Tag Archives: Brian Krebs

The FBI and VPNFilter

Updates to Internet of (not necessarily necessary) Things

The Register: FBI to World+Dog: Please, try turning it off and turning it back on – “Feds trying to catalogue VPNFilter infections”

FBI alert: Foreign cyber actors target home and office routers and networked devices worldwide

Sophos commentary: FBI issues VPNFilter malware warning, says “REBOOT NOW” [PODCAST]

Comprehensive article (of course!) from Brian Krebs: FBI: Kindly Reboot Your Router Now, Please

Updates to GDPR page

Sophos: Ghostery’s goofy GDPR gaffe – someone’s in trouble come Monday!


David Harley


IoT resource/news updates

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

(1) Brian Krebs talks about the asymmetry in cost and incentives when IoT devices are recruited for DDoS attacks like one conducted against his site: Study: Attack on KrebsOnSecurity Cost IoT Device Owners $323K.

He observes: “The attacker who wanted to clobber my site paid a few hundred dollars to rent a tiny portion of a much bigger Mirai crime machine. That attack would likely have cost millions of dollars to mitigate. The consumers in possession of the IoT devices that did the attacking probably realized a few dollars in losses each, if that. Perhaps forever unmeasured are the many Web sites and Internet users whose connection speeds are often collateral damage in DDoS attacks.”

Some of his conclusions are based on a paper from researchers at the University of California, Berkeley School of Information: the very interesting report “rIoT: Quantifying Consumer Costs of Insecure Internet of Things Devices”.

(2) Product test specialists AV-Test conducted research into the security of a number of fitness trackers (plus the multi-functional Apple Watch): Fitness Trackers – 13 Wearables in a Security Test. On this occasion, the results are fairly encouraging.

(3) Bleeping Computer: 5,000 Routers With No Telnet Password. Nothing to See Here! Move Along! – “The researcher pointed us to one of the router’s manuals which suggests the devices come with a passwordless Telnet service by default, meaning users must configure one themselves.”

(4) Help Net Security: Hacking for fun and profit: How one researcher is making IoT device makers take security seriously. Based on research by Ken Munro and Pen Test Partners.

David Harley

Social media memes and secret questions

Back in 2012, Virus Bulletin published an article of mine called Living the Meme about how meme-ish things shared on social media might be an invitation to give away information that could be useful to an attacker.

If I can quote myself (of course I can!)

Secret answers to security questions posed by banking sites and the like as a supplement to passwords, or for people who forget their passwords, are pretty stereotyped. Names of relatives, names of pets, first school, childhood address and so on are highly characteristic, so some security commentators suggest inventing answers to such questions rather than using real data. That’s a logical alternative to inventing your own challenge/response – which is rarely an option – and I’m all in favour of it, as long as it doesn’t contravene some legal or quasi-legal restriction.

In a recent article Brian Krebs makes a similar point, but cites a number of up-to-date examples where ‘seemingly innocuous little quizzes, games and surveys’ ask for information similar to that used for online accounts as ‘secret questions’: Don’t Give Away Historic Details About Yourself.

David Harley

Resources updates, 26 March 2018

Updates to Anti-Social Media

Updates to Specific Ransomware Families and Types

Updates to Cryptocurrency/Crypto-mining News and Resources

David Harley

22nd March Resources Update

Cryptocurrency/Crypto-mining News and Resources

Anti-Social Media

Mac Virus

Scammers using Dell support data?

If support scammers are using Dell customer data, as seems to be the case, Dell could certainly be more proactive in warning its customers, despite its own concerns about being seen as vulnerable to external or internal data leakage. But at least they’re now trying to gather info on the issue.

See my article here: Support Scammers Targeting Dell Customers with links to related articles by Brian Krebs, Dan Goodin et al.

Excerpt:

… not everyone who is [a Dell customer] has the technical grasp that Krebs’s correspondents seem to have. So perhaps it’s time Dell at least made more effort to notify people using its products (and especially its support services) that scammers may have such data, and that possession of such data shouldn’t be taken as some sort of validation of the bona fides of a cold-caller.

Added to the resources page, of course.

David Harley

Ransomware, the Cloud, and DDoS

Ransoming the Cloud

On the ransomware resources page, I recommended:

Back up your data to an external device. And to cloud services as well, if you like. Bear in mind, though, that if your data is backed up somewhere that’s ‘always on’ while you’re using your computer, there’s a risk that ransomware (or other malicious software) might be able to encrypt, delete or corrupt your backed-up data too. For the same reason, don’t try to restore backed-up files from an offline resource (at any rate, a write-enabled one) until you’re sure the malware is no longer present and active on your system.

In Ransomware a Threat to Cloud Services, Too, Brian Krebs notes an instance where, after an employee of Children in Film opened an attachment passed off as an invoice, over 4,000 files on a cloud server mounted as a local drive had been encrypted by TeslaCrypt within 30 minutes. Fortunately, according to Krebs, the cloud hosting company kept daily backups and the company was able to use BleepingComputer’s TeslaDecoder to decrypt the files without paying the extortionists, but the inconvenience was still significant.
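The two points above (an always-on backup or mounted cloud share is reachable by the same malware that hits the workstation, and nothing should be restored until you know what state the backup is in) can be turned into a simple check. The following is an added example of mine, not code from the original post or from Krebs’s article: it takes a hash manifest of the backup at backup time (to be kept somewhere the malware cannot write to), then compares the mounted copy against that manifest before any restore, flagging files that were modified, removed, or newly added, and files whose byte entropy is close to that of ciphertext. The ‘ransomware’ here is a constructed simulation (random bytes written over two files, an assumed ‘.locked’ extension, a dropped note); it is not a description of how TeslaCrypt itself behaves.

```python
import hashlib
import json
import math
import os
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0..8. Ciphertext sits near 8; plain text near 4-5.
    Caveat: already-compressed data (zip, jpeg) is also high-entropy, so this
    is a hint to investigate, not proof of encryption on its own."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _relative_files(root: Path) -> dict:
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): p
        for p in root.rglob("*") if p.is_file()
    }


def build_manifest(root: Path) -> dict:
    """Taken at backup time. Store the manifest off the always-on share it
    describes (read-only or offline media), or it can be tampered with too."""
    return {rel: sha256_file(p) for rel, p in sorted(_relative_files(root).items())}


def verify_backup(root: Path, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare the mounted backup against its manifest before restoring."""
    report = {"intact": [], "modified": [], "missing": [], "unexpected": [], "high_entropy": []}
    present = _relative_files(root)
    for rel, expected in manifest.items():
        p = present.get(rel)
        if p is None:
            report["missing"].append(rel)
        elif sha256_file(p) == expected:
            report["intact"].append(rel)
        else:
            report["modified"].append(rel)
    for rel, p in present.items():
        if rel not in manifest:
            report["unexpected"].append(rel)
        if shannon_entropy(p.read_bytes()) >= entropy_threshold:
            report["high_entropy"].append(rel)
    for key in report:
        report[key].sort()
    # Any divergence from the manifest means the copy was reachable while the
    # malware was active: do not restore from it until that is understood.
    report["safe_to_restore"] = not (report["modified"] or report["missing"] or report["unexpected"])
    return report


def demo() -> dict:
    """Constructed scenario: a 'cloud drive' is backed up and manifested, then
    touched by simulated ransomware while still mounted."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)
        (share / "docs").mkdir()
        (share / "docs" / "report.txt").write_text("Quarterly report, nothing encrypted here.\n" * 40)
        (share / "invoice.csv").write_text("id,amount\n1,120.00\n2,75.50\n" * 30)
        manifest = build_manifest(share)
        # Simulated damage (assumptions, not real malware behaviour): one file
        # overwritten in place, one renamed with an extension and overwritten,
        # and a note dropped in the root of the share.
        (share / "invoice.csv").write_bytes(os.urandom(4096))
        locked = share / "docs" / "report.txt.locked"
        (share / "docs" / "report.txt").rename(locked)
        locked.write_bytes(os.urandom(4096))
        (share / "HOW_TO_RESTORE.txt").write_text("pay us\n")
        return verify_backup(share, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is only useful if the attacker cannot rewrite it along with the data, which is the same reason the page recommends write-protected or offline copies; versioned or snapshot-based storage gives you the same property without a separate manifest, since the pre-infection version is still there to compare against.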

DDoS Statistics

For Tripwire, David Bisson summarizes some of the detail from a report from cloud provider Akamai on trends in DDoS (Distributed Denial of Service) attacks, often associated with attempted extortion.

Cloud Security Alliance Survey

The Register reports that a CSA poll found that:

  • Some respondents would pay very large sums to extortionists to avoid data dumps.
  • Gambling sites continue to be targeted with threats of DDoS attacks, often coinciding with major sporting events.
  • “… even police and law enforcement agencies [are] recommending organisations hit by the most water-tight ransomware encryption attacks to pay up to get their decryption keys.”

The article also suggests a link between the Hidden Tear open source code and the not-very-successful Linux.Encoder.

DD4BC

And here are a couple of items about the DD4BC (DDoS for BitCoin) gang:

  • ESET reports on Operation Pleiades in which several countries cooperated with Europol against the threat.
  • A related story from the BBC.

All items added to the ransomware resources page.

David Harley

iYogi tech support – sued by State of Washington

The name iYogi will not be unfamiliar to you, if you’ve been following how the tech support scam has been evolving over the past few years.

In Fake Support, And Now Fake Product Support I described how a legitimate and ethical AV company outsourced its support to the iYogi company in India. This must have seemed at the time an entirely reasonable way of addressing a difficulty that faces security companies with a product version that is free to consumers: what happens when users of that product need support? Running a tech support operation is a significant cost even for companies that charge for all their products (time-limited trials excepted, of course). The idea was that Avast! customers would get free support for Avast!-related queries, but would then be offered an upgrade to a for-fee iYogi support package. However, the AV company’s understanding was that:

here at AVAST, we never phone our customers (unless they specifically ask us to of course) and none of the partners we work with do either.

Unfortunately, it seemed that iYogi’s understanding of the situation was rather different. According to Brian Krebs, reported incidents of tech support scam cold calls from “Avast customer service” did indeed turn out to have originated with iYogi.

While someone describing himself as the co-founder and president of marketing at iYogi strongly denied any connection with the usual gang of out-and-out scammers, Avast! found it necessary to suspend its arrangement with the company. Avast!’s later arrangements for customer support are discussed on the company’s blog here.

iYogi’s recent activities seem to have continued to attract controversy. A recent article from Help Net Security tells us that Washington State has announced a lawsuit against iYogi, alleging that ‘iYogi’s tactics are unfair and deceptive business practices that violate Washington’s Consumer Protection Act.’ The activities in which the company is alleged to have engaged have a familiar ring, involving deceptive online advertisements, misleading ‘diagnostics’, and aggressive selling of support plans and of the company’s own anti-virus software. In a twist I haven’t encountered before, the Washington suit, filed in King County Superior Court, claims that:

iYogi tells the consumer that upgrading to Windows 10 from Windows 7 or 8 costs $199.00 if the upgrade is done independently, but that the upgrade is “included” for free as part of iYogi’s five-year service package or for $80 as part of iYogi’s one-year package. In fact, an upgrade to Windows 10 is free for Windows 7 or 8 users who choose to do so independently. In addition, iYogi incorrectly tells consumers that their computers will stop working if they do not upgrade to Windows 10 soon.

Help Net quotes Microsoft as estimating that 71,000 residents of Washington lose $33m each year to such scams, out of an estimated 3.3m Americans who lose $1.5b in a year.

David Harley

Status Epsilon-icus*

Ok. That wasn’t the last update.

And very possibly the last update here (the target blog suggests why…): Epsilon Overkill and the Security Ecology

Update 3: Rebecca Herson evaluates some of the advice given by Epsilon’s customers for coping with the phlurry of phish anticipated post-Epsilon: http://blog.commtouch.com/cafe/email-security-news/advice-after-the-epsilon-breach/

Links and a little extra irony from me: http://chainmailcheck.wordpress.com/2011/04/07/epsilon-epidemic/

Update 2: a discomfiting suggestion that there was a longstanding problem that Epsilon was actually aware of: http://www.itnews.com.au/News/253712,epsilon-breach-used-four-month-old-attack.aspx (hat tip to Kurt Wismer, again)

Update: a few more articles you might find worth reading.

It’s reasonable to assume that the Epsilon fiasco will lead to an epidemic: at any rate, luminaries such as Brian Krebs and Randy Abrams are making that assumption, and publishing some excellent proactive advice accordingly. So rather than go over the same ground, I’ll just cite some of the more useful blog posts around that.

Two highly relevant posts by Brian Krebs:

And two relevant posts by Randy:

A list of companies known to have been affected, from ThreatPost: http://threatpost.com/en_us/blogs/list-companies-hit-epsilon-breach-040511

And a characteristically to-the-point rant by Kurt Wismer on why it wouldn’t be an issue in a sane world: http://anti-virus-rants.blogspot.com/2011/04/why-epsilon-breach-shouldnt-be-issue.html

*Yes, a rather forced pun, I know. http://en.wikipedia.org/wiki/Status_epilepticus 

David Harley CITP FBCS CISSP
AVIEN Dogsbody
ESET Senior Research Fellow