Week 09: Malware

China has been accused of hijacking the internet’s Border Gateway Protocol (BGP) to carry out covert man-in-the-middle surveillance on Western countries and companies.

BGP governs how traffic is routed between subdivisions of the internet known as autonomous systems (AS). It ensures that traffic reaches the correct servers – meaning messing around with it is bad news.

The researchers claim China Telecom has essentially been doing the same again – abusing BGP to route international Net traffic via its POPs, of which it has eight located in the US and two in Canada.

These included months of ‘hijacking’ routes from Canada to Korea in 2016, which saw traffic take longer detours into China before completing its journey.

Or the traffic from the US to a bank in Milan, Italy which was diverted via China Telecom POPs in a way that only stood out because it never arrived.

One defence against BGP hijacking is TLS encryption. It doesn’t stop the rerouting but if someone diverts web, email or DNS traffic encrypted with TLS through their POP it should be unreadable.

https://nakedsecurity.sophos.com/2018/10/30/china-hijacking-internet-traffic-using-bgp-claim-researchers/

Tumblr Patches A Flaw That Could Have Exposed Users Account Info

– Swati Khandelwal

Tumblr today published a report admitting the presence of a security vulnerability in its website that could have allowed hackers to steal login credentials and other private information for users’ accounts.

 

The affected information included users email addresses, protected (hashed and salted) account passwords, self-reported location (a feature no longer available), previously used email addresses, last login IP addresses, and names of the blog associated with every account.

 

Tumblr assured that its internal investigation found no evidence of the bug being abused by an attacker.

 

Reference: https://thehackernews.com/2018/10/tumblr-account-hacking.html

As per the research performed by Kaspersky Lab, there has been nearly 1,000 phishing attempts hitting at least 131 universities in 16 countries over the last year. Researchers say that attackers are targeting users with fraudulent web pages that look identical to the university’s official page. The only thing that distinguishes it from the original web page is a slightly different URL, which mostly is difficult to detect. Once a user clicks on the link, they are redirected to credentials-stuffing pages, and are asked to provide sensitive information, which includes university account credentials, IP addresses and location data. There were phishing pages mimicking the login pages of the University of Washington, Harvard Business School, and Stanford University.

Collecting the IP addresses would enable cyber-criminals to circumvent anti-fraud systems “by masquerading as account holders”. Moreover, personal accounts on the university site would provide access to both general information as well as paid services and research results.

The University of Washington (11.6% of attack attempts), Cornell University (6.8%) and the University of Iowa (5.1%) were top three targeted schools.

https://www.infosecurity-magazine.com/news/multiple-phishing-campaigns-target/

 

Interesting article about Microsoft Windows built-in anti-malware tool, Windows Defender, has become the very first antivirus software to have the ability to run inside a sandbox environment. Sandboxing is a process that runs an application in a safe environment isolated from the rest of the operating system and applications on a computer. So that if a sandboxed application gets compromised, the technique prevents its damage from spreading outside the closed area. According to Microsoft, implementing sandboxing in Windows Defender was a challenge for its engineers because the process had the potential to cause performance degradation and required a number of fundamental changes.

How to Turn On Sandbox Feature in Windows Defender Antivirus:
For now, Windows Defender running on Windows 10, version 1703 or later, support the sandbox feature, which is not enabled by default, but you can turn the feature on by running following command on your system:
Open Start and Search for “CMD” or “Command Prompt”
Right Click on it and select “Run as administrator.”
Type: “setx /M MP_FORCE_USE_SANDBOX 1” and then press ENTER
Then restart your computer.