
MIS 5170-18 Topic: Operating Systems Security

MIS 5170 - Section 001 - Andrew Szajlai

Fox School of Business

Week 11 Update

March 29, 2018 by Andrew Szajlai 35 Comments

Good afternoon,

Here are the slides for tonight:  Week_11

In The News:

  • Unix/Linux
    • How many devices in your enterprise are running it?
      • Dr. Eric Cole URL is On-Line
  • Omitting the “o” in .com Could Be Costly
    • Why companies buy misspellings of their company’s URL
      •  https://krebsonsecurity.com/2018/03/omitting-the-o-in-com-could-be-costly/
  •  Atlanta Ransomware…
    • Time Is Running Out For Atlanta In Ransomware Attack
      •  Lots of sites

Filed Under: Week 11: Unix/Linux Configuration Management


Comments

  1. Sev Shirozian says

    April 2, 2018 at 10:32 am

    With Facebook being in the news recently and with the campaign out there to “delete Facebook”, I thought this article was interesting because Apple is doing the complete opposite of what Facebook is doing with our private information that these vendors can collect about us on our personal and mobile devices.

    Looks like one of the reasons driving this mindset in Apple is because of GDPR coming really soon in Europe. Or one can argue that’s what Apple’s mindset was before GDPR came about too. Apple allowing you to see, download and even delete the information they have about you is a refreshing concept in the world of online privacy and targeted advertisement.

    It looks like the option will be available for folks that upgrade to iOS 11.3.

    https://www.cultofmac.com/538515/view-edit-delete-everything-apple-knows-about-you/#more-538515

    Sev Shirozian

    • Jason A Lindsley says

      April 4, 2018 at 8:51 pm

      Thanks for sharing Sev. I think it’s great that Apple is making this standard for all users and not just EU citizens that it is required for under GDPR. It will be interesting to see how much GDPR changes the landscape for data privacy beyond EU and how many other countries follow suit with similar regulations.

      I’ll be interested to see what the user experience is like once I upgrade to iOS 11.3.

    • Patrick DeStefano (tuc50677) says

      April 5, 2018 at 5:10 pm

      Great Article Sev,

      I personally wasn’t aware Apple took this particular stance on user privacy; that being said, I’m glad they do. It’s funny in that I just got off the phone with my friend. We were talking about Maserati cars with each other. He has Android and I have an iPhone. He sent me a screenshot of an ad for a Maserati about 5 minutes later which popped up on a Google search for him. Nothing of the sort on my iPhone. Just as Jason said, I’m really interested in seeing what position and practices companies implement as a reaction to the GDPR rules.

    • Donald Hoxhaj says

      April 12, 2018 at 2:09 pm

      I agree with you Sev. Companies have become cautious with the recent Facebook data scandal, even though they might have done the same way of sharing data with publishers or advertisers. With this, customers will surely be confident of sharing their information with companies and can trust in absolute confidentiality. It would definitely be interesting to see how GDPR changes shape in non-European nations.

  2. Sev Shirozian says

    April 2, 2018 at 11:05 am

    https://krebsonsecurity.com/2018/03/omitting-the-o-in-com-could-be-costly/

    When reading the article “Omitting the “o” in .com Could Be Costly” on krebsonsecurity it reminded me of the hundreds if not thousands of times I have fat-fingered a URL in my browser. What I wasn’t aware of was how a lot of these “typosquatting” domains and sites are hosted by one marketing company whose CEO is a convicted felon. The good thing about this is there are companies out there that do web URL filtering and can block full on servers/IPs/and URLs from being loaded on your workstation’s browser. One such company is called Zscaler.

    Zscaler is a company that has a cloud offering to provide URL filtering based on categories. You can set up your enterprise systems with agents or even VPN tunnels back to their cloud hosted engine that will check all URLs typed by an end user to make sure that it doesn’t fall into one of the blocked categories. Some of these categories include:

    Bandwidth Loss
    Business Use
    General Surfing
    Legal Liability
    Productivity Loss
    Privacy Risk

    Each of these general categories also has more detailed sub-categories. Also there’s a miscellaneous category where it categorizes sites it hasn’t had a chance to categorize yet. If you really want to tighten your URL filtering you block this too. But this will cause a lot of help desk tickets and false positives.

    There are other companies that do this too, such as Symantec’s Bluecoat. It doesn’t matter which company’s tool you use, but this is definitely a must in corporate enterprises to not only avoid legal issues, but to protect the end users from cyber attacks especially if the site they are going to is a malicious site trying to steal sensitive info or a phishing site trying to take your credentials.

    One other thing that’s great is this link:

    https://sitereview.zscaler.com/

    You can use this to check what category a particular site might fall in before you actually type it into your browser.

    Sev Shirozian

  3. Vince Kelly says

    April 3, 2018 at 10:32 am

    Six Cyber Threats to Really Worry About in 2018
    From AI-powered hacking to tampering with voting systems, here are some of the big risks on our radar screen.
    https://www.technologyreview.com/s/609641/six-cyber-threats-to-really-worry-about-in-2018/

    Although most of these predictions, (Huge Data Breaches, Ransomware in the Cloud, etc.), seem to be almost a given, two predictions stand out to me:

    Weaponization of AI is potentially the scariest – releasing open source frameworks and tools for AI (Elon Musk’s OpenAI initiative for example) gives potential adversaries that have few capital resources to expend in this area access to technology that has greater destructive potential than nuclear weapons.

    True, the alternative of a single country controlling that sort of technology alone is scary but this gives almost any impoverished, unstable regime in the world an ability to literally hold the world hostage. (see: The World’s Ten most Unstable Countries http://www.newsweek.com/world-ten-most-unstable-countries-511821).

    The second, less “politically charged” but equally interesting prediction is the (potential) theft of distributed computational resources for cryptocurrency mining. This, I think, could really be something to watch for, especially because there is a potential motivation for governments to get into the act.

    Cryptocurrencies have become the perfect tool for countries to circumvent political sanctions – (“Russia Ministry of Finance to legalize Cryptocurrency Trading” https://www.google.com/search?q=russia+opens+cryptocurrency+exchange&rlz=1C1CHZL_enUS755US755&oq=russia+opens+cryptocurrency+exchange&aqs=chrome..69i57.11617j0j7&sourceid=chrome&ie=UTF-8,

    “South Korea says North stole cryptocurrency worth billions of won last year”
    https://www.cnbc.com/2018/02/05/south-korea-says-north-stole-cryptocurrency-worth-billions-of-won-last-year.html, etc. ).

    In fact, Russia recently assisted Venezuela in standing up its own Cryptocurrency trading system as a way of circumventing sanctions.

    I think that this sort of activity (stealing compute cycles, ‘dark cryptocurrency exchanges’, etc), will probably accelerate to the point where any kind of future sanctions may become largely irrelevant – making the world that much more unstable – as if it’s not unstable enough already;)

  4. Richard Mu says

    April 4, 2018 at 9:45 am

    Intel announced that they are no longer going to be patching older CPUs in regards to the Spectre vulnerability.

    It was previously announced that Intel “would patch Bloomfield (45nm, Core i7), Clarksfield (45nm mobile Core i7), Jasper Forest (45nm Xeon), Penryn (45nm mobile Core 2 Duo), Yorkfield (45nm Core 2 Quad), and Wolfdale (45nm desktop Core 2 Duo). Intel’s SoFIA line of processors, some of which are still sold today, was also set to be updated as well.”

    One of the reasons that Intel provided for not patching those CPUs was the “Limited Commercially Available System Software support.” Most of the CPUs in that list date back as far as 2007. It is difficult to gauge how many computers are going to be vulnerable; however, it could potentially be in the millions.

    It might be best to consider upgrading systems with newer CPUs that are set to be patched.

    https://www.extremetech.com/computing/266884-intel-wont-patch-older-cpus-to-resolve-spectre-flaws

    • Jason A Lindsley says

      April 4, 2018 at 9:09 pm

      This is probably one of the more interesting vulnerabilities that’s been discovered due to the complexity of patching. There are probably hundreds of millions of devices that cannot ever be patched. I’ve read and heard various things about this vulnerability that downplay its significance – it’s difficult to weaponize and exploit, you need physical access to the device, there are much easier methods to plan an attack (e.g. phishing). What concerns me about this vulnerability is the unknown. All of these are assumptions for downplaying the vulnerability and it may be only a matter of time until a sophisticated exploit is available in the wild. If that happens, we’re going to have a potential real crisis (or “meltdown”) on our hands.

      • Patrick DeStefano (tuc50677) says

        April 5, 2018 at 5:14 pm

        Hopefully users of these older machines are able to recognize that their system is one of the vulnerable ones and have the financial means to upgrade or remediate the risk. (Most probably won’t even realize until it’s too late though).

  5. Frederic D Rohrer says

    April 4, 2018 at 10:05 am

    We talked about the security problem with misspelling domains in class last week and I thought I’d share this similar issue. While you can fat-finger a URL, your computer can do the same. Bits can randomly flip and this can be taken advantage of by registering a domain that is one bit different than a popular domain.
    For example, aeazon.com is one bit away from amazon.com. Flipping a bit in that memory space could make your computer navigate to aeazon.com instead. This is not really a big issue since bits are very unlikely to flip, unless you live in space or inside a nuclear reactor. However, with the amount of internet connected devices out there the likelihood increases. The author of this article got an average of 59 requests per day to his 32 bit-squatting domains (human error excluded).

    http://dinaburg.org/bitsquatting.html

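An added example, not part of the original comment or the linked article: for a domain you own, it lists the names that are exactly one flipped bit away (aeazon.com for amazon.com), so they can be registered defensively or watched for in DNS logs. The function names and the choice to leave the TLD untouched are assumptions of this example.

```python
import string

# Letters, digits and hyphen: the only characters a registrable DNS label may contain.
LDH = set(string.ascii_lowercase + string.digits + "-")


def _valid_label(label):
    """A label must be non-empty, LDH-only, and must not start or end with '-'."""
    return bool(label) and set(label) <= LDH and label[0] != "-" and label[-1] != "-"


def bitflip_neighbours(domain):
    """List valid names that differ from `domain` by one flipped bit.

    Only the labels left of the TLD are mutated (an assumption of this example:
    a corrupted TLD would have to exist before anyone could register under it).
    Returns (candidate, index, original_char, new_char, bit_mask) tuples.
    """
    domain = domain.lower().rstrip(".")
    name, _, tld = domain.rpartition(".")
    results = []
    for i, ch in enumerate(name):
        if ch == ".":
            continue  # label separators are left alone
        for bit in range(8):
            new = chr(ord(ch) ^ (1 << bit)).lower()
            # Flipping 0x20 only changes case, which DNS ignores: not a new name.
            if new == ch or new not in LDH:
                continue
            mutated = name[:i] + new + name[i + 1:]
            if all(_valid_label(part) for part in mutated.split(".")):
                results.append((f"{mutated}.{tld}", i, ch, new, 1 << bit))
    return results


def classify(observed, protected):
    """Return the bit-flip record if `observed` is a one-bit neighbour of `protected`."""
    observed = observed.lower().rstrip(".")
    for record in bitflip_neighbours(protected):
        if record[0] == observed:
            return record
    return None


if __name__ == "__main__":
    # amazon.com is the example domain used in the comment above.
    for cand, i, old, new, mask in bitflip_neighbours("amazon.com"):
        print(f"{cand:<14} pos {i}: {old!r} -> {new!r} (bit 0x{mask:02x})")
```

`classify` can be pointed at names seen in resolver logs to tell a bit-flip neighbour apart from an ordinary typo, which differs by more than one bit in most cases.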
    • Jason A Lindsley says

      April 4, 2018 at 9:24 pm

      Wow – this is a fascinating experiment. It would be interesting to do a follow-up to see what the recommendations are to prevent devices from flipping bits. Although it seems like the problem is relatively minor, it would be interesting to see what some of the root causes are for the thematic errors, especially in Windows devices. Thanks for sharing. If I ever get diverted to a strange website when I am certain I typed in the right URL, I’ll now know why! And I’ll be sure not to enter my user ID and password!

    • Fraser G says

      April 5, 2018 at 2:22 pm

      Interesting article and great slide deck. Worth checking out the video from his Defcon talk: https://www.youtube.com/watch?v=lZ8s1JwtNas

      Thanks for sharing this.

    • Patrick DeStefano (tuc50677) says

      April 5, 2018 at 5:20 pm

      Coming from a software development QA background, this scares me that this is even a possibility. Computers don’t do things randomly unless the code or program tells it to (At least Skynet hasn’t taken over yet). This tells me that there has to be certain very corner case scenarios triggering this bit to get flipped. If there is a way to isolate these occurrences and trace the activity on these lines to see what led up to this flip, we could possibly isolate the trigger for this bit flip. That being said, It would be extremely difficult to have this happen. Maybe some science experiment in space or inside a nuclear reactor would help? lol jk 😉

  6. Shi Yu Dong says

    April 4, 2018 at 10:50 pm

    “Microsoft’s Meltdown Patch Made Windows 7 PCs More Insecure”

    The Meltdown CPU vulnerability was a critical vulnerability of CPUs. Upon patching/fixing the vulnerability, Microsoft somehow made a flaw in the patch/fix that made the vulnerability even worse on the Windows 7 OS, allowing any unprivileged, user-level application to read content from and even write data to the operating system’s kernel memory.

    No sophisticated exploits are necessary to take advantage of the vulnerability. All attackers have to do is to write their own Page Table Entries (PTEs) into the page tables in RAM in order to access arbitrary physical memory.

    It is suggested to update/patch Windows 7 OS immediately.

    Ref. link:
    https://thehackernews.com/2018/03/microsofts-meltdown-vulnerability.html

    • Brock Donnelly says

      April 5, 2018 at 3:28 pm

      This is sad. How about an upgrade? Windows 7 is on the “out list” for a fair amount of organizations. I am sure finances come into play for organizations’ upgrade decisions but this buggy patch allows access to GBs of data in, not minutes, “a second.” Don’t worry, MS patched this problem as well.

      • Patrick DeStefano (tuc50677) says

        April 5, 2018 at 5:30 pm

        I know we are supposed to always keep our software, operating systems, etc. up to date with the most recent patches. With that being said, it’s also kinda worrisome that one of these updates or patches could actually contain or open up a large vulnerability itself within the application or operating system.

    • Donald Hoxhaj says

      April 12, 2018 at 2:10 pm

      Shi,

      I am surprised to see companies like Microsoft unable to test the patches even before releasing them for consumers around the world. Usually these issues are taken care of through cross-device testing way in advance before releasing. I am still unsure what drastic effects the recent Meltdown Patch has had on systems and what breaches have already been crossed. The company should technically give the option to roll back the patches to the previous ones before the insecurity becomes more vulnerable for external attacks.

  7. Jason A Lindsley says

    April 4, 2018 at 11:32 pm

    https://www.wired.com/story/fin7-carbanak-hacking-group-behind-a-string-of-big-breaches/

    This article is about a very sophisticated organization that makes about $50 million a month stealing credit cards from POS systems. They have been connected to many of the major POS breaches, including more recently SAKS Fifth Avenue, Saks Off 5th, and Lord & Taylor department stores.

    The most interesting part of this article is the description of the sophistication of this mysterious group and how they operate as a business entity. The article explains that they have “a mastermind, they have managers, they have money launderers, they have software developers, and they have software testers.”

    I imagine that entities like this and nation state entities will become even more sophisticated as time passes and the profitability and benefits of hacking are considered by certain individuals to outweigh the costs and risks. It is important that these groups are exposed and prosecuted to set an example and deter other criminals from following suit.

    • Brock Donnelly says

      April 5, 2018 at 3:17 pm

      50 MILLION A… MONTH? That is insane. There is nothing like bringing home the bacon at 600 million a year. This group is more severe than ATM jackpotting and seems more successful than the best spammer outfits. Golly, I remember when gangs used to just carry knives.

    • Scott Radaszkiewicz says

      April 5, 2018 at 3:21 pm

      Really interesting article Jason. That’s a staggering number! $50 Million. And guess who that loss gets passed onto, not the companies, but the consumer.

      It’s a brave new world, and as much as the digital age has made our life easier, it will also make life easier for thieves! They don’t even have to leave their house in this world to steal your money.

  8. Satwika Balakrishnan says

    April 5, 2018 at 1:20 am

    Securing Devices by Making Simple Changes

    https://www.cisecurity.org/newsletter/securing-devices-by-making-simple-changes/

    A very useful article which lists various measures that we could take to secure our devices.

    I would like to highlight a few points from the article which we often tend to overlook.

    i) Network access or Internet access may be enabled on a device by default. Disable network/Internet access for devices that do not need it. Some devices require connecting to other devices in the home network alone, and do not require full access to world wide web.

    ii) Wireless access points (APs) are oftentimes configured to broadcast the SSID, or network name. Consider changing these settings to turn this feature off, which can better secure your WiFi network.

    iii) Create two different WiFi networks on your wireless router, if your router supports it. It is always best to have IoTs connected to a different network from the one used to connect computers and other personal devices. This is also a good solution when you do not want your guests or other users to share your WiFi network.

    iv) Wireless access points or routers are set up by default to not use encryption and to not require a password. It is always recommended to turn on WPA2 encryption for your wireless networks and to set a strong password.

    v) Change all default passwords.

    vi) Always enable PINs or unlock patterns on your mobile devices.

    vii) Turn off location services if not needed.

    viii) Cameras and audio input are enabled by default on some devices. Disable these features if not needed.

    • Scott Radaszkiewicz says

      April 5, 2018 at 3:24 pm

      Great article Satwika. Some very simple and useful tips for people to follow. The problem is that you have people who know nothing more than how to plug in their router and connect their WiFi device to it. You would be surprised to see how many people don’t change their router password! I’ve even seen routers set up in business with default router passwords. I was at a doctor’s office once, and their “free Wifi” offer was really free. The Netgear Router they had plugged in was up and running, right out of the box. No changes at all. Default password, etc.

      The problem sometimes is, most people don’t know what danger they are in!

      • Satwika Balakrishnan says

        April 5, 2018 at 4:52 pm

        Yes, it is true that the majority of people are unaware of the consequences. Even in an enterprise, I believe around 80% of the employees are often ignorant of cyber security. Sometimes it is because of lack of appropriate training or even ineffective training. Whatever the reason be, with the number of cyber attacks on the rise, I think it is time we take some action in this regard.

  9. Manogna Alahari says

    April 5, 2018 at 10:54 am

    Atlanta Ransomware…

    For over a week, the City of Atlanta has battled a ransomware attack that has caused serious digital disruptions. Any ransomware attacks normally affect systems most often through phishing attacks and malicious executables. Once a PC is compromised, the malware then encrypts files before throwing up a landing page warning that if the victim does not pay up, they will never receive a key to decrypt their systems. Ransomware which infiltrates by exploiting vulnerabilities or guessing weak passwords uses mechanisms like the popular password discovery tool to start to gain control of a network.
    To protect your systems from such attacks, here are a few countermeasures:
    1. Patch all vulnerable versions of Microsoft, critical patches are released ahead of their Patch Tuesday.
    2. Update your antivirus and anti-ransomware definitions regularly.
    3. Regularly back up your critical data. In the event of a ransomware attack, backups are the only way one can minimize the damage.

    • Brock Donnelly says

      April 5, 2018 at 3:02 pm

      I wonder how many people who pay a ransom for their data actually get it returned. I seem to remember from previous discussions that some hacker groups are using ransomware designed by others with no intention of providing a resolution. I think it was Krebs that found a fair amount of found ransomware had a consistent account as to where to send your money. If people are using ransomware just to be malicious then Manogna, like you said regular backups may be the only solution.

  10. Fraser G says

    April 5, 2018 at 2:06 pm

    https://www.fireeye.com/blog/threat-research/2018/04/fake-software-update-abuses-netsupport-remote-access-tool.html

    Fake Software Update Abuses NetSupport Remote Access Tool

    This article details an attack that uses remote access tools (RAT) which are spread using JavaScript and fake updates masquerading as legitimate sites – Chrome, Adobe etc. The RAT is then unknowingly installed on a user’s system and remote access/admin is possible. This is an interesting form of malware, as it preys on users who (and I am guilty of this) are quick to update/patch in an effort to remain secure.

    Mitigation:

    - Corporate environments should lock down GPO so that JavaScript can’t be run from untrusted sites, and users don’t have the ability to install new software.
    - Top down / managed patching that is communicated to the user. Explain that patches and updates are handled by security and you don’t need to do them yourself.
    - Logging traffic and filtering for known exploits / vectors when they go public, do recursive scans to check.

    • Fraser G says

      April 5, 2018 at 2:12 pm

      In addition I would recommend checking hashes when downloading software and updates if possible!

      Does anyone know of a good tool to automate this kind of thing?

      • Fred Zajac says

        April 5, 2018 at 3:23 pm

        Fraser,

        The thing about patch management is testing the patch to see if it is valid or even if it will hinder your system. For instance, if you are not monitoring your hard drive space and a new patch gets installed that puts your hard drive in an unhealthy state, then the good update may crash the system.

        Automation on these things is difficult, but not impossible. We use a 3rd party provider that includes network monitoring and patch management capabilities. The 3rd party provider tests the patch prior to releasing it to the “approved” patch list. This includes several different operating systems. It also monitors the system resources to determine if the patch / update caused significant increase in resources, or spikes. Thresholds are set for alerting. All of this is conducted in the Network Operation Center (NOC). We can’t afford a NOC, so we use a 3rd party for this automation.

  11. Brock Donnelly says

    April 5, 2018 at 2:54 pm

    https://thehackernews.com/2018/04/cisco-switches-hacking.html

    Critical flaw leaves thousands of Cisco Switches vulnerable to remote hacking

    Security researchers have found a base Common Vulnerability Scoring System (CVSS) score of 9.8 (critical) vulnerability in Cisco’s IOS software. With this flaw, an unauthorized remote hacker could execute code or take full control of the vulnerable equipment. All an informed hacker needs to do is send a “Smart Install message” to an affected device on TCP port 4786 (open by default) allowing a buffer overflow. Researchers state that it could also be used to create a denial of service as well.

    Cisco has released a patch on March 28th but there are approximately 250,000 unpatched devices open to hackers.

    Here is a list of the hardware affected:
    Catalyst 4500 Supervisor Engines
    Catalyst 3850 Series
    Catalyst 3750 Series
    Catalyst 3650 Series
    Catalyst 3560 Series
    Catalyst 2960 Series
    Catalyst 2975 Series
    IE 2000
    IE 3000
    IE 3010
    IE 4000
    IE 4010
    IE 5000
    SM-ES2 SKUs
    SM-ES3 SKUs
    NME-16ES-1G-P
    SM-X-ES3 SKUs

  12. Mustafa Aydin says

    April 5, 2018 at 3:07 pm

    QR Code Bug in Apple iOS 11 could Lead You to Malicious Sites

    A new vulnerability has been disclosed in iOS Camera App that could be exploited to redirect users to a malicious website without their knowledge. The vulnerability affects Apple’s latest iOS 11 mobile operating system for iPhone, iPad, and iPod touch devices and resides in the built-in QR code reader.

    With iOS 11, Apple introduced a new feature that gives users ability to automatically read QR codes using their iPhone’s native camera app without requiring any third-party QR code reader app. You need to open the Camera app on your iPhone or iPad and point the device at a QR code. If the code contains any URL, it will give you a notification with the link address, asking you to tap to visit it in Safari browser.

    However, you may not be visiting the URL displayed to you. According to security researcher Roman Mueller, the URL parser of built-in QR code reader for iOS camera app fails to detect the hostname in the URL, which allows attackers to manipulate the displayed URL in the notification, tricking users to visit malicious websites instead.

    For the demo, the researcher created a QR code (shown above) with the following URL:

    https://xxx\@facebook.com:443@infosec.rm-it.de/

    If you scan it with the iOS camera app, it will show following notification:

    Open “facebook.com” in Safari

    When you tap it to open the site, it will instead open:

    https://infosec.rm-it.de/

    QR (Quick Response) code is a quick and convenient way to share information, but the issue becomes particularly more dangerous when users rely on QR codes for making quick payments or opening banking websites, where they might end up giving their login credentials away to phishing websites.

    The researcher had already reported this flaw to Apple in December last year, but Apple hasn’t yet fixed the bug to date.

    • Mustafa Aydin says

      April 5, 2018 at 3:09 pm

      https://thehackernews.com/2018/03/ios-qr-code-camera.html

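The URL from the demo above, run through a display check (an added example, not code from the original post, the researcher or Apple): it reports the host that Python's `urlsplit` resolves, which is everything after the last `@`, and flags host-like text hidden in the userinfo part. `inspect_link` and its three rules are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Something that looks like a hostname: dot-separated labels ending in letters.
HOSTLIKE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}", re.I)


def inspect_link(url):
    """Report where a URL really goes and why its text may mislead a reader."""
    parts = urlsplit(url)
    # Everything before the LAST '@' in the authority is userinfo, not the host.
    userinfo, at, _hostport = parts.netloc.rpartition("@")
    reasons = []
    if at:
        reasons.append("userinfo present before the host")
    decoys = [m.group(0).lower() for m in HOSTLIKE.finditer(userinfo)]
    if decoys:
        reasons.append("host-like text inside userinfo: " + ", ".join(decoys))
    if "\\" in parts.netloc:
        # URL parsers do not all treat a backslash in the authority the same way.
        reasons.append("backslash in authority")
    return {
        "host": parts.hostname,      # what a prompt should display
        "decoys": decoys,            # what the user could be tricked into reading
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    # First URL is the one quoted in the post; the second is a constructed benign case.
    for link in (r"https://xxx\@facebook.com:443@infosec.rm-it.de/",
                 "https://www.facebook.com/login"):
        print(link, "->", inspect_link(link))
```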
  13. Fred Zajac says

    April 5, 2018 at 3:14 pm

    A few projects ago, I was asked to think about how to create baseline configurations based on different compliance regulations for Business Associates and Covered Entities. Once the baseline configurations are created, we will want to push them down to different network environments or other clients. Pretty simple process and solution.

    The problem is… How do we know if the configurations or the baseline that was determined has been set or hasn’t been altered?

    This is where a new feature in Server 2016 Configuration Management tool comes in. You now have the ability to audit the configurations of the devices on your network. Even NON-WINDOWS and Mobile devices.

    The tool runs checks against the settings defined / baselines and reports on the findings. Will determine if an employee was smart enough to make a configuration change on a device connected to the network. Check it out!

    I have not used this tool, but have added it to the list of things to check out in a test environment. You could use this on a monthly, quarterly, or annual basis to cover yourself against “negligence”.

    https://docs.microsoft.com/en-us/sccm/compliance/get-started/get-started-with-compliance-settings

    Here is information included with Configuration Manager 2016

    https://docs.microsoft.com/en-us/sccm/core/plan-design/changes/features-and-capabilities
    You are able to

  14. Scott Radaszkiewicz says

    April 5, 2018 at 3:15 pm

    Google Bans Cryptocurrency Mining Extensions From Chrome Web Store

    https://thehackernews.com/2018/04/cryptojacking-chrome-extension.html

    Cryptojacking has been a very popular topic in the news recently. Cryptojacking is defined as the unknown use of a computing device to mine cryptocurrency. Encryption techniques are used to regulate cryptocurrency, so stealing CPU power from unknown users has become very popular.

    Google has now blocked all crypto mining activity. In the past, they would allow any extension that informed the user about its mining, and was permitted by the user. Google states that about 90% of developers failed this test anyway, so they have decided to block all crypto mining.

    Twitter has also announced a similar plan, and Facebook banned ads promoting cryptocurrencies.

  15. Patrick DeStefano (tuc50677) says

    April 5, 2018 at 4:40 pm

    Omitting the “o” in .com Could Be Costly:

    Why companies buy misspellings of their company’s URL

    https://krebsonsecurity.com/2018/03/omitting-the-o-in-com-could-be-costly/

    The article discusses a trend where spammers own domains which are near identical to real company URLs and use these webpages to trigger spam and potentially malware to users. For example, if you are trying to go to http://www.chase.com, however you have a typo and go to http://www.chase.cm instead, this url could be used for spamming reasons. A good practice for any company to discourage such things from targeting your customers is to buy up url names for ones which may be easy for users to mistake with spelling errors and have them automatically redirect to your main page.

  16. Donald Hoxhaj says

    April 12, 2018 at 2:09 pm

    Omitting the “o” in .com could be costly

    https://krebsonsecurity.com/2018/03/omitting-the-o-in-com-could-be-costly/

    There are several cases where we just misspell words on the keyboard, but it could land you in a serious problem while entering a URL if care is not taken. If you just miss an “o” in .com and type .cm instead, there is a chance of making yourself exposed to the enormous spam that spreads on the internet.

    A senior security advisor at SecureWorks, Matthew Chambers, has penned a post on his personal blog about a situation in which a user got attacked by malware after typing espn.cm instead of espn.com; as soon as he hit Enter, several popups were displayed on his computer screen, preventing him from viewing the website. But later, when Chambers examined the source code of that site (espn.cm), he stated that there is a weird activity in which the pages on the sites would vaporize themselves after the initial visit, displaying a standard 404 page not found error when revisited.

    Later he listed some of the typosquatting domains which are hosted on the same Internet address (85.25.199.30), including aol.cm, facebook.cm, suntrust.cm and Walmart.cm.

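A detection-side illustration of the typosquatting discussed in the comments above, added here and not taken from the Krebs article or any commenter: it scans resolver log lines for queries that are one dropped character away from a protected domain, which covers the .com to .cm case and generalizes it to omissions anywhere in the name. The log format, sample lines and watchlist are constructed for the example.

```python
# Domains the organisation cares about (names taken from the comments above).
WATCHLIST = ["espn.com", "chase.com", "facebook.com",
             "suntrust.com", "walmart.com", "aol.com"]

# Constructed resolver log; assumed format: "<timestamp> <client> <qtype> <qname>".
SAMPLE_LOG = """\
2018-03-29T18:01:07Z 10.0.4.17 A espn.cm.
2018-03-29T18:01:09Z 10.0.4.17 A espn.com.
2018-03-29T18:03:44Z 10.0.7.52 A www.chase.com.
2018-03-29T18:05:12Z 10.0.7.52 AAAA Facebook.cm
2018-03-29T18:09:30Z 10.0.9.3 A walmrt.com.
2018-03-29T18:11:02Z 10.0.9.3 A example.org.
malformed line
"""


def normalise(qname):
    """Lower-case, drop the trailing root dot and a leading 'www.' label."""
    q = qname.lower().rstrip(".")
    return q[4:] if q.startswith("www.") else q


def is_one_omission(typed, real):
    """True when `typed` is `real` with exactly one character left out."""
    if len(typed) + 1 != len(real):
        return False
    i = 0
    while i < len(typed) and typed[i] == real[i]:
        i += 1
    # Skip the character missing from `typed`; the remainders must then agree.
    return typed[i:] == real[i + 1:]


def match_protected(qname, watchlist):
    """Return the protected domain that `qname` imitates, or None."""
    q = normalise(qname)
    if q in watchlist:
        return None  # the genuine name is not a finding
    for real in watchlist:
        if is_one_omission(q, real):
            return real
    return None


def scan(lines, watchlist=WATCHLIST):
    """Yield (client, queried_name, imitated_domain) for each suspicious query."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # ignore lines that do not fit the assumed format
        _ts, client, _qtype, qname = fields
        real = match_protected(qname, watchlist)
        if real:
            hits.append((client, normalise(qname), real))
    return hits


if __name__ == "__main__":
    for client, seen, real in scan(SAMPLE_LOG.splitlines()):
        print(f"{client} queried {seen} (one character short of {real})")
```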
