Intelligent Connections. Recruiting Integrity.
Call Us: 415-510-2973

Archive for the News Category

Petya Decryption Tool Now Available

Petya Decryption Tool Now Available

Security experts are warning that a newly revealed hack designed to let victims of the Petya ransomware decrypt their files again, might not be useful for too much longer.

An unnamed researcher posted their solution to the Github developer site after apparently working on it when their father-in-law’s PC got infected at Easter.

The white hat produced a genetic algorithm which is able to deduce the decryption key needed to unlock a victim PC within seconds.

However, doing so is apparently far from easy. It requires a user to mount the infected drive on a third party machine, and extract data from two locations of their encrypted disk – the eight-byte nonce and 512-byte encrypted verification sector – before running it through the algorithm.

“I know the code is a mess, but I was kinda in a hurry,” the researcher wrote on Github.

Security experts welcomed the news but warned it was not a replacement for best practice security which can mitigate the risk of infection in the first place.

“The Petya decryption tool is a very impressive find that uses maths against maths. It’s excellent work and hopefully it will be useful to some of the users affected with Petya. However, I believe we are going to see less and less of these tools coming out in the future,” argued Qualys CTO, Wolfgang Kandek.

“They abuse weaknesses in the coding of the malware, in essence finding a vulnerability in the malware and using it to extract information format. This led to the decryption key being made available. However, just like in ‘normal’ industry sectors, malware developers will look at the exploit and the tool, and then fix the vulnerability in the next release. By definition these tools are single use only.”

Tim Stiller, senior systems engineer at Rapid7, added that organizations should concentrate on preventative measures, such as maintaining recent back-ups of data and avoiding any suspicious-looking emails and attachments.

Source: Information Security Magazine

Researcher Unearths Flaw in Popular Modems

Researcher Unearths Flaw in Popular Modems

More than 135 million modems around the world area vulnerable to a flaw that can be targeted to knock them offline, according to a report by The Hacker News.

The flaw, which can be exploited remotely, was unearthed by security researcher David Longenecker and is affecting one of the most popular and widely-used cable modems in the US, the Arris SURFboard SB6141.

According to Longenecker, the vulnerability leaves the modems open to unauthenticated reboot attacks.

Apparently, because the Arris does not provide any password authentication set up on its user interface, a local attacker can access the admin web interface at 192.168.100.1 without needing to enter a username/password.

From there, an attacker can carry out a Denial of Service attack by opting to ‘Restart Cable Modem’, disabling the modem for two to three minutes and knocking every device on the network offline.

Whilst two or three minutes without an internet connection is far from the end of the world, the attacker would also have the opportunity to select a Factory Reset, which would wipe out a modem’s configuration and settings. This would prove far more inconvenient as internet access would be lost for 30 minutes with the re-configuration process taking up to an hour to complete.

However, The Hacker News was quick to point out that this flaw is easily patchable and Arris has recently addressed the issue with a firmware update which it is in the process of making available to its customers.

UPDATE: Since this news broke, Arris has reached out with the following statement: “ARRIS recently addressed the reported GUI access issue with a firmware update. We are in the process of working with our Service Provider customers to make this release available to subscribers. There is no risk of access to any user data, and we are unaware of any exploits. As a point of reference, the 135 million number is not an accurate representation of the units impacted. We take product performance very seriously at ARRIS. We work actively with security organizations and our Service Provider customers to quickly resolve any potential vulnerabilities to protect the subscribers who use our devices.”

Source: Information Security Magazine

Tens of Millions of Desktops Still Run Windows XP

Tens of Millions of Desktops Still Run Windows XP

Microsoft ended support for Windows XP two years ago—but millions of desktops still haven’t been upgraded.

According to Net Applications, Windows XP is still running on 10.9% of all desktops as of March 2016. That makes it still the third-most popular desktop OS, behind Windows 7 (51.9%) and Windows 10 (14.2%). And there are more PCs running XP than Windows 8.1 (9.6%), and all versions of Mac OS X combined (7.8%).

Stat Counter numbers meanwhile find that Windows XP represents 7.4% of all desktops in April 2016, down from 10.9% in April 2015.

To put that in perspective, Microsoft says that the number of Windows devices out there is more than 1 billion—making for tens of millions of unprotected PCs—that’s quite an attack surface.

Since as of April 2014, XP customers no longer receive new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates, it means that any new vulnerabilities discovered in XP will not be addressed by security updates from Microsoft. And that, Microsoft has warned in the past, opens the door for “zero-days forever.”

The reasons for not upgrading vary. Smaller businesses often don’t see themselves as targets and see a Windows migration as a cost effort that can wait. Many business also still have applications running on XP, many of which can’t be upgraded. The original vendor may not have issued an updated version or has gone out of business; the specialist software’s coders may no longer be available and no one else understands the code; the cost of updating is wildly disproportionate; or the source code is lost. And in some cases, trying to update the underlying operating system may break the proprietary software that runs it.

A survey last year found that businesses in EMEA are underinvesting in security, according to the IT professionals who work for them. According to Spiceworks’ 2016 State of IT report, one big indicator of this is a prevalence of outdated systems. A disconcerting 68% of EMEA companies surveyed are still running Windows XP. But, 53% plan to invest in Windows 10 sometime this year.

Photo © Mr. High Sky/Shutterstock.com

Source: Information Security Magazine

Citadel Banking Returns as ‘Atmos’

Citadel Banking Returns as ‘Atmos’

The Citadel banking Trojan is making a comeback, with a new variant dubbed Atmos. The new strain is currently targeting banks in France and it was also spotted being delivered with ransomware.

The latest Control & Command servers for Atmos are located in Vietnam, Canada, Ukraine, Russia, the US and Turkey, and, there are almost 1,000 bots already recruited in the network, according to Heimdal Security. That number is likely to increase as the larger the botnet, the larger its targets can be.

In an interesting development, Atmos was observed being delivered with TeslaCrypt, whose latest variant (TeslaCrypt 4) features unbreakable encryption and enhanced data-stealing capabilities.

“Banking Trojans haven’t been as active as ransomware strains in the past half a year, but there’s nothing stopping them from making a comeback,” noted Andra Zaharia, a security researcher at Heimdal Security, in a blog. “And this is especially the case since users and companies tend to expose themselves to cyber-attacks for lack of adequate patching.

Citadel emerged in 2011 after the source code for the Zeus banking Trojan was leaked online. It went on to become one of the most successful pieces of malware of all time, capable of stealing money, but also personal data.

The FBI recently sentenced its creator, Dimitry Belorossov, a/k/a Rainerfox, to four years, six months in prison following his guilty plea for conspiring to commit computer fraud. Belorossov had infected 11 million computers worldwide, operating the botnet primarily from Russia. Belorossov remotely controlled over 7,000 victim bots, including at least one infected computer system with an IP address resolving to the Northern District of Georgia. Belorossov’s Citadel botnet contained personal information from the infected victim computers, including online banking credentials for US-based financial institutions with federally insured deposits, credit card information, and other personally identifying information.

The botnet also gave Belorossov the power to execute additional code on the enslaved computers, everything from scareware to ransomware.

The Microsoft Digital Crimes Unit and the FBI were eventually able to disrupt the botnet. But now Atmos has appeared—Citadel’s polymorphic successor.

“So far, only a few strains of Atmos have been detected, and what they have in common is attacks targeting banks in France,” said Zaharia. “Because it’s based on Citadel, which, in turn, evolved from ZeuS, Atmos utilizes the same web injects that ZeuS became infamous for. Consequently, we can infer that this new financial malware strain is after the same objectives: money and confidential data.”

Photo © John T Takai

Source: Information Security Magazine

Denmark Takes Out Full-Page Ads for Hackers

Denmark Takes Out Full-Page Ads for Hackers

Denmark’s official spy agency, the Danish Defense Intelligence Service (DDIS), is creating a training academy for hackers.

The agency has placed full-page ads in local newspapers and online asking, “Do you have what it takes to become a member of a secret elite force?” Specifically, that means hackers with well-developed programming abilities, math and logical intelligence, and a clean criminal record. And, according to Lars Findsen, the head of the intelligence service, “a high degree of personal integrity, because they will be handling secrets and sensitive information.”

He added that Academy recruits will spend four and a half months at the school starting in August, working on a range of defensive and offensive techniques. These include counterintelligence (breaking encrypted communications of the enemy) and hacking the networks of terrorists. In many cases, they will have the chance to use methods that would be illegal outside of the purview of government-led programs.

“When you have these unique talents, you want to use them and you have very special opportunities in our environment,” Findsen said.

At the end of their stint, the best and brightest will be offered positions in the Danish intelligence community.

“We are looking for people who have the core competencies that we can develop further,” Findsen said. “They don’t need formal education or qualifications. They can be natural hacker talents. More than anything they need to keep going until they have cracked the codes. There are no limitations.”

Advanced cyber-attacks against foreign services is not a rare sight. A report by the Investigation Unit of the Center for Cyber Security under the Defence Intelligence in Denmark recently revealed the details of a specific attack campaign that took place during 2015 and went on for more than half a year. In the seven months that the attack lasted, perpetrators sent 47 phishing emails from 21 sender addresses to nine different accounts of employees at the Ministry of Foreign Affairs.

“This case is interesting because it very clearly illustrates why companies and governments need to take computer security seriously,” said head of the Center for Cyber Security, Thomas Lund-Sørensen. “We’ll never eliminate the human factor, but where we can, we need to do as much as we can. This is a task that must be addressed at both the management level, technical level and user level, and so it must be ensured that there is a high and continuous security awareness within the organization.”

Photo © Zateshilov

Source: Information Security Magazine

Nationwide Trialing Behavioral Biometrics

Nationwide Trialing Behavioral Biometrics

UK high street bank Nationwide is the latest lender said to be mooting a roll-out of biometric technology designed to authenticate its customers.

Swedish security provider BehavioSec announced today it has been working with Unisys for the past few months on a new app to authenticate Nationwide’s mobile banking users.

It added:

“The prototype is still in its early stages, but trialing behavioral biometrics with the digital services of the UK’s biggest building society means that we’re one step closer to seeing behavioral biometrics as a standard feature.”

“We’re not here to replace the password, but we know that it’s not enough to ask users to create strong passwords, especially when they need to remember at least six of them. Behavioral biometrics is the way forward for banking, payments, and other digital transactions.”

Specifically, the app will detect the unique way each individual interacts with their mobile device to authenticate them. The idea is to use these capabilities in combination with other methods of user authentication.

It’s yet another way to transition from password-only log-ins, which can be easily phished, hacked or cracked by third-party attackers with moderate skill.

Uncited stats used by BehavioSec claim the average UK adult has six passwords to remember, with 70% clicking “forgot password” on average twice a month.

This not only makes for a frustrating user experience, but can also encourage users to write their passwords down on paper, or else create easy-to-guess credentials, putting their accounts at greater risk of a successful attack.

Biometrics are gaining increasing traction in the banking industry.

It emerged earlier this year that HSBC will offer its 15 million customers the chance to log into their accounts via Apple’s Touch ID fingerprint scanning service or voice-activated authentication powered by speech recognition specialist Nuance.

RBS and NatWest already support fingerprint scanning and MasterCard is set to go global with its ‘pay-by-selfie’ tech.

Source: Information Security Magazine

Apple vs FBI Continues with Feds’ Appeal

Apple vs FBI Continues with Feds’ Appeal

The legal tussle between Apple and the FBI over access to the devices of suspected criminals appears to be far from over after the Feds appealed a decision by a Brooklyn judge in favor of the tech giant in February.

A court filing on Friday seen by Bloomberg revealed that the authorities believe the ruling is unfair because Apple has previously provided access to phones which it can break into – like this 5S device running iOS7.

This is, of course, in contrast to the 5C device running iOS9 which belonged to San Bernardino gunman Syed Farook. Apple claimed it couldn’t crack that phone even if it wanted to.

The FBI famously dropped that court case after claiming it had found an alternative way to get at the data on the device.

In an ironic twist, Apple is now said to be preparing a legal challenge to get the Justice department to disclose how it tried to gain entry into the handset.

In the case being held in Brooklyn, Apple received a boost in February when judge James Orenstein ruled that the All Writs Act of 1789 couldn’t be used by the FBI to compel Apple to circumvent the security on its device.

The archaic law is the primary legal weapon the Feds are using to try to set a precedent which could force all technology companies to provide access to their products on request – so the argument goes.

That’s why most of Silicon Valley appeared to get behind Apple in its battle over the San Bernardino device, in an unprecedented show of solidarity.

Amazon, Cisco, Facebook, Google, Twitter, eBay and others filed amici curiae in support for Apple, describing the FBI’s actions as “unprecedented and unnecessary.”

Some have urged Congress to step in with new legislation designed to bring clarity around these issues.

Source: Information Security Magazine

1 in 10 Britons Engage in 'Honest Hacking'

1 in 10 Britons Engage in 'Honest Hacking'

“Honest hacking”—is there such a thing? About 10% of the UK population seems to think so.

We’re not talking about white hat activities here. Research from Manchester-based security firm Online Spy Shop found that one in 10 Britons have hacked into another person’s social media or email account for what they deem to be “honest” reasons. Excuses for so-called “ethical snooping” include: Investigating infidelity; helping someone make a surprise marriage proposal; tracking down a missing person; and being asked by a significant other to check messages.

Eli Zheleva from Portsmouth for instance used a browser vulnerability to hack her friend’s email, and reset her social media passwords to find her location after she went missing.

“A friend of mine went missing,” he explained in the report. “Her housemate called me to let me know she's stormed off. Later on, he found a rather negative note buried under other paperwork on her desk. It wasn't suicidal as such, but it had lines such as ‘I don't want to live amongst people who'd rather I was not alive.’”

He added, “We didn't know where she was and she had left her phone at the house, thus we couldn't contact her, all we knew is that she'd had some alcohol to drink and then drove off, which worried us even more. She was supposed to take a flight to Bulgaria a week later and we were wondering if she'd rebooked her flight to leave earlier. We were desperate to discover her location. Thankfully she did turn up safe and well. The moral of the story is never to use the same passwords for different accounts. It was worryingly easy to get into her email account."

It should also be noted that a larger percentage, 22%, admitted trying to hack a partner’s social media or email for dishonest reasons at least once—and one in three of those guessed the right password.

Also, the study uncovered that two in three (62%) are accidental hackers, having inadvertently logged into someone else’s account on a shared computer or finding the account already logged in. Fair enough but…90% of accidental hackers failed to log out immediately, and half (48%) who stayed logged in performed at least one action in the account.

Those actions include checking the inbox (31%); checking notifications (26%); opening messages (24%); posting from the account (15%); and copying or forwarding a message (4%).

Only one in 10 (12%) immediately realized their mistake and logged out.

For all of these categories—“honest,” deliberate and accidental hacking—Facebook was the most common target, representing 76% of the incidents.

Steve Roberts, a former close protection and surveillance operative who now runs Online Spy Shop, believes Britain has a big issue when it comes to protecting and respecting digital privacy.

“It’s so easy to leave yourself open to invasions of privacy,” he said. “Either by leaving yourself logged in, or just by allowing your browser to save your password. You become reliant on the honesty of others to protect your privacy.”

He added, "It’s shocking to think that only one in 10 of us can resist the temptation to log out right away when we find ourselves looking at someone else’s private information, but it’s even more shocking that some people think it’s OK to breach another person’s online privacy because the ends justify the means."

Photo © Myimagine

Source: Information Security Magazine

API Security Significantly Lacking for Enterprises

API Security Significantly Lacking for Enterprises

In this age of app-centric working and the cloud, the majority of companies are running some form of an API management platform, either developed in-house or from a commercial provider. However, the security features included in these API management platforms are inconsistent, with many lacking basic rate limiting functionality.

According to a study from Ovum, about 87% of respondents were running an API management platform, with 63% using a platform developed in-house. The purpose behind using APIs is varied. Half (51%) of respondents said that their rationale for API deployment was to enable their external developer ecosystem. Meanwhile, 67% said partner connectivity was the main goal, while 62% cited mobility and 57% cited cloud integration. While these are worthy goals, the study reveals that they come with API security woes.

“The use of APIs to enable applications to interact across single and multiple infrastructures is skyrocketing and innovation is being fueled by companies finding new ways to monetize their software assets by exposing APIs to outside developers,” said Rik Turner, senior analyst at Ovum. “However, exposing APIs to developers outside the company creates significant risk and APIs are becoming a growing target for cyber criminals. This study highlights an alarming lack of consistency and ownership in how API security is addressed.”

The majority (83%) of those surveyed said that they were concerned with API security—because API management platforms lack critical features and automation. For instance, rate limiting, considered to be a basic API security practice, was employed by less than half of respondents. Only 21.9% of respondents had protection from API malicious usage, API developer errors, automated API scraping, and web and mobile API hijacking.

And, more than two-thirds of respondents were spending over 20 hours a month managing API rate limiting, showing a deep lack of automation.

Further, one-third (30)% of APIs are spec'd out without any input from the IT security team and 27% of APIs proceed through the development stage without the IT security team weighing in. About a fifth (21%) of APIs go live without any input from security professionals.

 “APIs impact business and the world around us more than most people realize. The fact that API security is flying under the radar and not being adequately addressed should be a red flag prompting organizations to examine their own practices,” said Rami Essaid, co-founder and CEO of Distil Networks, which sponsored the survey. “CIOs and CISOs need to get a handle on how responsibility is addressed within their organizations and decide whether the process is sufficiently robust.”

Also of note is the lack of responsibility for API security. There is nearly an even split between those that give responsibility for API Security to their developers and those that allocate it to the IT security team: 53% of respondents feel security teams should be responsible for API security, while 47% believe the developer teams should hold responsibility.

Photo © kentoh

Source: Information Security Magazine

Unpatched Software, Misconfiguration Plague 1000s of Organizations

Unpatched Software, Misconfiguration Plague 1000s of Organizations

There are thousands of instances of companies using misconfigured systems or unpatched, outdated software, new analysis has revealed—offering a host of gift-wrapped attack vectors for cyber-criminals.

Leveraging its vulnerability scanner and management solution, Radar, F-Secure reviewed 85,000 security events of the 100 most common vulnerabilities. It found that the 10 most frequent vulnerabilities are of low or medium severity, but account for 62% of all weaknesses. About 7% of security events have high severity ratings according to standards used by the National Vulnerability Database, and 50% of these are exploitable and could be used by attackers to gain control over compromised machines via remote code execution.

Nearly all of these exploitable weaknesses are easy to fix with the right software patches or simple administrative changes.

All of this confirms to security experts that many companies don’t have enough visibility over their networks.

“It’s bad news for a company if an attacker finds one of these highly severe vulnerabilities,” said Jarno Niemelä, lead researcher, F-Secure Labs. “The fact that we found thousands of issues this severe suggests some serious security shortfalls amongst companies. Either they’re not implementing patch management programs, or they’re forgetting to include parts of their network in their maintenance practices. But no matter what the underlying cause is, it’s lots of opportunities for attackers, and lots of breaches waiting to happen.”

This finding reinforces previous warnings regarding the importance of implementing simple security measures. According to the United States Computer Emergency Readiness Team, following a few easy steps such as patching vulnerable software can prevent up to 85% of targeted cyber-attacks.

Crucially, misconfigurations or implementation issues with encryption protocols account for 44% of the most common issues—meaning that this is a far more common issue than the thousands of highly severe weak points.

“These issues aren’t particularly pressing if you think about them intrinsically, but hackers see non-critical issues as the cybersecurity equivalent of a ‘kick me’ sign,” said Andy Patel, senior manager, F-Secure Technology Outreach. “There’s lots of ways to stumble across these vulnerabilities just by casually browsing the web. Even hackers uninterested in doing anything bad could be tempted to pull at the thread and see what unravels. Companies that are lucky could get a helpful email informing them of the problem, but the unlucky ones are going to have professional criminals conducting reconnaissance in preparation for targeted attacks.”

Photo © Rawpixel.com

Source: Information Security Magazine