Good Afternoon,
I have uploaded the complete set of videos to the 2nd assignment. I have also sent a link to the location for the videos on OWLBox.
This week's class spent a lot of time reviewing what will be needed to complete assignment 2.
- I have fixed the above link, as well as added everyone in class to be able to see the files. I missed updating the access. If anyone is having any issues please let me know.
Please post items you have found difficult or need help building the environment. This week most of the participation on the site will focus on getting things working for our next class.
As a secondary item, we would like questions or thoughts about CIS or NIST baselines.
Class slides for Week 4
See those that can make it tonight at 5:30 on WebEx; if not I’ll post the recording after class tonight.
- Week 4 Video: WebEx Link
I have sent an e-mail to four students that have not submitted their first assignment, which is considered late (with a 10% deduction). I will grade those that I have gotten and start to post the grades on BBLearn.
Here are the links from the Class slides to drive this week's conversation:
- CIS Site:
- Would You Have Spotted This Skimmer?
- I would not have; that one really looks real
- Internet Storm Center
- Patch Tuesday…? (Always changing)
- https://isc.sans.edu/
- SQL injection and division by zero exceptions
- Patch Tuesday…? (Always changing)
Frederic D Rohrer says
Site: https://www.cisecurity.org/cis-benchmarks/
Introduction:
CIS, or the Center for Internet Security, is a nonprofit founded in 2000 with the goal to establish a crowd-sourcing model to identify threats and work on effective security measures. The organization offers CIS benchmarks for a wide range of software, which are distributed free of charge.
CIS offers a wide range of Benchmarks for Operating Systems, IaaS systems such as Amazon Linux or Docker, and for productivity software such as MS Office.
The Benchmark:
CIS’ benchmarks follow the same formatting: a security patch is listed with a rationale, an audit tutorial and a remediation tutorial. In addition, some patches are scored, which includes them in the benchmark score. At the end of the list all settings are accounted for and the benchmark score is calculated.
For example, let's look at the Linux Debian 8 benchmark, setting 6.1 (Ensure the X Window system is not installed). This is a scored setting, meaning if the X Window system is indeed enabled, we have to subtract points from the overall benchmark.
The profile applicability is Level 1, meaning that it is an essential security setting that does not impact the use case beyond acceptable means. Level 1 settings reflect the minimum baseline with no impact, whereas Level 2 settings are very secure but may impact utility or performance of the system.
The description tells us what the X Window system does.
The rationale explains why that system should be disabled.
The audit lists a command that we can run to check for the xserver package. If the package is not found we are good to go; however, if it is installed we can look at the next point:
The remediation lists command/s for fixing the setting, in this case uninstalling the xserver package.
In a corporate setting we would ideally run two benchmarks, one in which settings are audited, and then again one in which we remedy the settings where our use case allows.
CIS also publishes already hardened images and remediation kits for some OSes. These images are however only available on AWS, Google Cloud and Azure.
Jason A Lindsley says
Great summary Frederic. I also found these benchmarks very useful and I was impressed with the level of detail and structure of these documents. I also think it’s great that they publish Cloud images for these main Cloud providers.
One of the greatest benefits of Cloud is to easily deploy hardened images. However, it’s essential that organizations formally document and maintain their baselines and monitor for configuration drift.
It’s also important to have an exception process. There will always be applications and systems that will require a deviation from baseline, so it is important that there is a formal process to document and request an exception, perform a risk assessment on the exception, gather approvals, and review the exception periodically (at least annually).
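The benchmark structure Frederic describes (id, level, scored or not, an audit and a remediation), the two-pass audit-then-remediate workflow, and the exception process Jason mentions can be put together in one small harness. This is an added example, not CIS's own tooling or code from either post; it is meant to run under PowerShell (pwsh) on the Debian host, and the dpkg/apt-get commands for item 6.1 are assumptions, not the benchmark's verbatim text.

```powershell
# Added example (not from CIS or the posts above): audit/remediate harness
# shaped like a benchmark entry. Commands for item 6.1 are assumed.
$Benchmark = @(
    @{
        Id          = '6.1'
        Title       = 'Ensure the X Window system is not installed'
        Level       = 1          # Level 1: essential, no impact on normal use
        Scored      = $true      # scored items count toward the benchmark score
        # Audit passes when no xserver-xorg* package is in the installed (ii) state.
        Audit       = {
            sh -c "dpkg -l 'xserver-xorg*' 2>/dev/null | grep -q '^ii'"
            return ($LASTEXITCODE -ne 0)
        }
        # Remediation is only run in Remediate mode and only for failed items.
        Remediation = { sh -c "apt-get remove -y 'xserver-xorg*'" }
    }
    # Further items follow the same shape.
)

function Invoke-CisBenchmark {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [array] $Items,
        [ValidateSet('Audit', 'Remediate')] [string] $Mode = 'Audit',
        [int]      $MaxLevel   = 1,     # Level 1 by default, Level 2 on request
        [string[]] $Exceptions = @()    # approved deviations, by item id
    )

    $results = foreach ($item in $Items) {
        if ($item.Level -gt $MaxLevel) { continue }

        $status = if ($item.Id -in $Exceptions) {
            'Exception'                 # documented, risk-assessed, approved, reviewed
        } elseif (& $item.Audit) {
            'Pass'
        } elseif ($Mode -eq 'Remediate') {
            & $item.Remediation | Out-Null
            if (& $item.Audit) { 'Remediated' } else { 'Fail' }   # re-audit after the fix
        } else {
            'Fail'
        }

        [pscustomobject]@{
            Id = $item.Id; Title = $item.Title; Level = $item.Level
            Scored = $item.Scored; Status = $status
        }
    }

    # Score: only scored items count, and only Pass/Remediated earn the point.
    $scored = @($results | Where-Object Scored)
    $earned = @($scored | Where-Object { $_.Status -in 'Pass', 'Remediated' })
    $score  = if ($scored.Count) { [math]::Round(100 * $earned.Count / $scored.Count, 1) } else { 0 }

    [pscustomobject]@{ Mode = $Mode; Results = $results; Score = $score }
}

# Pass 1: audit only and record the score.
$audit = Invoke-CisBenchmark -Items $Benchmark -Mode Audit
$audit.Results | Format-Table
"Score: $($audit.Score)%"
# Pass 2: remediate where the use case allows, skipping approved exceptions.
# Invoke-CisBenchmark -Items $Benchmark -Mode Remediate -Exceptions @('6.1')
```

Keeping the audit and remediation as separate script blocks mirrors the benchmark layout, and the exception list makes the approved deviations visible in the results instead of silently counting them as failures.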
Satwika Balakrishnan says
CIS benchmarks are a great way for organizations to assess and improve the security of their networks. They are particularly strong because they have been founded by a group of other participating organizations and are based on defenses from actual attacks. I like how detailed and clear they are. Apart from the fact that they are public and free, what most interested me was that these can be adopted by anyone for even their personal devices as well. Another big advantage is that they cover a lot of standards right from the planning phase to the audit phase. This can also help small organizations who often spend huge amounts, especially in consulting external auditors about fundamental audit and security practices.
However, it should be understood that these benchmarks are a set of base level or foundational level practices that all the organizations should incorporate into their best practices and that the risk levels for each organization will vary based on their operations, so it is still necessary to adopt other security measures to develop a robust and safe cyber infrastructure.
Vince Kelly says
How to convert a VMWare Virtual Machine to run on Hyper-V using MS Converter Utility and PowerShell
Per the previous posts from week 2 and 3, this course is really the first time that I’ve had an opportunity to work with Hyper-V and at this point I can honestly say that I’m actually somewhat impressed by it.
Hyper-V comes with Windows 10 (you just need to turn it on), it's extremely simple to use (not a lot of complex bells and whistles) and certainly seems somewhat more secure than other virtual machine managers (recall that VirtualBox logs and VM configuration files get stored as plaintext).
With this in mind, I decided to try to see if I could convert/migrate some of the VMWare VMs that I've been keeping around over to Hyper-V. Like I said, Hyper-V doesn't have a lot of bells and whistles but I stumbled across a Microsoft utility that will convert VMWare Virtual Machine .vmdk files into Microsoft Hyper-V .vhdx virtual disks which can then be imported into Hyper-V – for the life of me I don't understand why this isn't part of Hyper-V manager already – but here are the steps to do the conversion anyway:
1. Get the VMWare VM (.vmdk) file that you want to convert. For the purposes of this example, let's say the VM name is 'Server_2012' and you put it in the following directory:
c:\users\public\documents\Server_2012.vmdk
2. Download and install the .vmdk converter utility tool from Microsoft. It can be found here:
https://www.microsoft.com/en-us/download/details.aspx?id=42497
The installation process creates the following directory for the converter:
C:\Program Files\Microsoft Virtual Machine Converter
The installation utility also installs a PowerShell module called MvmcCmdlet.psd1 in this directory. This is the module that we will use to do the actual conversion.
3. Open up PowerShell (run as administrator)
4. Enter the following PowerShell commands:
# Import the conversion utility as follows:
#
Import-Module "C:\Program Files\Microsoft Virtual Machine Converter\MvmcCmdlet.psd1"
# Now execute the conversion - don't forget the quotes!
#
ConvertTo-MvmcVirtualHardDisk -SourceLiteralPath "c:\users\public\documents\Server_2012.vmdk" -DestinationLiteralPath "c:\users\public\documents\Server_2012.vhdx" -VhdType DynamicHardDisk -VhdFormat Vhdx
…and that's all there is to it! The process creates a Hyper-V virtual disk that you can now use to create a VM.
5. Once the above step is done, go into Hyper-V manager and create a new VM using the virtual disk (.vhdx file) that you just created like so:
– Under the Actions tab click New–>Virtual Machine
– This brings up the New Virtual Machine Wizard
– Click NEXT
– Give the VM a name – for this example we want to call it ‘Server-2012’
– Click NEXT
– Select Generation 1
– Click NEXT
– UNCHECK the box ‘Use Dynamic Memory for This Virtual Machine’ (unless you want to crash your PC;)
– Click NEXT
– Configure the network adapter connection for the vSwitch (this step is optional – see week 2/3 posts)
– Click NEXT
– Select ‘Use an existing virtual hard disk’
– Browse to where you stored the .vhdx file that you just created using the utility
– Click NEXT
– This brings up the final summary page.
– Click FINISH
WARNING! WARNING! WARNING! WARNING!
(my opinion here) It seems as though Microsoft is a bit slow in updating its conversion utility with the latest device drivers from competitors like VMWare (imagine that!;). So SOMETIMES, depending on the VM being converted, the utility seems to mess up the ethernet device driver that was ported over from VMWare – even if that VM was working perfectly fine before it was converted from .vmdk to .vhdx.
In my case, one of the VMs that I brought over was an Ubuntu machine. After going through all of the steps above, the new VM came up but it didn't have an ethernet driver installed – the ethernet configuration file was there and configured correctly – it's just that the virtual ethernet NIC hardware was 'missing'.
I could see that Hyper-V had (correctly) configured a network adapter when I looked at the settings for the VM, it's just that the VM's ethernet device driver was simply not there.
30 minutes and a few choice curse words later, I stumbled upon the following way to fix it:
– shut down the VM in Hyper-V manager
– Right click on the VM then choose settings
– from the VM setting wizard, select the network adapter that’s been configured
– choose ‘Remove’ to delete this adapter
– choose ‘Apply’
– Now at the very top of the hardware panel (on the left of the wizard), select 'Add Hardware'
– choose ‘Legacy Network Adapter’
– Click ADD
– At this point all you need to do is to connect your new legacy adapter to the vSwitch/external network
– Click Apply
Restart your VM and you should be good to go…
Again, this little gotcha only seems to happen occasionally but the fix works for me every time I’ve needed to use it.
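The whole procedure above (convert the disk, create a Generation 1 VM with static memory on the converted .vhdx, and, when the guest comes up without a usable NIC, swap the adapter for a legacy one) can be scripted instead of clicked through. This is an added example, not Microsoft's code and not from the original post: the MVMC module path and ConvertTo-MvmcVirtualHardDisk are the ones given in the post, the remaining cmdlets are the standard ones in the Hyper-V PowerShell module, and the switch name 'External' is an assumption. Run it from an elevated PowerShell on the Hyper-V host.

```powershell
# Added example, not from the post or from Microsoft. Assumes the MVMC tool is
# installed as described above and the Hyper-V module is present on the host.

function Convert-VmwareDiskToHyperV {
    param(
        [Parameter(Mandatory)] [string] $VmdkPath,
        [Parameter(Mandatory)] [string] $VhdxPath
    )
    if (-not (Test-Path -LiteralPath $VmdkPath)) { throw "Source disk not found: $VmdkPath" }
    Import-Module 'C:\Program Files\Microsoft Virtual Machine Converter\MvmcCmdlet.psd1' -ErrorAction Stop
    # Steps 2-4 of the post: .vmdk -> dynamically expanding .vhdx
    ConvertTo-MvmcVirtualHardDisk -SourceLiteralPath $VmdkPath -DestinationLiteralPath $VhdxPath `
        -VhdType DynamicHardDisk -VhdFormat Vhdx
    Get-Item -LiteralPath $VhdxPath
}

function New-VmFromConvertedDisk {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $VhdxPath,
        [string] $SwitchName,                  # optional, as in step 5
        [long]   $MemoryBytes = 2GB
    )
    # Step 5: Generation 1, existing virtual disk, dynamic memory left off
    $vm = New-VM -Name $Name -Generation 1 -MemoryStartupBytes $MemoryBytes -VHDPath $VhdxPath
    Set-VM -VM $vm -StaticMemory
    if ($SwitchName) { Connect-VMNetworkAdapter -VMName $Name -SwitchName $SwitchName }
    $vm
}

function Repair-MissingGuestNic {
    # The fix from the post: remove the synthetic adapter and add a legacy
    # (emulated) one, which a Gen 1 guest can drive without integration drivers.
    param(
        [Parameter(Mandatory)] [string] $VmName,
        [Parameter(Mandatory)] [string] $SwitchName
    )
    if ((Get-VM -Name $VmName).State -ne 'Off') { Stop-VM -Name $VmName -Force }
    Get-VMNetworkAdapter -VMName $VmName | Remove-VMNetworkAdapter
    Add-VMNetworkAdapter -VMName $VmName -IsLegacy $true -SwitchName $SwitchName
    Start-VM -Name $VmName
}

# Usage: paths and VM name as in the post; the switch name is an assumption.
$vmdk = 'C:\Users\Public\Documents\Server_2012.vmdk'
$vhdx = 'C:\Users\Public\Documents\Server_2012.vhdx'
Convert-VmwareDiskToHyperV -VmdkPath $vmdk -VhdxPath $vhdx
New-VmFromConvertedDisk -Name 'Server_2012' -VhdxPath $vhdx -SwitchName 'External'
# Only if the guest boots without a working NIC:
# Repair-MissingGuestNic -VmName 'Server_2012' -SwitchName 'External'
```

Keeping the legacy-adapter step as a separate function matters: a legacy adapter is emulated and slower than the synthetic one, so it is a fallback for guests that lack the Hyper-V drivers, not the default.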
Jason A Lindsley says
Vince,
Curious, what are you running Hyper-V on? I’m using VM Workstation on Windows 2016, but I’m curious about your hardware setup. Also, do Temple students have access to a free copy of Hyper-V?
Andrew Szajlai says
If you have Windows 10 you can follow the following to install Hyper-V (https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v). I added it to my Surface Pro. I'll bring it to class on Thursday.
Vince Kelly says
Yes, just a Surface Pro 4. If you have Windows 10 it comes with it. I did a write up on how to turn it on and configure VMs over the last couple of weeks – *EXTREMELY* easy to do and use!!!!
Obviously, all those .iso's and VM files suck up a lot of disk space – but then you've got that problem anyway for any hypervisor. I just didn't want to have to install VirtualBox or another hypervisor when it was there anyway.
You did get me wondering now though, I wonder if the Hyper-V VM virtual disk images (the .vhdx files) have a smaller disk footprint than the same VM configured for VMW or Vbox?
I’ll check it out and let you know.
Good luck
Patrick DeStefano (tuc50677) says
Would You Have Spotted This Skimmer?
https://krebsonsecurity.com/2018/02/would-you-have-spotted-this-skimmer/
The article goes over how a fraudster was able to create and install a skimming device at Aldi grocery store. The skimming was virtually unidentifiable to the unsuspecting eye.
For the past 6 years, I've been working in IT for a large credit card company. In my experience, I have worked on testing the functionality of NFC, Magnetic Strip, Chip, and Mobile Wallet when making transactions with credit cards. It's truly terrifying how easy it is to skim the magnetic strip of a credit card and clone a card. You can go and buy a $15 magnetic strip reader on Amazon and plug it into your USB drive, open up Notepad and then swipe your credit card. Notepad will write out the data from the magnetic stripe automatically. If you do this, you will see that with just a single swipe, you give away your account number, expiration date, name, and security code from your card. This is one of the reasons almost all credit card companies have begun using Chips on their cards and are really encouraging customers to use mobile wallets whenever possible. Data from a chip is much more difficult to obtain and clone compared to a magnetic stripe, and mobile wallets don't use your account number altogether, using and storing only a token number which only the issuing bank is aware of. Fraud is a very profitable business and costs issuers millions and millions of dollars every year, which is why these issuers have been really stepping up their game and investing in technology to reduce cloning and fraud related to it.
Now that I got my credit card blurb out of the way, to address the issue in the article specifically.
Fraudsters are always going to be out there trying new ways to steal card information, so there's no way to eliminate the risk completely unless you decide to always pay with cash, but that has its own risks. From a card user perspective, you can lower your risk by simply being aware of your surroundings and taking a good look at any card reader you are about to insert your card into, maybe tug on it a bit to ensure it doesn't come off, and verify that the device doesn't look like it's been tampered with. Your best bet on keeping your PII secure is to use a mobile wallet, such as ApplePay, SamsungPay, AndroidPay, etc. These all use tokens which will be useless to fraudsters attempting to clone cards.
The responsibility to ensure the card reader is legitimate also lies with the merchant here. If it can be proved that fraud occurred or originated from a skimmer or security breach at a merchant terminal, the financial responsibility of the fraud committed lies with the merchant itself. As a merchant, it would be a wise decision to train employees how to recognize if a device has been tampered with and to inspect all of the card readers on a frequent basis. This will help mitigate any financial risk as well as risk of consumer confidence loss due to card skimming.
Duy Nguyen says
Hi Patrick,
This article is more alarming than the related ones. Some skimmers are installed in regular checkout lines; this article reviews installation of skimmers in self-checkout lanes where security and supervision are at a minimum, thus making it even less challenging for thieves to install and retrieve the skimmer and skimmed data. I agree that some responsibility should be on the merchant to guarantee a safe transaction, but additional responsibility should be on the card companies as well. And yes, the card companies have responded with newer chip technologies making the transaction more secure. Now it's just for the users to actually be alert and use this new chip technology.
https://krebsonsecurity.com/2016/10/self-checkout-skimmers-go-bluetooth/
Patrick DeStefano (tuc50677) says
I agree Duy,
Related to which party is responsible for any fraud, there was a liability shift which happened back in October of 2015. Essentially, after Oct 2015, legally, between the merchant and credit card company, whichever party has the lesser security measures will be liable for any fraud which occurred on that account. If an issuer has chip cards, but a merchant doesn’t have a chip reader or their chip reader is non-functioning, the merchant assumes liability for any fraud on that account at their terminal. If it is the other way around and the merchant has a chip reader, but the bank has not issued a chip card, then the bank assumes responsibility and the cost of any fraud on that account. See this article: https://www.creditcards.com/credit-card-news/understanding-EMV-fraud-liability-shift-1271.php
Scott Radaszkiewicz says
https://krebsonsecurity.com/2018/02/would-you-have-spotted-this-skimmer/
This is a very interesting article that describes a very low profile ATM skimmer that was placed in Aldi stores in a local Pennsylvania area.
Skimming has been going on for a while, with not just ATM cards, but credit cards too. I used to use my ATM/Visa card for purchases, but over the past several years, I have not used it, specifically because of this reason. Should a person get my ATM pin, then that’s my money, real money. And the fight to get that real money back, as explained in the article, can be a real inconvenience. I strictly use credit cards when paying for purchases, not my ATM card. Dealing with fraud and theft is much easier with a credit card.
But not all people will do what I do. Unfortunately, since users will continue to be users, and not notice things like this until it's too late, the only countermeasure is cards with Chips, versus the old swipe technology. If you're interested in how the chip works, I found this article a while back that I think explained it really well.
https://money.howstuffworks.com/personal-finance/debt-management/chip-and-pin-credit-cards.htm
Frederic D Rohrer says
Scott,
you point out a great advantage for credit cards (besides the points you can earn). I feel that credit cards/ATM cards present a system that has to be secured like any other. Like you said, using a credit line for physical payments is a great way to limit risk. Separating your payment methods for physical transactions is also similar to security compartmentalization. Monitoring can be used to further limit your risk, in this case that could mean setting up email notifications for transactions over a certain amount. I think ultimately a credit card presents a system that needs to be secured, unfortunately, at least in my experience, that needs to be done by the end user who does not always know how to.
Patrick DeStefano (tuc50677) says
I would strongly suggest using an emerging technology, mobile wallets, with either your ATM/Debit cards or Credit Cards. The technology used with processing ApplePay, SamsungPay, AndroidPay, or other mobile wallets is far superior to even using chip cards themselves. These mobile wallets work with your bank and set up a token number to use and send between the phone, merchant, and issuer as opposed to sending a user's personal details, such as account number, zip code, customer name, etc.
Matt Roberts says
iOS 9 Leaked
https://www.technewsworld.com/story/85126.html
A portion of the source code for Apple’s iOS 9 mobile operating system has been leaked recently on GitHub. Apple has issued a copyright violation notice since then and maintained that the leak of this code should not compromise security, especially that of their more up-to-date versions which most users already have installed. While in theory the leak of source code should not necessarily enable an attacker to get into the system, it should be noted that the leaked portion was important for the secure iBoot process. While this news doesn’t warrant immediate alarm, it is possible that it could be used to find ways to jailbreak the tight security restrictions of iOS and find undiscovered vulnerabilities within the boot loader. This is definitely something for iPhone users to keep an eye on.
Bilaal Williams says
February 2018 Adobe Flash Security Update
https://helpx.adobe.com/security/products/flash-player/apsb18-03.html
Adobe Flash Player is known for its issues, and many flaws have been discovered in the software. This most recent Patch Tuesday revealed another zero-day vulnerability in Adobe Flash Player.
The latest flaw allows Remote Code Execution on various platforms and it appears to already affect some Windows users. It’s been discovered that a group named Group 123 is behind the malware. A Flash SWF file is embedded in a Microsoft Excel document, and opening it will lead to the Flash object downloading a ROKRAT payload from malicious websites, and then execute it. Apparently, this group is not known for using zero-day in attacks, so this represents an advancement in the capabilities shown by the group.
A patch was released on February 5, and anyone who runs automatic updates will be patched. The affected versions are 28.0.0.137 and earlier for Desktop Runtime, Chrome, Microsoft Edge, and IE.
https://helpx.adobe.com/security/products/flash-player/apsb18-03.html
Jason A Lindsley says
Thanks for sharing Bilaal. I’ll bet this is one of the many reasons my work computer had so many updates pushed and installed over the past few weeks. I’ll need to check my personal devices to see if they are vulnerable.
Adobe Flash is like a zombie, but it looks like it will finally be sunset in 2020:
http://www.theverge.com/platform/amp/2017/7/25/16026236/adobe-flash-end-of-support-2020
This article mentions that a lot of gaming, education, and video sites will be impacted. They need to transition to HTML5 before 2020. They probably won't though, and we users will be the ones impacted. Hopefully browsers and tech companies will just block sites still using Adobe Flash.
Scott Radaszkiewicz says
Thanks Bilaal. Yes, finally going to see the end of Flash in 2020. It can't come too soon. Recently Google announced that the Chrome Browser would default to HTML5 when possible, and Google has banned Flash from any of its display ads. The problem is that so much is built on Flash that it just can't be killed off! So many websites still use and rely on Flash to run. I work at a school district. We have two very major software programs for our elementary students that are heavily Flash based. The company is working to remedy that, but their time frame is sometime in 2019! They have to rebuild the software that they spent 7 years building!
Fred Zajac says
Hey all,
Flash can be disabled in all popular internet browsers. Plus, you can set up Office to not allow files with Flash or any plug-in.
To stop flash in group policy:
Search Group Policy editor –> Computer Configuration –> Administrative Templates –> Windows Components –> Internet Explorer –> Security Features –> Add On Management –> Turn off Adobe Flash = Enabled.
Enable by clicking Turn off Adobe Flash –> click Edit Policy Setting –> Select Enable
No more Flash for IE on your local computer. Do this in a networked environment too. You can use PowerShell and run a script to do this quickly. We did this in Assignment 1.
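The Group Policy setting above writes a single policy value that PowerShell can set and verify directly, which is how the "do this in a networked environment" part can be scripted. This is an added example, not from the post or from Microsoft: the registry location (Software\Policies\Microsoft\Internet Explorer\Security, DisableFlashInIE = 1) is the one I understand the "Turn off Adobe Flash" policy to use, so confirm it against the ADMX on your domain controller before rolling it out, and the computer names are placeholders.

```powershell
# Added example, not from the post. Assumes the "Turn off Adobe Flash" policy
# maps to the DisableFlashInIE value below (verify against your ADMX).
$FlashPolicy = @{
    Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Security'
    Name  = 'DisableFlashInIE'
    Value = 1
}

function Disable-FlashInIE {
    # Idempotent: creates the key if it is missing and sets the DWORD to 1.
    if (-not (Test-Path -LiteralPath $FlashPolicy.Path)) {
        New-Item -Path $FlashPolicy.Path -Force | Out-Null
    }
    New-ItemProperty -LiteralPath $FlashPolicy.Path -Name $FlashPolicy.Name `
        -PropertyType DWord -Value $FlashPolicy.Value -Force | Out-Null
}

function Test-FlashDisabledInIE {
    # True only when the policy value exists and equals 1; a missing value
    # means the machine is still at the default (Flash allowed).
    $current = Get-ItemProperty -LiteralPath $FlashPolicy.Path -Name $FlashPolicy.Name `
        -ErrorAction SilentlyContinue
    return ($null -ne $current -and $current.($FlashPolicy.Name) -eq 1)
}

function Set-FlashDisabledOnComputers {
    # Same change pushed over WinRM; returns one row per host for evidence.
    param([Parameter(Mandatory)] [string[]] $ComputerName)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $FlashPolicy -ScriptBlock {
        param($policy)
        if (-not (Test-Path -LiteralPath $policy.Path)) { New-Item -Path $policy.Path -Force | Out-Null }
        New-ItemProperty -LiteralPath $policy.Path -Name $policy.Name `
            -PropertyType DWord -Value $policy.Value -Force | Out-Null
        $v = (Get-ItemProperty -LiteralPath $policy.Path -Name $policy.Name).($policy.Name)
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; FlashDisabled = ($v -eq 1) }
    }
}

# Local machine (elevated prompt required for HKLM):
Disable-FlashInIE
Test-FlashDisabledInIE
# Fleet (placeholder names; WinRM must be enabled on the targets):
# Set-FlashDisabledOnComputers -ComputerName 'PC01', 'PC02' | Format-Table
```

Setting the value under the Policies hive rather than the user-facing IE settings is deliberate: policy values are reapplied by Group Policy and cannot be flipped back from the browser's own options dialog.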
Shi Yu Dong says
“Hackers Can Now Steal Data Even From Faraday Cage Air-Gapped Computers”
In Wireless Network Security, given the nature of physics related to wireless signal propagation in the air, exposure of wireless radio frequency waves beyond the intended security perimeter such as a building or room has always been an issue. When the signal bleeds outside of the building and is reachable from a cafe shop across the street, it must be considered a big problem because a hacker can perform malicious activities while drinking coffee in a cafe shop across the street without even needing to get into the building. While this is an issue, companies for many years have been accepting this fact "as-is" and protected wireless access by applying best industry practices (such as changing the passcode every 3-6 months) and implementing appropriate wireless security to prevent malicious eavesdropping.
While general wireless security solutions work for most organizations, some organizations may need to have workstations completely isolated from network communications. A "Faraday Cage" is what is usually used to achieve complete isolation from the network by containment of any signal transmission within the cage where critical workstations reside.
https://thehackernews.com/2018/02/airgap-computer-hacking.html
Vince Kelly says
Interesting post Shi, thanks. It seems like a bit of a stretch though, don't you think? It assumes the malware can be planted and then happily just sit there regulating/manipulating the workloads without being detected?
I guess you never know:)
Good point on wireless – I seem to recall that several of the early versions of wireless NICs had features that allowed you to 'tune' down Tx power and beacon transmit frequency – wonder why they got rid of those tunability features?
Sev Shirozian says
This sounds like something that would happen in Mission Impossible or in James Bond but working in the Defense industry this is definitely a real concern. Even if you're working in a SCIF, they don't want you to bring any technology, cell phones, laptops, pagers, etc. to avoid issues like this. Only the approved systems that are in that room are allowed to be used. And removing data from that room has to follow a specific process, with markings, classifications and specific directions. If it's really possible to steal data via a wireless method it's good that the government has these requirements for classified areas.
– Sev Shirozian
Scott Radaszkiewicz says
Very interesting article. Faraday cages have been around a long time. I read the article, twice in fact. I’m jammed up on the fact that they say in the article “Once a computer is infected”. So this is not really breaking into a computer that is protected by a Faraday Cage Air-Gap, it’s getting the data off of it.
If you do it right, how can you even get to it to get it off?
None the less, a very interesting concept and article. I’m sure, with this incentive, someone will solve the puzzle of how to get it on there.
Jason A Lindsley says
Would You Have Spotted This Skimmer?
https://krebsonsecurity.com/2018/02/would-you-have-spotted-this-skimmer/
I agree with others that this was an interesting article and it is shocking how simple it is to install a skimmer to intercept the card data from a swipe of the magnetic strip. I also thought it was disturbing to read some of the other articles that explained how these devices use Bluetooth technology to send that harvested data to a remote location.
To me the most interesting part of the article was this statement:
“While Aldi payment terminals in the United States are capable of accepting more secure chip-based card transactions, the company has yet to enable chip payments….”
Merchants were given until October 1, 2015 to transition to chip-based POS systems. After that date, merchants that do not accept chip based cards are liable for all fraud committed on chip based cards that were forced to use a magnetic swipe. See this article for more information:
https://www.inc.com/john-swanciger/most-small-companies-still-dont-accept-chip-based-credit-cards-putting-them-at-risk-of-fraud.html
This deadline was important for both merchants and financial institutions that issue credit cards. While merchants raced to upgrade their POS systems, financial institutions were also racing to convert to EMV chip based cards due to these changes in fraud liability. If merchants didn’t cutover to EMV readers, they were now on the hook for fraud. If financial institutions didn’t issue chip based cards, they remained liable for fraud.
The article I linked above also discusses that many small business merchants have not made the transition. There are many up front costs to making this change, but the cost of a major fraud could put the company out of business.
It especially amazes me that large companies like Aldi (and Wawa) have not activated their chip based systems. I imagine that a big part of this is the fact that it can take 10-20 seconds for a chip based transaction to clear. Perhaps they made a business decision that this is not acceptable and would lead to longer lines and less revenue. Fortunately, the article mentions that the speed of a chip based transaction is improving. Perhaps these improvements will encourage merchants to finally accept chip based transactions (and mobile wallet payments).
Brock Donnelly says
I really don't think that chip-based transactions take all that long. I would say that they feel like they take the same time. Sometimes I wonder if this magnification of time measurement is due to the fact that people can't handle "uncomfortable" silence. Have you ever had to troubleshoot a computer issue in front of an audience? Have you ever had to wait for a computer to reboot in front of an audience? You could time that reboot and know it takes only 90 seconds but you would swear it was 6 minutes. I think a lot of the "chipped cards take longer" phenomenon comes from misperceived time due to lacking comfort in a quiet social scene and the resistance to change.
My gripe with the chipped systems is that they are not all the same. Based on how you would like to process your transaction, sometimes you are required to take the card out and then swipe. Others do not; why?
Patrick DeStefano (tuc50677) says
As someone who works for a large credit card issuer and who helped implement this chip technology, I can tell you that if a chip reader is working properly, you should not have to pull the card out and then swipe. If you have to do this, that would be called a fallback transaction where for some reason, the communication between the card and the chip reader is malfunctioning (could be a chip issue or a reader issue). In a magstripe transaction, there are only a few select types of data which get communicated between the card, merchant, and issuer. In a chip transaction, there are many more fields/data elements communicated including a specially generated cryptogram, chip transaction counter, and other types of data. All this data is used to analyze the transaction to better identify potential fraud cases.
As far as the wait time, when chip was brand new, it did in fact take a lot longer to read the chip data than it was for a simple swipe of a mag stripe; however, over the past several years processing speeds have improved as the technology in the readers has improved along with it.
Mustafa Aydin says
Top 3 Malware Last Month
1- Kovter
This malware family is well known for being tricky to detect and remove because of its file-less design after infection. They infect your PCs, so malware perpetrators can perform click-fraud and install additional malware on your machines.
They can steal your personal information, download more malware, or give a malicious hacker access to your PC. When Kovter is installed, the malware will drop its main payload as data in a registry key. After installation, the malware will remove the original installer from the disk leaving only registry keys that contain the malware.
2- CoinMiner
This threat uses your PC to generate Bitcoins. It installs software that can make your PC run slower than usual.
The trojan drops an application that uses your PC to make bitcoins for a malicious hacker. The trojan often drops other component files, such as commonly-used library files, that allow the miner to function properly. The bitcoin mining application can be installed with the same name as a legitimate process.
3- Emotet
This threat can collect your sensitive information and send it to a malicious hacker. It can be installed on your PC when you open a malicious spam email attachment.
This threat usually arrives on your PC as a .zip or .exe file attached to a spam email. This trojan injects code into explorer.exe to add persistence and hide its running process. It can also inject its code to other running processes.
https://www.cisecurity.org/cybersecurity-threats/
https://www.microsoft.com/
Brock Donnelly says
I was wondering if we would see malware to assist in cryptocurrency mining. It's brilliant really. I don't have enough computers to mine, nor enough money to acquire them… well, just steal everyone else's memory resources.
I always thought a library at a major education institution would make a good coin mining operation. Looks like I am not the only one.
CoinMiner is likely being installed via the ever popular fake Flash Player update notice you get from visiting web pages. Here is an article I found with removal instructions:
https://www.pcrisk.com/removal-guides/12088-coinminer-malware
Frederic D Rohrer says
Brock,
This is an interesting topic. Some websites use a JavaScript based miner instead of running advertisement. I recently saw a Web Assembly miner, classified by Symantec as PUA.WASMcoinminer. Check out Remedy ticket 1198502 for that.
Scott Radaszkiewicz says
A client that I help support actually got hit with this CoinMiner Malware last week. They had contacted me telling me things were running real slow on one of the systems. I connected in, and after a few minutes found this .exe file that was consuming 80-90% of the system resources. Some research showed that it was a bitcoin mining malware program. I removed the offending program and did some investigating. Turns out the person using the system was working on a presentation with a colleague. These guys are old school, and were sharing a USB key with the documents on them. The USB key had the trojan on it. Still trying to find ground zero, and how this got onto the USB key. Had this malware been smart, and taken up smaller amounts of resources, then this might have gone on for a long time. The CPU hog alerted someone to an issue. I thought hackers were smarter!
Patrick DeStefano (tuc50677) says
Scott, a friend of mine who works in InfoSec for a hospital here in Philly was mentioning that this happened to them a month or two ago (maybe we are thinking of the same thing). He told me that they noticed one of their servers was running at a very high capacity for a prolonged period. After they researched, they found that it was being used as a bitcoin miner.
If the hackers were smarter, like you said, they should not have had it run so heavily on that server, but just like Wall Street, greed can make people try too hard to the point where it gets them in trouble.
Mustafa Aydin says
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FCoinMiner
Donald Hoxhaj says
That’s pretty useful information Mustafa. This malware list is definitely worth noting, and most of it I have never heard of before. CoinMiner as I see is pretty dangerous considering the fact that Bitcoins are the future of virtual payment systems. I came across this interesting article which pretty much says how to remove CoinMiner malware from systems. Might be useful to read. Link below:
https://www.2-spyware.com/remove-jscoinminer.html
Zirui You says
“Apple’s Confidential iBoot Source Code Leaked Online”
http://searchsecurity.techtarget.com/news/252434802/Apples-confidential-iBoot-source-code-leaked-online
Apple’s confidential source code for its iBoot for iOS devices was first leaked on the American social news aggregation site Reddit last year, but was not noticed by lots of people until it was uploaded to the hosting service site GitHub in the beginning of 2018. Although the source code was for iOS 9, the most current version, iOS 11, runs pretty much the same way. Apple quickly responded to confirm this incident and requested removal of the code from the related website. Apple did not release any further solution about how to deal with this issue, but people could realize that Apple’s devices have potential vulnerability with the iBoot source code leaked out.
Brock Donnelly says
I don’t see this as too much of a security concern for the current iOS or iBoot. As the article mentioned it is an older version for iOS 9. It is possible they are still using portions of iBoot’s iOS 9 code but generational changes to this type of code are a swift way to mitigate vulnerabilities.
Apple’s real problem lies with their employees’ ethics. If we assume this wasn’t stolen then it had to be leaked. That can only happen from the inside. Could this be an access control issue at Apple? Or just a disgruntled employee?
Scott Radaszkiewicz says
I think the biggest thing hurt here is Apple’s feelings! It’s iOS 9, and a bit old. I’m sure the code will give some insight into how Apple iOS is built and might allow hackers to hack later systems, but to me, Apple got a black eye on this. Their precious secrets are out in the open.
Donald Hoxhaj says
I feel that this might not be of a great concern especially when Apple was no longer using iOS 9 and had moved 2 generations ahead. However, this would have been a concern for users who have been using iOS 9. I think the company did a great job in removing the code from the related website. It’s also surprising how the confidential source code for iBoot got leaked when Apple is known to have a far safer Operating System when compared to other OSes.
Brock Donnelly says
https://krebsonsecurity.com/2018/02/would-you-have-spotted-this-skimmer/
I can remember about a two week period where both my boss and I were skimmed. I am aware of skimmers as is my boss. Our situations did not contain overlays and we were still suckered. The skimming took place at the gas pump for the both of us but at different gas station locations. Aware of skimmers, I already make sure that I choose the credit card option for all gas pump charges; my boss however does not. As for my boss, he felt eyes on him during his transaction and noticed a nervous guy paying close attention to him in a way that seemed like he was trying to see a PIN number entered. He felt so put off by this individual that he ran right to the office and right to his bank account net login. Money was missing already. He was fortunate to have caught it so early that the bank forgave him as this money came directly out of his savings account.
I check for skimmers on every card swipe transaction. I can say without a doubt that my skimmer was internal to the gas pump or an internal operation at that station. Having chosen credit card for my transaction, I only need to put in my zip code for authentication. With my card skimmed and my number sent off to California, hotel rooms and general groceries were purchased before the credit card authority noticed the erratic charges. No money was removed from my savings and the charges were erased. I was skimmed but the impact was only on my time.
That being said I would probably still fall victim to this skimmer.
What confuses me about this skimmer is the shoulder surfing rubber protector. I would have to assume that the card scanner they are placing this on does not have the rubber surfer protector. That would be a huge give-away to the establishment’s employees. I know the article stresses that Aldi’s should not be held responsible but I disagree. This is something that should fall under loss prevention. Retail establishments generally all have a loss prevention team and if not, they have loss prevention training for all employees. In such training you are taught how to observe suspect people and their often masked actions. I shop at Aldi’s, a lot, and I completely hold them accountable for what happens in their store and on their equipment that processes financial transactions.
Patrick DeStefano (tuc50677) says
It’s always a good idea to check for skimmers whenever using a card swiper. I give you props for using the credit card as opposed to a debit card as gas stations can be a prime location for this type of fraud. I can’t wait for the day where AFDs (Automated Fuel Dispensers) begin allowing mobile wallet payments as they are much more secure than any types of physical cards. Someone really close to me continues to get his card skimmed at gas stations to the point where he had to have his issuing bank add an authorization rule to his account to require his authorization for any transactions over $50.
Sev Shirozian says
Would You Have Spotted This Skimmer?
https://krebsonsecurity.com/2018/02/would-you-have-spotted-this-skimmer/
This was an interesting article that kind of hits close to home. Not only did this happen in the Philly area, but it also happened at a grocery store that my wife frequents all the time. The skimmer was looking to grab the PIN number off your card. This is probably the one piece of data that’s the hardest to get from a user and when paired with the credit card/debit card number it can be very dangerous. I’ve seen skimmers on ATM machines in public areas, but this is at a different level. Not only does it look like the real thing, it was installed within a retail establishment, not just on an ATM sitting outside on a street. Although I do tug on ATM card skimmers all the time, I probably would not have tugged on this given it’s indoors and looks so real.
Believe it or not, the United States is behind the game with Credit Card security. Other countries, including our neighbors up north in Canada, have implemented chip security on their credit cards long ago. In fact, if you want to use your credit card in some of these countries, you won’t be able to if you plan on just sliding the card for a transaction. You need to call your credit card company and ask them to enable a PIN with the credit card swipe for it to work. This happened to me when I tried to purchase gas at a gas station in Toronto. Not only did the card not work, I was asked to go inside and present it. And when I did the guy asked me for my PIN. At that point I didn’t even know you can set up a PIN for a credit card (unlike a debit card where you can). I had to call the bank and get it set up for it to work.
The technology is there but institutions are still not getting the big picture that we need new methods to authenticate credit card transactions. Apple Pay is one of those technologies that solves this, but it’s still not used everywhere. It usually takes an incident or two for people to wake up and start using new technology to make life a little more secure.
– Sev Shirozian
Patrick DeStefano (tuc50677) says
This technology is there and right now most banks in the US have the ability to enable PIN chip transactions, but they just have to roll it out on a card member level. I remember back in 2012, I was studying abroad in Shanghai and I went to Walmart and was asked for a PIN when checking out. Fortunately I was able to just press Enter or enter 0000 to bypass the PIN functionality there, or I would have been screwed. I do agree that ApplePay or other mobile wallets would be best, however they are still not accepted everywhere. It would be most effective against a lot of fraud if they started giving that functionality at gas stations as it seems like there’s a lot of fraud originating from gas stations.
Donald Hoxhaj says
https://krebsonsecurity.com/2018/02/would-you-have-spotted-this-skimmer/
Would You Have Spotted This Skimmer?
The article is quite interesting as it throws light on the ATM fraud when a pair of men installed card and PIN skimmers at checkout lanes inside of Aldi supermarkets. These skimmers were so smartly placed that it was essentially not possible to even detect their presence with the naked eye. The underside of the skimmer does all the important work and captures the PIN (Personal Identification Number) of shoppers who pay for the purchase using a debit card.
The practice of skimming has always been on the rise, especially with debit and credit cards that are used in ATMs and retail stores. The magnetic tapes in the ATM readers act as skimming machines to extract the PIN of customers who swipe. That’s why I personally avoid using Debit cards at non-recognized places or, as a matter of fact, even at ATMs. I prefer using a Credit Card as the risk of use is shared with the bank and I can easily make a complaint of a fraud transaction. What’s astonishing is that these skimming devices have in-built Bluetooth devices to transmit the stolen data to a remote network. If we had to carefully observe, it would not be more than a matter of a minute that one’s PIN would be transferred to multiple remote locations for misuse, leaving one devastated of one’s hard-earned earnings.
The article quotes saying “While Aldi payment terminals in the United States are capable of accepting more secure chip-based card transactions, the company has yet to enable chip payments (although it does accept mobile contactless payment methods such as Apple Pay and Google Pay).” Now who is to blame for this?