Author Archives: Kevin Jones

Sprint Data Breach Due To Samsung.com Bug Revealed

U.S. telecom giant Sprint has revealed that a number of Sprint customer accounts were taken over by unauthorized users through a loophole in Samsung.com’s “add a line” feature. The company disclosed the incident on the basis of its June 22 internal report; the following information about affected users is now in the hands of unknown parties:

  • Full name
  • Billing address
  • Subscriber ID
  • Account creation date
  • Account number
  • Phone number
  • Device ID
  • Device Type
  • Monthly recurring charges
  • Upgrade eligibility
  • Add-on services

Even though a long list of information was stolen, Sprint remains calm, claiming that the information lost in the Samsung.com breach is not substantial enough for identity theft to thrive. For its part, Sprint issued a forced reset of its customers’ PINs to lessen the chance of further breaches. The forced PIN change was initiated on June 25, three full days after the incident was discovered.

“Sprint has taken appropriate action to secure your account from unauthorized access and has not identified any fraudulent activity associated with your account at this time. Sprint re-secured your account on June 25, 2019. We apologize for the inconvenience that this may cause you. Please be assured that the privacy of your personal information is important to us. Please contact Sprint at 1-888-211-4727 if you have any questions or concerns regarding this matter,” explained Sprint in its official press release.

The company urges all affected customers to visit www.identitytheft.gov, a website operated by the U.S. Federal Trade Commission. Sprint says the preventive and security measures the FTC provides will be helpful for customers who continue to worry about the breach. As of this writing, Sprint has not disclosed what actually went wrong with Samsung.com’s “add a line” feature, or how it allowed Sprint customer accounts to be taken over through the website.

For its part, Samsung says that it keeps its systems and website secure, and that no Samsung customer information from its systems was leaked. “We recently detected fraudulent attempts to access Sprint user account information via Samsung.com, using Sprint login credentials that were not obtained from Samsung. We deployed measures to prevent further attempts of this kind on Samsung.com and no Samsung user account information was accessed as part of these attempts,” said a Samsung spokesperson.


Singapore’s IT Security Outlook

Singapore continues to be a role model for cybersecurity readiness in Southeast Asia. The city-state learned a great deal from last year’s SingHealth data breach, which pushed Singapore into a period of cybersecurity renewal. Singapore has established bug bounty programs, now in their third edition in 2019, and its leaders are also setting new policies for “interim” technical measures that will hopefully make the country a less attractive target for future cyber attacks.

Singapore’s public sector is now in full swing implementing its core project of automated email filtering. Automated anti-spam and anti-phishing tools are more time-efficient than people at determining whether an email is safe to open. Of course, the humans operating the computers will always be the front line of any cybersecurity initiative, so large-scale user retraining campaigns are now being rolled out across the city-state’s public sector and government agencies.

The initiative is under the supervision of Teo Chee Hean, a Senior Minister and concurrently Coordinating Minister for National Security. His agency released initial findings confirming threats not only against the island nation’s public sector but also against private enterprises. The minister established a committee that will evaluate the progress of the various government agencies toward full compliance with the IT security policy set in the wake of the 2018 SingHealth incident.

For Singapore, everything starts with the awareness, readiness and willingness of public servants to adopt safe computing habits. Regular IT audits are also in full swing and will hopefully address weaknesses in the public sector’s networks and computers. From the perspective of the Chief Information Officer (CIO) or Chief Information Security Officer (CISO), the move to cloud computing goes beyond “cost reduction measures”: it is also about control over IT-related assets.

Singapore is no different from the rest of the world: no one can stop the march of cloud computing. This is where each organization adopting cloud platforms re-evaluates the trade-off between security and privacy on one side and convenient access to data on the other. Cloud adoption assumes that the security department holds veto power; in practice it may or may not. But if the security department is given too little veto power, mistakes follow. For example, even where compliance rules say that important confidential information cannot be placed in a cloud environment, IT vendors immediately start selling “certified solutions” for it (and such solutions already exist).

Cloud computing treats data (that is, confidential information) as a liquid: we can control its flow and channel it into the river we choose. User data, however, behaves like a gas, and that is a new concept. It spreads to fill whatever area is processing it, which is true but troublesome for any IT professional trying to secure an organization’s devices. Convenience of information processing may be sacrificed to confidentiality, and it is unclear whether the past 20 years of information security have taught us this lesson. If only one method delivers the convenience they need, users will adopt that method, even if it means a USB memory stick. Data resembles a gas precisely because users perform their own risk assessments about policy violations: if putting important data into the cloud enables work that improves convenience for the company, employees (well-intentioned or not) will take the risk of putting it there.


United Kingdom’s NCSC Advisory vs DNS Hijacking Released

The United Kingdom’s National Cyber Security Centre (NCSC) has issued an advisory warning UK users of computers and other Internet-connected mobile devices that large-scale DNS hijacking is ongoing on the Internet, and it provides simple mitigation advice for IT professionals to implement in their respective areas of responsibility. NCSC defines DNS hijacking as an incident in which the DNS entries on an authoritative DNS server are edited by a third party without permission. Such an attack creates an unsafe environment for users, as their traffic gets redirected to a false website instead of the genuine one they wish to visit. NCSC highlighted that attackers are concentrating on establishing transparent proxies, hijacking domains, obtaining TLS certificates without authority and creating malicious DNS records, all without the knowledge of the victims.

Unfortunately, the majority of what NCSC describes as “Account Take Over” (ATO) cases involve the domain registrar itself, and end users can do nothing about them. The agency did, however, issue brief advice for domain registrars to minimize the chance of their DNS systems being taken over by unknown parties. “Registry and Registrar Lock – many registries offer a “registrar lock” service. This lock prevents the domain being transferred to a new owner, without the lock being removed. A “registry lock” (which sometimes involves a fee) is considered an additional level of protection whereby changes cannot be made until additional authentication has taken place which usually involves a call to the owner,” explained the NCSC report.

The heightened alert focuses on service providers and domain registrars, who are urged to prioritize offering domain locks to their customers. A domain lock comprises the following functions, quoted directly from NCSC:

  • Prevents the nameservers from being changed;
  • Prevents domain registrant and / or contact details being changed;
  • Prevents the domain from being transferred to another registrar.

DNS server hosting is a regular part of the domain registry and Internet service provider business, but it is not considered a money-making endeavor. Hence ISPs and domain registrars invest little in securing their DNS infrastructure.

NCSC provided the following suggestions so that DNS-hosting organizations can be confident of their DNS server security:

1. Implement DNSSEC

DNSSEC is a security extension that lets a resolver verify the authenticity of the hostname-to-IP-address mappings a DNS server returns. Its purpose is to prevent DNS response spoofing attacks such as DNS cache poisoning. With DNSSEC, the DNS server that sends the response signs it with its private key, and the recipient verifies the signature with the corresponding public key. Because a valid signature cannot be produced without the private key, forged responses are detected when the signature fails to verify. A normal DNS server has no means of authenticating the other party; supporting DNSSEC gives it one.

2. Monitor TLS

TLS certificate issuance needs to be done correctly; the “web of trust” depends entirely on how much people trust the certificate authority. Loss of trust in a certificate authority means loss of business, as happened to the dissolved certificate authority businesses of DigiNotar and Symantec.

3. Auditing and Monitoring

4. Access Control

5. Change Control

“Keep evidence – in case your entire domain is hijacked, you’ll need to appeal to your registry for help. Keep extensive records which can be used to prove ownership,” concluded the NCSC report.
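
The “Auditing and Monitoring” and “Change Control” items above are given without detail. The following script is an added example, not part of the NCSC advisory or of this article, of what such monitoring can look like for a domain owner: an approved baseline of the zone’s records is compared against what is currently observed, and any drift in the record types a hijacker typically edits (NS delegation, A/AAAA, MX, CAA) is reported, with NS changes ranked highest because a registrar-level takeover usually starts by repointing the nameservers. The zone `example.test`, its records and the “live” observation are all constructed sample data; a real deployment would feed the observed side from the registrar’s WHOIS/RDAP output or from `dig` against the authoritative servers.

```python
# Added example (not from the NCSC advisory or the article): detect unauthorized
# changes to a zone's DNS records by comparing a signed-off baseline against the
# records currently observed. Input is a minimal zone-file-like text
# ("name [ttl] [IN] type rdata"); every record below is a constructed sample.
from collections import defaultdict

# Record types whose change typically signals a hijack:
# delegation, addresses, mail routing and certificate-issuance policy.
WATCHED_TYPES = {"NS", "A", "AAAA", "MX", "CAA"}


def parse_zone(text):
    """Parse zone-file-like lines into {(name, type): set(rdata)}.
    TTLs and letter case are ignored so that harmless edits do not alert."""
    rrsets = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        name = fields[0].lower().rstrip(".")
        rest = fields[1:]
        if rest and rest[0].isdigit():           # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":     # optional class
            rest = rest[1:]
        if len(rest) < 2:
            raise ValueError(f"malformed record: {raw!r}")
        rtype = rest[0].upper()
        rdata = " ".join(rest[1:])
        if rtype in ("NS", "CNAME", "MX"):       # hostnames in rdata are case-insensitive
            rdata = rdata.lower().rstrip(".")
        rrsets[(name, rtype)].add(rdata)
    return dict(rrsets)


def diff_zones(baseline, observed, watched=WATCHED_TYPES):
    """Return (severity, message) findings, in (name, type) order, for every
    watched RRset that differs between the approved baseline and observation."""
    findings = []
    for name, rtype in sorted(set(baseline) | set(observed)):
        if rtype not in watched:
            continue
        before = baseline.get((name, rtype), set())
        after = observed.get((name, rtype), set())
        if before == after:
            continue
        added = sorted(after - before)
        removed = sorted(before - after)
        # A delegation (NS) change is the classic registrar-level hijack.
        severity = "critical" if rtype == "NS" else "high"
        findings.append((severity, f"{name} {rtype}: added={added} removed={removed}"))
    return findings


# Constructed baseline and observation for the hypothetical zone example.test
BASELINE = """
example.test.        3600 IN NS   ns1.example.test.
example.test.        3600 IN NS   ns2.example.test.
example.test.        300  IN A    192.0.2.10
mail.example.test.   300  IN A    192.0.2.25
example.test.        300  IN MX   10 mail.example.test.
example.test.        300  IN CAA  0 issue "ca.example.test"
example.test.        300  IN TXT  "v=spf1 mx -all"
"""

OBSERVED = """
example.test.        3600 IN NS   NS1.EXAMPLE.TEST     ; case/ttl differ only -> no alert
example.test.        3600 IN NS   ns-evil.attacker.invalid
example.test.        60   IN A    198.51.100.7
mail.example.test.   300  IN A    192.0.2.25
example.test.        300  IN MX   10 mail.example.test.
example.test.        300  IN CAA  0 issue "ca.example.test"
example.test.        300  IN TXT  "v=spf1 mx -all"
"""


def run_check():
    """Compare the constructed observation against the constructed baseline."""
    return diff_zones(parse_zone(BASELINE), parse_zone(OBSERVED))


if __name__ == "__main__":
    for severity, message in run_check():
        print(f"[{severity}] {message}")
```

Run on the constructed data it reports the changed A record as high and the swapped nameserver as critical, while the re-cased `NS1.EXAMPLE.TEST` and the shortened TTL produce nothing. The “keep evidence” point at the end of the advisory is the reason the baseline deserves to be a version-controlled file with a review history: it doubles as the ownership record a registry will ask for.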

 


TrickBot’s “TrickBooster” Update Compromised 250M Emails

Last Valentine’s Day, we made a fearless declaration here on Hackercombat.com that TrickBot is shaping up to become the “malware of the year”, due to its massive campaigns infecting computers worldwide. That remains our forecast; TrickBot was recently named by DeepInstinct security researchers as responsible for the compromise of at least 250 million email accounts. It rode on massive spam emails sent from computers that were already infected, in a campaign to cast a wider net for the banking trojan.

TrickBot used to rely on the flawed SMB protocol in unpatched versions of Windows to spread itself, navigate network file shares and install itself deep into the operating system. With the update known as “TrickBooster”, TrickBot received the biggest facelift in its history: the banking trojan can now tap the address book installed on the infected computer and send phishing emails to all of the user’s contacts. According to DeepInstinct’s research on the new version, using the user’s contacts further increases the trojan’s chances of infecting more machines than before.

The new spam emails are distinctive, able to bypass the tried and tested anti-spam filters of Outlook.com, Yahoo Mail and Gmail. In fact, the most heavily targeted email domain turned out to be @gmail.com, with 25 million unique instances of spam emails carrying TrickBot. Yahoo Mail came second, with 21 million of its users receiving the spam email at least once, followed by Outlook.com users with 11 million instances.

“We analyzed the malware sample and found swaths of PowerShell code in its memory. Analysis of this PowerShell code immediately led us to the conclusion that we are dealing with a mail-bot. We discovered more samples of the malware, both signed and not, additional infrastructure used in the campaign – both to distribute (infection points) and control the malware (C2 Servers),” explained Shaul Vilkomir-Preisman, security researcher at DeepInstinct in their official website blog.

The new strain can hook into Outlook.exe, create a parallel thread and then execute a COM-based command. It obtains a Microsoft.Office.Interop.Outlook instance through CoCreateInstance and attaches to OUTLOOK.exe via the OleRun function. TrickBot 2.0 also incorporates advanced features that aid its proliferation, such as cookie theft and the use of legitimate-looking digital certificates on the Microsoft Office attachments it piggybacks on.

Rumors circulating online suggest that TrickBot’s new version was able to reach the mailboxes of United States federal agencies such as the Department of Transportation; NASA; Federal Aviation Administration; Internal Revenue Service; Social Security Administration; Department of Justice; Department of Homeland Security; Bureau of Prisons; and Bureau of Alcohol, Tobacco and Firearms.

Whereas the espionage accusations against China’s Huawei Technologies remain accusations, the TrickBot authors have succeeded in stealing not only personally identifiable information but also the banking data of Americans and other nationalities. “We continued monitoring the campaign and the infrastructure involved in it, both its infection points and C2 Servers, which were going on and off line, and employing various Geo-IP restrictions and other mechanisms to hamper analysis. It was at one of these servers that we found something that made us realize how successful this campaign is – an Email dump containing approximately 250 million Email addresses,” concluded Vilkomir-Preisman.


Google’s Leaked Recordings Violate Data Security Policies

A report by the Belgian broadcaster VRT NWS revealed that Google employees routinely listened to audio files recorded by Google Home smart speakers and by Google Assistant on smartphones.

As ZDNet reports, the report describes how employees listen to snippets of the recordings made when the user activates the device with the usual “OK Google” command.

After obtaining copies of several recordings, VRT NWS approached the users concerned and asked them to confirm whether the voices were their own or their children’s, talking to the digital assistant.

Google responded to the report by posting a blog titled “More information about our processes to safeguard speech data”.

Google acknowledged that it uses language experts from around the world who “understood the nuances and accents of a particular language”, and who had reviewed and transcribed a small set of queries to better understand those languages. Google’s terms and conditions indicate that users’ conversations are recorded.

Google’s blog says that capturing such interactions is an important part of developing the speech technology behind products like Google Assistant. According to Google, various security measures are in place to protect user privacy during the review process.

However, Google says that the leak of this audio data violates its data security policies.

David Monsees, Google’s product manager for Search, wrote in the blog: “We just learned that one of these language reviewers has violated our data security policies by leaking confidential Dutch audio data. Our Security and Privacy Response teams have been activated on this issue, are investigating, and we will take action. We are conducting a full review of our safeguards in this space to prevent misconduct like this from happening again.”

According to Google, it applies a wide range of safeguards to protect user privacy throughout the entire review process. The blog further adds, “Language experts only review around 0.2% of all audio snippets. Audio snippets are not associated with user accounts as part of the review process, and reviewers are directed not to transcribe background conversations or other noises, and only to transcribe snippets that are directed to Google.”

The company states that Google Assistant sends audio data to Google only after the device has been activated. Monsees also said that such devices can sometimes experience a “false accept”, in which background noise or words are misinterpreted by the software as the activation keyword.

Although Google stated that audio is recorded only after the command is heard, VRT NWS said that of the more than a thousand samples it listened to, 153 should never have been recorded because the “OK Google” command was not clearly given.

In February, Google detailed that its Nest Guard, the centerpiece of the Nest Secure home alarm system, would soon receive Google Assistant functionality — meaning the device needed to have both a speaker and microphone.

Users had not been made aware that the Nest Guard had a microphone at all, however.
Google responded that failing to tell users about the Nest Guard microphone was nothing more than a mistake.

Earlier this year, Amazon was found to employ a team of people who listen to recordings from its Alexa-powered speakers, similarly to Google, in order to improve the accuracy of its voice assistant.

Recordings sent to the human team do not include the user’s full name, but they are linked to the account name, the device serial number and the user name associated with the clip.

Some team members are tasked with transcribing commands and analyzing whether Alexa answered correctly. Others were asked to annotate background noises and conversations that the device had picked up by mistake.


Pale Moon Archive Server Infected With Malware

Hackers broke into the Pale Moon browser project’s archive server and infected earlier versions of the browser with malicious software.

The lead developer of Pale Moon, Mr. C. Straver, said the hack went undetected for more than 18 months.

The Pale Moon archive server hosts earlier versions of the Pale Moon browser, in case a user wants to downgrade from the current stable version.

“A malicious party gained access to the at the time Windows-based archive server (archive.palemoon.org) which we’ve been renting from Frantech/BuyVM and ran a script to selectively infect all archived Pale Moon .exe files stored on it (installers and portable self-extracting archives) with a variant of Win32/ClipBanker.DY (ESET designation),” Straver said today.

The Pale Moon developer said that he learned of the breach on July 9 and immediately shut down the compromised archive server.

The breach happened in 2017

The attackers used a script to inject the Win32/ClipBanker.DY Trojan variant into the EXE files stored on the server, so that users who later downloaded a Pale Moon installer and ran or extracted it would be infected with the malware.

As noted above, the Pale Moon team discovered the breach on July 9 and immediately shut down all connections to the affected server to prevent the malware from spreading to more users.

The date of the infection was derived from the timestamps of the infected files:

“According to the date/time stamps of the infected files, [the hack] happened on 27 December 2017 at around 15:30,” Straver said, following a subsequent investigation.

“It is possible that these date/time stamps were forged, but considering the backups taken from the files, it is likely that this is the actual date and time of the breach.”

In May this year, the Pale Moon project missed an opportunity to spot the intrusion when the original archive server suffered data corruption and blocking issues.

The Pale Moon developer said that all archived Pale Moon versions up to 27.6.2 had been infected. Interestingly, the archived versions of the Basilisk web browser were not infected, even though they were hosted on the same server.

“Unfortunately, after the incident that rendered the server inoperable, the files transferred to the new system were taken from a backup made earlier that was already in an infected state due to the passage of time that this breach has gone undetected, so the infected binaries were carried over to the new (CentOS) solution,” Straver said.

Targeting cryptocurrency users

Users who downloaded files from the archive server are advised to scan their systems, or to wipe and reinstall their desktops for added safety.

Security researchers classify Win32/ClipBanker.DY as a clipboard-hijacking trojan. Once a victim is infected, it runs in the background and monitors the operating system clipboard. This particular variant looks for text that resembles a Bitcoin address and replaces it with an attacker-configured address, in the hope of redirecting transactions to the hacker’s wallet.
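
The defensive counterpart to a clipboard hijacker is a check that what ends up in the clipboard is still what the user copied. The following is an added example written for this article; it is not code from the Pale Moon project or from the ESET analysis. It validates mainnet Base58Check Bitcoin addresses (the P2PKH `1...` and P2SH `3...` forms, checksum included, so a random string or a typo is never mistaken for an address) and then audits a sequence of clipboard observations: an alert fires when a poll finds a different valid address than the one the user last copied, with no user action in between. The event stream, the `user_copy`/`poll` labels and the two addresses (built from dummy hashes, not real wallets) are all constructed for the demo.

```python
# Added example (not from the article, the Pale Moon project or ESET): detect the
# swap a clipboard-hijacking trojan performs by validating Bitcoin addresses
# with Base58Check and comparing clipboard polls against the user's last copy.
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s: str) -> bytes:
    """Decode Base58 text to bytes; each leading '1' maps to a leading zero byte."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def b58encode(data: bytes) -> str:
    """Encode bytes as Base58; leading zero bytes become leading '1's."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def checksum(payload: bytes) -> bytes:
    """Base58Check checksum: first 4 bytes of double SHA-256."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def make_address(version: int, hash160: bytes) -> str:
    """Build a Base58Check address from version byte + 20-byte hash (sample data only)."""
    payload = bytes([version]) + hash160
    return b58encode(payload + checksum(payload))


def is_valid_btc_address(text: str) -> bool:
    """True only for a mainnet P2PKH (0x00) or P2SH (0x05) address whose checksum verifies."""
    if not (26 <= len(text) <= 35):
        return False
    try:
        raw = b58decode(text)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    return checksum(raw[:-4]) == raw[-4:]


def audit_clipboard(events):
    """events: ordered (source, text) pairs; source is 'user_copy' for a copy the
    user performed, 'poll' for a periodic clipboard read by the monitor.
    Returns [(expected, seen)] for every poll that holds a different valid
    address than the one the user last copied, with no user action in between."""
    alerts = []
    expected = None
    for source, text in events:
        text = text.strip()
        if source == "user_copy":
            expected = text if is_valid_btc_address(text) else None
        elif source == "poll" and expected is not None:
            if text != expected and is_valid_btc_address(text):
                alerts.append((expected, text))
                expected = None          # report each swap once
    return alerts


# Constructed sample: addresses derived from dummy hashes, not real wallets.
USER_ADDR = make_address(0x00, bytes(20))
ATTACKER_ADDR = make_address(0x00, bytes([0x42]) * 20)

SAMPLE_EVENTS = [
    ("user_copy", USER_ADDR),
    ("poll", USER_ADDR),             # unchanged: fine
    ("poll", ATTACKER_ADDR),         # silently replaced: alert
    ("user_copy", "meeting notes"),  # non-address copy resets tracking
    ("poll", ATTACKER_ADDR),         # nothing expected: no alert
]


def run_audit():
    """Audit the constructed event stream."""
    return audit_clipboard(SAMPLE_EVENTS)


if __name__ == "__main__":
    for expected, seen in run_audit():
        print(f"ALERT: copied {expected} but clipboard now holds {seen}")
```

The checksum step matters: without it, any 26 to 35 character Base58 string would count as an address and ordinary copied text would trigger false alerts. In a real monitor the `user_copy` events come from the application the user copied from (or a keystroke hook on Ctrl+C) and the `poll` events from reading the system clipboard on a timer; the comparison logic stays the same.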


What Is a Rootkit? Detection and Prevention

Rootkits are covert programs that provide continuous, privileged access to a computer while actively hiding their presence. The term rootkit combines the words “root” and “kit”. Initially, a rootkit was a set of tools for gaining administrator-level access to computers or networks: root refers to the administrator account on Unix and Linux systems, and kit refers to the software components that implement the tools. Today rootkits are typically associated with malicious programs such as Trojans, worms and viruses that hide their existence and actions, as well as those of other system processes.

What Can a Rootkit Do?

A rootkit can give an attacker command and control of a computer without the user or owner knowing. Once the rootkit is installed, its operator can remotely execute files and change the system settings of the host computer. A rootkit on an infected computer can also access log files and spy on the owner’s legitimate use of the machine.

Rootkit Detection

One of the main goals of a rootkit is to avoid detection so that it can stay installed and accessible on the victim’s system, which is what makes rootkits hard to detect. Rootkit developers work hard to hide their malware, so there may be few symptoms indicating an infection. No commercial product can find and eliminate all known and unknown rootkits.

There are several ways to search for rootkits on infected computers. Detection methods include behavior-based methods (such as looking for unusual behavior in a computer system), signature analysis, and analysis of memory images. Often the only reliable way to remove a rootkit is to completely reformat the infected system.

Other symptoms of infection can be observed when the Windows configuration changes by itself without the user taking any action. Other unusual behavior, such as a changed lock-screen wallpaper or altered taskbar items, may also indicate a rootkit infection.

Finally, abnormally slow performance, high CPU usage or unexpected browser changes may also indicate a rootkit infection.
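
One concrete form of the behavior-based detection mentioned above is cross-view comparison: the same fact (here, which processes are running) is gathered through two independent paths, and any disagreement is reported, because a rootkit that filters one path usually cannot filter both. The script below is an added example written for this article, not a tool from any product it mentions. The comparison function runs on constructed sample views; the two live Linux collectors (a `/proc` directory walk, and a brute-force `kill(pid, 0)` probe that treats EPERM as proof of existence) are assumptions about the host and are only invoked when `/proc` exists.

```python
# Added example (not from the article): cross-view rootkit detection. Two
# independent views of the running process set are compared; a PID that answers
# signals but is absent from the directory listing is a lead worth investigating.
import os


def hidden_processes(api_view, probe_view):
    """Return PIDs that the low-level probe sees but the higher-level listing
    omits ("hidden", the signature of a process-hiding rootkit) and PIDs the
    listing shows but the probe cannot confirm ("phantom", usually a race
    with a process that just exited)."""
    api = set(api_view)
    probe = set(probe_view)
    return {"hidden": sorted(probe - api), "phantom": sorted(api - probe)}


def proc_listing_view():
    """View 1 (Linux): PIDs and thread IDs enumerated by listing /proc and each
    /proc/<pid>/task, i.e. the readdir path that user-space rootkits hook.
    Thread IDs are included because kill(tid, 0) also succeeds for threads."""
    ids = set()
    for p in os.listdir("/proc"):
        if not p.isdigit():
            continue
        ids.add(int(p))
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{p}/task") if t.isdigit())
        except OSError:
            pass                      # process exited between the two listings
    return ids


def signal_probe_view(max_pid=32768):
    """View 2 (Linux): probe every PID with signal 0. EPERM means the process
    exists but belongs to another user; ESRCH means it does not exist. This
    path does not go through directory listing, so a readdir hook cannot filter it."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except PermissionError:
            alive.add(pid)
        except ProcessLookupError:
            pass
    return alive


# Constructed sample views (not captured from a real machine) for the offline demo.
SAMPLE_API_VIEW = [1, 2, 87, 412, 1031]
SAMPLE_PROBE_VIEW = [1, 2, 87, 412, 1031, 2222]   # 2222 answers signals but is unlisted


def demo():
    """Run the comparison on the constructed sample views."""
    return hidden_processes(SAMPLE_API_VIEW, SAMPLE_PROBE_VIEW)


if __name__ == "__main__":
    print("constructed sample:", demo())
    if os.path.isdir("/proc"):
        # Entries that persist across several runs are the real leads; one-off
        # "phantom" or "hidden" PIDs are normally processes starting or exiting.
        print("live host:", hidden_processes(proc_listing_view(), signal_probe_view()))
```

A kernel-level rootkit can hook the syscall layer under both views, which is why memory-image analysis remains the stronger check; cross-view comparison is cheap, needs no signatures, and catches the common user-space hiding techniques.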

Protection from Rootkit

Many rootkits get into computer systems by bundling themselves with legitimate software or with viruses. You can protect your system against rootkits by ensuring it is protected against known vulnerabilities: keep the operating system patched, applications updated and virus definitions current. Do not accept files or open email attachments from unknown sources. Be careful when installing software, and read the End User License Agreement carefully.

Static analysis can detect backdoors and other harmful software such as rootkits. Developers and IT departments that buy ready-made software can scan their applications for “backdoors” and “hidden credentials.”

Well-Known Rootkit Examples

  • Lane Davis and Steven Dake: wrote the first known rootkit in the early 1990s
  • NTRootkit: one of the first dangerous rootkits for Windows operating systems
  • HackerDefender: an early Trojan that modifies the operating system at a very low level, down to the system-call functions
  • Machiavelli: the first rootkit for Mac OS X, released in 2009; it creates hidden system calls and kernel threads
  • Greek wiretapping: in 2004/05, intruders installed rootkits on Ericsson’s AXE PBX exchanges
  • Zeus: first identified in July 2007, a Trojan horse that steals banking data by recording the user’s keystrokes in the browser and grabbing form data
  • Stuxnet: the first rootkit targeting industrial control systems
  • Flame: computer malware discovered in 2012 that attacks computers running Windows; it can record audio, screenshots, keyboard activity and network traffic
