491db8fe95658f43981567c5a
  • 6292ddf51023ccca84211ed4f33944b4c3df1b694d102d90d3dd2a5a080ed2b9
  • 649c52d7b9a58837e6ccd308665d63971e424d29480c44448ddbef15e91649a6
  • 6dd74f0816f8b24a6f93c2dae0c69d33689e4baba632605d138216d9c7aab2ba
  • 7322fb7767b733ef5a279720f581d54edae9ea4af69d39aaa3e79fc443e2bb33
  • 76be26ac77aa81a5fb7d78135adb05b579cecc2173ffef5f5ab6b484e37f9e6e
  • 793b978af24469a77490ea609de0142ff817e557ad78a688dd5d65c2fe49a8db
  • 7c0e65092e8786d9052bbd74f4dc7b26567e150efb25d1503c4bfd9b3895b8ab
  • 8815e1daad1f9cb4ff4243ff485218e3a0be93e2afef07048852ba79fdd9294e
  • 8e84fbc38403f1516447b73b73b5051777314089f0d1fefcfae004b1ef615641
  • a0e3bd64d556ce80b85b7d328bb61beeaf2da297dc09058211150617d6a83b8b
  • b6b3b53b1001b6de24797a89d61bd825760574ab4cb60f7a5971115acb53c8e4
  • ef66d0161200d413bb8a577a517fe03f325f2fd2f0df778f6297a8658ca0abc8
  • f25d03efc63cba1a262034382f809aaa5918f218b965164897df0c989a08dd04
  • f8ee14337fe367aded0aee32c6c84ce404eaef53a6f75d86c6c08235f55ec303

Coverage


Screenshots of Detection

AMP




ThreatGrid




Umbrella




Win.Malware.Startsurf-6628791-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • Local\MSCTF.Asm.MutexDefault1
IP Addresses
  • N/A
Domain Names
  • lip[.]healthcakes[.]men
Files and or directories created
  • N/A
File Hashes
  • 00cc9438408d1b22b0afc57e3b233ff62774cbcb92e58b392403d8c794d988ed
  • 118e08c379b0035cef2a155d59d97c6e8cae94b6f46c5e77f58d84c88c689d2c
  • 1f270dc860158d63bb400e08f12bce40a9a50494368ea6e44cfd89f7e0dc23f4
  • 3e49b3e58eec40b735124509bafcf434904f5945c9d65a5a860b0950850a979d
  • 4348a4b50eba73d6eb5d0d254241d0e44fc63c975b589ac5276d6dc5cf8bab13
  • 4a1c1cf9c70b127cc514fa6cdbb0e286ee33bf19f6ff41ca02951c9947dac55e
  • 4ae8cf675d6517b7989391fc653e8ddc96aa81cec4802e7e66de30adf0e96d2e
  • 527eac30113eb365330ec5c35591fe9ae69d4e1beca8b0ae24666e97d8773e36
  • 53366f90f59348b8de81bdc04652200d2dcf8bad5cfc46a533c3b20cd0e200b2
  • 5f98685ee9098a31ced944840670772bb972db31ac5d1690974e59f566d1adae
  • 61e7c5b6a7f1608cf0bf728d15f8cdfc0f9f5c7c3748ee28452cfa2a496e54cc
  • 70ebc88b9a71c661b68325dd92d0945ea1927e4d115da217640a4efefcf0c730
  • 722e86b32635a1cace77ceee414761f28e386743fd2c513650e55814179bdac5
  • 91bb8eb10e0aa88ea1e33d1ec23893d5a45e01e8ab69081b96835b4aff3b906a
  • 97645bb27e056b282a0aa46dbbc79ed03bdc29c6f96e369d7537ee2bb1c8dd6e
  • 9b36f0e70d5f7b4795b1278e052356484d4f2374f49563195f224ade6ce08c71
  • ac86cafcc7062a389e25a4e26dd15df7ce2e64b7a6890bf5712189ab9ec81c8c
  • c3883ba74230604d38a638a1b8d0673cc3c91e01b482e6b83a6e6bbd4edd3b10
  • c56e3ca164803c5668cf0b8228c97626c486f5a7063d4b3109840137b67c8f98
  • c82eaf2f1f156b95b43b2a984867e486911f6ceb329daea6ac9a6c53fae42685
  • ca544eaedd654782fa6b7a130bdc58869c2124a59754ed1baf9a5c00fafae12a
  • d4ab2cc67c707cab8f7aab0fde94b50670f1b787b049f45564fe5368205ed642
  • eac8c3c76e954d8e2be7a5d1570643b4ce6a856e8143faf6263ad50cf53aceb2
  • f0a9c1c2fc19b4abd905e8a2f187f94e74dfe1e7de2d9a5328b13893b301488d
  • fb2aa3891cc9383631ddcca4076ae800d67d701a7ffb83d48240cc1d72372175

Coverage


Screenshots of Detection

AMP




ThreatGrid




Umbrella



Win.Packed.Eorezo-6629326-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: 6518673
Mutexes
  • Amazonassistant2018
  • Windows Workflow Foundation 3.0.0.0_Perf_Library_Lock_PID_2c8
  • Windows Workflow Foundation 4.0.0.0_Perf_Library_Lock_PID_2c8
  • WmiApRpl_Perf_Library_Lock_PID_2c8
IP Addresses
  • N/A
Domain Names
  • www[.]wizzmonetize[.]com
  • ionesystemcare[.]info
  • www[.]rothsideadome[.]pw
  • www[.]usatdkeyboardhelper[.]pw
Files and or directories created
  • %ProgramFiles%\WJTLINYZUI\cast.config
  • %LocalAppData%\Temp\DaGXhZc6w\Nursehealth.exe
  • %System32%\Tasks\One System Care Monitor
  • %ProgramFiles% (x86)\OneSystemCare
  • %SystemDrive%\TEMP\config.conf
  • %LocalAppData%\Temp\U8R09Z5FM2\OneTwo.exe
  • %LocalAppData%\Temp\U8R09Z5FM2\up.exe
  • %WinDir%\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new
  • %ProgramFiles%\WJTLINYZUI\GCOMQP0KN.exe
File Hashes
  • 002d9959f5e7417cc2cbc657243f2dab82fac3d2e94fa2d0c8e45eda10889b08
  • 03c948623cf78efe90258d894ab0e793bca7009bd73d0be0f652575f81bda621
  • 0f8d729821902252b7f7a1c0d51004d3770356969e7181548126f13f1e2ebf2a
  • 1e64134ff7358ea6e632fd2377532491235cf089f33095a72552e150088b42f1
  • 1eed9456e69a80cb4e8444ad0356d71e09a073715f92e51afa008e80d2a0352a
  • 26f928ef89fde0e3e3fa996073c7c0bba00c2cbfe280de338de15367f4c8f76b
  • 2b0c6557b39ad8cca97ea6975aa3f4a8341774461b1bacab05d04ab20a9463eb
  • 3a5ac5c5ee7985367349d84d60be2c5f94f876c56cf73acbae6fc680ebbdb3c6
  • 47bcf1f1bca23a36e291a0ac4cb8d1cd59c0c80d6a8e3b2cc3d646284cc531d5
  • 4ae3efb9a9cca68c098dcdba33d2aef39888cf229cd02be64cbf59a0b68dae30
  • 5112edf0351d70ad31152f67e8996c9c4ad062f0023cfd43b4baecb8aa7b16b4
  • 52544303a89f2c4e3eedd64c000504a2ef4c920c20361961fc81cae3f520244f
  • 55e181f0e0e88efccf6534949ad8dd93a179e2b94b71e76a9e7db4d938ea2bd2
  • 56982cc1f4b4e92aea28a30684bdfc752122eb78fc545ccc3f4169a1597233cc
  • 5c3982a206d40ec00b2029d4bdde1bb37192341583e803556872b97a609411ae
  • 61ee5c724a4c9408e9c8120eabac1babea8e91bf5719b02c78ce129f68239ff6
  • 63cc723ad7e85798e9126f5cc933c48d0e3cdfa7504579ef0b0b3cced9cb19c8
  • 65a0bb3fd94ec888696598703ed111471bd47962278a5f1006e7e0716bd5b58e
  • 71d6d1ed9a5bd71e8dbd03a91151a2965ac12198fa1825366bf19c4b14106cb7
  • 71e3009284ae35a3087ef041162a2ada636b388738033ea62faefc2bbfca9dfc
  • 7e17ee126754a9306b4ffcf536f384abe5c718672807de1e27e7c7f3846d9e74
  • 85b36ab50aeb452822886815076c7c90c30273854496dde7fd3473e62119f672
  • 877b9a03f0b8763c265ecbc4be76ffafc9eb26c4b618c2827ce1e200797ca876
  • 885718a7bd95c44d14dec7f0efa101147b671e60a7ecac2622ac86061dab17f2
  • 9583c8f1f3c9982a45ed56fbc30f8be06708cfaa8557aa7f5b6117847018cd4f

Coverage


Screenshots of Detection

ThreatGrid



Umbrella



Hackers Tee Up a Ransomware Attack for the PGA Ahead of the 2018 Championship

Fore! That’s not a ball hitting the 9th hole, that’s a ransomware attack. You heard correctly – the PGA (Professional Golfers’ Association) was hit with a ransomware attack this week, just days ahead of its annual championship tournament. Specifically, the attack was on the PGA’s computer servers, and is keeping officials from accessing files, such as numerous PGA banners, logos, and signage, for the PGA Championship 2018.

Though it’s unsure how the crooks were able to get inside the PGA’s system, they have made their motives clear. Per Golfweek’s report, the cybercriminals left a message for the PGA staff, stating, “Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm.” “Any attempt to break the encryption could cause the loss of all of the work. This may lead to the impossibility of recovery of certain files,” the message threatened. They also included a Bitcoin wallet number for the PGA, however, the organization has yet to put anything in there.

That means, as of now, the PGA is still without access to a few of their promotional materials as their tournament is underway. However, the 2018 championship is still carrying on successfully, as planned.

Now, what can we take away from this situation? The tournament is still running smoothly, even despite the disruption from hackers. So, take a page out of PGA’s book – stand up to cybercriminals and don’t pay the ransom. Beyond not paying the ransom, here are a few additional security tips to follow if you’re ever faced with a ransomware attack on your personal device:

  • Keep your devices up-to-date. Though it’s not exactly known how cybercriminals gained access to the PGA’s systems, usually, ransomware attacks depend on a known vulnerability. So, make sure you update your devices’ software early and often, as patches for flaws are typically included in each update.
  • Do a complete backup. With ransomware attacks locking away crucial data, you need to back up the data on all of your machines. If a machine becomes infected with ransomware, there’s no promise you’ll get that data back – it could even become wiped entirely in some cases. Therefore, make sure you cover all your bases and have your data stored on an external hard drive or in the cloud.
  • Use decryption tools. No More Ransom, an initiative McAfee is a part of, has a suite of tools to free your data, each tailored for a specific type of ransomware. If your device gets held for ransom, start by researching what type of ransomware it is. Then check out No More Ransom’s decryption tools and see if one is available for your specific strain of ransomware.
  • Use comprehensive security. To be prepared for ransomware or any other type of cyberattack that may come your way, it’s important you lock down all your devices with an extra layer of security. To do just that, use a comprehensive security solution.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Hackers Tee Up a Ransomware Attack for the PGA Ahead of the 2018 Championship appeared first on McAfee Blogs.

Mind Map of Hack Me Practice sites

There's an excellent mind map of Internet practice sites set up to train pen testers by offering a place to practice their skills. Put out by Aman Hardikar, you can find the list here. There's also an URL only version here, which can be easier to read. Some of the sites are old, some brand new, and they are broken down into category for easy concentration on whatever you are learning. Aman has a whole catalog of other mind maps, found here.

Some VPN providers leak your IPv6 IP address

Just a short note. Today a friend called me if I could help him to get TV streaming from TV stations in the US running. When I looked at it, he even selected a VPN provider which offers servers in the US to circumvent the Geo restrictions, but still it didn’t work. He showed me the NBC website where the first ad was shown and than the screen stayed black. Having no experience with VPN providers and TV streaming sites I first checked the openvpn configuration and made sure that the routing table was correct (sending all non local traffic to the VPN). Looked good, so I opened the developer tools in the browser and saw following repeating.

 

Searching the Internet did not provide an answer … than I just tried to download the file with wget and I got following:

$ wget http://nbchls-prod.nbcuni.com/tve-adstitch/4421/xxxx-1.ts
--2018-08-10 19:20:20-- http://nbchls-prod.nbcuni.com/tve-adstitch/4421/xxxx-1.ts
Resolving nbchls-prod.nbcuni.com (nbchls-prod.nbcuni.com)... 2600:1406:c800:495::308, 2600:1406:c800:486::308, 104.96.129.98
Connecting to nbchls-prod.nbcuni.com (nbchls-prod.nbcuni.com)|2600:1406:c800:495::308|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2018-08-10 xx:xx:xx ERROR 403: Forbidden.

Seeing this it hit me … its using IPv6 … so I did a fast check with

% wget -4 http://nbchls-prod.nbcuni.com/tve-adstitch/4421/xxxx-1.ts
--2018-08-10 19:20:30-- http://nbchls-prod.nbcuni.com/tve-adstitch/4421/xxxx-1.ts
Resolving nbchls-prod.nbcuni.com (nbchls-prod.nbcuni.com)... 104.96.129.98
Connecting to nbchls-prod.nbcuni.com (nbchls-prod.nbcuni.com)|104.96.129.98|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 242520 (237K)

So with a IPv4 request it worked. His VPN provider was leaking the IPv6 traffic to the Internet – that is potentially a security/privacy problem as many use a VPN provider to hide them! So make sure to check before relying on the VPN security/privacy.

Latest on the Currys PC World Data Breach Impacting 10 Million Customers

Following further investigations, Currys PC World today confirmed 10 million of their customer personal details may have been stolen by hackers, a revised number from the 1.2 million customers and 5.9 million payment cards it advised back in June.

In June 2018, the company said there was "an attempt to compromise" 5.8 million credit and debit cards but only 105,000 cards without chip-and-pin protection had been leaked after hackers attempted access to company's payment processing systems.

The hack was said to have occurred nearly a year before it was disclosed, so it either went undetected, which is common where there is inadequate security monitoring in place, or the business knew about the breach but choose not to disclose it to their impacted customers.

The Information Commissioner's Office (ICO) fined the Dixons Carphone £400,000 for a data in 2015 breach, however, Currys PC World stated the incidents were not connected.

The business stressed it has now improved its security measures including enhanced controls, monitoring, and testing to safeguard customer information, and "trebling their investment in cybersecurity". Unfortunately, no details have been disclosed explaining how the hackers were able to access such large quantities of personal data. The company "security improvement" statement suggests their IT security was rather underfunded and not at a sufficient standard to adequately secure their business operations and customer data.

The ICO (statement) and the NCSC (statement) both have released statements in June about the breach. So we'll see what the ICO makes of it, but I think the business is likely to be fined again, although not the potentially massive GDPR penalties, as this data breach occurred before the GDPR came into force in May.

Customer statement by Currys PC World to their customers today

On June 13, we began to contact a number of our customers as a precaution after we found that some of our security systems had been accessed in the past using sophisticated malware.

We promptly launched an investigation. Since then we have been putting further security measures in place to safeguard customer information, increased our investment in cyber security and added additional controls. In all of this we have been working intensively with leading cyber security experts.

Our investigation, which is now nearing completion, has identified that approximately 10 million records containing personal data may have been accessed in 2017. This unauthorised access to data may include personal information such as name, address, phone number, date of birth and email address.

While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and we have no confirmed instances of customers falling victim to fraud as a result. We are continuing to keep the relevant authorities updated.

As a precaution, we are letting our customers know to apologise and advise them of protective steps to take to minimise the risk of fraud. These include:

If you receive an unsolicited email, letter, text or phone call asking for personal information, never reveal any full passwords, login details or account numbers until you are certain of the identity of the person making the request. Please do not click on any links you do not recognise.


If you think you have been a victim of fraud you should report it to Action Fraud, the UK’s national fraud and internet crime reporting centre, on 0300 123 2040*.

We also recommend that people are vigilant against any suspicious activity on their bank accounts and contact their financial provider if they have concerns.
You can find more information here


We take the security of your data extremely seriously and have previously announced that we have taken action to close off this access and have no evidence it is continuing. Nevertheless, we felt it was important to let customers know as soon as possible.

We continue to make improvements and investments to our security systems and we’ve been working round the clock to put this right. We’re extremely sorry about what has happened – we’ve fallen short here. We want to reassure you that we are fully committed to protecting your data so that you can be confident that it is safe with us.

Security Flaws & Fixes – W/E – 081018

Check Point Identifies Vulnerability Within WhatsApp (08/08/2018)
Check Point Software Technologies researchers have identified a new vulnerability for the WhatsApp that allows a threat actor to "intercept and manipulate messages sent by those in a group or private conversation." This flaw, it was noted, allows the hacker to steer potential evidence, create and spread misinformation, and steer potential evidence. Further information is available via the Check Point Web site.

IBM Details New "DeepLocker" Malware (08/08/2018)
IBM detailed new "DeepLocker" malware that employ AI (artificial intelligence). The PoC (proof-of-concept) issue - which was discovered by IBM Research and detailed at the Black Hat USA 2018 event - leverages visual, audio, geolocation, and system-level features, thus making it "challenging to reverse engineer" and "recover the mission-critical secrets." DeepLocker was designed in order to better understand how "AI and malware techniques" can be "combined to create a highly evasive new breed of malware" that "conceals its malicious intent."

Mozilla Issues Advisory Regarding Thunderbird 60 (08/06/2018)
Mozilla issued a security advisory regarding a series of vulnerabilities that it has patched in Thunderbird 60. This "critical" flaw offers risk to both the browser and other "browser-like contexts," and is caused by a potential buffer overflow when rendering canvas content. This, in turn, causes data to be written outside of currently computed boundaries to potentially result in an exploitable crash.

New Security Flaw Found to Impact Devices on Big 4 Wireless Carriers (08/08/2018)
The Department of Homeland Security (DHS) claims that customers of all four major wireless carriers are vulnerable to a new security flaw. The revelation was reported by news site Fifth Domain, with its sources claiming that the security flaw impacts users of several devices on the networks of Verizon WirelessAT&TT-Mobile and Sprint. While the DHS has not revealed the full details of the security issue, it claims that the problem could be exploited by malicious parties to allow them to access the user's data, emails and texts. A DHS program manager named Vincent Sritapan also told Fifth Domain that the vulnerability could be used to "escalate privileges and take over the device." Sritapan went on to suggest that even his team would be hard pressed to be able to detect when this had occurred on a given device. The team involved in discovering the flaw is slated to release additional information on its parameters later this week.

TSMC Semiconductor Production Hit with Virus (08/06/2018)
The manufacturer of processors used throughout Apple's line of products was hit with a computer virus that affected production lines and could impact shipping dates. Taiwan Semiconductor Manufacturing Company (TSMC) said that the virus outbreak was due to "misoperation" during the software installation process for a new tool. According to MacRumors, the virus is a variant of the 2017 WannaCry ransomware and affected facilities in Tainan, Hsinchu, and Taichung, including locations that produce Apple chips. TSMC CEO C.C. Wei ruled out the possibility of this being a targeted attack on his company, saying that an "unidentified vendor" inadvertently provided the company with the infected tool. The virus then spread once the tool was connected to TSMC's computer network. "We are surprised and shocked," Wei told reporters. "We have installed tens of thousands of tools before, and this is the first time this happened." Although TSMC's 12-inch wafer fabrication plants - where Apple's A12 processor is produced - were affected, TSMC says it "is expected to be able to fill orders on time for Apple Inc."

US-CERT Reports Linux Kernel Vulnerability (08/06/2018)
The US Computer Emergency Readiness Team (US-CERT) reported on a Linux kernel vulnerability that has been recognized by the US Department of Homeland Security (DHS)'s National Cybersecurity and Communications Integration Center (NCCS). This vulnerability affects versions 4.9 and greater of Linux, and could potentially allow the attacker to launch DOS (denial-of-service) conditions. The group is recommending that users review the vulnerability and apply any necessary updates.

VMware Issues Horizon Software Security Advisory (08/07/2018)
VMware issued a security advisory regarding Horizon 6, 7, and Client software. The company noted that it officially patched an "out-of-bounds" read vulnerability within the applications' Message Framework library that could allow a less-privileged user to leak information from a privileged process running on a system where Horizon Connection Server, Horizon Agent, and Horizon Client are installed.

NBlog August 11 – managing outsider threats

September's awareness seminar for management on "outsider threats" is coming along nicely.

This week I've been researching the web (well, OK, Googling) and exploring opinions, firstly on what "outsider threats" are, and secondly what to do about them.

It has been a frustrating few days, digging up the odd insightful nugget hidden under piles of tripe gently steaming away in Google-land. 

A disappointing majority of commentators seem oblivious to the distinctions between "threat", "vulnerability" and "risk", their confused language more than merely hinting at a fundamental lack of understanding of the concepts that underpin the field. One piece in particular made me laugh out loud, muddling up impacts with exposure.  [To be clear, over-exposure to the sun makes you red and sore.  Melanoma is the impact.  Muddle them up at your peril!]

Several are stubbornly and myopically focused on cyber, a few even defining "outsider threats" as if there is nothing but IT to worry about. If only it were that easy! Knock yerself out tackling hackers and malware, mate, while I get to grips with All The Rest Of It.  Yes, I know you have a tough job. Yes I know those haxx0rs and VXers are evl, cunning buggrz. And no, you don't deserve a raise for being a superhero.

Today, I've made the decision to explain the process of managing information risks, again, using outsider threats specifically to illustrate the steps. I say "again" because information risk management is one of the home bases to which we return in almost every NoticeBored module. It's one of the handbags we always dance around, so to speak. It's an old friend that's never out of line.



So, here's slide 13 from the management slide deck, a process overview that we'll build up over the 8 preceding slides using typical examples of "outsider threats" ... and vulnerabilities ... and impacts to explain each step, bringing the cascade to life. It's part awareness, part teaching, part exploring the topic, part demonstrating techniques. 

The trick, though, is to find engaging and insightful situations to illustrate each step. Drawing the process diagram took minutes. Preparing the sequence of slides, a few more minutes. Thinking up relevant examples will take me all weekend ... but luckily I can think about this while Doing Other Stuff - lambs to count, trees to plant, ditches to dig, that sort of thing.

Have a good weekend.