Skip to content

Nick L

Cisco security disable big distributor of “ransomware”

Quote

Cisco Systems Inc (CSCO.O) said it had managed to disrupt the spread of one of the most pernicious systems for infecting Internet users with malicious software such as so-called ransomware, which demands payment for decrypting users’ data.

The investigators from Cisco’s Talos security unit were looking at the Angler Exploit Kit, which analysts at several companies say has been the most effective of several kits at capturing control of personal computers in the past year, infecting up to 40 percent of those it targeted.

They found that about half of computers infected with Angler were connecting to servers at a hosting provider in Dallas, which had been hired by criminals with stolen credit cards. The provider, Limestone Networks, pulled the plug on the servers and turned over data that helped show how Angler worked.

The research effort, aided by carrier Level 3 Communications (LVLT.N), allowed Cisco to copy the authentication protocols the Angler criminals use to interact with their prey. Knowing these protocols will allow security companies to cut off infected computers.

“It’s going to be really damaging to the attacker’s network,” Talos manager Craig Williams told Reuters ahead of the release of the report.

Cisco said that since Limestone pulled the plug on the servers, new Angler infections had fallen off dramatically.

Limestone’s client relations manager told Reuters his company had unwittingly helped the spread of Angler before the Cisco investigation.

Often sold in clandestine Internet forums or in one-to-one deals, exploit kits combine many small programs that take advantage of flaws in Web browsers and other common pieces of software. Buyers of those kits must also arrange a way to reach their targets, typically by sending spoof emails, hacking into websites or distributing malicious advertisements.

Once they win control of a target’s computer, exploit kit buyers can install whatever they want, including so-called ransomware. This includes a number of branded programs, also sold online, that encrypt users’ computer files and demand payment to release them.

Talos estimated that if three percent of infected users paid the ransom averaging $300, the criminals that had used the Limestone servers to spread Angler could have made about $30 million a year.

Good job Cisco!

Verizon’s hidden Super Cookie to get larger role

Verizon_Hack
Verizon purchased AOL earlier this year and now is breathing new life in their invasive (lack of) privacy policy

Quote

The Relevant Mobile Advertising program uses your postal and email addresses, certain information about your Verizon products and services (such as device type), and information we obtain from other companies (such as gender, age range, and interests). The separate Verizon Selects program uses this same information plus additional information about your use of Verizon services including mobile Web browsing, app and feature usage and location of your device. The AOL Advertising Network uses information collected when you use AOL services and visit third-party websites where AOL provides advertising services (such as Web browsing, app usage, and location), as well as information that AOL obtains from third-party partners and advertisers.
We do not share information that identifies you personally as part of these programs other than with vendors and partners who do work for us. We require that these vendors and partners protect the information and use it only for the services they are providing us.

That is BS Verizon, you collect “postal and email addresses”… “gender, age range, and interests” what else do you, need to identify the user. His/her shoe size?

Quote

Privacy advocates say that Verizon and AOL’s use of the identifier is problematic for two reasons: Not only is the invasive tracking enabled by default, but it also sends the information unencrypted, so that it can easily be intercepted.

“It’s an insecure bundle of information following people around on the Web,” said Deji Olukotun of Access, a digital rights organization.
Verizon, which has 135 million wireless customers, says it is will share the identifier with “a very limited number of other partners and they will only be able to use it for Verizon and AOL purposes,” said Karen Zacharia, chief privacy officer at Verizon.

In order for the tracking to work, Verizon needs to repeatedly insert the identifier into users’ Internet traffic. The identifier can’t be inserted when the traffic is encrypted, such as when a user logs into their bank account.

Previously, Verizon had been sending the undeletable identifier to every website visited by smartphone users on its network 2014 even if the user had opted out. But after ProPublica revealed earlier this year that an advertising company was using the identifier to recreate advertising cookies that users had deleted, Verizon began allowing users to truly opt-out, meaning that it won’t send the identifier to subscribers who say they don’t want it.
Verizon users are still automatically opted into the program.

“I think in some ways it’s more privacy protective because it’s all within one company,” said Verizon’s Zacharia. “We are going to be sharing segment information with AOL so that customers can receive more personalized advertising.”

A recent report by Access found that other large carriers such as AT&T and Vodafone are also using a similar technique to track their users.
In order for Verizon users to opt-out, they have to log into their account or call 1-866-211-0874.

Remember, as a Verizon subscriber, you are paying Verizon to farm your data and use it make more money. Furthermore, the unencrypted streams leave you & your phone open to hacking and all the issues that can cause. Verizon and their ilk are despicable.

Not PCI DSS Compliant: Experian

Quote

Hackers broke into a server and made off with names, driver license numbers, and other personal information belonging to more than 15 million US consumers who applied for cellular service from T-Mobile.

The breach was the result of an attack on a database maintained by credit-reporting service Experian, which was contracted to process credit applications for T-Mobile customers, T-Mobile CEO John Legere said in a statement posted online. The investigation into the hack has yet to be completed, but so far the compromise is known to affect people who applied for T-Mobile service from September 1, 2013 through September 16 of this year. It’s at least the third data breach to affect Experian disclosed since March 2013.

“Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected,” Legere wrote. “I take our customer and prospective customer privacy VERY seriously. This is no small issue for us. I do want to assure our customers that neither T-Mobile’s systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information.”

 

I am not sure where to file this: perhaps Cyber Hypocrisy? Wow, if the Credit Card companies do not take cyber seriously, then we are all in deep do do.

Spyware from Apple iTunes, Google Play, and Microsoft App Store

Quote

“Many trusted applications downloaded from Apple iTunes, Google Play, and Microsoft App Store are spying, snooping and stealing,” said Cybersecurity Expert Gary S. Miliefsky, CEO of SnoopWall, Inc.

See: https://www.youtube.com/watch?v=Q8xz8xKEFvU

This video has gone viral with nearly 6 million views, yet malicious flashlight app downloads have reached nearly 1 billion devices.

During FinDEVr, Miliefsky will demonstrate how popular apps are eavesdropping on bank accounts stealing PINs and credentials and monitoring check deposit from the largest banks in America. Consumers must be made aware of the fact that their smartphones are natural targets; that malware exists in trusted apps; and that ALL major mobile banking applications are susceptible to this exploitation.”

One of the big issues I see in the mobile space is the phone manufacturers & providers themselves. Their updates often contain spyware to sell more services, the operating systems themselves are not secure, especially with Android, and there is no easy application level control that allows users to select which apps can talk to the internet and which cannot (like a good workstation based firewall). Google Apps (GAPPS) are one of the biggest offenders. But they are not alone.

This is a big part of the Cyber Security problem and not just in mobile. Systems are insecure in many ways by design so manufacturers can collect as much data as they can and sell it advertisers and/or use it themselves to sell more. Windows 10 OS s a good case in point. Unfortunately, those same vehicles use by manufacturers to get user data are also used by nefarious actors to do the same and then use the data for identity and credit card theft and other criminal pursuits.

I think the ultimate solution for Mobile, at least in the non Apple market, will be a complete divorce from hardware and operating system. CyanogenMod and other open source projects have started in this direction. Will this take off? I think it will be very difficult as there is so much money at stake form both the Phone Manufacturers that want to sell more kit and the Phone Carriers that are in bed with them to sell more services and collect as much info as they can on users. I also think the average user will still want a turn-key easy to use solution. That said, a secure feature rich phone is not difficult, just at the moment not as profitable.

Internal actors responsible for 43% of data loss

Quote

Among companies experiencing data breaches (and that is to say, a majority), internal actors were responsible for 43% of data loss, half of which was intentional, and half accidental.

That’s a staggering amount of risk lingering inside organizations, especially when one considers that the report, from Intel, also revealed that security professionals have experienced an average of six significant security breaches each.

Interestingly, insider threats aren’t recognized as the gaping issue that they are. Breaches perpetrated by disgruntled employees and other forms of inside jobs come in at sixth place for most of the world in terms of security concerns, except in Asia-Pacific, where it’s No. 2. Cloud deployments, in contrast, brought with them increased anxiety of more security breaches, although there was no indication of increased risk with cloud applications.

Intel also found that in 68% of data breach incidents, the data exfiltrated from the network was serious enough to require public disclosure or have a negative financial impact on the company. The same was true for 70% of incidents in smaller commercial organizations, and in 61% of breaches in enterprises.

Is Windows 10 slurping too much data?

Seems like yes, despite assertions that it is not.

Quote

“We collect a limited amount of information to help us provide a secure and reliable experience. This includes data like an anonymous device ID, device type, and application crash data which Microsoft and our developer partners use to continuously improve application reliability,” Myerson wrote. “This doesn’t include any of your content or files, and we take several steps to avoid collecting any information that directly identifies you, such as your name, email address or account ID.”

Moving right along, Myerson confirmed that Microsoft would love to collect words and phrases that you type – something we’ve known about since the first Windows 10 Technical Preview shipped – but explained that it’s not about advertising. Rather, it’s about being able to “deliver a delightful and personalized Windows experience to you.”

The Windows 10 Privacy Statement gives examples of data that Redmond might collect, including “name, email address, preferences and interests; location, browsing, search and file history; phone call and SMS data.”

So basically, use Windows 10 and your life is an open book to Microsoft and their partners. No thanks!

Linux BotNet

A network of infected Linux computers that’s flooding gaming and education sites with as much as 150 gigabits per second of malicious traffic—enough in some cases to take the targets completely offline.

Quote

The XOR DDoS or Xor.DDoS botnet, as the distributed denial-of-service network has been dubbed, targets as many as 20 sites each day, according to an advisory published Tuesday by content delivery network Akamai Technologies. About 90 percent of the targets are located in Asia. In some cases, the IP address of the participating bot is spoofed in a way that makes the compromised machines appear to be part of the network being targeted. That technique can make it harder for defenders to stop the attack.

3D printed TSA Travel Sentry keys Open TSA Locks

Quote

Last year, the Washington Post published a story on airport luggage handling that contained unobscured images of the “backdoor” keys of the Transportation Safety Administration, along with many other security agencies around the world, used to gain access to luggage secured with Travel Sentry locks. These locks are designed to allow travelers to secure their suitcases and other baggage items against theft with a key or a combination, while still allowing the secured luggage to be opened for inspection—ostensibly by authorized persons only. The publication of the images effectively undermined the security of the Travel Sentry system, since the images were of sufficient quality to create real-world duplicate keys….

A few enterprising hackers (in the correct sense of the word “hacker”) have put together 3D printable model files of the TSA keys and uploaded them to a GitHub repository. Now, rather than needing specialized skills and tooling to craft a duplicate Travel Sentry key, all you need is a 3D printer that can handle STL files (and that’s basically any 3D printer)….

Is this disheartening news? Not particularly. Locking your luggage has never provided any real additional protection against all but the most casual theft attempts (as evidenced by the fact that almost any piece of luggage with a zipper can be opened with a screwdriver or a pen regardless of how many locks are hanging off of it). The spreading of 3D printable Travel Sentry keys is more of a criticism of any kind of “backdoor” cryptography—be it one that involves physical keys or mathematical. The backdoor itself undermines any and all trust in the system.

Anyone who thinks otherwise is fooling themselves.

Feeling safer yet?

Android 5 lock-screens bypassed by typing in a reeeeally long password.

Quote

If you’ve got an Android 5 smartphone with anything but the very latest version of Lollipop on it, it’s best to use a PIN or pattern to secure your lock-screen – because there’s a trivial bypass for its password protection.

The vulnerability, details of which were published here by University of Texas researchers on Tuesday, allows miscreants to sidestep lock-screens on Android 5 devices, unless they’ve been fully patched to version 5.1.1 including last week’s security updates.

“By manipulating a sufficiently large string in the password field when the camera app is active, an attacker is able to destabilize the lockscreen, causing it to crash to the home screen,” the researchers write.

Yes, by typing in too many characters, you can kill off the security mechanism and gain full access to the device, even if its filesystem is encrypted – miscreants can exploit this to run any application, or enable developer access to the device.