Daily Archives: July 15, 2019

Avoiding a biometric dystopia

In part one of our two-part series, we explored how biometric authentication methods are being defeated. In the second part, we’ll explore how manipulating biometrics can alter society, and what can be done to avoid a biometric dystopia. Biometric authentication secures access to most consumer phones, many laptops and PCs, and even physical access to homes and offices. Many of the consequences of defeating biometric authentication are no different than those of defeating other forms … More

The post Avoiding a biometric dystopia appeared first on Help Net Security.

IIoT risks of relying heavily on edge computing

The sheer volume of data created by the Internet of Things (IoT) is increasing dramatically as the world is becoming progressively more connected. There is projected to be a mind-boggling 75 billion IoT devices in the world by 2025. Meanwhile, edge computing is set to be adopted into the mainstream by as early as 2020. This means that increasingly vast amounts of IoT data will be stored, processed and analyzed on the edge. While edge … More

The post IIoT risks of relying heavily on edge computing appeared first on Help Net Security.

The importance of IT asset management within digital transformation processes

In this Help Net Security podcast, Marco Rottigni, Chief Technical Security Officer for Qualys across EMEA, talks about the importance of IT asset management within digital transformation processes. He illustrates why it’s crucially important to understand what you have, and how to build security in versus bolting it on. Here’s a transcript of the podcast for your convenience. Hello, my name is Marco Rottigni and I work for Qualys as a Chief Technical Security Officer … More

The post The importance of IT asset management within digital transformation processes appeared first on Help Net Security.

Yearly hidden costs of managing vendor risk? $3.8 million per healthcare provider

The inability to adequately assess and understand the risks that vendors pose is becoming incredibly costly to healthcare providers, according to a new report by Censinet and the Ponemon Institute. According to the research, the yearly hidden costs of managing vendor risk are $3.8 million per healthcare provider, far surpassing the $2.9 million that each data breach costs providers. The cost across the healthcare industry is $23.7 billion per year. The research also indicates that … More

The post Yearly hidden costs of managing vendor risk? $3.8 million per healthcare provider appeared first on Help Net Security.

How can attackers abuse artificial intelligence?

Artificial intelligence (AI) is rapidly finding applications in nearly every walk of life. Self-driving cars, social media networks, cybersecurity companies, and everything in between uses it. But a new report published by the SHERPA consortium – an EU project studying the impact of AI on ethics and human rights – finds that while human attackers have access to machine learning techniques, they currently focus most of their efforts on manipulating existing AI systems for malicious … More

The post How can attackers abuse artificial intelligence? appeared first on Help Net Security.

The rise of digital platforms is empowering the military, but challenges remain

Digital technologies such as cloud computing, big data, data analytics, IoT, artificial intelligence, augmented reality, and blockchain are gradually being leveraged in the defense industry at both agency and operational levels as change enablers, according to Frost & Sullivan’s latest analysis. The deployment of digital technologies improves legacy processes and enhances operation and mission efficiencies, which will, in turn, produce cost savings. “The rise of digital platforms is empowering the military, enabling better continuity of … More

The post The rise of digital platforms is empowering the military, but challenges remain appeared first on Help Net Security.

ADVA launches AI-powered analytics service for monitoring the quality of GNSS-based timing

ADVA launched ADVA SatAware, the industry’s first AI-powered analytics service for monitoring the quality of GNSS-based timing. The unique solution provides communication service providers (CSPs) and other operators of critical infrastructure with real-time insight into signal quality at their GNSS satellite receivers. With the ADVA SatAware solution, operators can easily identify any physical objects blocking GNSS signals and resolve issues before they impact the synchronization network. The non-intrusive, cost-effective solution is specifically designed to meet … More

The post ADVA launches AI-powered analytics service for monitoring the quality of GNSS-based timing appeared first on Help Net Security.

Open Invitation to Help Develop Infosec Community Resources

It may be possible to democratize security by making it more accessible to average companies through community resources. We have an idea or two, but we would appreciate your thoughts. At the 2019 RSA security conference, Matt Chiodi, Chief Security Officer of Palo Alto Networks said “… small organizations are using on average between 15 and […]… Read More

The post Open Invitation to Help Develop Infosec Community Resources appeared first on The State of Security.

Quest QoreStor 6.0 offers native cloud support and instant recovery

Quest Software, a global systems management, data protection and security software provider, announced the general availability of Quest QoreStor 6.0 to enable software defined hybrid cloud secondary storage for businesses. With new feature enhancements to the award winning QoreStor technology, along with enterprise class compression and backup-vendor agnostic deduplication technology, businesses can now take advantage of QoreStor’s Cloud Tier cloud native storage technology to seamlessly streamline non-invasive long term retention. QoreStor 6.0 also introduces a … More

The post Quest QoreStor 6.0 offers native cloud support and instant recovery appeared first on Help Net Security.

Microsoft data security improved with Nucleus Cyber MIP integration

Nucleus Cyber, the intelligent data-centric security company for the modern workplace, at Microsoft Inspire in Las Vegas announced its NC Protect solution now utilizes MIP labels to enhance conditional access and data security controls in Microsoft platforms to guard against insider threats, sensitive data misuse, unauthorized sharing and exfiltration. Tom Hill, Managing Director at Slater Hill, a Microsoft Gold Partner for Portals and Collaboration, said, “We’re very excited about this new enhancement from Nucleus Cyber. … More

The post Microsoft data security improved with Nucleus Cyber MIP integration appeared first on Help Net Security.

Pundi X completes integration support of its XPOS module on Verifone X990

Leading provider of blockchain-powered devices Pundi X has successfully completed integration support of its XPOS module on X990 made by US-based Verifone, one of the largest providers of traditional point-of-sale (POS) terminals in the world, to allow a wider network of retailers to accept payments in cryptocurrencies. With this integration, shops and retail outlets using the Verifone X990 with XPOS module activated will now be able to process cryptocurrency payments alongside traditional transactions. The XPOS … More

The post Pundi X completes integration support of its XPOS module on Verifone X990 appeared first on Help Net Security.

Saviynt now supports Amazon EventBridge

Saviynt, a trusted and award-winning provider of a leading intelligent, identity governance and management platform, announced support for the newly launched Amazon EventBridge, from Amazon Web Services (AWS). Amazon EventBridge is a serverless event bus service that connects applications using events. Events include security configuration changes, changes in application data, privilege access escalations, or joiner/mover/leaver/conversions in human resources (HR) systems. Amazon EventBridge allows Saviynt to further enhance and extend its services by publishing key events … More

The post Saviynt now supports Amazon EventBridge appeared first on Help Net Security.

Avast appoints Jaya Baloo as CISO

Avast announced it has appointed Jaya Baloo to the position of Chief Information Security Officer (CISO), effective October 1, 2019. Jaya Baloo joins Avast from KPN, the largest telecommunications carrier in the Netherlands, where she held the position of CISO. Ms. Baloo has been formally recognized in the list of the top 100 CISOs globally and ranks among the top 100 security influencers worldwide. Ms. Baloo has been working in the field of information security … More

The post Avast appoints Jaya Baloo as CISO appeared first on Help Net Security.

Cloudflare Denial of Service (DoS) Blackout: The case for expert-driven pen testing

Last Friday, Cloudflare published a detailed blog post describing how a poorly implemented software deployment caused a massive CPU spike, rendering the Cloudflare service unavailable. Because Cloudflare servers couldn’t handle incoming HTTP requests, customer websites worldwide were unavailable for approximately 30 minutes.[1]

Flaw in Ad Inserter WordPress plugin allows remote attackers to execute code

A critical vulnerability affecting the Ad Inserter WordPress plugin could be exploited by authenticated attackers to remotely execute PHP code.

Security researchers at Wordfence discovered a critical vulnerability in the Ad Inserter WordPress plugin that could be exploited by authenticated attackers to remotely execute PHP code.

Ad Inserter is an ad management plugin that gives administrators advanced features for inserting ads at optimal positions. It supports major ad programs, including Google AdSense, Google Ad Manager (DFP, DoubleClick for Publishers), contextual Amazon Native Shopping Ads, Media.net and rotating banners.

The Ad Inserter WordPress plugin is currently installed on over 200,000 websites. 

The flaw stems from the plugin using check_admin_referer() as if it were an authorization check. That function was designed to protect WordPress sites against cross-site request forgery (CSRF) by verifying a nonce; it says nothing about whether the requesting user is allowed to perform the action.

“The function check_admin_referer() is intended to protect against cross-site request forgery (CSRF) attacks by ensuring that a nonce (a one-time token used to prevent unwanted repeated, expired, or malicious requests from being processed) is present in the request.” reads the post published by Wordfence.

“The WordPress documentation makes it clear, though, that check_admin_referer() is not intended for access control, and this vulnerability is a good example of why misusing nonces for authorization is a bad idea.”

The experts pointed out that a nonce should never be relied on for authentication, authorization or access control.

“The weakness allowed authenticated users (Subscribers and above) to execute arbitrary PHP code on websites using the plugin,” the experts continue.

Because the plugin treats a passing nonce check in check_admin_referer() as proof of authorization, any authenticated user can reach the debug mode that Ad Inserter intends for administrators only.

The experts found that the debugging feature is enabled for any user whose request carries the cookie AI_WP_DEBUGGING=2.

“Normally, these debugging features are only available to administrators, and when certain options are enabled a block of Javascript is included on nearly every page. That Javascript contains a valid nonce for the ai_ajax_backend action,” continues Wordfence.


Once the debug mode has leaked a valid nonce to a low-privileged user, that same nonce is accepted by the ad preview feature, so the attacker can submit a payload containing arbitrary PHP code and have it executed.
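As an added illustration (not code from the Ad Inserter plugin, nor from Wordfence), the hypothetical WordPress AJAX handler below shows the bug class described above: a nonce check used as the only gate, beside a version that performs a capability check first. The function names, the ai_demo_preview action name and the script handle are assumptions; the eval() call stands in for any admin-only feature that runs supplied PHP.

```php
<?php
/**
 * Added illustration (not Ad Inserter's code): a hypothetical WordPress AJAX
 * handler that mirrors the bug class described above, beside a hardened form.
 * The ai_demo_* names and the "ai_demo_preview" action are invented.
 */

// --- Vulnerable pattern: the nonce check is the only gate. ----------------
// check_admin_referer() only proves that the request carries a valid nonce
// for the action. Any logged-in user (Subscriber and up) who obtains that
// nonce, e.g. from JavaScript that a debug mode prints into every page,
// passes the check. It is CSRF protection, not authorization.
function ai_demo_preview_vulnerable() {
    check_admin_referer( 'ai_demo_preview', '_wpnonce' );

    $code = isset( $_POST['code'] ) ? wp_unslash( $_POST['code'] ) : '';
    // Admin-only preview that runs a PHP ad block. Reachable by anyone who
    // holds the nonce, hence authenticated remote code execution.
    eval( $code );
    wp_die();
}
// Deliberately not registered with add_action(); shown for contrast only.

// --- Hardened pattern: authorize first, then verify the nonce. ------------
function ai_demo_preview_hardened() {
    // 1. Authorization: a capability check, before any other processing.
    //    wp_send_json_error() terminates the request, so nothing below runs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF protection: the nonce, verified for its intended purpose.
    check_admin_referer( 'ai_demo_preview', '_wpnonce' );

    $code = isset( $_POST['code'] ) ? wp_unslash( $_POST['code'] ) : '';
    // Still dangerous by design (administrator-supplied PHP), but now only
    // reachable by administrators, which is the intended trust boundary.
    eval( $code );
    wp_die();
}
add_action( 'wp_ajax_ai_demo_preview', 'ai_demo_preview_hardened' );

// Nonces are meant to be echoed back by the browser, so treat them as
// semi-public: only emit them on admin pages for users who may act on them,
// never in JavaScript that every front-end visitor loads.
function ai_demo_enqueue_scripts() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'ai-demo', plugins_url( 'ai-demo.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'ai-demo', 'aiDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'ai_demo_preview' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'ai_demo_enqueue_scripts' );
```

The order matters: the capability check runs before the nonce check, so a leaked nonce alone is worthless to a Subscriber, and the nonce is only ever generated for users who already hold the capability. When auditing a plugin, grep for handlers where check_admin_referer() or check_ajax_referer() is the only check between the request and a sensitive sink.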

The flaw affects all WordPress websites running Ad Inserter version 2.4.21 or earlier. The developer released version 2.4.22 on July 13 to address the authenticated RCE flaw.

Below is the disclosure timeline:

July 12 – Vulnerability discovered by Wordfence Threat Intelligence Team
July 12 – Firewall rule released to Wordfence Premium users
July 12 – Plugin developer notified of the security issue
July 13 – Patch released
August 11 – Firewall rule becomes available to free users

Pierluigi Paganini

(SecurityAffairs – Ad Inserter, WordPress plugin)

The post Flaw in Ad Inserter WordPress plugin allows remote attackers to execute code appeared first on Security Affairs.

How to Prevent Insider Data Breaches at your Business

Guest article by Dan Baker of SecureTeam

Most security systems are installed to forestall external threats to a business’ network, but what about the threats that originate inside your organisation and your network?

Data breaches have the potential to expose a large amount of sensitive, private or confidential information held on your network. Insider threats pose a significant risk to your business and are increasingly recognised as an issue that needs to be addressed.

SecureTeam are experts in cybersecurity and provide a variety of cybersecurity consultation solutions to a range of businesses. They have used their extensive knowledge of internal network security to write this handy guide to help businesses protect themselves from insider data breaches.

Who is considered an Insider Threat?

Insider threats can come from a variety of different sources and can pose a risk to your business that you might not have considered.

Malicious Insider 
This is when an employee who might have legitimate access to your network has malicious intentions and uses that access to intentionally leak confidential data. Employees who intentionally provide access to the network to an external attacker are also included in this threat.

Accidental Insider
This is when an employee makes an honest mistake that results in a data breach. Something as simple as opening a malicious link in an email or sending sensitive information to the wrong recipient can each constitute a data breach. The main cause of accidental insider breaches is poor employee education around security and data protection, and most of them can be avoided through basic security hygiene and training.

Third Party
There is a data protection risk that arises when third-party contractors or consultants are given permission to access certain areas of the network. They could, intentionally or unintentionally, use that permission to access private information and cause a data breach. Past employees whose access has not been revoked can also reach confidential information they are no longer entitled to, and should be treated as a threat as well.

Social Engineers
Although this threat is technically external, a social engineer’s aim is to exploit employees by interacting with them and manipulating them into providing access to the network or revealing sensitive information.

Data breaches from internal threats have the potential to cause the loss of sensitive or confidential information that can damage your business’ reputation and cost you a significant amount of money. There are some ways you can attempt to prevent insider data breaches, however. 

How to prevent Data Breaches

There are a few simple ways you can try to prevent an internal data breach, including:

Identify your Sensitive Data
The first step to securing your data is to identify and list all of the private information stored on your network and to note who in your organisation has access to it. With that inventory in hand you can secure the data properly and create a data protection policy that keeps it secure.

Create a Data Protection Policy
A data protection policy should outline the guidelines regarding the handling of sensitive data, privacy and security to your employees. By explaining to your staff what they are expected to do when handling confidential information you reduce the risk of an accidental insider data breach.

Create a Culture of Accountability
Both employees and managers should understand their own responsibilities, and those of their team, when handling sensitive information. Making your team aware of their responsibilities and of the consequences of mistakes and negligent behaviour creates a culture of accountability. It also has the more positive effect of surfacing issues before they develop into full problems, so they can be dealt with through training or increased monitoring.

Utilise Strong Credentials & Access Control
By using stronger credentials, restricting logins to an onsite location where that is practical and preventing concurrent logins, you make your network harder to abuse and reduce the risk of stolen credentials being used to access it from an external location.

Review Accounts and Privileged Access
It is important that you regularly review your users’ privileges and account logins, so that dormant accounts no longer have access to private information and active users don’t retain unnecessary access to data. This reduces the risk of both accidental and malicious insider breaches.

The threat of an insider data breach continues to be an issue for businesses across a range of sectors. However, by putting a plan in place for these insider threats you improve the speed and effectiveness of your response to any issue that arises.

It is sensible to assume that most, if not all, businesses will come under attack eventually and by taking the threat seriously and adhering to the best security practices then you can help to prevent an attack turning into a full-blown data breach.

The npm installer for PureScript package has been compromised

It has happened again, another JavaScript package in the npm registry has been compromised, it is the installer for PureScript.

The installer for the PureScript package in the npm registry has been tampered with, forcing the project maintainers to purge the malicious code.

Last week many developers reported several problems with the installer and PureScript contributor Harry Garrood found malicious code in its npm installer.

Running npm i -g purescript from the command line installs the package, which fetches the PureScript compiler and sees around 2,000 installs a week.

The installer was originally developed and maintained by the Japanese developer Shinnosuke Watanabe (@shinnn); later the maintainers of the project asked him to hand control of the installer over to them.

The developer accepted the request but was disappointed for the decision.

“After a few too many disagreements and unpleasant conversations with @shinnn about the maintenance of the purescript npm installer, we (the compiler maintainers) recently decided that it would be better if we maintained it ourselves, and asked him if he would transfer the purescript package on npm to us. He begrudgingly did so.” wrote Garrood. “The 0.13.2 PureScript compiler release, which we cut last week, is the first release of the compiler since we took over the purescript npm package.”

Garrood explained that the PureScript installer has some dependencies that are also controlled by Watanabe, and malicious code was added to some dependencies of the npm installer at separate times.

@shinnn claims that the packages were compromised by an attacker who gained access to his npm account. The good news is that the malicious code that was added appears to have been intended only as sabotage: it crashes the PureScript npm installer.

The malicious code was identified and removed by the project maintainers, who have also dropped Watanabe’s dependencies from the installer.

“If you want to be absolutely sure you do not have malicious code on your machine, you should delete your node_modules directories and your package-lock.json files, and set a lower bound of 0.13.2 on the purescript package” wrote Garrood.

A similar case recently impacted developers using the Ruby strong_password library, the attacker hijacked the account of the real developer and injected malicious code in the library.

Pierluigi Paganini

(SecurityAffairs – npm, hacking)

The post The npm installer for PureScript package has been compromised appeared first on Security Affairs.

Family Safety: Twitter, Instagram Beef Up Measures to Fight Hate Speech, Bullying

The past few weeks have proven to be wins for family safety with several top social networks announcing changes to their policies and procedures to reduce the amount of hateful conduct and online bullying.

Twitter: ‘Dehumanizing Language Increases Risk’

In response to rising violence against religious minorities, Twitter said this week that it would update its hateful conduct rules to include dehumanizing speech against religious groups.

“Our primary focus is on addressing the risks of offline harm, and research shows that dehumanizing language increases that risk . . . we’re expanding our rules against hateful conduct to include language that dehumanizes others based on religion,” the company wrote on its Twitter Safety blog.

Twitter offered two resources that go in-depth on the link between dehumanizing language and offline harm, both worth reading and sharing with your kids. Experts Dr. Susan Benesch, Nick Haslam and Michelle Stratemeyer define hate speech, discuss its various contexts, and advise on how to counter it.

Instagram: ‘This intervention gives people a chance to reflect.’ 

Instagram announced it would be rolling out two new features to reduce potentially offensive content. The first, powered by artificial intelligence, prompts users to pause before posting. For instance, if a person is about to post a cruel comment such as “you are so stupid,” the user will get a pop-up notification asking, “are you sure you want to post this?”

A second anti-bullying function new to Instagram is called “Restrict,” a setting that lets users discreetly cut a bully off from their account. Restrict is a quieter way to stop someone seeing your content than blocking, reporting, or unfollowing, which could spark more bullying.

These digital safety moves by both Instagram and Twitter are big wins for families concerned about the growing amount of questionable content and bullying online.

If you get a chance, go over the basics of these new social filters with your kids.

Other ways to avoid online bullying:

Wise posting. Encourage kids to pause and consider tone, word choice, and any language that may be offensive or hurtful to another person, race, or gender. You are your child’s best coach and teacher when it comes to using social apps responsibly.

Stay positive and trustworthy. Coach kids around online conflict and the importance of sharing verified information. Encourage your child to be part of the solution in stopping rumors and reporting digital skirmishes and dangerous content to appropriate platforms.

Avoid risky apps. Apps like ask.fm, which allow anonymity, should be off limits. Kik Messenger, Yik Yak, Tinder, Down, and Whisper may also present risks. Remember: Any app is risky if kids are reckless with privacy settings, conduct, content, or the people they allow to connect with them.

Layer security. Use a comprehensive solution to help monitor screentime, filter content, and monitor potentially risky apps and websites.

Monitor gaming communities. Gaming time can skyrocket during the summer and in a competitive environment, so can cyberbullying. Listen in and monitor game time conversations and make every effort to help him or her balance summer gaming time.

Make profiles and photos private. Require kids under 18 to make all social profiles private. Doing so limits their online circles to known friends and reduces the possibility of cyberbullying and online conflict.

The post Family Safety: Twitter, Instagram Beef Up Measures to Fight Hate Speech, Bullying appeared first on McAfee Blogs.

Tech Giants Are Using Children’s Online Data Like It’s 1999 (or ’98, to Be More Precise)

While there is significantly more to be done to protect our data, consumers have never been better apprised of the imperiled state of their privacy. That said, it’s still an acute problem. The air travel equivalent would be when the cabin depressurizes and oxygen masks drop. In the dramatic destabilization that has occurred to our collective privacy over the past 15 years, the trigger event–a mixture of Facebook arrogance and the Equifax breach–has come and gone, but kids have not yet received the crucial attention needed to protect their data.

A recent study shows that nearly 40% of Amazon Prime Day shoppers have actively avoided Alexa-enabled products because they are concerned about the possibility of eavesdropping. Mozilla Firefox now features enhanced tracking protection as a default behavior. And, Apple CEO Tim Cook memorably doubled (if not tripled) down on prioritizing user privacy as the parade of Facebook stories rattled consumers to the core. More recently, New York State introduced legislation to update its data protection and privacy laws, and California’s new privacy law, modeled on the EU’s GDPR, goes into effect January 1, 2020.

Even with all the positive news from the frontlines of protecting consumer information, the safeguarding of children’s data still has a long way to go.

Consider just one recent story. Video-sharing giant YouTube is currently being investigated for the illegal collection of data from users under the age of 13 (competitor service TikTok recently paid $5.7 million in fines for similar practices), and Amazon.com’s Echo Dot is the focus of a class action suit for illegally recording children. A recent study from UC-Berkeley found that 57% of apps listed under Google Play’s “Designed for Families” section collected data on children under the age of 13 in direct violation of COPPA, the Children’s Online Privacy Protection Act.

How Did We Get Here?

Unless you have been living in an upside-down chowder bowl on the bottom of Cape Cod Bay, tracking and trafficking in the online browsing habits of children should come as no surprise. While there’s a massive industry for all user data, from online quizzes to browsing habits to online purchases, kids’ online worlds make them easy prey for pretty much every monetized online behavior out there.

ISPs, mobile carriers, social media providers, and web browsers are currently making a very healthy profit from the data associated with your day-to-day life, both on- and offline. Children are the Holy Grail for advertisers, and represent a sizable chunk of the consumer market. Their data is just as valuable as those of adults, if not more so.

While children are supposed to be protected under COPPA, the regulations have gone largely unchanged since it was passed in the late 90s, and became the law of the land in 2000. File under: “Man plans, God laughs.” Meanwhile, the Internet made Las Vegas look like a sad, poorly planned desert boom town gone bust. The surveillance economy didn’t exist when COPPA was conceived, and it needs to be updated to address our new world of constant, persistent, near-total exposure.

What is COPPA and Why Is it Failing?

The broad strokes of COPPA are straightforward: Websites aren’t allowed to collect information associated with children under the age of 13 without the express consent of a parent or guardian.

While this sounds reasonable, it also contains a major and easily exploited loophole: for one, there is no liability for non-compliance if a company or provider is not aware that a given piece of information belongs to an underage user. In short, if they don’t ask for the age of the user, they’re off the hook.

When COPPA went into effect, the internet had roughly 361 million users worldwide. For context, Facebook alone currently has 2.38 billion monthly active users. Only 3% of households in 2000 had broadband Internet access, with roughly a third of households being on dial-up internet.

We’ve come a long way (for better and worse). Currently 80% of pre-teens use social media, despite the fact that the most widely-used platforms all prohibit accounts for anyone under 13.

COPPA’s idea of children requiring permission from a parent made more sense when Internet access was mainly accomplished using a landline phone connection. The law neither allowed for nor expected multi-device households, with children able to connect to the Internet via IoT devices, tablets and mobile devices over continuous wireless connections. It didn’t anticipate the rise of “free” apps that would track the activity of every user in exquisite detail. Had the framers of COPPA foreseen the advent of the surveillance economy, chances are pretty good they would have been busy chasing seed money in the late ’90s.

Connected devices are designed to be as user friendly as possible, which makes them child accessible. When Disney acquired Fox, that consolidation gave the new larger entity access to giant portfolios of underage-user data. It probably should have been COPPA’s Equifax moment, but if we’re going to keep it real, Equifax probably should have had a Home Depot moment. We live in a time when the profitability of a privacy depredation makes progress hard to come by.

Since it’s no mean feat to determine the age of a user, maybe it’s time to assume users are underage, and be more restrictive with captured data. Whatever happens next, the protection of children’s data is a problem in sore need of solutions as quickly as possible. There is too much at stake.


The post Tech Giants Are Using Children’s Online Data Like It’s 1999 (or ’98, to Be More Precise) appeared first on Adam Levin.

Oracle to Release Critical Patch Update


Oracle will release its Critical Patch Update on July 16, 2019, which will include seven new fixes for the Oracle database server, according to a pre-release announcement.   

“While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update Advisory,” Oracle wrote.

The Critical Patch Update is a collection of patches for multiple security vulnerabilities, and the July 16 update contains 322 new fixes. Six of the security vulnerabilities were reportedly discovered by the Onapsis Research Labs team.

"Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible," the announcement stated.

Two of the six different patches that were originally reported by the Onapsis Research Lab team addressed "critical vulnerabilities in the Oracle E-Business Suite (EBS), which has been deeply researched by Onapsis in the last few years,” researchers wrote. “Successfully exploiting these vulnerabilities may allow an attacker three critical scenarios compromising the integrity and availability of EBS: remote code execution in the server, remote code execution in the client and a Denial of Service.”

The two vulnerabilities reported by Onapsis are an unrestricted file upload, which was originally reported in November 2018 and leads to remote code execution (CVSS 9.1), and a reflected server-side request forgery, which was originally reported in April 2019 and can lead to a denial of service (DoS) and a client-side remote code execution (CVSS 9.6).

If left unpatched, these vulnerabilities allow remote code execution and DoS. Disrupting a critical service such as an ERP system makes the attack a critical one, since it affects the availability, confidentiality and integrity of the data.

“Both vulnerabilities allow remote command execution, one in any EBS client and the other one directly on the server side. Even though all the announced CPUs should be applied, these critical vulnerabilities must be immediately addressed, and customers should prioritize implementation of the patches in order to avoid malicious exploitation,” the blog stated.

Facing the cold chills

Have you ever felt the cold chill in your spine when the "check engine" light comes on in your car? How about when one of your children turns pale and gets their first fever? It's a feeling of helplessness and concern about what could be wrong. Then there's the feeling of relief that comes with understanding, even if it's only partial understanding. We give the child medicine and the fever fades. We add oil to the engine and the light goes off. The human mind often wants to take the easiest path away from fear and stress. But these solutions only fix the symptoms, leaving the cause of the issue unaddressed. The same is true in security.

The Microsoft Detection and Response Team (DART) recently worked with a customer that had been subject to a targeted compromise, one where the attacker was intently and purposefully trying to get into their systems. The attack came through one of the customer's child organizations, which was compromised first; the parent organization shares a trust with that child. During the investigation of the child organization, the parent organization was notified that the attackers had migrated their foothold into the parent network. The parent was able to take immediate steps to stop the malicious activity, just before things could have gotten very serious.

From a security perspective, the customer has addressed the symptom (a known compromise) but missed the opportunity to address the core issues that allowed the compromise. It’s not unusual for an organization to shift to the perspective that everything is now better. But it’s never quite so simple.

For DART, one of our key responsibilities is helping our customers understand what happened, how it happened, how long it’s been happening, the potential impact to the organization, and how the customer can improve their protection, detection, and response mechanisms to be better prepared in the future.

Understanding a compromise

Let’s dissect this story a bit more to better understand what happened. The example customer is a global company, with dozens of child organizations around the globe, all connected to the same Active Directory architecture. From a customer perspective, the IT and security functions are decentralized at each child, with each region retaining autonomous control over the operation of their data resources. This takes the pressure off the parent organization by delegating administrative processes like patching, account management, and configuration management to administrators at the child organization; and allowing the parent to focus primarily on critical business operations and their own IT and security.

[Infographic: the child organizations surround the parent organization, which sits in the cloud; the parent is made vulnerable as each child organization is made vulnerable.]

Each of the child organizations operates their own Active Directory forest for their users and systems, and a majority of these organizations have a two-way trust with the Active Directory in the parent organization. Roughly half of these trusts have no security identifier (SID) filtering in place to restrict account movement between the various forests. The parent organization’s incident was possible because a compromised account was allowed to move into their network, unhindered. In fact, a compromise in any of the other child organizations would have the same result, creating legitimate risk for the parent and all the other connected child organizations.

How DART helps customers address underlying risks

DART spent days weaving together a story for the customer that explained the real risk to the organization, even though this specific attack had been blocked. A number of systemic issues combined to create that risk. Patching was sporadic, and because both the information technology (IT) and security processes were decentralized across the various organizations, large numbers of systems carried known vulnerabilities. The decentralized network also created blind spots in security monitoring across the various forest and network boundaries; the customer could not have detected the lateral movement of bad actors because nobody was watching those boundaries.

Finally, the lack of configuration management across the company let users hold excessive account privileges and install unsafe software packages. The result was large numbers of dangerous software packages installed on user systems with privileged access, simply because users opened email attachments, clicked links, or installed questionable software downloaded from the internet, such as key generators for commercial software products.

The large number of potentially unwanted applications (PUAs) and malware present on the network was clear evidence of the issues facing the customer. A compromised user in one segment of the customer organization creates risk for the entire company. Faced with the reality of the situation, the customer shifted perspectives to improving the security of their environment.

To start, the customer needed to get a handle on the configuration and security of the various arms of the organization. Centralizing IT and security functions would allow for consistent patching, secure account management, and security monitoring. Two-way trusts putting the organization at risk should be managed with appropriate SID filtering, reduced to one-way trusts as needed, or removed from a trust relationship altogether, depending on business need. Standardized security software, such as anti-malware solutions with automatic updates, would provide detection of malware much more quickly on endpoints. Security monitoring at all key network boundaries would create immediate alerts when malicious software or bad actors attempt to move across the environment or create persistence points. A sensible and centralized management plan would enable the customer to protect, detect, and respond to incidents.
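The SID filtering gap described above, and the trust clean-up recommended here, can be checked from the parent domain in a few lines. The following is an added example, not code from DART or Microsoft: it decodes the trustAttributes and trustDirection values of each trustedDomain object (the same values that Get-ADTrust -Filter * exposes as TrustAttributes and Direction, or that an LDAP search for objectClass=trustedDomain returns) and flags the trusts through which a compromised account on the other side could carry forged SIDs into this domain. The flag values are taken from MS-ADTS; the sample trust list, the domain names and the suggested_fix helper are constructed for illustration.

```python
# trustAttributes flag bits, as defined in MS-ADTS section 6.1.6.7.9
TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x04   # SID filtering enabled on an external trust
TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x08    # forest trust
TRUST_ATTRIBUTE_WITHIN_FOREST = 0x20        # parent/child or tree-root trust inside one forest
TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL = 0x40    # forest trust with SID history enabled

# trustDirection bits, MS-ADTS section 6.1.6.7.12. OUTBOUND means this domain
# trusts the other one, so the other side's accounts can authenticate here.
TRUST_DIRECTION_INBOUND = 0x1
TRUST_DIRECTION_OUTBOUND = 0x2


def sid_filtering_mode(attrs):
    """Describe how SIDs presented across the trust are filtered."""
    if attrs & TRUST_ATTRIBUTE_WITHIN_FOREST:
        return "intra-forest"      # never filtered; the forest is the security boundary
    if attrs & TRUST_ATTRIBUTE_FOREST_TRANSITIVE:
        if attrs & TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL:
            return "relaxed"       # sidHistory honoured; set by netdom /enablesidhistory:Yes
        return "forest-aware"      # default for forest trusts
    if attrs & TRUST_ATTRIBUTE_QUARANTINED_DOMAIN:
        return "quarantined"       # default for external trusts created since Windows Server 2003
    return "none"                  # no SID filtering at all


def direction_label(direction):
    return {1: "inbound", 2: "outbound", 3: "bidirectional"}.get(direction, "unknown")


def audit_trusts(trusts):
    """One finding per trust; `risk` is set where accounts from the other side
    can authenticate here and their SIDs are not filtered."""
    findings = []
    for trust in trusts:
        mode = sid_filtering_mode(trust["trustAttributes"])
        lets_them_in = bool(trust["trustDirection"] & TRUST_DIRECTION_OUTBOUND)
        findings.append({
            "name": trust["name"],
            "direction": direction_label(trust["trustDirection"]),
            "sid_filtering": mode,
            "risk": lets_them_in and mode in ("none", "relaxed"),
        })
    return findings


def suggested_fix(finding, local_domain):
    """netdom command that turns SID filtering back on for a flagged trust
    (hypothetical helper; the command is run from the trusting domain)."""
    if not finding["risk"]:
        return None
    if finding["sid_filtering"] == "relaxed":
        return f"netdom trust {local_domain} /domain:{finding['name']} /enablesidhistory:No"
    return f"netdom trust {local_domain} /domain:{finding['name']} /quarantine:Yes"


# Constructed sample in the shape an LDAP search for (objectClass=trustedDomain)
# or Get-ADTrust -Filter * would return for the parent domain. All names are made up.
SAMPLE_TRUSTS = [
    {"name": "apac.child.example", "trustDirection": 3, "trustAttributes": 0x08},
    {"name": "emea.child.example", "trustDirection": 3, "trustAttributes": 0x08 | 0x40},
    {"name": "legacy-partner.example", "trustDirection": 3, "trustAttributes": 0x00},
    {"name": "vendor.example", "trustDirection": 3, "trustAttributes": 0x04},
    {"name": "ops.example", "trustDirection": 1, "trustAttributes": 0x00},
]

if __name__ == "__main__":
    for f in audit_trusts(SAMPLE_TRUSTS):
        flag = "RISK" if f["risk"] else "ok  "
        print(f"{flag} {f['name']:<24} {f['direction']:<13} sid filtering: {f['sid_filtering']}")
        if f["risk"]:
            print("     fix:", suggested_fix(f, "parent.example"))
```

The risk condition is deliberately narrow: only outbound (or bidirectional) trusts matter, because those are the ones through which the other side's accounts authenticate here, and a forest trust only becomes a problem once SID history has been enabled on it. Without filtering, an attacker who controls a child forest can add parent-forest SIDs to the sidHistory of a forged ticket and be treated in the parent as a member of whatever those SIDs represent, which is exactly the "unhindered" movement described above.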

It's easy to forget that security incidents are sometimes symptoms of a bigger problem facing the organization. Leadership would benefit from taking a step back from current events to work with their team and determine where the real security issues exist, and what's needed to make the organization more secure. In essence, a security aspirin will help lower our fever, but it's a temporary fix. The fever will return, and it could be worse. It's more effective in the long run to obtain the needed X-rays or take appropriate blood tests to determine how sick the network is, and what treatment options will remove the key risks to network health.

Learn more

To learn more about DART, our engagements, and how they are delivered by experienced cybersecurity professionals who devote 100 percent of their time to providing cybersecurity solutions to customers worldwide, please contact your account executive. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Facing the cold chills appeared first on Microsoft Security.

Ready, Set, Shop: Enjoy Amazon Prime Day Without the Phishing Scams

Amazon Prime Day is becoming one of the hottest shopping periods for the summer. However, it is also becoming one of the hottest opportunities for cybercriminals, as hackers target shoppers in a number of ways during peak shopping moments to steal personal data or financial information. In fact, researchers at McAfee Labs have uncovered a phishing kit specifically created to steal personal information from Amazon customers in America and Japan.

How exactly does this phishing kit work? The kit allows hackers to create phishing emails that look like they have come from Amazon. The emails prompt users to share their login credentials on a malicious website. Once the victim hands over their login, the hackers can use the victim’s account to make fraudulent purchases and steal their credit card information saved in their Prime account.

According to McAfee Labs researchers, this phishing scam has already seen widespread use, with over 200 malicious URLs being used to prey on innocent online shoppers. Additionally, the phishing kit is being sold through an active Facebook group with over 300 members and 200 posts in recent weeks. McAfee has notified Facebook of the existence of this group. The social network has taken an active posture in recent months of taking down groups transacting in such malicious content.

So, what does this threat mean for Amazon users? If you’re planning on participating in Prime Day, follow these security steps to help you swerve malicious cyberattacks:

  • Beware of bogus deals. If you see an ad for Prime Day that looks too good to be true, chances are that the ad isn’t legitimate.
  • Think before you click. Be skeptical of ads shared on social media sites, emails, and messages sent to you through platforms like Facebook, Twitter, and WhatsApp. If you receive a suspicious message regarding Prime Day, it’s best to avoid interacting with the message.
  • Do your due diligence with discount codes. If a discount code lands in your inbox, you’re best off verifying it through Amazon.com directly rather than clicking on any links.

If you do suspect that your Amazon Prime account has been compromised due to a cyberthreat, take the following steps:

  • Change your password. Change the passwords to any accounts you suspect may have been impacted. Make sure they are strong and unique.
  • Keep an eye on your bank account. One of the simplest ways to determine whether someone is fraudulently using your credit card information is to monitor your bank statements. If you see any charges that you did not make, report it to the authorities immediately.
  • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you monitor your accounts and alert you to any suspicious activity.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Ready, Set, Shop: Enjoy Amazon Prime Day Without the Phishing Scams appeared first on McAfee Blogs.

Is ‘REvil’ the New GandCrab Ransomware?

The cybercriminals behind the GandCrab ransomware-as-a-service (RaaS) offering recently announced they were closing up shop and retiring after having allegedly earned more than $2 billion in extortion payments from victims. But a growing body of evidence suggests the GandCrab team have instead quietly regrouped behind a more exclusive and advanced ransomware program known variously as “REvil,” “Sodin,” and “Sodinokibi.”

“We are getting a well-deserved retirement,” the GandCrab administrator(s) wrote in their farewell message on May 31. “We are a living proof that you can do evil and get off scot-free.”

However, it now appears the GandCrab team had already begun preparations to re-brand under a far more private ransomware-as-a-service offering months before their official “retirement.”

In late April, researchers at Cisco Talos spotted a new ransomware strain dubbed Sodinokibi, which encrypts files on infected systems unless and until the victim pays the demanded sum, being deployed by attackers who also dropped GandCrab on the same victims. A month later, GandCrab would announce its closure.

A payment page for a victim of REvil, a.k.a. Sodin and Sodinokibi.

Meanwhile, in the first half of May an individual using the nickname “Unknown” began making deposits totaling more than USD $130,000 worth of virtual currencies on two top cybercrime forums. The down payments were meant to demonstrate the actor meant business in his offer to hire just a handful of affiliates to drive a new, as-yet unnamed ransomware-as-a-service offering.

“We are not going to hire as many people as possible,” Unknown told forum members in announcing the new RaaS program. “Five affiliates more can join the program and then we’ll go under the radar. Each affiliate is guaranteed USD 10,000. Your cut is 60 percent at the beginning and 70 percent after the first three payments are made. Five affiliates are guaranteed [USD] 50,000 in total. We have been working for several years, specifically five years in this field. We are interested in professionals.”

Asked by forum members to name the ransomware service, Unknown said it had been mentioned in media reports but that he wouldn’t be disclosing technical details of the program or its name for the time being.

Unknown said it was forbidden to install the new ransomware strain on any computers in the Commonwealth of Independent States (CIS), which includes Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine and Uzbekistan.

The prohibition against spreading malware in CIS countries has long been a staple of various pay-per-install affiliate programs that are operated by crooks residing in those nations. The idea here is not to attract attention from local law enforcement responding to victim complaints (and/or perhaps to stay off the radar of tax authorities and extortionists in their hometowns).

But Kaspersky Lab discovered that Sodinokibi/REvil also includes one other nation on its list of countries that affiliates should avoid infecting: Syria. Interestingly, later versions of GandCrab took the same unusual step.

What’s the significance of the Syria connection? In October 2018, a Syrian man tweeted that he had lost access to all pictures of his deceased children after his computer got infected with GandCrab.

“They want 600 dollars to give me back my children, that’s what they’ve done, they’ve taken my boys away from me for a some filthy money,” the victim wrote. “How can I pay them 600 dollars if I barely have enough money to put food on the table for me and my wife?”

That heartfelt appeal apparently struck a chord with the developer(s) of GandCrab, who soon after released a decryption key that let all GandCrab victims in Syria unlock their files for free.

But this rare display of mercy probably cost the GandCrab administrators and its affiliates a pretty penny. That’s because a week after GandCrab released decryption keys for all victims in Syria, the No More Ransom project released a free GandCrab decryption tool developed by Romanian police in collaboration with law enforcement offices from a number of countries and security firm Bitdefender.

The GandCrab operators later told affiliates that the release of the decryption keys for Syrian victims allowed the entropy used by the random number generator for the ransomware’s master key to be calculated. Approximately 24 hours after NoMoreRansom released its free tool, the GandCrab team shipped an update that rendered it unable to decrypt files.

There are also similarities between the ways that both GandCrab and REvil generate URLs that are used as part of the infection process, according to a recent report from Dutch security firm Tesorion.

“Even though the code bases differ significantly, the lists of strings that are used to generate the URLs are very similar (although not identical), and there are some striking similarities in how this specific part of the code works, e.g., in the somewhat far-fetched way that the random length of the filename is repeatedly recalculated,” Tesorion observed.

My guess is the GandCrab team has not retired, and has simply regrouped and re-branded due to the significant amount of attention from security researchers and law enforcement investigators. It seems highly unlikely that such a successful group of cybercriminals would just walk away from such an insanely profitable enterprise.

TrickBot’s “TrickBooster” Update Compromised 250M Emails

Last Valentine's Day we made a fearless declaration here on Hackercombat.com that TrickBot is shaping up to be the "malware of the year", on the strength of its massive campaigns infecting computers worldwide. That remains our forecast: security researchers at Deep Instinct have now found TrickBot responsible for harvesting at least 250 million email addresses, riding on massive spam runs from computers that were already infected, in a campaign to cast a wider net for the banking trojan.

TrickBot previously spread by exploiting an SMB flaw in unpatched versions of Windows, traversing network shares and embedding itself deep in the operating system. With the update Deep Instinct calls "TrickBooster", the banking trojan gained a new capability: it reads the address book of the email client installed on the infected computer and sends malicious spam to all of the user's contacts. As Deep Instinct's analysis of the new version notes, using the victim's own contacts greatly increases the trojan's reach compared with earlier versions.

Because the new spam is sent through the victim's own mail client, it does not originate from a known spam source and is harder for the filters at Outlook.com, Yahoo Mail and Gmail to catch. Of the harvested addresses, about 25 million were Gmail accounts, 21 million Yahoo Mail and 11 million Outlook.com.

“We analyzed the malware sample and found swaths of PowerShell code in its memory. Analysis of this PowerShell code immediately led us to the conclusion that we are dealing with a mail-bot. We discovered more samples of the malware, both signed and not, additional infrastructure used in the campaign – both to distribute (infection points) and control the malware (C2 Servers),” explained Shaul Vilkomir-Preisman, security researcher at DeepInstinct in their official website blog.

The new module drives Outlook through COM: it obtains the Outlook application object with CoCreateInstance and OleRun (the same automation interface that Microsoft.Office.Interop.Outlook wraps), runs in a parallel thread, and issues commands to harvest contacts and send mail from the victim's own account. The updated TrickBot also incorporates features that aid its proliferation, such as cookie theft and the use of legitimate-looking digital certificates on the Microsoft Office attachments it piggybacks on.

Rumors circulating online suggest the new TrickBot version reached mailboxes at US federal agencies, including the Department of Transportation, NASA, the Federal Aviation Administration, the Internal Revenue Service, the Social Security Administration, the Department of Justice, the Department of Homeland Security, the Bureau of Prisons, and the Bureau of Alcohol, Tobacco and Firearms.

Set against the espionage accusations leveled at China's Huawei Technologies, TrickBot's authors have demonstrably succeeded in stealing not only personally identifiable information but also banking data from Americans and other nationalities. "We continued monitoring the campaign and the infrastructure involved in it, both its infection points and C2 Servers, which were going on and off line, and employing various Geo-IP restrictions and other mechanisms to hamper analysis. It was at one of these servers that we found something that made us realize how successful this campaign is – an Email dump containing approximately 250 million Email addresses," concluded Vilkomir-Preisman.


The post TrickBot's "TrickBooster" Update Compromised 250M Emails appeared first on Hackercombat.

Monroe College Campuses Downed by Ransomware


Multiple campuses of Monroe College have had their systems downed after a ransomware attack reportedly struck the for-profit institution on July 11. 

The attack reportedly affected each of Monroe's campuses in Manhattan and New Rochelle, New York, and St. Lucia, and email has been compromised. Infosecurity contacted Monroe College via the email address listed on its website, but the message was returned as undeliverable, indicating that systems are still down.

The college took to Twitter to share the news with its online students.

In a statement, Marc Jerome, president of Monroe College, said, "Our team is working feverishly to bring everything back online, and we are working with the appropriate authorities to resolve the situation as quickly as possible," according to Inside Higher Ed.

“In the meantime, Monroe continues to operate. We’re simply doing it the way colleges did before email and the internet, which results in more personal interactions. As we have done throughout our 86-year history, we are coming together to assure that our students, faculty and staff are well served."

An attacker demanded the college pay $2 million to have its files decrypted. Jackie Ruegger, executive director of public affairs at the college, reportedly told Inside Higher Ed that the college knows who conducted the attack. Infosecurity attempted to call the numbers listed on the Twitter message, but the recipient disconnected the calls. 

The attack follows a number of university cyber-attacks, including the recent OSU, Graceland University and Missouri Southern State University email-based breaches in the last few months. According to recent data from Mimecast’s State of Email Security report, 56% of organizations in the education sector saw an increase in phishing with malicious links or attachments in the last year. It took 31% two to three days to get back to a recovered state upon suffering an email-based attack. Nearly half (42%) of organizations say ransomware has impacted their business operations in the last 12 months and 73% have experienced two to five days of downtime as a result of the ransomware attack.

SWEED: Exposing years of Agent Tesla campaigns

By Edmund Brumaghin and other Cisco Talos researchers.

Executive summary

Cisco Talos recently identified a large number of ongoing malware distribution campaigns linked to a threat actor we’re calling “SWEED,” including such notable malware as Formbook, Lokibot and Agent Tesla. Based on our research, SWEED — which has been operating since at least 2017 — primarily targets their victims with stealers and remote access trojans.

SWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious attachments. While these campaigns have featured a myriad of different types of malicious documents, the actor primarily tries to infect its victims with a packed version of Agent Tesla — an information stealer that’s been around since at least 2014. The version of Agent Tesla that SWEED is using differs slightly from what we’ve seen in the past in the way that it is packed, as well as how it infects the system. In this post, we’ll run down each campaign we’re able to connect to SWEED, and talk about some of the actor’s tactics, techniques and procedures (TTPs).


Nearly 20% of Organizations Still Run Windows 7


Despite the awareness that in six months Microsoft will officially end its support for its nearly 10-year-old operating system, Windows 7, 18% of large enterprises have not yet migrated to Windows 10, according to new research from Kollective.

At the start of 2019, researchers found that 43% of companies were still running Windows 7. Of those, 17% didn’t even know about the end of support. In its most recent analysis of 200 US and UK IT decision makers, the report revealed that organizations have a long way to go to prepare for the much anticipated end of Windows 7 support.

Six months later, 96% of IT departments have started their migration, and 77% have completed the move. However, given that the migration from Windows XP to Windows 7 reportedly took some firms more than three years to complete, companies that have not started migration are at risk of missing the final deadline.

In order to aid organizations in deploying a new OS to all endpoints, Microsoft has provided different options for companies still running Windows 7, one of which includes an extended support package at an annual cost of up to $500,000 for a company with 10,000-plus endpoints, the research said.

“The combined versions of Microsoft Windows operating systems equal more than 50 percent of global operating system usage. Windows 10 has the lion’s share of the market, which bodes well for security since Microsoft’s support for Windows 7 will end in January 2020,” wrote the Center for Internet Security (CIS), which released the CIS Controls Microsoft Windows 10 Cyber Hygiene Guide on July 11.

“Though many businesses are better prepared now than they were for the end of Windows XP, the move to Windows 10 comes with its own set of challenges,” said Dan Vetras, CEO of Kollective. “The migration itself is only the first step. IT managers moving to Windows 10 now have to prepare their networks for increasingly frequent ‘as a service’ updates to the OS. They will need to ensure their networks are ready for more testing, more roll outs and more network congestion to keep up to date.”

Episode 536 – Microsoft Making Multi-Factor Mandatory On Cloud Service Providers

Most companies use a Cloud Service Provider (CSP) when they move to Office 365, for many reasons. However, most CSPs retain high-level access to your email and files, and not every CSP has the same level of security practices. This episode talks about Microsoft's new mandatory rollout of multi-factor authentication for CSPs. Be aware, be […]

The post Episode 536 – Microsoft Making Multi-Factor Mandatory On Cloud Service Providers appeared first on Security In Five.

A flaw could have allowed hackers to take over any Instagram account in 10 minutes

Instagram has recently addressed a critical vulnerability that could have allowed attackers to completely take over any account without any user interaction.

The news was first reported by TheHackerNews, the issue was reported to the Facebook-owned photo-sharing service by the Indian security expert Laxman Muthiyah.

According to Muthiyah, the flaw affected the password reset mechanism of Instagram's mobile service. When users request a password reset, they must confirm a six-digit passcode, valid for 10 minutes, that is sent to their associated mobile number or email account. In the worst case, an attacker who could submit guesses freely would therefore need to try one million possible combinations to change a password.

Muthiyah focused his tests on the maximum number of requests allowed and found no blacklisting: he could keep sending requests without being blocked, even after reaching the maximum number allowed within a short window.

“When a user enters his/her mobile number, they will be sent a six-digit passcode to their mobile number. They have to enter it to change their password. Therefore if we are able to try all the one million codes on the verify-code endpoint, we would be able to change the password of any account.” reads the analysis of the expert. “But I was pretty sure that there must be some rate limiting against such brute-force attacks. I decided to test it.” “Two things that struck mind was the number of requests and the absence of blacklisting.”

He then found two things that let him bypass the rate limiting mechanism: a race condition and IP rotation.

“Sending concurrent requests using multiple IPs allowed me to send a large number of requests without getting limited.” explained the expert. “The number of requests we can send is dependent on concurrency of reqs and the number of IPs we use. Also, I realized that the code expires in 10 minutes, it makes the attack even harder, therefore we need 1000s of IPs to perform the attack. “

In summary, the rate limiting can be bypassed by running the brute-force attack from many different IP addresses and exploiting the race condition by sending requests concurrently.

The expert also published a video PoC of the attack that shows the exploitation of the flaw while hacking an Instagram account using 200,000 different passcode combinations without being blocked.

“In a real attack scenario, the attacker needs 5000 IPs to hack an account. It sounds big, but that’s actually easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to perform the complete attack of one million codes.” added the expert.
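The two bypasses described above come down to how the rate limiter was keyed and how it counted. The following is an added example, not Muthiyah's proof of concept or Instagram's code: a toy verify-code endpoint with a limiter that has both weaknesses (keyed by source IP, non-atomic check-then-increment) beside a hardened one (keyed by the target account, atomic counter, code invalidated after a handful of failures), each flooded with concurrent requests from a single address and from rotating addresses. The per-IP budget of 200 is an assumption inferred from the one million codes and 5,000 IPs quoted above; the victim identifier and the 198.51.100.0/24 addresses are constructed.

```python
import threading

CODE_SPACE = 1_000_000          # six-digit reset codes, as in the write-up
TARGET = "victim@example.com"   # constructed victim identifier


class NaivePerIpLimiter:
    """Limiter with the two weaknesses the write-up describes (constructed for
    illustration, not Instagram's code): it is keyed by source IP, so rotating
    IPs hands out a fresh budget each time, and its check and increment are not
    atomic, so concurrent requests can all pass the check before any is counted."""

    def __init__(self, budget=200):          # per-IP cap, assumed (1e6 codes / 5000 IPs)
        self.budget = budget
        self.counts = {}

    def allow(self, ip, account, race_hook=None):
        seen = self.counts.get(ip, 0)        # 1. check
        if seen >= self.budget:
            return False
        if race_hook is not None:
            race_hook()                      # demo only: widen the check/increment window
        self.counts[ip] = seen + 1           # 2. increment; concurrent callers lose updates here
        return True


class AccountKeyedLimiter:
    """Hardened limiter: keyed by the account whose code is being guessed, so the
    attacker's supply of IPs is irrelevant; check-and-increment under a lock, so
    concurrency cannot exceed the budget; and a small budget after which the
    code is invalidated instead of merely throttled."""

    def __init__(self, budget=5):
        self.budget = budget
        self.counts = {}
        self.burned = set()
        self.lock = threading.Lock()

    def allow(self, ip, account, race_hook=None):   # race_hook ignored: nothing to widen
        with self.lock:                              # atomic check-and-increment
            if account in self.burned:
                return False
            seen = self.counts.get(account, 0) + 1
            self.counts[account] = seen
            if seen > self.budget:
                self.burned.add(account)             # a new code must be issued; guessing stops
                return False
            return True


def flood(limiter, attempts, rotate_ips, race=False):
    """Fire `attempts` concurrent verify-code requests for TARGET and return how
    many the limiter let through. With race=True every request pauses between
    check and increment until all have checked (only safe when no check fails)."""
    start = threading.Barrier(attempts)
    race_hook = threading.Barrier(attempts).wait if race else None
    results, results_lock = [], threading.Lock()

    def worker(i):
        # 198.51.100.0/24 is TEST-NET-2, so these addresses are safe to fake
        ip = f"198.51.100.{i % 256}" if rotate_ips else "198.51.100.1"
        start.wait()
        ok = limiter.allow(ip, TARGET, race_hook)
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


def ips_needed(per_ip_budget):
    """IPs required to cover the whole code space within one code's lifetime."""
    return -(-CODE_SPACE // per_ip_budget)


def demo():
    return {
        "race_same_ip": flood(NaivePerIpLimiter(), 250, rotate_ips=False, race=True),
        "ip_rotation": flood(NaivePerIpLimiter(), 250, rotate_ips=True),
        "hardened": flood(AccountKeyedLimiter(), 250, rotate_ips=True),
        "ips_for_full_keyspace": ips_needed(200),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:<24} {value}")
```

The race is made deterministic with a barrier between the check and the increment so the demo does not depend on scheduler luck; in production the window is microseconds wide, but the PoC above shows it is wide enough. The hardened limiter also answers the IP-rotation problem without needing to know anything about the client: the budget belongs to the account and its current reset code, not to whoever is asking, and exhausting it burns the code rather than slowing the attacker down.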

Laxman Muthiyah received a $30,000 reward from the company under its bug bounty program.

Pierluigi Paganini

(SecurityAffairs – Instagram, hacking)

The post A flaw could have allowed hackers to take over any Instagram account in 10 minutes appeared first on Security Affairs.

La Porte County finally opted to pay $130,000 Ransom

On July 6, a ransomware attack paralyzed the computer systems of La Porte County, Indiana; after days of downtime the county decided to pay a $130,000 ransom. According to County Commission President Dr. Vidya Kora, employees were unable to access any government email or website.

The county IT director shut down the computer systems to stop the threat from spreading and to limit the damage. At least half of the servers in the county's infrastructure were infected, and fewer than 7% of laptops were unaffected.

Now La Porte County decided to pay $130,000 to recover data on systems infected with the ransomware.

For at least three days, government systems were not working forcing the County officials to evaluate the option to pay the ransom.

Immediately after the attack, the county reported the incident to the FBI and engaged outside security experts to investigate and contain the threat. The law firm Mullen Coughlin LLC managed the incident response, but despite these efforts La Porte County was unable to resume operations.

According to WSBT, La Porte County’s systems were infected with a variant of the Ryuk ransomware, the same malware that infected computers at City of Lake City on June 10.

“Two organizations in our area are recovering from recent cyber attacks. Both the South Bend Clinic and La Porte County government are dealing with the aftermath.” reported the WSBT.

“La Porte County paid the ransom on a cyber attack that locked up part of the government’s computer system. The Ryuk virus got into the backup servers.”


It seems that $100,000 out of $130,000 are being covered by insurance.

"Fortunately, our county liability agent of record, John Jones, last year recommended a cybersecurity insurance policy which the county commissioners authorized from Travelers Insurance," explained Dr. Vidya Kora.

Recently other administrations decided to pay the ransom to decrypt their files. Crooks earned a total of over $1 million in June from the attacks on two municipalities in Florida, Lake City and Riviera Beach.

In April, Stuart City was victim of the Ryuk Ransomware too, but it refused to pay the ransom. Early March, another city was hit by the same ransomware, computers of Jackson County, Georgia, were infected with Ryuk that paralyzed the government activity until officials decided to pay a $400,000 ransom to decrypt the files.

The Ryuk ransomware appears to be derived from the Hermes malware, which has been associated with the notorious Lazarus APT group.

The same ransomware was recently used in an attack that disrupted the distribution of several major US newspapers, including the Wall Street Journal, the New York Times, and the Los Angeles Times.

Further analysis of the malware led experts at the security firms FireEye and CrowdStrike to conclude that the threat actors behind Ryuk work with another cybercrime gang to gain access to target networks: the operators of TrickBot, a malware that, once it has infected a system, opens a reverse shell back to the attackers and lets them move further into the network.

Experts at CrowdStrike believe Ryuk is operated by a crime group they track as GRIM SPIDER, a cell of the Russia-based WIZARD SPIDER enterprise that operates TrickBot.

Experts also pointed out that Hermes was offered for sale in underground forums, so the attackers could have bought it and built their own variant, Ryuk, from it rather than having any link to Lazarus.

The United States Conference of Mayors recently asked its members to “stand united” against paying ransoms when their systems are hit by ransomware, a stance intended to discourage the criminal practice.

Pierluigi Paganini

(SecurityAffairs – La Porte, ransomware)

The post La Porte County finally opted to pay $130,000 Ransom appeared first on Security Affairs.

Palantir’s Surveillance Service for Law Enforcement

Motherboard got its hands on Palantir's Gotham user manual, which police use to get information on people:

The Palantir user guide shows that police can start with almost no information about a person of interest and instantly know extremely intimate details about their lives. The capabilities are staggering, according to the guide:

  • If police have a name that's associated with a license plate, they can use automatic license plate reader data to find out where they've been, and when they've been there. This can give a complete account of where someone has driven over any time period.

  • With a name, police can also find a person's email address, phone numbers, current and previous addresses, bank accounts, social security number(s), business relationships, family relationships, and license information like height, weight, and eye color, as long as it's in the agency's database.

  • The software can map out the family members and business associates of a suspect, and theoretically, find the above information about them, too.

All of this information is aggregated and synthesized in a way that gives law enforcement nearly omniscient knowledge over any suspect they decide to surveil.

Read the whole article -- it has a lot of details. This seems like a commercial version of the NSA's XKEYSCORE.

Boing Boing post.

FBI Seeks Social Media Monitoring Tool

The FBI wants to gather more information from social media. Today, it issued a call for contracts for a new social media monitoring tool. According to a request-for-proposals (RFP), it's looking for an "early alerting tool" that would help it monitor terrorist groups, domestic threats, criminal activity and the like.

The tool would provide the FBI with access to the full social media profiles of persons-of-interest. That could include information like user IDs, emails, IP addresses and telephone numbers. The tool would also allow the FBI to track people based on location, enable persistent keyword monitoring and provide access to personal social media history. According to the RFP, "The mission-critical exploitation of social media will enable the Bureau to detect, disrupt, and investigate an ever growing diverse range of threats to U.S. National interests."

Free Decryptor Released for Ims00rry Ransomware

Security researchers have released a free decryption utility that victims of the Ims00rry ransomware can use to recover their files. On 12 July, anti-virus and anti-malware solutions provider Emsisoft made the decryptor available to the public. The firm published a follow-up post about its tool two days later. In its research, Emsisoft explains that Ims00rry leverages […]… Read More

The post Free Decryptor Released for Ims00rry Ransomware appeared first on The State of Security.

Chinese Software Engineer Accused of US IP Theft


A Chinese software engineer is still on the run after being accused of stealing intellectual property from his former US employer before taking a job at a Chinese firm.

Xudong (“William”) Yao, 57, worked at a Chicago-based manufacturer of equipment for train engines from August 2014, according to a December 2017 indictment unsealed last week.

Yet after just two weeks in the role, Yao had downloaded 3,000 files containing proprietary and trade secret information relating to the control system for the manufacturer's locomotives, the Department of Justice (DoJ) claimed.

Over the following six months Yao downloaded further material, including technical documents and source code. During the same period he reached out to, and accepted a position at, a Chinese firm that provides automotive telematics service systems.

After Yao's employment was terminated for unrelated reasons in February 2015, he made copies of the stolen trade secret information and traveled home to China to start work at the company there.

Flying from Chicago O’Hare airport in November that year, he is alleged to have had in his possession the stolen trade secrets, including nine copies of control system source code and system specs explaining how the code worked, according to the indictment.

Yao faces a maximum of 10 years in prison if found guilty of the nine counts of theft of trade secrets. But it is unlikely he will be caught unless he makes the mistake of setting foot in the US or an allied country again.

China has long been considered a prodigious stealer of intellectual property, whether through state-backed cyber-espionage designed to give domestic companies an advantage or through individuals abusing their insider positions at Western companies.

In June, a Chinese engineer was found guilty of conspiring to illegally export US semiconductors with military applications back home.

Japanese Exchange Bitpoint Hit By $32m Cyber-Attack


Japan-based cryptocurrency exchange Bitpoint has become the latest to lose tens of millions of dollars in a cyber-attack.

The firm said it was forced on Friday to stop all services — including withdrawals, deposits, payments, and new account openings — while it investigated the incident. It has also notified the relevant authorities in Japan.

Hackers managed to steal funds not only from the firm's hot wallets but also from its offline cold wallets. Bitpoint said it first detected an error in Ripple remittances and then realized it had been the victim of a cyber-attack. It took another three hours before the firm realized the attack had also compromised funds held in Bitcoin, Bitcoin Cash, Litecoin, and Ethereum.

A total of around 3.5 billion yen ($32 million) was stolen, most of it ($23m) customer-owned funds. The remainder belonged to Bitpoint, and it is not clear at this stage whether the firm plans to reimburse its customers.

The firm is the latest in a long line of cryptocurrency exchanges to come under the scrutiny of cyber-criminals. Last year, two Japanese exchanges were hit: Zaif lost 6.7bn yen ($60m) after hackers stole it from a hot wallet, while Coincheck lost 500m NEM tokens worth $530m at the time.

Just last month, Singaporean cryptocurrency exchange Bitrue was estimated to have lost around $4.5m after hackers breached a hot wallet and moved the funds to other exchanges. A month earlier, hackers stole in the region of $41m from Binance in a single hot wallet transaction.

In most such incidents, at least the majority of the stolen funds is returned to customers.

Last month, Europol convened a meeting of cryptocurrency experts at its HQ in the Hague in a bid to share best practice and build partnerships to improve policing of digital crimes.

Facebook Set For Record $5bn FTC Fine


Facebook is reportedly set to be handed a record $5bn fine by a US regulator over privacy violations leading to the Cambridge Analytica scandal.

The Federal Trade Commission (FTC) is said to have made the decision following an investigation begun in March last year after sensational reports emerged of improper use of users’ personal data.

It turned out that the shadowy consultancy had managed to obtain data collected by a third-party app on 87m Facebook users and their friends and use it to profile and target wavering voters ahead of the 2016 Presidential election.

When it levied a maximum £500,000 fine under the pre-GDPR data protection regime last October, the UK’s Information Commissioner’s Office (ICO) argued that Facebook had processed user information “unfairly” by allowing developers to access this data without adequately “clear and informed consent.” It also criticized the social network for allowing developers to access the personal data of users who had not even downloaded the app but were friends of those who had.

The $5bn fine is unlikely to trouble a firm that made over $15bn in the first three months of 2019 alone, but it is believed to be the largest ever levied by the FTC against a tech firm and for privacy violations.

It is also around the amount Facebook predicted it would be fined a few months ago, according to Dan Goldstein, former attorney and owner of digital marketing agency, Page 1 Solutions.

"The real ‘teeth’ of this announcement will come not from the $5 billion settlement. Facebook is worth hundreds of billions of dollars, so this amount is practically a drop in the bucket. I am more curious about the regulations expected to accompany the terms of the settlement," he argued.

"If the financial losses don't paint a clear enough picture for the tech industry as a whole, perhaps new regulations for one of its key players will finally convince these companies to begin protecting users instead of exploiting them.”

Regulators outside the US are already coming down hard on data protection and privacy violations. Last week the ICO issued two huge fines, to BA and to Marriott International, for cybersecurity failings that led to massive data breaches at their respective organizations.

Apple temporarily blocked Walkie-Talkie App on Apple Watch due to a flaw

A serious vulnerability in the Walkie-Talkie app on the Apple Watch forced the tech giant to disable the application to prevent attackers from eavesdropping on its users.

Apple has temporarily disabled the Walkie-Talkie app on the Apple Watch because of a vulnerability that could be exploited to spy on users. The issue was reported to Apple through its vulnerability reporting portal.

Apple Walkie-Talkie app – Source: The Mirror

The Walkie-Talkie app lets users talk to other users who have a compatible Watch, emulating the behavior of a traditional walkie-talkie.

According to TechCrunch, Apple is already working on a patch, but the app will remain unusable until the fix is released.

“Apple has disabled the Apple Watch Walkie Talkie app due to an unspecified vulnerability that could allow a person to listen to another customer’s iPhone without consent, the company told TechCrunch this evening.” reads the post published by TechCrunch. “Apple has apologized for the bug and for the inconvenience of being unable to use the feature while a fix is made.”

The flaw could allow an attacker to listen through another user's iPhone via the app; at the time of writing, no further technical details had been publicly disclosed.

“Although we are not aware of any use of the vulnerability against a customer and specific conditions and sequences of events are required to exploit it, we take the security and privacy of our customers extremely seriously,” reads a statement from Apple. “We concluded that disabling the app was the right course of action as this bug could allow someone to listen through another customer’s iPhone without consent.”

The good news is that Apple is not aware of attacks in the wild exploiting the vulnerability.

Earlier this year, another major vulnerability, in Apple's FaceTime, allowed a caller to hear the audio of the person being called before they picked up.

At the time, privacy advocates and authorities raised concerns about how Apple handled the issue.

Pierluigi Paganini

(SecurityAffairs – walkie-talkie app, GDPR)

The post Apple temporarily blocked Walkie-Talkie App on Apple Watch due to a flaw appeared first on Security Affairs.

Do you have what it takes to be a hardware hacker?

If you ask Yago Hansen, a hacker specialized in Wi-Fi and RF security, curiosity and a willingness to learn and improve your skills are the two things that you absolutely must have to embark on a (white hat) hacking career. A love for money, on the other hand, is not. “In my mind, hackers are security researchers who spend a lot of their life in testing, learning and getting better at what they do because … More

The post Do you have what it takes to be a hardware hacker? appeared first on Help Net Security.

eCh0raix Ransomware Targeting QNAP Devices

A newly discovered ransomware family targets QNAP network attached storage (NAS) devices. The malware, named eCh0raix by the security firm Anomali (detected by Trend Micro as Ransom.Linux.ECHORAIX.A), was built for targeted ransomware attacks in the style of Ryuk or LockerGoga.

A NAS device is connected to a network and acts as a file storage and backup system, typically placed in a central location where users can easily reach the data. NAS devices are a scalable and cost-effective solution for many businesses.

How eCh0raix works

eCh0raix is written in Go, a programming language increasingly used to develop malware. The ransomware determines where the NAS device is located by checking its language settings and exits if the device appears to be in certain Commonwealth of Independent States (CIS) countries such as Ukraine, Belarus, and Russia. eCh0raix encrypts documents, text files, PDF files and databases, as well as multimedia files.

The ransomware demands a ransom of 0.05 to 0.06 bitcoin (around US$567 as of July 11, 2019), paid via a Tor-hosted site, in exchange for the decryption key. BleepingComputer has reported that decryptors appear to be available for Windows and macOS. Affected QNAP NAS models include the QNAP TS-251, TS-451, TS-459 Pro II, and TS-253B.

Experts have not been able to determine the exact infection vector, but reports on the BleepingComputer forums indicate that the infected NAS devices were missing recent patches and used weak passwords. The actors behind eCh0raix are believed to brute-force credentials and exploit known vulnerabilities in the specific NAS models they target. The researchers also found that eCh0raix, unlike run-of-the-mill ransomware, is designed for targeted attacks: the offline variant embeds a hard-coded encryption key for a particular target, with a decryption key uniquely assigned to each such key.

Targeted ransomware attacks

eCh0raix is not the first ransomware family to hit NAS devices, but it is a file-encrypting threat built specifically for them. Although overall ransomware activity declined in 2019, targeted ransomware attacks were very much in the news. LockerGoga cost Norsk Hydro about $40 million, Ryuk was used to disrupt newspaper printing in the United States, and a ransomware attack on Baltimore suspended some city services at an estimated cost of $18.2 million.

Many threats prey on insecure systems; in the case of eCh0raix, the openings are weak passwords and unpatched vulnerabilities. Anomali researchers, using Internet scanning data, found more than 19,000 QNAP NAS devices in the United States directly exposed to the Internet. NAS devices are generally not covered by anti-malware solutions, which makes them attractive targets.

Protecting NAS devices

QNAP Systems, the NAS vendor targeted by eCh0raix, has published recommendations for preventing ransomware, such as enabling the QNAP snapshot feature, which can back up and restore files. To further reduce the risk of attacks on NAS devices, users and businesses should apply best practices, including:

  • Update the NAS firmware to fix exploitable vulnerabilities, change the default credentials, and enforce proper authentication and authorization for access to the device.
  • Make sure other systems and devices connected to or integrated with the NAS, including routers, are also kept up to date.
  • Apply the principle of least privilege: enable features or components only when necessary, and reach the NAS over a VPN rather than exposing it directly to the Internet.
  • Enable the built-in security features of the NAS. For example, QNAP's network access protection feature blocks sources that repeatedly fail to log in, which stops brute-force attacks and similar abuse.
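The last recommendation is worth understanding in terms of what it actually does: count failed logins per source within a sliding time window and block the source once a threshold is crossed. The following is an added example of that logic, not QNAP's code and not a real QNAP log format; the log lines are constructed for the example, with a fast SSH brute-force source and a slow, spread-out one so the limitation of a threshold-based block is visible.

```python
"""Sliding-window failed-login detector (added example, not vendor code).

Models what a NAS "network access protection" feature does: once a source
produces `max_failures` failed logins inside `window_seconds`, flag it.
The log layout below is invented for this example; a real QNAP log will
need its own regex.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict

# Constructed sample lines. 203.0.113.7 hammers SSH in seconds;
# 192.0.2.10 fails once every 20 minutes (same count, much slower).
SAMPLE_LOG = """\
2019-07-11T10:00:01 nas01 login: FAILED user=admin src=203.0.113.7 proto=ssh
2019-07-11T10:00:03 nas01 login: FAILED user=admin src=203.0.113.7 proto=ssh
2019-07-11T10:00:04 nas01 login: FAILED user=root src=203.0.113.7 proto=ssh
2019-07-11T10:00:06 nas01 login: FAILED user=admin src=203.0.113.7 proto=ssh
2019-07-11T10:00:08 nas01 login: FAILED user=admin src=203.0.113.7 proto=ssh
2019-07-11T10:00:09 nas01 login: OK user=alice src=192.0.2.10 proto=https
2019-07-11T10:02:00 nas01 login: FAILED user=alice src=192.0.2.10 proto=https
2019-07-11T10:20:00 nas01 login: FAILED user=alice src=192.0.2.10 proto=https
2019-07-11T10:40:00 nas01 login: FAILED user=alice src=192.0.2.10 proto=https
2019-07-11T11:00:00 nas01 login: FAILED user=alice src=192.0.2.10 proto=https
2019-07-11T11:20:00 nas01 login: FAILED user=alice src=192.0.2.10 proto=https
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ login: (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)"
)


def find_bruteforce_sources(
    log_text: str, max_failures: int = 5, window_seconds: int = 300
) -> Dict[str, datetime]:
    """Return {source_ip: time the threshold was first crossed}.

    Keeps, per source, a deque of failure timestamps no older than the
    window; a source is flagged the moment the deque holds max_failures
    entries. Successful logins are ignored rather than resetting the
    count, so a guess that eventually succeeds is still reported.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, datetime] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "FAILED":
            continue
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]
        q = recent[src]
        q.append(ts)
        # Drop failures that have aged out of the window.
        while q and ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) >= max_failures and src not in flagged:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    for src, when in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"block {src}: {when.isoformat()}")
```

With the defaults (5 failures in 5 minutes) only the fast source is flagged; the slow source never has five failures inside any window and walks straight through. That is why the list above pairs lockout with VPN-only access and non-default credentials: a threshold stops noisy tools, not a patient attacker.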

Also, Read:

Data Resolution LLC Battles Ryuk Ransomware Attack

Ryuk Ransomware – Too Early to Predict The Actors

Top 5 Encryption Software to Securely Encrypt Your Files in the Cloud


Emsisoft released a free decryptor for the Ims00rry ransomware

Security experts at Emsisoft have released a new decryptor that victims of the Ims00rry ransomware can use, free of charge, to recover their files.

The Ims00rry ransomware uses the AES-128 algorithm for encryption. Unlike most ransomware, Ims00rry does not append an extension to the names of encrypted files; instead, it prepends the text “—shlangan AES-256—” to the file contents. The malware authors ask victims to contact them through the Telegram bot @Ims00rybot.

The crooks demand a $50 ransom in Bitcoin to decrypt the files.

Below the text of the ransom note:

I am sorry!!!
My friend. I want to start my own business, but i have no money.
All your files photos, databases, documents and other important are encrypted with strongest encryption and algorithms RSA 4096, AES-256.
If you want to restore your files payment and write to Telegram bot
Price decrypt software is $50.
Do not rename or move the encrypted files.
Bitcoin wàllet:

Contact Telegram bot:

Emsisoft has also released a detailed usage guide for the decryptor, available here.
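Because Ims00rry leaves filenames untouched, a responder cannot find the encrypted files by extension; the only reliable signal the page gives is the marker text prepended to the content. The script below is an added example of a content-based triage scan, not Emsisoft's tool. It keys on the ASCII core of the marker (`shlangan AES-256`) within the first 64 bytes, because the exact byte encoding of the surrounding dashes in real samples is an assumption here; the sample files it creates are constructed, not real ransomware output. Note also that the ransom note's claim of RSA-4096 and AES-256 does not match the AES-128 the analysis reports, which is a reminder not to take a note's crypto claims at face value when deciding whether recovery is possible.

```python
"""Content-based triage scan for Ims00rry-style encrypted files.

Added example, not Emsisoft's decryptor. The marker core is taken from the
page; the dash bytes around it are not relied on (assumption: they may be
encoded differently in real samples).
"""
import os
import tempfile
from pathlib import Path
from typing import List, Tuple

MARKER_CORE = b"shlangan AES-256"
HEADER_BYTES = 64  # enough to cover the marker plus any surrounding dashes


def has_ims00rry_marker(data: bytes) -> bool:
    """True if the marker sits in the leading bytes of a file's content."""
    return MARKER_CORE in data[:HEADER_BYTES]


def scan_tree(root: Path) -> List[Tuple[Path, int]]:
    """Walk root; return (path, marker_offset) for every flagged file.

    Only the first HEADER_BYTES of each file are read, so a large volume
    can be triaged quickly and a file that merely mentions the string
    further down is not a hit.
    """
    hits: List[Tuple[Path, int]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                with p.open("rb") as fh:
                    head = fh.read(HEADER_BYTES)
            except OSError:
                continue  # unreadable file: log it in a real triage run
            if has_ims00rry_marker(head):
                hits.append((p, head.find(MARKER_CORE)))
    return hits


# Constructed sample data (assumption: UTF-8 em dashes around the core).
EM_DASH = "\u2014".encode("utf-8")
SAMPLE_MARKER = EM_DASH + MARKER_CORE + EM_DASH


def make_demo_tree(root: Path) -> None:
    """Create two 'encrypted' files, one clean file, one near-miss."""
    (root / "docs").mkdir()
    (root / "docs" / "report.docx").write_bytes(SAMPLE_MARKER + bytes(range(256)))
    (root / "photo.jpg").write_bytes(SAMPLE_MARKER + b"\x00" * 128)
    (root / "notes.txt").write_bytes(b"plain text, untouched\n")
    # Mentions the marker, but far past the header: must NOT be flagged.
    (root / "readme.md").write_bytes(b"x" * 100 + MARKER_CORE)


def demo_scan() -> List[str]:
    """Build the constructed tree in a temp dir and return flagged names."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_demo_tree(root)
        return sorted(p.name for p, _ in scan_tree(root))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, off in scan_tree(Path(sys.argv[1])):
            print(f"{path}  marker at byte {off}")
    else:
        print("demo:", demo_scan())
```

Run it with a directory argument to scan a real share; without one it scans the constructed tree. The flagged list is the input you would hand to the vendor decryptor; the scan itself changes nothing on disk.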


In May, Emsisoft experts released free decryptor tools for two other threats, JSWorm 2.0 and GetCrypt.

Pierluigi Paganini

(SecurityAffairs – ransomware, malware)

The post Emsisoft released a free decryptor for the Ims00rry ransomware appeared first on Security Affairs.