In part one of our two-part series, we explored how biometric authentication methods are being defeated. In the second part, we’ll explore how manipulating biometrics can alter society, and what can be done to avoid a biometric dystopia. Biometric authentication secures access to most consumer phones, many laptops and PCs, and even physical access to homes and offices. Many of the consequences of defeating biometric authentication are no different than those of defeating other forms … More
The sheer volume of data created by the Internet of Things (IoT) is increasing dramatically as the world is becoming progressively more connected. There is projected to be a mind-boggling 75 billion IoT devices in the world by 2025. Meanwhile, edge computing is set to be adopted into the mainstream by as early as 2020. This means that increasingly vast amounts of IoT data will be stored, processed and analyzed on the edge. While edge … More
In this Help Net Security podcast, Marco Rottigni, Chief Technical Security Officer for Qualys across EMEA, talks about the importance of IT asset management within digital transformation processes. He illustrates why it’s crucially important to understand what you have, and how to build security in versus bolting it on. Here’s a transcript of the podcast for your convenience. Hello, my name is Marco Rottigni and I work for Qualys as a Chief Technical Security Officer … More
The post The importance of IT asset management within digital transformation processes appeared first on Help Net Security.
The inability to adequately assess and understand the risks that vendors pose is becoming incredibly costly to healthcare providers, according to a new report by Censinet and the Ponemon Institute. According to the research, the yearly hidden cost of managing vendor risk is $3.8 million per healthcare provider, far surpassing the $2.9 million that each data breach costs providers. The cost across the healthcare industry is $23.7 billion per year. The research also indicates that … More
The post Yearly hidden costs of managing vendor risk? $3.8 million per healthcare provider appeared first on Help Net Security.
Artificial intelligence (AI) is rapidly finding applications in nearly every walk of life. Self-driving cars, social media networks, cybersecurity companies, and everything in between uses it. But a new report published by the SHERPA consortium – an EU project studying the impact of AI on ethics and human rights – finds that while human attackers have access to machine learning techniques, they currently focus most of their efforts on manipulating existing AI systems for malicious … More
Digital technologies such as cloud computing, big data, data analytics, IoT, artificial intelligence, augmented reality, and blockchain are gradually being leveraged in the defense industry at both agency and operational levels as change enablers, according to Frost & Sullivan’s latest analysis. The deployment of digital technologies improves legacy processes and enhances operation and mission efficiencies, which will, in turn, produce cost savings. “The rise of digital platforms is empowering the military, enabling better continuity of … More
The post The rise of digital platforms is empowering the military, but challenges remain appeared first on Help Net Security.
ADVA launched ADVA SatAware, the industry’s first AI-powered analytics service for monitoring the quality of GNSS-based timing. The unique solution provides communication service providers (CSPs) and other operators of critical infrastructure with real-time insight into signal quality at their GNSS satellite receivers. With the ADVA SatAware solution, operators can easily identify any physical objects blocking GNSS signals and resolve issues before they impact the synchronization network. The non-intrusive, cost-effective solution is specifically designed to meet … More
The post ADVA launches AI-powered analytics service for monitoring the quality of GNSS-based timing appeared first on Help Net Security.
It may be possible to democratize security by making it more accessible to average companies through community resources. We have an idea or two, but we would appreciate your thoughts. At the 2019 RSA security conference, Matt Chiodi, Chief Security Officer of Palo Alto Networks said “… small organizations are using on average between 15 and […]… Read More
The post Open Invitation to Help Develop Infosec Community Resources appeared first on The State of Security.
Quest Software, a global systems management, data protection and security software provider, announced the general availability of Quest QoreStor 6.0 to enable software-defined hybrid cloud secondary storage for businesses. With new feature enhancements to the award-winning QoreStor technology, along with enterprise-class compression and backup-vendor-agnostic deduplication technology, businesses can now take advantage of QoreStor’s Cloud Tier cloud-native storage technology to seamlessly streamline non-invasive long-term retention. QoreStor 6.0 also introduces a … More
The post Quest QoreStor 6.0 offers native cloud support and instant recovery appeared first on Help Net Security.
Nucleus Cyber, the intelligent data-centric security company for the modern workplace, at Microsoft Inspire in Las Vegas announced its NC Protect solution now utilizes MIP labels to enhance conditional access and data security controls in Microsoft platforms to guard against insider threats, sensitive data misuse, unauthorized sharing and exfiltration. Tom Hill, Managing Director at Slater Hill, a Microsoft Gold Partner for Portals and Collaboration, said, “We’re very excited about this new enhancement from Nucleus Cyber. … More
The post Microsoft data security improved with Nucleus Cyber MIP integration appeared first on Help Net Security.
Leading provider of blockchain-powered devices Pundi X has successfully completed integration support of its XPOS module on X990 made by US-based Verifone, one of the largest providers of traditional point-of-sale (POS) terminals in the world, to allow a wider network of retailers to accept payments in cryptocurrencies. With this integration, shops and retail outlets using the Verifone X990 with XPOS module activated will now be able to process cryptocurrency payments alongside traditional transactions. The XPOS … More
The post Pundi X completes integration support of its XPOS module on Verifone X990 appeared first on Help Net Security.
Saviynt, a trusted and award-winning provider of a leading intelligent, identity governance and management platform, announced support for the newly launched Amazon EventBridge, from Amazon Web Services (AWS). Amazon EventBridge is a serverless event bus service that connects applications using events. Events include security configuration changes, changes in application data, privilege access escalations, or joiner/mover/leaver/conversions in human resources (HR) systems. Amazon EventBridge allows Saviynt to further enhance and extend its services by publishing key events … More
Avast announced it has appointed Jaya Baloo to the position of Chief Information Security Officer (CISO), effective October 1, 2019. Jaya Baloo joins Avast from KPN, the largest telecommunications carrier in the Netherlands, where she held the position of CISO. Ms. Baloo has been formally recognized in the list of the top 100 CISOs globally and ranks among the top 100 security influencers worldwide. Ms. Baloo has been working in the field of information security … More
Last Friday, Cloudflare published a detailed blog post describing how a poorly implemented software deployment caused a massive CPU spike that rendered the Cloudflare service unavailable. Because Cloudflare servers couldn’t handle incoming HTTP requests, customer websites worldwide were unavailable for approximately 30 minutes.
A critical vulnerability affecting the Ad Inserter WordPress plugin could be exploited by authenticated attackers to remotely execute PHP code.
Security researchers at Wordfence discovered a critical vulnerability in the Ad Inserter WordPress plugin that could be exploited by authenticated attackers to remotely execute PHP code.
Ad Inserter is an ad management plugin that gives administrators advanced features for inserting ads at optimal positions. It supports major ad programs, including Google
The Ad Inserter WordPress plugin is currently installed on over 200,000 websites.
The security flaw resides in the authorization process implemented in the check_admin_referer
“The function check_admin_referer
“The WordPress documentation makes it clear, though, that check_admin_referer() is not intended for access control, and this vulnerability is a good example of why misusing nonces for authorization is a bad idea.”
Experts pointed out that nonces should never be relied on for authentication, authorization or access control.
“The weakness allowed authenticated users (Subscribers and above) to execute arbitrary PHP code on websites using the plugin,” the experts continue.
Authenticated attackers can bypass authorization checks implemented by the check_admin_referer
The experts discovered that the debugging feature can be triggered by any user who has the special cookie “Cookie: AI_WP_DEBUGGING=2.”
An attacker who has access to a nonce can trigger the debugging feature and can also abuse the ad preview feature by sending a malicious payload containing arbitrary PHP code.
The flaw affects all WordPress websites that
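The authorization gap described above, as an added illustration that is not the Ad Inserter code: a hypothetical WordPress AJAX handler that guards a privileged action with check_admin_referer() alone, beside the same handler with a capability check added. All plugin, option and action names are invented for the example, and the code assumes it is loaded inside WordPress.

```php
<?php
/**
 * Plugin Name: Example Settings Handler (hypothetical, for illustration only)
 *
 * Shows why a nonce is CSRF protection, not access control. A nonce only
 * proves the request came from a page WordPress rendered for this user and
 * action; any logged-in user (Subscriber and above) who is shown the nonce
 * holds a valid one, so a nonce check alone authorizes everyone logged in.
 */

// Vulnerable pattern: the only gate is the nonce check. A Subscriber with a
// valid nonce passes it and reaches the privileged update_option() call.
function example_save_settings_vulnerable() {
	check_admin_referer( 'example_save_settings', '_wpnonce' );

	// Privileged action reachable by any authenticated user.
	update_option( 'example_settings', wp_unslash( $_POST['settings'] ?? '' ) );
	wp_send_json_success();
}

// Hardened pattern: keep the nonce for CSRF protection, then enforce
// authorization with current_user_can() before doing anything privileged.
function example_save_settings_hardened() {
	// CSRF protection: dies with a 403 response on a missing or invalid nonce.
	check_ajax_referer( 'example_save_settings', '_wpnonce' );

	// Authorization: only users holding the capability may change settings.
	// wp_send_json_error() terminates the request, so no code below runs
	// for an unauthorized caller.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	// Input validation: reject non-string input instead of letting later
	// sanitization functions warn on arrays.
	$raw = $_POST['settings'] ?? '';
	if ( ! is_string( $raw ) ) {
		wp_send_json_error( array( 'message' => 'Invalid settings value.' ), 400 );
	}

	// Treat the input strictly as data: sanitize it and store it; never
	// evaluate request content as PHP code, whatever feature it arrives through.
	$settings = sanitize_text_field( wp_unslash( $raw ) );
	update_option( 'example_settings', $settings );
	wp_send_json_success( array( 'saved' => $settings ) );
}

// Only the hardened handler is registered; the vulnerable one is kept above
// purely for contrast and is never hooked.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_hardened' );
```

The capability to check depends on the action: 'manage_options' fits plugin settings, while an action that publishes content would be gated on 'edit_posts' or a narrower custom capability.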
Below the disclosure timeline:
July 12 – Vulnerability discovered by Wordfence Threat Intelligence Team
July 12 – Firewall rule released to Wordfence Premium users
July 12 – Plugin developer notified of the security issue
July 13 – Patch released
August 11 – Firewall rule becomes available to free users
(SecurityAffairs – Ad Inserter, WordPress plugin)
The post Flaw in Ad Inserter WordPress plugin allows remote attackers to execute code appeared first on Security Affairs.
The majority of security systems are installed to try to forestall external threats to a business’s network, but what about the security threats that are inside your organisation and your network?
Data breaches have the potential to expose a large amount of sensitive, private or confidential information that might be on your network. Insider threats are a significant threat to your business and are increasingly being seen as an issue that needs dealing with.
SecureTeam are experts in cybersecurity and provide a variety of cybersecurity consultation solutions to a range of businesses. They have used their extensive knowledge of internal network security to write this handy guide to help businesses protect themselves from insider data breaches.
Who is considered an Insider Threat?
Insider threats can come from a variety of different sources and can pose a risk to your business that you might not have considered.
Data breaches from internal threats have the potential to cause the loss of sensitive or confidential information that can damage your business’ reputation and cost you a significant amount of money. There are some ways you can attempt to prevent insider data breaches, however.
How to prevent Data Breaches
There are a few simple ways you can try to prevent an internal data breach, including:
Identify your Sensitive Data
Create a Data Protection Policy
Create a Culture of Accountability
Utilise Strong Credentials & Access Control
Review Accounts and Privileged Access
The threat of an insider data breach continues to be an issue for businesses across a range of sectors. However, putting a plan in place for insider security threats improves the speed and effectiveness of your response to any issues that arise.
It is sensible to assume that most, if not all, businesses will come under attack eventually; by taking the threat seriously and adhering to best security practices, you can help prevent an attack from turning into a full-blown data breach.
The npm installer for the PureScript package has been compromised.
The installer for PureScript package in the
Last week many developers reported several problems with the installer and PureScript contributor Harry Garrood found malicious code in its
Launching the installer by typing
The installer was originally developed and maintained by the Japanese developer Shinnosuke Watanabe (@shinnn); later, the maintainers of the project asked him to pass control of the installer to them.
The developer accepted the request but was disappointed
@shinnn claims that the
The malicious code was identified and removed by the maintainers of the project, who have also dropped Watanabe’s dependencies.
“If you want to be absolutely sure you do not have malicious code on your machine, you should delete your node_modules directories and your
A similar case recently impacted developers using the Ruby strong_password library, in which the attacker hijacked the account of the real developer and injected malicious code into the library.
The post The npm installer for PureScript package has been compromised appeared first on Security Affairs.
The past few weeks have proven to be wins for family safety with several top social networks announcing changes to their policies and procedures to reduce the amount of hateful conduct and online bullying.
Twitter: ‘Dehumanizing Language Increases Risk’
In response to rising violence against religious minorities, Twitter said this week that it would update its hateful conduct rules to include dehumanizing speech against religious groups.
“Our primary focus is on addressing the risks of offline harm, and research shows that dehumanizing language increases that risk . . . we’re expanding our rules against hateful conduct to include language that dehumanizes others based on religion,” the company wrote on its Twitter Safety blog.
Twitter offered two resources that go in-depth on the link between dehumanizing language and offline harm that is worth reading and sharing with your kids. Experts Dr. Susan Benesch and Nick Haslam and Michelle Stratemeyer define hate speech, talk about its various contexts, and advise on how to counter it.
Instagram: ‘This intervention gives people a chance to reflect.’
Instagram announced it would be rolling out two new features to reduce potentially offensive content. The first, powered by artificial intelligence, prompts users to pause before posting. For instance, if a person is about to post a cruel comment such as “you are so stupid,” the user will get a pop-up notification asking, “are you sure you want to post this?”
A second anti-bullying function new to Instagram is called “Restrict,” a setting that lets users discreetly block bullies from seeing their account. Restrict is a quieter way to cut someone off from your content than blocking, reporting, or unfollowing, which could spark more bullying.
These digital safety moves by both Instagram and Twitter are big wins for families concerned about the growing amount of questionable content and bullying online.
If you get a chance, go over the basics of these new social filters with your kids.
Other ways to avoid online bullying:
Wise posting. Encourage kids to pause and consider tone, word choice, and any language that may be offensive or hurtful to another person, race, or gender. You are your child’s best coach and teacher when it comes to using social apps responsibly.
Stay positive and trustworthy. Coach kids around online conflict and the importance of sharing verified information. Encourage your child to be part of the solution in stopping rumors and reporting digital skirmishes and dangerous content to appropriate platforms.
Avoid risky apps. Apps like ask.fm that allow anonymity should be off limits. Kik Messenger, Yik Yak, Tinder, Down, and Whisper may also present risks. Remember: Any app is risky if kids are reckless with privacy settings, conduct, content, or the people they allow to connect with them.
Layer security. Use a comprehensive solution to help monitor screentime, filter content, and monitor potentially risky apps and websites.
Monitor gaming communities. Gaming time can skyrocket during the summer, and in a competitive environment so can cyberbullying. Listen in and monitor game-time conversations, and make every effort to help your child balance summer gaming time.
Make profiles and photos private. Require kids under 18 to make all social profiles private. By doing this, you limit online circles to known friends and reduce the possibility of cyberbullying and online conflict.
The post Family Safety: Twitter, Instagram Beef Up Measures to Fight Hate Speech, Bullying appeared first on McAfee Blogs.
While there is significantly more to be done to protect our data, consumers have never been better apprised of the imperiled state of their privacy. That said, it’s still an acute problem. The air travel equivalent would be when the cabin depressurizes and oxygen masks drop. In the dramatic destabilization that has occurred to our collective privacy over the past 15 years, the trigger event–a mixture of Facebook arrogance and the Equifax breach–has come and gone, but kids have not yet received the crucial attention needed to protect their data.
A recent study shows that nearly 40% of Amazon Prime Day shoppers have actively avoided Alexa-enabled products because they are concerned about the possibility of eavesdropping. Mozilla Firefox now features enhanced tracking protection as a default behavior. And, Apple CEO Tim Cook memorably doubled (if not tripled) down on prioritizing user privacy as the parade of Facebook stories rattled consumers to the core. More recently, New York State introduced legislation to update its data protection and privacy laws, and California’s new privacy law, modeled on the EU’s GDPR, goes into effect January 1, 2020.
Even with all the positive news from the frontlines of protecting consumer information, the safeguarding of children’s data still has a long way to go.
Consider just one recent story. Video-sharing giant YouTube is currently being investigated for the illegal collection of data from users under the age of 13 (competitor service TikTok recently paid $5.7 million in fines for similar practices), and Amazon.com’s Echo Dot is the focus of a class action suit for illegally recording children. A recent study from UC-Berkeley found that 57% of apps listed under Google Play’s “Designed for Families” section collected data on children under the age of 13 in direct violation of COPPA, the Children’s Online Privacy Protection Act.
How Did We Get Here?
Unless you have been living in an upside-down chowder bowl on the bottom of Cape Cod Bay, tracking and trafficking in the online browsing habits of children should come as no surprise. While there’s a massive industry for all user data, from online quizzes to browsing habits to online purchases, kids’ online worlds make them easy prey for pretty much every monetized online behavior out there.
ISPs, mobile carriers, social media providers, and web browsers are currently making a very healthy profit from the data associated with your day-to-day life, both on- and offline. Children are the Holy Grail for advertisers, and represent a sizable chunk of the consumer market. Their data is just as valuable as those of adults, if not more so.
While children are supposed to be protected under COPPA, the regulations have gone largely unchanged since it was passed in the late 90s, and became the law of the land in 2000. File under: “Man plans, God laughs.” Meanwhile, the Internet made Las Vegas look like a sad, poorly planned desert boom town gone bust. The surveillance economy didn’t exist when COPPA was conceived, and it needs to be updated to address our new world of constant, persistent, near-total exposure.
What is COPPA and Why Is it Failing?
The broad strokes of COPPA are straightforward: Websites aren’t allowed to collect information associated with children under the age of 13 without the express consent of a parent or guardian.
While this sounds reasonable, it also contains a major and easily exploited loophole: there is no liability for non-compliance if, for instance, a company or provider is not aware that a given piece of information belongs to an underage user. In short, if they don’t ask for the age of the user, they’re off the hook.
When COPPA went into effect, the internet had roughly 361 million users worldwide. For context, Facebook alone currently has 2.38 billion monthly active users. Only 3% of households in 2000 had broadband Internet access, with roughly a third of households being on dial-up internet.
We’ve come a long way (for better and worse). Currently 80% of pre-teens use social media, despite the fact that the most widely-used platforms all prohibit accounts for anyone under 13.
COPPA’s idea of children requiring permission from a parent made more sense when Internet access was mainly accomplished using a land line phone connection. The law neither allowed for nor expected multi-device households, with children able to connect to the Internet via IoT devices, tablets and mobile devices over a continuous wireless connection. It didn’t anticipate the rise of “free” apps that would track the activity of every user in exquisite detail. Had the framers of COPPA foreseen the advent of the surveillance economy, chances are pretty good they would have been busy chasing seed money in the late ’90s.
Connected devices are designed to be as user friendly as possible, which makes them child accessible. When Disney acquired Fox, that consolidation gave the new larger entity access to giant portfolios of underage-user data. It probably should have been COPPA’s Equifax moment, but if we’re going to keep it real, Equifax probably should have had a Home Depot moment. We live in a time when the profitability of a privacy depredation makes progress hard to come by.
Since it’s no mean feat to determine the age of a user, maybe it’s time to assume users are underage, and be more restrictive with captured data. Whatever happens next, the protection of children’s data is a problem in sore need of solutions as quickly as possible. There is too much at stake.
The post Tech Giants Are Using Children’s Online Data Like It’s 1999 (or ’98, to Be More Precise) appeared first on Adam Levin.
The Bank of England has announced that Alan Turing’s face will grace the new £50 note.
Oracle to Release Critical Patch Update
“While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update Advisory,” Oracle wrote.
The Critical Patch Update is a collection of patches for multiple security vulnerabilities, and the July 16 update contains 322 new fixes. Six of the security vulnerabilities were reportedly discovered by the Onapsis Research Labs team.
"Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible," the announcement stated.
Two of the six different patches that were originally reported by the Onapsis Research Lab team addressed "critical vulnerabilities in the Oracle E-Business Suite (EBS), which has been deeply researched by Onapsis in the last few years,” researchers wrote. “Successfully exploiting these vulnerabilities may allow an attacker three critical scenarios compromising the integrity and availability of EBS: remote code execution in the server, remote code execution in the client and a Denial of Service.”
The two vulnerabilities reported by Onapsis are an unrestricted file upload, which was originally reported in November 2018 and leads to remote code execution (CVSS 9.1), and a reflected server-side request forgery, which was originally reported in April 2019 and can lead to a denial of service (DoS) and a client-side remote code execution (CVSS 9.6).
If left unpatched, these vulnerabilities have the potential to allow remote code execution and DoS; disrupting a critical service such as an ERP system makes this a critical attack, since it affects the availability, confidentiality and integrity of the data.
“Both vulnerabilities allow remote command execution, one in any EBS client and the other one directly on the server side. Even though all the announced CPUs should be applied, these critical vulnerabilities must be immediately addressed, and customers should prioritize implementation of the patches in order to avoid malicious exploitation,” the blog stated.
Have you ever felt the cold chill in your spine when the “fix engine” light comes on in your car? How about when one of your children turns pale and gets their first fever? It’s a feeling of helplessness and concern regarding what could be wrong. Then there’s the feeling of relief that comes with understanding, even if it’s only partial understanding. We give the child medicine and the fever fades. We add oil to the engine and the light goes off. The human mind often wants to take the easiest path away from fear and stress. But these solutions only fix the symptoms, leaving the cause of the issue unaddressed. The same thing is true in security related situations.
The Microsoft Detection and Response Team (DART) recently worked with a customer who had been subject to a targeted compromise, one where the entity was intently and purposefully attempting to get into their systems. The attack came through one of the customer’s child organizations, which was initially compromised. The parent organization shares a trust with the child organization. During an investigation of the child organization, the parent organization was notified that attackers had migrated their access foothold into the parent network. The parent organization was able to take immediate steps to stop the malicious activities, just before things could have gotten very serious.
From a security perspective, the customer has addressed the symptom (a known compromise) but missed the opportunity to address the core issues that allowed the compromise. It’s not unusual for an organization to shift to the perspective that everything is now better. But it’s never quite so simple.
For DART, one of our key responsibilities is helping our customers understand what happened, how it happened, how long it’s been happening, the potential impact to the organization, and how the customer can improve their protection, detection, and response mechanisms to be better prepared in the future.
Understanding a compromise
Let’s dissect this story a bit more to better understand what happened. The example customer is a global company, with dozens of child organizations around the globe, all connected to the same Active Directory architecture. From a customer perspective, the IT and security functions are decentralized at each child, with each region retaining autonomous control over the operation of their data resources. This takes the pressure off the parent organization by delegating administrative processes like patching, account management, and configuration management to administrators at the child organization; and allowing the parent to focus primarily on critical business operations and their own IT and security.
Each of the child organizations operates their own Active Directory forest for their users and systems, and a majority of these organizations have a two-way trust with the Active Directory in the parent organization. Roughly half of these trusts have no security identifier (SID) filtering in place to restrict account movement between the various forests. The parent organization’s incident was possible because a compromised account was allowed to move into their network, unhindered. In fact, a compromise in any of the other child organizations would have the same result, creating legitimate risk for the parent and all the other connected child organizations.
How DART helps customers address underlying risks
DART spent days trying to weave a story for the customer explaining the real risk to the organization, even though this specific attack had been blocked. There are a number of systemic issues that worked together to create the risk to the customer networks. Patching was sporadic, and due to the decentralized nature of both the information technology (IT) and security processes across the various organizations, there were large numbers of systems with known vulnerabilities. The decentralized nature of the network also created blind spots in security monitoring across the various forest and network boundaries. The customer could not have detected the lateral movement of bad actors on the network because they weren’t watching those boundaries.
Finally, the lack of configuration management across the company allowed users to have excessive account privileges and to install unsafe software packages. This resulted in large numbers of dangerous software packages being installed on user systems with privileged access—simply because users opened email attachments, clicked a link, or installed questionable software downloaded from the internet, such as key generators for commercial software products.
The large number of potentially unwanted applications (PUAs) and malware present on the network was clear evidence of the issues facing the customer. A compromised user in one segment of the customer organization creates risk for the entire company. Faced with the reality of the situation, the customer shifted perspectives to improving the security of their environment.
To start, the customer needed to get a handle on the configuration and security of the various arms of the organization. Centralizing IT and security functions would allow for consistent patching, secure account management, and security monitoring. Two-way trusts putting the organization at risk should be managed with appropriate SID filtering, reduced to one-way trusts as needed, or removed from a trust relationship altogether, depending on business need. Standardized security software, such as anti-malware solutions with automatic updates, would provide detection of malware much more quickly on endpoints. Security monitoring at all key network boundaries would create immediate alerts when malicious software or bad actors attempt to move across the environment or create persistence points. A sensible and centralized management plan would enable the customer to protect, detect, and respond to incidents.
It’s easy to forget that security incidents are sometimes symptoms of a bigger problem facing the organization. Leadership would benefit from taking a step back from current events to work with their team and determine where the real security issues exist, and what’s needed to make the organization more secure. In essence, a security aspirin will help lower our fever, but it’s a temporary fix. The fever will return, and it could be worse. It’s more effective in the long run to obtain the needed X-rays or take appropriate blood tests to determine how sick the network is, and what treatment options will remove the key risks to network health.
To learn more about DART, our engagements, and how they are delivered by experienced cybersecurity professionals who devote 100 percent of their time to providing cybersecurity solutions to customers worldwide, please contact your account executive. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
Amazon Prime Day is becoming one of the hottest shopping periods for the summer. However, it is also becoming one of the hottest opportunities for cybercriminals, as hackers target shoppers in a number of ways during peak shopping moments to steal personal data or financial information. In fact, researchers at McAfee Labs have uncovered a phishing kit specifically created to steal personal information from Amazon customers in America and Japan.
How exactly does this phishing kit work? The kit allows hackers to create phishing emails that look like they have come from Amazon. The emails prompt users to share their login credentials on a malicious website. Once the victim hands over their login, the hackers can use the victim’s account to make fraudulent purchases and steal their credit card information saved in their Prime account.
According to McAfee Labs researchers, this phishing scam has already seen widespread use, with over 200 malicious URLs being used to prey on innocent online shoppers. Additionally, the phishing kit is being sold through an active Facebook group with over 300 members and 200 posts in recent weeks. McAfee has notified Facebook of the existence of this group. The social network has taken an active posture in recent months of taking down groups transacting in such malicious content.
So, what does this threat mean for Amazon users? If you’re planning on participating in Prime Day, follow these security steps to help you swerve malicious cyberattacks:
- Beware of bogus deals. If you see an ad for Prime Day that looks too good to be true, chances are that the ad isn’t legitimate.
- Think before you click. Be skeptical of ads shared on social media sites, emails, and messages sent to you through platforms like Facebook, Twitter, and WhatsApp. If you receive a suspicious message regarding Prime Day, it’s best to avoid interacting with the message.
- Do your due diligence with discount codes. If a discount code lands in your inbox, you’re best off verifying it through Amazon.com directly rather than clicking on any links.
If you do suspect that your Amazon Prime account has been compromised due to a cyberthreat, take the following steps:
- Change your password. Change the passwords to any accounts you suspect may have been impacted. Make sure they are strong and unique.
- Keep an eye on your bank account. One of the simplest ways to determine whether someone is fraudulently using your credit card information is to monitor your bank statements. If you see any charges that you did not make, report it to the authorities immediately.
- Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you monitor your accounts and alert you to any suspicious activity.
The post Ready, Set, Shop: Enjoy Amazon Prime Day Without the Phishing Scams appeared first on McAfee Blogs.
The cybercriminals behind the GandCrab ransomware-as-a-service (RaaS) offering recently announced they were closing up shop and retiring after having allegedly earned more than $2 billion in extortion payments from victims. But a growing body of evidence suggests the GandCrab team have instead quietly regrouped behind a more exclusive and advanced ransomware program known variously as “REvil,” “Sodin,” and “Sodinokibi.”
“We are getting a well-deserved retirement,” the GandCrab administrator(s) wrote in their farewell message on May 31. “We are a living proof that you can do evil and get off scot-free.”
However, it now appears the GandCrab team had already begun preparations to re-brand under a far more private ransomware-as-a-service offering months before their official “retirement.”
In late April, researchers at Cisco Talos spotted a new ransomware strain dubbed Sodinokibi that was used to deploy GandCrab, which encrypts files on infected systems unless and until the victim pays the demanded sum. A month later, GandCrab would announce its closure.
Meanwhile, in the first half of May an individual using the nickname “Unknown” began making deposits totaling more than USD $130,000 worth of virtual currencies on two top cybercrime forums. The down payments were meant to demonstrate the actor meant business in his offer to hire just a handful of affiliates to drive a new, as-yet unnamed ransomware-as-a-service offering.
“We are not going to hire as many people as possible,” Unknown told forum members in announcing the new RaaS program. “Five affiliates more can join the program and then we’ll go under the radar. Each affiliate is guaranteed USD 10,000. Your cut is 60 percent at the beginning and 70 percent after the first three payments are made. Five affiliates are guaranteed [USD] 50,000 in total. We have been working for several years, specifically five years in this field. We are interested in professionals.”
Asked by forum members to name the ransomware service, Unknown said it had been mentioned in media reports but that he wouldn’t be disclosing technical details of the program or its name for the time being.
Unknown said it was forbidden to install the new ransomware strain on any computers in the Commonwealth of Independent States (CIS), which includes Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine and Uzbekistan.
The prohibition against spreading malware in CIS countries has long been a staple of various pay-per-install affiliate programs that are operated by crooks residing in those nations. The idea here is not to attract attention from local law enforcement responding to victim complaints (and/or perhaps to stay off the radar of tax authorities and extortionists in their hometowns).
But Kaspersky Lab discovered that Sodinokibi/REvil also includes one other nation on its list of countries that affiliates should avoid infecting: Syria. Interestingly, later versions of GandCrab took the same unusual step.
What’s the significance of the Syria connection? In October 2018, a Syrian man tweeted that he had lost access to all pictures of his deceased children after his computer got infected with GandCrab.
“They want 600 dollars to give me back my children, that’s what they’ve done, they’ve taken my boys away from me for some filthy money,” the victim wrote. “How can I pay them 600 dollars if I barely have enough money to put food on the table for me and my wife?”
That heartfelt appeal apparently struck a chord with the developer(s) of GandCrab, who soon after released a decryption key that let all GandCrab victims in Syria unlock their files for free.
But this rare display of mercy probably cost the GandCrab administrators and its affiliates a pretty penny. That’s because a week after GandCrab released decryption keys for all victims in Syria, the No More Ransom project released a free GandCrab decryption tool developed by Romanian police in collaboration with law enforcement offices from a number of countries and security firm Bitdefender.
The GandCrab operators later told affiliates that the release of the decryption keys for Syrian victims allowed the entropy used by the random number generator for the ransomware’s master key to be calculated. Approximately 24 hours after NoMoreRansom released its free tool, the GandCrab team shipped an update that rendered it unable to decrypt files.
There are also similarities between the ways that both GandCrab and REvil generate URLs that are used as part of the infection process, according to a recent report from Dutch security firm Tesorion.
“Even though the code bases differ significantly, the lists of strings that are used to generate the URLs are very similar (although not identical), and there are some striking similarities in how this specific part of the code works, e.g., in the somewhat far-fetched way that the random length of the filename is repeatedly recalculated,” Tesorion observed.
My guess is the GandCrab team has not retired, and has simply regrouped and re-branded due to the significant amount of attention from security researchers and law enforcement investigators. It seems highly unlikely that such a successful group of cybercriminals would just walk away from such an insanely profitable enterprise.
Last Valentine’s Day, we made a fearless declaration here on Hackercombat.com that TrickBot was shaping up to become the “malware of the year”, due to its massive campaigns infecting computers worldwide. That remains our forecast: TrickBot was recently named by DeepInstinct security researchers as responsible for the compromise of at least 250 million email accounts. It rode on the massive volume of spam email sent from computers that were already infected, in a campaign to cast a wider net for the banking trojan.
TrickBot used to spread by abusing the flawed SMB protocol in unpatched versions of Windows, navigating shared network files and installing itself deep into the operating system. With the update known as “TrickBooster”, TrickBot received the biggest facelift in its history: the banking trojan can now tap the address book of the mail client installed on the infected computer and send phishing emails to all of the user’s contacts. According to DeepInstinct’s research on the new version of TrickBot, using the victim’s contacts further increases the trojan’s chances of infecting more machines than it did before.
The new spam emails are unique, able to bypass the tried and tested antispam defenses established by Outlook.com, Yahoo Mail and Gmail. In fact, the most heavily targeted email domain turned out to be @gmail.com, with 25 million unique instances of spam emails carrying TrickBot. Yahoo Mail came second, with 21 million of its customers receiving the spam email at least once, followed by Outlook.com users with 11 million instances.
“We analyzed the malware sample and found swaths of PowerShell code in its memory. Analysis of this PowerShell code immediately led us to the conclusion that we are dealing with a mail-bot. We discovered more samples of the malware, both signed and not, additional infrastructure used in the campaign – both to distribute (infection points) and control the malware (C2 Servers),” explained Shaul Vilkomir-Preisman, security researcher at DeepInstinct in their official website blog.
The new strain has the capability to hook into Outlook.exe, create a parallel thread, and then execute a COM-based command. It obtains a Microsoft.Office.Interop.Outlook instance through CoCreateInstance and hooks into OUTLOOK.exe via the OleRun function. TrickBot 2.0 also incorporates advanced features that aid its proliferation, such as cookie theft and the use of legitimate-looking digital certificates for the Microsoft Office attachments on which it piggybacks.
Rumors circulating online suggest that TrickBot’s new version was able to reach the mailboxes of United States federal agencies such as the Department of Transportation; NASA; Federal Aviation Administration; Internal Revenue Service; Social Security Administration; Department of Justice; Department of Homeland Security; Bureau of Prisons; and Bureau of Alcohol, Tobacco and Firearms.
Compared with the espionage accusations against China’s Huawei Technologies, the TrickBot authors have demonstrably succeeded in stealing not only personally identifiable information but also banking data of Americans and other nationalities. “We continued monitoring the campaign and the infrastructure involved in it, both its infection points and C2 Servers, which were going on and off line, and employing various Geo-IP restrictions and other mechanisms to hamper analysis. It was at one of these servers that we found something that made us realize how successful this campaign is – an Email dump containing approximately 250 million Email addresses,” concluded Vilkomir-Preisman.
The post TrickBot’s “TrickBooster” Update Compromised 250M Emails appeared first on .
Monroe College Campuses Downed by Ransomware
Multiple campuses of Monroe College have had their systems downed after a ransomware attack reportedly struck the for-profit institution on July 11.
The attack reportedly affected each of Monroe’s campuses in Manhattan and New Rochelle, New York, and St. Lucia, and emails have been compromised. Infosecurity contacted Monroe College via the email listed on its website, but the message was returned as undeliverable, indicating that systems are still downed.
The college took to Twitter to share the news with its online students.
In a statement, Marc Jerome, president of Monroe College, said, “Our team is working feverishly to bring everything back online, and we are working with the appropriate authorities to resolve the situation as quickly as possible,” according to Insider Higher Ed.
“In the meantime, Monroe continues to operate. We’re simply doing it the way colleges did before email and the internet, which results in more personal interactions. As we have done throughout our 86-year history, we are coming together to assure that our students, faculty and staff are well served.”
An attacker demanded the college pay $2 million to have its files decrypted. Jackie Ruegger, executive director of public affairs at the college, reportedly told Inside Higher Ed that the college knows who conducted the attack. Infosecurity attempted to call the numbers listed on the Twitter message, but the recipient disconnected the calls.
The attack follows a number of university cyber-attacks, including the recent OSU, Graceland University and Missouri Southern State University email-based breaches in the last few months. According to recent data from Mimecast’s State of Email Security report, 56% of organizations in the education sector saw an increase in phishing with malicious links or attachments in the last year. It took 31% two to three days to get back to a recovered state upon suffering an email-based attack. Nearly half (42%) of organizations say ransomware has impacted their business operations in the last 12 months and 73% have experienced two to five days of downtime as a result of the ransomware attack.
By Edmund Brumaghin and other Cisco Talos researchers.
Cisco Talos recently identified a large number of ongoing malware distribution campaigns linked to a threat actor we’re calling “SWEED,” including such notable malware as Formbook, Lokibot and Agent Tesla. Based on our research, SWEED — which has been operating since at least 2017 — primarily targets their victims with stealers and remote access trojans.
SWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious attachments. While these campaigns have featured a myriad of different types of malicious documents, the actor primarily tries to infect its victims with a packed version of Agent Tesla — an information stealer that’s been around since at least 2014. The version of Agent Tesla that SWEED is using differs slightly from what we’ve seen in the past in the way that it is packed, as well as how it infects the system. In this post, we’ll run down each campaign we’re able to connect to SWEED, and talk about some of the actor’s tactics, techniques and procedures (TTPs).
Nearly 20% of Organizations Still Run Windows 7
Despite the awareness that in six months Microsoft will officially end its support for its nearly 10-year-old operating system, Windows 7, 18% of large enterprises have not yet migrated to Windows 10, according to new research from Kollective.
At the start of 2019, researchers found that 43% of companies were still running Windows 7. Of those, 17% didn’t even know about the end of support. In its most recent analysis of 200 US and UK IT decision makers, the report revealed that organizations have a long way to go to prepare for the much anticipated end of Windows 7 support.
Six months later, 96% of IT departments have started their migration, and 77% have completed the move. However, given that the migration from Windows XP to Windows 7 reportedly took some firms more than three years to complete, companies that have not started migration are at risk of missing the final deadline.
In order to aid organizations in deploying a new OS to all endpoints, Microsoft has provided different options for companies still running Windows 7, one of which includes an extended support package at an annual cost of up to $500,000 for a company with 10,000-plus endpoints, the research said.
“The combined versions of Microsoft Windows operating systems equal more than 50 percent of global operating system usage. Windows 10 has the lion’s share of the market, which bodes well for security since Microsoft’s support for Windows 7 will end in January 2020,” wrote the Center for Internet Security (CIS), which released the CIS Controls Microsoft Windows 10 Cyber Hygiene Guide on July 11.
“Though many businesses are better prepared now than they were for the end of Windows XP, the move to Windows 10 comes with its own set of challenges,” said Dan Vetras, CEO of Kollective. “The migration itself is only the first step. IT managers moving to Windows 10 now have to prepare their networks for increasingly frequent ‘as a service’ updates to the OS. They will need to ensure their networks are ready for more testing, more roll outs and more network congestion to keep up to date.”
Most companies use Cloud Service Providers (CSPs) when they move to Office 365, for many reasons. However, most CSPs retain high-level access to your email and files, and not every CSP has the same level of security practices. This episode talks about Microsoft’s new mandatory rollout of multi-factor authentication for CSPs. Be aware, be […]
The post Episode 536 – Microsoft Making Multi-Factor Mandatory On Cloud Service Providers appeared first on Security In Five.
What happens when you want to share your computer with someone else, but you’re really not in a charitable mood? Create a new user, of course. I know that it sounds like a no-brainer, yet, truth be told, Windows 10’s account-creation walkthroughs are not what you might call ‘on point’. So, how do you create a new user on Windows 10?
So, if you’re still searching for a user-account-creation step-by-step guide, look no further, because I’ve got you covered. This not-so-small guide will walk you through the entire process. Here you will learn all about the user account GUI, how to enable ‘God Mode’ on your PC, and how to turn your machine into a kiosk computer. So, without further ado, here’s how account creation works in Windows 10.
How to create a new user on Windows 10 (Easy Way)
Compared to older Windows builds (XP, Windows 7 or Vista), it’s quite easy to create a new user on Win 10. Now, why would someone do that? Well, creating one or several users on the same machine isn’t some whim, but a very ‘hygienic’ cybersecurity practice. Even if you’re the one and only owner of the PC, it’s still a good idea to use a non-administrative account in case you wind up on the wrong side of the Internet (the best time to wonder about how to create a Windows 10 account).
It doesn’t matter what kind of malware your computer picks up: running your PC under a typical, non-admin account ensures that the ‘nastiness’ can’t gain a foothold in the system and start messing around with system functions and processes (e.g. boot.ini, msdos.sys, autoexec.bat, io.sys, svchost.exe).
Adding a new user through Accounts’ GUI
Now, the fastest way to create a new user account on Windows 10 is through Settings. Here’s what you’ll need to do:
Step 1. Hit or tap the Start button.
Step 2. Click or tap on the Settings button (that would be the “gear” icon). You can also access Settings by hitting the Windows key on your keyboard and writing “Settings” in the search bar.
Step 3. In Settings, click or tap on Accounts (the icon should be right under Network & Internet).
Step 4. Under Accounts, click or tap on Family & other users.
Step 5. Look under Other users and click on the “+” (plus sign) next to Add someone else to this PC to create a new account on your machine.
Step 6. Choose how the new user will sign in to the account: Xbox, Office Online, OneDrive, Office, or Skype. Type the address in the bar and hit the Next button.
Step 7. Review the details and press the Finish button to complete the registration process.
That’s it – the new user can log in by typing in his Microsoft username and password. Now, you should keep in mind that this method can only be used in conjunction with one of the above-mentioned accounts. If you want to create a local account (no online account verification required), follow the steps below.
How to create a local account with Windows 10
Step 1. Click or tap on the Start button.
Step 2. Head to Settings.
Step 3. Click or tap on Accounts.
Step 4. Go to Family & other users.
Step 5. Under Other users, click or tap on Add someone else to this PC.
Step 6. In the bottom part of the page, click or tap the hyperlink reading I don’t have this person’s sign-in information.
Advice: If the user you’re about to add doesn’t have a Microsoft account, don’t mess around with the email and passwords fields located in the upper part of the screen.
Step 7. Click or tap on the hyperlink reading Add a user without a Microsoft account.
Step 8. In the account registration window, enter the name of the person who’s going to use the computer and choose a password (hint: don’t use “1234” or “qwerty”, wink-wink). Reconfirm your password and set a hint. When you’re done, press the Next button to complete the registration process.
Okay, I have to admit that all of these steps seem basic enough, but the good news is that Windows 10’s account-managing platform allows the user (that’s you) to ‘mess’ around with privileges. Let’s assume that the account you’re about to create is for a family member.
If you’re not too comfortable with the idea of letting him or her mess around with certain applications, you can easily restrict access. How to do that, you ask? Easy – just turn the computer into a kiosk, and everything will be hunky-dory.
How to add a user to kiosk
A kiosk-like machine works, more or less, like those public info booths – they can be used to check a destination, look up information about certain tourist traps, etc. Well, you can do the same with a computer if you’re looking to curb an account’s activity. Just follow the steps below to link an account to a kiosk.
Step 1. Create a new user on your Windows 10 machine using one of the featured methods.
Step 2. When you’re done, head to the Family & other people section.
Step 3. On the right side of the screen, click or tap on the Set up assigned access hyperlink (it’s right at the bottom, right on top of the Set up an account for taking tests at your school feature).
Step 4. In the next screen, link your new user account to the kiosk. Just hit the “+” (plus sign) under the choose an account section and, well, choose.
Step 5. After selecting your “kiosk” account, choose the apps that the new user will be allowed to access. You will find this under the account selection section.
That’s about it on how to turn a newly-created account into a kiosk-like user. Sure, you can always sign out from all your online accounts, but why bother when you can select which apps the new user can access. Several clicks later, the account’s ready to be used. And yes, you can stop worrying about someone messing up your Netflix playlist and preferences.
How to set up a test/school user account
Of course, you can always take the restriction game to the next level by literally turning your computer into a tech version of Hotel California (such a lovely place, indeed). Remember the “Set up an account for taking tests at your school” feature I mentioned earlier?
FYI: it also works for cases when you really don’t want someone to visit non-educational (ahem!) websites. Here’s what you need to know in order to create a test or school account.
Step 1. Go to Accounts.
Step 2. Head to Access work or school.
Step 3. Click or tap on Set Account for taking tests.
Step 4. Select a test-taking account from the drop-down box.
Step 5. Enter the test’s web address.
Hint: if you want to set up an account for your kid, type in the address of an educational website (i.e. National Geographic, Discovery, Sparknotes, Brightstorm). Bear in mind that once the user logs in, he will be unable to access web content other than the website written in this field.
Step 6. Enforce additional restrictions (i.e. require printing, allow screen monitoring and allow text suggestions).
(Optional) You can use Microsoft’s Set up an account for taking tests feature in conjunction with a lockdown API that basically clamps down the account when time’s up.
Going Super Saiyan with Your New Account
If you want to step up your account-creation game, there’s a way to create a super user. Yes, I know that there shouldn’t be anything else above sysadmin, but Microsoft managed to prove us wrong.
Called the ‘God Mode’, this type of user is not exactly what one might expect, given the name (a gateway to the birthplace of the Internet or something). It’s actually just a regular admin account, but with a couple of nifty twists. Remember when you had to call up the administrative tools menu from control panel each time you wanted to format a disk partition or manage your computer’s certificates?
Well, with ‘God mode’ you will be able to perform these tasks directly from Win Explorer’s quick access wheel or from the desktop. Still wondering about what tools you’ll be able to mess around with while in ‘God Mode’? Here’s a quick rundown.
- Indexing Options.
- Administrative tools.
- Color Management.
- Date & Time.
- Credential Manager.
- Internet Options.
- Keyboard + mouse.
- Pen & Touch.
- Phone & Modem.
- Network & Sharing Center.
- Power Options.
- Tablet PC setting.
- Taskbar & navigation.
- User Accounts.
- Windows Defender Firewall.
- Windows Mobility Center.
- Work Folders.
- Speech recognition & more.
Word of advice: before attempting to activate Win10’s ‘Super Saiyan’ mode, keep in mind that having a single user account, supercharged with privileges, makes you an easy target for hackers.
What it all boils down to is this – if a single malware manages to bypass your security, it will have access to everything. And when I say “everything”, I really mean every single and sensitive function of your PC. So, as the saying goes: “tread softly and carry a big gun” (which in this case is a top-notch antimalware software).
How to enable ‘God Mode’ on your PC.
Step 1. Create a new account using one of the methods listed in this guide.
Step 2. Right-click anywhere on your desktop.
Step 3. Highlight and left-click on Folder.
Step 4. Right-click on the newly created folder and hit Rename.
Step 5. In the text field, copy & paste or write the following line:
N.B. If you don’t like how “GodMode” sounds, you can replace it with anything you like. Just be sure to write the alphanumeric string after the name exactly as it is. Otherwise, you will receive an error message reading: “You must type a file name.”
Step 6. Hit Enter or click anywhere on the desktop to continue. If everything’s right, the folder icon will change to a control panel-like icon.
Step 7. Double-clicking on it will take you to Win Explorer’s quick access wheel.
Step 8. Profit and tweak like a boss! The ‘God Mode’ gives you access to over 200 functions, some of them being on the more exotic side (set up iSCSI initiator, set up ODBC data sources for x86 and x64 etc.).
Adding a new user account to your PC (Geek Way)
Win10’s account menu is, indeed, the fastest way to create a new user, but not the only one. If you’re up for writing some code lines, I’m going to show you how to do the same thing from CMD (Command Prompt). Let’s dig right into it.
How to create a local account with CMD
Step 1. Fire up the Start menu.
Step 2. Type in “command prompt”.
Step 3. Right-click on the “command prompt” icon and select the Run as administrator option.
Note: it’s required to run CMD in admin mode to create new accounts.
Step 4. When the UAC splash appears, click Yes to continue.
Step 5. Add a new user and assign a password. To do this, type in the following character string:
C:\Windows\system32\net user John newnumberwhodis /add
Note: you can change the name and password with anything you like. Just be sure to type in the “net user” command at the beginning of the code line, and the “/add” at the end.
Step 6. Hit Enter. If done correctly, you will receive the following prompt: “The command completed successfully”. Check your Accounts menu to review the new user’s details.
Note: although I would advise against it, you can create a ‘passwordless’ user (a person can log in without a password). To do that just type in the line above but omit the password string.
Here’s a quick example:
C:\Windows\system32\net user Smith /add
How to grant admin privileges with CMD to a newly created account
Here’s what to do in order to grant admin privileges to the newly made account.
Step 1. Hit the Start menu.
Step 2. Search for “command prompt”.
Step 3. Run CMD (command prompt) as administrator.
Step 4. Type in the following string:
C:\WINDOWS\system32\net localgroup administrators John /add
Note: you can’t directly create an admin account. You’ll first need to create a local user and then update it to admin.
Advanced tweaks and features
- Add new user account to a domain: C:\Windows\system32\net user John newpcwhodis /ADD /DOMAIN.
- Assign a full name to the new user account: C:\Windows\system32\net user John newpcwhodis /ADD /FULLNAME:"John_Delaware"
- Allow the new user to change their password: C:\Windows\system32\net user John newpcwhodis /ADD /PASSWORDCHG:YES
- Deny password change requests from the new user: C:\Windows\system32\net user John newpcwhodis /ADD /PASSWORDCHG:NO
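The same outcome as the net user and net localgroup commands above (create a local standard user, optionally make it an admin, and control whether it may change its password), written with the LocalAccounts cmdlets that ship with Windows 10. This is an added example, not part of the original guide; the user name, full name and description are placeholders.

```powershell
# Added example: create a local standard user with PowerShell and verify
# that it is NOT an administrator. Run from an elevated PowerShell window.
$userName = 'Smith'   # placeholder

# Prompt for the password instead of typing it on the command line,
# where it would end up in the console history.
$password = Read-Host -AsSecureString -Prompt "Password for $userName"

# Create the account. -UserMayNotChangePassword is the cmdlet equivalent of
# /PASSWORDCHG:NO; leave it out to allow password changes (/PASSWORDCHG:YES).
New-LocalUser -Name $userName `
              -Password $password `
              -FullName 'Smith Placeholder' `
              -Description 'Standard user created with PowerShell' `
              -UserMayNotChangePassword | Out-Null

# Unlike "net user /add", New-LocalUser does not put the account into the
# built-in Users group, so add it explicitly; this grants no admin rights.
Add-LocalGroupMember -Group 'Users' -Member $userName

# Only if this account genuinely must be an administrator (equivalent to
# "net localgroup administrators Smith /add"), uncomment the next line:
# Add-LocalGroupMember -Group 'Administrators' -Member $userName

# Verification: show the account and confirm it is absent from Administrators.
Get-LocalUser -Name $userName |
    Format-List Name, Enabled, UserMayChangePassword, PasswordExpires

$admins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name        # names look like COMPUTER\Smith
if ($admins -match "\\$userName$") {
    Write-Warning "$userName is a member of Administrators"
} else {
    Write-Host "$userName is a standard user (not in Administrators)"
}
```

The verification step is the part worth keeping around: running the last few lines periodically (or for every local account via Get-LocalUser with no -Name) catches accounts that were quietly promoted to Administrators after they were created.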
5 Security Tips to Safeguard Your Newly Created Account
Congrats on creating a new account on your machine! Now, as one good turn deserves another, let’s see what you can do about your account’s cybersecurity. Here are five awesome tips on how to make your PC safe again.
#1. Deploy antimalware/antivirus software on your PC.
Probably the most painless way to ensure that your PC is protected. Now, if you haven’t already deployed an antimalware and antivirus solution on your machine, don’t forget to install it for all users. It’s of no use having an AV/AM on your device if it’s set to protect a single account.
Sure, hackers always gun for accounts with elevated privileges but do keep in mind that an unsecured local account can also become a breaching point. So, as always, if you want to save a couple of bucks, give Starbucks a rest; don’t settle for an inefficient AM/AV solution because that’s how every malware ‘love affair’ begins.
#2. Careful with Plug-and-Play devices
Yes, I know that nowadays it’s all about cloud storage, but there are still a few of us who carry ‘obsolete’ external storage devices such as SD cards, flash drives, and portable hard drives. As one of my colleagues noted in her article on actionable cybersecurity tips, never, ever plug in a USB device that came from an unverifiable source.
#3. Need a bathroom/cig break? LOCK UP YOUR PC!
If you’re a slob just like yours truly, then you most certainly don’t lock up the computer each time you go on a lunch break or for a little smoke. Bad decision! By not locking up your PC, you basically tell everyone: “Hey! My computer’s up for grabs. Get it while it’s hot!”.
So, if you want to prevent someone from tampering with your PC (or wake up with Nicholas Cage’s face set as the desktop background), do yourself a favor and lock up your station every time you feel like leaving the room.
#4. Keep tabs on your account
It doesn’t matter if you’re using your brother’s/sister’s/SO’s computer; that account is your responsibility and yours alone! If you come across any activity that may qualify as suspicious, run a quick malware scan, and get in touch with the admin ASAP.
On that note, you should definitely refrain from opening suspicious email attachments, using an unsecured network, or downloading pirated content (i.e. games, movies, software).
#5. Revamp your default password
In most cases, the person creating your account will ask you to change the password to something else. Take your cybersecurity game up a notch and choose a strong password. Remember that a solid passkey should have at least 8 characters. Try a combo of upper- and lowercase letters, symbols, and numbers. You know what they say: there’s safety in numbers; and yes, the longer the password, the harder it will be for someone to crack it open.
It has certainly been a long trip getting from “how do I create a new UAC?” to “let me add a string in CMD to prevent the user from changing his password”. Always remember that using an account other than admin is a very good call since it prevents most malware from messing around with your device’s sensitive functions. As always, if you have any questions or rants, do shoot me a comment. Cheers!
Instagram has recently addressed a critical flaw that could have allowed hackers to take over any Instagram account without any user interaction.
Instagram has recently addressed a critical vulnerability that could have allowed attackers to completely take over any account without user interaction.
The news was first reported by TheHackerNews; the issue was reported to the Facebook-owned photo-sharing service by the Indian security expert Laxman Muthiyah.
According to Muthiyah, the flaw affects the “password reset” mechanism implemented by Instagram for the mobile version of the service. When
The expert focused his tests on the maximum number of requests allowed and discovered the absence of blacklisting. He was able to send requests continuously without getting blocked, even when he reached the maximum number of requests he could send in a short period of time.
“When a user enters his/her mobile number, they will be sent a six-digit passcode to their mobile number. They have to enter it to change their password.
Finally, he discovered two things that allowed him to bypass their rate limiting mechanism, a race condition and the IP rotation.
“Sending concurrent requests using multiple IPs allowed me to send a large number of requests without getting limited.” explained the expert. “The number of requests we can send is dependent on concurrency of reqs and the number of IPs we use. Also, I realized that the code expires in 10 minutes, it makes the attack even harder, therefore we need 1000s of IPs to perform the attack. “
In summary, the rate limiting can be bypassed by carrying out a brute force attack from different IP addresses and leveraging a race condition by sending concurrent requests.
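As an added illustration (not Instagram's code nor the researcher's), the following Python contrasts a limiter that counts reset-code attempts per source IP, the pattern that IP rotation plus concurrent requests defeats, with one that budgets attempts per issued code under a single lock and honours the 10-minute expiry the article mentions. The class and function names, the 10-attempt budget and the constructed test code values are assumptions.

```python
import secrets
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass

MAX_ATTEMPTS = 10         # assumed: guesses allowed per issued code
CODE_TTL_SECONDS = 600    # the article states the code expires in 10 minutes


@dataclass
class IssuedCode:
    code: str
    issued_at: float
    attempts: int = 0


def issue_code(codes, account, now, code=None):
    """Store a fresh six-digit code for `account`; `code` is only for tests."""
    codes[account] = IssuedCode(code or f"{secrets.randbelow(10**6):06d}", now)
    return codes[account].code


class PerIpGuard:
    """Weak design: attempts are counted per source IP, so every new IP
    starts with a fresh budget, and the check-then-increment is not atomic."""

    def __init__(self, codes):
        self.codes = codes
        self.per_ip = {}

    def verify(self, account, ip, guess, now):
        used = self.per_ip.get(ip, 0)
        if used >= MAX_ATTEMPTS:
            return "blocked"
        self.per_ip[ip] = used + 1
        return "ok" if self.codes[account].code == guess else "wrong"


class PerTargetGuard:
    """Hardened design: the budget belongs to the issued code itself, the
    check and the increment happen under one lock, and a code is single-use."""

    def __init__(self, codes):
        self.codes = codes
        self.lock = threading.Lock()

    def verify(self, account, ip, guess, now):
        with self.lock:
            issued = self.codes.get(account)
            if issued is None or now - issued.issued_at > CODE_TTL_SECONDS:
                return "expired"
            if issued.attempts >= MAX_ATTEMPTS:
                return "blocked"
            issued.attempts += 1          # counted before the comparison
            if secrets.compare_digest(issued.code, guess):
                del self.codes[account]   # one successful use burns the code
                return "ok"
            return "wrong"


def checked_guesses(guard_cls, n_requests):
    """Send n_requests wrong guesses concurrently, each from a different
    constructed source address, and return how many the guard evaluated."""
    codes = {}
    now = time.monotonic()
    issue_code(codes, "victim", now, code="123456")     # constructed test code
    guard = guard_cls(codes)
    sources = [f"client-{i}" for i in range(n_requests)]  # stand-ins for distinct IPs
    with ThreadPoolExecutor(max_workers=32) as pool:
        results = list(pool.map(
            lambda src: guard.verify("victim", src, "000000", now), sources))
    return results.count("wrong")
```

With 500 concurrent wrong guesses from 500 distinct sources, the per-IP guard evaluates all 500, while the per-target guard evaluates only the first 10 and blocks the rest.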
The expert also published a video PoC of the attack that shows the exploitation of the flaw while hacking an Instagram account using 200,000 different passcode combinations without being blocked.
Laxman Muthiyah received a $30,000 reward from the company as part of its bug bounty program.
The post A flaw could have allowed hackers to take over any Instagram account in 10 minutes appeared first on Security Affairs.
A security researcher has been awarded $30,000 after discovering a serious vulnerability that could potentially have put any Instagram account at risk of being hacked.
Read more in my article on the Hot for Security blog.
On July 6, a ransomware attack brought down government computer systems at La Porte County, Indiana; the county finally decided to pay a $130,000 ransom.
On July 6, a ransomware attack paralyzed the computer systems
The county IT director shut down the computer systems to avoid the spreading of the threat and to limit potential damage. At least half of the servers at the
Now La Porte County decided to pay $130,000 to recover data on systems infected with the ransomware.
For at least three days, government systems
Immediately after the attack, the county reported the incident to the FBI and worked with experts from several security firms to investigate the attack and mitigate the threat. The law firm Mullen Coughlin LLC was managing the incident response operations, but despite the efforts of the experts, La Porte County was not able to resume its operations.
According to WSBT, La Porte County’s systems were infected with a variant of the Ryuk ransomware, the same malware that infected computers at City of Lake City on June 10.
“Two organizations in our area are recovering from recent cyber attacks. Both the South Bend Clinic and La Porte County government are dealing with the aftermath.” reported the WSBT.
“La Porte County paid the ransom on a cyber attack that locked up part of the government’s computer system. The Ryuk virus got into the backup servers.”
It seems that $100,000 of the $130,000 is being covered by insurance.
“Fortunately, our county liability agent of record, John Jones, last year recommended a cybersecurity insurance policy which the county commissioners authorized from Travelers Insurance” explained Dr. Vidya Kora,
Recently other administrations decided to pay the ransom to decrypt their files. Crooks earned a total of over $1 million in June from the attacks on two municipalities in Florida, Lake City and Riviera Beach.
In April, Stuart City was
The same ransomware was recently used in an attack that affected newspaper distribution for several major newspapers, including the Wall Street Journal, the New York Times, and the Los Angeles Times.
Further investigation of the malware allowed experts from the security firms FireEye and CrowdStrike to discover that the threat actors behind the Ryuk ransomware are working with another cybercrime gang to gain access to target networks. They are collaborating with the threat actors behind TrickBot, a malware that, once it has infected a system, creates a reverse shell back to the attackers, allowing them to break into the network.
Experts at CrowdStrike believe the Ryuk ransomware is operated by a crime gang they track as GRIM SPIDER, in particular by its Russia-based cell dubbed WIZARD SPIDER, which is behind TrickBot.
Experts pointed out that Hermes was available for sale in the online underground community; attackers could have purchased it to create their own version of Ryuk.
Recently the United States Conference of Mayors asked its members to “stand united” against paying ransoms in case their systems are hit by ransomware. The decision is essential to discourage criminal practice.
The post La Porte County finally opted to pay $130,000 Ransom appeared first on Security Affairs.
Motherboard got its hands on Palantir's Gotham user's manual, which is used by the police to get information on people:
The Palantir user guide shows that police can start with almost no information about a person of interest and instantly know extremely intimate details about their lives. The capabilities are staggering, according to the guide:
- If police have a name that's associated with a license plate, they can use automatic license plate reader data to find out where they've been, and when they've been there. This can give a complete account of where someone has driven over any time period.
- With a name, police can also find a person's email address, phone numbers, current and previous addresses, bank accounts, social security number(s), business relationships, family relationships, and license information like height, weight, and eye color, as long as it's in the agency's database.
- The software can map out the family members and business associates of a suspect, and theoretically, find the above information about them, too.
All of this information is aggregated and synthesized in a way that gives law enforcement nearly omniscient knowledge over any suspect they decide to surveil.
Read the whole article -- it has a lot of details. This seems like a commercial version of the NSA's XKEYSCORE.
Boing Boing post.
The FBI wants to gather more information from social media. Today, it issued a call for contracts for a new social media monitoring tool. According to a request-for-proposals (RFP), it's looking for an "early alerting tool" that would help it monitor terrorist groups, domestic threats, criminal activity and the like.
The tool would provide the FBI with access to the full social media profiles of persons-of-interest. That could include information like user IDs, emails, IP addresses and telephone numbers. The tool would also allow the FBI to track people based on location, enable persistent keyword monitoring and provide access to personal social media history. According to the RFP, "The mission-critical exploitation of social media will enable the Bureau to detect, disrupt, and investigate an ever growing diverse range of threats to U.S. National interests."
Security researchers have released a free decryption utility which victims of Ims00rry ransomware can use to recover their files. On 12 July, anti-virus and anti-malware solutions provider Emsisoft made the decryptor available to the public. The firm published a follow-up post about its tool two days later. In its research, Emsisoft explains that Ims00rry leverages […]
Chinese Software Engineer Accused of US IP Theft
A Chinese software engineer is still on the run after being accused of stealing intellectual property for his new employer.
Xudong (“William”) Yao, 57, worked at a Chicago-based manufacturer of equipment for train engines from August 2014, according to a December 2017 indictment unsealed last week.
Yet after just two weeks in his role, Yao had downloaded 3000 files containing proprietary and trade secret information relating to the system that operates the manufacturer’s locomotives, the Department of Justice (DoJ) claimed.
Other information, including technical documents and source code, was also downloaded by Yao over the next six months. At the same time, he apparently reached out to and accepted a place at a Chinese firm that provides automotive telematics service systems.
After Yao’s employment was terminated for unrelated reasons in February 2015, he made copies of all the stolen trade secret info and traveled home to China to start his employment at the company there.
Flying from Chicago O’Hare airport in November that year, he is alleged to have had in his possession the stolen trade secrets, including nine copies of control system source code and system specs explaining how the code worked, according to the indictment.
Yao faces a maximum of 10 years behind bars if found guilty of the nine counts of theft of trade secrets. But it’s unlikely he will be caught, unless he makes the mistake of setting foot back in the US or an allied country.
China has long been considered a prodigious stealer of intellectual property, whether it’s state-backed cyber-espionage designed to give domestic companies an advantage, or the behavior of individuals looking to abuse their insider positions at Western companies.
In June, a Chinese engineer was found guilty of conspiring to illegally export US semiconductors with military applications back home.
Japanese Exchange Bitpoint Hit By $32m Cyber-Attack
Japan-based cryptocurrency exchange Bitpoint has become the latest to lose tens of millions of dollars in a cyber-attack.
The firm said it was forced on Friday to stop all services — including withdrawals, deposits, payments, and new account openings — while it investigated the incident. It has also notified the relevant authorities in Japan.
Hackers managed to steal funds not only from the firm’s hot wallets, but also its offline cold wallets. After first detecting an error in Ripple remittances, Bitpoint said it realized it had been the victim of a cyber-attack. It then took another three hours before the firm realized the attack had also compromised funds stored in Bitcoin, Bitcoin Cash, Litecoin, and Ethereum.
A total of around 3.5 billion yen ($32 million) had been stolen, most ($23m) of which were customer-owned funds. The remainder belonged to Bitpoint, but it’s not clear at this stage whether the firm is planning to reimburse its customers.
The firm is the latest in a long line of cryptocurrency exchanges to come under the scrutiny of cyber-criminals. Last year, two Japanese exchanges were hit: Zaif lost 6.7bn yen ($60m) after hackers stole it from a hot wallet, while Coincheck lost 500m NEM tokens worth $530m at the time.
Just last month, Singaporean cryptocurrency exchange Bitrue was estimated to have lost around $4.5m in funds after hackers breached a hot wallet and moved the funds to other exchanges. A month previous, hackers stole in the region of $41m from Binance in a single hot wallet transaction.
In most incidents, at least the majority of stolen money is returned to customers.
Last month, Europol convened a meeting of cryptocurrency experts at its HQ in the Hague in a bid to share best practice and build partnerships to improve policing of digital crimes.
Facebook Set For Record $5bn FTC Fine
Facebook is reportedly set to be handed a record $5bn fine by a US regulator over privacy violations leading to the Cambridge Analytica scandal.
The Federal Trade Commission (FTC) is said to have made the decision following an investigation begun in March last year after sensational reports emerged of improper use of users’ personal data.
It turned out that the shadowy consultancy had managed to obtain data collected by a third-party app on 87m Facebook users and their friends and use it to profile and target wavering voters ahead of the 2016 Presidential election.
When it levied a maximum £500,000 fine under the pre-GDPR data protection regime last October, the UK’s Information Commissioner’s Office (ICO) argued that Facebook had processed user information “unfairly” by allowing developers to access this data without adequately “clear and informed consent.” It also criticized the social network for allowing developers to access the personal data of users who had not even downloaded the app but were friends of those who had.
The $5bn fine is unlikely to trouble a firm that made over $15bn in the first three months of 2019 alone, but it is believed to be the largest ever levied by the FTC against a tech firm and for privacy violations.
It is also around the amount Facebook predicted it would be fined a few months ago, according to Dan Goldstein, former attorney and owner of digital marketing agency, Page 1 Solutions.
"The real ‘teeth’ of this announcement will come not from the $5 billion settlement. Facebook is worth hundreds of billions of dollars, so this amount is practically a drop in the bucket. I am more curious about the regulations expected to accompany the terms of the settlement," he argued.
"If the financial losses don't paint a clear enough picture for the tech industry as a whole, perhaps new regulations for one of its key players will finally convince these companies to begin protecting users instead of exploiting them.”
Regulators outside the US are already coming down hard on data protection and privacy violations. Last week the ICO issued two huge fines to BA and Marriott International for cybersecurity failings that led to massive data breaches at their respective organizations.
A serious vulnerability in the Walkie-Talkie app on the Apple Watch forced the tech giant to disable the application to prevent attackers from spying on its users.
Apple has temporarily disabled the Walkie-Talkie app on the Apple Watch due to a vulnerability that could be exploited to spy on users. The issue was reported to Apple via its report a vulnerability portal.
The Walkie-Talkie app allows users to communicate with other users who have a compatible Watch; it emulates the traditional behavior of a walkie-talkie.
According to TechCrunch, Apple is already working on a patch, but the application will not work until the company releases a fix.
“Apple has disabled the Apple Watch Walkie Talkie app due to an unspecified vulnerability that could allow a person to listen to another customer’s iPhone without consent, the company told TechCrunch this evening.” reads the post published by TechCrunch. “Apple has apologized for the bug and for the inconvenience of being unable to use the feature while a fix is made.”
An attacker can use another user’s iPhone to listen to
“Although we are not aware of any use of the vulnerability against a customer and specific conditions and sequences of events are required to exploit it, we take the security and privacy of our customers extremely seriously,” reads a statement from Apple. “We concluded that disabling the app was the right course of action as this bug could allow someone to listen through another customer’s iPhone without consent.”
The good news is that Apple is not aware of attacks in the wild exploiting the vulnerability.
Early this year, another major vulnerability in Apple’s FaceTime allowed callers to hear the audio of the person they were calling before that person picked up the call.
At the time, privacy advocates and authorities raised concerns about how Apple had handled the issue.
The post Apple temporarily blocked Walkie-Talkie App on Apple Watch due to a flaw appeared first on Security Affairs.
If you ask Yago Hansen, a hacker specialized in Wi-Fi and RF security, curiosity and a willingness to learn and improve your skills are the two things that you absolutely must have to embark on a (white hat) hacking career. A love for money, on the other hand, is not. “In my mind, hackers are security researchers who spend a lot of their life in testing, learning and getting better at what they do because … More
The post Do you have what it takes to be a hardware hacker? appeared first on Help Net Security.
The newly discovered ransomware family targets QNAP network attached storage (NAS) devices. This malicious program, named eCh0raix by security researchers at Anomali (and detected by Trend Micro as Ransom.Linux.ECHORAIX.A), was developed for ransomware attacks similar to those of Ryuk or LockerGoga.
A NAS device is connected to a network and acts as a file storage and backup system, typically in a central location where users can easily access the data. NAS devices are a scalable and cost-effective solution for many businesses.
How eCh0raix works
eCh0raix is written in Go/Golang, a programming language increasingly used to develop malware. The ransomware determines the location of the NAS device by performing language checks and exits if the device is located in certain Commonwealth of Independent States (CIS) countries such as Ukraine, Belarus, and Russia. eCh0raix encrypts documents and text files, PDF files, and databases as well as multimedia files.
The ransomware demands a ransom of 0.05 to 0.06 bitcoin (around US$567 as of July 11, 2019), paid via a site hosted on Tor, in exchange for the decryption key. Bleeping Computer has reported that decryptors seem to be available for Windows and macOS. Affected QNAP NAS devices include the QNAP TS-251, QNAP TS-451, QNAP TS-459 Pro II, and QNAP TS-253B.
Experts have not been able to determine the exact infection vector, but posts on the Bleeping Computer forum indicate that the infected NAS devices were missing the latest patches and used weak passwords. It is believed that the people behind eCh0raix used brute force and exploited vulnerabilities in specific NAS devices. The researchers also discovered that eCh0raix, unlike typical ransomware, is designed for targeted attacks: for example, the offline version of eCh0raix embeds a hard-coded encryption key for a specific target, and a decryption key is uniquely tied to each such key.
Targeted ransomware attack
eCh0raix is not the first ransomware family to target NAS devices, but it is a file-encrypting threat designed specifically for them. Although ransomware activity decreased in 2019, targeted ransomware attacks were very much in the news. For example, Norsk Hydro lost about $40 million to LockerGoga, while Ryuk was used to disrupt newspaper printing in the United States. Ransomware also suspended some government services in Baltimore following an attack estimated to have cost $18.2 million.
Many threats take advantage of insecure systems; in the case of eCh0raix, these are weak passwords or unpatched vulnerabilities. For example, Anomali researchers found through Internet-wide scanning that more than 19,000 QNAP NAS devices in the United States were directly exposed to the Internet. NAS devices are generally not protected by anti-malware solutions, making them highly vulnerable.
Backing up NAS devices
QNAP Systems, the NAS device manufacturer targeted by eCh0raix, has issued recommendations for preventing ransomware infections, such as enabling the QNAP snapshot feature, which can back up and restore files. To further reduce the number of attacks on NAS devices, users and businesses must apply best practices, including:
- Update the NAS device firmware to fix exploitable vulnerabilities, and change the default credentials or add an authentication and authorization mechanism for access to the NAS device.
- Make sure other systems or devices, including routers connected to or integrated with NAS devices, are also updated.
- Follow a least-privilege policy: enable features or components only when necessary, and use a VPN to access NAS devices over the Internet.
- Enable the built-in security features of NAS devices. For example, QNAP’s network access protection helps prevent brute-force attacks and similar abuse.
The post eCh0raix Ransomware Targeting QNAP Devices appeared first on .
Security experts at Emsisoft have released a new decryptor that victims of the Ims00rry ransomware can use for free to decrypt their files.
Thanks to the experts at Emsisoft the victims of the Ims00rry ransomware can decrypt their files for free.
The Ims00rry ransomware uses the AES-128 algorithm for the encryption process. Unlike most ransomware, Ims00rry doesn’t append an extension to the filenames of the encrypted files. Instead, the ransomware adds the text “—
The crooks demand a $50 ransom in Bitcoin to decrypt the files.
Below the text of the ransom note:
I am sorry!!! My friend. I want to start my own business, but i have no money. All your files photos, databases, documents and other important are encrypted with strongest encryption and algorithms RSA 4096, AES-256. If you want to restore your files payment and write to Telegram bot Price decrypt software is $50. Attention!!! Do not rename or move the encrypted files. Bitcoin wàllet: 1tnZbveCXmqRS1gfZSxztG5MbdJhptaqu Contact Telegram bot: @Ims00rybot
The post Emsisoft released a free decryptor for the Ims00rry ransomware appeared first on Security Affairs.