Archive for August 2017

OurMine Takes Down WikiLeaks—Again

OurMine, the hacking group that claims to just really care about their victims’ security profiles, is back, after apparently hacking WikiLeaks.

WikiLeaks’ website was defaced this morning, with the homepage at WikiLeaks.org displaying a message that indicated that its efforts in this case were not altruistic (even in a lip-service kind of way): “Hi, it’s OurMine (Security Group), don’t worry we are just testing your…. blablablab, oh wait, this is not a security test! Wikileaks, remember when you challenged us to hack you?”

According to the Verge, some visitors saw the message while others didn’t; and some got a message announcing that WikiLeaks’ account has been suspended entirely. As of this writing, the website was back in business, with its usual front-page links to Vault 7, its trove of hacking tools.

In any event, this seems to be the latest entry in the ongoing spat between OurMine and Anonymous.

OurMine has made a name for itself by breaking into bigwigs’ social media accounts, including Google CEO Sundar Pichai, Facebook founder Mark Zuckerberg and Uber CEO Travis Kalanick. Its efforts, it said, are meant to alert users to the security flaws in their habits and systems. It has also targeted organizations, including the New York Times and Buzzfeed, and in December of 2015 it took down WikiLeaks.

Anonymous, a longtime Julian Assange and WikiLeaks supporter, promptly doxed OurMine after that incident, claiming to publish personal info about the group. While the information was taken down, OurMine claimed that Anonymous continued to harass its members. In retaliation, in July 2016, OurMine DDoSed WikiLeaks, successfully knocking the website offline for a few hours.

And now, this. In Thursday’s homepage message, OurMine added: “Anonymous, remember when you tried to dox us with fake information for attacking wikileaks [sic]?” The message continues: “There we go! One group beat you all! #WikileaksHack lets get it trending on twitter [sic]!”

OurMine could be ramping up activities again; earlier in August it kicked HBO while the premium network was down and reeling from its extortionist harassers, taking over the company’s Twitter and Facebook accounts.

“Hi, OurMine are here, we are just testing your security, HBO team please contact us to upgrade the security – ourmine .org -> Contact,” it posted.

Source: Information Security Magazine

Nottinghamshire County Council Exposes Elderly, Disabled PII for 5 Years

The Nottinghamshire County Council in the UK has been fined £70,000 by the Information Commissioner’s Office for leaving vulnerable people’s personal information exposed online for five years.

The UK’s Data Protection Act requires organizations to take appropriate measures to keep personal data secure, especially when dealing with sensitive information. But the council in this case posted very personal information on elderly and disabled people in an online directory, which was left open to anyone on the internet thanks to a lack of basic security or access restrictions—not even a username or password.

The council had launched its Home Care Allocation System (HCAS), an online portal allowing social care providers to confirm that they had capacity to support a particular service user, in July 2011. When the breach was reported in June 2016, the HCAS system contained a directory of 81 service users. In total, the data of 3,000 people had been posted in the five years the system was online.

The data exposed included people’s gender, addresses and post codes, personal care needs and requirements such as the number of home visits per day, and whether they had been or were still in hospital. Although the service users’ names were not included, a determined person would be able to identify them.

The situation was discovered when a random person stumbled across the data (and was able to access it with no need to log in) while using a search engine. This member of the public alerted the ICO out of concern that the information could be used by criminals to target vulnerable people or their homes – especially as it even revealed whether or not they were still in hospital.

“This was a serious and prolonged breach of the law,” said ICO head of enforcement Steve Eckersley. “For no good reason, the council overlooked the need to put robust measures in place to protect people’s personal information, despite having the financial and staffing resources available.”

He added, “Given the sensitive nature of the personal data and the vulnerability of the people involved, this was totally unacceptable and inexcusable. Organizations need to understand that they have to treat the security of data as seriously as they take the security of their premises or their finances.”

The ICO has not been shy of assigning fines of late; in July for instance it slapped Moneysupermarket.com with an £80,000 fine after it was found guilty of sending millions of nuisance emails to customers.

Source: Information Security Magazine

Cyber-squatters Target Luxury Brands from Fendi to Prada

Fan of Fendi? Lover of Louboutin? Gaga for Gucci? Be careful, as there are more than 500 websites out there that are actively tricking web users into thinking they’re legitimate luxury fashion websites.

DomainTools has uncovered a widespread trend of cyber-squatters targeting global haute couture brands, with 538 registered domains using the trademarked names of eight of the world’s leading fashion houses.

Cyber-squatting is the practice of purchasing domains with the intent of stealing internet traffic from a well-known brand or individual. The firm analyzed domains mimicking Cartier, Givenchy, Louis Vuitton, Burberry, Hermes, Chanel, Prada and Gucci and found hundreds with close-but-no-cigar web addresses. Examples include givenchy[.]com, burberryyuk[.]com, cartierwatches[.]me, hermes-bag[.]us and more.

These domains are often used in phishing email campaigns and various other kinds of scams, including pay-per-click ads, for-profit survey sites and social media scams to trick customers into handing over personal details and money for a product.

“The ease of creating a domain is great for the average person looking to start their own website, but it is a never-ending nuisance for brands that have to monitor for domain squatters,” said Tim Helming, director of product management at DomainTools. “The bigger and more lucrative your brand, the more of a target you become for cyber-criminals.”

To avoid falling for a spoofed website, consumers should look for obvious red flags, like misspellings and extra letters in the names, and domains that have COM-[text] in them, like www.starbucks.com-latte[.]us. DomainTools advises that surfers should also look out for ‘rn’ disguised as an ‘m’, such as modem.com versus modern.com. Also, for linked text, users can verify that the address is what it purports to be by hovering over it and examining the pop-up text.
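To show how the red flags listed above can be applied mechanically, here is an added Python example (not DomainTools’ code): it refangs a reported domain, then checks it for an embedded brand name with extra characters, a fake ‘.com-’ inside the host name, ‘rn’ standing in for ‘m’, and one- or two-character misspellings. The brand table is constructed from the names on this page, and public-suffix handling is deliberately simplified.

```python
# Constructed brand -> legitimate-domain table for this example (the houses
# named on the page plus the starbucks example); real monitoring would load
# its own list.
BRANDS = {
    "cartier": "cartier.com",
    "givenchy": "givenchy.com",
    "louisvuitton": "louisvuitton.com",
    "burberry": "burberry.com",
    "hermes": "hermes.com",
    "chanel": "chanel.com",
    "prada": "prada.com",
    "gucci": "gucci.com",
    "starbucks": "starbucks.com",
}


def refang(domain: str) -> str:
    """Undo the '[.]' defanging convention used in threat reports."""
    return domain.strip().lower().replace("[.]", ".")


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'burberryyuk' for 'burberryyuk.com'.
    Simplification: multi-part public suffixes such as co.uk are ignored."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(domain: str, brands: dict = BRANDS) -> dict:
    """Apply the page's red flags to one domain and report which ones fire."""
    d = refang(domain)
    label = registrable_label(d)
    reasons = []
    # The brand's own domain (or a host under it) is not a squat.
    if any(d == legit or d.endswith("." + legit) for legit in brands.values()):
        return {"domain": d, "suspicious": False, "reasons": []}
    # 'starbucks.com-latte.us': the '.com-' in the middle fakes the real TLD.
    if ".com-" in d:
        reasons.append("fake '.com-' inside the host name")
    for brand in brands:
        if brand in d:
            reasons.append(f"'{brand}' embedded with extra characters")
        elif label.replace("rn", "m") == brand:
            reasons.append(f"'rn' imitating 'm' in '{brand}'")
        elif 0 < levenshtein(label, brand) <= 2:
            reasons.append(f"near-miss spelling of '{brand}'")
    return {"domain": d, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for sample in ("burberryyuk[.]com", "cartierwatches[.]me", "hermes-bag[.]us",
                   "www.starbucks.com-latte[.]us", "gucc1.com", "prada.com"):
        print(assess(sample))
```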

Source: Information Security Magazine

UK Firms on GDPR Hiring Spree but Gaps Persist

Only two-thirds of UK firms are set to hire new permanent employees to deal with EU data protection laws coming next year, as several new reports reveal ongoing gaps in compliance.

Recruiter Robert Half polled 400 UK directors and found that 66% were planning to bring in permanent staff and 64% temporary staff.

It claimed demand for permanent project managers (33%), business analysts (26%) and data protection officers (26%) will increase.

However, the requirement for a DPO is mandatory in the new EU General Data Protection Regulation (GDPR) and firms who don't appoint one could incur a maximum fine of €10m or up to 2% of global annual turnover.

In addition, just six of the top 20 biggest social media, software, financial technology and internet companies with EU operations contacted by the FT said they had already appointed a board member responsible for data protection.

Ideally a DPO or similar should already be in place to help co-ordinate compliance efforts ahead of the May 2018 deadline.

In fact, a quarter (28%) of large UK enterprises have yet to start, or have barely started, compliance efforts, with even fewer (22%) identifying as fully prepared, according to a CA poll of over 100 firms with 5000 employees.

Steve Durbin, managing director of the Information Security Forum (ISF), argued that the GDPR is the “greatest shake-up in privacy legislation that we have seen”, and will need organizations – especially in the tech sector – to invest in additional skills.

"It requires organizations to provide individuals with access to their personal data and then allow them to request that the data be corrected, moved to another service provider, or deleted altogether,” he added.

“This is key for the tech industry; regardless of potential cost, they must match the efforts of other industries to ensure the needs and wishes of its consumers are met."

There is an extra burden particularly on cloud service providers (CSPs), which have not previously been covered by data protection laws.

However, the new GDPR applies both to the data controllers that collect personal data on EU citizens, and the “processors” – including the CSPs – which service these companies.

Source: Information Security Magazine

Instagram Flaw Exposes Stars’ Phone Numbers & Email Addresses

Social networking site Instagram has revealed a flaw in its systems which exposed a number of celebrities’ phone numbers and email addresses to cyber-attackers.

As reported by the BBC, the Facebook-owned photo-sharing service, used by some 700 million people around the globe, believed that “one or more” attackers had targeted high-profile celebrities in an attempt to access their contact information. Instagram said it had already contacted verified members to make them aware of the incident and had fixed the bug in its application programming interface (API).

It is also believed that no passwords were stolen, but users are advised to be on the lookout for unusual or suspicious activity on their accounts.

“High-profile Instagram users can breathe a small sigh of relief after the Facebook-owned social network yesterday revealed that no passwords had been swiped in the recent breach of the photo-sharing site,” said Lee Munson, security researcher at Comparitech.com. “They’ll need to catch their breath quickly though as other sensitive information has fallen into the hands of those responsible for the hack.”

With telephone numbers and email addresses out in the wild, he added, superstars and Z-list celebrities alike will need to be on their guard in the coming weeks as the attackers may use those contact details for other nefarious purposes. “To be on the safe side, rich and famous Instagram users should probably change their login credentials anyway, remembering to make their passwords complex and unique to each online account they have.”

The more individuals allow access to their data through social media, like Instagram, the more avenues there are for attackers to try, added Mark James, security specialist at ESET.

“It’s good to remember that social media sites view people merely as a source of income. They are only concerned with the security of your data to the extent that the law requires. This is why it is critical for users to take responsibility of their own security.”

Source: Information Security Magazine

Jimmy Nukebot Explodes on the Scene, Transforming NeutrinoPOS

The NeutrinoPOS banking trojan, a constantly evolving malware thanks to its source code having been posted online last spring, has a new form, ominously dubbed Jimmy Nukebot.

Interestingly, it’s no longer in the banking business. Rather, it’s designed to help bad actors do so much more.

“The authors seriously rewrote the trojan—the main body was restructured, the functions were moved to the modules,” explained Kaspersky Lab researcher Sergey Yunakovsky, in an analysis. “The trojan has completely lost the functionality for stealing bank-card data from the memory of an infected device; now, its task is limited solely to receiving modules from a remote node and installing them into the system.”

Those modules contain the payloads, which notably include web injects (which can perform functions similar to those in NeutrinoPOS, like taking screenshots, setting up proxy servers and so on); and a large number of updates for the main module in various droppers.

Mounir Hahad, senior director of Cyphort Labs, noted that if it goes undetected, this new variant of NeutrinoPOS will be able to act as a backdoor into the organization. “[That means] allowing monitoring of user actions and exfiltration of any data the bad actors can lay their hands on,” he said, via email. “Given that it can install newly downloaded modules at will, the sky is the limit as to what it can be commandeered to do.”

Another payload is a miner that extracts the virtual Monero currency (XMR) using compromised machines.

Of interest is the trajectory that Jimmy Nukebot demonstrates for malware: This spring, the author of the NukeBot banking Trojan published the source code of his creation, resulting in this latest iteration some months later (it has probably been active since early July).

“It is an excellent example of what can be done with the source code of a quality trojan, namely, flexibly adapt to the goals and tasks set before a botnet to take advantage of a new source,” said Yunakovsky.

Josh Mayfield, platform specialist, Immediate Insight at FireMon, told us that the modification affords the trojan an opportunity to learn versus instantly executing malicious behavior (e.g. data theft)—which is a significant development.

“This is the quintessential algorithmic process pairing of explore and exploit,” he said. “Computational models have this pair running simultaneously to maximize effects and outcomes. We humans have this function in our neural system as well. Every time you’re deciding what to have for dinner, you are computing – exploring options, exploiting the knowledge to maximize the outcome. Jimmy is doing the same thing…This function allows Jimmy to gather information, be self-referential, and run through what it has explored for later use and exploitation.”

He added that, historically, the attacker community would take advantage of widely applicable weaknesses and go immediately to exploitation. Jimmy, on the other hand, takes note of the information it receives from a given target and tailors its payload to that specific environment.

“End user education is critical in the evolving landscape of trojans like Jimmy,” said Mayfield. “The average person is not going to be as well-informed about the threats or problems they face. It is important to make users aware that these things exist, they can cause damage and simple measures can be taken. End users do not readily see the need for things like two-factor authentication, regular password resets, password complexity standards and so on. Awareness of just how dangerous the world can be, can help them to take their medicine.”

Source: Information Security Magazine

Office 365 Campaign Attacks Companies from Within

Microsoft Office 365, which has more than 100 million monthly active subscribers, is the target of a widespread credential-harvesting campaign, in which attackers attempt to steal logins and ultimately launch attacks from within an organization.

According to Barracuda Networks, Office 365 account compromise is becoming increasingly prevalent, and is carried out by bad actors who take the time to craft personalized spear-phishing mails that are hard to identify as bogus. Unlike most broadcast phishing attempts, these don’t contain bold requests, misspelled words or questionable attachments that raise red flags, and they’re tailored to the recipient.

“It’s almost become part of our identities, particularly inside the network, with emails circulating internally,” Barracuda said in a posting. “There’s an inherent trust when we receive an email from a coworker using his or her correct address. We are nearly certain it is legitimate, but unfortunately, that’s not always the case.”

Typically, such a message will come in to a Microsoft O365 user, who may click a link in the message that sends them to a well-crafted landing page where they are prompted to enter their credentials. Once they do that, the attackers can access the account.

From there, Barracuda said it has seen a few scenarios. For instance, attackers can set up forwarding rules on the account to observe the user’s communications patterns, both with others inside and outside the organization. This knowledge can be used as leverage for future attacks such as ransomware or other advanced threats.

In some cases, the bad guys will use a PDF attachment in a message that appears to show a colleague forwarding a document to review; there are usually casual instructions in the email saying the document can be accessed by entering a work email and password. In another case, credentials are captured by sending an invoice for payment that requires the recipient to log on to a “web portal” to view the (fake) invoice.

Another common scenario is where attackers use the compromised account to send messages to other employees inside the organization in an attempt to collect additional credentials or other sensitive information. This approach typically has more short-term success, the firm said.

These insider threats are not only looking for credentials, however. Attackers often request an “urgent” action that needs attention, such as paying an invoice or forwarding sensitive information like employee tax details.

It’s clear that these attempts aren’t going to wane any time soon, so users should make use of multi-factor authentication, DMARC and other options for email security.
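For the forwarding-rule scenario described above, here is an added detection example (not Barracuda’s or Microsoft’s code): it scans records shaped like Office 365 unified audit log entries for the Exchange parameters that forward or redirect mail, and flags those pointing outside the tenant’s own domains. The four log records, the tenant domain example.com and every address in them are constructed.

```python
import json

# Constructed: the tenant's own mail domains; anything else is external.
ORG_DOMAINS = {"example.com"}

# Constructed records shaped like Office 365 unified audit log entries for
# the Exchange cmdlets that create or change mail forwarding.
SAMPLE_LOG = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@example.com",
                "ClientIP": "203.0.113.10", "Parameters": [
                    {"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collector@mail-relay.example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "bob@example.com",
                "ClientIP": "198.51.100.7", "Parameters": [
                    {"Name": "Name", "Value": "Team updates"},
                    {"Name": "MoveToFolder", "Value": "Updates"}]}),
    json.dumps({"Operation": "Set-Mailbox", "UserId": "carol@example.com",
                "ClientIP": "198.51.100.9", "Parameters": [
                    {"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:carol.assistant@example.com"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "dave@example.com",
                "ClientIP": "192.0.2.44", "Parameters": [
                    {"Name": "RedirectTo", "Value": "dave.personal@example.org"}]}),
]

# Parameters of New-InboxRule / Set-InboxRule / Set-Mailbox that send copies
# of mail elsewhere.
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress")
WATCHED_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}


def _targets(value) -> list:
    """Split a parameter value into addresses; 'smtp:' prefixes and
    ';'-separated lists both occur in these fields."""
    out = []
    for part in str(value).split(";"):
        part = part.strip().lower()
        if part.startswith("smtp:"):
            part = part[len("smtp:"):]
        if "@" in part:
            out.append(part)
    return out


def find_external_forwarding(lines, org_domains=ORG_DOMAINS) -> list:
    """One alert per audit record that forwards or redirects mail outside
    org_domains. Internal forwarding and ordinary move-to-folder rules are
    left alone."""
    alerts = []
    for line in lines:
        record = json.loads(line)
        if record.get("Operation") not in WATCHED_OPERATIONS:
            continue
        params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
        external = [addr for name in FORWARD_PARAMS if name in params
                    for addr in _targets(params[name])
                    if addr.rsplit("@", 1)[1] not in org_domains]
        if external:
            alerts.append({
                "user": record["UserId"],
                "operation": record["Operation"],
                "client_ip": record.get("ClientIP", ""),
                "targets": external,
                # Forwarding plus deleting the original hides the rule's effect
                # from the mailbox owner, so it deserves a higher priority.
                "hides_original": str(params.get("DeleteMessage", "")).lower() == "true",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_external_forwarding(SAMPLE_LOG):
        print(json.dumps(alert))
```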

“Office 365 is still a relatively new tool with a large and growing user base, and attackers are taking advantage of the accessibility,” Barracuda said. “Cybercriminals have a long history of designing attacks to reach the largest number of eyeballs possible. From the early days of traditional spam, to search or trending topics on social platforms, criminals follow the users—and Office 365 has become a breeding ground for highly personalized, compelling attacks.”

Source: Information Security Magazine

Massive ‘Onliner’ Spambot Holds 711 Million Email Addresses

Security researchers have uncovered one of the largest single spambots ever seen, loaded with 711 million email records.

The so-called 'Onliner' spambot was discovered by researcher 'Benkow' who claimed it has been in use since at least 2016, spreading a banking trojan called Ursnif.

It contains around 50GB of emails, credentials and SMTP configuration files, he explained in a blog post.

“I have seen this spambot targeting specific countries like Italy, or specific business like hotels,” said Benkow.

Troy Hunt, owner of the HaveIBeenPwned site, claimed it was the “largest single set of data I've ever loaded into HIBP.”

The trove was found on a Dutch server, with law enforcers in the country contacted to shut it down ASAP, he added.

Crucially, the Onliner campaign doesn’t just use email addresses, but also a smaller trove of 80 million SMTP credentials to authenticate and help bypass anti-spam filters.

“It's difficult to know where those lists of credentials came from. I have obviously seen a lot of public leaks (like Linkedin, Baidu or with every password in clear text) but credentials can also come from phishing campaigns, credential stealer malware like Pony, or they can also be found in a shop,” explained Benkow.

“Somebody even showed me a spambot with a SQL injection scanner which scans the internet, looks for SQLi, retrieves SQL tables with names like ‘user’ or ‘admin’.”

Not only is the campaign designed to evade spam filters but it also uses 'fingerprinting' techniques to identify victims running the right kind of systems that Ursnif can target, he added.

That raises the spammer’s chances of success whilst keeping his activities largely hidden from law enforcement.

As for the email addresses, the 711 million figure may be somewhat misleading as much of it has been scraped from the web with poor parsing.

“The point here is that there's going to be a bunch of addresses here that simply aren't very well-formed so whilst the ‘711 million’ headline is technically accurate, the number of real humans in the data is going to be somewhat less,” said Hunt.

“Our email addresses are a simple commodity that's shared and traded with reckless abandon, used by unscrupulous parties to bombard us with everything from Viagra offers to promises of Nigerian prince wealth. That, unfortunately, is life on the web today.”

Source: Information Security Magazine

FDA Approves Firmware Fix for St Jude Pacemakers

The US Food and Drug Administration (FDA) has approved new firmware from Abbott Laboratories designed to fix vulnerabilities in its St Jude cardiac pacemakers which could allow hackers to deplete the device battery.

Abbott-owned St Jude Medical was at the centre of a legal storm last year after suing security firm MedSec and short seller Muddy Waters for publishing what it claimed to be false info about bugs in its equipment.

It argued this strategy helped them make money off the stock market when shares in St Jude inevitably fell on the news.

However, since then the firm has been forced to address some of the issues highlighted by MedSec by releasing security fixes for some products, as it did in January.

Now the FDA has approved another fix for St Jude RF-enabled implantable cardiac pacemakers, which number 465,000 in the US.

It explained:

“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient's physician) to access a patient's device using commercially available equipment. This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing.”

Users will need an in-patient update with their healthcare provider, taking just three minutes.

However, the FDA warned of a potential – but very small – update failure which could result in: reloading of the previous firmware version; loss of programmed settings; loss of diagnostic data; or complete loss of device functionality.

The agency warned that any medical device connected to a communications network could theoretically be exploited by unauthorized users, and urged prompt reporting of “adverse events”.

Source: Information Security Magazine

Two Million CeX Customer Accounts Breached

Second-hand UK technology retailer CeX has warned that the personal details of two million of its customers may have been accessed by hackers.

Those affected were registered with CeX’s webuy.com website and have been contacted by the Watford-based firm.

In an online statement, the retailer revealed that the personal information compromised could include first name, surname, address, email address and phone number, if the customer supplied them.

It added:

“A small amount of encrypted data from expired credit and debit cards may have been compromised. We would like to make it clear that any payment card information that may have been taken, has long since expired as we stopped storing financial data in 2009.”

CeX also urged affected customers to take the precautionary measure of changing their account password, adding:

“Although your password has not been stored in plain text, if it is not particularly complex then it is possible that in time, a third party could still determine your original password and could attempt to use it across other, unrelated services. As such, as a precautionary measure, we advise customers to change their password across other services where they may have re-used their WeBuy website password.”

The firm didn’t disclose many more details of the breach as it is still working with the relevant authorities to help their investigation. However, there’s no indication that in-store personal membership information has been exposed in the breach.

CeX said it has hired a 'cybersecurity specialist' to conduct a review into its processes and had “implemented additional advanced measures of security” to prevent such an incident from occurring again.

Although financial information may be safe, customers would be advised to be on high alert for potential follow-on phishing attacks using the stolen personal information to trick users into handing over even more – including payment details.

ZoneFox CEO, Jamie Graves, praised CeX’s handling of the incident.

“The attack shows, once again, how companies of all sizes need to have a holistic approach to security and the need for a 360-degree visibility into what data is being moved around on and off the network,” he added.

“What's equally important is that your employees and clients are educated with a security-aware culture instilled to help close any gaps threats look to exploit."

Source: Information Security Magazine