Author Archives: Graham Cluley

RAT author jailed for 30 months, ordered to hand over $725k worth of Bitcoin

A US court has sentenced a programmer to 30 months in a federal prison in connection with software that claimed to be a legitimate tool for Windows sysadmins to remotely manage computers, but was actually used by criminals to backdoor PCs and secretly spy on victims.

The post RAT author jailed for 30 months, ordered to hand over $725k worth of Bitcoin appeared first on The State of Security.

Smashing Security #100: One flippin’ hundred

Yes, it’s the 100th edition of the “Smashing Security” podcast.

There’s a little celebration at both ends of this week’s podcast - but the meat of the sandwich is our normal look at the security stories of the last week - including an alarming IoT failure and a dating app disaster for Donald Trump devotees.

Considering Electronic Document Signing? Try OneSpan Sign Free For 30 Days

Graham Cluley Security News is sponsored this week by the folks at OneSpan. Thanks to the great team there for their support!

More than 10,000 customers in 100 countries rely on OneSpan to secure access, manage identities, verify transactions, simplify document signing and protect high value assets and systems.

In today’s digital era, more and more organizations choose e-Signature technology as part of their digitization process.

OneSpan Sign is the white-labeled solution behind some of the most trusted brands and security-conscious organizations in the world. The last ten industry reports show that OneSpan Sign received the highest overall customer satisfaction score among e-signature products. 99% of users rated it four or five stars.

Try sending and e-signing documents now, free of charge, and discover how to:

  • Enhance user experience across all channels
  • Increase operational efficiency
  • Meet compliance challenges

Start e-signing in minutes on web and mobile by signing up for an Unlimited 30-Day Trial now!


If you’re interested in sponsoring my site for a week, and reaching an IT-savvy audience that cares about computer security, you can find more information here.

HOTforSecurity: Pentagon data breach puts personal details of 30,000 staff at risk

The Pentagon has admitted that up to 30,000 military workers and civilian personnel have had their personal information and credit card data exposed following a security breach.

The security breach occurred at a third-party vendor which provides travel management services to the Department of Defense.

The vendor, which has not as yet been publicly identified due to security concerns and ongoing contracts, was not however the party that informed the Pentagon of the breach. Instead it appears that it was the DoD’s own computer security team which discovered a breach had occurred.

According to an Associated Press report, it is possible that the breach happened “some months ago,” and that further investigations may uncover that even more staffers were exposed.

The Department of Defense says that it has started notifying individuals affected by the security breach, and that those impacted will be offered prepaid identity theft monitoring services.

Pentagon spokesperson Lt. Col. Joseph Buccino issued a statement confirming the breach does not affect all staff who have used travel management services:

“The Department is continuing to gather additional information about the incident, which involves the potential compromise of personally identifiable information (PII) of DoD personnel maintained by a single commercial vendor that provided travel management services to the Department. This vendor was performing a small percentage of the overall travel management services of DoD.”

The one piece of good news is that it appears no classified material is likely to have been put at risk through the breach.

News of the breach does, however, come at an awkward time for the US Department of Defense which is currently smarting from a report issued last week by the US Government Accountability Office (GAO).

That report concluded that poor security has made next-generation weapons systems easy to hack.

In one case, it was reported that it was possible for unauthorised users to gain access to a weapons system within just one hour, and that the Pentagon was not following basic security practices such as changing default passwords.

“One test report indicated that the test team was able to guess an administrator password in nine seconds. Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed.”

There have, of course, been US government data breaches that have affected a far larger number of individuals than the 30,000 estimated to be impacted in this latest incident.

But that doesn’t make it any less important for organisations like the Department of Defense to consider not only how they best protect their systems, but also how well their third-party service suppliers are securing sensitive DoD data.


Fake Adobe update really *does* update Flash (while also installing cryptominer)

Online criminals are planting cryptomining code on victims' Windows computers, using the camouflage of an update to Adobe Flash Player.

The post Fake Adobe update really *does* update Flash (while also installing cryptominer) appeared first on The State of Security.


China accused of sabotaging thousands of servers at major US companies with tiny microchips hidden on motherboards

An extraordinary report released by Bloomberg BusinessWeek claims that China has been exploiting the supply chain, planting a tiny microchip on servers which ended up in the server rooms of almost 30 companies, including the likes of Apple and Amazon.

Smashing Security #098: A Facebook omnishambles

Millions of Facebook user accounts put at risk after hack! The UK Conservative party’s conference app causes a privacy omnishambles! And Facebook (again) has been doing something naughty with the phone numbers you give it for security reasons! Oh, and Maria gets very excited about something to do with Star Trek.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

Free buyer’s guide to evaluating fraud detection & prevention tools

Graham Cluley Security News is sponsored this week by the folks at OneSpan. Thanks to the great team there for their support!

More than 10,000 customers in 100 countries rely on OneSpan to secure access, manage identities, verify transactions, simplify document signing and protect high value assets and systems.

The fraud detection and prevention market offers a wide range of tools with a wide range of capabilities, but fraud is an ever-evolving threat. Not every tool can keep up with the new fraud schemes in play today.

Download this guide from OneSpan to gain expert insight on the essential capabilities you need in a fraud detection tool. From machine learning and an advanced rule engine to dynamic authentication flows, learn the nine key requirements to look for when comparing fraud solutions.

Inside, you’ll discover:

  • The nine capabilities you need to combat today’s fraud schemes
  • The value of a layered, context-aware online security approach to fraud detection
  • Why analyzing the mobile device itself is so crucial
  • How to explore the full potential of your data
  • How OneSpan’s Risk Analytics solution meets these requirements

Download OneSpan’s “Buyer’s Guide to Evaluating Fraud Detection & Prevention Tools”.


If you’re interested in sponsoring my site for a week, and reaching an IT-savvy audience that cares about computer security, you can find more information here.

Australian teen who hacked into Apple and stole 90 GB of files avoids jail

An Australian teenager who hacked into Apple's network on multiple occasions over several months, and stole sensitive files, has been told that he will not be imprisoned.

The post Australian teen who hacked into Apple and stole 90 GB of files avoids jail appeared first on The State of Security.

Smashing Security #097: Dash cam surveillance, robocall plague, and Zoho woe

Why was Zoho’s website taken offline by its own domain registrar? How are dash cams making you less secure? And why are robocalls on the rise in the United States?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire’s Dave Bittner.

Malware steals passwords from 6.4 million SHEIN customers

Women’s fashion retailer SHEIN has suffered a major security breach that has exposed the personal information and passwords of over six million customers.

In a press statement, SHEIN reveals that it discovered on August 22 2018 that malicious hackers had compromised its computer network, and that between June and early August 2018 customer email addresses and “encrypted password credentials” had been stolen.

According to the company, malware had opened backdoors on corporate servers through which the attackers had stolen data associated with approximately 6.42 million customers.

What hasn’t been disclosed is how the malware came to be planted on SHEIN’s servers; the company says it is against its policy to discuss the specific details, but SHEIN does say that the security holes exploited by the hackers have now been closed.

From the description, the attack against SHEIN does not appear to bear the hallmarks of the Magecart attacks which have impacted a number of sites in recent months, including Ticketmaster.

Fortunately, SHEIN says that it does not typically store payment card information on its systems, and there is no evidence to suggest that customers’ credit card details might have been stolen.

SHEIN says that it is reaching out to customers advising that passwords are changed, and is offering one year’s worth of identity theft monitoring for “affected customers in certain markets.”

In an FAQ, SHEIN tells users that they can reset their password by clicking on a link in an email they are sending users, or by manually visiting the SHEIN website, and after logging in, clicking the “Edit Password” link under the “Account Setting” page.

My advice is that you should visit the website to change your password, and *not* click on a link in an email. After all, now the breach is public knowledge it wouldn’t be too surprising if a criminal attempted to cause even more mayhem by spamming customers with a bogus email that *pretends* to come from SHEIN but really points to a site under the control of the hackers.

Furthermore, if you are concerned that your SHEIN password may have been compromised, please please do make sure that you are not using that same password on any other website.

Password reuse is one of the most common errors made by internet users. Every time you use the same password on different websites, you are increasing the chances that a hacker will be able to successfully exploit credentials stolen during an attack on one site to break into other accounts you may own online.

Take this short survey to assess your organization’s threat intelligence maturity

Graham Cluley Security News is sponsored this week by the folks at Recorded Future. Thanks to the great team there for their support!

Recorded Future believes that every security team can benefit from threat intelligence. That’s why it has launched its new Threat Intelligence Grader — so you can quickly assess your organization’s threat intelligence maturity and get best practices for improving it.

Recorded Future delivers the only complete threat intelligence solution powered by patented machine learning to lower risk. It empowers organizations to reveal unknown threats before they impact business, and enables teams to respond to alerts 10 times faster.

To supercharge the efforts of security teams, Recorded Future’s technology automatically collects and analyzes intelligence from technical, open web, and dark web sources and aggregates customer-proprietary data. Recorded Future delivers more context than threat feeds, updates in real time so intelligence stays relevant, and centralizes information ready for human analysis, collaboration, and integration with security technologies.

91 percent of the Fortune 100 use Recorded Future.

Try out Recorded Future’s Threat Intelligence Grader for yourself now!


If you’re interested in sponsoring my site for a week, and reaching an IT-savvy audience that cares about computer security, you can find more information here.

Smashing Security #096: Bribing Amazon staff, and blinking deepfakes

Amazon staff are being bribed to delete negative reviews and leak data, deepfakes are getting more dangerous, an update on John McAfee’s bitcoin bet, and our guest gets a shock…

All this and more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week (for a while at least) by David Bisson.

8 Industry Best Practices for a Successful Mobile First Strategy (eBook by OneSpan)

Graham Cluley Security News is sponsored this week by the folks at OneSpan. Thanks to the great team there for their support!

More than 10,000 customers in 100 countries rely on OneSpan to secure access, manage identities, verify transactions, simplify document signing and protect high value assets and systems.

And you can now download OneSpan’s free eBook: “8 Industry Best Practices for a Successful Mobile First Strategy”.

Financial institutions strategically aim for customers to do more with mobile while minimizing fraud exposure tied to untrusted, high-risk devices. To enable growth in the mobile channel, financial institutions need to provide fast, convenient and frictionless high-value services delivered as securely and fraud-proof as possible. Building trust between the bank and the customer is priority one in achieving this goal.

Inside OneSpan’s eBook, you’ll discover how to:

  • Provide a frictionless experience
  • Measure risk on each mobile device
  • Combat social engineering and other threats
  • Simplify document signing
  • Login quickly and securely
  • Adopt an Omni-channel approach
  • Be ready for regulation

Download now: “8 Industry Best Practices for a Successful Mobile First Strategy”.


If you’re interested in sponsoring my site for a week, and reaching an IT-savvy audience that cares about computer security, you can find more information here.

HOTforSecurity: How to crash and restart an iPhone with a CSS-based web attack

A security researcher has revealed a method of crashing and restarting iPhones and iPads, with just a few lines of code that could be added to any webpage.

Sabri Haddouche tweeted a link to a webpage containing his 15-line proof-of-concept attack, which exploits a vulnerability in the WebKit web rendering engine used by Apple’s Safari browser.

Haddouche, whose day job is on Wire’s security team, demonstrated that the Safari browser could be easily overloaded by applying a CSS background-filter property to over 3,000 nested <div> tags.

As WebKit’s rendering engine consumes resources, iOS eventually freezes and devices can crash and restart.

The good news is that the weakness can not be exploited to steal information from iPhone and iPad users. However, it could be used by a mischief-maker or malicious attacker in a “denial-of-service” type of attack, effectively stopping a device from working.

Many users would certainly find it a more than trivial inconvenience to have their smartphones power cycle off, and take a few seconds to restart again (requiring a passcode to be entered).

According to reports, the attack works on a variety of versions of iOS, including the latest iOS 12 beta.

But it’s not just iOS users that are potentially at risk.

Some have even produced videos which appear to demonstrate that Apple Watches are also vulnerable.

Furthermore, Haddouche told ZDNet that he had found that (although not as dramatic) the weakness could be targeted on the macOS version of Safari:

“With the current attack (CSS/HTML only), it will just freeze Safari for a minute then slow it down. You will be able to close the tab afterward.”

“To make it work on macOS, it requires a modified version containing Javascript. The reason why I did not publish it is that it seems that Safari persists after a forced reboot and the browser is launched again, therefore bricking the user’s session as the malicious page is executed once again.”

And if WebKit itself is vulnerable then it’s likely that there are many apps besides Safari that are at risk if they use WebKit for rendering webpages.

Haddouche has informed Apple about the vulnerability, and the company is believed to be investigating.

For now, without a patch available, there’s not much that users can do to prevent themselves from becoming the unwitting victims of the attack.

As always, be suspicious of links sent to you in unsolicited emails, and at least feel some consolation that this particular vulnerability is not going to lead to your private data being stolen.

Smashing Security #095: British Airways hack, Mac apps steal browser history, and one person has 285,000 texts leaked

Malicious script is being blamed for the British Airways hack, Trend Micro’s apps are booted out of the Mac App Store for snaffling private data, and Paul Manafort’s daughter wants Twitter to remove a link.

All this and more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by David Emm of Kaspersky Lab.

Trend Micro apologises after Mac apps found scooping up users’ browser history

Trend Micro has confirmed reports that some of its Mac consumer products were silently sending users’ browser history to its servers, and apologised to customers for any “concern they might have felt.”

But apparently it’s the users’ fault anyway for not reading the EULA.

Cyber as a Business Enabler: Operationalizing Cyber Risk Analytics. Download free ebook sneak peek today

Graham Cluley Security News is sponsored this week by the folks at Nehemiah Security. Thanks to the great team there for their support!

Coming this fall, Nehemiah is releasing their newest ebook, “Cyber as a Business Enabler: Operationalizing Cyber Risk Analytics”. This introductory guide arms the modern day cybersecurity leader to put cyber risk into motion and transform cybersecurity operations into a business enabler.

Topics covered in this book include:

  • The end goal of cyber risk analytics
  • Where to gather the right data
  • Key stakeholders involved
  • What it takes to quantify cyber risks financially

Follow this link for a sneak peek into the content and to reserve your copy when the full book is released!


If you’re interested in sponsoring my site for a week, and reaching an IT-savvy audience that cares about computer security, you can find more information here.

Smashing Security #094: Rogue browser extensions, Twitter presence, and how to cheat in exams

What’s the danger when browser extensions go bad? Is Twitter sharing your online status a boon for stalkers? And which of the show’s hosts is going to admit to cheating in their exams?

All this and much much more is discussed in the latest edition of the award-winning “Smashing Security” podcast hosted by computer security veterans Graham Cluley and Carole Theriault, joined this week by technology journalist David McClelland.

Read OneSpan’s 8-page report on the top six e-Signature use cases in banking

Graham Cluley Security News is sponsored this week by the folks at OneSpan. Thanks to the great team there for their support!

More than 10,000 customers in 100 countries rely on OneSpan to secure access, manage identities, verify transactions, simplify document signing and protect high value assets and systems.

OneSpan has produced a free report on the top six e‑signature use cases in banking. With it you can learn the most common starting points for e‑signatures, plus the top targets for expanding across the enterprise.

E-signatures are being used in all areas of the bank, from customer-facing transactions to B2B and internal processes.

Some banks start by introducing e-signatures as part of a branch transformation initiative. Others begin in the online channel with high volume, self-serve transactions.

As digitalization efforts mature, it is becoming common for organizations such as U.S. Bank, BMO (Bank of Montreal), RBC (Royal Bank of Canada) and even non-bank lenders like OneMain Financial to expand e-signature capability across all channels, lines of business, mobile apps and more.

OneSpan’s free paper offers guidance to banks of all sizes seeking to answer questions like:

  • What are the common challenges in going digital?
  • What are the latest e-signature adoption and technology trends in banking?
  • Where to start, and what is the best way to expand?

Download the OneSpan White Paper “Top e-Signature Use Cases in Banking” now.


If you’re interested in sponsoring my site for a week, and reaching an IT-savvy audience that cares about computer security, you can find more information here.

Smashing Security #093: Abandoned domains and dating app dangers

How do fraudsters exploit abandoned domains to steal your company’s secrets? How can you better protect your privacy when looking for love online? And who has the longest arms in the animal kingdom?

All this and more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault.

Facebook pulls its VPN from the iOS App Store after data-harvesting accusations

Facebook has withdrawn its Onavo Protect VPN app from the iOS App Store after Apple determined that it was breaking data-collection policies.

The app, which was free to download, promoted itself as helping users keep themselves and their data safe when they go online, “blocking potentially harmful websites and securing your personal information.”

What users of Onavo may not have realised was that the app was also being used by Facebook to collect information about other apps installed on a user’s iPhone.

Under Apple developer guidelines, such information is not allowed to be collected by apps for analysis or marketing. However, data collected by Onavo is used to provide valuable market intelligence about the market share and usage of apps.

In the words of the app’s own store description:

“Onavo may collect your mobile data traffic. This helps us improve and operate the Onavo service by analyzing your use of websites, apps, and data. Because we’re part of Facebook, we also use this info to improve Facebook products and services, gain insights into the products and services people value, and build better experiences.”

According to a report in the Wall Street Journal, Apple and Facebook met last week to discuss concerns about the behaviour of the app, where the iPhone maker suggested that it be withdrawn from the App Store. Facebook, seemingly recognising that it would look better to choose to withdraw the app than be kicked out of the store, agreed.

A Facebook spokesperson claimed that the company has been upfront about how Onavo works:

“We’ve always been clear when people download Onavo about the information that is collected and how it is used. As a developer on Apple’s platform we follow the rules they’ve put in place.”

In the past, Facebook chief Mark Zuckerberg and Apple boss Tim Cook have publicly disagreed over their respective companies’ different approaches to user privacy.

Although the Onavo Protect app has now been withdrawn from the App Store, it’s possible that there are still plenty of users still relying on the service. In light of the accusations of data-harvesting, users would be wise to uninstall it from their devices.

Even if you aren’t concerned about the data collection, the app will no longer be receiving updates including, if they were made available, security updates. So the only sensible step is to remove the app and find an alternative VPN service which respects your privacy.

One other thing. Facebook has only pulled its controversial Onavo Protect VPN app from Apple’s app store. It is still available from the Google Play Android marketplace, where it has been downloaded over 10 million times.

Unlike Apple, Google may not be kicking up a stink about Facebook’s Onavo app but that’s not a reason for Android users to be any less concerned. Think carefully about what apps you install on your smartphone, and always consider how app developers might be planning to monetise your private data.

Apple hacked by 16-year-old who “dreamed” of working for firm

An Australian teenager has admitted hacking into Apple’s internal network and stealing 90 GB worth of files.

The 16-year-old, who cannot be named for legal reasons, has pleaded guilty to breaking into Apple’s systems on multiple occasions over the course of a year, from his parents’ home in Melbourne’s suburbs.

According to a report in The Age, the young hacker claimed to be a “fan” of the company, who “dreamed” of working for Apple one day.

The teen is thought to have attempted to hide his identity using a variety of tools, such as VPN software. But after Apple eventually spotted the unauthorised access of their internal systems they informed the FBI, who in turn worked with the Australian Federal Police to track down the intruder.

A search of the teenager’s home last year saw law enforcement officers seize two Apple laptops with serial numbers that “matched the serial numbers of devices which accessed the internal systems”, according to a prosecutor.

In addition, a mobile phone and a hard drive were also seized.

According to the report, the boy is thought to have successfully accessed authorised login keys, and stored files in a folder labelled “hacky hack hack”.

In what is perhaps an indication of his immaturity, the teenage hacker is alleged to have bragged about his actions to others via WhatsApp.

An official statement from Apple, provided to the BBC, attempts to reassure Apple customers that their personal data was not at risk:

“We vigilantly protect our networks and have dedicated teams of information security professionals that work to detect and respond to threats.

“In this case, our teams discovered the unauthorised access, contained it, and reported the incident to law enforcement.

“We regard the data security of our users as one of our greatest responsibilities and want to assure our customers that at no point during this incident was their personal data compromised.”

Apple is understandably very sensitive to headlines that its systems may have been hacked, and there will no doubt be even greater embarrassment that it may have been successfully compromised for over a year by a boy aged just sixteen.

The boy is due to be sentenced on 20 September. His case might serve as a warning to others: if you want to work for a company, it’s generally not a good idea to hack into it first.