Archive for August 2017

HBO Hackers Leak Game of Thrones Finale

The hacking group responsible for stealing 1.5 terabytes of data from HBO has struck again, leaking information about the impending Game of Thrones finale, which is scheduled to air on Sunday night.

The group claims that its latest data dump contains confidential plot summaries and detailed outlines for the show.

HBO, for its part, is maintaining its equanimity: "The hacker may continue to drop bits and pieces of stolen information in an attempt to generate media attention…that’s a game we’re not going to participate in,” it said in a statement.

This is the latest escalation of the breach that came to light last week. The attackers say they have 1.5 terabytes of information in all—seven times the volume of the 2014 Sony breach. They have been continually releasing information—including unaired full episodes for several HBO shows, executive emails and social media passwords—and say they won’t stop until their demand for $6.5 million in ransom is met.

The group struck a taunting tone in a statement to Mashable.

"We know exactly what HBO and shoemakers around are doing now," they said. "Unlike HBO, we never getting surprised. Pattern analysis of HBO's silly hidden acts are as we expected. We eagerly waiting for Fireye's [sic] report … tell them to hurry up."

They also said they have 5 terabytes, not 1.5, and that they’ve sold it all off.

"By the way, we officially inform you and other hundred of reporters whom emailing us that we sold 'HBO IS FALLING's entire collection (5 TB!!!) to 3 customer in deep web and we earned half of requested ransom," the hackers told Mashable. "We put a condition for our respected customers and they approved. We will leak many many waves of HBO's internal stuff to punish them for playing us and set an example of greedy corporation."

Source: Information Security Magazine

DoJ Subject to Strict Oversight in Anti-Trump Site Investigation

A US judge has ruled that the Department of Justice (DoJ) must operate under strict court oversight when searching data associated with an anti-Trump website to find a group of alleged rioters.

Web hosting firm DreamHost has been locked in dispute with the government after it demanded access to data on 1.3 million visitors of the disruptj20.org protest site, including IP addresses, contact information, photos and more.

The hoster, helped by rights group the Electronic Frontier Foundation (EFF), argued that such a request was unconstitutional, breaking a First Amendment designed to protect political free speech and a Fourth Amendment which helps guard against dragnet seizure of information.

The DoJ subsequently narrowed its request, claiming it had no interest in the 1.3 million IP addresses of visitors to the site, but there remained privacy concerns.

Now DreamHost is claiming victory after chief judge Morin of the Superior Court of Washington DC ruled that the investigation would need significant oversight from the courts.

The department must present the court with a “minimization plan” which lists the names of all investigators with access to the data, and all the ways it will be searching that trove.

“The production of evidence from this trove of data will be overseen by the court. The DOJ is not permitted to perform this search in a bubble. It is, in fact, now required to make its case with the court to justify why they believe information acquired is or is not responsive to (aka: “covered by”) the warrant,” wrote DreamHost in a blog post.

“The court will then seal any information that is acquired but then deemed to be ‘not responsive’. After that point, this information will not be available to the government without a court order.”

The DoJ is also prohibited from disclosing the content of this responsive info to any other agency.

The EFF claimed that although the ruling is an important step, it still raises the possibility of the DoJ conducting a “general search” on the data; “the very danger that the Fourth Amendment is meant to guard against”.

“The revised warrant still seeks all ‘contents of e-mail accounts that are within the @disruptj20.org domain’ regardless of their participation or involvement with the January 20th protest. To date, the government has not publicly contended that any of the specific @disruptj20.org email addresses belong to anyone who has been accused of a specific crime during the January 20th protest,” argued EFF attorney, Stephanie Lacambra.

“Overseizure is especially troubling where, as in this case, First Amendment protected activity and speech is being threatened and chilled by the prospect of government intrusion. Our civil liberties should not be circumvented in the digital space just because the law has failed to keep up with the nuances of technology.”

In related news, DreamHost itself suffered a DDoS attack yesterday, lasting for several hours.

The rationale behind the attack is unclear, although the firm claimed yesterday to have unwittingly become the host of controversial white supremacist site Daily Stormer, via its automated sign-up page.

It has since ditched the neo-Nazi site.

Source: Information Security Magazine

Snoopers’ Charter Could Scupper UK-EU Data Flows: Experts

The UK government has called for a “new, deep and special partnership” to protect its digital economy and data flows with the EU, but experts have warned that the Snoopers’ Charter could scupper any such arrangements.

A new positioning paper was released yesterday designed to provide “ongoing regulatory cooperation and certainty for businesses and other stakeholders.”

In it, the government recognized the importance of unhindered cross-border data flows with its largest trading partner, citing figures that suggest 43% of all large EU digital companies are started in the UK, and that 75% of UK cross-border data flows are with EU countries.

Aside from the economic implications, sharing data with the EU is also essential in the fight against serious crime and terrorism, the report claimed.

Between October 2014 and September 2015, over half (51%) of the 1566 requests from international partners received by the UK Financial Intelligence Unit (UKFIU) apparently came from EU Member States, for example.

The report optimistically suggested that having the new Data Protection Bill enshrine the GDPR into UK law will help the dialogue on cross-border data flows.

It claimed:

“The UK starts from an unprecedented point of alignment with the EU. In recognition of this, the UK wants to explore a UK-EU model for exchanging and protecting personal data, which could build on the existing adequacy model, by providing sufficient stability for businesses, public authorities and individuals, and enabling the UK’s Information Commissioner’s Office (ICO) and partner EU regulators to maintain effective regulatory cooperation and dialogue for the benefit of those living and working in the UK and the EU after the UK’s withdrawal.”

However, it’s far from certain that, on leaving the EU, Britain will receive the green light from the European Commission that its data protection regime meets essential 'adequacy requirements'.

That’s because the Investigatory Powers Act grants unprecedented mass surveillance and bulk hacking powers to the UK state; powers which could be used to snoop on EU citizens’ data.

These are the same kind of concerns that led to the scrapping of the Safe Harbor agreement between the US and EU, and risk scuppering its replacement: Privacy Shield.

Simon Migliano, head of research at Top10VPN.com, argued that the IPA is “bad for privacy, bad for business and bad for law enforcement.”

“The UK government's over-the-top approach to mass surveillance of the British public in the Investigatory Powers Act has frequently been criticized for its serious privacy implications for individuals and ineffectiveness at fighting terrorism. Now we learn the Snoopers' Charter could be even worse for the nation than we thought,” he continued.

“This extreme legislation is now revealed as a likely major obstacle to maintaining the transfer of data between the UK and the EU post-Brexit. Not only would any disruption to that critical data flow deal a body blow to businesses but also make it harder to fight crime.”

The comments echo those of Chatham House associate fellow, Emily Taylor, who told Infosecurity Magazine last year that “at least some of the powers” granted by the Snoopers’ Charter could fail the high standards set by both the European Court of Human Rights (ECHR) and European Courts of Justice (CJEU) on privacy protection.

Tellingly, there’s no mention of the Investigatory Powers Act or any such concerns in the government’s new white paper.

Source: Information Security Magazine

Zerodium Offers Half-Million-Dollar Payouts for Secure Messaging Exploits

Zerodium, which operates in the controversial exploit-brokering realm, is offering $500,000 per working exploit for code that can compromise secure messaging apps on mobile phones.

The company has released updated mobile pricing reflecting the addition of the category, saying that it’s looking for fully weaponized zero-days allowing remote code execution and local privilege elevation for WhatsApp, Signal, Facebook Messenger, iMessage, Telegram and others.

Zerodium founder Chaouki Bekrar told Kaspersky Lab’s Threatpost that “The high value of zero-day exploits for such apps comes from both a high demand by customers and a small attack surface in these apps which makes the discovery and exploitation of critical bugs very challenging for security researchers.”

The start-up launched in 2015 backed by Vupen (where Bekrar was a cofounder), the French vulnerability dealer that has often drawn controversy for brokering exploits to the highest bidder. Though it says it won’t deal with “oppressive governments,” Vupen has been criticized for eschewing the concept of community-minded white-hat research in favor of fueling a kind of cyber-arms race by delivering advanced capabilities into the hands of governments and others that can end up in the wrong hands—i.e., the Stuxnet effect.

For its part, Zerodium bills itself as an effort “to build a global community of talented and independent security researchers working together to provide the most up-to-date source of cybersecurity research and capabilities.”

It also stresses that it has been founded by cybersecurity veterans with “unparalleled experience in advanced vulnerability research and exploitation,” and that it essentially functions like a third-party bug bounty program, rewarding independent researchers for their zero-day discoveries. From there, it will analyze, document and report the findings to its clients (organizations and governments), “along with protective measures and security recommendations.”

It does not, however, share the vulnerabilities with the affected vendors.

Zerodium also made a few other changes to its payout list: It is now offering $300,000 for Windows 10 remote code execution zero-days that target SMB or RDP; while Tor remote execution exploits on Linux are worth $100,000 and $80,000 on Windows. Apache on Linux and Microsoft IIS remote code execution attacks will now fetch $150,000, and Microsoft Outlook remote code execution zero-days have been bumped up to $100,000. Mozilla Thunderbird remote code executions and VMware ESXi guest-to-host escapes command $80,000. 

Source: Information Security Magazine

Spammers Get to Work: Tuesday is Prime Time

All in a week’s work: According to new research from IBM X-Force, Tuesday is the biggest day for spam.

It makes sense. Like any professional, spammers do their research and know Tuesday is a key day for email marketing—with 20% more opens than average, according to HubSpot.

“Contrary to the stereotype, a cyber-criminal is not necessarily a lonely guy living in his parent’s basement,” an IBM X-Force spokesperson said. “Many work an eight-hour, Monday to Friday grind like you and me, sending 83% of their spam during weekdays and dropping off significantly on weekends. 85% of the malicious spam attachments deliver ransomware, which can lock data files until a ransom is paid.”

Looking at the hour range during which most spam was sent out, IBM X-Force observed a hike right around 5 a.m. Coordinated Universal Time (UTC) during weekdays, which is only 1 a.m. on the US East Coast.

“That’s because spammers start off with Europe before they follow the sun and start spamming recipients in the US,” explained Limor Kessem, IBM X-Force researcher. “The big drop in spam comes at around 8 p.m. UTC, or 4 p.m. EST, but some spamming lingers thereafter, likely only in the US at that point.”

In the different zones on the globe, X-Force data also showed that spammers like to get their sleep at night, even though there was an undercurrent of some spam activity that persists 24 hours a day.

This trend coincides with the focus of different malware families, such as banking trojans and ransomware, to target organizations and not just indiscriminate users on their email accounts. Trojans such as Dridex, TrickBot and QakBot are cybergang-owned malware designed to rob business bank accounts. As such, these gangs make sure to spam employees in very pointed bouts of malicious mail, during those times in which potential new victims are more likely to open incoming email.

While the threat of spam is real and growing—volume increased 400% last year and almost half of spam analyzed by IBM contained a malicious attachment—there are ways to avoid being duped.

While spam filters are not foolproof, they are a first line of defense, often freely available in the email client, and help to reduce the number of malicious emails that make it from the spammer’s outbox to an inbox. When one does see spam, instead of unsubscribing from spam emails—which will confirm to the spammer that the address is alive—users should mark it as junk and set up the automatic emptying of their junk folders.

If spammers are most active on Tuesday, consumers and workers should be, too: Take into consideration the spammer’s working habits.

And as always, if an email looks too good to be true, it probably is. Users should be very discerning when it comes to which attachments they open and the links they click in emails. They should check for misspellings and grammar mistakes, as well as suspicious hyperlinks or abnormal sender addresses, as these are common indicators that the sender is not what he/she seems.

Source: Information Security Magazine

Neptune EK Still Alive and Well and Driving Malvertising

Exploit kit (EK) activity has been on the decline ever since Angler Exploit Kit was shut down in 2016—but at least one, the Neptune EK, is alive and well—and driving major malvertising campaigns. Unfortunately, this indicates a poor patch management posture across the board.

According to FireEye, Neptune (aka Terror EK) initially started as a Sundown EK copycat operation and has relied heavily on malvertisements from the beginning, often dropping cryptocurrency miners. In its latest campaign, it abuses a legitimate popup ad service (within Alexa’s top 100) with redirects to ads about hiking clubs. The fake domains involved in these redirects imitate real domains, and are hard for the victims to identify as fraudulent.

Redirects from domains associated with these ads eventually use 302 redirects to move victims to exploit kit landing pages, which in turn redirect to further HTML and Adobe Flash exploit links after it checks the Flash versions installed on the victim’s machine. The EK exploits multiple vulnerabilities in one run, namely, three Internet Explorer exploits and two Flash exploits.

Most of the ads linked to this campaign have been observed on high-traffic torrent and multimedia hosting sites, FireEye noted.

“Despite an observable decline in exploit kit activity, users are still at risk, especially if they have outdated or unpatched software,” FireEye researchers noted, in a blog. “This threat is especially dangerous considering that drive-by exploit kits (such as Neptune EK) can use malvertisements to seamlessly download payloads without ever alerting the user.”

Fewer people using Internet Explorer and a drop in browser support for Adobe Flash—two primary targets of many exploit kits—have contributed to the decline in EK use. However, Neptune’s continued success rests largely with the fact that patch management and getting end users and organizations to promptly apply patches for their critical applications remains a challenge.

One indicator of this can be seen by looking at EK vulnerability integration, which is the addition of exploit code within the exploit kit that targets various known vulnerabilities, which are usually tracked with CVE identifiers.

“Activity is not the only exploit kit characteristic that has been decreasing lately,” said Lane Thames, senior security researcher at Tripwire, via email. “Vulnerability integration, aka CVE integration, within the few exploit kits that are still active, has also decreased significantly within the last one to one-and-a-half years.”

“Lately, security researchers have provided numerous theories describing reasons for decreased exploit kit activity,” he added. “It’s an interesting thought experiment. Regardless of the real reasons, what we do know is that some exploit kits are still active, yet they continue to capitalize on older vulnerabilities for which patches have been available for months, if not years. This implies that there is no need to improve exploit kit success rates via the integration of exploit code for newly released vulnerabilities because older exploit code still works effectively. Hence, the reason we don’t see very much new integration.”

Besides ensuring appropriate patching of software, users can protect themselves from exploit kit-based attacks by using caution when clicking on hyperlinks, especially those that come in via email. Social engineering and phishing attacks are the most successful drivers of exploit kit-based attacks, Thames said.

Source: Information Security Magazine

DoJ Narrows Demands for Anti-Trump Protesters’ Data

A web hosting firm is claiming victory after the Department of Justice (DoJ) significantly narrowed its demands for data on users of an anti-Trump website.

DreamHost had labelled as “unconstitutional” the original DoJ demands for not only info on the founders of the disruptj20.org site but also anyone who has visited it – which would amount to the IP addresses and contact info of over 1.3 million netizens.

The right to exercise political free speech is protected under the First Amendment while the Fourth Amendment was designed in part to guard against dragnet seizure of info.

In a Tuesday filing, the DoJ clarified that it didn’t realize DreamHost collected so much visitor data and that it is solely focused on finding those who planned and took part in a January 20 “premeditated riot” to protest Donald Trump’s inauguration.

"The government has no interest in records relating to the 1.3 million IP addresses,” the filing noted. "The government could not exclude from the scope of the Warrant what it did not know existed.”

The government has now also dropped requests for “unpublished draft publications” like blogs; images and metadata and HTTP request and error logs.

It also claimed it will not use any data it is granted access to in order to potentially target political activists, saying it will be placed under a court seal.

However, while DreamHost labelled this a “huge win for internet privacy”, it raised concerns with the government’s revised request for data.

“Much of the DOJ’s original demand for information is still in place, and there are still a few issues that we consider to be problematic for a number of reasons,” it said in a blog post.

“We are moving forward with a filing to address the remaining First and Fourth Amendment issues raised by this warrant, and we look forward to voicing those concerns in the hearing scheduled for Thursday.”

Source: Information Security Magazine

Android Ransomware Jumps Over 100% in 2017

Android ransomware detections increased by over 100% in 2017, as Zscaler spotted two new threats in the Google Play store masquerading as legitimate apps.

The 'Earn Real Money Gift cards' and ‘Bubble Shooter Wild Life' apps were both uploaded by the same author and may have had thousands of downloads already.

The former is actually a variant of the popular BankBot malware family, while the latter abuses Android's Accessibility permission to install additional apps without the user's permission.

It uses a series of trick screens designed to con the user into making what they believe to be legitimate changes to Android accessibility and service settings, Zscaler revealed.

It also apparently features the Allatori obfuscator to protect the code from security controls and hide it from researchers.

“While the apps in this analysis are fairly new on Google Play with fewer than 5000 downloads, we are concerned about the increase in the availability of dubious apps in the store,” warned Zscaler. “As a first line of defense, we recommend that consumers also increase the caution with which they download apps.”

The news comes as new stats from Malwarebytes revealed a 138% increase in global Android ransomware detections from Q1 to Q2, with the top three families – Jisut, SLocker and Koler – accounting for 95%.

Overall malware on the Google ecosystem increased 5% since the beginning of the year, the firm claimed.

This contrasts with Nokia stats claiming a 63% increase in mobile device infections across all types of devices in the second half of 2016, versus the first half.

That report claimed infection rates hit an all-time high in October 2016 of 1.35% of all devices, with Android (81%) continuing to be the prime target.

Kaspersky Lab stats issued in February pointed to an increase of over 50% in Android ransomware over the previous year.

Source: Information Security Magazine

Fortune 500 and FTSE 100 Firms Failing on DMARC

Over 90% of the top firms listed in the US, UK and Australia are exposing their customers and partners to phishing and other email-borne threats because they’ve yet to fully adopt the DMARC standard, according to new research.

Security vendor Agari analyzed public DNS records linked to companies on the Fortune 500, FTSE 100 and ASX 100 and found a similar pattern.

Over two-thirds (67%) of Fortune 500 and FTSE 100 firms and nearly three-quarters (73%) of ASX 100 companies have not published any DMARC policy.

Around a quarter in each region have adopted only a minimal DMARC policy that monitors, but doesn’t prevent, domain name spoofing, the report found.

According to the Domain-based Message Authentication, Reporting & Conformance (DMARC) standard, the next step up from this minimal monitoring policy is “quarantine”, where unauthenticated messages are automatically moved into the spam folder.

However, this was even less common among Fortune 500 (3%), FTSE 100 (1%) and ASX 100 (1%) firms.

Just 5% of Fortune 500, 6% of FTSE 100 and 3% of ASX 100 companies went for the strongest policy, which blocks any unauthenticated messages completely, according to Agari.
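The policy tiers described above can be read directly from the TXT record a domain publishes at `_dmarc.<domain>`. The following is an added example, not Agari's code and not part of the original article: it classifies already-fetched TXT strings into the article's tiers and tallies a survey. The domains and records are constructed, and the `invalid` bucket and the `pct` check are assumptions of this sketch.

```python
from collections import Counter

# Tiers as the article describes them, plus two bookkeeping outcomes.
NO_RECORD, MONITOR, QUARANTINE, REJECT, INVALID = (
    "no-record", "monitor", "quarantine", "reject", "invalid")
_POLICY_TIER = {"none": MONITOR, "quarantine": QUARANTINE, "reject": REJECT}


def parse_tags(record):
    """Split 'v=DMARC1; p=none; ...' into {tag: value}; first occurrence wins."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep and name.strip():
            tags.setdefault(name.strip().lower(), value.strip())
    return tags


def _is_dmarc(record):
    """A DMARC record must lead with the version tag v=DMARC1."""
    name, _, value = record.split(";", 1)[0].partition("=")
    return name.strip().lower() == "v" and value.strip() == "DMARC1"


def classify(txt_records):
    """Return (tier, pct) for the TXT strings found at _dmarc.<domain>.

    pct is the share of failing mail the policy applies to (default 100).
    """
    dmarc = [r for r in txt_records if _is_dmarc(r)]
    if not dmarc:
        return NO_RECORD, None          # e.g. only an SPF string, or nothing
    if len(dmarc) > 1:
        return INVALID, None            # ambiguous: receivers apply no policy
    tags = parse_tags(dmarc[0])
    tier = _POLICY_TIER.get(tags.get("p", "").lower())
    if tier is None:
        return INVALID, None            # p= missing or misspelled
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100                       # malformed optional tag: use default
    if not 0 <= pct <= 100:
        pct = 100
    return tier, pct


def survey(domains):
    """Tally tiers and list domains whose enforcement covers under 100%."""
    counts, partial = Counter(), []
    for domain, records in domains.items():
        tier, pct = classify(records)
        counts[tier] += 1
        if tier in (QUARANTINE, REJECT) and pct < 100:
            partial.append(domain)
    return counts, sorted(partial)


# Constructed sample data (reserved .example names), not real survey results.
SAMPLE = {
    "shop.example": [],
    "old.example": ["v=spf1 -all"],
    "news.example": ["v=DMARC1; p=none; rua=mailto:reports@news.example"],
    "mail.example": ["v=DMARC1; p=quarantine; pct=25"],
    "bank.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@bank.example"],
    "typo.example": ["v=DMARC1; p=rejct"],
}

if __name__ == "__main__":
    counts, partial = survey(SAMPLE)
    for tier in (NO_RECORD, MONITOR, QUARANTINE, REJECT, INVALID):
        print(f"{tier:<11}{counts[tier]}")
    print("partial enforcement:", partial)
```

A domain that shows up as `quarantine` or `reject` with a low `pct` still lets most spoofed mail through untouched, so a survey that counts only the `p=` value overstates protection.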

It’s notable that UK firms with a large customer base of consumers are most likely to adopt DMARC.

For example, adoption in pharmaceuticals and finance is 100%, although many are still in “monitor” mode, Agari claimed.

"DMARC is an essential tool that helps prevent spam, phishing and data loss," said Shehzad Mirza, director of operations at non-profit the Global Cyber Alliance. "GCA urges organizations of all sizes to embrace this technology standard to eliminate direct domain spoofing.”

Despite poor take-up in the private sector, DMARC received a boost last September when the UK government mandated that its “Reject” policy be the default for all government emails from October.

The HMRC is one of the most phished organizations in the UK, as it handles tax returns and other highly sensitive data.

Source: Information Security Magazine

Online Dominates as UK ID Fraud Hits Record High

Identity fraud soared 5% from last year to reach record levels in the first six months of the year, with online scams comprising the vast majority, according to new figures from Cifas.

The anti-fraud non-profit said its members recorded 89,000 incidents in the first half of 2017, with online fraud now accounting for 83%.

Identity fraud is now the most common fraud type, comprising over half (56%) of all incidents reported to Cifas, the organization claimed.

Fraud grew particularly in cases involving loan applications (54%), online retail (56%), telecoms (61%) and insurance (10,250%).

However, scams involving bank accounts (-14.2%) and plastic cards (-12%) fell during the period.

Cifas CEO, Simon Dukes, said SMEs in particular need to educate staff on how to spot social engineering attempts to trick them into divulging sensitive customer information.

“We have seen identity fraud attempts increase year on year, now reaching epidemic levels, with identities being stolen at a rate of almost 500 a day,” he added.

“These frauds are taking place almost exclusively online. The vast amounts of personal data that is available either online or through data breaches is only making it easier for the fraudster.”

Rob Wilkinson, corporate security specialist at Smoothwall, argued that firms also need to look at potential weak points in suppliers and partners to keep customer data secure.

“They need to comply with regulation and build a layered security defense which spans encryption, firewalls, web filtering and ongoing threat monitoring as well as a proactive stance,” he added.

“But the public have a role to play too; they need to be incredibly careful about the information they share online. It can be very easy to pool this information and use it to build a profile which can be used for social engineering. Even something as simple as an email address and password can be all they need to cause financial and reputational damage."

Source: Information Security Magazine