The FBI and VPNFilter

Updates to Internet of (not necessarily necessary) Things

The Register: FBI to World+Dog: Please, try turning it off and turning it back on – “Feds trying to catalogue VPNFilter infections”

FBI alert: Foreign cyber actors target home and office routers and networked devices worldwide

(A caveat worth keeping in mind: a reboot clears only the non-persistent later stages of VPNFilter. The stage 1 component survives a restart, so the point of the mass reboot is as much to make infected devices re-contact the command-and-control infrastructure the FBI has now seized, and so be counted, as to clean them. The alert's other advice still applies: update the firmware, disable remote management, and replace default credentials.)

Sophos commentary: FBI issues VPNFilter malware warning, says “REBOOT NOW” [PODCAST]

Comprehensive article (of course!) from Brian Krebs: FBI: Kindly Reboot Your Router Now, Please

Updates to GDPR page

Sophos: Ghostery’s goofy GDPR gaffe – someone’s in trouble come Monday!

 

David Harley


26th May updates

Updates to Cryptocurrency/Crypto-mining News and Resources

(1) Malwarebytes put up an interesting analysis of a new Mac Cryptominer: New Mac cryptominer uses XMRig.

Cryptomining malware targeting Mac users isn’t something we hear a lot about, but in his article Thomas Reed points out that: “Mac cryptomining malware has been on the rise recently, just as in the Windows world. This malware follows other cryptominers for macOS, such as Pwnet, CpuMeaner, and CreativeUpdate.”

Commentary from Pierluigi Paganini: Many users reported in the past few weeks their Macs have been infected with a new Monero Miner

(2) Help Net Security reports on How security pros see the future of cryptocurrencies and cryptomining: “Data gathered by Lastline at RSA Conference 2018 reveals security professionals’ perspectives on the future of cryptocurrencies and cryptomining, response to ransomware attacks, and security impact of IoT devices.”

(3) Help Net: How a URL shortener allows malicious actors to hijack visitors’ CPU power – “URL shorteners are often used by malware peddlers and attackers to trick users into following a link they otherwise wouldn’t. But Coinhive’s URL shortener carries an added danger: your CPU power can be surreptitiously hijacked to mine Monero.”

(4) Interesting analysis, also from Help Net: Crypto Me0wing attacks: Kitty cashes in on Monero

(5) ZDNet: Verge blockchain comes under attack, again – It seems the same attack vector used to steal cryptocurrency reserves only just over a month ago is at fault.

Updates to Meltdown/Spectre and other chip-related resources

(1) The Register: Epyc fail? We can defeat AMD’s virtual machine encryption, say boffins – Evil hypervisors can lift plaintext info out of ciphered memory, it is claimed

(2) For ESET, Aryeh Goretsky’s Meltdown and Spectre CPU Vulnerabilities: What You Need to Know has been updated.

(3) The Register: Within Arm’s reach: Chip brains that’ll make your ‘smart’ TV a bit smarter – “Get ready for a future where everything from phones to CCTV recognizes faces, things”

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

(1) Help Net Security reports on How security pros see the future of cryptocurrencies and cryptomining: “Data gathered by Lastline at RSA Conference 2018 reveals security professionals’ perspectives on the future of cryptocurrencies and cryptomining, response to ransomware attacks, and security impact of IoT devices.”

(2) Bleeping Computer: Z-Shave Attack Could Impact Over 100 Million IoT Devices –

“The Z-Wave wireless communications protocol used for some IoT/smart devices is vulnerable to a downgrade attack … the attack —codenamed Z-Shave— relies on tricking two smart devices that are pairing into thinking one of them does not support the newer S2 security features, forcing both to use the older S0 security standard.”
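The mechanism described in that quote is a capability-stripping downgrade: the attacker does not break S2, it simply makes sure S2 is never offered. The following is an added illustration of that negotiation and of the controller-side checks that defeat it; it is not code from the Bleeping Computer article or from the researchers who found the attack. Real Z-Wave inclusion frames are not reproduced: NodeInfo, the allow_s0_fallback policy flag and the expected_s2 hint are assumptions chosen to show the logic, not the wire protocol.

```python
"""Model of the capability-downgrade pattern behind Z-Shave.

Added example, not code from the article or the original researchers.
NodeInfo, the policy flags and expected_s2 are assumptions for illustration;
they are not Z-Wave's actual frame format or controller API.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

S0 = "S0"  # legacy security class
S2 = "S2"  # newer security class the attacker wants to strip


@dataclass(frozen=True)
class NodeInfo:
    """What a joining device advertises during inclusion (assumed shape)."""
    node_id: int
    security_classes: FrozenSet[str]


@dataclass
class Controller:
    """Controller-side inclusion policy (assumed; not a real Z-Wave API)."""
    supported: FrozenSet[str] = frozenset({S0, S2})
    allow_s0_fallback: bool = True  # weak default: silently accept S0
    log: List[str] = field(default_factory=list)

    def negotiate(self, adv: NodeInfo, expected_s2: bool = False) -> Optional[str]:
        """Pick a security class from what the device *appears* to support.

        expected_s2 stands in for out-of-band knowledge that the device is
        S2-capable (for example, the user scanned the code printed on it).
        If that is set but only S0 is advertised, treat it as a downgrade.
        """
        common = self.supported & adv.security_classes
        if S2 in common:
            return S2
        if S0 in common:
            if expected_s2:
                self.log.append(f"node {adv.node_id}: S2 expected but only S0 "
                                "advertised; possible downgrade, refused")
                return None
            if self.allow_s0_fallback:
                self.log.append(f"node {adv.node_id}: paired with legacy S0")
                return S0
            self.log.append(f"node {adv.node_id}: S0-only pairing refused by policy")
            return None
        self.log.append(f"node {adv.node_id}: no security class in common; refused")
        return None


def strip_s2(adv: NodeInfo) -> NodeInfo:
    """An attacker in RF range rewrites the advertisement so S2 disappears."""
    return NodeInfo(adv.node_id, adv.security_classes - {S2})


def run_inclusion(controller: Controller, device: NodeInfo,
                  attacker_present: bool, expected_s2: bool = False) -> Optional[str]:
    """Simulate one inclusion; returns the negotiated class or None."""
    seen = strip_s2(device) if attacker_present else device
    return controller.negotiate(seen, expected_s2=expected_s2)


if __name__ == "__main__":
    lock = NodeInfo(node_id=7, security_classes=frozenset({S0, S2}))  # constructed device
    weak = Controller()
    print(run_inclusion(weak, lock, attacker_present=False))   # S2
    print(run_inclusion(weak, lock, attacker_present=True))    # S0: downgraded
    strict = Controller(allow_s0_fallback=False)
    print(run_inclusion(strict, lock, attacker_present=True))  # None
    print(run_inclusion(weak, lock, attacker_present=True, expected_s2=True))  # None
    print(*weak.log, sep="\n")
```

The two defences shown are the ones a controller actually has available: refuse S0 outright (which also locks out genuinely S0-only legacy devices), or keep S0 for legacy devices but refuse when something the user knows to be S2-capable suddenly advertises S0 only. Either way the decision has to be made on the controller and surfaced to the user, because the joining device cannot tell that its advertisement was rewritten.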

(3) Eurekalert: Bitcoin estimated to use half a percent of the world’s electric energy by end of 2018

Updates to Mac Virus

(1) Malwarebytes put up an interesting analysis of a new Mac Cryptominer: New Mac cryptominer uses XMRig.

Cryptomining malware targeting Mac users isn’t something we hear a lot about, but in his article Thomas Reed points out that: “Mac cryptomining malware has been on the rise recently, just as in the Windows world. This malware follows other cryptominers for macOS, such as Pwnet, CpuMeaner, and CreativeUpdate.”

Commentary from Pierluigi Paganini: Many users reported in the past few weeks their Macs have been infected with a new Monero Miner

(2) The Register: Apple will start coughing up government app takedown demand stats – “But applications the iGiant removes on its own won’t be included”

(3) Sophos: Google in court over ‘clandestine tracking’ of 4.4m iPhone users, plus TeenSafe phone monitoring app leaks teens’ iCloud logins in plaintext

(4) Appknox: Appknox M-Commerce Security Report Finds High Level Vulnerabilities in 84% Apps. Commentary from Help Net: High-level vulnerabilities discovered in 84% of Android shopping apps

David Harley

Anti-social media updates

(1) Graham Cluley for ESET: Woman says Alexa recorded and shared the private conversation she was having with her husband – “It’s every Amazon Alexa owner’s worst nightmare – your private conversations not just being listened to, but shared with random contacts without your knowledge.” Here’s Amazon’s curious explanation of how it happened:

“Echo woke up due to a word in background conversation sounding like ‘Alexa.’ Then, the subsequent conversation was heard as a ‘send message’ request. At which point, Alexa said out loud ‘To whom?’ At which point, the background conversation was interpreted as a name in the customer’s contact list. Alexa then asked out loud, ‘[contact name], right?’ Alexa then interpreted background conversation as ‘right’. As unlikely as this string of events is, we are evaluating options to make this case even less likely.”

(2) Also from ESET: Facebook refines 2FA setup, adds authenticator app support

(3) The Register: Welcome to your sci-fi dystopia: Sonic firewalls to crumble inaudible ad-tracking phone cookies – “Ultrasonic packets of data to and from your handheld killed”

(4) The Register: New Facebook political ad rules: Now you must prove your ID before undermining democracy – “The horse is a speck on the horizon – but at least the barn door now has a bolt on it … Facebook has rolled out its promised disclosure regime for political and issue advertising, heralding a new age of transparency and civic responsibility. Or so Facebook folks suggest…”

(5) Sophos: Google in court over ‘clandestine tracking’ of 4.4m iPhone users

(6) Sophos (again): Facebook’s counterintuitive way to combat nonconsensual porn

(7) The Register: ‘Facebook takes data from my phone – but I don’t have an account!’ – “Reg reader finds mobile apps can’t be cut or quieted”

(8) Gizmodo: Facebook and Google Accused of Violating GDPR on First Day of the New European Privacy Law – “So what are Facebook and Google allegedly doing to violate the GDPR? Privacy advocates in Europe say that instead of adhering to the letter of the law, companies aren’t really giving consumers a choice; you can either agree to let Facebook and Google collect enormous amounts of data on you, or you can delete their services. There is no middle ground.”

David Harley

New GDPR page

You might think that the day after the General Data Protection Regulation goes into effect in EU member states is a bit late in the day, but it seems there’s so much last minute panic and uncertainty around I thought I might at least put up some relevant links while the dust settles. These links are posted to the new page here.

Here’s a sensible article by Mirko Zorz for Help Net Security – GDPR: Today is the day – echoing a point I’ve been making to anyone who insisted on getting my opinion. “The other big misconception is that GDPR is forcing companies to think about something new. Legislation in the EU and UK to protect data has been around years before GDPR. What’s new in GDPR is the potential size of the fine and the fact that it can affect non-EU companies. Getting companies to think seriously about how they protect data has been an ongoing effort for many years.” The point I’ve been trying to make (though not previously in any sort of article) is that if you’ve been compliant with the Data Protection Directive that GDPR supersedes, and with harmonized legislation like the UK’s Data Protection Act (the 1998 Act having been replaced by the Data Protection Act 2018 in order to conform with GDPR), then GDPR shouldn’t be such a big deal. Yes, many organizations have needed to tweak their policies and practices, but the broad focus of the legislation, in the words of the Data Protection Act, is still along these lines:

The GDPR, the applied GDPR and this Act protect individuals with regard to the processing of personal data, in particular by—

(a) requiring personal data to be processed lawfully and fairly, on the basis of the data subject’s consent or another specified basis,

(b) conferring rights on the data subject to obtain information about the processing of personal data and to require inaccurate personal data to be rectified, and

(c) conferring functions on the Commissioner, giving the holder of that office responsibility for monitoring and enforcing their provisions.

Even organizations outside the European Union but engaged in transactions with member states should not be strangers to the need to address these issues: EU directives and legislation have applied them to transfers of personal data outside the EU for over two decades. Remember Safe Harbour? Of course, not all organizations have shown equal enthusiasm and prompt action. Microsoft, for instance, has announced that:

…we will extend the rights that are at the heart of GDPR to all of our consumer customers worldwide. Known as Data Subject Rights, they include the right to know what data we collect about you, to correct that data, to delete it and even to take it somewhere else. Our privacy dashboard gives users the tools they need to take control of their data.

(This is also a neat summary from Microsoft: In case you missed it: 10 of your questions from our GDPR webinars.)

Help Net also notes that “Apple has set up a Data and Privacy portal where users can make a request to download all the data Apple has on them, correct their personal information, deactivate or delete their account.”

Sounds good to me, in principle at least. No doubt we’ll have lots of fun seeing what happens in practice.

Facebook has been more equivocal, while claiming to be singing from the same hymn sheet, and ICANN has been noticeably wrong-footed in its belated attempts to bring WHOIS registration data into conformance. And there is no need for me to even try to name and shame all the services that are currently suspended while the providers try to sort themselves out.

Meanwhile, ESET offers to tell us Why GDPR affects companies around the world (video) and also offers a free guide and compliance check here. And here’s more advice from Jon Fielding of Apricorn for Help Net: It’s time to embrace GDPR

Gizmodo: Facebook and Google Accused of Violating GDPR on First Day of the New European Privacy Law – “So what are Facebook and Google allegedly doing to violate the GDPR? Privacy advocates in Europe say that instead of adhering to the letter of the law, companies aren’t really giving consumers a choice; you can either agree to let Facebook and Google collect enormous amounts of data on you, or you can delete their services. There is no middle ground.” No surprise there, then…

And, from the Guardian:

Most GDPR emails unnecessary and some illegal, say experts “Many firms have the required consent already; others don’t have consent to send a request”

David Harley

21st May 2018 update

Updates to Anti-Social Media 

Bleeping Computer: The Facebook Android App Is Asking for Superuser Privileges and Users Are Freaking Out

New Scientist: Huge new Facebook data leak exposed intimate details of 3m users – “Data from millions of Facebook users who used a popular personality app, including their answers to intimate questionnaires, was left exposed online for anyone to access, a New Scientist investigation has found.” And some commentary from The Register: How could the Facebook data slurping scandal get worse? Glad you asked – “Three million ‘intimate’ user profiles offered to researchers”

And commentary from Sophos: Facebook app left 3 million users’ data exposed for four years

Updates to Cryptocurrency/Crypto-mining News and Resources

US Securities and Exchange Commission: The SEC Has an Opportunity You Won’t Want to Miss: Act Now! – “The SEC set up a website, HoweyCoins.com, that mimics a bogus coin offering to educate investors about what to look for before they invest in a scam. Anyone who clicks on ‘Buy Coins Now’ will be led instead to investor education tools and tips from the SEC and other financial regulators.” Commentary from Sophos: Don’t invest! The ICO scam that doesn’t want your money

ZDNet: Brutal cryptocurrency mining malware crashes your PC when discovered  – “…the cybersecurity firm said the cryptomining malware aims to infect PCs in order to steal processing power for the purpose of mining the Monero cryptocurrency.”

Help Net Security: 25% of companies affected by cloud cryptojacking

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page may indeed be necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

Updates to Tech support scams resource page

Malwarebytes: Fake Malwarebytes helpline scammer caught in the act – Given how much work Malwarebytes have done on these scams, not good targeting on the scammer’s part.

Updates to Specific Ransomware Families and Types

Bleeping Computer: New Bip Dharma Ransomware Variant Released

ArsTechnica: All of Mugshots.com’s alleged co-owners arrested on extortion charges

Updates to Mac Virus

Bleeping Computer: The Facebook Android App Is Asking for Superuser Privileges and Users Are Freaking Out

Help Net Security: Google will force Android OEMs to push out security patches regularly

Kaspersky: WHO’S WHO IN THE ZOO. CYBERESPIONAGE OPERATION TARGETS ANDROID USERS IN THE MIDDLE EAST

Symantec: Malicious Apps Persistently Appearing on Google Play and Using Google Icons – “Seven apps have been discovered reappearing on the Play store under a different name and publisher even after these have been reported.”

Sophos: The next Android version’s killer feature? Security patches – “…the next version of Google’s mobile OS will require device makers to agree to implement regular security patches for the first time in the operating system’s history.”

Updates to Anti-Malware Testing

I worked with Symantec’s Mark Kennedy for some time when I was on the AMTSO Board of Directors. He knows much more than most about the organization and product testing in general, and this is an excellent and informative article: AMTSO Testing Standards: Why You Should Demand Them – “When it comes to security product testing, a good test in one context can turn out to be meaningless in another.”

Updates to Chain Mail Check

US Securities and Exchange Commission: The SEC Has an Opportunity You Won’t Want to Miss: Act Now! – “The SEC set up a website, HoweyCoins.com, that mimics a bogus coin offering to educate investors about what to look for before they invest in a scam. Anyone who clicks on ‘Buy Coins Now’ will be led instead to investor education tools and tips from the SEC and other financial regulators.” Commentary from Sophos: Don’t invest! The ICO scam that doesn’t want your money

Malwarebytes: Fake Malwarebytes helpline scammer caught in the act – Given how much work Malwarebytes have done on these scams, not good targeting on the scammer’s part.

David Harley

Devices on the dark side of your network

Infoblox have a very interesting report on What is Lurking on Your Network – Exposing the threat of shadow devices.

In his foreword, Gary Cox says:

“For IT departments, the complexities and security issues around managing BYOD schemes and unsanctioned Shadow IT operations have long been a cause for concern.

“In an increasingly complex, connected world, this challenge has now been exacerbated by the explosion in the number of personal devices individuals own, as well as the plethora of new IoT devices being added to the network.”

More reasons to feel uncomfortable with the unfettered enthusiasm for BYOD.

Commentary/summary from Help Net Security: Exposing the threat of shadow devices: “Employees in the US and UK admitted to connecting to the enterprise network for a number of reasons, including to access social media (39 percent), as well as to download apps, games and films … These practices open organizations up to social engineering hacks, phishing and malware injection.”

David Harley

May 12th resources update

Updates to Anti-Social Media 

Updates to Cryptocurrency/Crypto-mining News and Resources

Updates to Meltdown/Spectre and other chip-related resources

Updates to Mac Virus

Updates to Chain Mail Check

Palo Alto’s Unit 42 announces its report ‘SilverTerrier: The Rise of Nigerian Business Email Compromise’ in the blog article SilverTerrier Update: Increasingly Sophisticated Nigerian Cybercriminals Take Bigger Part of $3B BEC-Related Losses

Springer: Leaving on a jet plane: the trade in fraudulently obtained airline tickets

David Harley

Tech support scams article for ESET

Update to Tech support scams resource page

Article by me for ESET: Tech support scams and the call of the void

“Christopher Burgess for Security Boulevard on what happens When Scammers Fill the Tech Support Void … says: ‘I still haven’t figured out why those companies that provide tech support tend to hide the connectivity to these saviors of their brand in the weeds of the website, but they do, and we search—and sometimes we strike gold.’

However, I don’t think the reluctance of companies to draw attention to their support services is too much of a mystery…”

There may be persuasive reasons why providers are reluctant to engage directly with their customers, but the consequences may be grim for both provider and customer.

David Harley

Ransomware/Wiper-related updates

Updates to: Ransomware Resources

Help Net Security: Organisations across the UK are still struggling with ransomware

F-Secure: The Changing State of Ransomware

Updates to Specific Ransomware Families and Types

In response to this useful article by Kaspersky, this page now includes information on wipers, which often resemble or masquerade as ransomware but are essentially just destructive.

Threatpost (Kaspersky):

Secrets of the Wiper: Inside the World’s Most Destructive Malware. “Shamoon, Black Energy, Destover, ExPetr/Not Petya and Olympic Destroyer: All of these wiper malwares, and others like them, have a singular purpose of destroying systems and/or data, usually causing great financial and reputational damage to victim companies.”

ESET has previously published quite a lot of material on Black Energy which can be found here. Of course, other articles are available, but I get to see most of the ESET articles before they’re published, so I’m more aware of them.

Added to the WannaCry (WannaCrypt, WannaCryptor etc.) resources page: 

Bleeping Computer: One Year After WannaCry, EternalBlue Exploit Is Bigger Than Ever

ESET:

David Harley

IoT resource/news updates

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

(1) Brian Krebs talks about the asymmetry in cost and incentives when IoT devices are recruited for DDoS attacks like one conducted against his site: Study: Attack on KrebsOnSecurity Cost IoT Device Owners $323K.

He observes: “The attacker who wanted to clobber my site paid a few hundred dollars to rent a tiny portion of a much bigger Mirai crime machine. That attack would likely have cost millions of dollars to mitigate. The consumers in possession of the IoT devices that did the attacking probably realized a few dollars in losses each, if that. Perhaps forever unmeasured are the many Web sites and Internet users whose connection speeds are often collateral damage in DDoS attacks.”

Some of his conclusions are based on a paper from researchers at the University of California, Berkeley School of Information: the very interesting report “rIoT: Quantifying Consumer Costs of Insecure Internet of Things Devices”.

(2) Product test specialists AV-Test conducted research into the security of a number of fitness trackers (plus the multi-functional Apple Watch): Fitness Trackers – 13 Wearables in a Security Test. On this occasion, the results are fairly encouraging.

(3) Bleeping Computer: 5,000 Routers With No Telnet Password. Nothing to See Here! Move Along! – “The researcher pointed us to one of the router’s manuals which suggests the devices come with a passwordless Telnet service by default, meaning users must configure one themselves.”

(4) Help Net Security: Hacking for fun and profit: How one researcher is making IoT device makers take security seriously. Based on research by Ken Munro and Pen Test Partners.

David Harley