Serious Flaw Found in Many Siemens Industrial Products
7.12.2017 securityweek ICS
Several product lines from Siemens are affected by a serious vulnerability that can be exploited by a remote attacker to cause systems to enter a denial-of-service (DoS) condition.

The flaw, tracked as CVE-2017-12741 and rated “high severity,” was reported to Siemens by George Lashenko of industrial cybersecurity firm CyberX.

According to Siemens, the list of affected products includes SIMATIC S7-200 Smart micro-PLCs for small automation applications, some SIMATIC S7 CPUs, SIMATIC WinAC RTX software controllers, SIMATIC ET 200 PROFINET interface modules, SIMATIC PN/PN couplers, SIMATIC Compact field units, development kits for PROFINET IO, SIMOTION motion control systems, SINAMICS converters, SINUMERIK CNC automation solutions, SIMOCODE motor management systems, and SIRIUS 3RW motor soft starters.

An attacker can cause affected systems to malfunction by sending them specially crafted packets via UDP port 161, which is used for the simple network management protocol (SNMP). In order to recover from the DoS condition, the devices must be manually restarted.

The mitigating factors section of Siemens’ advisory notes that the attacker needs network access to exploit the flaw, and that Siemens advises organizations to operate these devices only in trusted environments.

However, CyberX told SecurityWeek that there are roughly 2,000 Siemens devices accessible from the Internet, including approximately 400 that have an open SNMP port, which could make them vulnerable to the company’s exploit.

“DoS vulnerabilities shouldn’t be taken lightly,” CyberX said. “The December 2016 attack on the Ukrainian electrical grid used this type of exploit to disable protection relays and make it more difficult for operators to recover.”

The security firm said Siemens was very responsive to its vulnerability report. The vendor has released firmware updates that patch the flaw in some SIMATIC S7, EK-ERTEC, SIMOTION and SINAMICS products.

Until fixes become available for the other affected products, Siemens recommends disabling SNMP, which fully mitigates the vulnerability, protecting network access to port 161, applying defense-in-depth and cell protection concepts, and using VPNs.
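A first check a defender can run against the advice above is to find out who is actually sending SNMP to the affected controllers. The following is an added example (not from Siemens or SecurityWeek) that scans constructed flow records for UDP/161 traffic reaching a PLC cell network from anything other than the approved SNMP managers; the cell network, manager address and plant ranges are assumptions.

```python
"""Flag SNMP (UDP/161) traffic reaching a PLC cell network from hosts that are
not on the SNMP-manager allowlist.  Inventory values below are assumptions."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst proto dport")

# Assumed inventory: the cell network holding the affected controllers, the
# only stations that should ever poll them over SNMP, and the plant's ranges.
ICS_CELL = ipaddress.ip_network("10.10.20.0/24")
SNMP_MANAGERS = {ipaddress.ip_address("10.10.1.5")}
PLANT_RANGES = [ipaddress.ip_network("10.0.0.0/8")]
SNMP_PORT = 161


def parse_flows(lines):
    """Parse 'ts src dst proto dport' records into Flow objects; skip junk lines."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, proto, dport = parts
        try:
            flows.append(Flow(ts, ipaddress.ip_address(src),
                              ipaddress.ip_address(dst), proto.lower(), int(dport)))
        except ValueError:
            continue
    return flows


def snmp_alerts(flows):
    """Return (ts, src, dst, reason) for UDP/161 traffic into the ICS cell that
    does not come from an approved manager.  External sources indicate the
    Internet exposure described in the article; internal ones a stray poller."""
    alerts = []
    for f in flows:
        if f.proto != "udp" or f.dport != SNMP_PORT or f.dst not in ICS_CELL:
            continue
        if f.src in SNMP_MANAGERS:
            continue
        internal = any(f.src in net for net in PLANT_RANGES)
        reason = "unlisted internal host" if internal else "external source"
        alerts.append((f.ts, str(f.src), str(f.dst), reason))
    return alerts


# Constructed sample flow log (not real traffic).
SAMPLE_FLOWS = [
    "2017-12-07T09:00:01 10.10.1.5 10.10.20.11 udp 161",      # legitimate poll
    "2017-12-07T09:00:02 10.10.5.77 10.10.20.11 udp 161",     # unlisted internal host
    "2017-12-07T09:00:03 198.51.100.23 10.10.20.12 udp 161",  # reachable from outside
    "2017-12-07T09:00:04 10.10.5.77 10.10.20.11 tcp 102",     # S7 traffic, not SNMP
    "garbage line",
]

if __name__ == "__main__":
    for alert in snmp_alerts(parse_flows(SAMPLE_FLOWS)):
        print(*alert)
```

If SNMP has been disabled on the controllers as Siemens recommends, any hit from this check is a host still trying to reach a service that should no longer answer.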


HBO hacker linked to the Iranian Charming Kitten APT group
7.12.2017 securityweek APT

A new report published by ClearSky linked a man accused by U.S. authorities of hacking into the systems of HBO to the Iranian cyber espionage group Charming Kitten.
Experts from the security firm ClearSky have published a new detailed report on the activities of the Charming Kitten APT group, also known as Newscaster and NewsBeef.

The Newscaster group made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

According to the iSIGHT Partners analysis, the Iranian hackers used a network of fake accounts (the NEWSCASTER network) on major social media platforms to spy on US officials and political staff worldwide. The Charming Kitten group is also known for abusing open source security tools, including BeEF.

The threat actor targeted numerous entities in Iran, the U.S., Israel, the U.K. and other countries. The hackers also hit individuals involved in academic research, human rights, and the media.

ClearSky detailed the group’s activities during 2016-2017; the report includes information on the infrastructure used by the APT and on a new strain of malware dubbed DownPaper.

The report also links the hacker behind the HBO security breach to Charming Kitten, and reveals the identities of two other alleged members of the group.

Last month, the United States charged the Iranian computer expert Behzad Mesri over the ‘Game of Thrones’ HBO hack; the man was charged with stealing scripts and plot summaries for ‘Game of Thrones’.

The Manhattan US attorney Joon Kim said Mesri “had previously hacked computer systems for the Iranian military”. The man threatened to release stolen data unless HBO paid a $6 million ransom in Bitcoin.

Prosecutors confirmed that the Iranian man was a member of the Iranian-based Turk Black Hat Security hacking group that targeted hundreds of websites in the United States and around the world.

“MESRI is an Iran-based computer hacker who had previously worked on behalf of the Iranian military to conduct computer network attacks that targeted military systems, nuclear software systems, and Israeli infrastructure.” continues the DoJ.

“At certain times, MESRI has been a member of an Iran-based hacking group called the Turk Black Hat security team and, as a member of that group, conducted hundreds of website defacements using the online hacker pseudonym “Skote Vahshat” against websites in the United States and elsewhere.”

Experts discovered that Mesri and Charming Kitten were linked through “ArYaIeIrAN,” another member of the Turk Black Hat group.

Charming Kitten

The email addresses associated with this individual have been used to register several domains used by Charming Kitten. ClearSky also discovered that the same email address was used to register a domain for an Iranian hosting firm named MahanServer, which has hosted Charming Kitten infrastructure.

“To sum up, the HBO hacker – Behzad Mesri is a member of Turk Black Hat along with ArYaIeIrAn, who provides infrastructure for Charming Kitten activity via PersianDNS / Mahanserver together with Mohammad Rasoul Akbari, who is a Facebook friend of Behzad Mesri’s.” states the report. “We tend to identify ArYaIeIrAn with Mohammadamin Keshvari, because the latter is the only other employee of Mahanserver and works in a company whose domain was registered by the former (and both have a similar and unique profile picture). We estimate with medium certainty that the three are directly connected to Charming Kitten, and potentially, along with others – are Charming Kitten”

Iranian hackers are becoming increasingly aggressive, even though experts believe they are not particularly sophisticated.

Recently we discussed how the OilRig gang has been using a new Trojan in attacks aimed at targets in the Middle East.

OilRig is just one of the Iran-linked hacker crews; other groups tracked by security experts are APT33, Rocket Kitten, Cobalt Gypsy (Magic Hound), Charming Kitten (aka Newscaster and NewsBeef) and CopyKittens.


NiceHash Hacked – Crooks have allegedly stolen $60m worth of Bitcoin
7.12.2017 securityweek Incident

The cryptocurrency mining marketplace NiceHash confirmed it has fallen victim to a hacking attack that may have resulted in the loss of $60m worth of Bitcoin.
Cryptocurrency companies continue to be a privileged target of hackers; the latest victim is the cryptocurrency mining marketplace NiceHash. The NiceHash marketplace allows users to buy and sell computing cycles to mine cryptocurrency. The company confirmed it was hacked and that attackers emptied its entire Bitcoin wallet.

“Unfortunately, there has been a security breach involving NiceHash website. We are currently investigating the nature of the incident and, as a result, we are stopping all operations for the next 24 hours.” reads the statement issued by NiceHash.

“Importantly, our payment system was compromised and the contents of the NiceHash Bitcoin wallet have been stolen. We are working to verify the precise number of BTC taken.”

NiceHash data breach

The security breach has been reported to law enforcement, and the company is also investigating the attack.

Although NiceHash did not provide financial details on the security breach, it has been estimated that the hackers stole around $60m.

NiceHash declared that it is fully committed to restoring the service with the highest security measures; it does not intend to exit the market because of the incident.

The company did not provide further details on the hack; as a precaution, it recommends that users change their online passwords.

“While the full scope of what happened is not yet known, we recommend, as a precaution, that you change your online passwords.” concludes the statement. “We are truly sorry for any inconvenience that this may have caused and are committing every resource towards solving this issue as soon as possible.”

The security breach was disclosed just hours after NiceHash confirmed its website was down for maintenance.


NiceHash
@NiceHashMining
Dear NiceHash user, our service is currently under maintenance.
We are sorry for the inconvenience and please stay tuned for updates.
Thank you for your understanding.

8:52 AM - Dec 6, 2017
At the time of writing, the NiceHash website still shows a maintenance page.


Cybercriminals vs financial institutions in 2018: what to expect
7.12.2017 Kaspersky CyberCrime
Introduction – key events in 2017
2017 was a year of great changes in the world of cyberthreats facing financial organizations.

Firstly, in 2017 we witnessed a continuation of cyberattacks targeting systems running SWIFT — a fundamental part of the world’s financial ecosystem. Attackers were able to use malware in financial institutions to manipulate applications responsible for cross-border transactions, making it possible to withdraw money from any financial organization in the world, because SWIFT software is unified and used by almost all the major players in the financial market. Victims of these attacks included several banks in more than 10 countries around the world.

Secondly, in 2017 we saw the range of financial organizations that cybercriminals have been trying to penetrate expand significantly. Different cybercriminal groups penetrated bank infrastructure, e-money systems, cryptocurrency exchanges, capital management funds, and even casinos. Their main goal was to withdraw very large sums of money.

To monetize their intrusions, attackers rely on proven schemes for turning network access into cash. In addition to their attacks on SWIFT systems, cybercriminals have been actively using ATM infections, including on financial institutions’ own networks, as well as manipulating RB (remote banking) systems and PoS terminal networks, and making changes in banks’ databases to ‘play’ with card balances.

Attacks on ATMs are worth mentioning separately. This kind of robbery became so popular that 2017 saw the first ATM malware-as-a-service: with cybercriminals providing on underground forums all necessary malicious programs and video instructions to gain access to ATMs. Those who bought a subscription only needed to choose an ATM, open it following the instructions, and pay the service organizers for activating the malicious program on the ATM, after which the money withdrawal process started. Schemes like this significantly increased the number of cybercriminals, even making cybercrime accessible to non-professionals.

We saw the interception of bank customers’ electronic operations through the hijacking of bank domains. Customers were thus connecting not to their bank’s real infrastructure, but to a fake one created by the intruders. For several hours, the criminals were therefore able to perform phishing attacks, install malicious code and manipulate the operations of customers who were using online banking services at the time.

It’s worth noting that, in some countries, banks have forgotten about the most “unimportant” thing – physical security. This has made attacks on banks’ financial assets possible. In some cases, this was due to easy access to cable lines, to which small Raspberry Pi devices were then connected. For several months these devices passively collected information about bank networks and sent intercepted data over LTE connections to the servers of intruders.

Predictions for 2018
Attacks via the underlying blockchain technologies of financial systems
Almost all of the world’s large financial organizations are actively investing in systems based on blockchain technology. Any new technology has its advantages, but also a number of new risks. Financial systems based on blockchain do not exist autonomously, so vulnerabilities and errors in blockchain implementations can enable attackers to earn money and disrupt the work of a financial institution. For instance, in 2016-2017, a number of vulnerabilities and errors were discovered in smart contracts, on which a number of financial institutions’ services have been built.

More supply chain attacks in the financial sphere
Large financial organizations invest considerable resources in cybersecurity, thus the penetration of their infrastructure is not an easy task. However, a threat vector that is likely to be actively used by cybercriminals in the coming year is attacks on software vendors supplying financial organizations. Such vendors, for the most part, have a weak level of protection compared to the financial organizations themselves. Last year, we witnessed a number of attacks like this: including against NetSarang, CCleaner, and MeDoc. As we can see, attackers replaced or modified updates for very different types of software. In the next year, we can expect cybercriminals to perform attacks via software designed specifically for financial organizations, including software for ATMs and PoS terminals. A few months ago we registered the first attempts of this kind, when attackers embedded a malicious module into a firmware installation file, and placed it on the official website of one of the American ATM software vendors.

Mass media (in general, including Twitter accounts, Facebook pages, Telegram, etc.) hacks and manipulation for getting financial profit through stock/crypto exchange trade
2017 will be remembered as the year of ‘fake news’. Besides the manipulation of public opinion, this phrase can also mean a dishonest way of earning money. Since stock exchange trading is mostly carried out by robots, manipulating the source data those robots use to make transactions can lead to enormous changes in the price of goods, financial instruments and cryptocurrencies. In fact, just one tweet from an influencer, or a wave of messages on a social network created with the help of fake accounts, can drive the markets. And this method will certainly be used by intruders. With this approach, it’s almost impossible to find out which of the beneficiaries is the customer of the attack.

ATM malware automation
The first malware for ATMs appeared in 2009, and since then these devices have received constant attention from cyber-fraudsters. There has been a continuous evolution of this type of attack. The past year saw the emergence of ATM malware-as-a-service, and the next step will be the full automation of such attacks – a mini-computer will be connected automatically to an ATM, leading to malware installation and jackpotting or card data collection. This will significantly shorten the time needed for intruders to commit their crime.

More attacks on crypto exchange platforms
For the past year, cryptocurrencies have attracted a huge number of investors, which in turn has led to a boom in new services for trading various coins and tokens. Traditional players in the financial market, with highly developed cybersecurity protection, haven’t rushed to enter this field.

This situation provides attackers with an ideal opportunity to target cryptocurrency exchanges. On the one hand, new companies haven’t managed to test their security systems properly. On the other hand, the entire cryptocurrency exchange business, technically speaking, is built on well-known principles and technologies. Thus, attackers know, as well as have, the necessary toolkit to penetrate the infrastructure of new sites and services working with cryptocurrencies.

Traditional card fraud will spike due to the huge data breaches of the previous year
Big personal data leaks – including the recent Equifax case, which resulted in more than 140 million U.S. residents’ data being leaked to cybercriminals, and the Uber case, when the data of another 57 million customers was leaked – have created a situation where traditional banking security can seriously fail, because it’s based on the analysis of data about current or potential customers.

For example, detailed knowledge of a victim’s personal data can allow attackers to pose as a banking customer, and extract their victim’s money or security information, while to the bank concerned, their request looks legitimate. Therefore, the coming year may be marked by a spike in quite traditional fraud schemes, with the big data that has been collected (but not properly protected) by organizations about their customers for years, set to help attackers in the successful realization of their fraud schemes.

More nation-state sponsored attacks against financial organizations
The infamous Lazarus group, which is likely to be North-Korean state-sponsored, has attacked a number of banks in different parts of the world in the last few years. These have included banks in countries in Latin America, Europe, Asia and Oceania. Their main purpose has been to withdraw large sums of money, amounting to hundreds of millions of dollars. In addition, the data released by the Shadow Brokers indicates that experienced state-sponsored APT-groups are targeting financial institutions in order to learn more about cash flows. It is very likely that, next year other APT groups from countries that have just joined the cyber-spy game will follow this approach – both to earn money and to obtain information about customers, the flow of funds and the internal procedures of financial organizations.

Fintechs’ inclusion and mobile only-users: a fall in the number of traditional PC-oriented internet-banking Trojans. Novice mobile banking users will be a new prime target for criminals
Digital banks will continue revolutionizing the financial sector on a global scale, especially in emerging markets. For example, in Brazil and Mexico, these banks are gaining more and more momentum and this, of course, has attracted cybercriminal attention. We are sure that the world of cybercrime will see increasing attacks against this type of bank and its customers. Their main feature is the complete absence of branches and traditional customer service. All communication between the bank and its customers actually occurs through a mobile application. This can have several consequences.

The first is a decrease in the number of Windows Trojans, aimed at stealing money through traditional internet banking. The second is that the growing number of digital financial institutions will lead to organic growth in the number of users that are easy targets for cybercriminals: people without any mobile banking experience, but with banking applications installed on their mobile devices. These people will be the main targets for both malware attacks, such as Svpeng, and schemes completely built on social engineering. Persuading a customer to transfer money through a mobile application is much easier than forcing them to go to a physical bank and make a transaction.

Conclusion
During the past few years, the number and quality of attacks aimed at financial sector organizations has grown continuously. These are attacks on the infrastructure of an organization and its employees, not its customers.

The financial institutions that have not already thought about cybersecurity will soon face the consequences of hacker attacks. And these consequences will be incompatible with the continuation of these businesses: they will lead to a complete halt in operations as well as extreme losses.

To prevent situations like this from happening, it is necessary to constantly adapt security systems to new emerging threats. This is impossible without analyzing data and information about the most important and relevant cyberattacks aimed at financial organizations.

An effective approach to combating attacks will be for banks not only to choose the right security solutions, but also to use specialized intelligence reports on attacks, as these contain information that must be implemented immediately into overall protection systems. For example, using YARA rules and IOCs (indicators of compromise) will become vital for financial organizations in the coming months.


Hackers Can Steal Data From Air-Gapped Industrial Networks via PLCs
7.12.2017 securityweek ICS
Researchers have discovered a method that hackers could use to stealthily exfiltrate data from air-gapped industrial networks by manipulating the radio frequency (RF) signal emitted by programmable logic controllers (PLCs).

Attackers may be able to plant a piece of malware on an isolated network, including via compromised update mechanisms or infected USB drives, but using that malware to send valuable data outside the organization poses its own challenges.

In the past few years, Israeli researchers have found several methods that can be used to jump the air gap, including via infrared cameras, scanners, the LEDs on routers and hard drives, heat emissions, radio signals, and the noise made by hard drives and fans. One of their proof-of-concept (PoC) malware samples, named AirHopper, uses electromagnetic signals emitted by a computer’s graphics card to send data to a nearby receiver.

Researchers at CyberX, a company that specializes in protecting industrial control systems (ICS), have found a way to apply a similar data exfiltration method to systems in air-gapped industrial networks. The method was first disclosed in October at SecurityWeek’s ICS Cyber Security Conference by CyberX VP of Research David Atch.

CyberX shows how malware can jump the air gap via PLCs

The technique relies on PLCs and the RF signals they emit. Tests were conducted using the popular Siemens S7-1200 PLC, but experts believe the attack likely works on PLCs from other vendors as well.

The exfiltration method discovered by CyberX does not leverage any vulnerabilities or design flaws in PLCs. Experts also noted that it does not involve any RF functionality in the device itself. Rather, the RF signals emitted by the device are a byproduct of repeatedly writing to the PLC’s memory in a specific way.

Researchers analyzed the radio waves from these systems and found that the frequency changes when data is written to the device’s memory. If an attacker can manipulate this frequency, they can use it to exfiltrate data bit by bit – a certain frequency represents a “0” bit and a different frequency represents a “1” bit. The signal can be captured by a nearby antenna and decoded using software-defined radio.

Writing to the PLC memory in a specific cycle that modulates the frequency of the RF signal can be achieved by uploading a specially crafted ladder diagram to the device. Ladder diagrams are created with ladder logic, a programming language used to develop software for PLCs.

An attacker who has access to the targeted organization’s systems, specifically to its industrial controllers, can upload a malicious ladder diagram to a PLC and abuse it to exfiltrate sensitive data.

In the tests it conducted, CyberX managed to transmit data at a rate of 1 bit per second over a distance of roughly 1 meter (3 feet) with an off-the-shelf antenna. However, experts believe the distance can be increased using a higher quality antenna, and improvements made to signal processing algorithms can help increase the speed of the transmission.

The exfiltrated data can be captured using various methods, such as an antenna attached to a drone flying over the site, or by an adversary posing as cleaning staff and carrying an antenna in their pocket.

While the data exfiltration rate may seem very slow, experts believe the method can be useful for stealing small pieces of information typically collected in the reconnaissance phase of an attack launched by a sophisticated threat actor, including network topology, protocols and devices, intellectual property stored in HMIs and historians, and work schedules.

Researchers warned that these types of attacks are typically difficult to detect because no security solutions run on PLCs. Furthermore, once a device has been compromised, the malicious code persists for an extended period of time, since these devices are rarely formatted.

“Organizations can prevent these types of attacks with continuous monitoring and behavioral anomaly detection,” Atch told SecurityWeek. “For example, this would immediately detect the cyber reconnaissance phase preceding data exfiltration -- such as devices scanning the network and querying devices for configuration information -- as well as unauthorized updates to PLC ladder logic code to deploy the specially-crafted code to generate encoded RF signals.”
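The two signals Atch names, a host querying many controllers for configuration and a ladder-logic download from an unexpected station, are what a behavioral monitor on the cell network would look for. The following is an added example (not CyberX’s or Siemens’ code) that runs both checks over constructed PLC event records; the event format, the approved engineering station and the thresholds are assumptions.

```python
"""Behavioral anomaly detection for an ICS cell: flags (a) a host that queries
many controllers for configuration within a short window (reconnaissance) and
(b) a ladder-logic program download from a host that is not an approved
engineering station.  Event format, roles and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed inventory: the only workstation allowed to push ladder logic.
ENGINEERING_STATIONS = {"10.10.1.20"}
RECON_DISTINCT_TARGETS = 5           # distinct PLCs queried ...
RECON_WINDOW = timedelta(minutes=2)  # ... within this window


def parse_events(lines):
    """Parse 'ISO-timestamp src dst event' lines into sorted tuples.
    Event kinds used here: config_query, program_download."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, kind = parts
        try:
            events.append((datetime.fromisoformat(ts), src, dst, kind))
        except ValueError:
            continue
    return sorted(events)


def detect_recon(events):
    """Per-source sliding window: alert when one host has queried at least
    RECON_DISTINCT_TARGETS different controllers within RECON_WINDOW."""
    alerts = []
    per_src = defaultdict(list)
    for ts, src, dst, kind in events:
        if kind != "config_query":
            continue
        window = per_src[src]
        window.append((ts, dst))
        # Drop queries that have fallen out of the window.
        while window and ts - window[0][0] > RECON_WINDOW:
            window.pop(0)
        targets = {d for _, d in window}
        if len(targets) >= RECON_DISTINCT_TARGETS:
            alerts.append((ts.isoformat(), src, "recon", len(targets)))
            window.clear()  # report a burst once, then start over
    return alerts


def detect_unauthorized_downloads(events):
    """Alert on any ladder-logic download to a PLC from a non-engineering host."""
    return [(ts.isoformat(), src, "unauthorized_program_download", dst)
            for ts, src, dst, kind in events
            if kind == "program_download" and src not in ENGINEERING_STATIONS]


def analyze(lines):
    events = parse_events(lines)
    return detect_recon(events) + detect_unauthorized_downloads(events)


# Constructed sample events (not real traffic).
SAMPLE_EVENTS = [
    "2017-12-07T10:00:00 10.10.1.20 10.10.20.11 program_download",  # approved station
    "2017-12-07T10:05:00 10.10.5.77 10.10.20.11 config_query",
    "2017-12-07T10:05:05 10.10.5.77 10.10.20.12 config_query",
    "2017-12-07T10:05:10 10.10.5.77 10.10.20.13 config_query",
    "2017-12-07T10:05:15 10.10.5.77 10.10.20.14 config_query",
    "2017-12-07T10:05:20 10.10.5.77 10.10.20.15 config_query",      # 5th target
    "2017-12-07T10:30:00 10.10.5.77 10.10.20.11 program_download",  # not approved
    "2017-12-07T11:00:00 10.10.1.20 10.10.20.12 config_query",      # routine
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(*alert)
```

Because the RF emission itself is invisible to network sensors, the download of the modified ladder logic is the last observable step; a baseline of approved program hashes per controller would extend this check to downloads that do come from the engineering station.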


StorageCrypt Ransomware Targets NAS Devices via SambaCry Exploit
7.12.2017 securityweek Ransomware
A new ransomware family is using the SambaCry vulnerability that was patched in May to infect network-attached storage (NAS) devices, researchers have discovered.

Dubbed StorageCrypt, the ransomware demands between 0.4 and 2 Bitcoins ($5,000 to $25,000) from its victims for decrypting the affected files.

To infect NAS devices, StorageCrypt abuses the Linux Samba vulnerability known as SambaCry and tracked as CVE-2017-7494. Affecting devices from major vendors, the bug allows remote attackers to execute arbitrary code on targeted systems by uploading a shared library to a writable share, and then causing the server to load that library.

The first attempt to abuse the vulnerability resulted in targeted systems being infected with a cryptocurrency miner. During the summer, a piece of malware dubbed SHELLBIND started abusing the flaw to infect NAS devices.

StorageCrypt leverages SambaCry in the same manner as SHELLBIND did, BleepingComputer’s Lawrence Abrams reveals. The attack relies on the exploit executing a command to download a file called sambacry, store it in the /tmp folder as apaceha, and then run it.

What the security researcher could not yet determine is whether the executable is only used to install the ransomware or also serves as a backdoor for future attacks.

Once StorageCrypt is up and running on the infected device, it encrypts and renames the files and appends the .locked extension to them. It also drops a ransom note containing the ransom amount, the attackers’ Bitcoin address, and email address JeanRenoAParis@protonmail.com.

The malware was also observed dropping two files on the infected NAS devices, namely Autorun.inf and 美女与野兽.exe (which reportedly translates to Beauty and the beast). The former file is meant to spread the Windows executable to the machines the folders on the NAS device are accessed from.

To stay protected from this ransomware or other malware abusing SambaCry, users are advised to apply the latest patches to ensure their devices aren’t vulnerable, as well as to disconnect NAS devices from the Internet. Setting up a firewall and using a VPN for secure access to the NAS should also be taken into consideration.


The StorageCrypt ransomware is the latest malware exploiting SambaCry to target NAS devices
7.12.2017 securityaffairs Ransomware

StorageCrypt is the latest malware exploiting the SambaCry vulnerability; it was developed to target NAS devices.
Experts discovered a new strain of malware exploiting the SambaCry vulnerability (CVE-2017-7494). It has been named StorageCrypt ransomware, and it targets NAS devices via the SambaCry exploit.

The StorageCrypt ransomware demands between 0.4 and 2 Bitcoins ($5,000 to $25,000) for decrypting the encrypted files.

“Recently BleepingComputer has received a flurry of support requests for a new ransomware being named StorageCrypt that is targeting NAS devices such as the Western Digital My Cloud.” wrote the malware expert Lawrence Abrams from BleepingComputer.

“Victims have been reporting that their files have been encrypted and a note left with a ransom demand of between .4 and 2 bitcoins to get their files back.”

Experts discovered that the malware exploits the Linux Samba vulnerability, aka SambaCry, that was patched in May.

The vulnerability could be exploited by remote attackers to execute arbitrary code on targeted systems by uploading a shared library to a writable share, and then causing the server to load that library.

In July, experts discovered a malware dubbed SHELLBIND that exploited the CVE-2017-7494 Samba vulnerability in attacks against Internet of Things devices.

SHELLBIND mostly infected network-attached storage (NAS) appliances; it exploits the Samba vulnerability (also known as SambaCry and EternalRed) to upload a shared library to a writable share, and then causes the server to load that library.

CVE-2017-7494 is a seven-year-old remote code execution vulnerability that affects all versions of the Samba software since 3.5.0. The flaw has been patched by the development team of the project.

The CVE-2017-7494 flaw can be easily exploited; under specific conditions a single line of code is enough. The conditions are:

make the file- and printer-sharing port 445 reachable on the Internet,
configure shared files to have write privileges,
use known or guessable server paths for those files.
The Samba vulnerability affects the products of several major vendors, including NAS appliances.

The Samba bug appears to be a network wormable issue that could be exploited by a malicious code to self-replicate from vulnerable machine to vulnerable machine without requiring user interaction.

In June, researchers at Kaspersky Lab set up honeypots to detect SambaCry attacks in the wild. The experts spotted a malware campaign that was exploiting the SambaCry vulnerability to infect Linux systems and install a cryptocurrency miner.

According to Lawrence Abrams, the StorageCrypt ransomware relies on the exploit executing a command to download a file called sambacry, store it in the /tmp folder as apaceha, and then execute it.

It is still unclear if the executable only installs the StorageCrypt ransomware or if it is also used as a backdoor.

Once the ransomware has infected a device, it encrypts the files and renames them by appending the .locked extension.

“When a file is encrypted it will be renamed so that the .locked extension is appended to the filename. The ransomware will also drop a ransom note named _READ_ME_FOR_DECRYPT.txt that contains the ransom amount, the bitcoin address to send payment to, and the email address JeanRenoAParis@protonmail.com to contact after payment.” continues Abrams.

StorageCrypt Ransomware

The ransomware drops two files on the infected NAS devices, namely Autorun.inf and 美女与野兽.exe; the former is meant to spread the Windows executable to the machines from which the folders on the NAS device are accessed.

To avoid being infected by the StorageCrypt ransomware or other malware exploiting the SambaCry flaw, users need to apply the latest patches. Users also need to disconnect NAS devices from the Internet, set up a firewall to protect the storage device and use a VPN for secure access to it.
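Both articles above reduce to the same questions for a NAS owner: is the Samba build in the affected range, and is there a writable share an attacker could drop a library into? The following is an added example (not from BleepingComputer or either article) that answers them from a Samba version string and an smb.conf. It uses three facts from the Samba project’s own CVE-2017-7494 advisory: the flaw affects 3.5.0 and later, was fixed in 4.6.4, 4.5.10 and 4.4.14, and the vendor workaround is `nt pipe support = no` in `[global]`. The configuration text and version string are constructed.

```python
"""Assess a Samba configuration for CVE-2017-7494 (SambaCry) exposure.
Facts used (from the Samba advisory): affected from 3.5.0, fixed in 4.6.4,
4.5.10 and 4.4.14, workaround 'nt pipe support = no' in [global].
Everything else here (sample smb.conf, version string) is constructed."""
import re

FIXED = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}


def parse_version(text):
    """'Version 4.5.9-Debian' -> (4, 5, 9)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version found in: " + text)
    return tuple(int(x) for x in m.groups())


def version_vulnerable(ver):
    """True if the version is in the affected range and below its branch's fix."""
    if ver < (3, 5, 0):
        return False
    fix = FIXED.get(ver[:2])
    if fix is None:
        # Branches older than 4.4 received no fix; branches newer than 4.6 ship fixed.
        return ver < (4, 4, 0)
    return ver < fix


def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {key: value}}.  Keys are lower-cased
    with spaces removed, since Samba treats 'read only' and 'readonly' alike."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower().replace(" ", "")] = value.strip().lower()
    return conf


def writable_shares(conf):
    """Shares a client may write to: the precondition for planting the library."""
    out = []
    for name, opts in conf.items():
        if name == "global":
            continue
        writable = opts.get("writable", opts.get("writeable", "no"))
        if writable in ("yes", "true", "1") or opts.get("readonly") == "no":
            out.append(name)
    return sorted(out)


def assess(version_text, conf_text):
    """Return a list of findings; an empty list means no SambaCry exposure found.
    Writable shares are only reported when the version itself is vulnerable."""
    conf = parse_smb_conf(conf_text)
    findings = []
    if version_vulnerable(parse_version(version_text)):
        mitigated = conf.get("global", {}).get("ntpipesupport") == "no"
        if not mitigated:
            findings.append("unpatched version without 'nt pipe support = no'")
        shares = writable_shares(conf)
        if shares:
            findings.append("writable shares: " + ", ".join(shares))
    return findings


# Constructed configuration resembling a consumer NAS export (not a real device).
SAMPLE_CONF = """
[global]
   workgroup = WORKGROUP
   server string = home NAS
[Public]
   path = /shares/Public
   read only = no
   guest ok = yes
[Backup]
   path = /shares/Backup
   writable = yes
[Media]
   path = /shares/Media
   read only = yes
"""
# Same export with the vendor workaround applied.
HARDENED_CONF = SAMPLE_CONF.replace("[global]", "[global]\n   nt pipe support = no")

if __name__ == "__main__":
    print(assess("Version 4.5.9-Debian", SAMPLE_CONF))
    print(assess("Version 4.5.9-Debian", HARDENED_CONF))
```

The workaround only blocks the code path the exploit needs; the writable-share finding still stands until the device receives a fixed Samba build, which is why the check keeps reporting it.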


Cyber pirates are exploiting the Bitcoin boom

7.12.2017 SecurityWorld Hacking
The rising value of Bitcoin is accompanied by a rise in malware targeting the cryptocurrency.

Malwarebytes reported that in a single month it blocked almost 250 million attempts to smuggle mining malware onto computers without their users’ knowledge. According to another firm, Symantec, the growth in malware related to cryptocurrency mining over the recent period is tenfold.

To spread it, hackers use specialized software, compromised websites, and also emails. Their increased activity has been spurred precisely by the rising price of Bitcoin, whose value has increased tenfold since the beginning of this year and a few days ago crossed the 10,000 dollar mark (214,500 CZK).

„Okolo kryptoměny se vytvořil obrovský hype a spousta lidí se na ní teď snaží vydělat,“ komentuje Candid Wuest ze Symantecu. Bitcoin přitom není primárním cílem kyberzlodějů – ti se, vzhledem k náročnosti jeho těžby, soustředí převážně na ostatní kryptoměny, jako je například Monero, jež si nežádá takový výkon, a k jehož těžbě lze zneužít třeba i chytrého mobilního telefonu. A jejich hodnota také stoupá.

Dle zprávy společnosti Malwarebytes její bezpečnostní software v těchto dnech zablokuje denně v průměru osm milionů pokusů o propašování těžebního malwaru do PC, a to většinou z webových stránek, které hackeři napadli. Škodlivý kód však mohou obsahovat i rozšíření či doplňky webových prohlížečů.

Jakmile se tento kód dostane do počítače, zapojí ho do těžebního procesu tak, že ždíme procesor téměř na 100 %. Na chytrých telefonech se to může projevit nejen snížením výkonu, ale také rychlým vybíjením baterie.

Donedávna těžební malware fungoval jen s využitím zapnutého prohlížeče oběti, nové typy však dokážou těžit i bez toho, aby byl prohlížeč zapnutý.

„Trik je v tom, že i když se prohlížeč jeví jako zavřený, další skrytý zůstává nadále otevřený,“ popisuje Jerome Segura z Malwarebytes, jak malware funguje. Uživatel si miniaturního okna skrytého pod panelem nástrojů prakticky nemá možnost všimnout.


Every organization has been hit by mobile attacks

7.12.2017 SecurityWorld Mobile
Check Point Software Technologies has presented the results of the first study on the impact of mobile attacks on enterprise environments. The study draws on data from more than 850 organizations on four continents. The results are clear: enterprise mobile environments are vulnerable, and both major mobile platforms, Android and iOS, face attacks.

Mobile threats can compromise any device and gain arbitrary access to sensitive data. Nobody is safe from mobile attacks, from financial companies and manufacturers to government organizations.

The survey found, for example, that:

100% of organizations recorded a mobile malware attack
54 is the average number of mobile malware attacks per organization
89% of companies recorded a man-in-the-middle attack over Wi-Fi
75% of organizations had an average of 35 rooted or jailbroken devices on their network

"In 2017 attacks on mobile devices surpassed attacks on personal computers in both frequency and financial value, and our report helps to understand and explain this trend," says Petr Kadrmas, Security Engineer Eastern Europe at Check Point. "Mobile devices are essentially a new back door for cyber criminals, so we are pleased to present the improved SandBlast Mobile solution, which proactively protects organizations and individual customers."

Check Point notes that attacks on mobile devices have shifted from known malware and the exploitation of weaknesses in networks and operating systems to zero-day malware, SMS attacks, and the exploitation of Bluetooth vulnerabilities.


Security experts warn of the Redirector virus. It steers users to malicious websites

7.12.2017 Novinky/Bezpečnost Viruses

Antivirus company Eset has published its ranking of the biggest threats for the month of November. It was topped by the Redirector trojan, which can cause real mischief on a computer: it redirects users to malicious websites. People should therefore be very wary of it.

"Redirector is malicious code that automatically redirects the web browser of the infected device to malicious pages from which the user may download further kinds of malware onto their computer. The malicious software is usually embedded directly in the HTML code of the linked pages," warned Miroslav Dvořák, technical director of Eset.

A user can therefore be infected by this trojan simply by working with an infected web page.

"It is an unpleasant piece of malware that manifests itself by automatically opening pages with various, often nonsensical content. The pages open at irregular intervals and may urge the user to download further software, for example on the pretext that their computer has been compromised and the damage needs to be cleaned up," Dvořák added.

It opens windows with unsolicited advertising
Unwanted browser windows are also opened by the second most frequently detected malware in the Czech Republic in November, whose full name is JS/Adware.AztecMedia. "It does not redirect to other websites, however; instead it opens windows with unsolicited advertising and in some cases can even change the browser's home page," the security expert stated.

The third most frequently detected malicious code in November was the exploit SMB/Exploit.DoublePulsar. "This is the notorious malicious code that the WannaCry ransomware used to spread," Dvořák emphasized.

The ransomware known as WannaCry or WanaCrypt0r 2.0 hit 300,000 computers in 150 countries this May. According to security experts it is the largest ransomware attack ever.

An overview of the ten most widespread virus threats for the past month is given in the table below:

The ten most common internet threats in the Czech Republic for October 2017:
1. JS/Redirector (3.91%)
2. JS/Adware.AztecMedia (3.59%)
3. SMB/Exploit.DoublePulsar (3.56%)
4. JS/Danger.ScriptAttachment (3.03%)
5. PowerShell/Agent.BS (2.75%)
6. Java/Adwind (2.51%)
7. Win32/GenKryptik (2.30%)
8. PowerShell/Adware.Adposhel (2.23%)
9. VBS/TrojanDownloader.Agent.PJJ (1.65%)
10. JS/Kryptik.MX (1.44%)
Source: Eset


Firefox contains a critical security hole. Attackers can take control of a PC

7.12.2017 Novinky/Bezpečnost Vulnerabilities
Users of Mozilla's Firefox browser should be on guard. It contains a critical security flaw that cyber criminals can exploit to break into someone else's computer. Fortunately, the developers have already released a security patch.
The newly discovered hole was flagged by the Czech national security team CSIRT.CZ, which also pointed out that fixes for the bug are already available.

"For Firefox released by Mozilla we recommend updating to version 57.0.1," said CSIRT.CZ security analyst Pavel Bašta, adding that the latest version of the browser with the fire-fox logo no longer contains the hole.

The bug is critical. In other words, attackers can smuggle practically any malicious code onto the computer. They could even enslave the machine remotely and use it for DDoS attacks, or of course eavesdrop on the user's communications on it.

With automatic updates enabled, Firefox users need not do anything. If that function is turned off, however, it is necessary to visit the developers' website and download the latest patched version manually.

A range of new features
In November Firefox received a major update called Quantum, which added a whole range of new features. It has a completely new look, a new engine, and is considerably faster than its predecessor.

First of all there is the new user interface, called Photon. Instead of rounded tabs it relies on sharp lines, looks more modern and is clearer. The new home page offers interesting content to revisit and a guide that shows the user Firefox's interesting features.

"Many actions in the browser run asynchronously, so they are faster, smoother and do not block the rest of Firefox. For example page scrolling, tab switching or the button animations used in Photon," said Michal Stanke of the Mozilla.cz site.

A whole range of changes also affected the technical side of the browser. "The new CSS engine Stylo speeds up page rendering. It came to Firefox as part of the Quantum project, hence the name of the release," Stanke explained, describing one of the advantages.


Android Development Tools Riddled with Nasty Vulnerabilities
6.12.2017 securityweek Android   
Java/Android developers are exposed to vulnerabilities in the development tools, both downloadable and cloud-based, used in the Android application ecosystem, Check Point warns.

Check Point security researchers have discovered several vulnerabilities impacting the most common Android Integrated Development Environments (IDEs), namely Google's Android Studio, JetBrains' IntelliJ IDEA, and Eclipse, along with major reverse engineering tools for Android applications, including APKTool, the Cuckoo-Droid service, and more.

The bugs were reported to the affected IDE vendors in May 2017 and have already been resolved in the Google and JetBrains tools.

According to Check Point, its research focused on APKTool (Android Application Package Tool), which it describes as the most popular tool for reverse engineering third-party Android apps, and which allows developers to decompile and build APK files.

Both of the tool's core features, however, are affected, the researchers argue. The program's source code revealed an XML External Entity (XXE) vulnerability in a function called "loadDocument," which is used by both of them.

Because of this vulnerability, the entire file system of the APKTool user is exposed, which allows an attacker exploiting it to "potentially retrieve any file on the victim's PC." All that is needed is a malicious "AndroidManifest.xml" file that triggers the issue.

The researchers also analyzed the XML parser, "DocumentBuilderFactory," used in the APKTool project and found multiple vulnerable uses of the same parser in other projects, which led to the discovery that IDEs such as IntelliJ, Eclipse, and Android Studio are affected as well.

“By simply loading the malicious ‘AndroidManifest.xml’ file as part of any Android project, the IDEs start spitting out any file configured by the attacker,” the security researchers explain.

The researchers uploaded a malicious project library to GitHub and cloned it to an Android Studio project, which demonstrated that an attack abusing this vulnerability is successful. Other attack vectors were discovered as well, such as injecting a malicious AAR (Android Archive Library) containing the XXE payload into repositories.

“It is possible, for example, to upload an infected AAR to a public repository such as the central Maven repository. Cloning the infected AAR from the repository by the victim would allow the attacker to steal sensitive files such as configuration files, source code, company digital proprietary and much more from the OS file system,” Check Point says.
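The mechanism behind the manifest attack, as an added example that is not Check Point's PoC or APKTool's code: a manifest whose DOCTYPE declares an external entity pointing at a file on disk, parsed once with external general entities resolved (the behaviour the article attributes to the unpatched DocumentBuilderFactory usage) and once with them disabled. The example is in Python, with the standard xml.sax parser standing in for the Java DOM parser; the "secret" file, its content, and the package name are constructed for the demo.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges


def malicious_manifest(target):
    """Shape of an AndroidManifest.xml carrying an XXE payload (constructed).
    `target` is whichever file on the victim's disk the attacker wants read;
    its contents are substituted wherever &xxe; appears."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        f'<!DOCTYPE manifest [<!ENTITY xxe SYSTEM "{target}">]>\n'
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android"\n'
        '          package="com.example.poc">&xxe;</manifest>\n'
    )


class TextCollector(xml.sax.ContentHandler):
    """Collects character data, i.e. whatever the entity expands to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_manifest(xml_text, resolve_external_entities):
    """Parse the manifest with external general entities either honoured
    (vulnerable) or ignored (fixed). Returns the text content of <manifest>,
    which is where the leaked file ends up."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.StringIO(xml_text))
    return "".join(handler.parts)


def has_doctype(xml_text):
    """Cheap pre-check a hardened loader can apply: a manifest never needs a
    DTD, so any DOCTYPE is reason enough to refuse the file outright."""
    return "<!DOCTYPE" in xml_text


def leak_demo():
    """Write a throw-away 'secret' file, point the manifest at it, and parse
    it both ways. Returns (text_with_entities_resolved, text_with_them_off)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "signing.properties")   # constructed
        with open(secret, "w") as f:
            f.write("keystore.password=hunter2")             # constructed
        manifest = malicious_manifest(secret)
        leaked = parse_manifest(manifest, resolve_external_entities=True)
        safe = parse_manifest(manifest, resolve_external_entities=False)
        return leaked, safe


if __name__ == "__main__":
    leaked, safe = leak_demo()
    print("entities resolved :", repr(leaked))
    print("entities disabled :", repr(safe))
```

With resolution on, the file's contents come back as the element's text, which is exactly what a tool that then writes the parsed manifest out (or reports it in an error) hands to the attacker; with resolution off the entity expands to nothing. On the Java side the equivalent hardening is to set the `disallow-doctype-decl` feature (or at minimum disable external general and parameter entities) on the `DocumentBuilderFactory` before parsing untrusted input.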

Next, the researchers discovered a vulnerability in APKTool that could allow an attacker to execute commands on the victim’s PC.

The issue was found in the configuration file "APKTOOL.YML," which is used for advanced use of the tool and which contains a section called "unknownFiles" that "allows users to include a non-standard file location that will be placed correctly on the rebuild process of an APK."

The selected files are saved in an "Unknown" folder, and because APKTool "does not validate the path of which the unknown files will be extracted from the packed APK," modifying the paths in the "unknownFiles" section lets an attacker write arbitrary files anywhere on the file system.

Writing arbitrary files to the file system can lead to remote code execution, and any APKTool user or service is vulnerable when it decodes a crafted malicious APK.
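The path check APKTool was missing, as an added example (not APKTool's own code): a constructed "unknownFiles" list with one legitimate entry and two traversal attempts, the naive join that lets them through, and a resolver that pins every destination under the output directory before anything is written. The entry names, the throw-away zip, and the "payload" bytes are all constructed for the demo.

```python
import os
import tempfile
import zipfile

# Constructed stand-in for the "unknownFiles" section of apktool.yml: the
# entry names a crafted APK asks to have written back on rebuild. Only the
# first is legitimate; the other two try to leave the output directory.
UNKNOWN_FILES = [
    "assets/extra.bin",
    "../../../home/dev/.bashrc",
    "/etc/cron.d/persist",
]


def naive_target(out_dir, entry_name):
    """The unsafe behaviour the article describes: trust the name and join.
    os.path.join discards out_dir entirely when entry_name is absolute."""
    return os.path.join(out_dir, entry_name)


def safe_target(out_dir, entry_name):
    """Resolve the destination and refuse anything outside out_dir."""
    root = os.path.realpath(out_dir)
    if os.path.isabs(entry_name) or "\\" in entry_name or "\x00" in entry_name:
        raise ValueError(f"rejected entry name: {entry_name!r}")
    dest = os.path.realpath(os.path.join(root, entry_name))
    if os.path.commonpath([root, dest]) != root:
        raise ValueError(f"entry escapes output directory: {entry_name!r}")
    return dest


def escapes(out_dir, entry_name):
    """True if safe_target would refuse this entry."""
    try:
        safe_target(out_dir, entry_name)
    except ValueError:
        return True
    return False


def extract_unknown(apk_path, out_dir, unknown_files):
    """Extract only the listed entries, each through the path check.
    Returns (written, rejected) as lists of entry names."""
    written, rejected = [], []
    with zipfile.ZipFile(apk_path) as z:
        for name in unknown_files:
            try:
                dest = safe_target(out_dir, name)
            except ValueError:
                rejected.append(name)
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with open(dest, "wb") as f:
                f.write(z.read(name))
            written.append(name)
    return written, rejected


def demo():
    """Build a throw-away zip holding the three entries and extract it."""
    with tempfile.TemporaryDirectory() as tmp:
        apk = os.path.join(tmp, "crafted.apk")
        with zipfile.ZipFile(apk, "w") as z:
            for name in UNKNOWN_FILES:
                z.writestr(name, b"payload")   # constructed content
        out = os.path.join(tmp, "out")
        os.makedirs(out)
        return extract_unknown(apk, out, UNKNOWN_FILES)


if __name__ == "__main__":
    for name in UNKNOWN_FILES:
        print(f"{name!r:32} naive -> {naive_target('/srv/apktool/out', name)}")
    print("written/rejected:", demo())
```

The absolute-path case is the one people forget: os.path.join silently returns the second argument, so a single check against ".." is not enough. Resolving with realpath and comparing the common prefix also handles symlinks planted in the output tree by an earlier, legitimate-looking entry.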

“It is impossible to estimate the number of users of this well-known open source project. Yet, knowing that among them are some large services and companies, we contacted APKTool developer and IDE companies and are pleased to report that they all fixed the security issues and released updated and improved versions of their products,” Check Point concludes.


Mailsploit: Popular Email Apps Allow Spoofing, Code Injection
6.12.2017 securityweek  Hacking  
Dozens of email clients, including some of the most popular applications, are affected by flaws that can be exploited for sender address spoofing and, in some cases, even for code injection.

The attack method, dubbed Mailsploit, was discovered by Sabri Haddouche, a pentester and bug bounty hunter whose day job is at secure messaging firm Wire.

The researcher found that an attacker can easily spoof the sender’s address in an email, and even bypass spam filters and the DMARC protection mechanism. More than 30 email apps are impacted, including Apple Mail, Mozilla Thunderbird, Outlook and other applications from Microsoft, Yahoo Mail, Hushmail, and ProtonMail.

All affected vendors were notified in the past months. Yahoo, ProtonMail and Hushmail have already released patches, while others are still working on a fix. Some organizations, such as Mozilla and Opera, said they do not plan to address the issue, and others have not told Haddouche whether fixes will be rolled out.

Mailsploit attacks are possible due to the way non-ASCII characters are encoded in email headers. These headers are required to contain only ASCII characters, but RFC-1342, published in 1992, provides a way to encode non-ASCII characters so that mail transfer agents (MTAs) can process the email.

Haddouche found that many email clients and web-based mail apps fail to properly sanitize the decoded string, which leaves room for abuse.

For example, take the following string in the From parameter of the header:

From: =?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?==?utf-8?Q?=00?==?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=@mailsploit.com

When decoded by Apple’s Mail application, it becomes:

From: potus@whitehouse.gov\0(potus@whitehouse.gov)@mailsploit.com

iOS discards everything after the null byte, and macOS displays only the first valid email address it detects, so in both cases the recipient sees the sender as "potus@whitehouse.gov."

The Mailsploit attack can be dangerous not only because of how the email address can be spoofed. Using this method also bypasses DMARC, a standard that aims to prevent spoofing by allowing senders and recipients to share information about the email they send to each other.

“The server still validates properly the DKIM signature of the original domain and not the spoofed one,” the researcher explained. “While MTAs not only don’t detect and block these spoofed email addresses, they will happily relay those emails as long as the original email seems trustworthy enough (the attacker can therefore ironically profit from setting up DMARC on that email address). This makes these spoofed emails virtually unstoppable at this point in time.”

In some cases, attackers can also execute arbitrary JavaScript code. This is possible by encoding the code they want to execute in the From parameter of the header. The code will get executed either when the malicious email is opened or when certain actions are performed (e.g. creating a new rule, replying to an email), depending on the application.


HBO Hacker Linked to Iranian Spy Group
6.12.2017 securityweek Hacking    
A man accused by U.S. authorities of hacking into the systems of HBO and attempting to extort millions of dollars from the company has been linked by security researchers to an Iranian cyber espionage group tracked as Charming Kitten.

Security firm ClearSky has published a new report detailing the activities of Charming Kitten, which is also known as Newscaster and NewsBeef. The threat actor has been active since at least 2014 and it has targeted numerous entities in Iran, the U.S., Israel, the U.K. and other countries. Its attacks have often been aimed at individuals involved in academic research, human rights and the media.

The ClearSky report describes the group’s activities during 2016-2017, including the infrastructure used and a new piece of malware named DownPaper. It also details the connection between the individual accused of hacking HBO and Charming Kitten, and reveals the identities of two other alleged members of the group.

Behzad Mesri, also known as Skote Vahshat, was charged last month by U.S. prosecutors on seven counts related to hacking HBO, stealing scripts and other information on popular TV shows, and threatening to release the data unless the network paid $6 million in Bitcoin.

When they unsealed the indictment, authorities said Mesri had also launched cyberattacks on behalf of the Iranian military against military systems, nuclear software systems, and Israeli infrastructure. They also claimed he was a member of an Iran-based hacking group called Turk Black Hat, which conducts website defacements.

Collin Anderson, a researcher specializing in state-sponsored attacks, particularly ones attributed to Iran, was the first to point out that based on the information in the indictment, Mesri appeared to be a member of Charming Kitten.

ClearSky has also found connections between Mesri and Charming Kitten. One of the links is through "ArYaIeIrAN," another member of Turk Black Hat. Email addresses associated with this individual have been used to register several Charming Kitten domains. The same email address also registered a domain for an Iranian hosting firm named MahanServer, which has hosted Charming Kitten infrastructure.

The CEO of this company appears to be one Mohammad Rasoul Akbari, and ArYaIeIrAN could be one Mohammadamin Keshvari, who is listed as MahanServer's only other employee on LinkedIn. Akbari is linked to Mesri via their Facebook profiles.

“We estimate with medium certainty that the three are directly connected to Charming Kitten, and potentially, along with others – are Charming Kitten,” ClearSky wrote in its report.

In the past years, security researchers have linked several cyber espionage groups to Iran, including APT33, Rocket Kitten, Cobalt Gypsy (Magic Hound), and CopyKittens. There are many overlaps between these actors, both in terms of infrastructure and malware, which means the individuals identified by ClearSky could be part of other Iranian groups as well, not just Charming Kitten.


Corporate IoT Implementation Struggling, Survey Finds
6.12.2017 securityweek IoT   
Security is the Primary Concern for Firms Implementing an IoT Strategy, IT Pros Say

Remaining competitive is the primary motivation for implementing a corporate 'internet of things' (IoT) strategy; but 90% of those doing so admit the implementation is struggling. Security is the primary concern, holding back 59% of organizations with a current IoT project.

Security is followed by the cost of implementation (46%); competing priorities (37%); an intimidatingly complex IT infrastructure (35%); and funding (32%). The figures come from a survey (PDF) published this week by Vanson Bourne, commissioned by the Wi-SUN Alliance, which questioned 350 IT decision makers from firms in the U.S., UK, Sweden and Denmark that are already investing in at least one IoT project.

The purpose of the survey was to help Wi-SUN better understand how it is perceived in the IoT marketplace, and to help plan future operations. Wi-SUN is a non-profit alliance of around 170 major firms throughout the world with a mission to drive interoperable IoT communications based on open global standards in industrial IoT, with particular concern for utilities and smart cities.

Key findings from the survey show that the U.S. (65% of respondents) is ahead of the other three countries surveyed in fully implemented IoT strategies: 47% in the UK, 44% in Sweden, and 24% in Denmark. The U.S. also leads in prioritizing IoT enablement: U.S. (73%), UK (64%), Sweden (62%) and Denmark (58%).

One clear outcome from the survey is the emphasis on security as the most important characteristic when considering an IoT implementation for both smart cities (84%) and utilities (85%). Second only to security is the preference for industry open standards: again 84% for smart cities, and 81% for utilities.

These two features fit well with the Wi-SUN network design specification. "Wi-SUN is about the communications layer," Phil Beecher, chair of the Wi-SUN Alliance, told SecurityWeek. "We're providing what could be seen as a large scale outdoor IoT wireless mesh that looks like an internet. It has all the resilience and reliability of a decentralized communication network. It doesn't specify any of the applications that run on top of that, so any application that runs over UDP or TCP can be run over Wi-SUN."

That, of course, is only part of a large-scale IoT network. "In a smart city," he continued, "we would provide wireless communication between street lights, or from street lights to traffic signals. But at strategic points there would be a connection to a high speed, probably fiber, connection to transport data to the network's back office." It's not a wifi network because the wifi range is too limiting. Instead Wi-SUN uses stronger radio communications able to cover up to several kilometers.

The security comes in two areas: certificate-based device authentication, and the mesh and wireless topology of the network itself.

"One of our strengths," continued Beecher, "is that we offer bi-directional communications at a fairly high data rate -- so we can do over-the-air upgrades to apply security patches. No device can connect to the network without being 'vetted'. This is based on the use of certificates. Every device has its own certificate burned in during production, and every device needs to have that certificate verified before it can join the network. Once it is verified and on the network, it is possible to download new code into that device."

The process cannot, of course, be retrofitted to old devices that can't be patched. Security here must be applied through traditional network gateways and routers; but in reality organizations with such devices should be considering renewing them with more modern devices -- and taking advantage of security updates and certificate-based security.

"This certificate authentication," said Beecher, "makes it very difficult for a remote attacker to hack any of the devices or a local attacker to tamper with the device. The mesh topology of the network also makes it difficult to deliver an effective DoS attack, whether by jamming or data overload, against the network."

Jamming is difficult because the network uses the military technique of frequency hopping. "You would need a high-power wide-band jammer," he explained. "This is difficult to achieve; although it is possible at, say, military levels. Otherwise Wi-SUN is largely immune to local jamming."


Senate Confirms New US Homeland Security Chief
6.12.2017 securityweek BigBrothers   
The US Senate confirmed White House deputy chief of staff Kirstjen Nielsen as Secretary of Homeland Security on Tuesday, putting her in charge of implementing the Trump administration's immigration crackdown.

Nielsen is close to White House Chief of Staff John Kelly, who was President Donald Trump's first secretary at the Department of Homeland Security before he was brought in to discipline Trump's chaotic office at the end of July.

Nielsen, 45, is a lawyer and veteran of the national security sector. She served in the transportation security unit of DHS during the George W. Bush administration, and was also Bush's homeland security advisor in the White House.

Senate confirms Kirstjen Nielsen as US Homeland Security chief

Later she ran her own security advisory firm, Sunesis Consulting.

Known for expertise in cyber issues, she was named Kelly's chief of staff when he took over DHS at the beginning of the Trump administration, and then followed him to the White House.

Described as tough and no-nonsense, she nevertheless lacks the experience of running a massive organization like the 240,000-strong DHS.

The agency oversees a wide range of security issues, from immigration, to cyber, terror threats and disaster relief.

The Senate approved her nomination 62-37.

Her confirmation came on a day when DHS claimed substantial success in slowing illegal immigration across the southern border and in arresting and deporting criminal aliens.

DHS said arrests of illegal immigrants were up 40 percent in the first nine months of the Trump administration, while border crossings plummeted based on tougher enforcement.

Trump has also ordered DHS to build a wall along the southern border.

But both Kelly and Nielsen have said that a wall on the entire 2,000 mile (3,200 kilometer) frontier with Mexico would be inappropriate, and that other measures, including electronic monitoring, would be required as well.


Mobile Response to Security Alerts Allows Immediate Action Anywhere, Anytime
6.12.2017 securityweek Mobile

Mobile Alerts Improve Incident Response

Cybersecurity is 24/7; cybersecurity staff are not. While larger corporations can arrange for 24/7 cover, most smaller organizations cannot do this. This means that senior security staff are effectively permanently 'on call' whether they are in the office, between offices, or at home.

A recent small survey by Barkly queried 95 IT and security professionals from companies with between 50 and 1,000 endpoints, "to learn more about how they're currently receiving and managing security alerts." Nearly half of the respondents (46%) said they had missed alerts while out of the office, while about 20% said that it had been necessary to return to the office to handle an alert that could not be managed remotely.

Given these figures, it is not surprising that 76% said that their ability to respond to alerts efficiently and speedily would improve if they could both receive and respond via a mobile device.

"The ability to react quickly can be crucial," commented Barkly's Jonathan Crowe, "especially with a resurgence of worming capabilities [think WannaCry and NotPetya] making it possible for malware to spread throughout and across organizations faster than ever."

Barkly has now released a mobile version of the complete Barkly Management Portal, allowing security staff to actively respond to new alerts at any time.

"With mobile incident response Barkly empowers security leaders to view and respond to blocked attacks wherever they are, from the convenience of their phone or tablet," said Mike Duffy, CEO of Barkly, calling it a 'game-changer'.

Josh Holmes, IT Director of Pennington Law agrees: "When an alert comes in, I need to quickly understand what Barkly blocked and what next actions to take. The ability to receive and immediately respond to alerts from my phone is invaluable."

Barkly's endpoint protection SaaS technology combines both supervised and unsupervised machine learning to continuously 'disambiguate' good and bad behavior -- rapidly detecting old-style malware file attacks and newer fileless attacks. "You cannot claim to do endpoint protection unless you can stop both file-based and fileless attacks before they get through and harm the client," Barkly CTO Jack Danahy told SecurityWeek. "A fileless attack is ten times more likely to succeed than a file-based attack."

The new mobile portal isn't simply the ability to access a cloud-based control panel via a mobile browser. "With this release, we completely re-architected and redesigned our cloud-portal for mobile responsiveness," Barkly's senior product marketing manager Allison Averill told SecurityWeek. "That means when customers log in to our portal on a mobile device, they see a mobile-specific design that makes it easier to accomplish their key workflows on mobile."


Industrial Firms Slow to Adopt Cybersecurity Measures: Honeywell
6.12.2017 securityweek Cyber
Industrial companies are slow to adopt cyber security capabilities and technology to protect their data and operations, according to a report released on Wednesday by industrial giant Honeywell.

A survey of 130 strategic decision makers from around the world revealed that more than half of industrial organizations have suffered a cybersecurity incident, including ones involving removable media, denial-of-service (DoS) attacks, malware, hackers breaking into plant IT systems, state-sponsored attacks, and direct attacks on control systems.

However, the study found that organizations underinvest in cybersecurity best practices in terms of people, processes and technology – three elements that need to work in harmony for an organizational culture that takes security seriously, Honeywell said.

Forty percent of respondents said they have a cybersecurity chief in their organization, and 15 percent plan to create the role in the future. When it comes to having someone in charge of cybersecurity for manufacturing specifically, only 35 percent of the firms surveyed by Honeywell said they have someone in that role.

As for cybersecurity processes, nearly half of organizations have an enterprise- and plant-wide IT account management policy, and 22 percent plan on implementing one within the next year. A similar percentage also has or plans on having a definitive list of connections to the plant and what data flows through them.

Only one-third of respondents said they continually monitor their systems for suspicious activity and one quarter claim they plan on implementing such measures within a year. On the other hand, roughly 70 percent of organizations conduct risk assessments at least once a year, and more than 60 percent test their firewalls at least yearly.

When it comes to the adoption of cybersecurity technologies, the Honeywell study shows that many organizations still have a long way to go. A majority of companies have only a firewall between plant and business systems, and fewer than one-third have implemented proper access control and authentication for devices in the plant.

Security measures implemented by industrial companies

While the industrial sector is typically slower to adopt new technologies compared to other sectors, many organizations either already have an initiative for digital transformation or they plan on having one within a year. As companies move towards the adoption of the Industrial Internet of Things (IIoT), the main technology pitfall is cyber security, Honeywell said.

The company has advised organizations to ensure that cybersecurity is on the CEO’s agenda. Security needs to be part of the digital transformation strategy, and organizations must focus on adopting best practices.

Honeywell’s complete report, titled “Putting Industrial Cyber Security at the Top of the CEO Agenda,” is available for download in PDF format.


MailSploit vulnerabilities allow email spoofing with more than 30 email clients
6.12.2017 securityaffairs Vulnerability

A security researcher has discovered a collection of vulnerabilities, dubbed MailSploit, affecting more than 30 popular email clients.
Email spoofing is simple to carry out and is a key ingredient of any phishing or spear-phishing attack.

Attackers modify the email headers and send a message with a forged sender address to trick recipients into opening it in the belief that it comes from a trusted source.

Security researcher Sabri Haddouche has discovered a collection of vulnerabilities affecting more than 30 popular email clients that an attacker can exploit to send spoofed messages past anti-spoofing systems.

The collection of flaws discovered by Haddouche was dubbed MailSploit, the list of vulnerable clients includes Apple Mail (macOS, iOS, and watchOS), Mozilla Thunderbird, several Microsoft email clients, Yahoo Mail, ProtonMail, and others.

Notably, almost all of the affected email clients already support anti-spoofing mechanisms such as DKIM and DMARC.
The MailSploit flaws lie in the way email clients and web interfaces parse the "From" header.
The expert has set up a dedicated website with details of the set of vulnerabilities.

“Mailsploit is a collection of bugs in email clients that allow effective sender spoofing and code injection attacks. The spoofing is not detected by Mail Transfer Agents (MTA) aka email servers, therefore circumventing spoofing protection mechanisms such as DMARC (DKIM/SPF) or spam filters.” reads the website.

“Bugs were found in over 30 applications, including prominent ones like Apple Mail (macOS, iOS and watchOS), Mozilla Thunderbird, various Microsoft email clients, Yahoo! Mail, ProtonMail and others.”

Haddouche explained that the flaws result from a lack of input sanitization in the affected email clients; they are not related to vulnerabilities in the DMARC mechanism itself.

The researcher published a PoC in which he spoofed the email address of the US President, potus@whitehouse.gov. He explained that email headers, including the “From” header, must contain only ASCII characters.

“The trick resides in using RFC-1342 (from 1992!), a recommendation that provides a way to encode non-ASCII chars inside email headers in such a way that it won’t confuse the MTAs processing the email.” continues the expert.

“Unfortunately, most email clients and web interfaces don’t properly sanitize the string after decoding which leads to this email spoofing attack.”

Haddouche created a payload by encoding non-ASCII characters inside the email headers; with this trick he was able to send a spoofed email from an official address belonging to the President of the United States.

“Using a combination of control characters such as new lines or null-byte, it can result in hiding or removing the domain part of the original email,” explained Haddouche.

The expert also published a video PoC of the attack.

Haddouche also discovered that some of the email clients, including Hushmail, Open Mailbox, Spark, and Airmail, are affected by cross-site scripting (XSS) vulnerabilities.

The researcher reported the MailSploit flaw to the vendors of 33 different client applications; in 8 cases the development teams had already patched the issues before the public disclosure, and 12 are currently working on patches.
It is important to highlight that Mozilla and Opera will not release any fix because they classified MailSploit as a server-side issue.

“All vendors were contacted at least 3 months prior to the publication, some of them even 4 or 5 months before the publication.” concluded the expert.

“The spoofing bug was found and confirmed in 33 different products. As of Dec 5th 2017, it was fixed in 8 products (~ 24%) and triaged for 12 additional products (~ 36%). Two vendors (Mozilla and Opera) said they won’t fix the bug (they consider it to be a server-side problem) and another one (Mailbird) closed the ticket without responding.

As for the remaining 12 products (~ 36%), the vendors have received the bug report but have not commented on whether they will address it.”


TeamViewer fixes a flaw that allows users sharing a desktop session to gain control of the other’s PC
6.12.2017 securityaffairs Vulnerability

TeamViewer released a patch to fix a vulnerability that allows users sharing a desktop session to gain control of the other’s computer without permission.
Remote support software company TeamViewer released a patch to address a vulnerability that allows users sharing a desktop session to gain control of the other’s computer without permission.

TeamViewer confirmed the existence of the vulnerability after its public disclosure and promptly issued a patch for Windows users on Tuesday.

The flaw was first reported by the Reddit user “xpl0yt” early this week; he also linked to a proof-of-concept injectable C++ DLL that uses naked inline hooking and direct memory modification to change TeamViewer permissions.

This allows a user to “enable the ‘switch sides’ feature which is normally only active after the user has already authenticated control with the client, and initiated a change of control/sides.”

The PoC was published on GitHub by a user named “gellin.” The flaw could be exploited to gain control of the presenter’s session or the viewer’s session without permission.

“As the Server – Enables extra menu item options on the right side pop-up menu. Most useful so far to enable the “switch sides” feature which is normally only active after you have already authenticated control with the client, and initiated a change of control/sides.” reads the description provided by Gellin on GitHub.

“As the Client – Allows for control of mouse with disregard to servers current control settings and permissions.”


The attacker would have to inject the PoC code into their own process with a tool such as a DLL injector.

“Once the code is injected into the process it’s programmed to modify the memory values within your own process that enables GUI elements that give you the options to switch control of the session,” Gellin told Threat Post. “Once you’ve made the request to switch controls there are no additional checks on the server-side before it grants you access.”

Gellin explained that this kind of attack is easy to detect and stop by ending the session; however, he highlighted that before the patch was deployed, an attacker could exploit the flaw to disable a host’s visual input and force the targeted computer’s screen to go black, hiding any malicious operation from the target.
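The root cause Gellin describes is that the client decides which privileged actions are available (by flipping values in its own process memory) and the server then grants the "switch sides" request without a check of its own. The following Python is an added example, not TeamViewer's code or protocol: it models a support session in which the server keeps its own record of the presenter's consent and decides every switch request from that record, never from what the client claims its menus showed. The class, role names and the simplified rule that only the viewer may switch sides, and only after control was granted, are assumptions for this illustration.

```python
"""Server-side consent check for a remote-support 'switch sides' request.

Added example: a constructed model of the check the report implies was
missing, not TeamViewer's code or protocol. Names are illustrative and the
rule set is deliberately minimal.
"""
from dataclasses import dataclass, field


@dataclass
class SupportSession:
    presenter: str                    # the side whose screen is shared
    viewer: str                       # the side watching that screen
    control_granted: bool = False     # written only by grant/revoke below
    audit: list = field(default_factory=list)

    def grant_control(self, actor: str) -> bool:
        """Only the presenter may hand mouse/keyboard control to the viewer."""
        ok = actor == self.presenter
        self.audit.append(("grant-control", actor, ok))
        if ok:
            self.control_granted = True
        return ok

    def revoke_control(self, actor: str) -> bool:
        """Only the presenter may take control back."""
        ok = actor == self.presenter
        self.audit.append(("revoke-control", actor, ok))
        if ok:
            self.control_granted = False
        return ok

    def request_switch_sides(self, requester: str) -> bool:
        """Decide a 'switch sides' message from the server's own state.

        A client can emit this message whenever it likes: enabling a
        greyed-out menu item only takes a write to its own process memory.
        So the menu state is not evidence of consent; the grant recorded
        here is. Simplification: only the viewer may switch, and only
        after control was granted.
        """
        ok = requester == self.viewer and self.control_granted
        self.audit.append(("switch-sides", requester, ok))
        if ok:
            self.presenter, self.viewer = self.viewer, self.presenter
            self.control_granted = False   # the new presenter must consent anew
        return ok

    def denied_requests(self, requester: str) -> int:
        """Count refused privileged requests from one side.

        A client that keeps asking for control it was never granted is
        behaving like a tampered one; the same audit trail that drives the
        decision is enough to alert on it.
        """
        return sum(1 for _event, who, ok in self.audit
                   if who == requester and not ok)


if __name__ == "__main__":
    s = SupportSession(presenter="host", viewer="supporter")
    print("switch before grant:", s.request_switch_sides("supporter"))   # False
    print("viewer self-grant:  ", s.grant_control("supporter"))          # False
    print("presenter grants:   ", s.grant_control("host"))               # True
    print("switch after grant: ", s.request_switch_sides("supporter"))   # True
    print("denied by supporter:", s.denied_requests("supporter"))        # 2
```

The point of the model is where the decision lives: `request_switch_sides` never inspects anything the requesting client sent beyond its identity, so a client that has patched its own menus out of a greyed-out state gains nothing.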

The flaw affects the Windows, macOS and Linux versions of the popular software. According to Axel Schmidt, senior PR manager for TeamViewer, the company will release a patch for the macOS and Linux versions by Wednesday.

Users who have configured TeamViewer to accept automatic updates will get the patch automatically; however, it could take three to seven days before the update is installed. Users who do not have automatic updates enabled will receive a notification about the availability of the update.

This kind of flaw could be rapidly exploited by threat actors in the wild, especially by attackers carrying out malicious tech support scams.


31 million client records belonging to the virtual keyboard app AI.type leaked online
6.12.2017 securityaffairs  Hacking

Another day, another clamorous data breach; this time let’s discuss a data breach that exposed personal data collected by the keyboard app AI.type.
This story reminds us that every time we download an app we enlarge our attack surface; in the majority of cases we are not aware of the exact amount of data apps collect or how they use it.

A group of researchers at the Kromtech Security Center has discovered online a huge trove of personal data belonging to more than 31 million users of the popular virtual keyboard app, AI.type.

The data was stored in a MongoDB database that had been accidentally exposed online without any protection mechanism.

“The Kromtech Security Center has discovered a massive amount of customer files leaked online and publicly available. Researchers were able to access the data and details of 31,293,959 users.” states the post published by Kromtech Security.

“The misconfigured MongoDB database appears to belong to Ai.Type a Tel Aviv-based startup that designs and develops a personalized keyboard for mobile phones and tablets for both Android and iOS devices.”

Ai.Type was founded in 2010; its customizable and personalizable on-screen keyboard for Android has been downloaded about 40 million times from the Google Play store.
The misconfigured MongoDB database exposed 577 GB of data online. The records include sensitive details on the users, and the worst thing is that such data was not even necessary for the app to work. Researchers highlighted the fact that Ai.Type requests “Full Access” to all data stored on the mobile device.

“When researchers installed Ai.Type they were shocked to discover that users must allow “Full Access” to all of their data stored on the testing iPhone, including all keyboard data past and present. It raises the question of why would a keyboard and emoji application need to gather the entire data of the user’s phone or tablet?” continues the post.

“Based on the leaked database they appear to collect everything from contacts to keystrokes. This is a shocking amount of information on their users who assume they are getting a simple keyboard application.”


The leaked data includes:

Full name, phone number, and email address
Device name, screen resolution and model details
Android version, IMSI number, and IMEI number
Mobile network name, country of residence and even user enabled languages
IP address (if available), along with GPS location (longitude/latitude).
Links and the information associated with the social media profiles, including birth date, emails, photos.
The researchers made another shocking discovery: 6,435,813 records contained data collected by the app from users’ contact books. The leaked database also included more than 373 million records scraped from registered users’ phones, including all the contacts saved or synced to the linked Google account.

The archive also includes a range of statistics.

“There was a range of other statistics like the most popular users’ Google queries for different regions. Data like average messages per day, words per message, the age of users, words_per_day’: 0.0, ‘word_per_session and a detailed look at their customers,” the researchers say.

The real question is: why would a keyboard and emoji application need to gather the entire data of the user’s phone or tablet?


Android Security Bulletin—December 2017
5.12.2017 Google Android 

2017-12-01 security patch level—Vulnerability details
In the sections below, we provide details for each of the security vulnerabilities that apply to the 2017-12-01 patch level. Vulnerabilities are grouped under the component that they affect. There is a description of the issue and a table with the CVE, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

Framework
The most severe vulnerability in this section could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions.

CVE References Type Severity Updated AOSP versions
CVE-2017-0807 A-35056974 EoP High 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0870 A-62134807 EoP High 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-0871 A-65281159 EoP High 8.0
Media framework
The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

CVE References Type Severity Updated AOSP versions
CVE-2017-0872 A-65290323 RCE Critical 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-0876 A-64964675 RCE Critical 6.0
CVE-2017-0877 A-66372937 RCE Critical 6.0
CVE-2017-0878 A-65186291 RCE Critical 8.0
CVE-2017-13151 A-63874456 RCE Critical 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-13153 A-65280854 EoP High 8.0
CVE-2017-0837 A-64340921 EoP High 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-0873 A-63316255 DoS High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-0874 A-63315932 DoS High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-0880 A-65646012 DoS High 7.0, 7.1.1, 7.1.2
CVE-2017-13148 A-65717533 DoS High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
System
The most severe vulnerability in this section could enable a proximate attacker to execute arbitrary code within the context of a privileged process.

CVE References Type Severity Updated AOSP versions
CVE-2017-13160 A-37160362 RCE Critical 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-13156 A-64211847 EoP High 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-13157 A-32990341 ID High 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-13158 A-32879915 ID High 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-13159 A-32879772 ID High 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
2017-12-05 security patch level—Vulnerability details
In the sections below, we provide details for each of the security vulnerabilities that apply to the 2017-12-05 patch level. Vulnerabilities are grouped under the component that they affect and include details such as the CVE, associated references, type of vulnerability, severity, component (where applicable), and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

Kernel components
The most severe vulnerability in this section could enable a local malicious application to execute arbitrary code within the context of a privileged process.

CVE References Type Severity Component
CVE-2017-13162 A-64216036* EoP High Binder
CVE-2017-0564 A-34276203* EoP High ION
CVE-2017-7533 A-63689921, Upstream kernel EoP High File handling
CVE-2017-13174 A-63100473* EoP High EDL
MediaTek components
The most severe vulnerability in this section could enable a local malicious application to execute arbitrary code within the context of a privileged process.

CVE References Type Severity Component
CVE-2017-13170 A-36102397*, M-ALPS03359280 EoP High Display driver
CVE-2017-13171 A-64316572*, M-ALPS03479086 EoP High Performance service
CVE-2017-13173 A-28067350*, M-ALPS02672361 EoP High System server
NVIDIA components
The most severe vulnerability in this section could enable a local malicious application to execute arbitrary code within the context of a privileged process.

CVE References Type Severity Component
CVE-2017-6262 A-38045794*, N-CVE-2017-6262 EoP High NVIDIA driver
CVE-2017-6263 A-38046353*, N-CVE-2017-6263 EoP High NVIDIA driver
CVE-2017-6276 A-63802421*, N-CVE-2017-6276 EoP High Mediaserver
Qualcomm components
The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

CVE References Type Severity Component
CVE-2017-11043 A-64728953, QC-CR#2067820 RCE Critical WLAN
CVE-2016-3706 A-34499281, QC-CR#1058691 [2] RCE Critical UDP RPC
CVE-2016-4429 A-68946906, QC-CR#1058691 [2] RCE Critical UDP RPC
CVE-2017-11007 A-66913719, QC-CR#2068824 EoP High Fastboot
CVE-2017-14904 A-63662821*, QC-CR#2109325 EoP High Gralloc
CVE-2017-9716 A-63868627, QC-CR#2006695 EoP High Qbt1000 driver
CVE-2017-14897 A-65468973, QC-CR#2054091 EoP High RPMB driver
CVE-2017-14902 A-65468970, QC-CR#2061287 EoP High MProc
CVE-2017-14895 A-65468977, QC-CR#2009308 EoP High WLAN
Qualcomm closed-source components
These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm AMSS security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

CVE References Type Severity Component
CVE-2017-6211 A-36217326* N/A Critical Closed-source component
CVE-2017-14908 A-62212840* N/A High Closed-source component
CVE-2017-14909 A-62212839* N/A High Closed-source component
CVE-2017-14914 A-62212297* N/A High Closed-source component
CVE-2017-14916 A-62212841* N/A High Closed-source component
CVE-2017-14917 A-62212740* N/A High Closed-source component
CVE-2017-14918 A-65946406* N/A High Closed-source component
CVE-2017-11005 A-66913715* N/A High Closed-source component
CVE-2017-11006 A-66913717* N/A High Closed-source component


Anti-Phishing Firm IRONSCALES Raises $6.5 Million
5.12.2017 securityweek IT
IRONSCALES, an Israel-based startup that specializes in automated phishing prevention, detection and response, announced on Tuesday that it has raised $6.5 million in a Series A funding round.

This brings the total raised by IRONSCALES since 2015 to more than $8 million. The company says this has been its third consecutive year of triple-digit revenue growth.

The investment round was led by K1 Investment Management, with participation from existing investor RDC. The company says the newly raised funds will be used to accelerate its channel partner program, expand its global sales team, and expedite research and development for its threat detection, intelligence sharing, and incident response technologies.

“IRONSCALES’ unique approach to phishing detection and remediation particularly resonated with the K1 team, and we are looking forward to leveraging our previous experience in partnering with growing security companies as the company strengthens its position within a rapidly evolving market,” commented Hasan Askari, managing partner at K1.

IRONSCALES also announced on Tuesday that its North American headquarters will be launched in the first quarter of 2018. The company’s VP of sales will be based in Atlanta, Georgia, while R&D will remain in Israel.

IRONSCALES products provide protection for every stage of an email-based phishing attack. IronSchool provides simulations and training for an organization’s employees, while IronSights is designed to detect phishing attacks in users’ inboxes. IronTraps is a solution for automated incident response, and Federation provides real-time intelligence sharing.


Android's December 2017 Patches Resolve Critical Flaws
5.12.2017 securityweek Android
The December 2017 Android security patches that Google released this week resolve 47 vulnerabilities, including 10 rated Critical severity.

The patches affect a variety of platform components and were split into two packages, or security patch levels, as Google calls them. The first addresses 19 vulnerabilities while the second resolves 28 issues.

The 2017-12-01 security patch level resolves 6 Critical severity vulnerabilities and 13 High risk flaws, Google notes in a security bulletin.

The issues affect the framework (3 High risk elevation of privilege bugs), Media framework (5 Critical remote code execution, 2 High elevation of privilege, and 4 High denial-of-service bugs), and System components (1 Critical remote code execution, 1 High elevation of privilege, and 3 High information disclosure issues).

The 2017-12-05 security patch level addresses 4 Critical risk vulnerabilities and 24 High severity issues.

The vulnerabilities were found in Kernel components (4 High elevation of privilege bugs), MediaTek components (3 High elevation of privilege flaws), NVIDIA components (3 High elevation of privilege issues), Qualcomm components (3 Critical remote code execution and 6 High elevation of privilege flaws), and Qualcomm closed-source components (1 Critical and 8 High flaws of undisclosed type).

Devices updated with the 2017-12-01 or later patch level are safe from all issues associated with the 2017-12-01 security patch level. The security patch levels of 2017-12-05 or later, on the other hand, resolve the issues associated with all previous patch levels as well.

Along with the Android security bulletin for December 2017, Google announced a separate set of security updates for Nexus and Pixel devices, meant to address vulnerabilities and bring functional improvements to supported Google devices.

As part of this month’s set of patches, Google resolved a total of 48 issues in Media framework, Broadcom, Kernel, MediaTek, NVIDIA, and Qualcomm components, as well as in Qualcomm closed-source components.

Most of the resolved vulnerabilities were elevation of privilege bugs, but Google also addressed DoS and information disclosure bugs. The vast majority of the issues were Moderate severity, except for a Critical bug in Qualcomm closed-source components and a High severity issue in Kernel components.

All supported Nexus and Pixel devices will receive these patches as part of the 2017-12-05 security patch level.


MailSploit — Email Spoofing Flaw Affects Over 30 Popular Email Clients
5.12.2017 thehackernews Hacking

If you receive an email that looks like it's from one of your friends, just beware! It's possible that the email has been sent by someone else in an attempt to compromise your system.
A security researcher has discovered a collection of vulnerabilities in more than 30 popular email client applications that could allow anyone to send spoofed emails bypassing anti-spoofing mechanisms.
Discovered by security researcher Sabri Haddouche, the set of vulnerabilities, dubbed MailSploit, affects Apple Mail (macOS, iOS, and watchOS), Mozilla Thunderbird, several Microsoft email clients, Yahoo Mail, ProtonMail, and others.
Although most of the affected email clients have implemented anti-spoofing mechanisms such as DKIM and DMARC, MailSploit takes advantage of the way email clients and web interfaces parse the "From" header.
Email spoofing is an old-school technique, but it works well, allowing someone to modify email headers and send an email with the forged sender address to trick recipients into believing they are receiving that email from a specific person.

On a dedicated website that went up today, Haddouche explained how the lack of input sanitization in vulnerable email clients can lead to an email spoofing attack without exploiting any flaw in DMARC.
To demonstrate the attack, Haddouche created a payload by encoding non-ASCII characters inside the email headers, successfully sending a spoofed email from an official address belonging to the President of the United States.
"Using a combination of control characters such as new lines or null-byte, it can result in hiding or removing the domain part of the original email," Haddouche says in his blog post.
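The mechanism described here, and in the securityaffairs report on MailSploit earlier on this page, is that a client decodes an encoded word (RFC 1342, today RFC 2047) in the From header and renders the result without stripping control characters, so a NUL or newline can hide the real address from the user while the MTA, which only ever saw ASCII, passes DMARC alignment on the true addr-spec. The following Python is an added example and not the researcher's PoC or any client's code: using only the standard library it splits a raw From header into display name and addr-spec, decodes the display name, and flags the two signs of this bug class, control characters in the decoded name and a decoded name that itself looks like an address different from the addr-spec. Run over incoming mail at a gateway or in a client, it gives a reason to quarantine or to render only the sanitised name. The sample headers are constructed for this example and use example.com / example.net addresses.

```python
"""Flag MailSploit-style From headers before a client renders them.

Added example (not the researcher's PoC or any mail client's code).
The sample headers below are constructed; addresses use example domains.
"""
import email.header
import email.utils
import re

# NUL, CR, LF, the other C0 controls and DEL: none of these belong in a
# decoded display name. Their presence after decoding is the signature of
# the bug class, whatever a particular client then does with them.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def decode_encoded_words(value: str) -> str:
    """Decode every RFC 2047 encoded word in a header value to one str.

    email.header.decode_header yields (bytes, charset) chunks once any
    encoded word is present and a single (str, None) chunk otherwise.
    """
    pieces = []
    for chunk, charset in email.header.decode_header(value):
        if isinstance(chunk, bytes):
            try:
                pieces.append(chunk.decode(charset or "ascii", errors="replace"))
            except LookupError:   # unknown charset label: degrade, never crash
                pieces.append(chunk.decode("latin-1"))
        else:
            pieces.append(chunk)
    return "".join(pieces)


def analyse_from_header(raw_from: str) -> dict:
    """Split a raw From header into display name and address and judge it.

    The addr-spec inside <...> is what SPF/DKIM/DMARC alignment is checked
    against; only the display name is decoded, so that is the only place
    this deception can live.
    """
    name, address = email.utils.parseaddr(raw_from)
    decoded_name = decode_encoded_words(name) if name else ""
    safe_name = CONTROL_CHARS.sub("", decoded_name)

    findings = []
    if CONTROL_CHARS.search(decoded_name):
        findings.append("control characters in decoded display name")
    if "@" in safe_name and safe_name.strip() != address:
        findings.append("display name looks like a different address")

    return {
        "display_name": safe_name,   # what a client should render, at most
        "address": address,
        "suspicious": bool(findings),
        "findings": findings,
    }


# Constructed samples for this example.
SAMPLE_HEADERS = {
    # Legitimate use of an encoded word: a non-ASCII display name.
    "clean": "=?utf-8?Q?Andr=C3=A9_Example?= <andre@example.com>",
    # The same encoding carrying a NUL and a newline into the name: a client
    # that stops rendering at the NUL never shows the real address in <...>.
    "control_chars": "=?utf-8?Q?ceo=40example.com=00=0A?= <sender@example.net>",
}


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(label, analyse_from_header(header))
```

The second check is deliberately independent of the first: a display name that spells out a different address is misleading even when no control character is involved, and rejecting on that alone would have caught the plain lookalike case as well as the encoded one.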

"We've seen a lot of malware spreading via emails, relying on social engineering techniques to convince users to open unsafe attachments, or click on phishing links. The rise of ransomware distributed over email clearly demonstrates the effectivity of those mechanisms."
Besides spoofing, the researcher found that some of the email clients, including Hushmail, Open Mailbox, Spark, and Airmail, are also vulnerable to cross-site scripting (XSS) vulnerabilities that stem from the same email spoofing issue.
Haddouche reported this spoofing bug to 33 different client applications, 8 of which have already patched this issue in their products before the public disclosure and 12 are on their way to fix it.

The full list of email and web clients (both patched and unpatched) that are vulnerable to the MailSploit attack is available online.
However, Mozilla and Opera consider this bug to be a server-side issue and will not be releasing any patch. Mailbird closed the ticket without responding to the issue, while the remaining 12 vendors have not yet commented on the researcher's report.


Young Hacker, Who Took Over Jail Network to Get Friend Released Early, Faces Prison
5.12.2017 thehackernews  Hacking
Well, "a friend in need is a friend indeed" goes a long way, but in this case, this phrase hardly makes any sense.
A 27-year-old Michigan man who hacked into the government computer system of Washtenaw County Jail to alter inmate records and gain early release for his friend is now himself facing federal charges after getting caught.
Konrads Voits from Ann Arbor, Michigan, pleaded guilty in federal court last week for hacking into the Washtenaw County government computer system earlier this year using malware, phishing, and social engineering tricks in an attempt to get his friend released early from jail.
Prosecutors say Voits also used phone calls to prison staff claiming to be a manager at the County Jail's IT department and tricking them into downloading and running malware on their computers by visiting a phony website at "ewashtenavv.org," which mimics the Washtenaw official URL, "ewashtenaw.org."
Voits then obtained the remote login information of one of the jail's employees and used it to install malware on the County's network and gain access to the County's sensitive XJail system in March this year.
Gaining access to this system eventually allowed Voits to steal jail records of several inmates, search warrant affidavits and personal details, including passwords, usernames, and email addresses, of over 1,600 employees, along with altering electronic records of at least one inmate for early release.
However, things did not work as Voits wanted them to, and instead, they all backfired on him when jail employees detected changes in their records and alerted the FBI.
No prisoners were released early.
This incident took place between January 24th, 2017 and March 10th, 2017 and cost Washtenaw County more than $235,000 to fix the whole mess before authorities busted Voits.
"Cyber intrusions affect individuals, businesses and governments. Computer hackers should realize that unlawfully entering another's computer will result in a felony conviction and a prison sentence," said the United States Attorney Daniel Lemisch.
"We applaud the dedication of so many hard-working law enforcement officers to take away this man's [Voits] ability to intrude into the computer systems of others."
Voits was arrested by the authorities a month later and pleaded guilty last week. He is now facing a fine of up to $250,000 and a maximum sentence of ten years in prison, though he is unlikely to receive the maximum sentence.
Voits has agreed to surrender his belongings used during the attack, including his laptop, four cellphones and an undisclosed amount of Bitcoin.
Voits is currently in federal custody and is set to face a sentencing hearing on 5 April 2018.


PayPal Subsidiary Data Breach Hits Up to 1.6 Million Customers
5.12.2017 thehackernews Incident
Global e-commerce business PayPal has disclosed a data breach that may have compromised personally identifiable information for roughly 1.6 million customers at a payment processing company PayPal acquired earlier this year.
PayPal Holdings Inc. said Friday that a review of its recently acquired company TIO Networks showed evidence of unauthorized access to the company's network, including some confidential parts where the personal information of TIO's customers and of customers of TIO billers was stored.
Acquired by PayPal for US$233 million in July 2017, TIO Networks is a cloud-based multi-channel bill payment processor and receivables management provider that serves the largest telecom, wireless, cable and utility bill issuers in North America.
PayPal did not clarify when or how the data breach took place, nor did it reveal details about the types of information stolen by the hackers, but the company did confirm that its own platform and systems were not affected by the incident.
"The PayPal platform is not impacted in any way, as the TIO systems are completely separate from the PayPal network, and PayPal's customers' data remains secure," the company said. The data breach at TIO Networks was discovered as part of an ongoing investigation aimed at identifying security vulnerabilities in the payment processing platform.
As soon as PayPal identified an unauthorized access to the TIO's network, PayPal took action by "initiating an internal investigation of TIO and bringing in additional third-party cybersecurity expertise to review TIO's bill payment platform," PayPal press release [PDF] reads.
The company has begun working with companies it services to notify potentially affected customers.
Besides notifying, the company is also working with a consumer credit reporting agency, Experian, to provide free credit monitoring memberships for fraud and identity theft to those who are affected by the breach.
To protect its customers, TIO has also suspended its services until a full-scale investigation into the incident is completed.
"At this point, TIO cannot provide a timeline for restoring bill pay services, and continues to recommend that you contact your biller to identify alternative ways to pay your bills," TIO's Consumer FAQ reads.
"We sincerely apologize for any inconvenience caused to you by the disruption of TIO's service."
Since the investigation is ongoing, PayPal will communicate with TIO customers and merchant partners directly as soon as the company has more details on the incident. Also, the affected customers will be directly contacted by the company.


Is Your DJI Drone a Chinese Spy? Leaked DHS Memo Suggests
5.12.2017 thehackernews  BigBrothers

The United States Department of Homeland Security (DHS) has recently accused Da-Jiang Innovations (DJI), one of the largest drone manufacturers, of sending sensitive information about U.S. infrastructure to China through its commercial drones and software.
A copy of a memo from the Los Angeles office of the Immigration and Customs Enforcement bureau (ICE) recently began circulating online, alleging "with moderate confidence" that DJI drones may be sending US critical infrastructure and law enforcement data back to China.
However, the bureau assessed "with high confidence" that this critical data collected by the DJI systems could then be used by the Chinese government to conduct physical or cyber attacks against U.S. critical infrastructure and its population.
The memo goes on to specify the targets the Chinese Government has been attempting to spy on, which includes rail systems, water systems, hazardous material storage facilities, and construction of highways, bridges, and rails.
The memo, marked as "unclassified/law enforcement sensitive," was dated back to August this year, but was recently published by the Public Intelligence project.
In its memo, ICE cited what it called a reliable source in the drone industry "with first and secondhand access," but did not identify it, specifying that the concern is over DJI drones used by companies and institutions, not the ones flown by hobbyists in the U.S. and elsewhere.
According to ICE, the DJI drones operate on two Android smartphone apps—DJI GO and Sky Pixels—that automatically tag GPS imagery and locations, access users' phone data, and register facial recognition data even when the system is off.
Besides this, ICE says the apps also capture users' identification and personal information, such as their full names, email addresses, phone numbers, computer credentials, images, and videos.
"Much of the information collected includes proprietary and sensitive critical infrastructure data, such as detailed imagery of power control panels, security measures for critical infrastructure sites, or materials used in bridge construction," the ICE memo reads.
Citing an unnamed source, ICE alleged that DJI then automatically uploads this collected information to its cloud storage systems located in China, Taiwan, and Hong Kong, which the Chinese government most likely has access to.
Drone Maker Denies Sending Data to Chinese Government
Of course, the drone-maker has denied the allegations, saying that the memo from the US government office was based on "clearly false and misleading claims."
"The allegations in the bulletin are so profoundly wrong as a factual matter that ICE should consider withdrawing it, or at least correcting its unsupportable assertions," DJI said in a statement, cited by The New York Times.
According to a DJI spokesman, users have complete control over how much data they can share with the Chinese drone maker, and the automatic function offered by the DJI apps to store user flight logs can also be turned off.
Moreover, DJI has recently added a new feature that allows pilots to cut off all outside internet connections while the drone is flying.
According to drone research firm Skylogic Research, DJI dominates the overall drone market with an almost two-thirds share in the United States and Canada. Not just hobbyists, but DJI drones are also used by commercial customers like contractors, police and realtors.
The accusation that DJI is facing is similar to the one faced by Kaspersky Labs for spying on its users and sending the stolen data back to the Russian government.
The DHS has also banned Kaspersky antivirus products in US government agencies over Russian spying fears without actually having any substantial evidence. The company has always denied any direct involvement with the Russian spies in the alleged incident.


Feds Shut Down 'Longest-Running' Andromeda Botnet
5.12.2017 thehackernews  BotNet

In a coordinated international cyber operation, Europol, with the help of international law enforcement agencies, has taken down what it called "one of the longest-running malware families in existence," known as Andromeda.
Andromeda, also known as Win32/Gamarue, is an infamous HTTP-based modular botnet that has been around for several years and has been infecting computers ever since.
The primary goal of Andromeda bot is to distribute other malware families for mass global malware attacks.
The botnet has been associated with at least 80 malware families, and in the last six months, it was detected (or blocked) on an average of more than 1 million machines per month.
Last year, law enforcement agencies took down the criminal infrastructure of the infamous Avalanche botnet in a similar massive international cyber operation. Avalanche botnet was used as a delivery platform to spread other malware families, including Andromeda.
While investigating the Avalanche botnet, information obtained by the German authorities was shared with the Federal Bureau of Investigation (FBI) via Europol, which eventually helped the international agencies tear down Andromeda just last week.

In a joint operation, the international partners took down servers and more than 1,500 web domains which were being used to distribute and control Andromeda malware.
"This is another example of international law enforcement working together with industry partners to tackle the most significant cybercriminals and the dedicated infrastructure they use to distribute malware on a global scale," Steven Wilson, the Head of Europol's European Cybercrime Centre (EC3), said.
"The clear message is that public-private partnerships can impact these criminals and make the internet safer for all of us."
By sinkholing the now-seized domains, a tactic researchers use to redirect traffic from infected machines to a system they control, authorities identified over 2 million unique IP addresses from at least 223 countries associated with Andromeda victims in just 48 hours.
Further investigation also helped law enforcement authorities arrest a suspect in Belarus, who was allegedly involved in the Andromeda cybercrime gang.
Just last week, as part of its fight against the online trade of counterfeit goods, Europol seized more than 20,000 web domains used on e-commerce platforms and social networks for illegally selling counterfeit products, including luxury goods, sportswear, electronics and pharmaceuticals, and for online piracy.


German Government prepares Law for backdoors and hacking back
5.12.2017 securityaffairs  BigBrothers

The German Government is preparing a law that will force hardware vendors to include a backdoor in their products and to allow its unit to hack back.
The German Government is preparing a law that will force hardware vendors to include a backdoor in their products. The law aims to allow law enforcement agencies to use backdoors to gather information during their investigations.

The law would target devices in any industry, including telecommunications, automotive and IoT products.

According to local news outlet RedaktionsNetzwerk Deutschland (RND), German Officials are expected to submit their proposal for debate this week.

“The acting Federal Minister of the Interior Thomas de Maizière (CDU) wants to oblige the industry, German security authorities to open digital gateway for the spying on private cars, computers and smart TVs.” states the news outlet.

“The application is overwritten with “Need for action on the legal obligation of third parties for measures of covert information gathering according to §§ 100c and 100f StPO”. De Maizière wants to drastically expand the so-called eavesdropping attack by “using technical means against individuals”. Above all, large corporations and producers of digital security systems should be required to provide information and notification.”

The proposal is strongly supported by the Federal Minister of the Interior Thomas de Maizière who cites the difficulty investigations have had in the past especially when fighting against terrorist organizations.


The Interior Minister explained that modern technology is able to alert suspects to any activity conducted by law enforcement agencies.

The Minister cited the cases of smart cars that alert an owner as soon as the car is shaken or any other anomalous activity is conducted by police officers.

A backdoor would allow investigators to operate without any warning being sent to the suspect.

De Maizière stressed that companies have a “legal obligation” to introduce backdoors for the use of law enforcement agencies.

The Minister aims to oblige hardware manufacturers to disclose their “programming protocols” for analysis by government experts and, consequently, to force companies to disclose details about their encrypted communication practices.

“Accordingly, eavesdropping would in future be possible wherever devices are connected to the Internet. The industry should give the state exclusive access rights, such as private tablets and computers, smart TVs or digitized kitchen appliances. A precondition for all measures of the extended wiretapping attack, however, would remain a judicial decision.” continues the news outlet.

One of the most disturbing aspects of the new law is that it would give German officials the power to hack back any remote computer suspected of being involved in attacks against the country’s infrastructure.

Something similar was discussed in comments by the French Defense Minister Le Drian in January 2017 and by US authorities; in both cases, the government officials were referring to the cyber attacks conducted by Russian intelligence.

The Minister says this power is important to “shut down private computers in the event of a crisis,” as is the case with botnet takedowns.

“De Maizière also wants an authorization for the security authorities to shut down private computers in the event of a crisis. An “Botnet takedown specialist concept” will allow security authorities to use private data to alert end users in good time if hackers want to misuse their computers for criminal purposes. In the event that online providers refuse to cooperate, far-reaching penalties are provided for.” continues the RedaktionsNetzwerk Deutschland.

Privacy advocates believe the German law could open the door to mass surveillance programs, giving government officials full power to snoop on everyone’s online communications.

The German authorities rejected such accusations and highlighted that any access to data gathered under these surveillance programs would be allowed only after law enforcement has obtained a court order.

The reality is that the presence of a backdoor dramatically reduces the overall security of any system: the backdoor could be discovered and used by malicious actors such as a foreign government or a criminal syndicate, with unpredictable consequences.


Global operation allowed law enforcement agencies to take down the Andromeda Botnet
5.12.2017 securityaffairs  BotNet

A joint international operation conducted by the FBI, law enforcement agencies in Europe and private partners managed to dismantle the Andromeda botnet.
A joint international operation conducted by the FBI and law enforcement agencies in Europe managed to dismantle the dreaded Andromeda botnet (aka Gamarue and Wauchos) last week.

The Andromeda botnet has been around since 2011; over the years it was used to distribute several malware families, including the Dridex banking Trojan and the GamaPoS point-of-sale (PoS) malware.

Law enforcement authorities worldwide dismantled several long-running botnets powered by the malware family dubbed Gamarue, mostly detected by the security firm ESET as Win32/TrojanDownloader.Wauchos.

ESET worked with Microsoft to disrupt the botnets; the experts tracked the malicious infrastructure and identified the C&C servers and the threats delivered by each of them.

“Microsoft then contacted law enforcement with information that included: 464 distinct botnets, 80 associated malware families, and 1,214 domains and IP addresses of the botnet’s C&C servers.” states the analysis published by ESET.


The joint operation was performed on November 29 and involved experts from the FBI, the Luneburg Central Criminal Investigation Inspectorate in Germany, Europol’s European Cybercrime Centre (EC3), the Joint Cybercrime Action Task Force (J-CAT), Eurojust, and private-sector partners.

The takeover of the Andromeda botnet was also made possible by last year’s shutdown of a large criminal network known as Avalanche, an infrastructure used to power mass global malware attacks and money mule recruiting.

“One year ago, on 30 November 2016, after more than four years of investigation, the Public Prosecutor’s Office Verden and the Luneburg Police in Germany, the United States Attorney’s Office for the Western District of Pennsylvania, the Department of Justice, the FBI, Europol, Eurojust and global partners, had dismantled the international criminal infrastructure Avalanche. This was used as a delivery platform to launch and manage mass global malware attacks such as Andromeda, and money mule recruitment campaigns.” states the report published by the Europol.

“Insights gained during the Avalanche case by the investigating German law enforcement entities were shared, via Europol, with the FBI and supported this year’s investigations to dismantle the Andromeda malware last week.”

According to Europol, the experts were able to identify 1500 domains used by the Avalanche platform and used the sinkholing technique to analyze its traffic and track the infected systems. Microsoft revealed that during 48 hours of sinkholing, the experts observed approximately 2 million unique Andromeda victim IP addresses from 223 countries.

The operation also included the search and arrest of a suspect in Belarus.

The investigators then extended the sinkholing of the Avalanche infrastructure for another year, as globally 55% of the computers originally infected in Avalanche continue to be infected.

The activity against Andromeda and Avalanche involved the following countries: Austria, Belgium, Finland, France, Italy, the Netherlands, Poland, Spain, the United Kingdom, Australia, Belarus, Canada, Montenegro, Singapore, and Taiwan.

“This is another example of international law enforcement working together with industry partners to tackle the most significant cyber criminals and the dedicated infrastructure they use to distribute malware on a global scale. The clear message is that public-private partnerships can impact these criminals and make the internet safer for all of us,” Steven Wilson, the Head of Europol’s European Cybercrime Centre, said.

Technical details about the global operations are included in a report published by ESET.


DJI drones may be sending data about U.S. critical infrastructure and law enforcement to China
5.12.2017 securityaffairs  BigBrothers

The US DHS has accused the Chinese Da-Jiang Innovations (DJI) of cyber espionage on U.S. critical infrastructure and law enforcement.
The US Department of Homeland Security (DHS) has recently accused the Chinese Da-Jiang Innovations (DJI), one of the largest drone manufacturers, of sending sensitive information about U.S. critical infrastructure and law enforcement to China.

A copy of a memo from the Los Angeles office of the Immigration and Customs Enforcement bureau (ICE) was published recently by the Public Intelligence project. The copy was marked “unclassified / law enforcement sensitive”; it alleges “with moderate confidence” that DJI drones were used by the Chinese Government as spying tools.

The authors of the memo provide several examples of law enforcement and critical infrastructure organizations using the DJI drones.

The situation is worrisome because data gathered by the DJI could be used by the Chinese government to conduct physical or cyber attacks against the US critical infrastructure (i.e. rail systems, water systems, hazardous material storage facilities, and construction of highways, bridges, and rails).


The concern is related only to DJI drones used by companies and government organizations, not the unmanned vehicles used by hobbyists.

“It is based on information derived from open source reporting and a reliable source within the unmanned aerial systems (UAS) industry with first and secondhand access. The date of information is 9 August 2017.” reads the intelligence bulletin.
“(U//LES) SIP Los Angeles assesses with moderate confidence that Chinese-based company DJI Science and Technology is providing U.S. critical infrastructure and law enforcement data to the Chinese government. SIP Los Angeles further assesses with high confidence the company is selectively targeting government and privately owned entities within these sectors to expand its ability to collect and exploit sensitive U.S. data.”

According to the ICE, the DJI drones operate on two Android smartphone applications called DJI GO and Sky Pixels that automatically tag GPS imagery and locations, register facial recognition data even when the system is off, and access smartphone data.

The ICE revealed that the mobile apps also gather users’ identification and personal information, including full names, email addresses, phone numbers, computer credentials, images, and videos.

“Additionally, the applications capture user identification, e-mail addresses, full names, phone numbers, images, videos, and computer credentials. Much of the information collected includes proprietary and sensitive critical infrastructure data, such as detailed imagery of power control panels, security measures for critical infrastructure sites, or materials used in bridge construction.” the ICE memo reads.

“According to the source of information (SOI), DJI automatically uploads this information into cloud storage systems located in Taiwan, China, and Hong Kong, to which the Chinese government most likely has access. SIP Los Angeles assesses with high confidence a foreign government with access to this information could easily coordinate physical or cyber attacks against critical sites.”

The Chinese drone manufacturer denied the allegations; in a statement, the company said the report was “based on clearly false and misleading claims.”

“The allegations in the bulletin are so profoundly wrong as a factual matter that ICE should consider withdrawing it, or at least correcting its unsupportable assertions,” DJI said in a statement, cited by The New York Times.

According to a DJI spokesman, users can configure their drones to control how much data they share with the Chinese drone manufacturer.

“DJI does strive to comply with local laws and regulations in each country where its drones operate and to facilitate compliance by our customers. To the extent that there are location-specific rules and policies within China, we ensure that our systems comply with these rules, including the need to register or include no-fly zones on board,” DJI stated.

“In compliance with the Chinese regulation, DJI utilizes the user’s IP address, GPS location, and MCC ID to determine if a drone is being operated in China. If so, DJI provides the customer with the features necessary to comply with Chinese regulations and policies. Otherwise, DJI provides no information about or data collected by the drone to the Chinese government.”

Moreover, DJI has recently implemented a new feature that allows pilots to cut off all outside internet connections while the drone is flying.


Hacked password service Leakbase shuts down, some suspect it was associated with the Hansa seizure
5.12.2017 securityaffairs  Hacking

LeakBase, an online service that provided paid access to leaked credentials, was shut down over the weekend. What happened?
LeakBase, an online service that provided paid access to leaked credentials, was shut down over the weekend and started redirecting to the data breach notification website HaveIBeenPwned.

2 Dec

LeakBase
@LeakbasePW
This project has been discontinued, thank you for your support over the past year and a half.


LeakBase
@LeakbasePW
We understand many of you may have lost some time, so in an effort to offer compensation please email, refund@leakbase.pw
Send your LeakBase username and how much time you had left.
We will have a high influx of emails so be patient, this could take a while

3:38 AM - Dec 3, 2017
The service started selling membership access in September 2016, claiming to provide access to two billion credentials resulting from major data leaks.


In January 2017, the paid breach notification service LeakedSource went dark, apparently because it was raided by the feds.


The popular investigator Brian Krebs linked the shutdown of the LeakBase service to the seizure of the Hansa dark web marketplace in July, citing a source close to the matter.

“A source close to the matter says the service was taken down in a law enforcement sting that may be tied to the Dutch police raid of the Hansa dark web market earlier this year.” wrote Krebs.

Leakbase reportedly came under new ownership in April 2017, after it was hacked. According to the anonymous source cited by Krebs, the new owners of Leakbase dabbled in dealing illicit drugs on the Hansa dark web marketplace.

“The Dutch police had secretly seized Hansa and operated it for a time in order to gather more information about and ultimately arrest many of Hansa’s top drug sellers and buyers. ” continues Krebs.

“According to my source, information the Dutch cops gleaned from their Hansa takeover led authorities to identify and apprehend one of the owners of Leakbase. This information could not be confirmed, and the Dutch police have not yet responded to requests for comment.”

Leakbase denied the accusation in this tweet:
LeakBase
@LeakbasePW
The fact that we need to tweet this is disappointing in itself, none of the LeakBase operators have any connections to Hansa.
The fact that this can be portrayed as near fact is astonishing as it is only a claim.

4:10 PM - Dec 4, 2017
Regardless of whether a connection to Hansa exists, the owners of these services could prove that their commercial activity aimed at helping potential victims of data breaches, not at facilitating further crimes.


Common Infiltration, Exfiltration Methods Still Successful: Report
5.12.2017 securityweek Virus
Many organizations are still having difficulties protecting their systems against the most common infiltration, exfiltration and lateral movement methods used by attackers, according to the latest Hacker’s Playbook report from SafeBreach.

The company provides a platform designed to test an organization’s defenses by continuously simulating attacks and breaches. For the third edition of its Hacker’s Playbook report, SafeBreach has analyzed data from roughly 11.5 million automated simulations conducted between January and November 2017. The simulations covered more than 3,400 attack methods – from exploit kits and malware to brute force and credential harvesting – that allowed the company to see where attackers are blocked and where they are successful.

An analysis of the top 5 infiltration methods used by malware showed that more than 55 percent of attack attempts are successful. The methods used by notorious malware families such as the WannaCry ransomware, which leverages SMB, and the Carbanak (Anunak) banking Trojan, which relies on HTTP, had a success rate of 63.4% and 59.8%, respectively, in SafeBreach’s simulations.

Other popular infiltration methods involve malicious executables packed in CHM, VBS and JavaScript files. These help attackers trick both end users and high-level scanners, and they had success rates between 50% and 61%.

Once they gain access to a targeted organization’s network, attackers use various methods for lateral movement. The most common methods, all of which involve a piece of malware or exploit, were successful in 65%-70% of the simulations run by SafeBreach.

The relatively high success rates show that organizations often fail to implement proper segmentation controls. Once the perimeter has been breached, there is no malware scanning in place within the network, allowing attackers to easily move from one machine to another.

As for exfiltrating data, success rates range between 40% and 57% for methods involving MySQL queries, TLS, SSL, HTTP POST and HTTP GET. The most commonly targeted ports are 123 (NTP), 443 (HTTPS), and 80 (HTTP).


“Attackers will always try the easiest routes first - and sadly, it appears they will often find success,” SafeBreach said in its report. “Techniques like DNS tunneling, or trickling data out within packet headers to slowly steal data without raising suspicion are clever, but attackers don’t get bonus points for creativity. When simply sending data outbound via clear or encrypted web traffic will work - attackers will happily take the easy way out.”

“We also took a deeper look into this traffic, and validated that indeed traditional web traffic, over traditional web ports, is the leading risk of data exfiltration. However, some sneakier tactics were also highlighted, as we were often able to sneak data out over NTP - which is often open and unscanned,” the company added.
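The report’s observation that data can be smuggled out over NTP because port 123 is “often open and unscanned” suggests a simple detection: legitimate time synchronisation has a very regular shape, so outbound UDP/123 flows that deviate from it deserve a look. The following is an added example, not code from SafeBreach or its report. It runs over constructed flow records (one aggregated flow per line, one-hour window) and flags three deviations: packets far larger than the 48-byte NTP header plus an optional 20-byte MAC (a fact from RFC 5905), more packets per hour than a client polling every 64 to 1024 seconds could produce, and time servers not on the organisation’s approved list. The record format, the thresholds and the approved-server set are assumptions chosen for the example.

```python
import csv
import io
from dataclasses import dataclass

NTP_PORT = 123
# A standard NTP client/server message is a 48-byte header; authenticated NTP adds a
# key id and MAC of up to 20 bytes. Anything much larger is not ordinary time sync.
MAX_PAYLOAD_PER_PACKET = 68  # assumed threshold
# ntpd polls each server every 64..1024 s, so even the fastest legitimate client sends
# about 60 packets per hour to one server; 120 leaves headroom for bursts (assumed).
MAX_PACKETS_PER_HOUR = 120

# Assumed: the organisation's sanctioned time servers.
APPROVED_NTP_SERVERS = {"192.0.2.10"}

# Constructed sample flow records (not from the report), aggregated over one hour.
# Format: ts,src,dst,proto,dport,packets,payload_bytes
SAMPLE_FLOWS = """\
2017-11-20T10:00:00Z,10.0.1.15,192.0.2.10,udp,123,4,192
2017-11-20T10:00:00Z,10.0.1.16,192.0.2.10,udp,123,3,144
2017-11-20T10:00:00Z,10.0.1.22,203.0.113.77,udp,123,412,19776
2017-11-20T10:00:00Z,10.0.1.23,203.0.113.78,udp,123,6,2640
2017-11-20T10:00:00Z,10.0.1.30,192.0.2.10,udp,123,5,1200
2017-11-20T10:00:00Z,10.0.1.23,198.51.100.9,tcp,443,20,9000
"""


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    packets: int
    payload_bytes: int


def parse_flows(text):
    """Parse the constructed CSV flow format into Flow records."""
    rows = csv.reader(io.StringIO(text.strip()))
    return [
        Flow(ts, src, dst, proto, int(dport), int(packets), int(payload))
        for ts, src, dst, proto, dport, packets, payload in rows
    ]


def find_ntp_anomalies(flows, approved_servers):
    """Return {(src, dst): [reasons]} for UDP/123 flows that do not look like time sync."""
    findings = {}
    for f in flows:
        if f.proto != "udp" or f.dport != NTP_PORT:
            continue  # only NTP traffic is in scope here
        reasons = []
        avg_payload = f.payload_bytes / f.packets if f.packets else 0
        if avg_payload > MAX_PAYLOAD_PER_PACKET:
            reasons.append(f"oversized NTP payload: {avg_payload:.0f} bytes/packet")
        if f.packets > MAX_PACKETS_PER_HOUR:
            reasons.append(f"excessive polling: {f.packets} packets in one hour")
        if f.dst not in approved_servers:
            reasons.append(f"unapproved time server {f.dst}")
        if reasons:
            findings[(f.src, f.dst)] = reasons
    return findings


if __name__ == "__main__":
    for (src, dst), reasons in find_ntp_anomalies(parse_flows(SAMPLE_FLOWS), APPROVED_NTP_SERVERS).items():
        print(f"{src} -> {dst}: {'; '.join(reasons)}")
```

The volume check catches a client that keeps 48-byte packets to look normal but sends far too many of them; the size check catches the opposite trade-off. Both should be tuned against a baseline of the site’s own NTP traffic before alerting on them.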

WannaCry, Locky and Cryptolocker have made many organizations realize that ransomware should be taken seriously. However, SafeBreach found that these types of attacks are often successful even if the deployed security solutions are working as designed.

The security firm pointed out that most of its customers have managed to significantly reduce attack success rates simply by optimizing existing security controls.

“Security teams already have the tools/controls they need for security. Oftentimes, teams chase after every new security fad, when they should be optimizing their current technology,” SafeBreach told SecurityWeek.


SEC Files Charges in Digital Currency Investment Scam
5.12.2017 securityweek Spam
The US Securities and Exchange Commission said Monday its newly-created Cyber Unit shut down a digital currency investment scam, charging a company that took millions from investors, "falsely promising" a speedy, 13-fold profit.

The SEC's Cyber Unit filed charges against and froze the assets of Dominic Lacroix, a Canadian with a history of securities law violations, and his company PlexCorps in an initial coin offering fraud.

Using Facebook, the company sold securities called PlexCoin -- that its website billed as "the next cryptocurrency" -- to investors in the US and elsewhere, raising $15 million since August, and promising a return of 1,354 percent within 29 days, the SEC said in a statement.

These were the first charges filed by the unit the SEC created in September to focus on fraudulent initial coin offerings of digital currency and other crimes.

"This first Cyber Unit case hits all of the characteristics of a full-fledged cyber scam and is exactly the kind of misconduct the unit will be pursuing," the unit's chief Robert Cohen said in a statement. "We acted quickly to protect retail investors from this initial coin offering's false promises."

The SEC won an emergency court order to freeze the assets of PlexCorps, Lacroix, 35, and his partner Sabrina Paradis-Royer, 26, accusing them of trading in unregistered securities.

PlexCorps promotional materials claimed the company's executives could not be identified for security and privacy reasons when in reality this was because Lacroix had already been pursued by Canadian authorities for securities law violations, the agency said.

The SEC's move comes amid mounting interest in digital currencies, with the most well-established, bitcoin, seeing its value soar this year to dizzying heights, attracting both investor interest and skepticism.

The US Commodities Futures Trading Commission, which regulates trade in derivatives, last week cleared the way for mainstream exchanges, including the CME Group and Cboe Futures Exchange, to offer contracts for futures of the virtual currency.

Cboe was the first out of the gate Monday, announcing it would launch bitcoin futures trading beginning Sunday. CME plans to allow trading in bitcoin futures later this month.


Leaked Credentials Service Shuts Down
5.12.2017 securityweek  Hacking
LeakBase, an online service that provided paid access to leaked credentials, was shut down over the weekend.

The service started selling membership access in September last year, claiming to provide access to two billion credentials that leaked in major hacking incidents. The service received a boost in January 2017, when paid breach notification service LeakedSource went dark.

LeakBase claimed to be providing users with information on leaked credentials to help them better understand the risks hacked information poses and to allow them to remedy the situation.

The leaked credentials, however, were leveraged for financial gain, as LeakBase visitors (the same as LeakedSource) had to pay for using the service. Subscribers were provided access to the entire database of leaked credentials and passwords.

A message posted on LeakBase’s Twitter account on Saturday is informing users that the service has been discontinued. In a subsequent tweet, the service’s operators said they were willing to refund users who had paid for access but couldn’t take advantage of the service anymore.

2 Dec

LeakBase
@LeakbasePW
This project has been discontinued, thank you for your support over the past year and a half.


LeakBase
@LeakbasePW
We understand many of you may have lost some time, so in an effort to offer compensation please email, refund@leakbase.pw
Send your LeakBase username and how much time you had left.
We will have a high influx of emails so be patient, this could take a while

3:38 AM - Dec 3, 2017
Over the weekend, the service started redirecting users to haveibeenpwned.com, a breach alerting service created and maintained by security researcher Troy Hunt. HIBP allows users to check whether their email address appeared in a breach but doesn’t store the hacked passwords.

While the exact reasons behind the service’s shutdown haven’t been revealed as of now, security blogger Brian Krebs suggests that one of the owners of LeakBase was identified and apprehended due to their connection with the dark web marketplace Hansa.

The information that led to the arrest was supposedly provided by the Dutch police, which had secretly seized Hansa in July and operated it for a while to gather data on its users.

A tweet posted on LeakBase’s account several moments ago suggests that none of the LeakBase operators have any connections to Hansa.

4 Dec

LeakBase
@LeakbasePW
The fact that we need to tweet this is disappointing in itself, none of the LeakBase operators have any connections to Hansa.
The fact that this can be portrayed as near fact is astonishing as it is only a claim.


LeakBase
@LeakbasePW
If claims as simple as that hold such weight, then our claim, as stated above, should hold equal if not much more power.

4:11 PM - Dec 4, 2017

Regardless of whether a connection to Hansa exists, the owners of services such as LeakBase could face criminal charges in the event prosecutors could prove that they intended to sell passwords to facilitate further crimes.


UK Members of Parliament Share Passwords with Staff
5.12.2017 securityweek BigBrothers
UK member of parliament (MP) Nadine Dorries has declared on Twitter that she shares the password to her work computer with staff 'including interns'.

The immediate purpose of the statement was to lend political support to under-fire First Secretary of State Damian Green. Green was accused by a former Metropolitan Police assistant commissioner of accessing porn on his work computer following a 2008 police raid investigating Home Office leaks. Dorries' tweet includes the statement, "For the officer on @BBCNews just now to claim that the computer on Greens desk was accessed and therefore it was Green is utterly preposterous!!"

But in supporting her colleague, she might have stirred a bigger scandal than that concerning Green: MPs' attitude towards passwords. Several other MPs have agreed with and supported Dorries' position.

Dorries' defense of Green is common in both politics and international cyber relations: plausible deniability through the difficulty of attribution. If multiple people could be guilty of an act, you cannot easily prove which one is the guilty party. And if multiple people have access to the password, it's hard to prove who did what with the computer.

In security, however, the fourth criterion after confidentiality, integrity and availability (CIA) is often defined as accountability. It is clear that any MP that shares his or her password is automatically failing to maintain, or specifically obfuscating, accountability. In reality, they are also guilty of ignoring official policy. The House of Commons Staff Handbook (section 5.8) says, "You MUST NOT... share your password."

The UK's National Cyber Security Center (NCSC) Password Guidance, updated in August 2016, also states, "You should never allow password sharing between users. Sharing accounts, or even occasional use by anyone other than the account holder, negates the benefit of authenticating a specific user. In particular, the ability to audit and monitor a specific user's actions is lost."

However, the sharing of MPs' passwords may go beyond simply ignoring advice and/or policy. Although sharing passwords is not in itself a breach of the UK's Data Protection Act, it could lead to a breach. The UK's data protection regulator, the ICO, itself tweeted, "We're aware of reports that MPs share logins and passwords and are making enquiries of the relevant parliamentary authorities. We would remind MPs and others of their obligations under the Data Protection Act to keep personal data secure."

It is questionable whether giving interns access to the potentially sensitive personal information of constituents is within the spirit if not letter of the current law. It is also concerning that Britain's lawmakers should have such a lax attitude towards security at a time when its intelligence agencies are increasingly warning about Russia targeting the UK government.

Security researcher Troy Hunt suggests, without condoning, that this is an example of users bypassing policy in order to work more efficiently. "Her approach to password sharing may simply be evidence of humans working around technology constraints." This is common in all organizations -- and is generally countered by security awareness training supported by technological controls.

The need to share data among several different people is not uncommon -- and there are numerous technology solutions that could be employed. These include delegated access, shared access to collaboration tools (where the MP's staff would have password-controlled access to the documents rather than to the MP's computer), or even Microsoft's SharePoint.

The most worrying aspect of MPs' password sharing is their common belief that there is nothing wrong with it. This in turn suggests that MPs do not receive adequate security awareness training and/or that parliament's IT department isn't offering sufficient options to make sharing unnecessary -- or controls to make it impossible. In most private enterprises, sharing passwords would be considered a disciplinary offense.


Critical Flaw in WAGO PLC Exposes Organizations to Attacks
5.12.2017 securityweek ICS
Programmable logic controllers (PLCs) from Germany-based industrial automation company WAGO are affected by a potentially serious vulnerability that could give a remote attacker access to an organization’s entire network.

The flaw, discovered by a researcher at security services and consulting company SEC Consult, impacts Linux-based WAGO PFC200 series PLCs, specifically a total of 17 750-820X models running firmware version 02.07.07 (10). The affected devices are advertised by the vendor as ultra-compact and secure automation systems that can be used for traditional machine control, process technology, and in the offshore sector.

The security hole exists due to the use of version 2.4.7.0 of the CODESYS Runtime Toolkit. This embedded software is developed by 3S-Smart Software Solutions and it’s used by several vendors in hundreds of PLCs and other industrial controllers.

A few years ago, researcher Reid Wightman discovered that versions 2.3.x and 2.4.x of CODESYS Runtime were affected by critical access control and directory traversal vulnerabilities that could have been exploited to hack devices.

Building on Wightman’s research, SEC Consult discovered that various functions of a service named “plclinux_rt” can be accessed without authentication by sending specially crafted TCP packets on port 2455, which is the programming port.

An attacker can use this method to write, read or delete arbitrary files, which can be done with a tool created by Digital Bond several years ago for interacting with PLCs that use CODESYS. Since SSH is enabled by default on PFC200 PLCs, an unauthenticated attacker can use this file write to rewrite the /etc/shadow file, which stores the device's password hashes, and obtain root access to the device.

SEC Consult said the vulnerability can also be exploited to modify the PLC program during runtime and cause the device to step over a function, restart or crash.
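The programming port named above is the thing to watch on the network side: on a properly segmented plant network, nothing but the engineering workstations should ever open a TCP session to port 2455 on a PLC. The detection logic below, added here as an example and not code from WAGO, SEC Consult, 3S or Digital Bond, walks a Zeek-style connection log and raises one alert per 2455 session whose originator is not an approved engineering station, rating it higher when the source is outside RFC 1918 space (the "directly on the Internet" case SEC Consult warns about) and when the session was actually established rather than merely attempted. The log layout, the allowlist and the sample flows are constructed for illustration.

```python
"""Flag CODESYS programming-port (TCP/2455) sessions that did not come from an
approved engineering workstation.

Added example for this page; not code from WAGO, SEC Consult, 3S or Digital
Bond. The Zeek-style conn.log subset, the allowlist and the sample flows are
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

CODESYS_PROG_PORT = 2455  # plclinux_rt programming port named in the advisory

# Assumption: only these hosts are allowed to program PLCs on this network.
ENGINEERING_STATIONS = frozenset({"10.10.5.20", "10.10.5.21"})

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in a Zeek conn.log-like tab-separated layout:
# ts  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  conn_state
SAMPLE_CONN_LOG = """\
1512345600.101\t10.10.5.20\t51000\t10.10.7.31\t2455\ttcp\tSF
1512345601.233\t10.10.9.77\t40222\t10.10.7.31\t2455\ttcp\tSF
1512345602.417\t198.51.100.23\t33333\t10.10.7.32\t2455\ttcp\tSF
1512345603.500\t10.10.9.77\t40223\t10.10.7.31\t22\ttcp\tSF
1512345604.811\t203.0.113.9\t44444\t10.10.7.32\t2455\ttcp\tS0
"""


@dataclass(frozen=True)
class Alert:
    ts: float
    src: str
    dst: str
    severity: str
    reason: str


def is_rfc1918(ip):
    """True for private (RFC 1918) IPv4 space; anything else is treated as external."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def parse_conn_log(text):
    """Yield (ts, src, sport, dst, dport, proto, state); skip comments and malformed rows."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        ts, src, sport, dst, dport, proto, state = fields
        try:
            yield float(ts), src, int(sport), dst, int(dport), proto, state
        except ValueError:
            continue


def detect_unauthorized_programming(conn_log, allowed=ENGINEERING_STATIONS):
    """Return one Alert per TCP/2455 session whose originator is not an approved
    engineering station. Zeek conn_state S0/REJ/RSTOS0 mean no session was
    established (a scan or a blocked attempt); anything else is a live session
    and is rated higher because the file read/write described needs no auth."""
    alerts = []
    for ts, src, _sport, dst, dport, proto, state in parse_conn_log(conn_log):
        if proto != "tcp" or dport != CODESYS_PROG_PORT or src in allowed:
            continue
        established = state not in ("S0", "REJ", "RSTOS0")
        if is_rfc1918(src):
            reason = "CODESYS programming port reached from non-engineering host"
            severity = "high" if established else "medium"
        else:
            reason = "CODESYS programming port reached from external address"
            severity = "critical" if established else "high"
        alerts.append(Alert(ts, src, dst, severity, reason))
    return alerts


if __name__ == "__main__":
    for a in detect_unauthorized_programming(SAMPLE_CONN_LOG):
        print(f"{a.severity:8} {a.src:>15} -> {a.dst}  {a.reason}")
```

On the constructed sample this yields three alerts: the internal non-engineering host that completed a session (high), the external address that completed one (critical), and the external address whose SYN went unanswered (high). The SSH session on line four is ignored; it is the 2455 session that matters for this flaw, and a follow-on root login over SSH would be caught by host-side auditing rather than this flow rule.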

Attack simulation on WAGO PLC

The security firm told SecurityWeek that while it hasn’t scanned the Internet for devices that can be exploited on port 2455, it has found nearly 2,500 WAGO PFC200 devices on the Web via the Censys search engine. These devices are often found in critical infrastructure organizations, including power plants, the company said.

“Because of the use in industrial and safety-critical environments the patch has to be applied as soon as it is available,” SEC Consult warned in a blog post. “We explicitly point out to all users in this sector that this device series in the mentioned device series with firmware 02.07.07(10) should not be connected directly to the internet (or even act as gateway) since it is very likely that an attacker can compromise the whole network via such a device.”

WAGO was informed about the vulnerability in August, but it has yet to release a patch. The vendor estimates that a fix will be made available in January 2018.

SEC Consult has published an advisory describing the flaw, but it will not release a proof-of-concept (PoC) exploit until a patch is available. In the meantime, the security firm has advised users to either remove the “plclinux_rt” service or block access to port 2455 in order to prevent potential attacks.

The company believes the vulnerability could affect devices from other vendors that use CODESYS Runtime 2.3.x or 2.4.x. These are older versions of the tool – versions 3.x are not impacted.

This is not the first time a significant number of ICS devices have been exposed to attacks due to the use of a CODESYS component. Earlier this year, CyberX warned that hundreds of thousands of Industrial Internet of Things (IIoT) and ICS devices had been vulnerable due to a critical flaw in the web server component of the CODESYS WebVisu visualization software.


Former NSA employee admits taking classified data home; Kaspersky says it deleted it
4.12.2017 Idnes.cz BigBrother
The U.S. Department of Justice has charged a former NSA employee with removing classified material. From his private computer, the material allegedly ended up in the hands of Russian hackers.
The National Security Agency (NSA), established in November 1952 | photo: thedailysheeple.com

The U.S. Department of Justice charged Nghia Pho, a former NSA employee, with unlawful “willful retention of national defense information”. Specifically, this concerned material in both digital and printed form that Pho took between 2006 and 2016 from his NSA office in Maryland to his home in Ellicott City (details of the charge are in a PDF on Justice.gov).

By taking the data out of the NSA onto his private computer, Pho violated not only the NSA's internal security rules but also U.S. law on national defense information, specifically the section on gathering, transmitting or losing defense information (see 18 U.S. Code § 793).

Map: the NSA offices in Maryland (red marker) and Ellicott City (blue marker)

According to the indictment, Pho also removed data classified TOP SECRET, SECRET and CONFIDENTIAL, labels reserved for documents whose disclosure could cause “serious damage to national security”.

The 67-year-old Nghia Hoang Pho pleaded guilty (PDF), accepting the prosecutor's offer in exchange for a lighter sentence. The terms of the plea deal have not been made public.

Kaspersky's role is unclear
We reported on the case at Technet.cz in October, when information emerged that Russian hackers had obtained the removed data. There was speculation that the Russian hackers got to the classified documents, specifically those on penetrating foreign computer networks, through the Kaspersky antivirus that Pho reportedly had installed on his home computer.

According to The Wall Street Journal, U.S. investigators at the time speculated that the Russian hackers learned that classified material was sitting on a private computer precisely through the antivirus of the Russian firm Kaspersky Lab.

The Russian antivirus firm has rejected such accusations from the start. Kaspersky Lab further stated that it is willing to meet U.S. government representatives or to provide its source code for an official audit.

Kaspersky Lab has fallen out of favor with U.S. federal authorities, which have labeled it untrustworthy; since September 2017 Kaspersky software may not be installed on U.S. government computers. There is a suspicion that Kaspersky cooperated, or still cooperates, with the Russian intelligence service FSB. The company's founder, Eugene Kaspersky, has firmly denied this accusation as well: “Kaspersky Lab has no ties to any government, and has never helped, nor will it help, any government of any country with cyberespionage activities.”
Eugene Kaspersky (@e_kaspersky on Twitter), 5 October 2017, 20:05 (post archived 3 December 2017, 23:03):
“OK, here is our official statement re the recent article in WSJ. https://t.co/rdH6YcsZBZ”

According to its internal investigation, the incident has an innocent explanation
Kaspersky Lab has published preliminary results of its internal investigation. According to them, this was an ordinary detection of malicious software on a private computer: “Our product detected known Equation malware on the user's computer. Later it found on the same computer traces of a pirated version of Microsoft Office and a compressed 7zip file containing previously unknown malware.”

Kaspersky Internet Security

In line with its settings, the antivirus then sent a sample of this unknown malware to the company's lab for analysis. “It turned out that the compressed file contained several pieces of malware linked to the Equation group, as well as several Word documents marked as classified.”

Kaspersky Lab thus explains that it did not deliberately target a specific computer: “The compressed file was detected automatically by our proactive technology.” Moreover, the archive that was automatically sent to Kaspersky Lab was reportedly deleted shortly afterwards, on the order of Kaspersky Lab's chief executive.

Kaspersky also claims that the computer in question may have been “attacked by multiple hackers”, since the antivirus found traces of a large amount of malware on it. The company says it is prepared to provide the results of its internal investigation to a third party for review.


Russian antivirus Kaspersky suspected of espionage in Britain
4.12.2017 Idnes.cz BigBrother
Putin's Russia is a security threat. The UK's National Cyber Security Centre (NCSC) has warned government departments against using antivirus software from the Russian company Kaspersky Lab over espionage concerns.
Eugene Kaspersky personally opening the Security Analyst Summit 2017. | photo: Jan Kužník, Technet.cz

NCSC chief Ciaran Martin said in a letter to permanent secretaries that Russian antivirus software should not be used on systems holding information that could harm national security if the Russian government gained access to it.

He added that the NCSC is in talks with Kaspersky Lab about creating a mechanism that would allow the company's products to be checked in Britain. Kaspersky also issued a statement on the situation, saying among other things that it looks forward to working with the NCSC. The company's chief executive further clarified on Twitter that the firm's products had by no means been banned from the British market.

Eugene Kaspersky (@e_kaspersky on Twitter), 2 December 2017, 14:10 (post archived 4 December 2017, 13:44):
“Let me stress: there is *no* ban for KL products in the UK. We are in touch with @NCSC regarding our Transparency Initiative and I am sure we will find the way to work together”

As we reported at Technet.cz, the administration of U.S. President Donald Trump had earlier ordered U.S. government agencies to remove Kaspersky Lab products from their computers. It cited concerns about the company's close ties to Russian intelligence services and the possible use of the software for Russian espionage.

Suspicion had already intensified this May, when, according to Bloomberg, emails from 2009 surfaced that suggest cooperation between the antivirus firm and the Russian secret service. The company's founder Eugene Kaspersky, of course, categorically denied it. His statement and further details can be found in our article. Kaspersky Lab claims it has become a scapegoat for the growing tension between Washington and Moscow.

The Russian antivirus firm Kaspersky Lab is among the ten companies with the largest share of the antivirus market worldwide, and its antivirus is among the best rated on the market. In the security community, however, it is said unofficially that Kaspersky “apparently cooperates in some way with the Russian authorities”.

The Chinese company Huawei, which supplies network infrastructure to operators around the world, has faced similar problems for some time. In 2014 the Czech intelligence service BIS also warned against the company, and as early as 2012 U.S. authorities accused Huawei of espionage.


British government bodies warned against Kaspersky antivirus software
4.12.2017 Novinky/Bezpečnost BigBrother
The UK's National Cyber Security Centre (NCSC) has warned government departments against using antivirus software from the Russian company Kaspersky Lab. The United States had earlier banned government agencies from using the software over concerns about Russian espionage.

NCSC chief Ciaran Martin said that Russian antivirus software should not be used on systems holding information that could harm national security if the Russian government gained access to it. He added that the NCSC is in talks with Kaspersky Lab about creating a mechanism that would allow the company's products to be checked in Britain.

In September, the administration of U.S. President Donald Trump ordered U.S. government agencies to remove Kaspersky Lab products from their computers, citing concerns about the company's close ties to Russian intelligence services and the possible use of the software for Russian espionage.

Kaspersky Lab, however, denies helping Russia with espionage. It says it has become a scapegoat for the growing tension between Washington and Moscow.


ICS-CERT Advice on AV Updates Solid, But Impractical
4.12.2017 securityweek ICS
The U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has offered some advice on how antivirus software should be updated in industrial environments, but the recommended method is not very practical and experts warn that organizations should not rely only on antiviruses to protect critical systems.

ICS-CERT recommendations on updating AVs in industrial networks

ICS-CERT, a component of the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC), coordinates security incidents involving control systems and facilitates information sharing in an effort to reduce the risk of cyberattacks. The organization’s latest Monitor newsletter provides some advice on how organizations should update their antiviruses in ICS environments.

“Antivirus software, when properly deployed and up-to-date, is an important part of a defense-in-depth strategy to guard against malicious software (malware),” ICS-CERT said. “Such software is widely used in Information Technology (IT) and ICS infrastructures. In business IT environments, it is common practice to configure each antivirus client to update directly from the antivirus vendor; however, because ICS and IT systems require separation by the ICS demilitarized zone (DMZ), ICS systems require different antivirus update methods.”

The ICS DMZ is the level between the enterprise zone and the control network. The DMZ, in addition to historians and remote access servers, can include the antivirus, Windows Server Update Services (WSUS), and patch servers.

Since the ICS DMZ is typically not allowed to communicate directly to the Internet, updating these services cannot be done automatically from the vendor’s server. One method for updating antiviruses on these systems is to manually download the update, copy it to a removable media drive, and then connect that drive to the machine needing the update.

ICS architecture

However, the process is not as straightforward as it sounds. ICS-CERT has advised organizations to first verify the source of the update, and then download the update file to a dedicated host. The file should be scanned for malware and its cryptographic hash needs to be verified in order to ensure it hasn’t been tampered with.

The removable media drive should also be scanned for malware and locked (i.e. prevent files from being written to it) once the update files have been copied. Before the updates are deployed on a production system, they should be tested and validated on a test environment that mimics production machines as closely as possible.
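The download-host side of those steps is where a script earns its keep, because it is the step people skip under time pressure. The block below is an added example, not ICS-CERT's guidance turned into code and not any AV vendor's tooling. It assumes the vendor publishes a SHA-256 for every update file through a separate channel (the "verify the source, then verify the hash" steps) and treats the staging directory as the removable drive: every file on the media must be listed in that manifest and match its hash, a listed file that is absent or altered is a problem, and so is any file the vendor never listed, such as something picked up on the download host or planted on the drive. Finally it clears the write bits before the drive leaves for the DMZ, standing in for the drive's hardware write-protect switch, which is the control that actually matters. File names, hashes and the staging directory are constructed.

```python
"""Check an offline (sneakernet) antivirus update before it goes near the ICS DMZ.

Added example for this page, not ICS-CERT's or any AV vendor's tooling. It
assumes the vendor publishes a SHA-256 for every update file through a separate
channel. The file names, hashes and the staging directory that stands in for
the removable drive are constructed for the demonstration.
"""
import hashlib
import stat
import tempfile
from pathlib import Path

WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large definition packs are not loaded into RAM at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_media(media_dir, manifest):
    """Compare every file on the media with the vendor manifest {name: sha256 hex}.

    Returns (verified, problems). A file is "verified" only if it is listed and
    its hash matches. A listed file that is absent, a file whose hash differs,
    or any file not in the manifest at all is reported; nothing should be
    deployed until every problem is explained.
    """
    media = Path(media_dir)
    present = {p.relative_to(media).as_posix() for p in media.rglob("*") if p.is_file()}
    verified, problems = [], []
    for name, expected in manifest.items():
        if name not in present:
            problems.append(f"missing: {name}")
            continue
        actual = sha256_file(media / name)
        if actual.lower() != expected.lower():
            problems.append(f"hash mismatch: {name} got {actual}")
        else:
            verified.append(name)
    for name in sorted(present - set(manifest)):
        problems.append(f"unexpected file on media: {name}")
    return verified, problems


def lock_media(media_dir):
    """Clear the write bits on everything copied (stand-in for the drive's
    hardware write-protect switch, which is the real control)."""
    for p in Path(media_dir).rglob("*"):
        p.chmod(p.stat().st_mode & ~WRITE_BITS)


def is_locked(media_dir):
    """True when no file on the media still carries a write bit."""
    return all(not (p.stat().st_mode & WRITE_BITS)
               for p in Path(media_dir).rglob("*") if p.is_file())


def build_demo_media():
    """Constructed sample: one good file, one altered file, one planted extra,
    and one manifest entry that never made it onto the drive."""
    media = Path(tempfile.mkdtemp(prefix="avmedia-"))
    defs = b"AV definitions 2017-12-04 (constructed sample)\n"
    engine = b"engine build 4.2 (constructed sample)\n"
    (media / "defs-20171204.dat").write_bytes(defs)
    (media / "engine-4.2.bin").write_bytes(engine + b"\x00")  # one byte altered in transit
    (media / "autorun.inf").write_bytes(b"[autorun]\nopen=update.exe\n")  # not from the vendor
    manifest = {
        "defs-20171204.dat": hashlib.sha256(defs).hexdigest(),
        "engine-4.2.bin": hashlib.sha256(engine).hexdigest(),
        "readme.txt": "0" * 64,  # listed by the vendor, forgotten during the copy
    }
    return media, manifest


if __name__ == "__main__":
    media, manifest = build_demo_media()
    ok, problems = verify_media(media, manifest)
    lock_media(media)
    print("verified:", ok)
    for problem in problems:
        print("PROBLEM:", problem)
    print("deploy:", "no" if problems else "yes", "| media locked:", is_locked(media))
```

The decision rule is deliberately all-or-nothing: one verified file and three problems still means "do not deploy", because the next step in the ICS-CERT process (testing on a mirror of production) only makes sense on media whose contents are fully accounted for.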

“This process is more labor intensive than an automatic chaining of updates, but it is not prohibitively time-consuming,” ICS-CERT said. “This ‘sneakernet’ method is common in air-gapped networks. Automatically ‘daisy chaining’ the updates, which is similar to the process used in many IT environments, is convenient but not recommended.”

Experts say the method is not very practical and AVs alone are not enough

SecurityWeek has reached out to several ICS security experts for comment on the recommendations from ICS-CERT.

Anton Shipulin, an ICS security expert with Kaspersky Lab, pointed out that while the sneakernet method does work for updating protection software in air-gapped networks, in practice, organizations are having difficulties keeping their systems updated. Kaspersky often finds outdated antimalware signature databases in the ICS networks analyzed during its assessments, Shipulin said.

“For the process to work, there should be good discipline in place to carry it out regularly, as well as a technically advanced endpoint solution - with capability to get updates from centralized on-premise update servers; it’s much simpler and faster to deliver updates only to a single point,” Shipulin explained. “It’s also worth mentioning that the same process should be a requirement for all OS, control systems and device software updates (with the agreement of ICS suppliers and vendors).”

Rick Kaun, VP of solutions at industrial cybersecurity firm Verve, noted that manually applying updates can be much more complicated than the process described by ICS-CERT.

“For example, not all AV updates are the same,” Kaun explained. “If you are under warranty support with a specific vendor for a specific AV function you not only need to download the AV file, you need to either get it from the vendor or at least confirm the vendor supports it. Further, many organizations may have multiple OEM vendors each with different AV solutions so you are needing to follow this practice for more than one set of files on different target systems – tracking and reporting of completion becomes a challenge.”

“Now let’s add into the mix the frequency at which AV files are generated. If the files are updated once a month this is likely manageable. If they are updated weekly this is more challenging. Now what happens when AV files get updated daily or even faster than that? What is your corporate stance on AV update frequency? This is an important consideration in deciding an appropriate balance between latest and greatest definition files (maximum protection) versus significant human effort (convenience/manpower),” Kaun added.

“There are very few organizations that are able to maintain the rigor and frequency of an AV program as outlined in the ICS article. It is well written and good advice but not overly practical in day to day application without significant dedication of manpower and/or automated tools,” Kaun said.

All the experts contacted by SecurityWeek agree that industrial organizations should not rely on antiviruses, and certainly not on antiviruses alone, to protect ICS. While industrial organizations are often concerned that security software could have a negative impact on their operations, modern solutions created specifically for ICS are designed to have minimal impact while still providing comprehensive protection. Furthermore, antiviruses cannot be installed directly on critical control devices, such as PLCs and DCS controllers. Modern ICS-specific products instead passively monitor network traffic for suspicious activity, regardless of the type of device targeted.

Patrick McBride, CMO at Claroty, pointed out that security products designed for IT environments should never be used in operational technology (OT) networks.

“AV has been proven ineffective and since it is not designed to work in OT environments, you need a Rube Goldberg process just to make ineffective stuff work poorly,” McBride said. “Unfortunately, some companies rely on outdated, ineffective AV solutions because various regulations require them.”

Dana Tamir, vice president of market strategy for Indegy, pointed out another interesting aspect. While antiviruses can provide partial protection, especially against known threats, the use of traditional antiviruses may not even be possible in some organizations due to the fact that many still rely on legacy systems such as Windows NT and XP in their ICS networks, and these legacy systems may not be supported by antivirus vendors, Tamir said.

This is confirmed by a recent CyberX study, which found that three out of four industrial sites are still running outdated operating systems in their ICS networks.

“[ICS-CERT’s advice] ignores the reality that many ICS environments aren't installing any Windows security patches or running any AV protection whatsoever because of unsupported OSs like Windows 2000 and XP,” Phil Neray, VP of Industrial Cybersecurity at CyberX, told SecurityWeek.

Tamir also noted that an organization can install antiviruses on all managed computers, but if it doesn’t use a more comprehensive solution to monitor unmanaged endpoints, threats can make it into the organization’s ICS network via the devices brought in by integrators and consultants.


Google to Warn Android Users on Apps Collecting Data
4.12.2017 securityweek Android
Google is stepping up its fight against unwanted and harmful applications on Android and will soon alert users about apps, and websites leading to apps, that collect personal data without their consent.

Produced by Google Safe Browsing, the alerts will start popping up on Android devices in a couple of months, as part of expanded enforcement of Google’s Unwanted Software Policy, the Internet giant announced.

The expanded enforcement also covers applications handling personal user data, such as phone numbers or email, or device data, all of which will be required to inform users on their activities and “to provide their own privacy policy in the app.”

What’s more, Google is now requesting applications that collect and transmit personal data unrelated to the functionality of the app to “prominently highlight how the user data will be used and have the user provide affirmative consent for such use,” prior to performing the collection and transmission operations.

“These data collection requirements apply to all functions of the app. For example, during analytics and crash reporting, the list of installed packages unrelated to the app may not be transmitted from the device without prominent disclosure and affirmative consent,” Paul Stanton, Safe Browsing Team, explains in a blog post.

The Internet search provider is enforcing the new requirements on applications in both Google Play and non-Google Play app markets. The company also published guidelines for how Google Play apps should handle user data and provide disclosure.

The warnings might start appearing in late January 2018 on user devices via Google Play Protect or on webpages that lead to these apps.

Webmasters should refer to the Search Console for guidance on remediation and resolution of the warnings, while developers should refer to guidance in the Unwanted Software Help Center. Also, application builders can request app reviews.


Authorities Take Down Andromeda Botnet
4.12.2017 securityweek BotNet
The Federal Bureau of Investigation (FBI) and law enforcement agencies in Europe managed to dismantle the Andromeda botnet last week.

Also known as Gamarue, the Andromeda malware has been around since 2011 and was used to ensnare infected computers into a botnet. The main purpose of this network of infected machines was to distribute other malware families, including the Dridex banking Trojan and the point-of-sale (PoS) malware GamaPoS.

In a FortiGuard Labs report detailing the top 5 methods used to attack healthcare in Q4, 2016, Andromeda emerged as the top botnet.

Its loader features virtual machine and debugger evasion techniques, and Andromeda downloads modules and updates from its command and control (C&C) server. Associated with some 80 malware families overall, the threat was detected or blocked on an average of more than 1 million computers every month over the past six months.

The takedown, a joint effort from the FBI, the Luneburg Central Criminal Investigation Inspectorate in Germany, Europol’s European Cybercrime Centre (EC3), the Joint Cybercrime Action Task Force (J-CAT), Eurojust, and private-sector partners, was performed on November 29.

The operation was the result of information gathered following last year’s shut down of a large criminal network known as Avalanche, a platform used for mass global malware attacks and money mule recruiting. Andromeda was also used in the Avalanche network.

“Insights gained during the Avalanche case by the investigating German law enforcement entities were shared, via Europol, with the FBI and supported this year’s investigations to dismantle the Andromeda malware last week,” a Europol announcement reads.

Investigators focused on taking down the servers and domains used to spread the Andromeda malware, and the operation resulted in the sinkholing of 1,500 domains. Within 48 hours of sinkholing, around 2 million unique Andromeda victim IP addresses from 223 countries had been captured.

The takedown operation also included the search and arrest of a suspect in Belarus.

The investigators also decided to extend the sinkhole measures of the Avalanche case for another year, as globally 55% of the computers originally infected in Avalanche continue to be infected.

The measures to combat Andromeda and Avalanche involved the following countries: Austria, Belgium, Finland, France, Italy, the Netherlands, Poland, Spain, the United Kingdom, Australia, Belarus, Canada, Montenegro, Singapore, and Taiwan.

Private and institutional partners involved in the takedown include: Shadowserver Foundation, Microsoft, Registrar of Last Resort, Internet Corporation for Assigned Names and Numbers (ICANN) and associated domain registries, Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE), and the German Federal Office for Information Security (BSI).

“This is another example of international law enforcement working together with industry partners to tackle the most significant cyber criminals and the dedicated infrastructure they use to distribute malware on a global scale. The clear message is that public-private partnerships can impact these criminals and make the internet safer for all of us,” Steven Wilson, the Head of Europol’s European Cybercrime Centre, said.


Cybersecurity must be treated as a strategic matter, not as an IT investment
4.12.2017 SecurityWorld Bezpečnost
Businesses are setting out on the path of digital transformation, which is meant to help them find new business opportunities, streamline operations and better meet their customers' needs. Digital transformation leads companies to adopt the cloud, the Internet of Things, big data and ever more digital technologies, and forces them to change established practices and automate everything from decision-making to customer support.

New opportunities, however, bring new cybersecurity threats, and the threats are real. According to a forecast by analyst firm Gartner, nearly 60% of digital businesses are expected to suffer a major outage because their security team cannot manage digital risk. Part of the problem stems from senior management and boards not regarding security as a pressing business issue.

The problem was highlighted, among others, by a global Fortinet survey (article on the survey here) on enterprise cybersecurity, which polled more than 1,800 IT decision-makers. We found that, according to nearly half of respondents, security is not among the board's top priorities.

One might expect that recent cyberattacks, and their serious impact on the affected businesses, would markedly increase top executives' interest in security. They do react to security incidents, but they tend to deal with the consequences rather than with prevention.

No one is immune to the threat of system intrusion, ransomware or disruption of operations. Companies of every industry, type and size are targets, and the Fortinet survey confirms it: 85% of the businesses surveyed suffered a security breach in the past two years, with almost half recording a malware or ransomware attack.

Why cybersecurity is becoming a priority for company leadership

A number of factors will push top management and IT managers to focus on cybersecurity in 2018. Here are a few of the most important.

1. Security breaches and global attacks. The vast majority of companies have experienced some kind of security breach or attack in the past two years. After a global attack such as WannaCry, companies began to pay more attention to security. Greater publicity and attention, together with the potential impact on a company's reputation and operations, are moving cybersecurity from a problem for corporate IT to one that top management must address.

2. The attack surface. Wider use of the cloud, adoption of the Internet of Things and the growth of big data create new opportunities for attack and at the same time complicate defense. As demands on data volumes and processing grow, cloud security rises on companies' priority lists. An equally important factor expanding the attack surface is the Internet of Things (IoT). Gartner estimates that the number of connected IoT devices will exceed 8.4 billion by the end of the year, 3.1 billion of them serving business purposes. That many IoT devices are hard to protect, and experts agree in forecasting that attacks on IoT devices will make up more than 25% of all cyberattacks by 2020.

3. Legal and regulatory obligations. New laws and industry regulations also raise the importance of security. 34% of respondents said regulations are one of the factors contributing to management paying more attention to security. One example is the adoption of the General Data Protection Regulation (GDPR), which takes effect in all EU member states in 2018.

These trends mean cybersecurity is coming to be regarded as a strategic question within the broader enterprise risk-management strategy rather than a mere IT investment. For IT security managers to succeed in digital transformation, they must rethink their approach to security: in particular, gain better visibility across the whole environment and the possible attack vectors, shorten the time between detecting and neutralizing threats, ensure security solutions perform adequately, and automate the collection of security intelligence and its management.


The six most feared viruses of the computer and mobile world
4.12.2017 Novinky/Bezpečnost Virus
Every day thousands of viruses circulate on the internet, targeting conventional computers, tablets and smartphones. Security company Check Point has published a ranking of six malicious codes that target precisely these devices. Users should be very wary of them, and of the way cybercriminals spread them.

The ranking is split into two parts. One gives the three most widespread viruses attacking conventional computers, the other the three malware families targeting mobile devices such as tablets and smartphones.

Let's first look at the malicious codes attacking conventional PCs. First place goes to RoughTed. The large-scale RoughTed malvertising campaign is used to spread links to malicious websites and to deliver malicious content such as scams, adware, exploit kits and ransomware. It can be used to attack any type of platform and operating system, evades ad-blocking tools and tracks user behavior so that the final attack is as relevant as possible.

Ransomware on the scene
Second place belongs to the Locky ransomware. First detected in February 2016, it spreads mainly through spam with an infected Word attachment or a Zip attachment containing code that downloads and installs the malware, which encrypts the user's files.

The uninvited guest Locky can lock up a computer and demands a ransom for access to the encrypted data.

Seamless rounds out the three most widespread viruses. It is a traffic distribution system (TDS) that silently redirects victims to a malicious web page, leading to infection by an exploit kit. In other words, once this intruder takes hold on a computer, criminals can download any further malicious code onto it.

Mobiles are not safe either
Mobile devices are not safe from malicious code either. Users should be most wary of the Triada virus, the most widespread malware for smartphones and tablets. This modular backdoor targets devices running the Android operating system.

The malicious code grants attackers superuser privileges, so cybercriminals can download further malware onto mobile devices. Triada can also spoof URLs loaded in the browser and thus steer users to fraudulent pages.

Second place belongs to the LeakerLocker ransomware, which again targets Android devices. It reads personal user data, then shows it to the user and threatens to publish the information on the internet unless a ransom is paid.

Lotoor completes the three most widespread mobile malicious codes. It is a hacking tool that exploits vulnerabilities in the Android operating system to gain root privileges on the compromised device, which then lets attackers take control of it remotely.


Servicing update KB4051963 released for Windows 10 version 1709. What does it fix?

4.12.2017 CNEWS.cz Vulnerabilities
Microsoft has released various updates for Windows 10 over the past few days. We take a closer look at the one for the latest release of Windows 10.

Installation of a new version of Windows 10 in progress (illustrative photo)
It has been almost three weeks since the November Patch Tuesday. Some users, however, may have received further Windows updates in recent days offering new fixes. I personally noticed mainly KB4051963, which is intended for Windows 10 v1709.

Those who have moved to the latest release of Windows 10 can install the update, which raises the build number to 16299.98. The package was officially released on 30 November, although the Microsoft Update Catalog lists a publication date of 29 November. It brings fixes for the following bugs:

A scripting problem caused Internet Explorer to crash.
The text input window (from an IME) had unspecified problems when used with Internet Explorer.
Internet Explorer could have problems rendering graphical elements.
Internet Explorer could have problems submitting forms.
The location hash was lost if you navigated back to an invalid URL.
Applications could stop working if you used a proxy configured via a PAC script. As a result, the following scenarios could occur:
Outlook did not connect to Office 365,
Internet Explorer and Edge could not render any content correctly,
Cisco Jabber stopped responding,
any application or service relying on WinHTTP was affected.
Update KB4051963 fixes many of the discovered bugs
An unspecified bug caused performance degradation in games and other full-screen applications that use DirectX 9. (Could this resolve another part of the problems discovered in late summer? Editor's note.)
Forza Motorsport 7 and Forza Horizon 3 did not run on some high-end laptops.
The setting for how often to ask for feedback was not always saved.
RNDIS 5 network devices did not obtain a valid IP address or showed no network activity. If your problems persist, you will need to reinstall the Remote NDIS network adapter.
Manually changing the time zone without restarting the computer or signing out was not reflected in the time shown on the lock screen.
Some Epson SIDM and TM printers did not print on x86 and x64 systems. This problem relates to update KB4048955 (i.e. the update from the last Patch Tuesday).
Only a single item remains on the list of known issues, one that Microsoft has already been working on for several weeks. Fortunately it is a minor matter, at least for ordinary users: in specific situations (i.e. when working with SQL Server Reporting Services), drop-down menus on web pages may not be scrollable all the way to the bottom using the scrollbar when viewed in Internet Explorer.

Updates for other versions of Windows 10
On 22 November, Microsoft released update KB4055254 for Windows 10 v1703, which raises the system build to 15063.729. It contains only a single remedy, for the Epson printer problem mentioned above.

Update KB4051033 for Windows 10 v1607 was also released, raising the build number to 14393.1914. In addition to the above, it corrects many other bugs. It was released on 27 November. Updates are thus being released on various days. The first two mentioned should interest you most, because most people use these versions of Windows 10. The still relatively fresh Fall Creators Update powers 20.5% of Windows 10 devices.


Google Unwanted Software Policy – It’s a fight against snooping apps
4.12.2017 securityaffairs 

Google has expanded enforcement of Google's Unwanted Software Policy, warning Android developers to explicitly declare data collection behaviors.
A few days ago, Google was caught collecting users' location data even when location services were disabled, and many privacy experts questioned the behavior of the tech giant.

Google promptly admitted the practice and suspended it.

Now Google has made another move to protect the privacy of its users: it has warned Android developers to explicitly declare the data collection behaviors of their apps.

Google revised the Safe Browsing rules, expanding the enforcement of Google's Unwanted Software Policy.

“In our efforts to protect users and serve developers, the Google Safe Browsing team has expanded enforcement of Google’s Unwanted Software Policy to further tamp down on unwanted and harmful mobile behaviors on Android.” reads the announcement published by Google.

“As part of this expanded enforcement, Google Safe Browsing will show warnings on apps and on websites leading to apps that collect a user’s personal data without their consent.”

If developers don't comply with Google's rules within 60 days, the company will warn users via Google Play Protect or on webpages that lead to these apps.

“Starting in 60 days, this expanded enforcement of Google’s Unwanted Software Policy may result in warnings shown on user devices via Google Play Protect or on webpages that lead to these apps.” the announcement said.

Developers of apps that handle either personal data (phone number, e-mail) or device data (such as the IMEI number) must prompt the user and include a privacy policy in the app.

“Additionally, if an app collects and transmits personal data unrelated to the functionality of the app then, prior to collection and transmission, the app must prominently highlight how the user data will be used and have the user provide affirmative consent for such use,” added Google.

Data collection requirements apply to all functions of the app, including crash reporting. The company highlighted that apps cannot transmit the list of installed packages unrelated to the app without affirmative consent.

Developers can also request an app review using Google's article on App verification and appeals, which contains guidance applicable to apps in both Google Play and non-Play app stores.


UK National Cyber Security Centre (NCSC)’s letter warns against software made in hostile states, specifically Russia
4.12.2017 securityaffairs 

The UK National Cyber Security Centre (NCSC) warns of supply chain risk in cloud-based products, including antivirus (AV) software developed by Russia.
We have long debated the ban of Russian security software from US Government offices; now part of the UK intelligence community is adopting the same strategy.

Last week the CEO of the UK National Cyber Security Centre (NCSC), Ciaran Martin, wrote to permanent secretaries regarding the issue of supply chain risk in cloud-based products, including anti-virus (AV) software.

The NCSC is a branch of the UK Government Communications Headquarters (GCHQ), the UK intelligence and security agency.

The letter warns against software made in hostile states, specifically Russia; as the Prime Minister’s Guildhall speech set out, the Government in Moscow is acting against the UK’s national interest in cyberspace.

The letter provides advice to Government agencies and offices, but is not a ban on specific solutions.

The letter highlights the intrusive nature of antivirus software, which is necessary to detect malicious code; it is therefore important to remain vigilant to the risk that AV products developed by a hostile actor could perform a wide range of malicious activities.

“The job of AV is to detect malware in a network and get rid of it. So to do its job properly, an AV product must (a) be highly intrusive within a network so it can find malware, and (b) be able to communicate back to the vendor so it knows what it is looking for and what needs to be done to defeat the infiltration. It is therefore obvious why this matters in terms of national security. We need to be vigilant to the risk that an AV product under the control of a hostile actor could extract sensitive data from that network, or indeed cause damage to the network itself.” reads the letter.

“That’s why the country of origin matters. It isn’t everything, and nor is it a simple matter of flags – there are Western companies who have non-Western contributors to their supply chain, including from hostile states. But in the national security space there are some obvious risks around foreign ownership.”

“The specific country we are highlighting in this package of guidance is Russia.”

The official warns that exposure of classified information to the Russian state would be a risk to national security, and for this reason a Russia-based AV company should not be chosen. It is an obvious reference to the Kaspersky case.

The letter suggests banning software developed by Russia-based companies from any system processing information classified SECRET and above.

“To that end, we advise that where it is assessed that access to the information by the Russian state would be a risk to national security, a Russia-based AV company should not be chosen. In practical terms, this means that for systems processing information classified SECRET and above, a Russia-based provider should never be used.” continues the Letter.

“This will also apply to some Official tier systems as well, for a small number of departments which deal extensively with national security and related matters of foreign policy, international negotiations, defence and other sensitive information.”

Martin confirmed that the NCSC is currently in discussion with Kaspersky Lab about whether the UK Government can develop a framework, capable of independent verification, that would give the Government assurance about the security of the Russian firm's involvement in the wider UK market.

“In particular we are seeking verifiable measures to prevent the transfer of UK data to the Russian state. We will be transparent about the outcome of those discussions with Kaspersky Lab and we will adjust our guidance if necessary in the light of any conclusions.” continues the Letter.

In response to the current situation, Kaspersky launched its Transparency Initiative in late October, which allows government agencies to review its security software for backdoors.


PayPal-owned company TIO Networks data breach affects 1.6 million customers
4.12.2017 securityaffairs  Incident

PayPal confirmed that one of the companies it owns, TIO Networks, suffered a security breach, that affected 1.6 million customers.
PayPal confirmed that one of the companies it owns, TIO Networks, suffered a security breach: hackers accessed servers that stored information for 1.6 million customers.

TIO Networks was recently acquired by PayPal for $238 million; it is a Canadian firm that runs a network of over 60,000 utility and bill payment kiosks across North America.

On November 10, PayPal suspended the operations of TIO’s network due to the discovery of “security vulnerabilities” affecting the TIO platform and issues with TIO’s data security programme, which does not meet PayPal’s security standards.

“While we apologise for any inconvenience this suspension of services may cause, the security of TIO’s systems and the protection of TIO’s customers are our highest priorities.” said TIO Networks.

“We are working with the appropriate authorities to safeguard TIO customers.”

“The PayPal platform is not impacted by this situation in any way and PayPal’s customers’ data remains secure.

“Our investigation is ongoing. We will communicate with TIO customers and merchant partners directly as soon as we have more details. Customer updates will also be posted at www.tio.com.”

The Canadian firm disclosed the data breach, but did not provide any other details.

On Friday, December 1, PayPal published a press release that includes more details on the hack.

“PayPal Holdings, Inc. (Nasdaq: PYPL) today announced an update on the suspension of operations of TIO Networks (TIO), a publicly traded payment processor PayPal acquired in July 2017. A review of TIO’s network has identified a potential compromise of personally identifiable information for approximately 1.6 million customers.” reads the press release.

“The PayPal platform is not impacted in any way, as the TIO systems are completely separate from the PayPal network, and PayPal’s customers’ data remains secure.”

TIO systems are completely separate from the PayPal network, which means that PayPal’s customers’ data were not affected by the incident.
PayPal confirmed that the attackers stole the personal information of both TIO customers and customers of TIO billers, but it avoided disclosing what type of information the hackers compromised.

The attackers likely accessed personally identifiable information (PII) and financial details.

PayPal is notifying affected customers of the data breach and is offering free credit monitoring memberships.

Customers of TIO Networks can visit the TIO Networks website for more information on the data breach.

“TIO has also begun working with the companies it services to notify potentially affected individuals, and PayPal is working with a consumer credit reporting agency to provide free credit monitoring memberships. Individuals who are affected will be contacted directly and receive instructions to sign up for monitoring.” continues the press release.