Daily Archives: November 13, 2020

Weekly Update 217

Weekly Update 217

This week's update had a load of questions so even whilst the planned content didn't consume a lot of time, audience engagement was great and I appreciate all the input. The big excitement for me was that Ubiquiti doorbell and whilst that might seem like a small thing, I'm absolutely loving it and the ability to answer it from anywhere whilst also integrating it into Home Assistant and triggering events like Sonos text to speech is really cool. Check it out in the links below or here me talk about it in the video, it rocks 😎

Weekly Update 217
Weekly Update 217
Weekly Update 217
Weekly Update 217


  1. My (ISC)² award arrived! (it's a beautiful piece I'm very humbled to have received)
  2. I killed some time messing with an SEO spammer (what do you mean Troy Hunt sucks?!)
  3. The Reply All episode I referred to is number 102, Long Distance (this is where they track down a Windows virus scam operator by travelling to India)
  4. I loaded a bunch more data breaches into HIBP (and there's still a big backlog I'm working through)
  5. I finally got my Ubiquiti doorbell installed (this is a really nice unit, plus the Sonos integration is pretty cool 😎)
  6. Sponsored by: Orca Security. Watch Cloud Security Punch-Out! Showdowns w/ Palo Alto Networks, Qualys & More. What our competition doesn’t want you to see.

New TroubleGrabber malware targets Discord users

TroubleGrabber is a recently discovered credential stealer that spreads via Discord attachments and uses Discord webhooks to exfiltrate data

Netskope security researchers have spotted a new credential stealer dubbed TroubleGrabber that spreads via Discord attachments and uses Discord webhooks to transfer stolen data to its operators.

The malware the same functionalities used by other malware that target Discord gamers, like AnarchyGrabber, but it appears to be the work of different threat actors. TroubleGrabber was developed by an individual named “Itroublve” and is currently used by multiple threat actors.

This malware is distributed via drive-by download, it is able to steal web browser tokens, Discord webhook tokens, web browser passwords, and system information. The malware sends information back to the attacker via webhook as a chat message to his Discord server.

The malware was distributed via Discord in 97.8% of detected infections, “with small numbers distributed via anonfiles.com and anonymousfiles.io, services that allow users to upload files anonymously and free for generating a public download link.”

The info stealer was also distributed among Discord users from over 700 different Discord server channel IDs.

Netskope researchers discovered TroubleGrabber in October 2020 while analyzing Discord threats.

The experts identified more than 5,700 public Discord attachment URLs hosting malware.

“In October 2020 alone, we identified more than 5,700 public Discord attachment URLs hosting malicious content, mostly in the form of Windows executable files and archives. At the same time, we scanned our malware database for samples containing Discord URLs used as next stage payloads or C2’s.” reads the report published by NetSkope.

“Figure 1 shows a breakdown of the top five detections of 1,650 malware samples from the same time period that were delivered from Discord and also contained Discord URLs.”

The TroubleGrabber attack kill chain leverages both Discord and Github as repository for next stage payloads that is downloaded to the C:/temp folder once a victim is infected with the malware.

TroubleGrabber payloads steal victims’ credentials, including system information, IP address, web browser passwords, and tokens.

“It then sends them as a chat message back to the attacker via a webhook URL.” continues the report.


NetSkope discovered that the author of the malware currently runs a Discord server with 573 members, and hosts next stage payloads and the malware generator’s on their public GitHub account.

OSINT analysis allowed the experts to identify the Discord server, Facebook page, Twitter, Instagram, website, email address, and a YouTube channel.

“Netskope Threat Labs have reported the attack elements of TroubleGrabber to Discord, GitHub, YouTube, Facebook, Twitter, and Instagram on November 10, 2020.” concluded the report.

“The Indicators Of Compromise (IOC’s) associated with TroubleGrabber is available on Github.”

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

The post New TroubleGrabber malware targets Discord users appeared first on Security Affairs.

Friday Squid Blogging: Underwater Robot Uses Squid-Like Propulsion

This is neat:

By generating powerful streams of water, UCSD’s squid-like robot can swim untethered. The “squidbot” carries its own power source, and has the room to hold more, including a sensor or camera for underwater exploration.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

How to Prevent Keyboard Snooping Attacks on Video Calls

How to Prevent Keyboard Snooping Attacks on Video Calls

Video conferencing has really taken off this year. With more people working and learning from home than ever before, video calling has rapidly become the mainstream method for remote communication, allowing users to stay connected. But very few may realize that they might be giving away their passwords on video calls through their body language. According to Tom’s Guide, call participants can guess a user’s passwords through the arm and shoulder movements they make while they type.

Let’s unpack how this threat works so you can continue to connect via video calls worry-free.

How Hackers Use Video Calls to Swipe Personal Data

Keyboard snooping, or a keyboard interference threat, occurs when an attacker is present on a video call and observes the target’s body and physiological features to infer what they are typing. To pull off this attack, the hacker would need to record the meeting or video stream and feed it through a computer program. This program eliminates the visual background and measures the user’s arm and shoulder movements relative to their face. From there, the program analyzes the user’s actions to guess which keys they are hitting on the keyboard – including passwords and other sensitive information.

So, how accurate is this program, anyway? While this shows that the program was only correct 20% of the time when subjects were on their own devices in an uncontrolled environment, the program’s accuracy increased to 75% if their password was one of the one million most commonly used passwords. And suppose the program already knew their email address or name. In that case, it could decipher when the target was typing this information during the video call (and when their password would immediately follow) 90% of the time. The less complex the target makes their password, the easier it is for the program to guess what they’re typing.

Stay Protected From Keyboard Snoopers

Keystroke inference attacks can have potentially dangerous effects, since the text typed can often contain sensitive or private information even beyond passwords, like credit card numbers, authentication codes, and physical addresses. It’s also important to note that any video conferencing tool or videos obtained from public video sharing/streaming platforms are susceptible to this attack.

Therefore, to prevent your meeting attendees from snooping on what you’re typing, follow these tips for greater peace-of-mind:

Create a robust and unique password

Avoid giving keyboard snoopers the upper hand by making your password or passphrase as unique as the information it’s protecting. If a hacker does manage to guess your password for one of your online accounts, they will likely check for repeat credentials across multiple sites. By using different passwords or passphrases for your online accounts, you can remain calm and collected knowing that the majority of your data is secure if one of your accounts becomes vulnerable.

Use multi-factor authentication

Two or multi-factor authentication provides an extra layer of security, as it requires multiple forms of verification like texting or emailing a secure code to verify your identity. Most popular online sites like Gmail, Dropbox, LinkedIn, Facebook, etc. offer multi-factor authentication, and it takes just a few minutes to set it up. This reduces the risk of successful impersonation by criminals who may have uncovered your information by keyboard snooping.

Leverage a password manager

Take your security to the next level with a password manager, like the one included in McAfee Total Protection. A password manager can help you create strong passwords, remove the hassle of remembering numerous passwords, and log you on to websites automatically.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

This study is from researchers at the University of Texas at San Antonio and the University of Oklahoma, so assuming it should be safe to use since its non-competitor but please let us know otherwise! [BH3]

The post How to Prevent Keyboard Snooping Attacks on Video Calls appeared first on McAfee Blogs.

Hacker stole $2 million worth of Dai cryptocurrency from Akropolis

Threat actors have stolen $2 million worth of Dai cryptocurrency from the cryptocurrency borrowing and lending service Akropolis.

Cryptocurrency borrowing and lending service Akropolis disclosed a “flash loan” attack, hackers have stolen roughly $2 million worth of Dai cryptocurrency.

The attack took place on November 12, in response to the attack the platform halted all the transactions to prevent hackers from stealing further funds.

The company immediately launched an investigation into the incident with the help of two forensics firms. The experts determined that the platform was hit with a “flash loan” attack.

Below the results of the investigation published by the company:

“There exist two bugs related to the Deposit flow:

  1. No check that tokens deposited are actually the ones registered in our contracts
  2. Re-entrance issue with “transferFrom” function which an attacker was able to exploit because of first bug”

Below the attack flow:

  • The hacker created a flash-loan to borrow funds then called SavingsModule.deposit() with fake token (his own contract 0xe2307837524db8961c4541f943598654240bd62f)
  • During “transferFrom” of this fake token, he executed another deposit with real 800k DAI borrowed from DyDx.
  • The balance of the pool was actually increased during the first deposit and as a result our PoolTokens were minted twice.
  • Thus he was able to withdraw almost double amount.

A Flash loan attack takes place when hackers loan funds from a DeFi platform and bypass the loan mechanism to steal funds using exploits.

Since February, researchers observed a growing number of load attacks, in October, a hacker stole approximately $24 million worth of cryptocurrency assets from decentralized finance service Harvest Finance,

According to the advisory, the stolen funds are currently held in the Ethereum wallet 0x9f26ae5cd245bfeeb5926d61497550f79d9c6c1c.

Akropolis notified major cryptocurrency exchanges about the attack and it is working to freeze the Ethereum account where the funds are stored.

The company announced it is planning to reimburse its users.

Pierluigi Paganini

(SecurityAffairs – hacking, Akropolis)

The post Hacker stole $2 million worth of Dai cryptocurrency from Akropolis appeared first on Security Affairs.

Inrupt’s Solid Announcement

Earlier this year, I announced that I had joined Inrupt, the company commercializing Tim Berners-Lee’s Solid specification:

The idea behind Solid is both simple and extraordinarily powerful. Your data lives in a pod that is controlled by you. Data generated by your things — your computer, your phone, your IoT whatever — is written to your pod. You authorize granular access to that pod to whoever you want for whatever reason you want. Your data is no longer in a bazillion places on the Internet, controlled by you-have-no-idea-who. It’s yours. If you want your insurance company to have access to your fitness data, you grant it through your pod. If you want your friends to have access to your vacation photos, you grant it through your pod. If you want your thermostat to share data with your air conditioner, you give both of them access through your pod.

This week, Inrupt announced the availability of the commercial-grade Enterprise Solid Server, along with a small but impressive list of initial customers of the product and the specification (like the UK National Health Service). This is a significant step forward to realizing Tim’s vision:

The technologies we’re releasing today are a component of a much-needed course correction for the web. It’s exciting to see organizations using Solid to improve the lives of everyday people — through better healthcare, more efficient government services and much more.

These first major deployments of the technology will kick off the network effect necessary to ensure the benefits of Solid will be appreciated on a massive scale. Once users have a Solid Pod, the data there can be extended, linked, and repurposed in valuable new ways. And Solid’s growing community of developers can be rest assured that their apps will benefit from the widespread adoption of reliable Solid Pods, already populated with valuable data that users are empowered to share.

A few news articles. Slashdot thread.

Threat Roundup for November 6 to November 13

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between November 6 and November 13. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More


20201113-tru.json  – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Now’s the time to build the digital workplace of tomorrow

Business leaders know hesitation isn’t an option, so when confronted with a global crisis most were quick to adapt to new realities. But the job of turning a company into a sleek digital operation is ongoing, and now is not the time to sit back. In most predictions about the future of business, technology is…

The post Now’s the time to build the digital workplace of tomorrow first appeared on IT World Canada.

Harry Rosen brings its personalized in-store experience online

Can a high-end retailer offer a digital customer experience that matches the personalized service it’s known for in-store? Can a decades-old company undergo digital transformation and stay true to who they are? Harry Rosen did just that, with the help of IBM Cloud and Kubernetes. Founded in 1954, the high-end Canadian men’s clothing retailer is…

The post Harry Rosen brings its personalized in-store experience online first appeared on IT World Canada.

Nation-State Attackers Actively Target COVID-19 Vaccine-Makers

Three major APTs are involved in ongoing compromises at pharma and clinical organizations involved in COVID-19 research, Microsoft says.

Under Analytics

Back when network management was booming in the early 90’s, the whole idea seemed straightforward. System administrators would speak of endpoints on the network as being “under management” or conversely “unmanaged.” There seemed to be a place for everything and looking back now at those times, enterprises seemed so simple compared to today. Maybe simple is not the right term, maybe they just seemed more orderly compared to the modern network landscape.

At some point, hackers showed up and names like “under management” or “unmanaged network elements” made little difference to them. I remember security folks in the early days joking that SNMP (Simple Network Management Protocol) stood for “Security Not My Problem.” An insecure network meant that you had an insecure business! The experienced security architect knows that whether the system is under management, under someone else’s management, or completely unmanaged, if that system is part of the business, it is still their job to secure it. To put it another way, while management of systems can span certain, more specific information systems, security must always be as wide as the business.

I would like to suggest a new term and concept for our vocabulary and that is “under analytics.” I like to think of this as a conceptual means to discuss if areas of your digital business have enough visibility for continuous monitoring of its integrity. Why not just call it “under management?” Well, because more and more these days, you are NOT the one managing that area of the network. It might be the cloud service provider managing it, but it is still your problem if something gets hacked. You could even then speak of observable domains as having certain requirements that satisfy the type of analytics you would like to perform.

There are many types of observational domains to consider so let’s talk about some here. Back in the day, there was just your enterprise network. Then when folks connected to the internet, the concepts of internal and external and even the DMZ networks were referenced as observable network domains. These days, you have to deal with public cloud workloads, Kubernetes clusters, mobile devices, etc. Let’s just say that you can speak of having any amount of observable domains for which you require telemetry that will get you the visibility required to detect the most advanced threat actors in those domains.

For each of these observable domains, there will need to be telemetry. Telemetry is the data that represents changes in that domain that feeds your behavioral analytics outcomes. You could make a list of the competency questions you would want to answer from these analytical outcomes.

  • Are there any behaviors that suggest my systems have been compromised?
  • Are there any behaviors that suggest some credential has been compromised?
  • Are there any behaviors to suggest there is a threat actor performing recognizance?

My suggestion is that you begin with these questions and then hold security analytics to them to see if they are competent to answer them daily, weekly, monthly, etc.

From there, you can go one step further and start to consider and look into scenarios like the following:

  • We have a new partner network, is it “under analytics?”
  • We have a new SaaS service, is it “under analytics?”
  • This company has a new cloud deployment, do we know if it is “under analytics?”
  • What part of our digital busines is not “under analytics?”

How well do you know your digital business behavior when it is 100% without compromise? How would you even go about answering this? The truth is, you really do need to get to this level because if you don’t, threat actors will. Even if parts of the business use SaaS products, while parts of the network are using Infrastructure as a Service (IaaS), you can still set the requirements that there must be a sufficient amount of telemetry and analytics that help you understand the answers to these questions above. Your business must always remain “Under analytics” and only then will you be one step ahead of your attackers.

To learn more, visit the Cisco Secure Network Analytics webpage.

ICE Operation Arrests 113 Child Predators

ICE Operation Arrests 113 Child Predators

A joint operation by Brazil and the United States has led to the arrest of 113 people suspected of producing child sexual abuse material (CSAM) and sharing it online. 

US Immigration and Customs Enforcement (ICE) Homeland Security Investigations (HSI) and the Brazil Ministry of Justice and Public Security (MJSP) Secretariat for Integrated Operation (SEOPI) Cyber Laboratory made the arrests across the US and South America between November 2 and November 6 as part of Operation Protected Childhood's seventh phase.

OPC VII, which simultaneously targeted the distributors and producers of CSAM throughout the Americas, was conducted across multiple ICE HSI domestic field offices and executed in coordination with the agency's Cyber Crimes Center (C3) and with law enforcement counterparts in Brazil, Argentina, Paraguay, and Panama.

In the United States, HSI offices in Pennsylvania, North Carolina, Tennessee, California, Colorado, and Florida executed 13 child exploitationrelated search warrants and made nine arrests for child exploitation offenses.

HSI Raleigh and the Cary Police Department made an arrest on November 6 after receiving a lead from C3 that the suspect was posting CSAM in chat rooms on the social media app Kik. Forensics uncovered hundreds of indecent images of minors, including some naked photographs of the suspect's own children. 

In Brownsville, Pennsylvania, a search warrant was executed regarding the possession and distribution of CSAM following information supplied by Kik Inc that a suspect had used its site to share indecent images of children.  

In Florida's Panama City, a suspect was arrested by Lynn Haven Police Department following a tip from the National Center for Missing and Exploited Children that CSAM was being distributed via Facebook's Messenger app.

Information supplied by Twitter and HSI McAllen, Texas, led to the execution of a search warrant for possession and distribution of CSAM in West Hills, California, where a suspect had allegedly used Twitter's direct messaging to share sexually explicit images of children.

OPC was launched in March 2015 by HSI Brazil in partnership with Brazil's MJSP Cyber Lab to increase the effectiveness of investigations into online child exploitation.  Since 2017, the operation has resulted in 781 arrests, 1,383 executed search warrants, and the rescue of dozens of minor victims.

Announcing our open source security key test suite

Security keys and your phone’s built-in security keys are reshaping the way users authenticate online. These technologies are trusted by a growing number of websites to provide phishing-resistant two-factor authentication (2FA). To help make sure that next generation authentication protocols work seamlessly across the internet, we are committed to partnering with the ecosystem and providing essential technologies to advance state-of-the-art authentication for everyone. So, today we are releasing a new open source security key test suite

The protocol powering security keys

Under the hood, roaming security keys are powered by the FIDO Alliance CTAP protocols, the part of FIDO2 that ensures a seamless integration between your browser and security key. Whereas the security-key user experience aims to be straightforward, the CTAP protocols themselves are fairly complex. This is due to the broad range of authentication use cases the specification addresses: including websites, operating systems, and enterprise credentials. As the protocol specification continues to evolve—there is already a draft of CTAP 2.1—corner cases that can cause interoperability problems are bound to appear.

Building a test suite  

We encountered many of those tricky corner cases while implementing our open-source security-key firmware OpenSK and decided to create a comprehensive test suite to ensure all our new firmware releases handle them correctly. Over the last two years, our test suite grew to include over 80 tests that cover all the CTAP2 features.

Strengthening the ecosystem 

A major strength of the security key ecosystem is that the FIDO Alliance is an industry consortium with many participating vendors providing a wide range of distinct security keys catering to all users' needs. The FIDO Alliance offers testing for conformance to the current specifications. Those tests are a prerequisite to passing the interoperability tests that are required for a security key to become FIDO Certified. Our test suite complements those official tools by covering additional scenarios and in-market corner cases that are outside the scope of the FIDO Alliance’s testing program.

Back in March 2020, we demonstrated our test suite to the FIDO Alliance members and offered to extend testing to all FIDO2 keys. We got an overwhelmingly positive response from the members and have been working with many security key vendors since then to help them make the best use of our test suite.

Overall, the initial round of the tests on several keys has yielded promising results and we are actively collaborating with many vendors on building on those results to improve future keys.

Open-sourcing our test suite 

Today we are making our test suite open source to allow security key vendors to directly integrate it into their testing infrastructure and benefit from increased testing coverage. Moving forward, we are excited to keep collaborating with the FIDO Alliance, its members, the hardware security key industry and the open source community to extend our test suite to improve its coverage and make it a comprehensive tool that the community can rely on to ensure key interoperability. In the long term, it is our hope that strengthening the community testing capabilities will ultimately benefit all security key users by helping ensure they have a consistent experience no matter which security keys they are using.


We thank our collaborators: Adam Langley, Alexei Czeskis, Arnar Birgisson, Borbala Benko, Christiaan Brand, Dirk Balfanz, Guillaume Endignoux, Jeff Hodges, Julien Cretin, Mark Risher, Oxana Comanescu, Tadek Pietraszek and all the security key vendors that worked with us.

Ticketmaster Fined £1.25m Over Data Breach

Ticketmaster Fined £1.25m Over Data Breach

A British ticketing company has been financially penalized over a 2018 data breach that exposed the personal information of millions of customers across Europe. 

The Information Commissioner’s Office (ICO) has fined Ticketmaster UK Limited £1.25m for failing to keep its customers’ personal data secure.

Ticketmaster issued a data breach notice in June 2018 after a third-party platform provider Inbenta Technologies was infected with malicious software. 

The malware, which was detected on a customer support product, exfiltrated customer data and passed it on to an unknown attacker. 

Information compromised in the incident included names, addresses, emails, telephone numbers, payment card numbers, expiry dates, CVV numbers, and Ticketmaster login details of as many as 11 million Ticketmaster customers in Europe and the United Kingdom.

An investigation into the incident by the ICO found that Ticketmaster violated the General Data Protection Regulation by failing to put "appropriate security measures in place to prevent a cyber-attack on a chat-bot installed on its online payment page."

The breach, which began in February 2018, was discovered after Monzo Bank customers reported fraudulent transactions. 

"The Commonwealth Bank of Australia, Barclaycard, Mastercard and American Express all reported suggestions of fraud to Ticketmaster," said the ICO, "but the company failed to identify the problem."

Investigators found that Ticketmaster only started monitoring the network traffic through its online payment page nine weeks after being alerted to possible fraud.

Investigators found that the breach caused 60,000 payment cards belonging to Barclays Bank customers to be used fraudulently. Another 6,000 cards belonging to Ticketmaster customers were replaced by Monzo Bank over suspected fraudulent use.

“A key point from this case is that the data compromised was not submitted to the chat bot itself, but to pages on which the chat bot was embedded, which hackers were then able to scrape through exploiting the chat bot," commented Emma Erskine-Fox, associate at UK law firm TLT.

“When assessing the risks of processing personal data using software embedded into websites, organizations should therefore consider not just what data might be submitted to that particular software, but how any vulnerabilities might affect data submitted on other areas of the website.”

New Center Supports Rail Cybersecurity

New Center Supports Rail Cybersecurity

An international construction engineering and mobility services company is joining forces with a software business to launch a new center that aims to protect the cybersecurity of the railway industry.

The new partnership between France-based Egis Group and Israeli tech company Cylus was announced today along with their plan to construct a Center for Excellence for advanced, rail-focused cybersecurity services.

Built in line with standards (IEC 62443), the Center will deliver a wide array of advanced security solutions and services to customers worldwide. The aim of this new resource is to support railway companies in all aspects of cybersecurity, from development of strategy and risk identification of cyber-risks through to detection and incident response.

Cylus was founded in 2017 with the mission to help mainline and urban railway companies avoid safety incidents and service disruptions caused by cyber-attacks. Leading the company is a team of former executives in the railway industry and veterans from the Israel Defense Forces’ Elite Technological Unit.

“We are thrilled to establish a partnership with Egis, which has decades of experience in providing mobility services around the globe," said Amir Levintal, CEO of Cylus.

“This partnership strengthens our capabilities to provide end-to-end support to rail organizations in meeting the specter of cyber threats. Our joint services are designed specifically for the railway industry and will enable our customer to focus on their day-to-day operations, business, and growth, leaving their cyber-defense management to our security experts. We are certain that this partnership will drive the rail industry towards a cyber-safe future.”

Egis, a 75%-owned subsidiary of Caisse des Dépôts, which had a turnover of €1.22bn in 2019, cut its rail-sector teeth on the introduction of France's first high-speed rail links. 

“We are excited to collaborate with Cylus, the leading rail cybersecurity company. Joining forces enables us to provide our customers, unique domain expertise as well as cutting-edge cybersecurity know-how and best practices," said Olivier Bouvart, executive director rail at Egis.

“We decided to take action and be proactive in supporting our customers by preparing them for the growing risk of cyber threats.”

Pandemic pressures mounting for IT leaders

Canadian IT leaders say they’re feeling the stress of juggling IT issues brought on by the pandemic and the need to move forward on strategic plans. “The world has changed so drastically and paradigms we used even a year ago have been thrown out the window,” said Jack Lumley, National Sales Manager Networking with Citrix…

The post Pandemic pressures mounting for IT leaders first appeared on IT World Canada.

NIST Vehicle Teleoperation Forum

Join NIST on Friday, November 13, 2020 for a full day virtual forum designed to bring leaders industry, academia, and government agencies to discuss the challenges, opportunities, and potential paths forward in vehicle teleoperation. The forum presenters will present their views on the future of automated driving and vehicle teleoperation, the roles of cloud computing and 5G in vehicle teleoperation, and the key challenges to be addressed.

Hashtag Trending – YouTube goes down for the count; New device puts music in your head; Arm-based MacBook Air speed controversy

YouTube experiences widespread technical problems playing videos, a new device can apparently inject the music into your head without headphones, and the internet argues over how fast the new Arm-based Macbook Air really is.

The post Hashtag Trending - YouTube goes down for the count; New device puts music in your head; Arm-based MacBook Air speed controversy first appeared on IT World Canada.

Coffee Briefing, November 13, 2020 – MFA tips from Microsoft, news from OVHcloud and Google, and a new privacy bill

MFA warning from Microsoft, news from OVHcloud and Google, and ISED is set to enact the Consumer Privacy Protection Act.

The post Coffee Briefing, November 13, 2020 - MFA tips from Microsoft, news from OVHcloud and Google, and a new privacy bill first appeared on IT World Canada.

This Week in Security News: Ransomware Gang is Raking in Tens of Millions of Dollars and Microsoft Patch Tuesday Update Fixes 17 Critical Bugs

Welcome to our weekly roundup, where we share what you need to know about cybersecurity news and events that happened over the past few days. This week, learn about a ransomware group that walked away with 2,200 Bitcoin: More than $33 million based on the current Bitcoin exchange rate. Also, read about this month’s Patch Tuesday security updates from Microsoft, including patches for 112 vulnerabilities.


Read on:

Microsoft Patch Tuesday Update Fixes 17 Critical Bugs

Microsoft’s November Patch Tuesday roundup of security fixes tackled an unusually large crop of remote code execution (RCE) bugs. Twelve of Microsoft’s 17 critical patches were tied to RCE bugs. In all, 112 vulnerabilities were patched by Microsoft, with 93 rated important, and two rated low in severity. In this article, ZDI’s Dustin Childs shares his thoughts on Microsoft’s removal of descriptions from CVE overviews.

An Old Joker’s New Tricks: Using Github to Hide Its Payload

Trend Micro detected a new Joker malware version on a sample on Google Play, which utilizes Github pages and repositories in an attempt to evade detection. The app promised wallpapers in HD and 4K quality and was downloaded over a thousand times before it was removed from the Play Store by Google after being reported as malicious.

NETGEAR Router, WD NAS Device Hacked on First Day of Pwn2Own Tokyo 2020

Due to the coronavirus pandemic, this year’s Pwn2Own Tokyo was turned into a virtual event coordinated by ZDI from Toronto, Canada. On the first day of the event, the NETGEAR Nighthawk R7800 router, Western Digital My Cloud Pro series PR4100 NSA device and Samsung Smart TV were targeted and $50,000 was awarded among teams STARLabs, Trapa Security and Team Flashback.

Developing Story: COVID-19 Used in Malicious Campaigns

As the number of those afflicted with COVID-19 continues to surge by thousands, malicious campaigns that use the disease as a lure likewise increase. In this report, Trend Micro researchers share samples on COVID-19 related malicious campaigns. The report also includes detections from other researchers.

IoT Security is a Mess. These Guidelines Could Help Fix That

The supply chain around the Internet of Things (IoT) has become the weak link in cybersecurity, potentially leaving organizations open to cyberattacks via vulnerabilities they’re not aware of. However, new guidelines from the European Union Agency for Cybersecurity (ENISA) aims to ensure that security forms part of the entire lifespan of IoT product development.

US Department of Energy Launches New Program for Technology Security Managers

The US Department of Energy (DOE) recently launched the Operational Technology (OT) Defender Fellowship. Another milestone from the Department in enhancing the US’s critical infrastructure. In collaboration with DOE’s Idaho National Laboratory (INL) and the Foundation for Defense of Democracies’ (FDD) Center for Cyber and Technology Innovation (CTTI), the OT Defender Fellowship hopes to expand the knowledge of primary US front-line critical infrastructure defenders.

Ransomware Gang is Raking in Tens of Millions of Dollars

A ransomware organization has raked in tens of millions of dollars, according to a new report. The organization, identified as group “One,” walked away with 2,200 Bitcoin, according to a report by Advanced Intelligence. That’s more than $33 million based on the current Bitcoin exchange rate.

CISA Braces for 5G with New Strategy, Initiatives

The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released its 5G Strategy, ensuring the federal government and its many states, local, tribal, territorial, and private sector partners are secure as when the 5G technology arrives. The agency’s document hoped to expand on how the US government would secure 5G infrastructure both in the country and abroad.

Hacker-for-Hire Group Targeting South Asian Organizations

There’s a new cyber mercenary group on the block, and they’re going after targets in more than a dozen countries globally, according to a BlackBerry research report. The hack-for-hire shop, which BlackBerry is calling “CostaRicto,” has largely gone after targets in South Asia, especially in India, Bangladesh and Singapore. Some of its targeting was also located in Africa, the Americas, Australia and Europe.

Defense in Depth, Layered Security in the Cloud

In this blog, Trend Micro’s vice president of cybersecurity, Greg Young, discusses the evolution of network security into how it manifests itself today, how network security has looked up until now, how the future of network security looks and why security teams need layered protection in the cloud.

Surprised by Microsoft’s decision to remove the description section from Patch Tuesday bulletins?  Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Ransomware Gang is Raking in Tens of Millions of Dollars and Microsoft Patch Tuesday Update Fixes 17 Critical Bugs appeared first on .

Shutterstock Adds Single Sign-On Integration to its Platform

Shutterstock Adds Single Sign-On Integration to its Platform

Creative content provider Shutterstock has announced the launch of turnkey single sign-on (SSO) integration on its platform to enhance security for its enterprise customers across the globe.

The tech company, which grants customer access to a database of 350+ million high-quality licensed images, videos and music tracks, said the new service can be set up in minutes.

The SSO is designed to eliminate password fatigue and speed up workflows by quickly and safely authenticating users across a number of digital platforms and identity management solutions.

Shutterstock said its SSO is now available to over 250,000 companies worldwide as it collaborates with industry-leading identity solutions providers such as Auth0, Microsoft’s Azure AD, Okta, OneLogin and Ping Identity.

“As teams navigate the challenges of working from home, having secure and centralized access to tools and platforms is essential to productivity,” said Alex Reynolds, Shutterstock vice-president and general manager of platform solutions. “The global rollout of SSO stems from our growing commitment to serve the rigorous and ever-changing needs of enterprise customers around the world.”

Cyber News Rundown: Flood of Phony IRS Emails

Reading Time: ~ 2 min.

Phony IRS Emails Flooding Inboxes

Upwards of 70,000 inboxes have been receiving spam claiming to be from the IRS threatening legal action for late or missing payments. Most recipients are Microsoft Office 365 users and have been receiving threats of lawsuits to, wage garnishment and even arrest. These spoofing scams have risen in popularity in recent years, but have mixed results since many users are familiar with the tactic.

Pakistani Airlines Network Access for Sale

Researchers found a listing for full admin access to the Pakistan International Airlines network on multiple dark web forums earlier this week. The current asking price is an incredibly low $4,000, considering the amount of information that could be used for malicious activities. The hackers claim to have 15 databases, each with many thousands of records, including passport data and other highly sensitive personal information on passengers and employees alike. It is believed that this group has been responsible for at least 38 other sales of network access in the past five months.

Zoom Enhances Security at Heed of FTC

Following a settlement with the FTC, the video communication service Zoom is being forced to upgrade its overall security after it was found that they weren’t implementing the end-to-end encryption the business touted. It was also discovered that encryption of recorded video calls often did not take place and regular security testing of security measures did not occur, endangering user privacy for personal video calls and chats.

Mashable Database Compromised

The online media outlet Mashable confirmed it had suffered a cyberattack on its systems, and that the attacker had already published some of the stolen data, this weekend. Fortunately, Mashable also confirmed the stolen data was from a system that was no longer in use. The company has also begun contacted affected customers and informing them to be wary of suspicious emails and to forward them to Mashable for further investigation.

Millions of RedDoorz Records for Sale

Roughly 5.8 million user records belonging to the hotel booking platform RedDoorz were found for sale on a hacker forum. These records were likely the the result of a cyberattack targeting RedDoorz in September, though the company firmly stated no financial information was compromised. After viewing a sample of the stolen data, however, it was discovered that a significant amount of extremely sensitive information belonging to customers who may have stayed at any of their 1,000 properties across Southeast Asia had been published.

The post Cyber News Rundown: Flood of Phony IRS Emails appeared first on Webroot Blog.

Successful Ransomware Attacks on Education Sector Grew 388% in Q3 2020

The number of successful ransomware attacks on the education sector increased 388% in the third quarter of 2020. According to Emsisoft, the education sector reported 31 ransomware incidents in Q3 2020. That’s a 388% increase over the 8 incidents that occurred in the previous quarter. Nine of the 31 ransomware attacks disclosed in the third […]… Read More

The post Successful Ransomware Attacks on Education Sector Grew 388% in Q3 2020 appeared first on The State of Security.

New Zealand Election Fraud

It seems that this election season has not gone without fraud. In New Zealand, a vote for “Bird of the Year” has been marred by fraudulent votes:

More than 1,500 fraudulent votes were cast in the early hours of Monday in the country’s annual bird election, briefly pushing the Little-Spotted Kiwi to the top of the leaderboard, organizers and environmental organization Forest & Bird announced Tuesday.

Those votes — which were discovered by the election’s official scrutineers — have since been removed. According to election spokesperson Laura Keown, the votes were cast using fake email addresses that were all traced back to the same IP address in Auckland, New Zealand’s most populous city.

It feels like writing this story was a welcome distraction from writing about the US election:

“No one has to worry about the integrity of our bird election,” she told Radio New Zealand, adding that every vote would be counted.

Asked whether Russia had been involved, she denied any “overseas interference” in the vote.

I’m sure that’s a relief to everyone involved.

Cyber Security Today – Data breach at Animal Jam, warnings to Minecraft users and Oracle point of sale admins, and login advice from Microsoft

Today's podcast reports on a large data breach at kid's online game Animal Jam, warnings to Minecraft users about fleeceware, Oracle point of sale administrators urged to patch and 2FA login advice from Microsoft

The post Cyber Security Today - Data breach at Animal Jam, warnings to Minecraft users and Oracle point of sale admins, and login advice from Microsoft first appeared on IT World Canada.

Data Breach Hits 28 Million Texan Drivers

Data Breach Hits 28 Million Texan Drivers

A breach at an insurance software company has resulted in the compromise of 27.7 million personal and driver’s license details in Texas.

Vertafore claimed in a notification this week that, due to human error, three files were stored in an unsecured third-party service which was subsequently accessed without authorization.

The firm was unable to say exactly when this happened — only that it occurred at some point between March 11 and August 1.  Vertafore has told Infosecurity that the customer notice was delayed at law enforcement’s request.

Vertafore said that, upon discovering the breach, it immediately secured the files and engaged the help of an outside consultancy to investigate further, as well as law enforcement. The firm didn’t itself detect the breach but had to be notified by a “trusted third party."

“The files, which included driver information for licenses issued before February 2019, contained Texas driver license numbers, as well as names, dates of birth, addresses and vehicle registration histories,” it explained.

“They did not contain any Social Security numbers or financial account information. No information misuse has been identified. No customer data or any other data — including partner, vendor or other supplier data — or systems hosted for them were impacted. Additionally, no Vertafore system vulnerabilities were identified.”

Vertafore is offering affected customers free credit monitoring and identity restoration services for a year.

The firm said in its FAQs that “we are not aware of any way this information could be used to commit fraud.” However, there is certainly ample opportunity for cyber-criminals to launch convincing follow-on phishing attacks using the personal and driver’s license details compromised.

The North Face resets passwords after credential-stuffing attack

An undisclosed number of customers of outdoor clothing retailer The North Face have had their passwords reset by the company, following a credential-stuffing attack. The company has revealed that on October 9, 2020, it became aware that hackers had used usernames and passwords stolen from a third-party website to gain unauthorised access to customer accounts. […]… Read More

The post The North Face resets passwords after credential-stuffing attack appeared first on The State of Security.

Credential Stuffers Scaled The North Face to Access Accounts

Credential Stuffers Scaled The North Face to Access Accounts

Outdoor clothing giant The North Face has notified customers that it has been hit by a credential stuffing attack which may have given third parties access to their personal information.

In a data breach notice filed with the Californian Office of the Attorney General (OAG), the San Francisco-headquartered firm claimed that the brute force attack had been launched against its site on October 8-9.

A credential stuffing attack occurs when cyber-criminals use automated software to try previously breached log-ins across a large range of sites: they’ll be able to access accounts where the individual has reused their password.

Fortunately, The North Face uses tokenization to obfuscate customer card details, but customers’ personal information  may have been accessed in the incident.

“Based on our investigation, we believe that the attacker obtained your email address and password from another source and may have accessed the information stored on your account at thenorthface.com, including products you have purchased on our website, products you have saved to your ‘favorites,’ your billing address, your shipping address(es), your VIPeak customer loyalty point total, your email preferences, your first and last name, your birthday (if you saved it to your account), and your telephone number (if you saved it to your account),” the noticed read.

As a precaution, the firm deleted all payment card tokens on the site, limited logins from suspicious sources and disabled all passwords from accounts compromised in the attack. Affected customers will need to create new passwords and re-enter payment card details, it said.

“We strongly encourage you not to use the same password for your account at thenorthface.com that you use on other websites, because if one of those other websites is breached, your email address and password could be used to access your account at thenorthface.com,” the notice continued.

“In addition, we recommend avoiding using easy-to-guess passwords. You should also be on alert for schemes, known as phishing attacks, where malicious actors may pretend to represent The North Face or other organizations, and you should not provide your personal information in response to any electronic communications regarding a cybersecurity incident.”

Retail accounted for over 90% of the 64 billion credential stuffing attempts detected by Akamai over the period July 1 2018 to June 30 2020.

Free tools from Recorded Future that can make you a security intelligence expert

Graham Cluley Security News is sponsored this week by the folks at Recorded Future. Thanks to the great team there for their support! There has never been a better time to be a cybercriminal. From extortion ransomware to cyberespionage campaigns, malicious hackers are capitalizing on uncertainty in 2020, causing chaos, and cashing in. The best … Continue reading "Free tools from Recorded Future that can make you a security intelligence expert"

CISA’s Krebs Set to be Fired in Blow for Security Community

CISA’s Krebs Set to be Fired in Blow for Security Community

The head of the US Cybersecurity and Infrastructure Security Agency (CISA) expects to become the latest high-profile public servant fired by outgoing President Donald Trump, according to reports.

Christopher Krebs is a widely respected figure with support from both sides of the political divide, who has served as the Department of Homeland Security (DHS) agency’s first head since 2018.

However, three sources familiar with the matter told Reuters that he has already informed associates he expects to be fired. His assistant director, Bryan Ware, has already been asked to leave his position and handed his resignation in yesterday, according to reports.

There are suggestions that the Trump administration is displeased at CISA’s Rumor Control service, which was set-up to debunk mis- and disinformation about the integrity of the election result. Many of the rumors the site has dismissed are being actively peddled by Trump and his allies in the Republican party.

“Under Chris Krebs’ leadership, CISA has been a trusted source of election security information. If Donald Trump fires him, it will suggest Trump is preparing to spread lies about the election from a government agency,” warned Democrat senator, Ron Wyden.

Mark Warner, another Democrat senator, praised Krebs for his role in protecting the country’s elections from misinformation.  

“He is one of the few people in this administration respected by everyone on both sides of the aisle. There is no possible justification to remove him from office. None,” he tweeted.

The news comes on the back of multiple sackings by Trump of high-profile officials, including defense secretary Mark Esper. CIA director, Gina Haspel’s fate is also said to be in the balance. The unprecedented moves will make an orderly transition to the next administration that much harder.

Chloé Messdaghi, VP of strategy at Point3 Security, also had nothing but praise for Krebs.

“It is up to CISA to help America understand cybersecurity threats and misinformation. Christopher Krebs is utterly non-partisan and he deserves his CISA post in every way,” she argued.

“He has earned the nation’s trust and faith, and worked tirelessly to help secure the current election cycle. We owe him an enormous debt of gratitude.”

Group-IB opens HQ in Amsterdam as a central hub for research into the European threat landscape

Group-IB has opened the doors of its European headquarters in Amsterdam, which will serve as a central hub for the company’s research into the European threat landscape. Having been operating on the continent for years, the company now formalizes its operations by inaugurating its new HQ that will be consolidating and maturing the expertise gathered in cyber investigations, incident response and threat hunting activities across the region under one roof. The Amsterdam office, located at … More

The post Group-IB opens HQ in Amsterdam as a central hub for research into the European threat landscape appeared first on Help Net Security.

Fraudulent Transactions a Bigger Worry for Online Retailers During #COVID19

Fraudulent Transactions a Bigger Worry for Online Retailers During #COVID19

Increased risk of fraudulent payment transactions has been one of the biggest concerns of online retailers this year, according to new research from payments platform Paysafe.

In the survey, which asked 1100 small and medium-sized businesses (SMBs) with an online presence about the effect of COVID-19 on their operations, 60% of online retailers said they feel consumers are more worried than ever about becoming a victim of fraud as a result of the crisis. More than three-quarters (76%) had noticed their customers had changed the way they are making payments, with 40% citing searching for a more secure payment as the reason for this.

In addition, Paysafe found that security remained the primary payment concern among SMBs for the third year running. Nearly half (45%) of respondents said it was in the top three most important factors to consider when evaluating a payments provider, ranking higher than reliability (36%), cost (34%) and ease of integration (22%).

Despite this, the majority (58%) admitted they had faced difficulties in achieving the right balance between improving security processes and creating a quick and simple customer journey. However, there appears to be a greater tolerance among consumers for more stringent security to be put in place, with Paysafe highlighting its research from April in which 51% of consumers said they would accept any security measure if it kept their data secure, however poor it made the user experience.

Danny Chazonoff, chief operating officer at Paysafe, commented: “Protecting ourselves from fraud has long been reported as a concern among businesses and consumers, but our research shows that security has become more of a priority than ever, and there are a few reasons for this. The economic impact of COVID-19 has led to a natural desire from both consumers and businesses to protect their finances. Coupled with that, we know that criminal activity such as fraud historically rises during national and global crises, and this pandemic has been no exception.”

There has been a huge shift to digital shopping during the pandemic, with many consumers forced to purchase items online for the first time due to lockdown restrictions. This has opened up new opportunities for fraudsters, particularly exploiting those unused to using the internet. For instance, the charity Age UK found that elderly people in the UK were scammed out of £2.4m in the period from March 23 to July 31 this year.

Live Webinar: Reducing Complexity by Increasing Consolidation for SMEs

Complexity is the bane of effective cybersecurity. The need to maintain an increasing array of cybersecurity tools to protect organizations from an expanding set of cyber threats is leading to runaway costs, staff inefficiencies, and suboptimal threat response. Small to medium-sized enterprises (SMEs) with limited budgets and staff are significantly impacted. On average, SMEs manage more than a

Why MSPs and their partners must prioritise cyber security

Cyber attackers have been increasingly turning their attention to MSPs (managed service providers) in recent years, with devastating results.

MSPs often work with dozens, if not hundreds, of organisations – so a single vulnerability can have far-reaching consequences.

You don’t need to look any further than the ongoing damage at Blackbaud for evidence. The software supplier, which is used by some of the UK’s biggest universities and non-profits, suffered a ransomware attack this summer, the scale of which is still being revealed.

More than 125 organisations were affected, with the University of Exeter, King’s College London and the University of London among those that reported losing sensitive data.

Blackbaud eventually paid the ransom, which averted the short-term risk of data being leaked online. However, it did nothing to protect those whose operations had been disrupted through no fault of their own, no doubt leaving them frustrated.

This demonstrates how perilous the cyber security situation is for MSPs. After all, a cyber attack will not only affect you but also organisations in your supply chain – potentially causing a cascade of problems for which recovery could be impossible.

How MSPs can address cyber security risks

It’s not just large MSPs such as Blackbaud that run into these problems; it’s an issue that everyone faces. The US Secret Service issued a cyber security warning earlier this year warning that that cyber-related attacks on MSPs were on the rise.

Meanwhile, the 2020 MSP Benchmark Survey found that in Europe, the Middle East and Africa, 91% of service providers said their customer base suffered a cyber attack in the previous 12 months.

It also found that 29% of respondents listed “meeting security risks” as the top IT need for their clients, and another 14% said that cyber security services were a top need.

The most common services that those organisations provide are:

  • Antivirus and anti-malware;
  • Firewall and VPN management;
  • Operating system patching;
  • Managed firewall; and
  • Password management.

Among the less commonly provided services were penetration testing and vulnerability management – which we find strange given how important it is to effective security.

Penetration testers assess vulnerabilities to identify potential attack vectors, weaknesses and entry points. Meanwhile, administrators use perform such tests to find previously unknown or unidentified vulnerabilities that may affect their security infrastructure.

Organisations can use the information gathered during these assessments to shore up products and services, prevent security incidents for third parties work with the MSP.

Unfortunately, only 53% of respondents to the 2020 MSP Benchmark Survey said they provide vulnerability management services, which means that many organisations must conduct penetration tests themselves if they are to be confident in their security.

If you’re considering penetration testing, it’s worth noting that their complexity – and the potential for conflict of interest – means that you should always seek an independent expert to conduct them. That’s where IT Governance can help.

We are a CREST-accredited provider of security testing services, with a range of solutions ideal for all organisations.

We offer on-site and remote testing to help you assess your networks in the most convenient way for you.

You can find out how to get started by speaking to one of our experts.

Subscribe to our Weekly Round-up

The post Why MSPs and their partners must prioritise cyber security appeared first on IT Governance UK Blog.

SAD DNS — New Flaws Re-Enable DNS Cache Poisoning Attacks

A group of academics from the University of California and Tsinghua University has uncovered a series of critical security flaws that could lead to a revival of DNS cache poisoning attacks. Dubbed "SAD DNS attack" (short for Side-channel AttackeD DNS), the technique makes it possible for a malicious actor to carry out an off-path attack, rerouting any traffic originally destined to a specific