-
Andrew Szajlai commented on the post, Week 1 Update, on the site 5 years, 10 months ago
https://computerservices.temple.edu/educational-discounts-computer-equipment-and-software
Scroll down-to: “Microsoft’s Imagine Subscription Program” You will need to get an account from the site; They have moved the link from last year. Let me know how that works for you.
-
Andrew Szajlai commented on the post, Week 1 Update, on the site 5 years, 10 months ago
We are going to use Windows 10. I have not had luck finding a Windows 7 version. We can use the current videos for Windows 7 and will work to fill in the gaps as we need.
-
Andrew Szajlai commented on the post, Week 1 In The News, on the site 5 years, 10 months ago
Here are the two links on the Week 1 Update:
To download Windows : Temple Download site
VMware: Temple Download Site for VMware
It is towards the bottom of the page.
-
Andrew Szajlai commented on the post, Week 1 In The News, on the site 5 years, 10 months ago
All, please send me an e-mail if you cannot download. I’ll send it to the person that can fix it for those that are still having issues downloading any of the software.
For the version of Windows, please use Windows 8 or 10. If you would like everything to work as is for the videos, PowerShell etc., the Windows 8.1 version works as all the videos…
-
Andrew Szajlai commented on the post, Week 4 Update, on the site 5 years, 10 months ago
If you have Windows 10 you can follow the following to install hyper-v (https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v). I added it to my Surface Pro. I’ll bring to class on Thursday.
-
Andrew Szajlai wrote a new post on the site MIS 5170-18 Topic: Operating Systems Security 6 years, 6 months ago
Good morning,
This week we will look at Unix/Linux network controls.
We are reviewing for our 2nd test, please bring all your questions, we will be taking time to complete the University survey. After […]
-
Atlanta spends more than $2 million to recover from ransomware attack
https://finance.yahoo.com/news/atlanta-spends-more-2-million-202000413.html
The attackers ‘only’ asked for $51K, but the city of Atlanta ended up shelling out $2.7M for what ultimately became an unmitigated disaster and a cautionary tale about crisis management and the importance of taking basic steps to protect systems.
-
I read about this when it first happened last month and remember thinking to myself that they are screwed financially, and this article proves it. Like the article points out, victims of these types of attacks have two options, pay the ransom and hope they get their data back, or refuse to pay and lose all the data that was compromised, which, when combined with the remediation and recovery costs, can get to be much much more expensive than the original ransom request.
-
I thought it was interesting that one individual estimated that they could have spent about 10 – 20% of the cost to bring in the consultants to help with the issues prior to the incident. I guess that estimate ($270K – $540K) assumes the city already has a security department that can implement and sustain the services recommended by the consultants. Security resources are expensive (cheers from the ITACS student peanut gallery) and so are the control capabilities that would have prevented or detected this. I could easily see a city government investing millions in consulting fees, full time resources, and control capabilities to prevent an attack like this.
-
Yeah, I don’t believe that $270k-$540k would cut it for this. That’s essentially the salary of 2-6 full-time employees; IT security for an entire city would be much more costly with the types of systems, applications, and resources required to lock down the system in a better manner. I agree that it would have taken a few million to even come close to enhancing the security of the systems throughout the city.
-
Agreed, but that being said, this is going to be used to justify future consulting engagements for the rest of time! 😉 As everyone knows, these sorts of high-profile incidents just keep the revenue flowing for consultants ;)
-
Microsoft is now building its own Linux OS for IoT devices. They are focusing on protecting microcontroller-based IoT devices, including smart appliances, connected toys, and other smart gadgets.
“Azure Sphere provides security that starts in the hardware and extends to the cloud, delivering holistic security that protects, detects, and responds to threats—so they’re always prepared,” Microsoft said.
https://thehackernews.com/2018/04/microsoft-azure-sphere-iot-linux.html
-
This is a very necessary and, what seems to be, a very well thought out system. It’s a fully designed end to end system from the custom designed microcontroller units, to the specially designed OS, to the cloud based connectivity which takes care of software and security updates.
IoT devices are some of the most insecure devices in today’s world, and this ecosystem could be a very big step forward in securing these devices.
-
A very interesting model. I especially thought the service used for device-to-device and device-to-cloud certificate-based authentication is an interesting concept to secure IoT devices. I assume this is something that could prevent rogue bots (e.g. Mirai) from communicating with the devices.
-
In addition to privacy, other VPN benefits include access to your US Netflix catalog and other geographical based streaming services when traveling out of the country!
-
That’s a good point. I hadn’t thought of that. VPNs are essential if you’re ever considering becoming an expat in another country.
-
https://thehackernews.com/2018/04/iphone-itunes-wifi-sync.html
The article talks about the risk of trusting another computer when you plug your iPhone in the USB port to charge it. I rarely ever do this, but when I do use a computer USB to charge my phone, I never “trust” it. This article also talks about the risk of connecting to free airport charging stations and warns against “trusting” those. I remember reading another article that talked about the risk of plugging your phone into public outlets and charging stations. Apple has implemented some additional controls that require you to enter your password when trusting a computer, however Symantec advises that they should increase the controls – i.e. provide users with “noticeable indication or mandatory re-authentication between the user’s device and the trusted computer after a given interval of time.” Good suggestions.
-
I agree. The additional control which Apple implemented is a step in the right direction; however, I also agree with the idea of mandatory re-authorization after a specified time interval passes. That way, even if someone gets control, they will only have it until re-authorization is required.
-
In 60 seconds, security researchers can clone the master hotel-room keys for 140,000 hotels in 160 countries
Hackers with a hotel room key are able to derive the master keys to unlock every room. This vulnerability is not going to work for every RFID card scanner. Researchers alerted Vanguard (the main company susceptible to the hack) years ago of the vulnerability, but some common problems present themselves. Hotel card locks are old, not connected to the internet (that could be a good thing), and it is up to the hotel to take up and apply the patch.
The researchers were unwilling to give the full details of the hack or how to derive the master codes, but they loosely described it as using the location of a door to interpret the final code.
Vanguard has released some patches, but unfortunately, without a way to force the update, all your hotel visits might as well be an open-door policy.
-
https://thehackernews.com/2018/04/drupal-vulnerability-exploit.html
Drupal is an open source content management system that is written in PHP and it powers millions of websites. Drupal has been found vulnerable to a critical remote code execution vulnerability. This remote code execution vulnerability could allow miscreants to take over a website’s server, steal information or alter the pages. The fix is to apply the latest security patches.
-
“The ‘unpatchable’ exploit that makes every current Nintendo Switch hackable”
Thought this was interesting, as game console manufacturers have unique challenges for preventing piracy. The Nintendo Switch uses an Nvidia Tegra X1 chipset which apparently can be hacked to allow arbitrary code to run. The hack involves short-circuiting the hardware protection built in to the Nvidia chip:
“By sending a bad “length” argument to an improperly coded USB control procedure at the right point, the user can force the system to “request up to 65,535 bytes per control request.” That data easily overflows a crucial direct memory access (DMA) buffer in the bootROM, in turn allowing data to be copied into the protected application stack and giving the attacker the ability to run arbitrary code.”
Interesting article – I don’t have any sort of remediation ideas at the moment.
-
U.S., UK Government Say Russia Increasing Infrastructure Attacks
http://www.eweek.com/security/u.s.-uk-government-say-russia-increasing-infrastructure-attacks
There have been increased concerns about the growing number of infrastructure attacks by some Russian cyber-criminals. These cyber-attacks have been targeted mostly at infrastructure systems such as routers, switches, and other infrastructure devices. Most of these attacks are of the nature of man-in-the-middle, espionage, hijacking and other attacks.
The main devices under threat are mostly used by larger companies and private-sector industries where infrastructure is a critical component. It is said that Russian attackers are depending on weak security, legacy protocols and service ports intended for administration purposes. What would be interesting to see is how SMEs would be able to protect themselves from such attacks, given that their internal resources for defense are weak.
-
Andrew Szajlai wrote a new post on the site MIS 5170-18 Topic: Operating Systems Security 6 years, 6 months ago
Good Morning,
This week we talked about firewall rules and the differences between the configurations on Windows and that of Unix/Linux. The concepts were the same between both styles of operating systems; […]
-
Windows Servers Targeted for Cryptocurrency Mining via IIS Flaw
Hackers are using CVE-2017-7269 to take over servers. This is a vulnerability discovered by two Chinese researchers in March 2017 that affects IIS’ WebDAV service. At the time it was discovered last year, the flaw was a zero-day, having been under heavy exploitation for almost nine months, since June 2016.
Microsoft initially said it was not planning to fix the flaw because IIS 6.0 was end-of-life, and so were the operating systems that shipped with IIS 6.0 by default: Windows XP and Windows Server 2003.
But the vulnerability shared some common traits with the EXPLODINGCAN NSA exploit leaked in April 2017 by the Shadow Brokers, and it eventually received a fix in mid-June 2017.
Since then, it’s been used by at least one threat actor to deploy Monero miners on Windows servers still running the old IIS 6.0 version.
Just one more reason to ensure you don’t have Windows XP running!!
-
With the recent upswing in crypto currencies over the past year, It’s no wonder that these type of operations are picking up as well. Hackers are beginning to exploit any weakness they can find to harness as much computing power as possible to mine crypto-currencies. It’s just one more thing that cyber professionals need to keep in mind to secure their environments in todays ever-changing world.
-
Scott,
Nice article to ponder upon how safe our Windows systems are. More than 30% of organizations among the Fortune companies use Windows Servers to run their internal systems, and I am surprised how this was allowed to be shipped even after the vulnerability was discovered by Chinese researchers. Microsoft should rather have immediately patched the existing systems using these servers or stopped shipment of new machines.
-
This is how it feels to face a major cyber attack
https://www.zdnet.com/article/this-is-how-it-feels-to-face-a-major-cyber-attack/
These classes are good introductions into the world of cyber-security, and some, in my opinion, focus on way too technical things. That being said, the only true real-world experience is to actually live through these types of things. We can examine and learn from the mistakes of others who have been through an attack as well, to better prepare ourselves. The article depicts observations and experiences from employees at the UK National Health Service as well as Parliament when attacks happened. Among other things, a major issue brought up is that they wish the procedures and disaster recovery plans had been more thoroughly tested to prevent confusion and miscommunication during an attack.
-
Found an article where a casino was hacked through a fish tank water temperature thermometer. With the world of IoT growing, this is just another example of someone getting hacked through a 3rd-party device installed with an operating system that wasn’t patched, or that probably had the default login and password enabled. They used it to grab the high roller’s database. Doesn’t look like the name of the casino is being disclosed at this time.
Someone hacked a casino’s high-roller list through a high-tech fish tank
Sev Shirozian
-
Similarities between these two operating systems:
Both Windows and Linux operating systems have the concept of privileged users. In the case of Linux it’s the root user, and in the case of Windows it’s Administrator.
For security, Windows uses Access Control Lists and Linux uses the concept of read/write/execute permissions.
Both Windows and Linux operating systems can support both Type 1 and Type 2 hypervisors.
Both Windows and Linux have native firewalls installed on them: Windows Firewall and iptables.
Both Windows and Linux can have a graphical user interface. Windows has one by default; with Linux you can use GNOME or KDE.
-
iOS Trustjacking – A Dangerous New iOS Vulnerability
https://www.symantec.com/blogs/feature-stories/ios-trustjacking-dangerous-new-ios-vulnerability
This article is about a new attack called Trustjacking which affects iPhone and iPad users. There is an iTunes Wi-Fi sync feature in iOS that allows users to sync their iPhones or iPads to a computer. So, if you enable this feature by mistake while you are connected to any public computer, then the computer owner can gain control of your device if the computer and the iOS device are connected to the same network, even when you have disconnected the device from the computer.
-
This is something that has actually been on my mind a lot lately. It’s truly a bit traumatizing that this can even be enacted without your knowing on your own computer and have images or videos sent elsewhere of your phone usage. After reading this article, I downloaded SEP Mobile and am actually in the process of downloading a security update on my iPhone as I write this.
I hate to admit that I had always fallen into the group who just says “I have an apple, I don’t need protection.” but after everything I’ve learned, I now know that it’s not the case in reality. Time to get protected.
-
Piercing the Veil: Server Side Request Forgery to NIPRNet access
Interesting story of a White Hat breaking into NIPRNET, which is the Dept. of Defense’s secure (?) private network using a server side request forgery vulnerability found in Jira (bug tracking / software dev project mgmt). Worth a read for anyone interested in Pentesting.
Lessons here? Ethical hacking and bug bounties are an important part of security. Also, having a staff that is interested in security outside of just “my job” and following the news (in this case the exploit was mentioned on Twitter and the ethical hacker noticed it). Further reinforcement that human resources are a crucial part of security.
-
Andrew Szajlai wrote a new post on the site MIS 5170-18 Topic: Operating Systems Security 6 years, 6 months ago
Good Morning,
We had a very interesting week. I think we all learned a lot about Google Cloud. I know I really learned a bunch about pros and cons. One large pro for me was the speed of building co […]
-
Here are my personal pros and cons of Google Cloud:
Pros:
– the price is comparable to other Cloud providers and there is no minimum contract length.
– you can actually figure out how much your instance will cost (looking at you AWS…)
– lots of options (hardware, networking, security etc)
– quick provisioning
– Load-balanced instance groups are great
– you can really push the price down by using preemptible instances and all ephemeral settings
Cons:
– the external IP is ephemeral by default, meaning if your instance is migrated you lose it. You can make it static, but it’s not that way by default
– External egress traffic costs $0.12/GB for the first 1000, then less and less, but some other providers only charge for total bandwidth available
– there is no alternative to RDP on Windows instances; you can lock yourself out completely (first-hand experience)
-
Tech industry completes its standards for banishing passwords
https://www.engadget.com/2014/12/09/fido-alliance-publishes-specs/
The FIDO Alliance (Google, Microsoft, PayPal, and others) has just published a ‘password free’ standard that works with both single- and two-factor authentication and relies on the use of sign-in methods other than passwords (e.g., some fingerprint readers, USB dongles, etc.). It may take some time before it becomes accepted as a practical alternative to using passwords because it doesn’t support existing authentication mechanisms like Apple’s Touch ID fingerprint system or Bluetooth.
-
Very interesting Vince. I read about this before. With backers like Microsoft and Google, I’m curious to see how this is going to play out over the next year. It certainly is an interesting concept of a password free world.
-
“Finland’s 3rd Largest Data Breach Exposes 130,000 Users’ Plaintext Passwords”
Finland’s citizens had their credentials compromised in a large data breach. Hackers attacked a New Business Center in Helsinki, a company that provides business consulting and planning, and stole over 130,000 users’ credentials, which were stored in the website database in plain text without using any cryptographic hash.
Take-away: As part of their Incident Response plan, they reported the incident to Helsinki Police authorities and publicly responded with their comments and the steps taken towards investigating this data breach.
Ref. Link:
https://thehackernews.com/2018/04/helsingin-uusyrityskeskus-hack.html
-
Shi,
Definitely a good article to read and ponder on the safety of passwords. It is bewildering to see the exposure of more than 130,000 passwords. What is not understood is that while companies do take a good amount of measures to inform the customers about the password breach, they fail to communicate the future steps they are going to take to prevent such mishaps from happening again.
-
I think Google Cloud can be very convenient for a number of uses. It has very rapid expandability and a myriad of use options on server-class hardware. It’s also extremely economical, as you only pay for what you use, when you use it. Google Cloud makes it incredibly easy to quickly spin up a server of any kind. However, not having physical access to the hardware comes with its own drawbacks. If you are storing your data in the cloud, you are entrusting much of your security to a third party, depending on the level of configuration control your organization has. In the end, you are sacrificing a certain amount of control for scalability and flexibility.
-
I completely agree. Everyone is looking to go to cloud computing these days for some of these reasons exactly. It’s extremely flexible with expandability and versatility. The third party security is what does open up some risks, however there are ways to mitigate this, especially if you’re a big enough customer such as a large corporate client. You can more easily gain access to cloud service representatives and have a custom contract and/or service created for your use.
-
Here are my pros and cons of Google Cloud Platform:
Pros:
• It took much less time to build the machines and the time taken to reboot was also less compared to physical servers.
• You are billed only for what you use, and you get to see the usage reports which I felt was advantageous, especially if you need to estimate any future costs.
• Several users can collaborate and work together from different locations.
• The overhead of server maintenance is low.
• No hardware costs or maintenance.
Cons:
• Somehow, I found the UI very confusing.
• Security is a huge concern since the server itself is outsourced.
-
Satwika,
Pretty useful information on the pros and cons of the Google Cloud platform. Certainly one can make use of it before hosting their services. The cons are even more interesting because that is something we don’t find on the internet very easily, and hundreds of pieces of information only make it more confusing. I feel Google Cloud is definitely more trustworthy than other service providers in the market.
-
So this was my first foray into using Google Cloud Services. It was exciting to get to play with this new technology. In my brief experience with it so far, a few Pros and Cons jump out at me right away.
Some Pros:
-Quickly create a VM; a minute or two for a fully patched operational server.
-Not limited in resources, such as hard drive space, processor speed, network connections, etc. Only limitation is the cost for such a VM.
-Easily accessed and managed from any Internet Connection.
-Easily share management with other users
Some Cons:
-Access to the live VM is through RDP. Our original lockdown removed RDP access. Once the VM was up and running, we couldn’t connect to it. Couldn’t find another way, like a web interface, to connect. It might exist.
-Having RDP available to the public could be a security risk.
-
Here is something funny: a joke ransomware. It encrypts all your files until you play PlayerUnknown’s Battlegrounds for one hour. As it turns out, you don’t even have to play; you just need a process called TslGame.exe running for a minimum of 3 seconds. So you could rename any process for a few seconds and all your files will decrypt. Is this the first example of spam-ransomware?
-
This is the beginning of something truly annoying. I think this might just be the next ‘pop-up’ of the spamming world. Reminds me a bit of the show “Black Mirror”. In one of the episodes, the characters are forced to watch advertisements or pay to skip them. Even if they close their eyes during the ad, the ad pauses and waits for them to keep watching again. That’s almost what this is and can be for phones and other apps. Want to check your email, go shopping on ebay for 30 minutes before you are able to access Gmail. Welcome to the wave of future advertising folks.
-
I enjoyed our experience over the past week with Google Cloud. Overall my pros and cons list includes:
Pros:
1) Great UI and UE, coming from ESXI experience it’s got way more functionality and ease of use.
2) Provisioning is super quick and easy. We had to recreate a MS Server as a host and it was up in less than 5 minutes ready to go.
Cons:
1) Had some trouble figuring out RDP solution. After locking ourselves out we had to recreate an instance. Good reminder that this cloud thing will always have a layer of separation from the screen.
2) Project management / deployment could be improved. Obviously everyone ran in to trouble, it wasn’t obvious who owned what and some people had trouble getting provisioned in the right groups.
-
Andrew Szajlai wrote a new post on the site MIS 5170-18 Topic: Operating Systems Security 6 years, 7 months ago
Good afternoon,
Here are the slides for tonight: Week_11
In The News:
Unix/Linux
How many devices in your enterprise are running it?
Dr. Eric Cole URL is On-Line
Omitting the […]
-
Shi,
I am surprised to see companies like Microsoft unable to test the patches even before releasing them to consumers around the world. Usually these issues are caught through cross-device testing well in advance of release. I am still unsure what drastic effects the recent Meltdown patch has had on systems and what breaches have already occurred. The company should technically give the option to roll back the patches to the previous ones before the insecurity leaves systems more vulnerable to external attacks.
-
I agree with you Sev. Companies have become cautious with the recent Facebook data scandal, even though they might have done the same way of sharing data with publishers or advertisers. With this, customers will surely be confident of sharing their information with companies and can trust of absolute confidentiality. It would definitely be interesting to see how GDPR changes shape in non-European nations.
-
I know we are supposed to always keep our software, operating systems, etc. up to date with the most recent patches. With that being said, it’s also kind of worrisome that one of these updates or patches could actually contain or open up a large vulnerability itself within the application or operating system.
-
Coming from a software development QA background, this scares me that this is even a possibility. Computers don’t do things randomly unless the code or program tells it to (At least Skynet hasn’t taken over yet). This tells me that there has to be certain very corner case scenarios triggering this bit to get flipped. If there is a way to isolate these occurrences and trace the activity on these lines to see what led up to this flip, we could possibly isolate the trigger for this bit flip. That being said, It would be extremely difficult to have this happen. Maybe some science experiment in space or inside a nuclear reactor would help? lol jk 😉
-
Fraser,
The thing about patch management is testing the patch to see if it is valid or even if it will hinder your system. For instance, if you are not monitoring your hard drive space and a new patch gets installed that puts your hard drive in an unhealthy state, then the good update may crash the system.
Automation on these things is difficult, but not impossible. We use a 3rd-party provider that includes network monitoring and patch management capabilities. The 3rd-party provider tests the patch prior to releasing it to the “approved” patch list. This includes several different operating systems. It also monitors the system resources to determine if the patch / update caused a significant increase in resources, or spikes. Thresholds are set for alerting. All of this is conducted in the Network Operation Center (NOC). We can’t afford a NOC, so we use a 3rd party for this automation.
-
Great article Satwika. Some very simple and useful tips for people to follow. The problem is that you have people who know nothing more than how to plug in their router and connect their WiFi device to it. You would be surprised to see how many people don’t change their router password! I’ve even seen routers set up in businesses with default router passwords. I was at a doctor’s office once, and their “free WiFi” offer was really free. The Netgear router they had plugged in was up and running, right out of the box. No changes at all. Default password, etc.
The problem sometimes is, most people don’t know what danger they are in!
-
This is sad. How about an upgrade? Windows 7 is on the “out list” for a fair amount of organizations. I am sure finances come into play for organizations upgrade decisions but this buggy patch allows access to GBs of data in, not minutes, “a second.” Don’t worry, MS patched this problem as well.
-
Yes, it is true that majority of the people are unaware of the consequences. Even in an enterprise, I believe around 80% of the employees are often ignorant of cyber security. Sometimes it is because of lack of appropriate training or even ineffective training. Whatever the reason be, with the number of cyber attacks on rise, i think it is time we take some action in this regard.
-
Great Article Sev,
I personally wasn’t aware Apple took this particular stance on user privacy, that being said I’m glad they do. It’s funny in that I just got off the phone with my friend. We were talking about Maserati cars with each other. He has android and I have an iPhone. He sent me a screenshot of an ad for a Maserati about 5 minutes later which popped up on a google search for him . Nothing of the sort on my iPhone. Just as Jason said, I’m really interested in seeing what position and practices companies implement as a reaction to the GDPR rules.
-
Hopefully users of these older machines are able to recognize that their system is one of the vulnerable ones and have the financial means to upgrade or remediate the risk . (Most probably won’t even realize until it’s too late though).
-
In addition I would recommend checking hashes when downloading software and updates if possible!
Does anyone know of a good tool do automate this kind of thing?
-
Interesting article and great slide deck. Worth checking out the video from his Defcon talk: https://www.youtube.com/watch?v=lZ8s1JwtNas
Thanks for sharing this.
-
I wonder how many people who pay a ransom for their data actually get it returned. I seem to remember from previous discussions that some hacker groups are using ransomware designed by others with no intention of providing a resolution. I think it was Krebs that found a fair amount of found ransomware had a consistent account as to where to send your money. If people are using ransomware just to be malicious then Manogna, like you said regular backups may be the only solution.
-
50 MILLION A… MONTH? That is insane. There is nothing like bringing home the bacon at 600 million a year. This group is more severe then ATM jackpotting and seem more successful than the best spammer outfits. Golly, I remember when gangs used to just carry knives.
-
Really interesting article Jason. That’s a staggering number! $50 Million. And guess who that loss gets passed onto, not the companies, but the consumer.
It’s a brave new world, and as much as the digital age has made our life easier, it will also make life easier for thieves! They don’t even have to leave their house in this world to steal your money.
-
Wow – this is a fascinating experiment. It would be interesting to do a follow-up to see what the recommendations are to prevent devices from flipping bits. Although it seems like the problem is relatively minor, it would be interesting to see what some of the root causes are for the thematic errors, especially in Windows devices. Thanks for sharing. If I ever get diverted to a strange website when I am certain I typed in the right URL, I’ll now know why! And I’ll be sure not to enter my user ID and password!
-
This is probably one of the more interesting vulnerabilities that’s been discovered due to the complexity of patching. There are probably hundreds of millions of devices that cannot ever be patched. I’ve read and heard various things about this vulnerability that downplay it’s significance – it’s difficult to weaponize and exploit, you need physical access to the device, there are much easier methods to plan an attack (e.g. phishing). What concerns me about this vulnerability is the unknown. All of these are assumptions for downplaying the vulnerability and it may be only a matter of time until a sophisticated exploit is available in the wild. If that happens, we’re going to have a potential real crisis (or “meltdown”) on our hands.
-
Thanks for sharing Sev. I think it’s great that Apple is making this standard for all users and not just EU citizens that it is required for under GDPR. It will be interesting to see how much GDPR changes the landscape for data privacy beyond EU and how many other countries follow suit with similar regulations.
I’ll be interested to see what the user experience is like once I upgrade to iOS 11.3.
-
-
Andrew Szajlai changed their profile picture 6 years, 7 months ago
-
Andrew Szajlai wrote a new post on the site MIS 5170-18 Topic: Operating Systems Security 6 years, 7 months ago
Good afternoon,
Here are the slides for tonight: Week_11
In The News:
Unix/Linux
How many devices in your enterprise are running it?
Dr. Eric Cole URL is On-Line
Omitting the […]
-
With Facebook being in the news recently and with the campaign out there to “delete Facebook,” I thought this article was interesting because Apple is doing the complete opposite of what Facebook is doing with the private information that these vendors can collect about us on our personal and mobile devices.
Looks like one of the reasons driving this mindset at Apple is GDPR coming really soon in Europe. Or one can argue that was Apple’s mindset before GDPR came about too. Apple allowing you to see, download and even delete the information they have about you is a refreshing concept in the world of online privacy and targeted advertising.
It looks like the option will be available for folks who upgrade to iOS 11.3.
https://www.cultofmac.com/538515/view-edit-delete-everything-apple-knows-about-you/#more-538515
Sev Shirozian
-
Thanks for sharing Sev. I think it’s great that Apple is making this standard for all users and not just EU citizens, for whom it is required under GDPR. It will be interesting to see how much GDPR changes the landscape for data privacy beyond the EU and how many other countries follow suit with similar regulations.
I’ll be interested to see what the user experience is like once I upgrade to iOS 11.3.
-
Great Article Sev,
I personally wasn’t aware Apple took this particular stance on user privacy; that being said, I’m glad they do. It’s funny in that I just got off the phone with my friend. We were talking about Maserati cars with each other. He has Android and I have an iPhone. He sent me a screenshot of an ad for a Maserati about 5 minutes later which popped up on a Google search for him. Nothing of the sort on my iPhone. Just as Jason said, I’m really interested in seeing what position and practices companies implement as a reaction to the GDPR rules.
-
I agree with you Sev. Companies have become cautious with the recent Facebook data scandal, even though they might have shared data with publishers or advertisers the same way. With this, customers will surely be confident in sharing their information with companies and can trust in absolute confidentiality. It would definitely be interesting to see how GDPR takes shape in non-European nations.
-
-
Intel announced that they are no longer going to be patching older CPUs in regard to the Spectre vulnerability.
It was previously announced that Intel “would patch Bloomfield (45nm, Core i7), Clarksfield (45nm mobile Core i7), Jasper Forest (45nm Xeon), Penryn (45nm mobile Core 2 Duo), Yorkfield (45nm Core 2 Quad), and Wolfdale (45nm desktop Core 2 Duo). Intel’s SoFIA line of processors, some of which are still sold today, was also set to be updated as well.”
One of the reasons Intel gave for not patching those CPUs was “Limited Commercially Available System Software support.” Most of the CPUs on that list date back as far as 2007. It is difficult to gauge how many computers are going to be vulnerable; however, it could potentially be in the millions.
It might be best to consider upgrading systems with newer CPUs that are set to be patched.
-
This is probably one of the more interesting vulnerabilities that’s been discovered due to the complexity of patching. There are probably hundreds of millions of devices that cannot ever be patched. I’ve read and heard various things about this vulnerability that downplay its significance: it’s difficult to weaponize and exploit, you need physical access to the device, there are much easier methods to plan an attack (e.g. phishing). What concerns me about this vulnerability is the unknown. All of these are assumptions for downplaying the vulnerability, and it may be only a matter of time until a sophisticated exploit is available in the wild. If that happens, we’re going to have a potential real crisis (or “meltdown”) on our hands.
-
Hopefully users of these older machines are able to recognize that their system is one of the vulnerable ones and have the financial means to upgrade or remediate the risk. (Most probably won’t even realize until it’s too late though.)
-
-
-
We talked about the security problem with misspelling domains in class last week and I thought I’d share this similar issue. While you can fat-finger a URL, your computer can do the same. Bits can randomly flip, and this can be taken advantage of by registering a domain that is one bit different from a popular domain.
For example, aeazon.com is one bit away from amazon.com. Flipping a bit in that memory space could make your computer navigate to aeazon.com instead. This is not really a big issue since bits are very unlikely to flip, unless you live in space or inside a nuclear reactor. However, with the number of internet-connected devices out there the likelihood increases. The author of this article got an average of 59 requests per day to his 32 bit-squatting domains (human error excluded).
-
Wow – this is a fascinating experiment. It would be interesting to do a follow-up to see what the recommendations are to prevent devices from flipping bits. Although it seems like the problem is relatively minor, it would be interesting to see what some of the root causes are for the thematic errors, especially in Windows devices. Thanks for sharing. If I ever get diverted to a strange website when I am certain I typed in the right URL, I’ll now know why! And I’ll be sure not to enter my user ID and password!
-
Interesting article and great slide deck. Worth checking out the video from his Defcon talk: https://www.youtube.com/watch?v=lZ8s1JwtNas
Thanks for sharing this.
-
Coming from a software development QA background, this scares me that this is even a possibility. Computers don’t do things randomly unless the code or program tells them to (at least Skynet hasn’t taken over yet). This tells me that there have to be certain very corner-case scenarios triggering this bit to get flipped. If there is a way to isolate these occurrences and trace the activity on these lines to see what led up to this flip, we could possibly isolate the trigger for this bit flip. That being said, it would be extremely difficult to have this happen. Maybe some science experiment in space or inside a nuclear reactor would help? lol jk 😉
-
-
“Microsoft’s Meltdown Patch Made Windows 7 PCs More Insecure”
The Meltdown CPU vulnerability was a critical vulnerability in CPUs. Upon patching/fixing the vulnerability, Microsoft somehow introduced a flaw in the patch/fix that made the vulnerability even worse on the Windows 7 OS, allowing any unprivileged, user-level application to read content from and even write data to the operating system’s kernel memory.
No sophisticated exploits are necessary to take advantage of the vulnerability. All attackers have to do is write their own Page Table Entries (PTEs) into the page tables in RAM in order to access arbitrary physical memory.
It is suggested to update/patch the Windows 7 OS immediately.
Ref. link:
https://thehackernews.com/2018/03/microsofts-meltdown-vulnerability.html
-
This is sad. How about an upgrade? Windows 7 is on the “out list” for a fair amount of organizations. I am sure finances come into play in organizations’ upgrade decisions, but this buggy patch allows access to GBs of data in, not minutes, “a second.” Don’t worry, MS patched this problem as well.
-
I know we are supposed to always keep our software, operating systems, etc. up to date with the most recent patches. With that being said, it’s also kind of worrisome that one of these updates or patches could actually contain or open up a large vulnerability itself within the application or operating system.
-
-
Shi,
I am surprised to see companies like Microsoft unable to test the patches even before releasing them to consumers around the world. Usually these issues are caught through cross-device testing well in advance of release. I am still unsure what drastic effects the recent Meltdown patch has had on systems and what breaches have already occurred. The company should technically give the option to roll back the patches to the previous ones before the insecurity becomes more vulnerable to external attacks.
-
-
https://www.wired.com/story/fin7-carbanak-hacking-group-behind-a-string-of-big-breaches/
This article is about a very sophisticated organization that makes about $50 million a month stealing credit cards from POS systems. They have been connected to many of the major POS breaches, including more recently Saks Fifth Avenue, Saks Off 5th, and Lord & Taylor department stores.
The most interesting part of this article is the description of the sophistication of this mysterious group and how they operate as a business entity. The article explains that they have “a mastermind, they have managers, they have money launderers, they have software developers, and they have software testers.”
I imagine that entities like this and nation state entities will become even more sophisticated as time passes and the profitability and benefits of hacking are considered by certain individuals to outweigh the costs and risks. It is important that these groups are exposed and prosecuted to set an example and deter other criminals from following suit.
-
50 MILLION A… MONTH? That is insane. There is nothing like bringing home the bacon at 600 million a year. This group is more severe than ATM jackpotting and seems more successful than the best spammer outfits. Golly, I remember when gangs used to just carry knives.
-
Really interesting article Jason. That’s a staggering number! $50 Million. And guess who that loss gets passed onto, not the companies, but the consumer.
It’s a brave new world, and as much as the digital age has made our life easier, it will also make life easier for thieves! They don’t even have to leave their house in this world to steal your money.
-
-
Fake Software Update Abuses NetSupport Remote Access Tool
This article details an attack that uses remote access tools (RATs) which are spread using JavaScript and fake updates masquerading as legitimate sites (Chrome, Adobe, etc.). The RAT is then unknowingly installed on a user’s system and remote access/admin is possible. This is an interesting form of malware, as it preys on users who (and I am guilty of this) are quick to update/patch in an effort to remain secure.
Mitigation:
- Corporate environments should lock down GPO so that JavaScript can’t be run from untrusted sites, and users don’t have the ability to install new software.
- Top-down / managed patching that is communicated to users. Explain that patches and updates are handled by security and you don’t need to do them yourself.
- Logging traffic and filtering for known exploits / vectors when they go public; do recursive scans to check.
-
In addition I would recommend checking hashes when downloading software and updates if possible!
Does anyone know of a good tool to automate this kind of thing?
-
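Since the reply above asks for a tool, here is an added example of the check it describes (not code from the post or from any named product): compute the SHA-256 of a downloaded file, parse the matching line from a vendor's SHA256SUMS-style list, and compare in constant time. The file contents and the "published" checksum are constructed inside the script so it runs offline; the file names are placeholders.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, read in chunks so a large installer never sits in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksum_line(line: str) -> tuple[str, str]:
    """Parse one line in the format written by `sha256sum`:
    '<64 hex chars>  <filename>' (a leading '*' on the name marks binary mode)."""
    parts = line.strip().split(maxsplit=1)
    if len(parts) != 2 or len(parts[0]) != 64:
        raise ValueError(f"not a sha256sum line: {line!r}")
    digest, name = parts
    bytes.fromhex(digest)  # raises ValueError if the digest is not hex
    return digest.lower(), name.lstrip("*")


def verify_download(path: str, expected_hex: str) -> bool:
    """True only if the file's SHA-256 equals the published value.
    compare_digest avoids leaking, via timing, where the two strings diverge."""
    return hmac.compare_digest(sha256_of_file(path), expected_hex.strip().lower())


def verify_sample() -> tuple[bool, bool]:
    """Self-contained demonstration on constructed data: one 'download' that
    matches its published checksum and one altered by a single byte."""
    good = b"constructed sample installer bytes\n" * 1000
    tampered = good[:-1] + b"!"
    # Stands in for the vendor's SHA256SUMS entry (constructed here, not a real value).
    published = hashlib.sha256(good).hexdigest()
    expected, _name = parse_checksum_line(f"{published}  setup-1.0.exe")
    with tempfile.TemporaryDirectory() as tmp:
        good_path = os.path.join(tmp, "setup-1.0.exe")
        bad_path = os.path.join(tmp, "setup-1.0.exe.tampered")
        with open(good_path, "wb") as fh:
            fh.write(good)
        with open(bad_path, "wb") as fh:
            fh.write(tampered)
        return verify_download(good_path, expected), verify_download(bad_path, expected)


if __name__ == "__main__":
    intact_ok, tampered_ok = verify_sample()
    print("intact file verifies:", intact_ok)       # True
    print("tampered file verifies:", tampered_ok)   # False
```

One caveat worth keeping in mind: a checksum only proves the file matches the value you fetched, so if the checksum is served from the same place as the download, an attacker who swaps one can swap the other. A publisher signature (GPG on Linux distributions, Authenticode on Windows binaries) is what ties the file to its origin.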
Fraser,
The thing about patch management is testing the patch to see if it is valid or even if it will hinder your system. For instance, if you are not monitoring your hard drive space and a new patch gets installed that puts your hard drive in an unhealthy state, then the good update may crash the system.
Automation on these things is difficult, but not impossible. We use a 3rd-party provider that includes network monitoring and patch management capabilities. The 3rd-party provider tests the patch prior to releasing it to the “approved” patch list. This includes several different operating systems. It also monitors the system resources to determine if the patch / update caused a significant increase in resources, or spikes. Thresholds are set for alerting. All of this is conducted in the Network Operations Center (NOC). We can’t afford a NOC, so we use a 3rd party for this automation.
-
-
-
https://thehackernews.com/2018/04/cisco-switches-hacking.html
Critical flaw leaves thousands of Cisco Switches vulnerable to remote hacking
Security researchers have found a vulnerability in Cisco’s IOS software with a base Common Vulnerability Scoring System (CVSS) score of 9.8 (critical). With this flaw, an unauthorized remote hacker could execute code or take full control of the vulnerable equipment. All an informed hacker needs to do is send a “Smart Install message” to an affected device on TCP port 4786 (open by default), triggering a buffer overflow. Researchers state that it could also be used to create a denial of service.
Cisco released a patch on March 28th, but there are approximately 250,000 unpatched devices open to hackers.
Here is a list of the hardware affected:
Catalyst 4500 Supervisor Engines
Catalyst 3850 Series
Catalyst 3750 Series
Catalyst 3650 Series
Catalyst 3560 Series
Catalyst 2960 Series
Catalyst 2975 Series
IE 2000
IE 3000
IE 3010
IE 4000
IE 4010
IE 5000
SM-ES2 SKUs
SM-ES3 SKUs
NME-16ES-1G-P
SM-X-ES3 SKUs
-
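As an added note that is not part of the post or the linked article: the service listening on TCP/4786 is the Smart Install client, and on switches that do not use the feature the standard IOS hardening step is to turn that client off alongside installing the fixed release. The commands below are the usual IOS ones; the `Switch` prompt is a placeholder hostname.

```text
! Check whether the Smart Install client is active (it is by default on the listed platforms)
Switch# show vstack config

! Workaround for switches that do not need Smart Install: disable the client, which
! stops the listener on TCP/4786. The patched IOS release remains the real fix.
Switch# configure terminal
Switch(config)# no vstack
Switch(config)# end
Switch# write memory
```

After the change, `show vstack config` should report the role as client and the feature as disabled; a port scan of TCP/4786 from an authorized management host is the simplest way to confirm the listener is gone across the estate.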
I wonder how many people who pay a ransom for their data actually get it returned. I seem to remember from previous discussions that some hacker groups are using ransomware designed by others with no intention of providing a resolution. I think it was Krebs that found a fair amount of found ransomware had a consistent account as to where to send your money. If people are using ransomware just to be malicious then Manogna, like you said regular backups may be the only solution.
-
Google Bans Cryptocurrency Mining Extensions From Chrome Web Store
https://thehackernews.com/2018/04/cryptojacking-chrome-extension.html
Cryptojacking has been a very popular topic in the news recently. Cryptojacking is defined as the use of a computing device, without its owner’s knowledge, to mine cryptocurrency. Encryption techniques are used to regulate cryptocurrency, so stealing CPU power from unknowing users has become very popular.
Google has now blocked all crypto mining activity. In the past, they would allow any extension that informed the user about its mining and was permitted by the user. Google states that about 90% of developers failed this test anyway, so they have decided to block all crypto mining.
Twitter has also announced a similar plan, and Facebook banned ads promoting cryptocurrencies.
-
Great article Satwika. Some very simple and useful tips for people to follow. The problem is that you have people who know nothing more than how to plug in their router and connect their WiFi device to it. You would be surprised to see how many people don’t change their router password! I’ve even seen routers set up in businesses with default router passwords. I was at a doctor’s office once, and their “free WiFi” offer was really free. The Netgear router they had plugged in was up and running, right out of the box. No changes at all. Default password, etc.
The problem sometimes is, most people don’t know what danger they are in!
-
Yes, it is true that the majority of people are unaware of the consequences. Even in an enterprise, I believe around 80% of the employees are often ignorant of cyber security. Sometimes it is because of a lack of appropriate training or even ineffective training. Whatever the reason may be, with the number of cyber attacks on the rise, I think it is time we take some action in this regard.
-
-
Omitting the “o” in .com Could Be Costly:
Why companies buy misspellings of their company’s URL
https://krebsonsecurity.com/2018/03/omitting-the-o-in-com-could-be-costly/
The article discusses a trend where spammers own domains which are near identical to real company URLs and use these webpages to trigger spam and potentially malware to users. For example, if you are trying to go to http://www.chase.com, however you have a typo and go to http://www.chase.cm instead, this URL could be used for spamming purposes. A good practice for any company to discourage such things from targeting your customers is to buy up URLs which may be easy for users to mistake with spelling errors and have them automatically redirect to your main page.
-
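The Krebs post above and the bit-squatting post earlier in this feed both come down to the same defensive task: enumerate the look-alike names for your own domain so you can register them (and redirect them, as the post suggests) or watch for them in passive DNS and certificate transparency logs. The following is an added example, not code from either article, that generates both families of candidates: every single-bit flip of one character that is still a registrable DNS name (the aeazon.com / amazon.com case) and every single-character omission (the chase.cm / chase.com case). Domain names used are only the ones the posts mention.

```python
import string

# Characters allowed in a DNS label. Lower case only: DNS is case-insensitive,
# so a flip such as 'a' -> 'A' (bit 0x20) is the same name, not a squat.
LABEL_CHARS = frozenset(string.ascii_lowercase + string.digits + "-")


def _hyphen_allowed_at(domain: str, i: int) -> bool:
    """A hyphen may not start or end a label."""
    at_start = i == 0 or domain[i - 1] == "."
    at_end = i == len(domain) - 1 or domain[i + 1] == "."
    return not (at_start or at_end)


def bitsquat_variants(domain: str) -> list[str]:
    """Hostnames that differ from `domain` by exactly one bit of one character
    and are still valid DNS names. Dots are left alone: flipping one changes the
    label structure rather than producing a look-alike name."""
    domain = domain.lower()
    found = set()
    for i, ch in enumerate(domain):
        if ch == ".":
            continue
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped not in LABEL_CHARS:
                continue
            if flipped == "-" and not _hyphen_allowed_at(domain, i):
                continue
            found.add(domain[:i] + flipped + domain[i + 1:])
    found.discard(domain)
    return sorted(found)


def omission_variants(domain: str) -> list[str]:
    """Hostnames produced by dropping one character (chase.com -> chase.cm),
    keeping only results whose labels are all non-empty."""
    domain = domain.lower()
    found = set()
    for i, ch in enumerate(domain):
        if ch == ".":
            continue
        candidate = domain[:i] + domain[i + 1:]
        if all(candidate.split(".")):
            found.add(candidate)
    return sorted(found)


def watchlist(domain: str) -> list[str]:
    """Union of both families: the names a defender would register or monitor."""
    return sorted(set(bitsquat_variants(domain)) | set(omission_variants(domain)))


if __name__ == "__main__":
    for name in ("amazon.com", "chase.com"):
        squats = bitsquat_variants(name)
        print(f"{name}: {len(squats)} one-bit variants, e.g. {squats[:5]}")
        print(f"{name}: omissions {omission_variants(name)}")
```

The bit-flip list is deliberately filtered to registrable names, because the post's point is that only names somebody can actually register matter; unfiltered flips mostly land on punctuation or control characters that DNS will never resolve.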
-
Andrew Szajlai wrote a new post on the site MIS 5170-18 Topic: Operating Systems Security 6 years, 7 months ago
Here are the slides for tonight: Week_10
The In the News section from tonight’s slides is below.
In The News:
Survey: Americans Spent $1.4B on Credit Freeze Fees in Wake of Equifax Breach
Almost 20 […]
-
Jason,
I believe the standard should be changed to “Freeze” for everyone immediately. You must “manually” change it to “Un-Frozen” by visiting a website or when you apply for your next loan. You may also Freeze and Un-Freeze your account at any time for no charge. This cost will be passed on to the banks, who will pass it on to the people borrowing money. The one-time borrowers / credit card users will barely feel the markup in cost. The burden will fall on those who take out several loans and have lines of credit.
-
Mustafa,
I understand your concern, but hackers already use credit scores to target people and businesses. Anyone can purchase someone’s credit score for a few dollars, and FTC regulations require a rating on financials, rating from AAA to Junk.
In my opinion, the cyber score should be required for all publicly traded companies who handle PII. Why? Because as a shareholder, I would want to know if the company I am invested in has poor cyber security hygiene. A breach could compromise my stock value and/or a DDoS attack could render my shares worthless. Imagine if people stopped using Facebook because of the privacy issues… Facebook shareholders would be losing money every day because of poor data management posture (Cambridge broke Facebook’s data sharing rules and Facebook never found out).
I truly understand the concerns of scores being secret, but as an investor, I want to know.
-
Fred,
I agree with your points Fred, and this is to a large extent an issue that Equifax should have dealt with much earlier. The information of all customers is out in the open and any breach here could significantly impact the financials of these customers. The question that always remains is whether customers must always keep paying even for the mistakes of companies’ flawed security infrastructures.
-
This is pretty interesting Vince, to see Cisco getting way ahead in detecting fraudulent encrypted packets. However, I agree with you that the percentage stated might be too high for today. It is important to ask what percentage of that 55% is applicable across industries of all kinds and at what quality level of data. Does the encryption apply to huge loads of corporate data? Is it today applicable to financial services where critical data movement is a big task?
-
I think this issue calls for a serious debate on the future of social media channels who collect user information. There is absolutely no transparency on why this data is used and where else it is sold to. With the recent Facebook breach, it is evident how data was misused. Post facto analysis of the issue does solve the data collection that was previously done. I believe all users have the right to share their personal information or not and this has to happen with an opt-out system in place.
-
I agree Jason,
While we must always be mindful of keeping an eye on our financial well-being/reporting, when we are in a situation where we don’t have control over whether an entity has our data or not, such as a person not being in control of whether a specific credit reporting agency has our PII, it’s inherently up to these companies to protect the data and, if compromised, remediate and make amends for the users affected.
The credit freezes should be free for users to better protect their PII.
-
Sounds like they need some IT Security Governance. Not getting into politics, but it’s no secret that our government is not exactly a well-oiled and efficient machine. It’s one of the slowest acting and one of the last to come up to speed with new technologies and trends (unless you’re the military). These municipalities, such as Atlanta in this case, don’t seem to have the funding, guidance, nor expertise to be able to handle the cybersecurity needs of today. It’s unfortunate that so many resources need to be poured into this type of thing instead of into public use projects.
-
Thanks for this, I’m going to have to check it out. I’ve personally only ever had my credit card information stolen once, however my friend seems to have it happen every few months or so. It would be interesting to find out what is out there on the dark web.
It would be wise for any financial services company, such as banks and credit reporting agencies, to have such offerings for their customers, especially as attacks seem to be becoming more and more common. If nothing else, it would help with consumer confidence in the business offering it.
-
It is interesting Fred,
I think it should not be publicly available. Otherwise, attackers may also use this security scoring system.
-
Interesting – sounds like another Mirai attack on the horizon.
How many servers are out there with this setting unknowingly? That’s a good question. I also wonder how many servers are out there that know this vulnerability exists and “do not have the time or resources to fix it.” See my post of Atlanta ransomware below…
-
Nice analogy Fred! At least I know the logging and monitoring in North Philly is working because I get Temple text alerts every time there is an incident!
To me it is a no-brainer to provide free credit freezes to citizens. We trusted credit bureaus with our data, they make a ton of money off of it, and this breach shows the impact when there is a breakdown in security. The least these credit bureaus can do is provide us with a seamless and FREE capability to freeze our credit when we are not planning to run inquiries against it.
-
-
Andrew Szajlai wrote a new post on the site MIS 5170-18 Topic: Operating Systems Security 6 years, 7 months ago
Good Morning,
We will use week 07 for posts this week. Please use what we had before the break as a page to post items you have found.
Here are tonight’s slides minus the “In the News”: Week 09
-
Intel has finally redesigned its processor architecture by using partitioning. The partitioning will create an extra barrier between applications and user privileges to prevent hackers from gaining access to sensitive data processed by the processor.
These updated processors will come out in their next-generation Xeon processors (Cascade Lake) and 8th generation Intel Core processors in the second half of the year.
– Sev Shirozian
-
A recent survey was conducted of government employees which found that only 13 percent believed they had total personal responsibility for the security of their workstations. Even more troubling, 1 in 3 believe they are more likely to be struck by lightning than to have their data compromised. This widespread apathy is very detrimental to the public sector’s overall security posture. User education and training is extremely important for securing an organization’s information, as the least secure component of any system is always the human element.
-
This article really reinforces the need for more cyber awareness in both public and private sectors. I attended a round table this week that was focused on improving Cyber Awareness for financial institutions. There were a lot of creative ideas discussed and some programs were really impressive. We recently kicked off a Cyber Awareness Committee at my organization that is focused on promoting cyber awareness using engaging and innovative ideas. The best idea I’ve heard so far is a conference with keynote speakers from vendors and industry leaders that was extended to all employees. That’s a large investment of time and effort, but could be really impactful.
-
Good article Matt. Personnel are always the weakest link in any security plan. You could invest resources into securing your infrastructure the best that you possibly can, but there is no way to force an employee to follow what you have implemented. Just one employee who, either intentionally or unintentionally, does not follow protocols, and you’re done for.
-
Matt,
Check this out…
http://www.fico.com/en/products/fico-enterprise-security-score
I wonder what these agencies’ “security score” is. Bad Credit.. LOL
The score is based on a few factors, but security posture and culture weigh on the number.
-
-
https://cyber.schillingspartners.com/mining-mimecast-brute-forcing-your-way-to-success/
MINING MIMECAST: BRUTE FORCING YOUR WAY TO SUCCESS
This was a fascinating post written by a black hat hacker who was able to farm sensitive information from organizations across Europe. Mimecast is a European security org that focuses on email. One of their products takes links that are sent in a client’s email (e.g. here is a link to that financials spreadsheet) and both scans the link and shortens / obscures it for security purposes. The author of this article was able to reverse engineer the process used to make these links. Think of bit.ly or any other URL shortener, and being able to decipher what links are generated. The author was able to go so far as to figure out how URLs were generated down to specific orgs. It’s definitely worth the read!
-
That’s a pretty interesting solution to the problem of email threats, Fraser. This would actually make the process of digital forensics much easier, as they will be able to track the IP and org from which the emails came. However, I am still sceptical whether the solution can read the content of the links in the email to see if they have any suspicious external links. In the last 3 years, if you look, cyber criminals have started to play around with content that forces users to click on it. It would be interesting to see how this unleashes.
-
-
Dubbed RottenSys, the malware, disguised as a ‘System Wi-Fi service’ app, came pre-installed on millions of brand new smartphones; it does not actually provide any WiFi services but rather takes all sensitive Android permissions to enable its malicious activity.
Ref. Link:
https://thehackernews.com/2018/03/android-botnet-malware.html
-
Breaking the Ledger Security Model by Saleem Rashid | Mar 20, 2018
https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/
Saleem was able to break the Ledger hardware wallet by using a supply chain attack to modify the recovery seed. The recovery seed can be used to change or just extract the PIN. If the Ledger is used after the attack, any funds can be stolen when it is plugged into a compromised device. However, this would require the attacker to physically access the Ledger, or to sufficiently compromise the target’s computer, twice.
I found it interesting that Saleem chose to publish this vulnerability instead of cashing in on the security bounty.
He says that he did so “… mainly because Eric Larchevêque, Ledger’s CEO, made some comments on Reddit which were fraught with technical inaccuracy. As a result of this I became concerned that this vulnerability would not be properly explained to customers.”
-
That’s really cool Vince. Nice work summarizing these technical details in simple terminology.
-
Kali on Windows
-
Fauxpersky malware steals and sends passwords to an attacker’s inbox
http://www.zdnet.com/article/fauxpersky-malware-steals-sends-passwords-google-forms/
A new threat has been detected that has the potential to steal passwords. The keylogger malware named Fauxpersky is built off a popular app, AutoHotKey, which lets users write small scripts for automating tasks and compile the script into an executable file. It essentially spreads through the USB ports of computers and infects Windows PCs. Researchers say that ‘the malware is highly efficient at infecting USB drives and exfiltrating data from the keylogger through Google directly to the attacker’s mailbox’.
This malware spreads on devices and monitors user behaviour. As soon as the malware is active in the computer, it keeps storing user-typed information into a text file named after the window so that it becomes easier for the attacker to know the context of the file. The data from the file is exfiltrated from the computer to a Google Form and later the source file is deleted from the hard disk.
-
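The Fauxpersky post above describes a three-step pattern on the endpoint: the keylogger writes typed input to a text file named after the active window, submits the contents to a Google Form, then deletes the file. The following is an added detection example, not code from the article or from any vendor; it runs over a small set of constructed telemetry events (process image path, file write/delete, HTTP POST) and flags a process that performs exactly that write / POST-to-Google-Forms / delete sequence within a short window. The event schema, process names, file paths and form id are all placeholders invented for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Event:
    """One record of constructed endpoint telemetry (not a real EDR format)."""
    ts: int        # seconds since an arbitrary epoch
    pid: int       # process id that generated the event
    image: str     # full path of the process image
    kind: str      # "file_write" | "net_post" | "file_delete"
    target: str    # file path for file events, URL for net_post


# Google Forms submissions are POSTed to .../formResponse; the form id in the
# sample data below is a placeholder, not an indicator from the article.
GOOGLE_FORMS_RE = re.compile(r"^https://docs\.google\.com/forms/.*/formResponse", re.I)


def find_keylogger_exfil_chains(events, window=300):
    """Return one dict per (pid, file) where a single process wrote a .txt
    file, then POSTed to a Google Forms endpoint, then deleted that same
    file, all within `window` seconds and in that order. This is the
    sequence the Fauxpersky write-up describes; a benign editor that
    creates and removes a file without an intervening POST does not match."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev.pid].append(ev)

    hits = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        open_writes = {}   # file path -> timestamp of most recent write
        post_times = []    # timestamps of Google Forms POSTs by this process
        for ev in evs:
            if ev.kind == "file_write" and ev.target.lower().endswith(".txt"):
                open_writes[ev.target] = ev.ts
            elif ev.kind == "net_post" and GOOGLE_FORMS_RE.match(ev.target):
                post_times.append(ev.ts)
            elif ev.kind == "file_delete" and ev.target in open_writes:
                wrote_at = open_writes.pop(ev.target)
                # Require write -> POST -> delete ordering inside the window.
                posted_between = any(wrote_at <= p <= ev.ts for p in post_times)
                if posted_between and ev.ts - wrote_at <= window:
                    hits.append({"pid": pid, "image": ev.image, "file": ev.target})
    return hits


# Constructed sample telemetry: one benign editor session, one suspicious
# chain, and one benign browser form submission with no file activity.
KEYLOGGER_IMAGE = r"C:\Users\alice\AppData\Roaming\svc\keylog.exe"          # placeholder
LOG_FILE = r"C:\Users\alice\AppData\Roaming\svc\Gmail - Google Chrome.txt"  # named after the window
FORM_URL = "https://docs.google.com/forms/d/e/PLACEHOLDER_FORM_ID/formResponse"

SAMPLE_EVENTS = [
    Event(100, 4100, r"C:\Windows\System32\notepad.exe", "file_write", r"C:\Users\alice\todo.txt"),
    Event(160, 4100, r"C:\Windows\System32\notepad.exe", "file_delete", r"C:\Users\alice\todo.txt"),
    Event(200, 5200, KEYLOGGER_IMAGE, "file_write", LOG_FILE),
    Event(230, 5200, KEYLOGGER_IMAGE, "net_post", FORM_URL),
    Event(231, 5200, KEYLOGGER_IMAGE, "file_delete", LOG_FILE),
    Event(300, 6000, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "net_post", FORM_URL),
]


if __name__ == "__main__":
    for hit in find_keylogger_exfil_chains(SAMPLE_EVENTS):
        print(f"suspicious keylog exfil chain: pid={hit['pid']} image={hit['image']} file={hit['file']}")
```

The rule keys on the sequence rather than on any hash or path, so it survives the trivial renaming the post mentions (the malware impersonating a security product). In a real deployment the same logic would be fed from Sysmon-style file and network events, and the Google Forms match would be one of several exfiltration destinations worth pairing with short-lived text files.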
That sounds as if Microsoft has not done enough on many frontline products. First it was the messenger issue, then the Windows Meltdown patch issue, and now Windows Remote Assistance. I wonder if organizations are even protected in the case when the patch has not been released and they are informed beforehand. This is a strict case of information leak from my point of view. I believe more than 30% of Fortune 500 companies use Remote Assistance and it would be great to see in the future how Microsoft treats this as a case of lapse and releases patches much earlier in time.
-
Andrew Szajlai commented on the post, Week 4 Update, on the site 6 years, 8 months ago
If you have Windows 10 you can follow the following to install hyper-v (https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v). I added it to my Surface Pro. I’ll bring to class on Thursday.
-
Andrew Szajlai wrote a new post on the site MIS 5170-18 Topic: Operating Systems Security 6 years, 8 months ago
Good afternoon,
I have sent out the current teams as well as those that are not part of a team. I’ve created this post for you to form teams, if you want me to just place you on a team please send me an e […]
-
Agreed, but that being said this is going to be used to justify future consulting engagements for the rest of time! 😉 As everyone knows, these sorts of high profile incidents just keep the revenue flowing for consultants;)
I agree. The additional control which Apple implemented is a step in the right direction; however, I agree with the idea of mandatory re-authorization after a specified time interval passes. That way, even if someone gets control, they will only keep it until re-authorization is required.
That’s a good point. I hadn’t thought of that. VPNs are essential if you’re ever considering becoming an expat in another country.
In addition to privacy, other VPN benefits include access to your US Netflix catalog and other geographical based streaming services when traveling out of the country!
A very interesting model. I especially thought the service used for device-to-device and device-to-cloud certificate-based authentication is an interesting concept to secure IoT devices. I assume this is something that could prevent rogue bots (e.g. Mirai) from communicating with the devices.
Yeah, I don’t believe that $270k-$540k would cut it for this. That’s essentially the salary of 2-6 full time employees. IT security for an entire city would be much more costly with the types of systems, applications, and resources required to lock down the system in a better manner. I agree that it would have taken a few million to even come close to enhancing the security of the systems throughout the city.
I thought it was interesting that one individual estimated that they could have spent about 10 – 20% of the cost to bring in the consultants to help with the issues prior to the incident. I guess that estimate ($270K – $540K) assumes the city already has a security department that can implement and sustain the services recommended by the consultants. Security resources are expensive (cheers from the ITACS student peanut gallery) and so are the control capabilities that would have prevented or detected this. I could easily see a city government investing millions in consulting fees, full time resources, and control capabilities to prevent an attack like this.
This is a very necessary and, what seems to be, a very well thought out system. It’s a fully designed end to end system from the custom designed microcontroller units, to the specially designed OS, to the cloud based connectivity which takes care of software and security updates.
IoT devices are some of the most insecure devices in today’s world, and this ecosystem could be a very big step forward in securing these devices.
I read about this when it first happened last month and remember thinking to myself that they are screwed financially, and this article proves it. Like the article points out, victims of these types of attacks have two options, pay the ransom and hope they get their data back, or refuse to pay and lose all the data that was compromised, which, when combined with the remediation and recovery costs, can get to be much much more expensive than the original ransom request.