NotPetya/GoldenEye back in the spotlight: UK officially points finger to Kremlin for June 2017 cyberattack

2017 has already gone down as the worst year on record from a cybersecurity standpoint. But the world is still not over the two infamous attacks deployed by hackers in May (WannaCry) and June (NotPetya/GoldenEye) of last year, which together dealt billions of dollars’ worth of damage to victims worldwide.

After conducting scrupulous assessments in the wake of June’s NotPetya/GoldenEye pandemic, the UK’s cybersecurity watchdog claims it knows Russia was behind it. And it wants Russia to know it is not having it anymore.

A letter signed by the Foreign & Commonwealth Office, National Cyber Security Centre, and Lord Ahmad of Wimbledon reads:

“The UK’s National Cyber Security Centre assesses that the Russian military was almost certainly responsible for the destructive NotPetya cyber-attack of June 2017. Given this is the highest level of assessment and the broader context, the UK government has made the judgement that the Russian government was responsible for this cyber-attack.”

“The attack masqueraded as a criminal enterprise but its purpose was principally to disrupt. Primary targets were Ukrainian financial, energy and government sectors. Its indiscriminate design caused it to spread further, affecting other European and Russian business.”

Ahmad said the UK Government “judges” that the malware was crafted and subsequently deployed by none other than the Russian military, adding that “The attack showed a continued disregard for Ukrainian sovereignty. Its reckless release disrupted organisations across Europe costing hundreds of millions of pounds” – a figure already circulated by the media after victims released financial statements mentioning the losses incurred by the attack.

As avid readers might remember, NotPetya/GoldenEye’s total financial damage was ultimately calculated at over 1 billion US dollars.

“The Kremlin has positioned Russia in direct opposition to the West yet it doesn’t have to be that way,” Ahmad continues his denunciatory message. “… The United Kingdom is identifying, pursuing and responding to malicious cyber activity regardless of where it originates, imposing costs on those who would seek to do us harm.”

Most cybersecurity experts agree that NotPetya/GoldenEye was crafted to look like ransomware but was primarily aimed at destabilizing Ukraine, not at turning a profit for the attackers.

After hitting Ukraine, the malware spread to several other European countries (including the UK), disrupting international power distributors, pharmaceutical companies, banks, advertisers, law firms, public transport, even airports.

This is not the first time the UK has warned that it will respond in kind when faced with such mischief. Eight months ago, the country’s defense secretary Sir Michael Fallon threatened to deploy “air, land, sea or cyber space” attacks against hackers caught infiltrating British government systems.

Protect your Privacy with Bitdefender VPN

A Virtual Private Network – also known as a VPN – is a group of computers linked together over the internet. This basically allows someone who’s connected to the internet, from anywhere in the world, to access a network that’s otherwise restricted and not accessible to everyone with a simple internet connection.

While the connection between them makes it seem like they all share the same LAN (Local Area Network) – for instance, home or business network – they’re actually using the public internet to talk to each other in a secure and encrypted manner.

Privacy Matters

Let’s pretend a VPN is a really secure tunnel between you and the destination you want to visit on the internet. In fact, don’t pretend — that’s exactly what it is. When your information passes through this tunnel, it means no one outside the tunnel will know exactly what is being passed through it, meaning your communication is secure.

One reason someone would need to use a VPN is to access company resources that are not accessible from outside the company. In countries where content or access to certain websites is blocked, a VPN could allow the user to change his virtual identity, and appear as if he’s visiting the restricted website from an unrestricted location.

Others simply have growing concerns that they’re constantly tracked by online service providers or even governments, raising concerns that their personal information and private conversations could be eavesdropped on at any time. The fact that VPNs also support encrypted traffic means that, whenever you’re roaming the internet, anyone who tries to spy on your communication will only “see” gibberish. They can’t steal your passwords, spy on your conversations, or even redirect you to malicious websites.

This is great for when you’re connected to a public Wi-Fi hotspot or any network that you don’t fully trust, as you can encrypt everything you send online without worrying that someone controlling the network will be able to spy on you.

This particular feature is great for online banking, shopping, connecting to your social media accounts or even accessing content that’s restricted in your region. The way the tunnel works is that, when you establish a secure connection with the VPN server, everything you visit online looks like the VPN server is actually visiting it. This means that your identity and location are always protected.

Encryption is vital when surfing the web as it not only keeps your online transactions hidden from prying eyes, but it also makes sure that everything you do online is completely unreadable by cybercriminals trying to get between you and the one you’re talking to. While not all encryption is made equal, as some can be broken or bypassed under the right circumstances, the general rule of thumb is that strong encryption and good security hygiene – such as having a security solution installed either on your PC or mobile device – pair up nicely to offer maximum protection against any online threats, risks, or types of attack.

The really interesting part is that some VPN solutions also allow you to change the location of your VPN server, meaning that you can browse the web as if you’re from the United States, Europe, or any other region on the map.

Privacy for Android and Windows

Regardless of whether you’re mobile – on your Android smartphone or tablet – or on your Windows computer, a VPN solution keeps your private information safe from prying eyes. VPN features vary between the free and paid versions, with differences involving the bandwidth cap, the ability to change server location and trial periods.

Either way, having a VPN solution tightly integrated with your security solution lets you browse the web in complete privacy while being constantly protected from threats and malware. Whether you own an Android smartphone or tablet or a Windows-based terminal, having both security and privacy enables you to do your thing, protected.

Bitdefender VPN offers both privacy and encryption for Windows and Android users, enabling you to safely browse the internet worry-free. For more information about Bitdefender VPN – both the free and the paid version – check out the official webpage.

How Hackers Are Leveraging Machine Learning

Machine learning can be leveraged for both beneficial enterprise purposes as well as malicious activity.

For business executives and internal information security specialists, it seems that every day brings a new potential risk to the company – and in the current threat environment, it isn't hard to understand this viewpoint.

Sophisticated cybercriminals are continually on the lookout for the next big hacking strategy, and aren't shy about trying out new approaches to breach targets and infiltrate enterprises' IT assets and sensitive data. One of the best ways to stem the rising tide of threats in this type of landscape is to boost awareness and increase knowledge about the latest risks and how to guard against them.

Currently, an emerging strategy among hackers is the use of machine learning. Unfortunately, like many advanced and innovative technological processes, machine learning can be leveraged for both beneficial enterprise purposes as well as malicious activity.

Machine learning: A primer

Many internal IT and development teams as well as technological agencies are experimenting with machine learning – but white hats aren't alone in their use of this method.

As SAS explained, machine learning is an offshoot of artificial intelligence, and is based on the ability to build automated analytical models. In other words, machine learning enables systems to increase their own knowledge and adapt their processes and activities according to their ongoing use and experience.

"The iterative aspect of machine learning is important because as models are exposed to new data, they are able to independently adapt," SAS stated. "They learn from previous computations to produce reliable, repeatable decisions and results. It's a science that's not new – but one that has gained fresh momentum."

Individuals have likely encountered some form of machine learning algorithm in their daily life already – things like online recommendations from streaming services and retailers, as well as automated fraud detection represent machine learning use cases already in place in the real world.

Machine learning on both sides of the coin

However, as legitimate agencies and white hat security professionals continue to dig deeper into advantageous machine learning capabilities, hackers are increasingly looking toward AI-based processes to boost the effects of cyberattacks.

"We must recognize that although technologies such as machine learning, deep learning, and AI will be cornerstones of tomorrow's cyber defenses, our adversaries are working just as furiously to implement and innovate around them," Steve Grobman, security expert and McAfee chief technology officer told CSO. "As is so often the case in cybersecurity, human intelligence amplified by technology will be the winning factor in the arms race between attackers and defenders."

But how, exactly, are hackers putting machine learning algorithms to work, and how will these impact today's enterprises? Let's take a look:

ML vs. ML: Evasive malware

When hackers create malware, they don't just look to breach a business – they also often want to remain within victims' systems for as long as possible. One of the first, and likely most dangerous, ways machine learning will be leveraged by hackers is to fly under the radar of security systems aimed at identifying and blocking cybercriminal activity.

A research paper from Cornell University authors described how such an attack could be carried out. The researchers built a generative adversarial network (GAN) that, by itself, generated malware samples. Thanks to machine learning, the resulting samples were able to sidestep machine learning-based security solutions designed specifically to detect dangerous samples.

Security experts also predicted that machine learning could be utilized by cybercriminals to modify the code of new malware samples based on the ways in which security systems detect older infections. In this way, hackers will leverage machine learning to create smarter malware that could potentially fly under the radar within infected systems for longer periods of time.

This will require enterprises to be increasingly proactive with their security posture – monitoring of critical IT systems and assets must take place continually, and security officers must ensure that users are observing best protection practices in their daily access and network activities.

Preemptive efforts: Laying the groundwork for attack

Forbes contributor and ERPScan co-founder and CTO Alexander Polyakov noted that hackers could also begin utilizing machine learning to support the work done leading up to an attack.

Before they look to breach an organization, cybercriminals typically begin by gathering as much information about a target as possible. This includes details about company stakeholders that could potentially later be used to spur a phishing attack. With machine learning in place, hackers wouldn't have to carry out these research efforts manually, and instead can automate and speed up the entire process.

Leveraging machine learning in this way could mean a spike in targeted attacks that utilize personally identifiable information about company leaders and even lower-level employees. Polyakov reported that this style of phishing attack could boost the chances of success by as much as 30 percent.

As phishing and targeted attacks become more sophisticated, it's imperative that executives and employees are educated about how to spot a fraudulent message created to appear legitimate. Often, phishing messages will include the recipient's name, title and other details to encourage the victim to open it. However, these emails may also include spelling errors or small changes in sender email addresses, company names, logos and other items used to support the appearance of legitimacy. Ensuring that employees don't fall for these tricks begins with proper security education and training as part of a layered security posture.
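One of the checks the paragraph describes, a small change in the sender's address, lends itself to automation. The following is an added example (not from the original article) that parses `From:` headers and flags sender domains that sit within a couple of character edits of a known-good domain without matching it exactly. The allow-list, the sample headers and the edit threshold are constructed assumptions for illustration.

```python
"""Flag lookalike sender domains in e-mail From: headers.

Added example, not from the original article. The legitimate domains and the
sample headers below are constructed for illustration.
"""
from email.utils import parseaddr

# Constructed allow-list of domains the organisation actually sends from.
KNOWN_DOMAINS = {"example.com", "example-corp.com"}

# Constructed From: header values, as they might appear in a mail log.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example.com>",          # legitimate
    "Jane Doe <jane.doe@examp1e.com>",          # digit 1 in place of letter l
    "IT Helpdesk <helpdesk@example-corp.co>",   # truncated top-level domain
    "Newsletter <news@totally-unrelated.org>",  # not a lookalike, merely unknown
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def sender_domain(header: str) -> str:
    """Extract the domain part of the address in a From: header, lower-cased."""
    _, addr = parseaddr(header)
    return addr.rpartition("@")[2].lower()


def classify_sender(header: str, known=KNOWN_DOMAINS, max_edits: int = 2) -> str:
    """Return 'known', 'lookalike' or 'unknown' for the sender's domain.

    A domain within max_edits edits of a known domain, but not equal to it, is
    the pattern the article describes: a small change meant to pass as legitimate.
    """
    domain = sender_domain(header)
    if domain in known:
        return "known"
    nearest = min(edit_distance(domain, k) for k in known)
    return "lookalike" if nearest <= max_edits else "unknown"


def triage(headers=SAMPLE_HEADERS) -> dict:
    """Map each header to its classification."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage().items():
        print(f"{verdict:10} {header}")
```

The "lookalike" verdict is the interesting one: an exact match is trusted, a far-away domain is just an unknown correspondent, but a near miss against a domain the organisation uses deserves a warning banner or a quarantine rule.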

Bypassing CAPTCHA systems: Unauthorized access

Many websites and systems leverage CAPTCHA technology as a way to distinguish human users from bots or machine input. However, in the age of machine learning, even these formerly tried-and-true access protections aren't impervious.

This isn't the first time machine learning has emerged as a way for hackers to break through CAPTCHA access – in 2012, researchers proved that machine learning could bypass reCAPTCHA-based systems with an 82 percent success rate. More recently, in 2017, researchers used machine learning to sidestep Google reCAPTCHA protections with 98 percent accuracy.

This threat means that enterprises will have to strengthen their security protections, particularly those that prevent botnet access on customer-facing systems. Polyakov recommended replacing recognition CAPTCHA with MathCAPTCHA, or another more robust alternative.

Machine learning for security

Thankfully, as noted, machine learning can also be leveraged to boost security on the side of the enterprise.

As noted in this blog, machine learning can help pinpoint and close gaps in IoT security, improve the monitoring of data exchange between employee users, and even predict and stop zero-day threats.

And to learn more about how to safeguard your enterprise against machine learning-based attacks, connect with the security experts at Trend Micro today.

Russian nuclear weapons engineers detained after using facility’s supercomputer to mine cryptocurrency

Reminiscent of the California Gold Rush, the cryptocurrency phenomenon has captured the minds of virtually everyone who understands digital currency. And those with the means to ‘mine’ it will go to great lengths to do so, as evidenced most recently by engineers at a nuclear weapons plant in Russia.

With direct access to 1 petaflop of computing horsepower and no apparent supervision, engineers at the Russian Federation Nuclear Center in Sarov – where the Soviets developed their first atom bomb in the 1940s – decided to make some easy money.

According to Russia’s Interfax News Agency, an unconfirmed number of engineers at the RFNC have been arrested for mining (or attempting to mine) cryptocurrency with “office computing resources.” Those resources were none other than the facility’s 1-petaflop supercomputer, which the institute uses to simulate nuclear tests.

One petaflop is a unit of computing speed equal to one quadrillion floating point operations per second (FLOPS). It achieves this by leveraging thousands of individual processors in parallel.

“There has been an unsanctioned attempt to use computer facilities for private purposes including so-called mining,” said Tatyana Zalesskaya, head of RFNC public relations department.

In the cryptocurrency world, mining refers to validating transactions. To do that, the computer used to mine the currency must be connected to the public ledger, shared by everyone trading it. In other words, it needs to use the Internet.

And that’s exactly what one of the detained engineers reportedly attempted to do, which triggered alarms at the country’s Federal Security Service (FSB) and led to the engineers’ arrest.

Because the institute’s supercomputer is designed to test top-secret nuclear arms, the Kremlin obviously doesn’t want an Ethernet cable anywhere near it. One can only imagine the potential repercussions of these engineers’ actions. Punishment will likely greatly exceed a slap on the wrist.

Winter Olympics ceremony allegedly hacked by Russia; no comment from IOC

Hackers attacked the opening ceremony of the Pyeongchang Winter Olympics in South Korea, organizers confirmed. The attacks were allegedly carried out by Russia following a doping ban, but the organizers made no comments, writes the Guardian. Soon after the event started on Friday, the official website went offline for 12 hours, and the stadium’s Wi-Fi stopped working, along with television and network connections in the press center.

“There was a cyberattack and the server was updated yesterday during the day and we have the cause of the problem,” said Sung Baik-you, a spokesperson for the Olympics. “They know what happened and this is a usual thing during the Olympic Games.

“We are not going to reveal the source,” he said. “We are taking secure operations and, in line with best practice, we’re not going to comment on the issue because it is an issue that we are dealing with. We wouldn’t start giving you the details of an investigation before it is coming to an end, particularly if it was on security which, at these games, is incredibly important.”

International Olympic Committee (IOC) spokesman Mark Adams has not yet commented on the source of the attack but he assured users that their systems are secure.

When asked about accusations that Russia is behind the cyberattack, Russia’s foreign ministry said there was no evidence to present. It added that it knew “that Western media are planning pseudo-investigations on the theme of ‘Russian fingerprints’ in hacking attacks on information resources related to the hosting of the Winter Olympic Games in the Republic of Korea.”

Russia appealed the ban, arguing they had been unjustly eliminated from the competition, decimating their Olympics team. Their appeal was rejected at the last minute and resulted in the exclusion of around 47 coaches and athletes, including Viktor Ahn, a six-time Olympic gold medalist.

The Pyeongchang Winter Olympics take place some 80 km from the North Korean border, in a complicated political context: the two states are on hostile terms, and the South maintains close ties to the US.

HOTforSecurity: Uh-oh. How just inserting a USB drive can pwn a Linux box

Remember the notorious Stuxnet worm?

It was a highly-sophisticated piece of malware – developed by the United States and Israeli intelligence – which targeted Iran’s Natanz uranium enrichment facility.

One of the things which made Stuxnet so notable was that it exploited a zero-day vulnerability in Windows, meaning that it could infect a Windows computer (even with Windows AutoRun and AutoPlay disabled) just by plugging in an infected USB stick.

The exploit was in how Microsoft Windows handled .LNK shortcut files, and meant that malicious code could be run on a computer without any user interaction – just inserting the thumb drive was enough.

Of course, this vulnerability was uncovered back in 2010. Nothing like that would ever happen these days… right?

Sadly for Linux users running the KDE Plasma desktop environment, they find themselves now facing a similar scenario. If anything it’s worse, according to a security advisory released late last week.

In short, if a USB memory stick plugged into a vulnerable computer has a volume label containing the characters `` or $(), the text between those characters will be executed as shell commands.

Or, to put it another way, give a USB drive the volume name `rm -rf`, and hand it to a friend who runs KDE Plasma on their Linux box, and they won’t be your friend much longer.
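To make the mechanism concrete, here is an added example (not KDE's code and not from the advisory) that reproduces the general pattern behind the bug using Python's subprocess module: a volume label spliced into a command string that /bin/sh re-parses, beside the hardened form that passes the label as a plain argument, plus a small check for the two substitution syntaxes the advisory names. The label value and the function names are constructed for illustration, and the substituted command is a harmless echo.

```python
"""Why a volume label must never be spliced into a shell command string.

Added example, not KDE's code: it reproduces the general pattern behind the
advisory (untrusted text re-parsed by a shell) with Python's subprocess module.
The label below is constructed; $(echo INJECTED) stands in for any command.
"""
import shlex
import subprocess

# Constructed volume labels: one carrying command-substitution syntax, one plain.
HOSTILE_LABEL = "$(echo INJECTED)"
BENIGN_LABEL = "USBDISK"


def announce_unsafe(label: str) -> str:
    """Vulnerable pattern: the label is interpolated into a string that /bin/sh
    re-parses, so $(...) and `...` inside it run as commands."""
    proc = subprocess.run(
        f"echo Volume mounted: {label}", shell=True,
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.strip()


def announce_safe(label: str) -> str:
    """Hardened pattern: the label travels as a single argv element and is
    never handed to a shell, so its contents stay inert text."""
    proc = subprocess.run(
        ["echo", "Volume mounted:", label],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.strip()


def label_has_substitution(label: str) -> bool:
    """Detection aid: does the label carry either shell substitution syntax?"""
    return "`" in label or "$(" in label


def quoted_for_shell(label: str) -> str:
    """If a shell string is unavoidable, quote the label so the shell treats it
    as a literal word rather than code."""
    return f"echo Volume mounted: {shlex.quote(label)}"


if __name__ == "__main__":
    print("unsafe:", announce_unsafe(HOSTILE_LABEL))   # label was executed
    print("safe:  ", announce_safe(HOSTILE_LABEL))     # label printed verbatim
    print("flag:  ", label_has_substitution(HOSTILE_LABEL))
```

Run stand-alone, the two announce calls print different things, and that difference is the whole bug. The rule generalises beyond volume labels: any string an outsider controls (file names, device names, metadata) should reach a shell only through `shlex.quote` or, better, not at all.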

Of course, this isn’t the sort of attack that could be conducted remotely. An attacker needs physical access to the vulnerable computer, or must sneakily leave a drive lying around in a car park in the hope that an unsuspecting user will plug it into their computer out of curiosity.

It’s easy to imagine how both malicious attackers and immature pranksters might attempt to abuse this flaw, so make sure that any vulnerable Linux computers under your control are properly protected.

KDE Plasma users are advised to update their systems as soon as possible to version 5.12.0 or later.

Astonishingly, in 2015 it was discovered that Microsoft’s 2010 attempt to patch the USB flaw had been insufficient, and so it had another go.

Let’s hope KDE Plasma has better luck than Microsoft.

Hospital warns 24,000 patients that its EMR system was hacked to mine cryptocurrency

Hackers are increasingly setting their sights on electronic medical records (EMR) to extort money from hospitals and their affiliated system vendors. Most recently, one hospital has seen its EMR service hijacked to mine cryptocurrency.

On January 26, Parsons, Tennessee-based Decatur County General Hospital started notifying customers that its EMR vendor was compromised by a hacker who injected cryptocurrency mining malware into its systems.

“On November 27, 2017, we received a security incident report from our EMR system vendor indicating that unauthorized software had been installed on the server the vendor supports on our behalf,” reads the DCGH notice. “The unauthorized software was installed to generate digital currency, more commonly known as ‘cryptocurrency.’”

An investigation revealed the attacker infected the servers remotely sometime in September. However, the hospital was only notified of the breach two months later, which is highly unorthodox considering that the attackers could have (and potentially might have) compromised the sensitive information of tens of thousands of patients.

It is unclear how much cryptocurrency was generated for the attacker(s) as part of the hack, but DCGH says “the EMR vendor replaced the server and operating about four days later [following the breach].”

The hospital says information on the affected server included patient names, addresses, dates of birth, Social Security numbers, diagnosis and treatment data, and insurance billing information.

On the bright side, while the investigation into the breach continues, DCGH says it has (so far) no evidence that patient information was acquired or viewed by unauthorized parties.

“Based upon reports of similar incidents, we do not believe that your health information was targeted by any unauthorized individual installing the software on the server,” reads the reassuring notice.

The growing popularity of cryptocurrency has spawned huge interest in cryptocurrency miners and ransomware. Digital currency is highly untraceable, while at the same time it can be generated out of thin air by hacking and using other people’s computers to ‘mine’ new coins.

For the curious, the cryptocurrency mined with the hacked EMR vendor’s systems was reportedly Dash. According to the World Coin Index, which tracks the fluctuating values of all cryptocurrencies in existence, Dash is the fourth-most valuable cryptocurrency per unit, currently trading at 557 USD.

For comparison, one Ethereum is $820, BitcoinCash sells for just over $1,000, and the almighty Bitcoin – which two months ago stood at almost $20,000 per unit – is now worth $8,200.

Security hole meant Grammarly would fix your typos, but let snoopers read your every word

A Google vulnerability researcher has found a gaping security hole in a popular web browser extension that could potentially have exposed your private writings on the internet.

The Grammarly real-time spelling and grammar checker, which has over seven million daily users, describes itself as all you need to ensure that “everything you type is clear, effective, and mistake-free.”

As someone who is prone to getting muddled over whether to use “less” or “fewer”, or how to spell “accommodation”, I can certainly understand its appeal.

But since Grammarly is constantly looking over your shoulder at everything you type online, you want to be sure that it is taking proper care of the information it is proof-reading for you.

Perhaps, then, poor spellers around the world should be grateful that vulnerability hunter extraordinaire Tavis Ormandy of Google’s Project Zero group appears to have found what he described as a “high severity bug” before it was uncovered by anybody more malicious.

Ormandy discovered that a simple piece of JavaScript hidden on a malicious website could secretly trick the Grammarly extension for Firefox and Chrome into handing over a user’s authentication token.

With such a token, a malicious hacker could log into your Grammarly account, access Grammarly’s online editor, and unlock your “documents, history, logs, and all other data.”

The good news is that Grammarly responded with impressive speed after being informed of the problem by Ormandy. Even though the Google security researcher gave Grammarly 90 days to fix the issue, it was actually resolved within a few hours – a response time that Ormandy described as “really impressive.”

Grammarly turned to Twitter to reassure users that it had rolled out a patch for the bug, and that exploitation of the vulnerability was limited to text saved in the Grammarly Editor.

“This bug did not affect the Grammarly Keyboard, the Grammarly Microsoft Office add-in, or any text typed on websites while using the browser extension.”

“The bug is fixed, and there is no action required by our users.”

With an automatic update already rolled out to the Firefox and Chrome extension libraries, chances are that the problem has been fixed before it could be maliciously exploited. All the same, it’s impossible to be 100% certain that Tavis Ormandy was the first person in the world to uncover this particular bug – so it always makes sense to keep your eye open for suspicious activity.

Running Firefox, OnyX or Deeper on your Mac? You might be mining cryptocurrency for a hacker

Three widely used Mac apps infected with cryptocurrency miners have been flagged by security researchers this week. The programs, distributed through third-party aggregators (i.e. not the official Mac App Store), need to be immediately uninstalled if users are to stay out of harm’s way.

Earlier this week, researchers found fake or otherwise modified versions of Mozilla’s Firefox web browser, as well as system tools OnyX and Deeper, infected with cryptocurrency-mining malware targeting Macs. The modified apps were distributed through MacUpdate, a third-party Mac software aggregator.

Deeper is a personalization utility and OnyX is a popular maintenance tool. Both apps were created by veteran development studio Titanium Software.

Dubbed OSX.CreativeUpdate, the malware spread through hacked pages on MacUpdate. OSX.CreativeUpdate is a Trojan that, once installed, downloads its cryptocurrency mining component. The miner hijacks the Mac’s processor to generate digital “coins” that go straight to the attacker’s wallet.

A spokesperson for MacUpdate confirms the hack in a comment on all three infected download pages.

“If you have installed-and-run Firefox 58.0.2, OnyX, or Deeper since 1 February 2018, please accept my apologies, but you will need to follow these steps to remove a bitcoin miner which hacked versions of those apps,” writes the person, identified only as Jess. “This is not the fault of the respective developers, so please do not blame them. The fault is entirely mine for having been fooled by the hackers.”

In short, if you’ve downloaded any of these three apps through MacUpdate as of late, you need to trash them.

However, just deleting the app binaries is not enough. As power users should know, when new software is installed, macOS stores additional application resources in other parts of the system – specifically, the Library folder. So, even if you delete the app itself, some leftovers might remain in this directory.

Case in point – according to Jess, users need to follow these exact steps to eliminate any potential infection with OSX.CreativeUpdate:

  • Delete any copies of the above titles you might have installed.
  • Download and install fresh copies of the titles.
  • In Finder, open a window for your home directory (Cmd-Shift-H).
  • If the Library folder is not displayed, hold down the Option/Alt key, click on the “Go” menu, and select “Library (Cmd-Shift-L)”.
  • Scroll down to find the “mdworker” folder (~/Library/mdworker/).
  • Delete the entire folder.
  • Scroll down to find the “LaunchAgents” folder (~/Library/LaunchAgents/).
  • From that folder, delete “MacOS.plist” and “MacOSupdate.plist” (~/Library/LaunchAgents/MacOS.plist and ~/Library/LaunchAgents/MacOSupdate.plist).
  • Empty the Trash.
  • Restart your system.
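As an added example, not part of MacUpdate's notice or Jess's steps, the check a practitioner would want before and after following them: a Python script that looks for exactly the artefacts named above (the mdworker folder and the two LaunchAgents plists) under a home directory and removes them, unloading the launch agents first so launchd does not restart the miner before the reboot. The launchctl unload step is an assumption added here, not something the notice states.

```python
"""Added example (not part of MacUpdate's notice): verify and carry out the
OSX.CreativeUpdate cleanup steps against a home directory.

The artefacts checked are exactly the ones named in the removal steps:
~/Library/mdworker/, ~/Library/LaunchAgents/MacOS.plist and
~/Library/LaunchAgents/MacOSupdate.plist. Nothing else is assumed about
the malware.
"""
import shutil
import subprocess
from pathlib import Path

# Paths relative to the user's home directory, as given in the removal steps.
LAUNCH_AGENTS = [
    "Library/LaunchAgents/MacOS.plist",
    "Library/LaunchAgents/MacOSupdate.plist",
]
MINER_DIR = "Library/mdworker"


def find_leftovers(home=None):
    """Return the list of CreativeUpdate artefacts present under `home`
    (defaults to the current user's home directory)."""
    base = Path(home) if home is not None else Path.home()
    candidates = [base / MINER_DIR] + [base / p for p in LAUNCH_AGENTS]
    return [str(p) for p in candidates if p.exists() or p.is_symlink()]


def _unload_agent(plist):
    """Ask launchd to stop the agent before its plist is deleted, so the
    miner is not relaunched between now and the restart the steps call for.
    Skipped silently when launchctl is not available (i.e. not on macOS);
    this step is an assumption added here, not part of the notice."""
    if shutil.which("launchctl") is None:
        return
    subprocess.run(["launchctl", "unload", str(plist)],
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                   check=False)


def clean(home=None):
    """Remove the artefacts and return the paths that were removed."""
    base = Path(home) if home is not None else Path.home()
    removed = []
    for rel in LAUNCH_AGENTS:
        plist = base / rel
        if plist.is_file():
            _unload_agent(plist)
            plist.unlink()
            removed.append(str(plist))
    miner = base / MINER_DIR
    if miner.is_dir():
        shutil.rmtree(miner)
        removed.append(str(miner))
    return removed


if __name__ == "__main__":
    if not find_leftovers():
        print("no OSX.CreativeUpdate artefacts found")
    else:
        for path in clean():
            print("removed", path)
        print("restart the system to finish the cleanup")
```

Run it after reinstalling the clean apps and before emptying the Trash; the script reports what it removed so the result can be verified against the list above.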

The web site says it already fixed the pages for Firefox, Onyx and Deeper. A lot of Mac owners make use of the vast software library that is MacUpdate. However, we advise downloading your third-party software either from the developer’s web site or through Apple’s curated Mac App Store. For more peace of mind, run Bitdefender Antivirus for Mac, which classifies cryptocurrency miners as malware and blocks them as such.

A Look Back: Reviewing the Worst Cyber Attacks of 2017 and the Lessons Learned

Unsurprisingly, 2017 was another year of record-high attacks and breaches.

It seems that each year that passes is worse than the last in terms of hacking and cyber attacks, and 2017 was no exception.

"Surprising no one, 2017 was marked another 'worst year ever' in data breaches and cyber incidents around the world," said Jeff Wilbur, director of the Internet Society's Online Trust Alliance.

Continuing the trend of years past, 2017 saw numerous high-profile data breaches and dangerous malware and ransomware samples, each appearing more sophisticated and advanced than the last. Hackers aren't easing up on business or consumer targets anytime soon. So the best course of action for the industry to take is to apply the lessons learned from these attacks to future protection strategies.

"The vast majority of 2017 breaches could have been prevented with simple security processes."

Let's review some of the disastrous breaches, attacks and infections that took place in 2017 and see what lessons can be learned from these impactful instances: 

Equifax: Waiting to report a breach

Hands down, Equifax was the poster child for calamitous data breaches last year. Unfortunately, this breach event included a veritable storm of worst-case scenarios – not only did the breach impact a considerable number of consumers, but it was highly sensitive data that was stolen, and the information was taken from a company that promised to help prevent the kind of fraud its breach likely supported.

According to CNN, attackers breaching Equifax systems were able to steal 182,000 sensitive documents that included customers' personal information, as well as 209,000 credit card numbers. All told, the attack is estimated to impact as many as 143 million Americans, whose Social Security numbers, birth dates, addresses and other personal details were contained in stolen documents.

One of the most daunting issues about this attack is that hackers made off with basically everything an attacker needs to create a stolen identity profile. These packaged identities sell for $30 or more on underground black markets, and with the sheer amount of data stolen, attackers stand to make a bundle from this attack, while threatening the identities of millions.

"Data breaches involving Social Security numbers are not rare, but this is the largest ever recorded," said Eva Velasquez, Identity Theft Resource Center CEO. "This is a unique situation because of the quality of data that was stolen along with the scale of the breach."

A key lesson for businesses to learn from this attack is not to wait to report the breach. CNN noted that the company paused for six full weeks before making the public aware of the attack. This gave hackers a considerable head start when it came to the sale and eventual fraudulent use of stolen sensitive data.

When a breach takes place, it's imperative to respond as quickly as possible, and ensure that those impacted by the event are aware. In this way, the breached organization along with its affected customers and partners can work in tandem to reduce the consequences.

[Image: Consumer handing over a credit card with POS portals in the background.] Credit monitoring and fraud prevention firm Equifax was the victim of one of the most damaging breaches of 2017.

Uber: Covering up the attack

Popular ride-sharing service Uber was breached in the fall of 2016, with the names, emails and phone numbers of 57 million users being compromised in the process. This instance makes this year's list, however, because the breach wasn't reported until the company's new CEO Dara Khosrowshahi came forward in late November 2017 – over a year later.

Worse still, is the fact that it appears the company worked to actively cover up the attack instead of addressing it. WIRED contributor Lily Hay Newman reported that Uber paid a $100,000 ransom to hackers to prevent them from exposing the attack to the public.

"These actions likely violated data breach disclosure laws in many states, and Uber reportedly may have even tried to hide the incident from the Federal Trade Commission investigators," Newman wrote. "If you're going to be hilariously sketchy about covering up your corporate data breach, this is how it's done."

A word to the wise: Don't.

WannaCry: Unpatched vulnerability 

In addition to damaging attacks on businesses, 2017 also presented lessons in individual samples impacting a wide swath of organizations across the globe. In a single day, thousands of targets around the world were impacted by WannaCry, with some instances being life threatening – WIRED reported that the particularly damaging ransomware sample infected the National Health Service in the United Kingdom, and affected the daily operations and patient care in emergency rooms, hospitals and facilities.

Compounding the damages here was the fact that the ransomware leveraged a critical vulnerability now known as EternalBlue, which was made public after hacking group the Shadow Brokers breached the National Security Agency in the spring of 2017. After the attack, the Shadow Brokers released stolen NSA tools, including the EternalBlue Windows exploit.

CNN reported that, all told, WannaCry impacted targets in over 150 countries. Although a patch for EternalBlue was released before the vulnerability was highlighted by the Shadow Brokers, the number of infected organizations shows the risk outdated software can pose.

"The WannaCry infections were so bad that, in an unusual move, Microsoft released a patch for Windows systems that it had stopped updating," CNN contributor Selena Larson wrote.

[Image: "Ransomware" in red among white and grey zeros and ones.] WannaCry was one of the worst ransomware infections seen last year.

Honorable mention: Misconfigured security exposes voter records

While not one of the most widespread or damaging instances of last year, there's still a critical lesson to be learned here.

In the spring of 2017, a security researcher found open and accessible records of nearly 200 million American voters. The issue was eventually traced back to misconfigurations by a GOP data firm within its Amazon cloud storage security settings. Interestingly, CNN pointed out that this wasn't the only event of its kind recently.

"It was the latest in a string of major breaches stemming from insecure Amazon servers where data is stored," Larson wrote. "They are secure by default, but Chris Vickery, a researcher at cybersecurity firm UpGuard, regularly finds that companies set it up wrong."

This instance shines the light on security settings – it's imperative that organizations understand the services they are using and the configuration choices available to them. Any time a change is made, IT stakeholders should check that settings have been adjusted correctly and that no open doors are left for unauthorized users.

A need for robust, multi-layered protection

There are several lessons to be learned from last year's infections and breaches. In addition to the points discussed above, it's critical that businesses have multi-layered protection in place and consistently leverage best practices for data protection.

TechRepublic reported that the vast majority of 2017 breaches – 93 percent overall – could have been prevented with simple security processes like ensuring patches are in place, blocking fraudulent email addresses and training employees about phishing strategies.

For more information on securing data and systems within your enterprise, connect with the experts at Trend Micro today.

FBI sounds alarm over malware-laden phishing email making the rounds

Phishing remains the greatest threat to online services, even though it’s one of the oldest tricks in the book. A warning by the FBI suggests phishing scams will continue to make headlines in 2018, as bad actors go as far as to impersonate the FBI cybercrime division, sending out malware-laced emails in its name.

In a public service announcement, the bureau says it has received complaints about an apparent phishing scam involving its Internet Crime Complaint Center (IC3). An investigation into these claims made over the past seven months revealed they were true.

In typical fashion, the email templates (three, by the FBI’s last count) attempt to persuade victims to supply sensitive personal information that the attackers can then use to access their finances. If all else fails, the email relies on a plan B of sorts to infect the victim’s computer with malware.

“Cyber actors are scamming victims into providing personal information and downloading malicious files by impersonating the Internet Crime Complaint Center (IC3),” reads the note.

“In a recent scam, the unknown actors emailed victims requesting the recipients provide additional information in order to be paid restitution. In an attempt to make the emails appear legitimate, the scammers included hyperlinks of news articles which detailed the arrest or apprehension of an internet fraudster. The unknown actors also attached a text document (.txt) to download, complete, and return to the perpetrators. The text file contained malware which was designed to further victimize the recipient.”

The intelligence agency posts three examples of email templates that the attackers are using, with one bearing telltale signs of a typical phishing scam.

The clues – ranging from crippled English and sloppy punctuation to overemphatic arguments and an overall juvenile narrative – are striking enough to prompt even the untrained user to think twice before handing over personal information.

The bureau advises anyone who believes they may be a victim of an online scam to file a complaint with the IC3 at www.ic3.gov.

In a joint cybersecurity study last year, Google and the University of California revealed phishing was the greatest threat to account-based online services.

More recently, data compiled by experts in email analytics showed that online retailers are exposing their customers to huge risks by maintaining weak email validation systems. Specifically, 87.6 percent of root domains operated by top e-retailers in the U.S. and E.U. are putting their consumers at risk of having their data stolen through phishing attacks, the research found.

How hackers recycle top threats

Just like white hat developers, hackers have been known to reuse and recycle code.

Developers are known for reusing pieces of code over and over again – after all, if it isn't broke, why fix it? In fact, this is what makes open source programs so popular and valuable – as opposed to having to create completely new code, developers can utilize existing open source code, and can leverage it in a way that fits their current needs.

Unfortunately, this approach isn't only used by software developers and other white hats – hackers have also recycled and repacked older exploits that worked well in the past to create a completely new threat. Worse still, many of these reused threats are leveraged in combination with new and sophisticated infection strategies, making them even more difficult to protect against.

Most new malware isn't new

With all the different statistics coming out about new malware, it's easy to assume that the internet and connected systems are flooded with threats. In fact, G Data reported that 22 million new malware samples were identified during Q1 of 2017. To put it another way, this means that a new threat was found almost every 4 seconds.

While it's certainly true that there are a considerable number of malware samples available for hackers to choose from, many of these aren't exactly new.

"22 million new malware samples were identified during Q1 of 2017."

"[M]ost of it is actually a Frankenstein-version that consists of chunks of code that have been pieced together from existing malware or publicly released vulnerabilities and tools," Secplicity pointed out.

In this way, hackers leverage existing code and capabilities, and build upon these with unique functions to establish a new malware sample.

Motivations for reuse

There are several reasons why this reuse and recycling approach is popular among hackers. First and foremost, it saves them time. Instead of having to create new code for a basic function, it's much faster and easier to use a section of code that the hacker knows already works. What's more, as security analyst Marc Laliberte pointed out, saving time in this way enables cybercriminals to direct their attention to more pressing pursuits.

"Why reinvent the wheel when another author already created a working solution?" Laliberte wrote. "By copying code wherever possible, malware authors have more time to focus on other areas, like detection avoidance and attribution masking."

In addition to reusing code to save time, many cybercriminals will also recycle top threat capabilities simply because they've shown to be successful in the past. This is why there are countless variants of ransomware, spear-phishing campaigns and other tactics.

Making code available: Malware and exploit kits

It's also become incredibly simple for hackers to access and reuse code thanks to available sources like malware and exploit kits. These kits package threats and code into a single package, and are often offered for sale on underground marketplaces or hosted on compromised websites.

For instance, Sensors Tech Forum contributor Milena Dimitrova reported that researchers who examined 66,000 URLs and over 7,800 phishing kits discovered two kits in particular that were in place within more than 30 compromised hosts.

In addition to selling the kits themselves, some hackers also provide back-doored kits, allowing other cybercriminals to access previously compromised hosts.

[Image: malware] Frankenstein-style malware can be insidious.

Examples of reuse

Let's take a look at a few cases wherein hackers borrowed code from another malware author:

  • Reaper and Mirai: Laliberte noted that this is one of the best examples of code reuse, where hackers utilized sections of code from the Mirai botnet, a particularly powerful and successful threat. Reaper leveraged basic code from Mirai, but built upon the threat by improving upon Mirai's exploitation and launching tactics.

    "Reaper's additions to the Mirai source code include active exploitation of known IoT vulnerabilities and the use of the LUA programming language, allowing more sophisticated attacks than simple DDoS," Laliberte wrote.

  • WannaCry and NotPetya: This is an interesting example where hackers capitalized upon the work of hacktivist group the Shadow Brokers. The group released source code that included identification of several zero-day vulnerabilities within Microsoft Windows' file-sharing service. The code, initially stolen by the Shadow Brokers from none other than the NSA, was repurposed by hackers in the damaging WannaCry and NotPetya ransomware campaigns.
  • Carbanak and Silence Trojan: It isn't just sections of code that are reused – as discussed previously, hackers also like to repurpose infection techniques and mechanisms that served them well in the past. Dimitrova pointed out that this is just what occurred with the Carbanak and Silence Trojans.

    When researchers observed the Silence Trojan – which enabled hackers to access internal banking networks and create video recordings to better understand how legitimate software was being used by employees – they noticed that the attack strategy was familiar. Both the Silence Trojan and the previously discovered Carbanak samples used this approach, leveraging the lessons learned from the video recordings to steal as much money as possible while remaining under the radar of employees and security systems.

Threat reuse on the horizon

According to predictions from Trend Micro's 2018 report, it doesn't appear that this style of threat reuse will stop anytime soon. In fact, experts forecast that familiar infection techniques like those used to spread email and web-based spam will resurface in connection with the fake news triangle.

"From spear-phishing emails sent to foreign ministries to the blatant use of documents to discredit authorities, dubious content can spread freely and spark forceful opinions or even real protests," the 2018 Security Predictions Report stated. "Manipulated political campaigns will continue to mount smear tactics and deliberately shift public perception, as allowed by the tools and services readily available in underground marketplaces. It is likely that the upcoming Swedish general election will not be exempt from attempts to influence the voting outcome through fake news."

This makes hackers' capabilities even more potentially damaging than before. Because threats are now available on underground marketplaces, hackers no longer need specific coding skills – they can simply purchase a pre-built threat and reuse it with minor modifications to reduce the chances of detection. 

[Image: Digital magnifying glass over a digital background of 0s and 1s.] New threats built using the capabilities of old infections create dangerous malware samples.

Protecting against new and old threats

Because new threats will continue to reuse previously established tactics, it's important that organizations take the proper steps to protect their brands, their technological investments and their critical data:

  • Use multi-layered security: There should be several protection systems standing in between the company IT assets and a malicious, unauthorized user.
  • Limit automatic capabilities: As Dimitrova noted, it can be helpful to limit or even disable certain automatic system capabilities, and instead implement settings wherein these types of services prompt for admin access before carrying out functions. This will enable more visibility over the activity taking place on individual machines and across the network.
  • Make sure patches are in place: Older exploits typically succeed because systems aren't patched quickly enough for known vulnerabilities. When an update is released, it's best that the patch is put in place as soon as possible.
  • Educate about current threats: It's imperative that users and stakeholders across the company are educated about current top threats. Employees themselves can provide an extra layer of security, helping to prevent tried-and-true tactics like phishing and social engineering from impacting the organization.

To find out more, connect with the experts at Trend Micro today.

India bans cryptocurrencies, but will further explore blockchain

The Indian government doesn’t recognize bitcoin as legal tender and is fully committed to eliminating cryptocurrency payments from its system, Bloomberg writes. Government officials have repeatedly called cryptocurrency payments mere ‘Ponzi schemes’ and sent out thousands of tax notices to cryptocurrency investors.

Despite banning the purchase and sale of cryptocurrency, the Indian government wants to further explore blockchain technology (on which bitcoin is based).

“The government does not consider cryptocurrencies legal tender or coin and will take all measures to eliminate use of these crypto-assets in financing illegitimate activities or as part of the payment system,” Finance Minister Arun Jaitley told lawmakers in New Delhi on Thursday. “The government will explore use of blockchain technology proactively for ushering in digital economy.”

India is not the only country taking measures affecting cryptocurrencies; South Korea and China also announced recently they would regulate cryptocurrencies.

Generally, countries have different policies regarding cryptocurrencies and are looking into either banning them or legalizing cryptocurrency payments by enforcing the same taxes and reporting obligations as for traditional currency.

Social media giant Facebook announced this week that it will ban ads promoting “financial products and services that are frequently associated with misleading or deceptive promotional practices, such as binary options, initial coin offerings and cryptocurrency.”

Following Jaitley’s announcement that India will ban cryptocurrencies, bitcoin, ripple and ethereum prices dropped dramatically.

The Evolution of Ransomware

Ransomware has become a pervasive, dangerous and expensive threat to businesses and individual users.

While many businesses and individual users understand that ransomware isn't a new threat, many don't actually know how long this particular infection style has been utilized by hackers. The first attacks took place more than a decade ago, and since then, ransomware authors have only become more sophisticated and creative when establishing advanced locking or encrypting infection samples.

Compounding the issue of increasingly dangerous samples is the fact that the malicious actors behind the attacks are now demanding higher ransoms – and, in some instances, even after a particularly expensive ransom is paid, files and data remain inaccessible to attack victims.

Because the first step toward protection and prevention is knowledge, it's imperative that enterprise leaders and employees understand this rampant threat. Today, we're taking a closer look at the history and evolution of ransomware.

Early history: The first attacks

According to Trend Micro's research paper, Ransomware: Past, Present and Future, some of the earliest ransomware infections took place more than 10 years ago, in 2005 and 2006. These attacks targeted victims in Russia and used compression to lock files away inside password-protected archives on victims' endpoints. They also uploaded a file to the victim's computer to present the ransom note, which demanded $300 for the return of access to data and files.

These early ransomware samples didn't exactly operate in the way that today's samples do. Often, the pervasive ransomware that we're used to hearing about today falls under one of two categories – locking ransomware, or encrypting ransomware. In both cases, victims are unable to open and retrieve files and data. Per their names, locking ransomware locks the operating system and prevents access that way, whereas encrypting ransomware leverages robust encryption algorithms and then demands ransom for the decryption key.

The first ransomware samples, however, were only capable of locking down specific files, but malware authors ensured that their malicious code targeted some of the most commonly used types, including .JPG, .PDF, .ZIP and .DOC.

[Image: Yellow "INFECTED" key on a keyboard with a skull and crossbones.] Ransomware infections have evolved considerably over the last decade.

Heading into the mainstream: Fear-inducing ransom notifications

Fast forward a few years, and ransomware was becoming increasingly sophisticated and impactful. In 2012, we saw some of the first infections that looked to cash in on fear for payment. In 2012, attackers in Russia and Europe utilized a ruse involving ransomware notes that appeared to be legitimate warnings from law enforcement. This tactic made victims believe they had somehow broken the law, and had to pay a fine to resolve the matter.

This fear-based strategy was used for years, and even made its way onto mobile platforms. In 2015, The Register contributor John Leyden wrote about an Android ransomware sample that displays a warning message appearing to be from the FBI.

"The device's home screen delivers an alarming fake message from the FBI telling users they have broken the law by visiting pornographic websites. To make the message more compelling, hackers add screenshots of the so-called browsing history. The warning gets scarier as it claims to have screenshots of the victims' faces and know their location," Bitdefender chief security strategist Catalin Cosoi told Leyden.

What's more, this sample had the ability to increase the price of the ransom based on victims' responses – while the initial ransom sat at $500, hackers demanded $1,500 from those who attempted to bypass the fraudulent FBI and unlock their devices. This type of ransomware was a far cry from early samples, which were incredibly basic by comparison.

Crypto-ransomware bursts onto the scene

As time passed, malware authors used increasingly damaging methods to encourage victims to pay up. By 2013, hackers weren't just locking away files and preventing access with on-screen ransom demands. This was the year that crypto-ransomware samples came about, which had the ability to eliminate data as well as lock it away.

"This threat no longer just encrypted files, it started deleting files if victims refused to pay," Trend Micro noted. "To get files back, victims were asked to pay varying ransom amounts in the form of Bitcoins in exchange for a decryption key."

"Eliminating data could mean the collapse of the company, so victims were considerably motivated to pay."

This type of ransomware was incredibly impactful when it came to unsecured and unprepared businesses – eliminating data in this type of setting could mean the collapse of the company, so victims were considerably motivated to pay.

Secondary ransom demands

We've even seen instances in which organizations pay the ransom, but the desired outcome – the returned access to files and data – doesn't actually happen. In 2016, Healthcare IT News contributor Bill Siwicki reported on a ransomware infection that took place at a Kansas hospital. In this case, the health care institution paid the initial ransom, but did not receive its unlocked data as promised – instead, hackers demanded a second ransom, which the hospital did not pay.

"Demands for funds are soaring, and the problem is organizations are paying. Ransomware will get worse before it gets better," said Fortinet vice president Ryan Witt. "You don't want to think of return on investment as it pertains to criminal activity, but there is a strong ROI, and these attackers are quite sophisticated and know there is money to be made."

A global attack surface: WannaCry and Petya

One family that surely won't become a footnote in the evolution of ransomware is WannaCry. CSO called the infection "a perfect ransomware storm," and with its extensive reach and high-profile victims, it isn't difficult to understand why.

WannaCry spread across networks in numerous different countries in May 2017 and quickly became one of the most pervasive ransomware threats to date. The sample leveraged the Windows vulnerability EternalBlue leaked by hacking group the Shadow Brokers, and attacked businesses, health care providers, utility companies and other organizations in Europe, Japan and beyond.

Following close on the heels of WannaCry was Petya, which as The Guardian pointed out, represented the second major global ransomware attack taking place within the space of just eight short weeks. Petya also leveraged the same Windows vulnerability, but had a backup plan in case a patch was installed – the ransomware could also seek out weaknesses in Windows administrative tools to spur attack.

On the horizon: What's next for ransomware?

Experts don't see an end to ransomware anytime in the near future. In fact, Trend Micro forecasted in its 2018 Security Predictions report that ransomware will "only be anticipated to make further rounds," particularly as the rise of ransomware-as-a-service within underground marketplaces becomes more popular.

In this environment where ransomware continues to be a dangerous threat, businesses and individual users should protect their data and assets with multi-layered security solutions coupled with robust backups.

To find out more about guarding against ransomware infections, connect with the experts at Trend Micro today.

90% of online retailers expose customers to phishing attacks – research

Phishing, one of the most common attack vectors that cybercriminals use to steal your data, remains a huge risk for online shoppers as we enter 2018. New data compiled by experts in email analytics shows that online retailers are exposing their customers to huge risks.

Email phishing is a method to steal sensitive information such as usernames, passwords, credit card information, etc. The recipient receives an email purporting to be from a legitimate party – i.e. their bank – asking them to log into their account, or supply their user name and password for one reason or another.

The fake email is made to look genuine to trick the victim into handing over the information straight to the attackers. Attackers then use those credentials to log into the victim’s accounts and online services and try to steal whatever they can – especially cash.

Phishing and spoofing attacks are most likely when companies lack strong email validation systems. And according to email analytics firm 250ok, nearly all top-tier online retailers in the U.S. and Europe fall embarrassingly in that category.

87.6 percent of root domains operated by top e-retailers in the United States and Europe are putting their consumers at risk of having their data stolen through the most basic form of social engineering – phishing.

The company analyzed 3,300 domains of the top 1,000 U.S. internet retailers and 500 EU internet retailers by revenue and found most do use some level of email authentication on their domains.

However, the vast majority are inconsistent in their approach across the multiple domains they control. Only 11 to 12 percent of top retailer domains meet the recommended minimum protocol for the email channel, according to the study.

“By failing to publish basic authentication records like SPF and a DMARC record for all of the domains they operate, retailers are blind to the potential abuse of their brands’ domain names,” said Matthew Vernhout, director of privacy at 250ok. “It leaves both the brand and the consumer unnecessarily exposed to phishing attacks that damage brand trust.”
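As an added example (not 250ok's methodology), a grader for the "basic authentication records" Vernhout mentions: it checks each of a retailer's domains for a valid SPF record and a DMARC record with an enforcing policy, and flags a portfolio where only some of the domains a brand controls are covered. The "recommended minimum" it applies (SPF without +all, plus DMARC at quarantine or reject) and the TXT records for the .example domains are assumptions constructed for the example.

```python
"""Added example (not 250ok's own method): grade a retailer's domains on the
SPF and DMARC records the study refers to, and flag an inconsistent portfolio.

Runs offline on constructed TXT record data. A real run would fetch the TXT
records for `domain` and `_dmarc.domain` from DNS and pass them in the same
{name: [txt, ...]} shape.
"""

# DMARC policy strength, weakest first. p=none only monitors; it does not
# stop a spoofed message from reaching the inbox.
DMARC_RANK = {"none": 1, "quarantine": 2, "reject": 3}


def parse_spf(txt_records):
    """Return the SPF record's terms, or None when absent or ambiguous.
    RFC 7208 allows exactly one TXT record beginning with 'v=spf1'."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None
    return spf[0].split()[1:]


def parse_dmarc(txt_records):
    """Return the DMARC tags as a dict, or None when no usable record exists
    (a DMARC record must carry a 'p' policy tag)."""
    dmarc = [r for r in txt_records
             if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return None
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if "p" in tags else None


def grade_domain(txt_by_name, domain):
    """Grade one domain. 'spf_allows_all' is True when the record ends in
    '+all' (or a bare 'all'), which authorises any sender on the Internet."""
    findings = []
    spf = parse_spf(txt_by_name.get(domain, []))
    allows_all = spf is not None and ("+all" in spf or "all" in spf)
    if spf is None:
        findings.append("no valid SPF record")
    elif allows_all:
        findings.append("SPF ends in +all: authorises every sender")
    dmarc = parse_dmarc(txt_by_name.get("_dmarc." + domain, []))
    policy = None
    if dmarc is None:
        findings.append("no DMARC record")
    else:
        policy = dmarc["p"].lower()
        if policy not in DMARC_RANK:
            findings.append("unknown DMARC policy " + policy)
            policy = None
        elif policy == "none":
            findings.append("DMARC p=none only monitors, does not block")
        if dmarc.get("pct", "100") != "100":
            findings.append("DMARC applied to only " + dmarc["pct"] + "% of mail")
    return {"domain": domain, "spf": spf is not None,
            "spf_allows_all": allows_all, "dmarc_policy": policy,
            "findings": findings}


def meets_minimum(report):
    """The 'recommended minimum' used here (an assumption, not 250ok's
    definition): valid SPF that is not +all, plus DMARC at quarantine or reject."""
    return (report["spf"] and not report["spf_allows_all"]
            and report["dmarc_policy"] in ("quarantine", "reject"))


def grade_portfolio(txt_by_name, domains):
    """Grade every domain a retailer controls; 'consistent' is False when
    only some of them meet the minimum, which is the gap the study describes."""
    reports = [grade_domain(txt_by_name, d) for d in domains]
    compliant = [r["domain"] for r in reports if meets_minimum(r)]
    return {"reports": reports, "compliant": compliant,
            "consistent": len(compliant) in (0, len(domains))}


# Constructed sample: one retailer, three domains, uneven coverage.
SAMPLE_TXT = {
    "shop.example": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.shop.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@shop.example"],
    "shop-mail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_dmarc.shop-mail.example": ["v=DMARC1; p=none; rua=mailto:dmarc@shop.example"],
    "shop-promo.example": ["v=spf1 +all"],
    # shop-promo.example publishes no _dmarc record at all
}
SAMPLE_DOMAINS = ["shop.example", "shop-mail.example", "shop-promo.example"]

if __name__ == "__main__":
    result = grade_portfolio(SAMPLE_TXT, SAMPLE_DOMAINS)
    for r in result["reports"]:
        print(r["domain"], "OK" if meets_minimum(r) else "; ".join(r["findings"]))
    print("consistent across portfolio:", result["consistent"])
```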

Some 91 percent of all cyberattacks begin with a phishing email so, especially with the General Data Protection Regulation just around the corner, online retailers clearly have a huge problem on their hands. And they will have to deal with it by May, or else.

Last year, Google did a joint study with the University of California, Berkeley to better understand how hijackers trick users into taking over their online accounts. Researchers found that, between March 2016 and March 2017, cybercrooks ran off with 12 million credentials solely via phishing attacks.

Bitcoin hijack steals from both ransomware authors AND their victims

Talk about having a bad day…

First you get hit with ransomware, demanding you send a Bitcoin payment to anonymous hackers

Then you realise that you don’t have a secure backup of your files, so you’ll have to pay up to have any hope of getting your files back.

And finally, after you have worked out how to buy yourself some Bitcoins online, and as you are attempting to pay the hackers their ransom… the payment gets diverted to someone else entirely.

In short, your files are still encrypted, and you’ve lost all your money.

That’s the ultimate bad-day scenario being described by security researchers who claim to have identified a scam that both steals from ransomware authors and their victims.

Here’s the background.

It’s not at all unusual for ransomware to present victims with a demand that the ransom be paid via a Tor .onion site on the dark web. Of course, the typical victim of ransomware has probably never been on the dark web, and probably doesn’t have the first clue about how to install the Tor browser.

As a result, they might use a Tor proxy instead. Tor proxy services act as a man-in-the-middle, allowing anybody to simply enter a .onion address into a website – or add a suffix to the URL such as “.to” or “.top” – to have their request completed, with no need to install special software.

Of course, you are putting an enormous amount of trust in the hands of the Tor proxy service that they are not meddling with the information you are seeing – or indeed the data that you are sending.

Fascinatingly, security researchers say they have uncovered evidence that at least one Tor proxy is interfering with ransomware payments, effectively stealing from the ransomware’s authors and victims alike. According to Proofpoint, ransomware payment webpages are being secretly altered when viewed via the Onion.top Tor-to-web proxy in order to display a different Bitcoin address.

Ransomware families such as Sigma, GlobeImposter, and LockeR have all been identified as suffering a sneaky switcheroo of Bitcoin wallet addresses via the proxy, which shows a different payment address than the same page viewed through the real Tor Browser.

Perhaps it’s no surprise then that some ransomware is actually warning its victims not to use Onion.top.

As always, the best way to avoid the effects of ransomware is not to have your computer or smartphone infected in the first place. Be sure to follow Hot for Security’s tips for reducing the ransomware threat before you become the next victim.

How your enterprise applications could be putting your company at risk

The typical enterprise has more than 500 applications in place.

The typical company, large or small, depends on a number of different enterprise applications in order to ensure that employees can complete critical, daily tasks. Apps like those for enterprise resource planning, customer relationship management, screen and file sharing have become commonplace in corporate settings – doing things any other way is archaic, at this point.

However, these key applications are often targeted by hackers, and can provide the perfect entryway for rampant malicious activity across the network. All it takes is a single unpatched vulnerability exploited by a cyber criminal as a launch pad for attack – this simple scenario takes place more often than many enterprises would like to admit, and it can result in a large-scale breach with the potential to take down an organization.

There’s no arguing the criticality and importance of enterprise apps. However, without the proper precautions, employee training and security safeguards, these platforms could be putting your business at serious risk of infection and attack.

How large is the attack surface?

Consider the number of applications the typical company has in place today – some for communications, some for resource tracking, some for production and others with more granular and specific capabilities. What’s more, managers have to consider the shadow IT that could be (and usually is) taking place within the enterprise – if an employee isn’t familiar with, or doesn’t like, the functions of an app, he may download something else, without the approval or oversight of the IT team.

In today’s environment, businesses often have more apps within their networks than they realize. The most recent statistics available show that the average medium- to large-size organization has anywhere between 300 and 400 cloud apps in place, most of which (90 percent) weren’t deployed officially by the IT team, according to ZDNet.

A separate study discovered even more applications – Netskope found that the typical enterprise has more than 500 applications in place, Forbes reported. Worse still, many of these apps supported capabilities that put data at considerable risk – 85 percent of data came from file sharing apps and 81 percent of data being downloaded within the company took place in an app that didn’t include encryption for data at rest.

The bottom line that both studies show is a lack of IT administrator visibility over the apps being used within the organization. Even with best practices in place, IT workers can’t patch vulnerabilities in applications that they don’t know exist within the network. In this way, the attack surface associated with enterprise apps is considerable – the threat exists for almost every business across all industries.

Continuing security flaws

In 2017, companies like Microsoft and Adobe issued countless patches for their platforms – Patch Tuesday is now common practice, and Microsoft users now look out for these monthly updates. Trend Micro analysts predict that the steady stream of security flaws requiring patches in widely used applications isn’t going to slow this year, and IT stakeholders will need to stay on top of installing security patches.

“Users and enterprises are advised to routinely check for software updates and apply patches once they are available,” Trend Micro stated in the report, Security Predictions for 2018: Paradigm Shifts. 

New trend in attack: Manipulating production environments

Hackers aren’t just seeking out specific vulnerabilities in typical enterprise apps – Trend Micro predicted in its new report that cyber criminals will increasingly seek out the digital-twin production platforms that businesses commonly use to pinpoint and resolve performance issues in their actual platforms.

“[W]e believe that while it’s poised to transform operations, the product network can be infiltrated by malicious actors aiming to manipulate the system and cause operational disruptions and damages,” the report stated. “By manipulating the digital twin itself, these actors can make production processes look legitimate when they have, in fact, been modified.”

This sneaky process enables hackers to fly under the radar, and such manipulations can even be later used for attacking real-world production processes.

“If a manipulated piece of data or wrong command is sent to an ERP system, machines will be liable to sabotage processes by carrying out erroneous decisions, such as delivery of inaccurate numbers of supplies, unintended money transfers, and even systems overloads,” the report pointed out.

Image: Your enterprise apps could provide an opening for hacker activity, infection and data breaches.

Weak credentials open doors, provide APT foothold

In addition to exploiting known threats within unpatched applications, hackers can also leverage weak access credentials to break into an application, and eventually, the rest of the enterprise network.

Poor, easily-guessed passwords have been a thorn in the side of businesses for years now, and this problem persists in many industries – the Cloud Security Alliance identified insufficient identity, credential and access management as one of its top 12 threats.

Worse still is that weak passwords can be compounded by the fact that some workers will utilize the same credentials for multiple accounts. Once a hacker breaks into one app using stolen or cracked credentials, he may be able to apply the same credentials to break into other systems.

A breach of this kind can also enable an advanced persistent threat (APT), wherein hackers remain within the infected network and steal data over a long period of time.

“Once in place, APTs can move laterally through data center networks and blend in with normal network traffic to achieve their objectives,” explained CSO contributing writer Bob Violino.

Reducing the risk: Safeguarding enterprise applications

While essential, enterprise applications can still open up considerable risk for today’s businesses. There are some best practices that organizations can use to reduce the threat and better safeguard these critical assets:

  • Work to eliminate shadow IT: It’s imperative that IT stakeholders have visibility into all of the apps present on the network. Company policies should include language that prevents employees from downloading applications without IT approval. In addition, the IT team should create and maintain an application list to ensure that nothing falls through the cracks when it comes to updates and overall security.
  • Install updates; complement with vulnerability shielding: When possible, security patches should be put in place as soon as they are made available. This can be a challenge, however.
    “[A]s administrators can stumble over immediate deployment of updates, we recommend integrating vulnerability shielding into systems so that platforms are protected against unpatched and zero-day vulnerabilities,” Trend Micro advised.
  • Train users appropriately: Employees should receive training on app security that covers their individual responsibilities, as well as the ways in which they contribute to the overall security posture. Training should include establishment of robust, unique access credentials. In addition, when a new application is deployed, employees should be educated about its features and usability to help prevent shadow IT.
  • Consider whitelisting: This common and beneficial approach can help ensure that only approved applications are able to operate within the network, reducing the attack surface and chance for malicious activity.
  • Don’t forget about mobile: It’s not just on-prem applications that present an issue – employees are also accessing company applications from their mobile devices. It’s imperative to put a layer of security on these endpoints to help prevent attack and misuse.
  • Investigate app wrapping for on-prem: TechBeacon noted that an advantageous technique involves wrapping apps, effectively segmenting them into an individual, managed environment. This helps eliminate lateral movement by threat actors, protecting the rest of the network if one app is attacked and infiltrated. App wrapping is best used only for specific apps and in particular situations, but it’s worth considering for platforms with highly sensitive data.
  • Leverage a best-in-class security solution: Layered security is imperative. In this way, organizations should have app-focused security solutions that enable protection of their most critical applications.
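The first two practices above (eliminate shadow IT, keep an application list, install updates) come down to reconciling what is actually installed against what IT approved. The following is an added example, not code from the article or from Trend Micro, that reads a constructed endpoint inventory export and flags both unapproved software and approved software running below its minimum patched version. The application names, versions and the CSV layout (host, application, version) are assumptions for illustration.

```python
"""Reconcile an endpoint software inventory against the approved-app list (added example)."""
import csv
import io
from typing import Dict, List, Tuple

# Constructed approved list: application name -> minimum acceptable (patched) version.
APPROVED: Dict[str, str] = {
    "AcmeCRM": "4.2.1",
    "ShareBox": "12.0.0",
    "ERPSuite": "9.5.3",
}

# Constructed inventory export, as an endpoint-management tool might produce it.
INVENTORY_CSV = """host,application,version
ws-101,AcmeCRM,4.2.1
ws-101,ShareBox,11.4.0
ws-102,AcmeCRM,4.1.9
ws-102,QuickSync,2.0
ws-103,ERPSuite,9.5.3
ws-103,FreeScreenShare,1.3.7
"""

Finding = Tuple[str, str, str]   # (host, application, installed version)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.10.0' into (4, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.strip().split("."))


def load_inventory(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(inventory: List[Dict[str, str]],
              approved: Dict[str, str] = APPROVED) -> Tuple[List[Finding], List[Finding]]:
    """Return (shadow_it, outdated).

    shadow_it: installs of applications not on the approved list at all.
    outdated:  approved applications installed below their minimum version.
    """
    shadow_it: List[Finding] = []
    outdated: List[Finding] = []
    for row in inventory:
        host, app, ver = row["host"], row["application"], row["version"]
        if app not in approved:
            shadow_it.append((host, app, ver))
        elif parse_version(ver) < parse_version(approved[app]):
            outdated.append((host, app, ver))
    return shadow_it, outdated


if __name__ == "__main__":
    shadow, stale = reconcile(load_inventory(INVENTORY_CSV))
    for host, app, ver in shadow:
        print(f"SHADOW IT  {host}: {app} {ver} is not an approved application")
    for host, app, ver in stale:
        print(f"OUTDATED   {host}: {app} {ver} < required {APPROVED[app]}")
```

Comparing versions as tuples of integers matters: as strings, "11.4.0" sorts after "12.0.0" only by accident, and "4.10.0" sorts before "4.9.9". Running this against a real inventory export turns the "application list" recommendation into a repeatable check rather than a document that drifts.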

To find out more and better safeguard your company’s applications, check out Trend Micro’s Intrusion Prevention technology and connect with the experts at Trend Micro today.

Millennials, careless with passwords, spur shift to biometrics – study

A survey of 4,000 adults from the US, the Asia Pacific (APAC) and Europe indicates a new trend is afoot concerning authentication – particularly in the steps consumers take to safeguard their digital lives.

Examining consumer perspectives around digital identity and authentication, IBM Security found that people are beginning to prioritize security over convenience when logging into services and devices, easing the long-held belief that “convenience is king.”

Millennials and the Generation Z, described in the report as “younger adults,” are a bit careless about the strength of their passwords but are also more likely to entrust their digital identity to biometric locks, multifactor authentication and password managers.

“With millennials quickly becoming the largest generation in today’s workforce, these trends may impact how employers and technology companies provide access to devices and applications in the near future,” says the technology giant.

The report is lengthy and studded with numbers, making it a difficult read for some. To make it easier on the eyes, skim the key findings below:

  • While 67 percent are comfortable using biometric authentication today, 87 percent are confident they will join the party soon
  • 75 percent of millennials are comfortable using biometrics, less than half use complex passwords (those containing upper and lower case letters, special characters, etc.) and 41 percent reuse passwords
  • Older generations showed more care with password creation, but were less inclined to use biometrics and multifactor authentication
  • APAC users are more familiar with biometric authentication than consumers in the U.S.
  • The average American manages over 150 online accounts that require a password, and that number is expected to double in the coming years
  • For social media apps, convenience re-enters the spotlight (36 percent), followed by security (34 percent) and privacy (30 percent)
  • 44 percent ranked fingerprint biometrics as one of the most secure methods of authentication
  • 55 percent worry about how their biometric data is collected and used, and 50 percent fear others could fake their biometric data and break into their accounts
  • Those aged 55 and older use 12 passwords, while Gen Z (ages 18 – 20) averages only five passwords, suggesting they re-use them more
  • 75 percent of millennials are comfortable using biometrics, compared to just 58 percent of those over age 55
  • APAC users were also the most comfortable with biometrics today (78 percent comfortable vs. 65 percent EU, 57 percent US)
  • Europe has the strongest password practices, with 52 percent of respondents using strong passwords, vs. 46 percent in APAC and 41 percent in the US

Overall, the data indicates that younger generations are no longer fond of traditional passwords. IBM believes this poses a challenge for employers that manage millennial users’ access to data.

“As the percentage of millennial and Gen Z employees continues to grow in the workforce, organizations and businesses can adapt to younger generations’ proclivity for new technology by allowing for increased use of mobile devices as the primary authentication factor and integrating approaches that substitute biometric methods or tokens in place of passwords,” the report concludes.

HOTforSecurity: Major security flaw in Lenovo’s ThinkPad Manager allows hackers access into your laptop

A critical encryption vulnerability in Lenovo’s ThinkPad Manager Pro software on laptops running Windows 7, 8, and 8.1 could allow hackers access into a user’s computer by bypassing fingerprint recognition, the company confirmed last week in a security advisory.

“A vulnerability has been identified in Lenovo Fingerprint Manager Pro. Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in,” reads the statement.

Devices running Windows 10 were not affected because they use the fingerprint reader support from Microsoft.

To exploit the vulnerability, hackers had to do it in person, as local access was required.

A patch for the Fingerprint Manager Pro application was released on Jan. 25. Users with vulnerable models are encouraged to download and install version 8.01.87.

The vulnerable machines are:

ThinkPad L560
ThinkPad P40 Yoga, P50s
ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
ThinkPad W540, W541, W550s
ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
ThinkPad X240, X240s, X250, X260
ThinkPad Yoga 14 (20FY), Yoga 460
ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
ThinkStation E32, P300, P500, P700, P900

U.S. Secret Service warns hackers use endoscopes to clean out ATMs

You read that right. The first “jackpotting” attacks are unfolding in the U.S., with hackers using medical endoscopes to look inside front-loading ATMs and locate components where they can tether a laptop, inject malware and make the ATM spit out all its cash.

A notice to financial institutions by the US Secret Service reveals that “jackpotting” hackers, typically known to be operating in Europe and Asia, are now targeting the United States, where several such attacks have been unfolding for almost two weeks now.

Sources that asked to remain anonymous told security researcher Brian Krebs that “the Secret Service has received credible information that crooks are activating so-called ‘cash out crews’ to attack front-loading ATMs manufactured by ATM vendor Diebold Nixdorf.”

The hackers have been using the Ploutus.D malware in coordinated attacks over the past 10 days, according to the Secret Service memo. And this is where it gets interesting:

“The Secret Service alert explains that the attackers typically use an endoscope — a slender, flexible instrument traditionally used in medicine to give physicians a look inside the human body — to locate the internal portion of the cash machine where they can attach a cord that allows them to sync their laptop with the ATM’s computer,” Krebs reports.

Once the hackers tether to the ATM’s innards, remote “co-conspirators” begin to control the ATM from afar, forcing it to dispense cash. During this time, the ATM will appear Out of Service.

“In previous Ploutus.D attacks, the ATM continuously dispensed at a rate of 40 bills every 23 seconds [until the machine is completely emptied of cash],” according to the alert.

All financial institutions operating vulnerable machines have reportedly received the memo, complete with instructions to mitigate risk. Notably, the US Secret Service says ATMs still running on Windows XP are “particularly vulnerable” to jackpotting. Operators are urged to ditch the old OS in favor of a newer version.

Last year, Positive Technologies made a video demonstration for BBC Click to show how easy it is to trick ATMs running Windows XP into releasing money on demand. The researchers drilled a hole in the machine, pulled out a USB cable and physically infected the ATM with malware.

More recently, an employee of Russian website Habrahabr showed how a full-size keyboard on a Windows-enabled ATM can allow anyone to hack it with just five keystrokes.

Coincheck Hack Ghosts $534 Million Worth of Cryptocurrency

Following the recent hack of Japanese exchange service Coincheck, $534 million worth of cryptocurrency was stolen from the company’s “hot wallet”. With the investigation revealing that hackers remained undetected for an estimated eight hours on Jan. 25, the Japanese Financial Services Agency (FSA) warned the exchange service to set up improvements that prevent or limit such incidents.

Although Japan has asked all cryptocurrency operators to register with the government in an attempt to regulate the cryptocurrency industry, Coincheck was allowed to continue operations. Because it had applied for a license as an exchange, though, Coincheck does fall under the supervision of the FSA.

The company said it’s currently tracking the missing funds and may be able to recover them. However, there is no guarantee that the process will be successful.

“We know where the funds were sent,” said Co-founder Yusuke Otsuka in a press conference. “We are tracing them and if we’re able to continue tracking, it may be possible to recover them. But it is something we are investigating at the moment.”

While the equivalent of 58 billion yen in NEM tokens was stolen, Coincheck did say it will cover 90 percent of losses using internal funds.

“What’s the lasting impact? It’s hard to tell,” said Marc Ostwald, global strategist at ADM Investor Services International in London. “Japan is one of the most pro-crypto trading countries, among the G-20. In Japan they don’t really want a wholesale clampdown. So it will be interesting how Japanese regulators respond to this, if they indeed do.”

Coincheck is not the first cryptocurrency exchange to fall victim to a cryptocurrency heist; in 2014 Mt. Gox lost between $400 and $480 million. Japanese regulators have since started to try to regulate cryptocurrency exchanges to prevent similar losses.

Hacker uses malware to steal, resell gas in major Russian fraud scheme

Russian Federal Security Service (FSB) agents arrested a Russian national in Stavropol on Sunday for launching a large malware campaign targeting gas stations in southern Russia, Russian news outlet Rosbalt reports.

According to the investigation, Denis Zayev created a malicious program that he sold to dozens of gas station employees to inject into the pumps’ software and cash registers. In some schemes he was also a partner, getting a share of the money from the stolen fuel.

The scam was simple: after the malware was installed on the IT systems, a gas tank would be left empty on purpose so some of the fuel that customers bought would be diverted to the empty tank. Customers would get less fuel than they paid for, while employees resold the fuel collected in the empty tank.

Zayev and his partners stole between 3% and 7% of the fuel for some “hundreds of millions of rubles.” The malicious program was undetectable, and they fully covered their tracks by showing fake data and deleting any information about the resale operation.

Zayev’s scheme covered the Russian territories of Stavropol, Adygea, Krasnodar, Kalmykia and a number of regions in the North Caucasus, in what sources in law enforcement have named the largest scam of its kind.

FSB agents did not say how they detected the crime, but they confirmed it was almost impossible to identify since the malware corrupted the pumps, cash registers and back-end systems.

“In the past, scammers used special ‘bugs’ for theft at the gas station, then they were replaced by viruses,” said a law enforcement source for Rosbalt.

“However, they could still be found. Zayev also created a unique product. His malicious programs could not be detected either by the specialists of the control service of oil companies, who constantly conduct inspections at the filling stations, or the employees of the Ministry of Internal Affairs. And we managed to establish all this in an operative way.”

HOTforSecurity: New ransomware attack forces hospitals to turn away patients

Allscripts, a provider of electronic health record (EHR) technology to hospitals, was hit by ransomware this week, provoking an outage that affected thousands of physicians’ practices and healthcare providers across the United States.

Allscripts reportedly handles data for 180,000 physicians, 100,000 electronic prescribing physicians, 40,000 in-home clinicians, 2,700 hospitals, 13,000 extended care organizations and 7 million patients across the country. Besides EHR tools, it develops and sells solutions for patient engagement and care coordination, as well as financial and analytics technology.

Early this week, the company confirmed to partnering hospitals that it fell victim to a ransomware attack that crippled its systems.

Ransomware is malware that encrypts data on the endpoints it infects. If successful, the malware displays a note demanding payment – in the form of untraceable digital currency – in exchange for decrypting the data.

As reported by Healthcare IT News, facilities relying on their own server were less severely affected than those relying on cloud-hosted services and applications supplied by Allscripts.

Cleveland’s News 5 confirmed this with doctors at Pulmonary Physicians in Canton. Because of the Allscripts outage, the office has not been able to access vital patient information, and is forced to turn away its patients.

Like Hancock Health and Adams Memorial, Allscripts was apparently hit by the same type of ransomware – albeit a slightly different strain – dubbed SamSam. It emerged in 2016 and specifically targeted the healthcare industry.

SamSam spreads through the web and Java apps, and specifically targets external-facing RDP servers. It relies on unsophisticated techniques (i.e., brute-force tools) to guess weak passwords and make its way into the network. Thanks to a wormable component, once it makes its way inside, it spreads laterally to infect other vulnerable systems.
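The brute-force entry described above leaves a distinctive trace: a burst of failed logon events from one source against an RDP server. The following is an added example, not code from the article or from any vendor, of the detection logic a defender would run over a Windows Security log export. It counts 4625 (failed logon) events with Logon Type 10 (RemoteInteractive, i.e. RDP) per source address in a sliding window and raises an alert when the count crosses a threshold. The log lines are constructed sample data in a simplified pipe-separated export format (timestamp|EventID|LogonType|TargetUser|SourceIP), which is an assumption made for the example; a real pipeline would read the same fields from evtx or a SIEM.

```python
"""Detect RDP password-guessing bursts from Windows Security events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

THRESHOLD = 5                   # failed RDP logons from one source ...
WINDOW = timedelta(minutes=2)   # ... inside this window triggers an alert

# Constructed sample export: timestamp|EventID|LogonType|TargetUser|SourceIP
SAMPLE_LOG = """\
2018-01-18T02:14:01|4625|10|administrator|203.0.113.45
2018-01-18T02:14:09|4625|10|admin|203.0.113.45
2018-01-18T02:14:17|4625|10|backup|203.0.113.45
2018-01-18T02:14:25|4625|10|scanner|203.0.113.45
2018-01-18T02:14:33|4625|10|sqlsvc|203.0.113.45
2018-01-18T02:14:41|4625|10|administrator|203.0.113.45
2018-01-18T02:20:00|4625|10|jsmith|10.0.0.7
2018-01-18T02:45:00|4625|10|jsmith|10.0.0.7
2018-01-18T02:46:00|4624|10|jsmith|10.0.0.7
2018-01-18T02:50:00|4625|2|jsmith|-
"""


def parse_events(text: str) -> List[Dict]:
    """Parse the simplified export into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "src": src,
        })
    return events


def detect_rdp_bruteforce(events: List[Dict],
                          threshold: int = THRESHOLD,
                          window: timedelta = WINDOW) -> List[Dict]:
    """Sliding-window count of failed RemoteInteractive logons per source IP.

    One alert is emitted per source the first time its failure count within
    `window` reaches `threshold`; the alert lists the usernames tried so an
    analyst can see whether this is spraying or a single locked-out user.
    """
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: List[Dict] = []
    alerted = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != 4625 or ev["logon_type"] != 10:
            continue                      # only failed RDP logons count
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()                   # drop failures that fell out of the window
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({
                "src": ev["src"],
                "failures": len(q),
                "users_tried": sorted({u for _, u in q}),
                "first": q[0][0],
                "last": ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(f"ALERT {a['src']}: {a['failures']} failed RDP logons "
              f"between {a['first']} and {a['last']}, users {a['users_tried']}")
```

In the sample, 203.0.113.45 produces five failures against five different accounts in about half a minute and is flagged, while the two failures from 10.0.0.7, twenty-five minutes apart and followed by a successful logon, are ordinary user behaviour. One caveat: when Network Level Authentication is enabled, failed RDP attempts are commonly recorded with Logon Type 3 rather than 10, so a production rule should include that case, and the threshold should be tuned to the environment's normal failure rate.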

David Finn, an executive at consulting firm CynergisTek, points out that organizations use endpoint protection tools but forget to lock up servers with antimalware solutions.

“It needs to be on all of your endpoints. We sometimes forget about those servers being endpoints,” said Finn.

Allscripts has not yet issued a public statement on the attack.

3 reasons the ransomware threat will continue in 2018

Ransomware continues to be a dangerous threat for individual users and enterprise systems.

Ransomware has been on the scene for more than a decade now, and thanks to increasingly sophisticated samples that attack victims across nearly every country, it’s become a global threat. According to CSO, ransomware has a longer history than many realize. While large-scale attacks reached the spotlight within the last handful of years, hackers have been using ransomware since 2005. What’s more, ransomware attacks have outnumbered general data breaches for the past 11 years running.

Unfortunately, ransomware continues to prove successful for cybercriminals, and more high-profile business targets fall victim to this kind of infection nearly every day. There’s no doubt that ransomware will maintain its reputation as a formidable threat in the cybersecurity industry. Here are three reasons why this threat will continue to be an issue for years to come:

1) Threats continue to evolve

From an outsider’s point of view, ransomware may appear simple: take something from the victim and demand money for its safe return. However, there are several different types of ransomware threats that fall under the encryption and locker umbrellas, and there are numerous strategies for infecting victims.

The majority of ransomware samples are either crypto-based or locker-based. Heimdal Security explained that crypto-based samples, also known as encrypting or data-locker infections, leverage sophisticated encryption algorithms to make system files and associated data inaccessible to the victim. CryptoLocker is one of the most well-known samples of this kind.

Locker samples, on the other hand, lock down the infected device’s operating system – meaning that all files and data, as well as applications and other system platforms, are rendered unavailable. The recent Petya attacks fall into this category.

In addition to selecting between locker and encryption ransomware samples, attackers also have several choices when it comes to the actual technique used for infection. Traditionally, most infections are launched with a spam email that includes a malicious link or attachment, providing hackers entry into the system and enabling them to deliver the ransomware and lock down the system.

Hackers can also utilize unpatched security vulnerabilities to breach systems and let loose the ransomware sample, or leverage a self-propagating sample that begins with the infection of one machine and then spreads to all other connected computers.

Other strategies like injecting malicious code into legitimate webpages, or redirecting traffic to spoof sites have proven successful as well.

Because hackers have an array of samples and infection techniques to choose from, ransomware infections do not all look or operate the same way. While one infection may begin with an email and result in all data being encrypted, another may come from a malicious website and end with the entire operating system being locked down. This variation makes it difficult for users to guard against threats – but protection is not impossible.

2) It’s a lucrative business for hackers

Ransomware also gives hackers the ability to eliminate middle-man processes and instead target monetary rewards directly. As opposed to infecting victims, stealing their credentials and using these for fraud or selling them on an underground marketplace, cybercriminals are hitting up victims directly for cash.

“If the evolution of cybercriminal tactics over the years is any indication, cybercriminals are now going straight for the money instead of tricking users to give up their credentials,” Trend Micro noted in the new report, Security Predictions for 2018: Paradigm Shifts.

Ransomware continues to be a big business for hackers who reap considerable profits.

Over the years, ransomware has demonstrated to be a successful cybercriminal business model for hackers, and with the money they rake in, it isn’t difficult to understand the driving factors behind the infections.

Despite numerous cases where victims pay the ransom only to realize that their system or files are still locked – or worse still, hackers demand a second ransom – businesses and individual users continue to offer up Bitcoin to cease attacks. The FBI put ransomware payments in the neighborhood of $24 million in 2015, and $1 billion in 2016.

The bad news is, as victims keep paying ransoms, hackers become more confident and demand more. CyberScoop reported that in 2016, the average ransom topped $1,000, an uptick of 266 percent compared to 2015. Some ransoms are considerably higher, depending upon the victim – a California college paid a ransom of $28,000 for the return of their files and data, and one medical center paid $17,000 to hackers for a decryption key.

The bottom line here is that as long as ransomware results in profit, hackers will continue to use it as a main attack strategy.

The threat of ransomware is pervasive, even as certain industries are commonly targeted.

3) There’s no shortage of targets

Ransomware continues to be a popular cybercriminal approach because of the sheer number of targets that can be infected. Everyone from individual users to large enterprises has been attacked, and infections, small and expansive alike, won’t stop anytime soon.

“The current success of ransomware campaigns — especially their extortion element — will prompt cybercriminals looking to make generous profits out of targeting populations that will yield the most return possible,” Trend Micro’s 2018 Security Predictions report stated. “Attackers will continue to rely on phishing campaigns in which emails with ransomware payload are delivered en masse to ensure a percentage of affected users. They will also go for the bigger buck by targeting a single organization, possibly in an Industrial Internet of Things (IIoT) environment, for a ransomware attack that will disrupt the operations and affect the production line.”

In addition, Heimdal found that certain sectors are more prone to ransomware infections than others due to the criticality of their data and reliance on it for daily operations. This includes:

• Healthcare providers

• Government agencies

• Educational institutions

• Legal firms

However, it appears that the lowest hanging fruit in most cases are individual smartphone users. As more consumers leverage these devices for work and personal activities and more sensitive data is stored on mobile systems, this will be a popular avenue for attack – Trend Micro discovered 234,000 mobile ransomware apps in the first half of 2017 alone.

Protecting against formidable threats

Because the threat of ransomware isn’t going anywhere anytime soon, it’s imperative that both individual users and enterprises leverage best practices for protection. This includes being aware of the most current threats and attack strategies, and maintaining an especially watchful eye for suspicious emails, attachments, links and websites.

Individual users and business employees that leverage their own mobile device for work should have a mobile security solution in place to help guard against cybercriminal activity like mobile malware samples.

Enterprises should also have a multi-pronged security system in place that includes email and web protection, endpoint safeguards, as well as network and server protection.

To find out more, connect with the security experts at Trend Micro today.

HOTforSecurity: Dutch ministers to use ‘safe phones’ on trips to ‘difficult countries’

The Dutch secret service “Algemene Inlichtingen- en Veiligheidsdienst” (AIVD) has kicked off a program to equip ministers with ‘safe phones’ on foreign trips to thwart attempts by hackers to intercept their communications.

The dumbed-down Tiger/S 7401, developed by a company called Sectra, resembles an old-school Nokia handset with physical buttons and nothing but call & text features.

“Sectra Tiger/S 7401 has been developed to provide mobility and flexibility to those individuals and organizations handling high-level classified information,” the vendor says on its website. “It has been designed to resist attacks from any source, making it the optimal choice for foreign missions and government organizations on a ministerial level.”

Built on dedicated hardware and leveraging a smart card for user authentication, Sectra Tiger/S 7401 is approved up to classification level SECRET in the Netherlands and the European Union, with NATO SECRET approval pending. The phone supports no third-party apps and has no Internet connection whatsoever.

A Tiger/R model is also available. Essentially a Samsung smartphone, the Tiger/R is a RESTRICTED-level voice and text communication device.

These “safe phones” are for ministers to take with them on official trips to “difficult countries,” according to dutchnews.nl. Prime Minister Mark Rutte reportedly already uses one at all times. Home Affairs Minister Kajsa Ollongren and Defence Minister Ank Bijleveld are less attached to them, but they still rely on the devices to communicate with the security services, the report notes.

Jail for man who launched DDoS attacks against Skype, Google, and Pokemon Go

A British man has been sentenced to two years in jail after admitting to a series of computer crime offences, which included over 100 attempts to knock the likes of Google, Skype and Nintendo’s popular video game Pokemon Go offline.

21-year-old Alex Bessell pleaded guilty to charges at Birmingham Crown Court that he had accessed computers without authorisation, disrupted computer operations, made and supplied malware, as well as been involved in money laundering.

Operating from his bedroom in Toxteth, Liverpool, Bessell not only had a zombie army of over 9,000 hijacked computers under his control to launch distributed denial-of-service (DDoS) attacks, he also ran an underground online criminal business called Aiobuy that earned more than US $700,000 by selling malware code to malicious hackers.

On Aiobuy, Bessell offered 9,077 products for sale, including remote access trojans, crypters (designed to hide malware from anti-virus software), botnet code, and other malicious tools. Law enforcement agencies uncovered evidence of more than 35,000 purchases through the site, which had recorded over a million visitors.

DC Mark Bird of the West Midlands Regional Cybercrime Unit, which investigated the case, described Bessell’s conviction as important:

“This is one of the most significant cybercrime prosecutions we’ve seen: he was offering an online service for anyone wanting to carry out a web attack.”

“It meant anyone who had a grudge against an individual or company, or who simply wanted to conduct a cyber-attack, didn’t need the technical know-how themselves. They simply needed to pick a piece of malware, pay the fee, and Bessell would do the rest.”

When police raided Bessell’s home they discovered banking trojans on his computers, designed to steal login credentials. In addition, 750 stolen usernames and passwords were recovered from the computers’ hard drives.

Bessell, who is believed to have been involved in cybercrime since the age of 14, was said by prosecutors to have processed more than US $3 million through PayPal and anonymous cryptocurrencies, retaining a percentage for himself. And yet, until late 2017, he also held down a legitimate job as a driver for the takeaway delivery firm Deliveroo.

From the sound of things, it will be some time before Bessell enjoys the luxury of calling out for a takeaway. His unscrupulous actions helped others to commit thousands of hacking attacks against innocent internet users and businesses.

Bessell will have plenty of time to reflect on how he has screwed up his own life, and inflicted pain and hardship on others, as he tucks into his prison meals for the next couple of years.

OnePlus hacked; credit card info of 40,000 customers compromised

Hackers attacked the web site of smartphone manufacturer OnePlus and compromised credit card information of up to 40,000 customers, the Shenzhen, China-based company has confirmed.

In a January 19 forum post, OnePlus reveals a malicious script was injected into its payment page code after hackers successfully penetrated one of its systems. The script ran intermittently but could sniff out credit card information as it was entered.

“We are deeply sorry to announce that we have indeed been attacked, and up to 40k users at oneplus.net may be affected by the incident. We have sent out an email to all possibly affected users,” the company says.

“We cannot apologize enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down.”

The phone maker reveals that oneplus.net had been under attack for an extended period – from mid-November 2017 to January 11, 2018. Credit card information (including card numbers, expiry dates and security codes) entered at oneplus.net during this time “may be compromised,” the company says.

Customers shopping with a “saved” credit card (i.e. who didn’t have to enter the information manually) should not be affected. The same applies to users who paid with “credit card via PayPal,” and users who paid with PayPal itself.

The threat has since been eliminated, and OnePlus has quarantined the infected server. The company is working with payment providers and local authorities to better understand how hackers infiltrated its systems. As it conducts its audit, OnePlus is also implementing “a more secure” credit card payment method.

In the meantime, customers who received OnePlus’s email about the hack are instructed to check their card statements and report any suspicious activity to their bank. Users who happen upon “potential system vulnerabilities” on the oneplus.net website are urged to report them to security@oneplus.net.
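The injection described above is the kind of change a baseline check on the checkout page catches: every inline script is hashed the way a hash-based Content-Security-Policy would hash it, and every external script is checked against an allowlist of hosts. This is an added example, not OnePlus’s code and not from the original article; the allowlisted host, the two HTML pages and the placeholder injected script are all constructed.

```python
"""Added example (not OnePlus's code and not from the original article): audit
a checkout page's <script> tags against a baseline, the check a hash-based
Content-Security-Policy performs in the browser.
Assumptions (mine): approved inline scripts are identified by their SHA-256
hash in CSP form and approved external scripts by host; both HTML samples are
constructed."""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_SCRIPT_HOSTS = {"static.shop.example"}  # constructed allowlist


class ScriptCollector(HTMLParser):
    """Collect inline script bodies and external script URLs from a page."""

    def __init__(self):
        super().__init__()
        self.inline, self.external = [], []
        self._in_inline, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def csp_hash(body: str) -> str:
    """CSP 'sha256-<base64>' over the exact script text between the tags."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def collect(html: str) -> ScriptCollector:
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser


def build_baseline(html: str) -> set:
    """Hashes of every inline script on a known-good copy of the page."""
    return {csp_hash(body) for body in collect(html).inline}


def audit(html: str, baseline: set) -> list:
    """Return (kind, detail) findings; an empty list means the page matches."""
    page = collect(html)
    findings = [("unknown-inline", csp_hash(b))
                for b in page.inline if csp_hash(b) not in baseline]
    for src in page.external:
        host = urlsplit(src).hostname or ""
        if host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(("unknown-external", src))
    return findings


# Constructed known-good checkout page.
CLEAN_PAGE = """<html><body>
<form id="pay"><input id="card" name="card"></form>
<script src="https://static.shop.example/checkout.js"></script>
<script>document.getElementById("pay").dataset.ready = "1";</script>
</body></html>"""

# Constructed tampered copy: one extra inline script and one off-host loader.
# The bodies are placeholders, not a skimmer; only their presence matters here.
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script>/* injected placeholder */ window.__x = 1;</script>\n'
    '<script src="https://cdn.unapproved-host.test/t.js"></script>\n</body>',
)

if __name__ == "__main__":
    baseline = build_baseline(CLEAN_PAGE)
    print("clean:", audit(CLEAN_PAGE, baseline))
    print("tampered:", audit(TAMPERED_PAGE, baseline))
```

Serving the same hashes in a `Content-Security-Policy: script-src` header makes the browser refuse any inline script that is not on the baseline, so the check runs on every visitor’s machine rather than only in a periodic scan.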

HOTforSecurity: ‘Im Sorry’ – Second Indiana hospital hit by ransomware

The very day that Hancock Health fell victim to a ransomware attack, another hospital in Indiana suffered a similar breach. Adams Health Network, which runs Adams Memorial Hospital, said the attack did not affect the quality and safety of patient care.

As the story goes, on December 11 an employee at Adams Memorial Hospital noticed strange network behavior and alerted IT administrators. Susan Sefton, a spokesperson for Adams Memorial Hospital, said the network went blank before files on the system read “sorry.”

If Sefton’s recollection is correct, it appears Adams Memorial was hit by a relatively well-known strain of ransomware dubbed “Im Sorry.”

Uncovered in 2017, Im Sorry encrypts files on the computer it has infected and appends file names with the “.imsorry” extension. For instance, a Word document titled “Filename.docx” will be renamed to “Filename.docx.imsorry.”

After it encrypts files on a system, the ransomware creates a text file containing instructions telling users how and where to pay a ransom to decrypt them. The .txt file is placed in each folder that has encrypted files.
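The two traces just described, the appended “.imsorry” extension and a text note in every folder holding encrypted files, are enough for a responder to scope an infection from the file system alone. The following scanner is an added example, not code from the article or from any vendor; the note keywords and the temporary directory tree it scans are constructed.

```python
"""Added example (not from the original article): scan a directory tree for the
file-system traces the article attributes to the "Im Sorry" ransomware, namely
files renamed with a trailing ".imsorry" extension and a plain-text ransom note
dropped into every folder that holds encrypted files.

Assumptions (mine, not the article's): the note is any .txt file whose contents
mention decryption/ransom wording; a constructed temp tree is used as input.
"""
import os
import tempfile
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".imsorry"
# Constructed note keywords; the note's actual wording is not given on the page.
NOTE_KEYWORDS = ("decrypt", "ransom", "bitcoin")


@dataclass
class FolderReport:
    encrypted: list = field(default_factory=list)   # original names recovered
    notes: list = field(default_factory=list)


def original_name(name: str) -> str:
    """'Filename.docx.imsorry' -> 'Filename.docx' (strip only the trailing marker)."""
    return name[: -len(ENCRYPTED_EXT)] if name.lower().endswith(ENCRYPTED_EXT) else name


def looks_like_note(path: str) -> bool:
    """A .txt file whose first 4 KiB mention ransom/decryption wording."""
    if not path.lower().endswith(".txt"):
        return False
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            head = fh.read(4096).lower()
    except OSError:
        return False
    return any(k in head for k in NOTE_KEYWORDS)


def scan_tree(root: str) -> dict:
    """Return {relative folder: FolderReport} for every folder showing a trace."""
    reports = {}
    for dirpath, _dirs, files in os.walk(root):
        rep = FolderReport()
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                rep.encrypted.append(original_name(name))
            elif looks_like_note(full):
                rep.notes.append(name)
        if rep.encrypted or rep.notes:
            reports[os.path.relpath(dirpath, root)] = rep
    return reports


def summarize(reports: dict) -> dict:
    """Counts a responder wants first, plus whether the note-per-folder
    pattern described for Im Sorry actually holds across the tree."""
    encrypted = sum(len(r.encrypted) for r in reports.values())
    folders_with_enc = [f for f, r in reports.items() if r.encrypted]
    folders_with_note = [f for f in folders_with_enc if reports[f].notes]
    return {
        "encrypted_files": encrypted,
        "affected_folders": len(folders_with_enc),
        "folders_with_note": len(folders_with_note),
        "note_per_folder": bool(folders_with_enc)
        and len(folders_with_note) == len(folders_with_enc),
    }


def build_sample_tree() -> str:
    """Construct a small infected-looking tree for demonstration."""
    root = tempfile.mkdtemp(prefix="imsorry_demo_")
    layout = {
        "docs": ["Report.docx.imsorry", "Budget.xlsx.imsorry"],
        "docs/archive": ["Old.pdf.imsorry"],
        "photos": ["holiday.jpg"],  # untouched folder: no note expected
    }
    for folder, names in layout.items():
        d = os.path.join(root, folder)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"\x00" * 16)
        if any(n.endswith(ENCRYPTED_EXT) for n in names):
            with open(os.path.join(d, "READ_ME.txt"), "w", encoding="utf-8") as fh:
                fh.write("Your files are encrypted. Pay the ransom to decrypt.\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    print(summarize(scan_tree(demo_root)))
```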

As a result of the breach, doctors could not access patient history or appointment schedules, according to local newspaper wane.com. Sefton said the attack affected 60 to 80 patients. At first, the hospital avoided making the attack public, attributing the outage to bad weather. Then, it released the following statement:

“While AHN did experience a business interruption throughout the weekend as we worked to restore the affected servers, there was never an interruption in patient care. We are continuing to assess the severity of the situation, but at this time we believe no patient files have been accessed. At no time during this event has the quality and safety of patient care been affected.”

The hospital got hit on the same day that Hancock Health, another healthcare operator based in the state of Indiana, confirmed it fell victim to an almost identical attack. While Adams has not yet said if it has paid or will pay the ransom, Hancock has reportedly already paid the attacker $50,000 in digital currency to have its files decrypted.

Bug bounty program offers $100 million for ‘ethical hackers’ to earn by 2020

HackerOne has put $100 million up for grabs in bug bounty rewards for “ethical hackers” over the next two years, the bug bounty platform said in a press release announcing the results of its 2018 Hacker Report. Many other programs are also available, making ethical hacking a lucrative business for some.

Ethical hacking, formally described as “penetration testing” (or pen test), is the practice of waging authorized simulated attacks on a computer system to evaluate the system for weaknesses that bad actors could exploit.

The 2018 Hacker Report examines the geography, demographics, experience and tools used, as well as the motivations of nearly 2,000 bug bounty hackers across 100 countries. The results are based on the largest survey ever of the ethical hacker community.

Hacking more profitable than traditional engineering for some

The major takeaway from the report is that ethical hacking has become more lucrative than software engineering – at least for some. In other words, some researchers have found they no longer need a day job.

Platforms like HackerOne are undoubtedly a strong influence behind this trend. The company has announced a generous budget for the next couple of years in terms of rewards (emphasis ours):

“This new data comes on the heels of HackerOne’s fastest-growing year, with 1,000 customer programs and more than $23M in bounties awarded to the hacker community. The company plans to pay over $100 million in rewards to hackers by 2020,” reads the press release.

Apparently top-earning ethical hackers make up to 2.7 times the salary of a software engineer. In India, hackers are making as much as 16 times the median salary of their engineering counterparts.

At the same time, the data indicates that some hackers are becoming less motivated by monetary gain, with as many as 24 percent donating their bounty money to organizations like the Electronic Frontier Foundation (EFF), Red Cross, Doctors Without Borders, Save the Children and animal shelters.

Other findings include:

  • A quarter of hackers rely on bounties for at least 50 percent of their annual income
  • 14 percent say their bug bounty hunting generates 90-100 percent of their annual income
  • 12 percent make $20,000 or more annually from bug bounties
  • 3 percent make more than $100,000 per year
  • 1 percent make over $350,000 annually
  • Over 90 percent of all successful bug bounty hackers are under the age of 35
  • 45 percent are between 18 and 24 years of age
  • 37 percent hack as a hobby in their spare time

No shortage of bug bounty platforms to choose from

Vulnerability coordination platforms leverage the findings of ethical hackers – essentially white hat hackers – to help make the Internet a safer place.

Search giant Google has been running such a program – the Vulnerability Reward Program (VRP) for Google-owned web properties – since November 2010.

Google also maintains a program dedicated to making Google Play Store a safer place. In October 2017, the company announced that the Google Play Security Reward Program will reward researchers who find and report security problems in Android apps sold on its app store.

Like HackerOne, Google is not stingy with its rewards – sometimes offering tens of thousands of dollars per vulnerability found (depending on the severity of the flaw). For example, finding a single vulnerability that gives direct access to Google servers can pay anywhere from $100 to more than $30,000.

Other notable bug bounty programs include: “The Internet Bug Bounty,” a joint effort between Facebook and Microsoft; “Hack the Pentagon,” the U.S. federal government’s first bug bounty program; and “Open Bug Bounty,” a crowd-sourced program that discloses website security vulnerabilities and relies on the good will of the affected website operators to obtain rewards.

Twitter accused of breaking privacy claims by conservative media group

Social media giant Twitter is in the midst of a scandal following accusations of breaking privacy claims. Pro-Trump group Project Veritas released three videos in which Clay Haynes, a senior engineer at Twitter, is recorded without his consent in a bar making various statements about the company’s policy on disclosing sensitive tweets and DMs.

Speaking in what he thinks is a casual, possibly romantic meeting, he says Twitter has developed a machine learning algorithm that analyzes tweets and DMs, yet the video is selectively edited to fit Project Veritas’ story that actual employees monitor this information. Twitter is not the only social network to aggressively monitor its content to eliminate pornography, spam and deviant behavior.

“We do not proactively review DMs. Period. A limited number of employees have access to such information, for legitimate work purposes, and we enforce strict access protocols for those employees,” Twitter said.

What’s more, the man expresses a negative opinion about US President Donald Trump and said Twitter would voluntarily hand over the president’s deleted tweets and DMs to the US Department of Justice.

“We’re more than happy to help the Department of Justice in their little investigation,” Haynes says. “Giving them every single tweet that he’s posted, even the ones he’s deleted, any direct messages, any mentions.”

“The individual depicted in this video was speaking in a personal capacity and does not represent or speak for Twitter,” a company spokesperson said.

“Twitter only responds to valid legal requests and does not share any user information with law enforcement without such a request… Twitter is committed to enforcing our rules without bias and empowering every voice on our platform, in accordance with the Twitter Rules. We deplore the deceptive and underhanded tactics by which this footage was obtained and selectively edited to fit a pre-determined narrative.”

Project Veritas is a controversial media group known for unethical investigations and fake news; in the past it tried to convince the Washington Post to publish a fake story so that the paper would lose credibility among readers.

Hawaii’s missile alert agency keeps its password on a Post-it note

Last Saturday the people of Hawaii received a terrifying alert about a ballistic missile heading their way.

Fortunately the alert was a false alarm, caused by a worker who was supposed to send an internal test, and accidentally chose the wrong menu item.

It took a full 38 minutes for the Hawaii Emergency Management Agency (HEMA) to allay fears, and send out a correction.

Serious questions have been asked about how the bogus missile alert could have been sent out, and what can be done to ensure that members of the public are more rapidly informed if more mistakes occur in the future.

My feeling is that although there was no foul play behind the false missile warning, HEMA might be wise to also look at its general approach to IT security.

As Business Insider describes, evidence has come to light that some of the organisation’s staff might be in the habit of sticking Post-it notes containing passwords onto their computer monitors.

That in itself is far from ideal, but what’s even worse is that these Post-it note passwords have been caught on camera by the media, and available for anybody to view on the internet.

A photograph, taken by Associated Press back in July 2017, shows HEMA’s operations officer in front of a bank of computer screens at its headquarters in Honolulu. But if you look past Jeffrey Wong’s colourful Hawaiian shirt, and zoom in on the computers used to monitor potential hazards, you’ll see a solitary Post-it note.

My eyesight isn’t perfect, but it looks to me like it reads:

Password: Warningpoint2

Now, there’s no suggestion that that is a password that could be used to remotely access computers at the agency, or indeed that it’s a password connected with the sending of alerts, but… it surely does say something about the state of security practices at what should be considered a potential target for a state-sponsored attack.

Organisations who have previously accidentally revealed their passwords in front of the media’s unblinking gaze include BBC News, France’s TV5Monde (ironically in a news report about how it had been recently hacked), and the Super Bowl’s top secret security hub, amongst others.

If the media is visiting your office, it’s probably sensible to remove any passwords which could appear in the background. In fact, maybe it makes sense to remove any such visible passwords regardless of whether someone is likely to be pointing a camera around.

Over $400,000 worth of Stellar Lumen Cryptocurrency Stolen in BlackWallet DNS Hijack

Following a recent hijack of BlackWallet’s DNS server, hackers have allegedly stolen almost 670,000 Lumens from users’ wallets, estimated to be worth around $400,000.

BlackWallet.co is a web-based wallet application that lets users manage their Stellar Lumen Cryptocurrency (XLM). The DNS hijack allowed cybercriminals to redirect victims to an attacker-controlled server, from which they could manipulate transactions. If users had more than 20 Lumens in their wallet, the funds would automatically be transferred to the attacker’s wallet.

“If you used BlackWallet in the past then use your Secret Key and login to Stellar Account Viewer to use them. If you don’t login in the BlackWallet website your XLM is safe,” reads a warning. “Lumens are not stored in the wallets, Lumens are ALWAYS stored in the network, you just use wallets to have access to the network. If you use BlackWallet with your Secret Key then the script will steal your Secret Key and then your Lumens.”

Although the warning was posted on social media and microblogging platforms, it does seem that around $400,000 worth of cryptocurrency was stolen. In the following hours, attackers started making transactions using the stolen XLMs, effectively laundering the stolen funds and hiding their tracks.

“I am the creator of Blackwallet. Blackwallet was compromised today, after someone accessed my hosting provider account,” wrote the creator of BlackWallet. “I am sincerely sorry about this and hope that we will get the funds back. I am in talks with my hosting provider to get as much information about the hacker and will see what can be done with it.”

This is not the first time hackers have made off with cryptocurrencies, and it definitely won’t be the last. Everyone who recently visited BlackWallet is strongly encouraged to move their funds to a new wallet – if any still remain.

HOTforSecurity: Canadian behind leaked credentials website appears in court

The Canadian arrested for running a leaked credentials site and allegedly selling billions of passwords from major data breaches appeared in his first court hearing on Monday. The man is accused of trafficking in identity information, unauthorized use of computer (s. 342.1 of the Criminal Code), mischief to data and possession of property obtained by crime, announced the Royal Canadian Mounted Police (RCMP).

27-year-old Jordan Evan Bloom from Ontario was identified as the man behind Leakedsource.com, a site hosted on servers in Quebec that collected a database of some 3 million identity records and passwords. Bloom was arrested on Dec. 22 in the Project “Adoration” criminal investigation. According to the RCMP, he made approximately $198,000 from selling identity information.

“This investigation is related to claims about a website operator alleged to have made hundreds of thousands of dollars selling personal information,” said Inspector Rafael Alvarado, Officer in Charge of the RCMP Cybercrime Investigative Team at National Division. “The RCMP will continue to work diligently with our domestic and international law enforcement partners to prosecute online criminality.”

Leakedsource.com appeared in 2015 and it was the largest collection of stolen credentials from major high-profile data breaches such as Ashley Madison, Last.fm, Yahoo, LinkedIn and Myspace. The site was used as a resource by a number of journalists investigating data breaches and leaked records. Although it was taken down, currently the same domain is live but hosted in Russia.

The arrest was part of an international effort between the RCMP’s National Division Cybercrime Investigative Team, Dutch National Police and the FBI.

HOTforSecurity: Cybersecurity quiz winners rewarded with malware-infected USB sticks

It is a truth universally acknowledged in the infosecurity community, that giving away free USB sticks only leads to trouble.

On countless occasions we’ve seen businesses embarrassed as they hand out thumb drives which are not only stuffed to the brim with marketing material, but are also unwittingly hiding malware.

And yet, companies continue to put the public at risk by giving away cheap USB sticks at trade shows, with often little consideration as to what may also be lurking on the device.

In perhaps the most ironic example of “Danger USB!” yet, we hear that Taiwan’s cybercrime-fighting investigators recently handed out malware-infected USB sticks to… winners of a cybersecurity quiz.

Taiwan’s Criminal Investigation Bureau has apologised after handing out 54 infected flash drives at a data security expo hosted by the government from 11-15 December. An event which had the noble aim of raising awareness of cybercrime. Ho hum!

As local media reports, distribution of the 8GB devices was halted on the afternoon of 12 December after early winners of the quiz reported that their anti-virus software had flagged the drives as containing malware.

The Windows-based malware was designed to steal personal information from infected PCs and send it via an IP address based in Poland to parties unknown.

However, it seems unlikely that Taiwan’s computer crime-busting cops, or the event itself, were deliberately targeted by hackers. Instead, as is often the case, there is a more down-to-earth explanation for what happened – and why only 54 of the 250 giveaway USB drives are believed to contain the malware.

According to the Criminal Investigation Bureau, the infections have been traced back to a single PC at an external contractor. It seems that a random sample of the USB drives were plugged into the infected PC in order to test their storage capacity, and the malware was unwittingly transmitted to 54 of them at that time.

It’s the kind of security goof that is all-too-familiar. Readers with long memories may recall that, in 2010, IBM handed out USB sticks at the AusCERT security conference infected by not one… but two pieces of malware.

Seven years later, IBM found itself in the embarrassing position of having to admit that it had shipped malware-infected USB sticks to enterprise customers.

How can you protect yourself from unsolicited, unwanted USB sticks? Well, there’s one simple fool-proof method that guarantees your computer won’t become infected.

No prizes if you guessed correctly. Simply throw it in the rubbish bin.


Ransomware attack drives Indianapolis hospital back to pen and paper

A hacker out to make a fast buck last week decided to hit an Indianapolis hospital with a ransomware attack, demanding a ransom payment to his Bitcoin wallet in exchange for de-crippling the facility’s computer network.

Hancock Health fell victim to the attack sometime last week, when employees noticed the network started running more slowly than normal, according to local newspaper The Greenfield Reporter.

One of the hospital’s computers then flashed a message indicative of a typical ransomware attack – that the facility’s data was being held “hostage” until a ransom was paid to the attacker.

The hacker, who infiltrated the network using a “sophisticated” attack, encrypted important parts of the Hancock Health network and demanded an undisclosed ransom in Bitcoin, a digital currency almost entirely untraceable in nature.

“This was not a 15-year-old kid sitting in his mother’s basement,” Hancock Health CEO Steve Long told reporters on Friday, after enlisting the help of the FBI and an unnamed security firm to learn more about the attack.

“That somebody would do this to a hospital really boggles the mind,” Long said.

According to the newspaper, the attack drove doctors and nurses back to using “pen and paper” to keep medical charts updated.

According to a recent survey by University of Phoenix College of Health Professions, hackers are increasingly targeting patient records as healthcare providers do little to protect their data. The key reason, according to a healthcare cyber research report for 2017: stolen medical records make for a lucrative extortion tool.

Patient records can be so valuable that some organizations will go to great lengths to obtain them, even if it means doing so without the patients’ consent.

An investigation by the Daily Telegraph has revealed that the data covering every case of lung cancer diagnosed in England over a four-year period was handed by NHS to a firm working with Philip Morris International for the past 30 years. Investigators reportedly fear that the anonymised data could be used in legal cases to downplay the dangers of smoking, or to fight regulation.

Hackers increasingly target patient records as HCPs do little to protect data – research

One in five healthcare professionals has experienced breaches of patient data, yet many also say they’re “very confident” in their facility’s ability to protect that data against theft, according to a survey by University of Phoenix College of Health Professions.

Despite increased data breaches in all industries, only a quarter of registered nurses (RNs) have seen changes in the way their companies handle data security over the past year.

The data also reveals a worrying disconnect between healthcare professionals’ confidence in protecting sensitive patient data and the actual protection of that data.

Some 48 percent of RNs and 57 percent of administrative staff say they are “very confident” their institution can safeguard patient records against potential data theft. At the same time, only 25 percent of RNs and 40 percent of administrative staff cited data security and privacy improvements over the past year.

The University acknowledges that the healthcare industry is “one of the highest targeted by cybercriminals, due to its heavy reliance on technology and vast amount of available patient data.”

Research by Cryptonite NXT supports this claim. According to the company’s Health Care Cyber Research Report for 2017, stolen medical records make for a terrific extortion tool.

One example is the London Bridge Plastic Surgery data breach three months ago, when The Dark Overlord cybercriminal group hacked the high-profile clinic and stole graphic images of celebrities undergoing plastic surgery. The purpose behind the breach was believed to be extortion. No reports confirm this theory, but it’s possible the group got what they were after and kept a lid on it.

Dennis Bonilla, executive dean for the College of Information Systems and Technology at University of Phoenix, believes healthcare providers (HCPs) are “extremely susceptible to human error.”

“If one employee accidentally invites malicious malware into a system, the impact can be catastrophic. To limit the amount of breaches, cybersecurity governance must improve,” Bonilla said.

Again, the University’s findings can be easily supported with real-life examples. The WannaCry ransomware attack in May 2017 revealed just how easily malware could move laterally in a computer network.

As avid readers know, the UK’s National Health Service lost hundreds of thousands of patient records in the attack, which leveraged unpatched Windows computers. Patients with life-threatening conditions had to be put on hold, and the financial consequences to NHS were devastating.

On a positive note, nurses and staff administrators agree that additional support and training is needed for healthcare privacy and security. The survey also found that HCPs are taking some steps to better protect patient data, such as updated privacy and access policies, role-based access to sensitive information, and enhanced data surveillance.

Man Charged With Spying on MacOS Users with Malware for 13 Years

A computer programmer from Ohio was recently indicted on 16 charges involving developing and using spyware to exfiltrate sensitive user data, and producing child pornography.

Developed for MacOS devices, the FruitFly malware is believed to have been infecting thousands of victims for over 13 years. Security experts estimate that it remained undetected for years, possibly because it relied on unsophisticated code. 28-year-old Phillip R. Durachinsky, who is believed to have developed the spyware, faces charges of Computer Fraud and Abuse Act violations, Wiretap Act violations, and identity theft, amongst others.

“Durachinsky is alleged from 2003 through Jan. 20, 2017, to have orchestrated a scheme to access thousands of protected computers owned by individuals, companies, schools, a police department, and the government, including one owned by a subsidiary of the U.S. Department of Energy,” reads the statement by the US Department of Justice. “He is alleged to have developed computer malware later named “Fruitfly” that he installed on computers and that enabled him to control each computer by accessing stored data, uploading files, taking and downloading screenshots, logging a user’s keystrokes, and turning on the camera and microphone to surreptitiously record images and audio.”

Since the charges are still allegations, Durachinsky is considered innocent until proven guilty. However, he is also accused of having used some stolen credentials to access information for other websites, potentially extending the range of collected personal information from victims.

“For more than 13 years, Phillip Durachinsky allegedly infected with malware the computers of thousands of Americans and stole their most personal data and communications,” said Acting Assistant Attorney General John Cronan. “This case is an example of the Justice Department’s continued efforts to hold accountable cybercriminals who invade the privacy of others and exploit technology for their own ends.”

The malware is also believed to be compatible with Linux-based systems, as it shares similarities with MacOS code. If that’s the case, the extent of Fruitfly’s surveillance capabilities could be far greater than authorities first believed.

Malware-infected beauty shop hadn’t backed up data in 2 years

Not having a backup and recovery strategy has drastic business implications, as an online vendor of makeup sponges from California found out. Known online as ‘beautyblender,’ Rea.deeming Beauty, Inc. sent a notification to California’s Office of the Attorney General informing the department that their online shop had been infected with malware that stole payment data at checkout.

Because the vendor hadn’t backed up data daily, they couldn’t determine who had fallen victim and what the exact implications of the breach were, writes BleepingComputer. As a result, the company is reaching out to all its 3,673 customers residing in California, because they have no idea who has been affected.

Beautyblender started a forensic investigation and informed its web host after two customers reported fraudulent transactions made with credit cards used on the website. The malware was detected by the web host in October 2017. Third-party investigators confirmed it in November, and reported that the website was infected sometime in July. Hackers had unauthorized access to customer names, addresses, phone numbers, emails and credit or debit card information.

“The forensic investigator then began efforts to determine when the malware was placed on the website,” Beautyblender says. “Unfortunately, due to the lack of backups of the website that were available from the website hosting company, beautyblender has been unable to confirm the date that the malware was placed on the website.”

The company had last backed up its data in April 2015, leaving it extremely vulnerable. Not only were its customers exposed to data theft and fraud, but Beautyblender can’t rebuild the data that consisted of years of valuable information for their business. Failure to keep regular, multiple backups is one of the most common mistakes companies make, because in case of natural disasters, system failure or cyberattacks, the company could face permanent data loss.

In the notification email sent to customers, Beautyblender confirms the infected code has been removed from the website, but thorough monitoring of credit card statements is still recommended.

“We have removed the infected code that led to the vulnerability and implemented additional security measures to reduce the likelihood of a similar incident from happening in the future,” reads the email signed by Catherine Bailey, President and COO. “We are providing notice of this incident to those who may have been impacted so that they can take steps to prevent against possible fraud, should they feel it is necessary to do so. We will also notify any required state regulators and the credit reporting agencies about this incident.”

The company has not made a public statement.

WPA3 will protect weak passwords, simplify Wi-Fi configuration

The Wi-Fi Alliance, a consortium that certifies Wi-Fi products, has announced the next-generation network security protocol for Wi-Fi communication, dubbed Wi-Fi Protected Access 3 (WPA3 for short).

Although reported as vulnerable, the WPA2 protocol used by billions of devices worldwide “continues to provide reliable security,” according to the Alliance.

The organization – whose members include tech giants like Apple, Intel and Microsoft – issued a press release on Monday announcing key enhancements and new features for Wi-Fi Protected Access (WPA). The enhancements are to be deployed both for the current WPA2 implementation, and as part of the new WPA3.

Since WPA2 will still be deployed for years to come (as aligning everyone to the yet-unreleased WPA3 will take a considerable amount of time), the Wi-Fi Alliance plans to keep improving WPA2 “to ensure it delivers strong security protections to Wi-Fi users as the security landscape evolves.”

As some readers will remember, a researcher from the University of Leuven last year discovered a critical flaw in the WPA2 standard that left virtually all Wi-Fi-connected devices vulnerable to attack. The standard is still not bulletproof, but the Alliance pledges to strengthen it with:

  • Protected Management Frames to maintain the resiliency of mission-critical networks
  • Testing enhancements to reduce the potential for vulnerabilities due to network misconfiguration
  • Centralized authentication services to safeguard managed networks

As part of the WPA3 deployment (the launch date is yet to be set, apparently), four major enhancements will benefit regular users and service providers alike.

Two of them will ensure robust protections even when users choose “passwords that fall short of typical complexity recommendations,” while simplifying the configuration process for devices with limited, or no, interfaces.

Through individualized data encryption, WPA3 will further strengthen privacy in open networks, while a 192-bit security suite will protect Wi-Fi networks with higher security requirements (i.e. government networks).

Someone hacked Blackberry to steal computing power for mining cryptocurrency [Updated]

Cryptocurrency mining service Coinhive is again in the news for misuse by a customer, this time involving handset maker Blackberry. Apparently, someone hacked into the company’s global operations website and used it to steal visitors’ computing power to mine Monero – a digital currency.

Cryptocurrencies like Bitcoin, Ethereum and Monero are digital currencies whose numbers and/or value grow as new transactions are validated by solving complex mathematical problems. Lending your computing power to keep the blockchain alive increases the currency’s value, and also fattens your personal crypto wallet, but only if you can mine quickly enough – which requires immense computing resources, especially for the likes of Bitcoin.

Coinhive sells a cryptocurrency mining tool that allows users to embed it in a desired platform – such as a website – and mine Monero using visitors’ computing power. It advertises the tool as a more elegant alternative to displaying intrusive ads. Currently, one Monero unit is valued at around $400.

But there’s a problem with Coinhive. The service is apparently so alluring to fast-buck aficionados that it has become a one-stop-shop for bad actors. The latest such incident was reported on Reddit, where a user nicknamed “Rundvleeskroket” revealed that Blackberry was hacked for cryptocurrency mining.

A friend of Rundvleeskroket discovered the hack, and shared a screenshot of the Blackberry site’s source code where Coinhive is clearly referenced. A spokesperson for Coinhive soon joined the discussion and confirmed that someone indeed had hacked Blackberry, and a number of other sites, and used their tool for the reported nefarious purpose.

“We’re sorry to hear that our service has been misused. This specific user seems to have exploited a security issue in the Magento web shop software (and possibly others) and hacked a number of different sites,” the representative said.

Ironically, Blackberry claims to be offering the “world’s most trusted mobile security software.”

Security vendors, including Bitdefender, classify cryptocurrency miners as malware, and block them. Although Coinhive states that customers should warn their end-users of the practice, many prefer to keep their mining a secret.

The past year has seen several reports of concealed cryptocurrency mining – almost all of them involving Coinhive.

In September last year, The Pirate Bay notably ran what it called a “test pilot program” to see if mining Monero worked as an alternative to displaying ads. A month later, an engineer discovered a hidden cryptocurrency miner inside a popular Google Chrome URL shortening extension.

Oslo-based Opera Software AS recently rolled out a new version of its web browser, featuring an anti-Bitcoin mining tool. Browser extensions serving the same purpose are available for Google Chrome users as well.

Update:

BlackBerryMobile.com is operated by TCL Communication, which manufactures, markets and sells BlackBerry Android smartphones globally under a brand licensing agreement with BlackBerry Limited. Soon after this story hit the wires, a Blackberry spokesperson reached out to us to clarify some matters.

“Recently, BlackBerry Limited was alerted by a third party of an exploited security vulnerability affecting the BlackBerryMobile.com site,” the spokesperson said. “Upon notification and our own verification, BlackBerry Limited moved quickly to communicate with our partner at TCL and to temporarily redirect our links to BlackBerryMobile.com to BlackBerry.com pages.”

The representative insisted that “At no time was BlackBerry.com compromised,” adding that “TCL has restored a new site with partial content and is collaborating with BlackBerry Limited to harden its site to prevent future cyberattacks.”

Researcher finds hardcoded backdoor in Western Digital storage devices

Western Digital network attached storage (NAS) devices have been found vulnerable to remote exploitation that would allow bad actors to download your private files at will.

Security researcher James Bercegay reveals in an advisory that an array of “My Cloud” NAS products from Western Digital are inherently vulnerable to attack because of a hardcoded backdoor that, if exploited properly, can allow a hacker to remotely access your photos, videos, and anything else on your NAS.

The technicalities are described in detail in Bercegay’s post over at GulfTech, but the gist of it is the firmware for WD’s My Cloud products has hardcoded user names and passwords. This, when used along with several other weaknesses, can allow an attacker to take control of the devices remotely, and access the data stored on them without permission.

WD’s My Cloud line of products is among the most popular NAS solutions, both for businesses and regular customers, so many users could be at risk of having their data compromised.

“As you can see in the … code, the login functionality specifically looks for an admin user named ‘mydlinkBRionyg’ and will accept the password of ‘abc12345cba’ if found. This is a classic backdoor,” Bercegay writes.

According to the researcher, an attacker simply needs to “login with the credentials” and, thanks to a separate bug in the system, they can get ahold of your NAS from a remote location.

Being LAN-bound doesn’t offer much more safety either. According to Bercegay, an attacker can direct the victim to a rigged website and make a request to the device using one of the many default hostnames for the WD My Cloud family of devices, such as “wdmycloud” and “wdmycloudmirror.”

“The triviality of exploiting this issues makes it very dangerous, and even wormable,” he warns.

Bercegay says he and his team are merely contributing to the security community by reporting the flaws and offering proof of concept (PoC) exploits.

When WD was informed of the flaws, the company asked for 90 days to address the issue. At the time of writing, 180 days have passed and the holes reported by Bercegay and his teammates remain unplugged.

The researcher believes Western Digital “should know better,” especially since another group of hackers last year disclosed many command injection vulnerabilities in its products.

A list of affected devices can be found in Bercegay’s advisory. Users who believe they may be at risk could try changing their NAS default hostname and keep the device locked in a local network / LAN until WD deploys the necessary patches.

For extra peace of mind, users might want to consider a solution like Bitdefender BOX to protect all inbound and outbound traffic to their connected devices.

CoffeeMiner PoC Targets Public Wi-Fi Networks to Mine for Cryptocurrency

A recently published proof-of-concept notes that it could be possible for attackers to hijack coffee shop Wi-Fi networks and get connected users to mine cryptocurrencies, according to software developer Arnau Code.

A couple of weeks back, an incident was reported in which customers of a Starbucks coffee shop were unwittingly mining cryptocurrency; it seems the internet service provider that offered Wi-Fi connectivity was at fault. The proof-of-concept suggests that attackers physically present in the coffee shop could hijack the network in a similar way. Arnau pulled it off by performing a man-in-the-middle attack: he redirected all customers through his proxy with an ARP-spoofing attack, then injected a single line of code into visited HTML pages that calls the cryptocurrency miner in the victim’s browser.

“The objective is to have a script that performs autonomous attack on the WiFi network,” wrote Arnau. “It’s what we have called CoffeeMiner, as it’s a kind of attack that can be performed in the cafes WiFi networks.”

Although the attack requires the cybercriminal to actually be present in the coffee shop and have a strong enough Wi-Fi antenna so that it can hijack traffic from as many clients as possible, the attack does seem plausible, provided the targeted router or switch lacks built-in ARP-spoofing protection.

Leveraging the same CoinHive cryptocurrency mining JavaScript used by The Pirate Bay or some rogue Google Chrome extensions, Arnau does point out that, for the mining to yield positive results, the victim needs to visit the affected website for more than 40 seconds per session.

“CoinHive miner makes sense when user stays in a website for mid-long term sessions. So, for example, for a website where the users average session is around 40 seconds, it doesn’t make much sense,” reads the blog post. “In our case, as we will inject the crypto miner in each one of the HTML pages that victims request, will have long term sessions to calculate hashes to mine Monero.”

The developer suggests that adding more automation to his proof-of-concept could increase its effectiveness, although the project has been tagged “for academic purposes only”.

Google’s CPU Patch Builds Software ‘Trampolines’ that ‘Negligibly’ Impact Performance

Following the recent discovery of vulnerabilities in Intel, AMD and ARM CPUs, Google engineers developed a new chip-level patch that specifically addresses one of the three issues, namely the “Branch target injection” that’s also referred to as “Spectre”.

Dubbed “Retpoline”, which is derived from “return” and “trampoline”, Google’s software construct is supposed to isolate indirect branches from speculative execution, effectively protecting select binary files – that belong to the operating system or the hypervisor – from Spectre-powered attacks.

“It is a trampoline construct constructed using return operations which also figuratively ensures that any associated speculative execution will ‘bounce’ endlessly,” reads the Google post. “If it brings you any amusement: imagine speculative execution as an overly energetic 7-year old that we must now build a warehouse of trampolines around.”
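The “trampoline built from return operations” described above, as an added example that is not code from the article or from Google’s post: a minimal x86-64 retpoline in GCC inline assembly next to the plain indirect call it replaces. Function and label names are ours; on other architectures the protected call falls back to a plain call.

```c
/* Added example, not from the article or from Google's post: a minimal
 * x86-64 retpoline in GCC inline assembly beside the plain indirect call
 * it replaces. Function names and call targets are constructed. */
#include <stdint.h>
#include <stdio.h>

typedef uint64_t (*op_fn)(uint64_t);

/* Two constructed call targets so the indirect call has somewhere to go. */
static uint64_t op_double(uint64_t x) { return x * 2; }
static uint64_t op_square(uint64_t x) { return x * x; }

/* Plain indirect call. The CPU's indirect branch predictor chooses the
 * speculative target, and a mis-trained predictor is exactly what branch
 * target injection (Spectre variant 2) relies on. */
uint64_t call_plain(op_fn fn, uint64_t arg)
{
    return fn(arg);
}

/* Retpoline-protected indirect call. The indirect branch becomes a
 * CALL/RET pair: CALL pushes a return address that points at a capture
 * loop, the code overwrites that stack slot with the real target, then
 * RETs to it. Architecturally control reaches fn; speculatively, the
 * return predictor steers execution to the address CALL pushed, so the
 * speculative path "bounces" in the PAUSE/LFENCE loop and never reaches
 * an attacker-chosen gadget. */
uint64_t call_retpoline(op_fn fn, uint64_t arg)
{
#if defined(__x86_64__) && defined(__GNUC__)
    uint64_t rax = (uint64_t)(uintptr_t)fn; /* target in %rax, as in the rax thunk */
    uint64_t rdi = arg;                     /* first argument in %rdi (SysV ABI)   */
    __asm__ volatile(
        "sub  $128, %%rsp\n\t"    /* step over the red zone: the compiler cannot see our CALLs */
        "call 3f\n\t"             /* enter the thunk; pushes the address of 'jmp 4f'           */
        "jmp  4f\n"
        "3:\n\t"                  /* thunk body, the protected equivalent of 'jmp *%rax'       */
        "call 1f\n"
        "2:\n\t"
        "pause\n\t"               /* speculation lands here and spins harmlessly               */
        "lfence\n\t"
        "jmp  2b\n"
        "1:\n\t"
        "mov  %%rax, (%%rsp)\n\t" /* replace the pushed return address with fn                 */
        "ret\n"                   /* architectural RET goes to fn; fn's own RET lands on 'jmp 4f' */
        "4:\n\t"
        "add  $128, %%rsp"
        : "+a"(rax), "+D"(rdi)
        :
        : "rcx", "rdx", "rsi", "r8", "r9", "r10", "r11", "memory", "cc");
    return rax;
#else
    /* Other architectures: no retpoline here, plain indirect call. */
    return fn(arg);
#endif
}

int main(void)
{
    /* Both paths must agree architecturally; only speculation differs. */
    printf("plain:     %llu\n", (unsigned long long)call_plain(op_double, 21));
    printf("retpoline: %llu\n", (unsigned long long)call_retpoline(op_double, 21));
    printf("retpoline: %llu\n", (unsigned long long)call_retpoline(op_square, 12));
    return 0;
}
```

The speculative behaviour itself cannot be observed from a functional test; what the block shows is the shape of the construct and that it is architecturally transparent to the caller.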

Countering speculation that installing security fixes for this issue might seriously downgrade CPU performance, Google’s technique allegedly has a “negligible impact on performance”. This should excite businesses and Google Cloud customers, as some of them feared poor performance and higher costs. While Intel said performance penalties will likely differ based on workloads, Google’s announcement offers a breath of hope – at least to their customers – as they don’t seem to be very affected.

The technique has already been applied to Google Cloud, and Google believes other companies can follow in its footsteps and use the Retpoline technique to patch at least the Spectre vulnerability without any significant slowdowns. Testing the patch is recommended before fully deploying it in your infrastructure, as it’s likely performance penalties will vary for each use case.

To fully prevent any of the reported vulnerabilities from being exploited, it’s recommended to install the latest patches from your CPU manufacturer, to ensure cybercriminals can’t exploit either “Meltdown” or “Spectre” vulnerabilities. The same advice serves both average users and businesses, as the vulnerability can indiscriminately affect anyone using a vulnerable chip.

How to Protect Yourself?

Since every CPU produced in the past 20 years is affected by both “Meltdown” and “Spectre”, everyone from Android users to Windows and Mac owners are equally affected. So here’s what you need to do to protect yourself:

  • Android users will eventually receive the patch, depending on when manufacturers and carriers push it, but Google-branded phones should receive the fixes starting January 5th 2018. Keep an eye on your Android Update notifications to install the latest version that fixes these serious vulnerabilities
  • iPhone and iPad users should already be protected if their OS version is 2 or later, as the fixes were introduced with the December 2nd 2017 update. Otherwise, hit Settings > General > Software Update to download the latest version.
  • Windows users running Windows 10 should check the Settings > Update & security setting to make sure they have no pending security updates. For those running Windows 10 version 1709 (Fall Creators Update), installing the Security Update for Windows (KB4056892) patch should do the trick. Otherwise, you can manually install the patch by checking the Windows Update Catalog page.
    • Firmware updates could also become available from your system’s vendor – as this is a hardware issue – and you might want to check out your laptop’s manufacturer support page for those as well. This shouldn’t conflict with your Windows patch, and it’s best to add as many layers of protection as possible.
  • Macs contain fixes if you’re running the Mac OS High Sierra 10.13.2 update that rolled out December 6th. Your iMacs, MacBooks, Mac Pros and Mac Minis should all be updated to the latest OS version, so updating your devices is now more important than ever.
  • Browsers have also claimed to release patches that prevent web-based attacks. Chrome has a Site Isolation feature that enables each tab to run in its own instance instead of a single thread. Write chrome://flags/#enable-site-per-process in your address bar, look for Strict Site Isolation, hit Enable, then hit Relaunch Now. Also, Mozilla, Microsoft, Apple and Firefox stated they’ll release updated versions of their browser to prevent web-based attacks from exploiting these vulnerabilities, so keep an eye out for those as well.

As a side note, any device that has an Intel, AMD or ARM CPU is technically vulnerable, so it’s probably best to check the manufacturer’s page for any software or firmware updates.

Bitcoin loses ground; hackers opt for other encrypted digital currencies

Bitcoin’s popularity is waning as alternatives such as Stellar, ZCash or monero climb the cybercriminals’ preferred list. Hackers are switching to other cryptocurrencies that law enforcement may be less familiar with, so chances of detecting crime or money laundering related transactions decrease. ZCash and monero, for example, allegedly bring better encryption and privacy features to the table.

“The two most well-known cryptocurrencies are considered too expensive for most new entrants. Despite being able to purchase a fraction of each, there is a real psychological barrier around owning something in its entirety,” Dave Chapman, managing director at trading house Octagon Strategy, told CNBC.

At a total value of more than $750 billion, bitcoin covers 36 percent of the cryptocurrency market, leaving plenty of room for others like litecoin, ethereum, ripple, dash and monero to grow in market capitalization. Bitcoin’s market share dropped from last month’s 56 percent, while ethereum’s share has tripled.

“With the Ethereum blockchain reaching 1 million transactions per day, and both Ethereum and other blockchain projects frequently reaching their full transaction capacity, the need for scaling progress is becoming more and more clear and urgent,” announced ethereum founder Vitalik Buterin.

As a result, “two experimental subsidy schemes” will be started to “tie into and improve Ethereum’s scalability.”

Even Dogecoin, a new cryptocurrency created as a joke, has grown in popularity, reaching a market cap of over $1 billion in January.

According to Bloomberg, analytic firms are paying more attention to transactions and are improving techniques to detect illicit activity and transactions.

“The altcoins today, in large part, are not trying to be bitcoin competitors,” said Lex Sokolin, global director of fintech strategy at Autonomous Research LLP in London. “They are doing something else entirely — ethereum as a smart-contracts platform, iota as a machine-economy token, ripple for interbank payments, and so on.” Their use “should become increasingly relevant as the novelty of crypto wears off.”

Behavioral biometrics will replace passwords by 2022 – Gartner

In just a few years, we can all safely forget those cumbersome passwords we use to secure and unlock our devices. And we will be able to thank on-device artificial intelligence (AI) for easing the strain on our memory, according to a forecast by Gartner.

Gartner analysts believe on-device AI, as opposed to cloud-based AI, will mark a paradigm shift in digital security, and will do so sooner than most people think.

“On-device AI is currently limited to premium devices and provides better data protection and power management than full cloud-based AI, since data is processed and stored locally,” Gartner says in a report published on January 4.

The research company outlines 10 AI solutions expected to run on 80% of smartphones in 2022 that will become an essential part of vendor roadmaps and our everyday lives. At least four of them impact security.

“Digital Me”

“Smartphones will be an extension of the user, capable of recognizing them and predicting their next move,” reads the report. “They will understand who you are, what you want, when you want it, how you want it done and execute tasks upon your authority.”

This ability will not only ensure that your digital devices act under your authority, and your authority alone, but it will also ensure you know what to expect from them in terms of functionality and behavior. Going by Gartner’s forecast, “digital me” will be a crucial selling point for IoT / smart home vendors in the next couple of years.

Personal Profiling

New-generation smartphones will collect behavioral data to more accurately profile the user, paving the way for dynamic protection and assistance in emergency situations. It will also benefit insurers. Gartner speculates that car insurers will be able to adjust insurance rates based on driving behavior.

Behavioral Biometrics is an emerging technology that analyzes user behavior (including keystroke dynamics, gait analysis, voice ID, mouse use characteristics, signature analysis and cognitive biometrics), and creates a unique biometric template on the device. When the behavior doesn’t match the template, the (presumed) impostor is blocked from using the device or the device requires multi-layer authentication (just in case it makes a mistake).

Content Censorship/Detection

A device with on-board AI could automatically detect inappropriate content – such as objectionable images, videos or text – and flag it, or block it altogether.

“Computer recognition software can detect any content that violates any laws or policies,” according to the report. “For example, taking photos in high security facilities or storing highly classified data on company-paid smartphones will notify IT.”

User Authentication

Probably the boldest, but also the most-likely-to-materialize prediction from the report is the idea that on-device AI will render password-based authentication obsolete. Passwords / passcodes and PINs are indeed a weak defense, with hundreds of millions of credentials leaked, stolen or otherwise compromised every year.

For example, a list of 100 worst passwords compiled by SplashData was only made possible thanks to 5 million leaked credentials.

“Password-based, simple authentication is becoming too complex and less effective, resulting in weak security, poor user experience, and a high cost of ownership,” Gartner asserts.

“Security technology combined with machine learning, biometrics and user behavior will improve usability and self-service capabilities. For example, smartphones can capture and learn a user’s behavior, such as patterns when they walk, swipe, apply pressure to the phone, scroll and type, without the need for passwords or active authentications.”
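To make the enrollment-and-matching step concrete, here is a toy keystroke-dynamics verifier added for this page; it is example code, not Gartner’s or any vendor’s implementation. The timing samples, the z-score scoring and the two thresholds are constructed assumptions; a real deployment derives its thresholds from measured false-accept and false-reject rates. The point it shows is the three-way outcome the paragraph describes: match, block, or fall back to a second factor when the model is unsure.

```python
"""Toy behavioral-biometrics check based on keystroke dynamics (constructed example).

Enrollment builds a per-user template (mean and spread of each timing feature);
verification scores a fresh sample against it and returns one of three decisions:
"allow", "step-up" (ask for a second factor, in case the model is wrong) or "block".
"""
from statistics import mean, pstdev
from typing import Dict, List

# Constructed timing features, in milliseconds, for typing one fixed phrase.
# Each sample alternates key hold time ("dwell") and gap to the next key ("flight"):
# [dwell_1, flight_1, dwell_2, flight_2, dwell_3, flight_3]
ENROLL_SAMPLES: List[List[float]] = [
    [95, 130, 88, 150, 102, 120],
    [90, 140, 85, 160, 98, 125],
    [100, 125, 92, 145, 105, 118],
    [93, 135, 87, 155, 100, 122],
    [97, 128, 90, 148, 103, 119],
]

# Assumed decision thresholds on the mean absolute z-score; tune from FAR/FRR data.
ALLOW_THRESHOLD = 1.5
BLOCK_THRESHOLD = 4.0

Template = Dict[str, List[float]]


def build_template(samples: List[List[float]]) -> Template:
    """Per-feature mean and population std-dev; a floor of 1 ms avoids division by zero."""
    n = len(samples[0])
    means = [mean(s[i] for s in samples) for i in range(n)]
    stds = [max(pstdev([s[i] for s in samples]), 1.0) for i in range(n)]
    return {"mean": means, "std": stds}


def score(template: Template, sample: List[float]) -> float:
    """Mean absolute z-score of the sample against the template (0 = identical)."""
    return mean(
        abs(v - m) / sd
        for v, m, sd in zip(sample, template["mean"], template["std"])
    )


def decide(template: Template, sample: List[float]) -> str:
    """Map a score to an authentication decision."""
    z = score(template, sample)
    if z <= ALLOW_THRESHOLD:
        return "allow"
    if z <= BLOCK_THRESHOLD:
        return "step-up"  # plausible but uncertain: require a second factor
    return "block"


# Constructed verification samples.
GENUINE = [96, 132, 89, 152, 101, 121]      # close to the enrolled rhythm
BORDERLINE = [103, 145, 95, 165, 108, 128]  # same person, tired or on another keyboard
IMPOSTOR = [140, 220, 130, 240, 150, 200]   # someone else typing the phrase

if __name__ == "__main__":
    tmpl = build_template(ENROLL_SAMPLES)
    for name, s in (("genuine", GENUINE), ("borderline", BORDERLINE), ("impostor", IMPOSTOR)):
        print(f"{name:10s} score={score(tmpl, s):.2f} -> {decide(tmpl, s)}")
```

The middle band is the design choice that matters: a behavioral signal is noisy, so an on-device model should degrade to a stronger check rather than lock the legitimate user out on every bad day.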

Gartner isn’t just making assumptions either – Australian scientists have successfully prototyped a small wearable that uses your gait as an authentication token.

Other AI technologies that Gartner expects in portable devices by 2022 include emotion recognition, natural-language understanding, audio analytics, and more.

The road to “true AI”

Artificial intelligence was founded as an academic discipline in the 1950s and it has since had many ups and downs. Tasks requiring “intelligence” from a machine are often discarded from the definition as they become ubiquitous.

Optical character recognition, for example, has become so mundane that it no longer fits the definition. This has led computer scientist Larry Tesler to postulate a theorem along with a now-famous quip: “AI is whatever hasn’t been done yet.”

More recently AI has become a controversial topic, where even those actively developing AI systems express deep concerns about its implications if not handled correctly. Tesla CEO Elon Musk and theoretical physicist Stephen Hawking are just two of many prominent figures of our time casting a gloomy projection of AI in the years to come.

Still, humanity is a long way from true AI. Even the most complex computer systems today can’t emulate the most basic characteristics of human intelligence, such as reasoning or planning.

DHS breach exposes data of almost 247,000 employees, subjects, witnesses, complainants

Philip Kaplan, chief privacy officer of the US Department of Homeland Security, has confirmed in a statement that a 2014 security breach exposed personally identifiable information of more than 240,000 people who worked for the department in the previous 12 years, as well as subjects, witnesses and complainants in investigations.

An unauthorized copy of the database was found during a criminal investigation on the home server of a former employee.

“From May through November 2017, DHS conducted a thorough privacy investigation, extensive forensic analysis of the compromised data, an in-depth assessment of the risk to affected individuals, and comprehensive technical evaluations of the data elements exposed,” reads the press release.

“These steps required close collaboration with law enforcement investigating bodies to ensure the investigation was not compromised.”

Although the data was leaked in 2014, the leak was detected in May 2017 and reported by media outlets in November. A number of DHS employees have been informed via email that their personal data may have been exposed, including Social Security Numbers, dates of birth, addresses, phone numbers, positions, grades, and duty stations. The leaked database contained no information about family members.

“This message is to inform you of a privacy incident involving a database used by the Department of Homeland Security’s (DHS) Office of the Inspector General (OIG),” wrote the Office of the Inspector General (OIG).

“You may have been impacted by this privacy incident if you were employed by DHS in 2014, or if you were associated with a DHS OIG investigation from 2002 through 2014.”

DHS will take further precautions to strengthen its security system. People affected will receive free identity protection services for 18 months.

“The privacy incident did not stem from a cyber-attack by external actors, and the evidence indicates that affected individual’s personal information was not the primary target of the unauthorized transfer of data.”

According to the New York Times reporting in November, the inside job was run by three employees who had stolen the computer system in order to alter the software used in investigations and then sell it to other offices in the federal government.

The IRS, the NSA and other agencies have also dealt with similar privacy incidents in the past.

Iranian officials suspend Telegram for ‘encouraging hateful conduct’; Trump reacts

In an attempt to quell mass protests across the country, Iranian officials have blocked access to Telegram since Dec. 31; the application is used by activists to arrange anti-government rallies because of its end-to-end encryption functionality.

“Iranian authorities are blocking access to Telegram for the majority of Iranians after our public refusal to shut down … peacefully protesting channels,” Telegram CEO Pavel Durov wrote on Twitter.

Iranian officials claim the situation is only temporary and that Telegram was suspended because it was “encouraging hateful conduct, use of Molotov cocktails, armed uprising, and social unrest,” Mohammad-Javad Azari Jahromi, Iran’s Minister of Information and Communications Technology, tweeted on Saturday.

“The rumors about the permanent closure of the social networks do not correspond to the reality. It seems that they seek to create social discontent and pessimism,” the minister wrote on his Twitter account, according to Tehran Times.

US President Donald Trump commented on Twitter that Iran “closed down the internet so that peaceful demonstrators cannot communicate. Not good!”

“Big protests in Iran. The people are finally wise as to how their money and wealth is being stolen and squandered on terrorism,” Trump wrote. “Looks like they will not take it any longer. The USA is watching very closely for human rights violations!”

Following an increase in internet censorship in recent years and the implementation of content control software, Facebook and Twitter have been blocked since 2009, and access is now restricted for YouTube and most of the top 500 websites as well. Despite Iran’s aggressive censorship, people have found alternatives for accessing the restricted websites. For example, Iranian President Hassan Rouhani has a Facebook account. The number of Tor users has also increased to 10,000.

With over 40 million accounts in Iran alone, Telegram has been repeatedly criticized by US and European governments, which demanded access to user data to intercept communication between terrorists.

Russian ATM hacked with 5 keystrokes – Video

Slapping a full-size QWERTY keyboard on an automated teller machine is not the best way to keep the ATM safe from prying hands, as one Sberbank customer found out this holiday season.

In early December, an employee of Russian website Habrahabr went to get some cash from a Sberbank ATM that incidentally had a full-size keyboard. Out of boredom, as the man recalls, he started hitting the Shift key repeatedly when, all of a sudden, the Sticky Keys feature switched on, giving him full access to the machine’s underlying Windows XP operating system.

Sticky Keys, an accessibility feature originating in Apple’s System 6, is shared by many GUI-based operating systems, including Microsoft’s ancient Windows XP.

By pressing the Shift key five times in a row, the user switches Sticky Keys on; Windows then latches modifier keys such as Shift, Ctrl and Alt, so each can be pressed and released in turn. This eliminates the need to hold one key with a finger while reaching for other keys.

While it’s certainly helpful to users who have physical disabilities or to those with Emacs Pinky syndrome, Sticky Keys leaves Windows-based ATMs vulnerable to attacks – especially when customers are offered a full-size keyboard. The hack was captured on video and posted to YouTube (embedded below) for everyone’s viewing pleasure.

https://youtu.be/vMP6zu38YE4

As the footage shows, Sticky Keys let the user quickly access the Windows XP UI, including the Start menu and taskbar. Access to these areas of the OS means a malicious user could try to modify the way the ATM works, shut down the machine, use the ATM as a regular PC and, under the right conditions, maybe even deploy malware.
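One mitigation for a machine that must expose a keyboard is to turn off the accessibility keyboard shortcuts for the account that runs the kiosk application. The script below is an added Python example written for this page, not Sberbank’s fix (which the bank did not describe). It assumes the documented Windows layout, in which each feature keeps a REG_SZ “Flags” value under HKCU\Control Panel\Accessibility and bit 0x4 enables the keyboard shortcut; it only touches the registry when run on Windows, and elsewhere just shows the transformation on the default values.

```python
"""Audit and disable the Sticky Keys, Toggle Keys and Filter Keys keyboard
shortcuts for the current user (added example; not any bank's hardening script).

Windows keeps each feature's settings as a REG_SZ "Flags" value under
HKCU\\Control Panel\\Accessibility\\<feature>.  Bit 0x4 (SKF_HOTKEYACTIVE and the
equivalent bit for the other two features) turns the keyboard shortcut on.
Clearing only that bit leaves the feature available from the Control Panel while
removing the five-Shift (Sticky Keys), eight-second-Shift (Filter Keys) and
five-second-Num-Lock (Toggle Keys) triggers.
"""
import sys
from typing import Dict, List

HOTKEY_ACTIVE = 0x4

# Registry subkey -> Windows default "Flags" value (shortcut enabled).
FEATURES: Dict[str, str] = {
    r"Control Panel\Accessibility\StickyKeys": "510",
    r"Control Panel\Accessibility\ToggleKeys": "62",
    r"Control Panel\Accessibility\Keyboard Response": "126",  # Filter Keys
}


def hotkey_enabled(flags: str) -> bool:
    """True if the Flags value has the keyboard-shortcut bit set."""
    return bool(int(flags) & HOTKEY_ACTIVE)


def without_hotkey(flags: str) -> str:
    """Return the Flags value with only the shortcut bit cleared."""
    return str(int(flags) & ~HOTKEY_ACTIVE)


def audit(current: Dict[str, str]) -> List[str]:
    """Names of features whose shortcut is still enabled, given subkey -> Flags."""
    return [key.rsplit("\\", 1)[-1] for key, flags in current.items() if hotkey_enabled(flags)]


def read_flags() -> Dict[str, str]:
    """Read the live Flags values (Windows only)."""
    import winreg  # Windows-only standard-library module
    out: Dict[str, str] = {}
    for subkey in FEATURES:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
            out[subkey] = winreg.QueryValueEx(key, "Flags")[0]
    return out


def harden() -> List[str]:
    """Clear the shortcut bit on every feature; returns the features that changed."""
    import winreg
    changed: List[str] = []
    for subkey, flags in read_flags().items():
        new = without_hotkey(flags)
        if new != flags:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey, 0, winreg.KEY_SET_VALUE) as key:
                winreg.SetValueEx(key, "Flags", 0, winreg.REG_SZ, new)
            changed.append(subkey.rsplit("\\", 1)[-1])
    return changed


if __name__ == "__main__":
    if sys.platform != "win32":
        # Off Windows, demonstrate on the documented defaults instead of the registry.
        print("shortcut enabled for:", audit(FEATURES))
        print({k.rsplit("\\", 1)[-1]: without_hotkey(v) for k, v in FEATURES.items()})
    else:
        print("changed:", harden())
        print("shortcut still enabled for:", audit(read_flags()))
```

The values are per user and are read at logon, so apply them to the kiosk account and re-check after the next logon. This closes one door only; a machine that exposes the desktop to whoever presses Shift still needs a locked-down shell and application allow-listing, and ideally no full keyboard at all.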

Sberbank took weeks to fix the problem, according to the Habrahabr post, but eventually patched all its ATMs. A bank statement appeared to downplay the flaw as a “peculiarity” of its systems that otherwise “did not carry any risks for device security.”

‘starwars’ joins the top 100 worst passwords list in 2017

2017 will be remembered for some of the worst hacks and data leaks. Equifax, WannaCry, Goldeneye and Uber’s concealment of the leak of 57 million user records have apparently taught the average internet user nothing about security. Users still haven’t understood the importance of strong unique passwords, password management provider SplashData concluded after analyzing over 5 million leaked credentials.

According to the company’s list of the 100 worst passwords of 2017, ‘123456’ and ‘password’ are still the most used passwords. Amid intense promotion of the Star Wars movies this year, ‘starwars’ has made the list as one of the most used passwords in 2017.

“Unfortunately, while the newest episode may be a fantastic addition to the Star Wars franchise, ‘starwars’ is a dangerous password to use,” said Morgan Slain, CEO of SplashData, Inc. “Hackers are using common terms from pop culture and sports to break into accounts online because they know many people are using those easy-to-remember words.”

Other passwords include sports terms such as ‘baseball,’ ‘football,’ ‘Lakers,’ ‘jordan23,’ car brands such as ‘ferrari’ and ‘corvette,’ and words such as ‘welcome,’ ‘monkey,’ ‘cheese,’ and ‘trustno1.’ According to the list, many users choose first names as passwords, including ‘Robert,’ ‘Joshua,’ ‘Maggie’ and ‘Phoenix.’

“Hackers know your tricks, and merely tweaking an easily guessable password does not make it secure,” says Slain. “Our hope is that our Worst Passwords of the Year list will cause people to take steps to protect themselves online.”

With some users thinking that replacing the letter ‘o’ with the number ‘0’ makes an insecure password safe, 2017 ends on a sad note for computer security. Users still lack interest in online security and protecting their data from identity theft.
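A blocklist check of the kind password managers and identity providers run on new passwords, added here as an example (it is not SplashData’s tool, and the word list is a constructed excerpt modelled on the entries quoted above, not the real list). The trick worth noting is that the candidate and the blocklist are normalized the same way, so swapping ‘o’ for ‘0’, appending a year, or capitalizing does not get a listed password past the check.

```python
"""Password blocklist check with substitution-aware matching (added example).

Both the candidate and every blocklist entry are reduced to the same canonical
form, so common "tweaks" (leet substitutions, capital letters, a year or
punctuation tacked on the end) still match the underlying bad password.
"""
import re
from typing import Set, Tuple

# Constructed excerpt in the spirit of the list quoted above (not SplashData's file).
WORST = {
    "123456", "password", "starwars", "baseball", "football", "lakers", "jordan23",
    "ferrari", "corvette", "welcome", "monkey", "cheese", "trustno1",
    "robert", "joshua", "maggie", "phoenix",
}

MIN_LENGTH = 8  # assumed policy minimum

# Common look-alike substitutions, undone before comparison.
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalize(pw: str) -> str:
    """Lowercase and undo look-alike substitutions."""
    return pw.lower().translate(LEET)


def strip_suffix(pw: str) -> str:
    """Drop a trailing run of digits/punctuation, e.g. 'starwars2017!' -> 'starwars'."""
    return re.sub(r"[^a-z]+$", "", pw.lower())


def forms(pw: str) -> Set[str]:
    """Canonical forms under which a password is compared."""
    out = {normalize(pw)}
    bare = strip_suffix(pw)
    if bare:
        out.add(normalize(bare))
    return out


# The blocklist gets the same treatment, so '123456' or 'trustno1' match themselves
# even though the substitution table rewrites their digits.
BLOCKED: Set[str] = set().union(*(forms(w) for w in WORST))


def check(pw: str) -> Tuple[bool, str]:
    """Return (accepted, reason)."""
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if forms(pw) & BLOCKED:
        return False, "matches a known-bad password after normalization"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Starwars2017!", "Tru5tNo1", "123456", "correct horse battery staple"):
        print(f"{candidate!r}: {check(candidate)}")
```

In production the blocklist would be the full breach-derived corpus rather than a hundred words, and the substitution table is deliberately one-way: it only needs to map variants onto one canonical spelling, never back.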

Researchers use sound to compromise hard drives in new DOS proof-of-concept

In an entirely new twist on the security of hard disk drives (HDDs), a team of researchers from Princeton and Purdue University has released a paper demonstrating how acoustic signals at specific frequencies can compromise devices that rely on HDD technology.

Motivated by the insight that computers, closed-circuit television (CCTV) systems, medical bedside monitors, and even automated teller machines (ATMs) heavily rely on HDDs, the team of six borrowed concepts from “resonance scattering theory” to prove HDDs could leak critical private information through acoustic or electromagnetic emanations.

The team proposes an innovative denial-of-service (DoS) attack against HDDs that, instead of exploiting software, exploits a physical phenomenon known as “acoustic resonance.”

In what the team believes is the first instance of non-contact denial of service security attacks against HDDs, the paper investigates how an attacker can leverage acoustic resonance “to negatively affect the regular operation of HDDs.”

The researchers then highlight the negative consequences of the proposed attack using two real-world case studies involving a regular computer and a CCTV system.

“We demonstrate how an attacker can disable a CCTV system by targeting its digital video recorder (DVR) device. Further, we show how the proposed attack can target a personal computer, causing a failure in its underlying OS,” the paper reads.

To perform the acoustic attack proof-of-concept without any barrier shielding the HDD, the team opened up a hard drive and left its parts exposed to the carefully crafted sound waves. This, according to the team, was an effort to “better analyze potential vulnerabilities.” The team’s experimental setup is depicted in the image above.

After performing a number of attacks, SMART logs of tested HDDs showed an increased “Seek_Error_Rate,” a pre-failure attribute that can hurt the system’s performance.

In the case of CCTV cameras, “every frame of video stored on a DVR could potentially be highly crucial forensic evidence,” the paper reads, which makes this vulnerability especially attractive to bad actors.

Read the full research paper (highly recommended) to learn more about potential attackers and their capabilities, halting Read/Write operations through sound, as well as the interesting physics behind the proposed attack.
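Since the only on-host symptom the paper reports is a rising SMART Seek_Error_Rate, a defender can watch for exactly that. The monitor below is an added Python example (not the researchers’ code): it parses the attribute table printed by `smartctl -A`, compares a baseline snapshot with a later one, and reports pre-fail attributes whose raw count grew, whose normalized value dropped, or whose value is approaching its threshold. The two snapshots are constructed, with counters chosen to look like a drive under acoustic stress. Some vendors pack several counters into the Seek_Error_Rate raw value, which is why the normalized VALUE column is compared as well.

```python
"""Compare two `smartctl -A` attribute tables and flag degrading pre-fail attributes.

Added monitoring example for the symptom described above; the snapshots are
constructed and the column layout is the one smartctl prints for ATA drives.
"""
import re
from typing import Dict, List

# Constructed baseline snapshot (quiet environment).
BEFORE = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   100   100   062    Pre-fail  Always       -       0
  5 Reallocated_Sector_Ct   0x0033   100   100   005    Pre-fail  Always       -       0
  7 Seek_Error_Rate         0x000f   100   100   030    Pre-fail  Always       -       12
194 Temperature_Celsius     0x0022   067   067   000    Old_age   Always       -       33
"""

# Constructed snapshot taken after a period of acoustic interference.
AFTER = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   100   100   062    Pre-fail  Always       -       0
  5 Reallocated_Sector_Ct   0x0033   100   100   005    Pre-fail  Always       -       0
  7 Seek_Error_Rate         0x000f   089   089   030    Pre-fail  Always       -       4187
194 Temperature_Celsius     0x0022   066   066   000    Old_age   Always       -       34
"""

# One attribute row; the raw value is matched by its leading digits only, since
# smartctl sometimes appends vendor text such as "(Min/Max 20/45)".
ROW = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<name>\S+)\s+(?P<flag>0x[0-9a-fA-F]+)\s+(?P<value>\d+)\s+"
    r"(?P<worst>\d+)\s+(?P<thresh>\d+)\s+(?P<type>\S+)\s+(?P<updated>\S+)\s+"
    r"(?P<when_failed>\S+)\s+(?P<raw>\d+)"
)


def parse(table: str) -> Dict[str, dict]:
    """Parse smartctl -A output into {attribute_name: fields}; non-row lines are skipped."""
    out: Dict[str, dict] = {}
    for line in table.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        d = m.groupdict()
        out[d["name"]] = {
            "id": int(d["id"]), "value": int(d["value"]), "worst": int(d["worst"]),
            "thresh": int(d["thresh"]), "type": d["type"], "raw": int(d["raw"]),
        }
    return out


def compare(before: Dict[str, dict], after: Dict[str, dict], margin: int = 20) -> List[dict]:
    """Alerts for pre-fail attributes that got worse, or sit within `margin` of THRESH."""
    alerts: List[dict] = []
    for name, new in after.items():
        if new["type"] != "Pre-fail":
            continue
        old = before.get(name)
        raw_delta = new["raw"] - old["raw"] if old else 0
        value_drop = old["value"] - new["value"] if old else 0
        headroom = new["value"] - new["thresh"]  # <= 0 means the drive itself reports failure
        if raw_delta > 0 or value_drop > 0 or headroom <= margin:
            alerts.append({
                "attribute": name, "raw_delta": raw_delta, "value_drop": value_drop,
                "headroom": headroom, "severity": "failing" if headroom <= 0 else "warning",
            })
    return alerts


if __name__ == "__main__":
    for a in compare(parse(BEFORE), parse(AFTER)):
        print(a)
```

Run against real output, the useful signal is the rate of change between snapshots taken minutes apart rather than any single reading, and a sudden jump in seek errors on several drives in the same rack at once is a stronger hint of an environmental cause than of coincident hardware failures.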

Wall Street warming up to Bitcoin as Goldman Sachs sets up trading desk

Investment firm Goldman Sachs Group is about to dip a toe into the Bitcoin market, according to people familiar with the bank’s strategy. Bitcoin is heavily associated with cybercrime – in particular ransomware.

Goldman Sachs is setting up a trading desk to create markets in digital currencies, Bloomberg reports, citing two people with knowledge of the firm’s long-term plans.

“In response to client interest in digital currencies, we are exploring how best to serve them,” firm spokesman Michael DuVally told the news agency.

Goldman Sachs has set its sights on Bitcoin, a risky but potentially extremely profitable cryptocurrency that has captured the imagination of the world, including hackers. Cybercriminals love cryptocurrencies for one major advantage: anonymity.

The proliferation of ransomware – currently the #1 cyberthreat – was made possible partially thanks to digital currencies. After encrypting a victim’s computer, cyber crooks leave their Bitcoin wallet’s address on the screen demanding ransom be paid at that address in the form of cryptocurrency. While the public can see the wallet and its contents, no one knows who owns it.

Other popular “altcoins” (as they are collectively called) include Monero, Ethereum, Litecoin and Zcash – each with its own valuation and unique pros and cons. However, no altcoin is more valuable than Bitcoin, currently trading at around $14,000 apiece.

But because it isn’t backed by any real assets, and because it is a cybercrime currency, Bitcoin is also highly volatile – making it a very risky affair for Wall Street. Just last week, Bitcoin peaked at an impressive $20,000 per coin.

Also worth noting, several cryptocurrency concerns have fallen victim to cyberattacks. NiceHash, the self-proclaimed “largest crypto-mining marketplace” lost $60 million to hackers earlier this month.

Perhaps not surprisingly then, banks like Citigroup and Bank of America have taken a wait-and-see approach.

Nissan Canada Finance waits 10 days to inform 1.13 million customers of data breach

Nissan Canada Finance was breached, and the personal information of 1.13 million customers in Canada may have been leaked, possibly including customer name, address, vehicle make and model, vehicle identification number (VIN), credit score, loan amount and monthly payment, reads a company statement released on Thursday.

The automaker waited 10 days before announcing it had fallen victim to a cyberattack. On Dec. 11, it detected the breach that “may have involved unauthorized person(s) gaining access to the personal information of some customers that have financed their vehicles through Nissan Canada Finance and INFINITI Financial Services Canada.”

For now, the company is investigating the breach and has reached out for help to Canadian privacy regulators, law enforcement and specialists in data security. An exact number of affected customers has not been released, but all customers are being contacted as a precaution. It is believed customers outside of Canada were not affected. Nissan Canada Finance assures customers that neither payment card information nor other personal banking details were leaked.

“We sincerely apologize to the customers whose personal information may have been illegally accessed and for any frustration or inconvenience that this may cause,” said company president Alain Ballu. “We are focused on supporting our customers and ensuring the security of our systems.”

As hackers may attempt to exploit the stolen information for illicit purposes, Nissan Canada Finance said affected customers will receive free credit monitoring for one year through TransUnion.