STE WILLIAMS

The Current State of Ransomware – a new paper from SophosLabs

In the past year or two, one of our most popular technical topics, for all the wrong reasons, has been ransomware.

Ransomware, as we’re sure you know, is the punch-in-the-face malware that scrambles your files, sends the only copy of the decryption key to the crooks, and then offers to sell the key back to you.

Even Linux has ransomware these days, although fortunately we’ve only seen one serious attempt at Linux-based extortion so far, presumably because cybercriminals haven’t yet figured out how to make money in that part of the IT ecosystem.

Let’s hope it stays that way for Linux sysadmins, because the crooks are still attacking Windows users heavily, and are still raking in lots of ill-gotten gains.

THE CRYPTOLOCKER YEARS

Two years ago, one strain of ransomware known as CryptoLocker dominated the demanding-money-with-menaces malware scene.

The US Department of Justice (DoJ) suggested that the crew behind CryptoLocker raked in $27,000,000 in September and October 2013 alone, in the first two months that the malware was widely reported.

And a 2014 survey by the University of Kent in England estimated that 1 in 30 British computer users had been hit by CryptoLocker, and that 40% of those coughed up, paying hundreds of dollars each in blackmail money to recover their data.

But in mid-2014, the DoJ co-ordinated a multi-country takedown of a notorious botnet called Gameover Zeus that targeted victims while they were doing online banking.

And, would you believe it: while the cops were raiding the Gameover servers, they came across the CryptoLocker infrastructure as well, and took down those servers at the same time, pulling off a neat double play.

CryptoLocker doesn’t start its data scrambling until after it has called home for an encryption key, so killing its servers pretty much neutralised the warhead of the malware: it would get right to the very brink of detonation and then freeze, waiting for data that never came.

But any celebration about the damage done to the ransomware scene as a whole was short-lived.

RANSOMWARE REDUX

Cybercrime, if you will tolerate a clumsy metaphor, abhors a vacuum, and new ransomware soon appeared to fill the multi-million-dollar void left by the demise of CryptoLocker.

CryptoWall, and its close derivative CryptoDefense, were early pretenders for CryptoLocker’s throne, but many others have appeared, too.

Threats like TorrentLocker, CTB-Locker and TeslaCrypt are big names these days, joined by other intriguing threats such as VirLock, ThreatFinder (an ironic name, considering that it is itself the threat) and CrypVault.

WHAT TO DO?

When it comes to malware of this sort, the dictum “know your enemy” is worth remembering.

With this in mind, James Wyke and Anand Ajjan, who are Senior Threat Researchers in SophosLabs, have recently published a thorough and well-written paper entitled The Current State of Ransomware.

This paper is a highly-recommended read – and it’s a free download, no registration required.

You’ll learn about the history of ransomware, the latest threats, how they work, and what you can do to defend yourself.

Great stuff from SophosLabs!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/__FMsc5FvSo/

Australian government urges holidaymakers to kill two-factor auth

The Australian government is urging its citizens to turn off two-factor authentication while abroad.

The official Twitter account for myGov – a portal for accessing government services online – told Aussies this week: “Going overseas this summer? If you’re registered for myGov security codes make sure you turn them off before you go.”

The startling tweets come complete with professional cartoon graphics, clearly suggesting that rather than a civil servant going rogue on an idle afternoon, the advice was produced as a matter of policy.

The myGov website allows Australians to tap into a broad range of government services including tax payments, health insurance, child support, and so on. Since this tends to involve sensitive personal information, it’s wise to protect one’s account with two-factor authentication – such as a one-time code texted to a phone that needs to be given to the website while logging in.

There’s a fear that while citizens are overseas, they may not be able to reliably get these text messages (or be charged an extra fee to receive them) if they try to use myGov. So the advice is: turn off this protection when out the country, and turn it back on again when you return.

Except, of course, that rather misses the entire reason for two-factor authentication, and puts convenience above the actual security of your information.

What’s more, people are significantly more likely to be using online services in less secure settings when they are abroad, so removing a vital protection at exactly that time makes it all the more likely that their accounts will be compromised.

In other words, this is really terrible advice.

The entire point of two-factor auth is to make it so that if someone manages to snatch a look at your username and password, they can’t automatically log into your account.

As such, what the Australian government is doing is the exact opposite of what it should be doing, which is educating people about alternative ways to secure their accounts, rather than pushing the crazy message that security is about convenience and that you should simply drop it when it requires a little extra effort. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/22/australian_government_twofactor_auth/

Cisco probes self for Juniper-style backdoors, silently mouths: ‘We’re doing this for yooou’

In the wake of the Juniper router backdoor scandal, Cisco is reviewing its source code to make sure there are no similar nasty surprises lurking within.

“Our development practices specifically prohibit any intentional behaviors or product features designed to allow unauthorized device or network access, exposure of sensitive device information, or a bypass of security features or restrictions,” Cisco said in an advisory.

“These include, but are not limited to undisclosed device access methods or ‘backdoors’, hardcoded or undocumented account credentials, covert communication channels, or undocumented traffic diversion.”

Having said that, in light of the Juniper cluster-fsck, Cisco will, we’re told, conduct a thorough audit of its code to make sure no sneaky coder has been fiddling with its firmware to make its equipment less secure. This will include examining the source code, and hiring penetration testers to stage attacks and see if weaknesses can be found.

The networking giant has committed to publishing the results of the research and will let customers know if any holes have been found, once patches are available.

“Cisco launched the review because the trust of our customers is paramount. We have not been contacted by law enforcement about Juniper’s bulletin, and our review is not in response to any outside request. We are doing this because it’s the right thing to do,” the firm said.

That’s true, up to a point. But there’s also the fact that Cisco is keen to preserve customer confidence. Ever since the Edward Snowden leaks, Cisco has seen sales take a hit, particularly in Asia, over fears that it’s a stooge for the NSA.

Those fears are still causing problems, and Juniper’s woes will have further knock-on effects throughout the industry. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/22/cisco_code_review/

IT bloke: Crooks stole my bikes after cycling app blabbed address

An IT manager in Manchester, England, says thieves stole his bikes after a smartphone cycling app pinpointed the location of his garage.

Mark Leigh, 54, of Failsworth, said his two bicycles – worth £500 ($750) and £1,000 ($1,500) – were nicked shortly after he made his address and details of his bikes public on the popular biking app Strava, the Manchester Evening News reports.

The app includes an optional privacy setting that conceals the exact location of your home, but Leigh was not aware of this switch when he shared details of his bike rides via the software. Strava encourages people to publish their routes and journey times to make the application more engaging among enthusiasts.

Unfortunately, doing so tips off crooks as to where bikes are kept and when they are not in use.

“I’d come back from a ride around the Saddleworth hills, which I tracked on Strava,” Leigh told the newspaper. “I locked my bike in the garage next to another one. The following morning my garage had been cleverly broken into and they were gone.”

Leigh notes that his garage is not very visible and is at the end of a narrow cul-de-sac. The fact that only the bikes were stolen, when there were lots of other valuable items in the garage, and that there were no other break-ins nearby leads him to believe the thieves must have been using Strava as a way to find easy targets.

His fears were confirmed by an organizer of a local cycling club who told the paper that he had lots of reports in recent months where bicycles had been stolen and the owners suspected it was due to their use of cycling apps advertising their location.

All of which is a timely reminder of why people should be careful about what apps they use and what information they share, and why it’s worthwhile spending a bit of time digging into the privacy settings that many apps now offer. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/22/it_manager_loses_bikes_after_cycling_app_pinpoints_home/

Torrenting Still A Thorn In Enterprise Networks

A quarter of enterprises still see torrenting activity and among those, 43 percent of apps contain malicious elements.

Even though the typical corporate policy today forbids peer-to-peer file sharing, the reality is that many enterprises still bear the brunt of torrenting activity.  According to a new report out by security rating firm BitSight Technologies, nearly one in four firms today have P2P activity lurking on their networks. And that is bringing a lot of risk to the P2P party.

“While the sharing and downloading of copyrighted or pirated content and applications over peer-to-peer typically violates most corporate policies, the behavior continues to occur at a high rate,” says Stephen Boyer, co-founder and CTO of BitSight.

Across the more than 30,000 corporate networks that BitSight observes for security soundness, 23 percent of them were using the popular BitTorrent protocol for P2P file sharing.  

The high rate of enterprise P2P prevalence is disturbing if not surprising. According to a report out earlier this month from broadband management firm Sandvine, torrent traffic accounts for 29 percent of all upstream U.S. Internet traffic during peak hours. That’s four times as much as Netflix, Google Cloud or YouTube upstream activity. In fact, it is more than all three put together.

Digging deeper into the issue, BitSight found that 43 percent of torrented applications contain malicious software. This is key, considering that the currency of enterprise torrenting is software, rather than the traditional media most people associate with P2P sharing.

“Movies and games often come to mind when organizations think about P2P file sharing; however, the majority of infected applications that we uncovered were either Adobe Photoshop, Microsoft Office or various versions of the Microsoft Windows operating system,” Boyer says.

Unsurprisingly, given the high rate of infections carried out through torrented applications, BitSight also found that a higher rate of botnet activity correlated directly to the detection of P2P use on a given network. Machines on networks exhibiting P2P use are far more likely to suffer from botnet infections.

“The high malware infection rates suggest that organizations with file sharing activity are more susceptible to machine takeover,” Boyer says. “File sharing activity can serve as one of many key risk indicators and should be considered not only internally, but also when assessing vendor risk, conducting M&A due diligence, and underwriting cyber insurance.”

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: http://www.darkreading.com/torrenting-still-a-thorn-in-enterprise-networks/d/d-id/1323665?_mc=RSS_DR_EDT

2015 Ransomware Wrap-Up

Here’s a rundown of the innovative ransomware that frightened users and earned attackers big bucks this year.

It’s been a banner year for ransomware operators…and a nerve-wracking one for anybody responsible for securing endpoints. 

Although some of the malware may issue empty threats, some of it has proven just as nasty as it claims. Researchers found that 30 percent of organizations admitted they’d pay ransom requests, and even multiple police departments have succumbed to them, when nobody was able to recover their encrypted files or their back-ups.

In 2015 ransomware operators were innovative not only with their code but with their business models – and estimates of their returns on investment indicate that business is booming.

Here’s a quick rundown of the new ransomware that hit the scene in 2015.


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: http://www.darkreading.com/endpoint/2015-ransomware-wrap-up/d/d-id/1323424?_mc=RSS_DR_EDT

3.3 million Hello Kitty fans exposed in database leak

Hello Kitty, and hello to the leaked details of 3.3 million of the cartoon’s fans.

Over the weekend, security researcher Chris Vickery told CSO’s Salted Hash security blog that he’d discovered a database for the official online community of sanriotown.com, home to Sanrio’s Hello Kitty and her many pals.

Vickery said that the breached data included full names, birth dates that were encoded but easily reversible, gender, country of origin, email addresses, unsalted SHA-1 password hashes, and password reset questions and answers.

The exposed database houses 3.3 million accounts and has ties to a number of other Hello Kitty portals.

Accounts registered at these portals are also involved in the breach: hellokitty.com; hellokitty.com.sg; hellokitty.com.my; hellokitty.in.th; and mymelody.com.

Beyond the main sanriotown database, Vickery also found two additional backup servers containing mirrored data, with the earliest logged exposure dating to 22 November.

Vickery said that he’s notified both Sanrio and the ISP on whose servers the database was hosted.

Hello Kitty is wildly popular, both with children and adults.

She’s a minimalist white creature (Hello Kitty is not a cat, Sanrio will tell you: she’s actually a London schoolgirl who herself owns a cat) that was originally marketed at pre-adolescent girls.

But at this point, Hello Kitty also has a sizable adult following in the subculture of kawaii – those who adore all things cute and Japanese.

The Hello Kitty breach is the second in a matter of weeks that’s involved the data of children.

At the end of November, electronic toy vendor VTech was breached, with the tally including names, email addresses, passwords, and home addresses of 4,833,678 parents, and the first names, genders and birth dates of more than 200,000 children.

As if that wasn’t bad enough, the breach also included thousands of pictures of parents and kids, a year’s worth of chat logs stored online in a way that was reportedly easy to hack, as well as audio recordings, some of kids’ voices.

Chris Vickery, for his part, has been hella busy.

Last week, he discovered that Mac cleaning/performance-boosting/security-enhancing app MacKeeper is actually failing to keep 13 million Macs safe.

MacKeeper, found to be publicly exposing 13,000,000 customer records, runs on database software called MongoDB.

So too does Hzone, a dating app for HIV-positive people that was likewise found to be leaking sensitive user data, Vickery went on to disclose last week.

According to Softpedia, Vickery also reported data breaches for OkHello, a video chat app; Slingo, an online gaming site; iFit, a fitness app; Vixlet, a social network; and California Virtual Academies, an online school network.

MongoDB databases were blamed for all the breaches.

It’s unclear if the Hello Kitty database was also MongoDB.

But Vickery told Forbes on Monday that he’s found yet another MongoDB leak that also involves children’s details: this one’s reportedly at the Major League Baseball (MLB) Digital Academy site, where Little League kids can compare their swings and match data with the pros.

Vickery told Forbes that a mix of 20,000 accounts of parents and children were in the database he uncovered.

He’s apparently finding all these MongoDB databases by doing searches using a tool called Shodan, a search engine for internet-connected devices.

Soon after Vickery’s string of findings, Shodan founder Chris Matherly reported that there are currently 35,000 improperly configured MongoDB databases, leaking about 649 TB of data.

But back to Hello Kitty: just as with the VTech breach, those with registered accounts on the Sanrio sites should change their passwords immediately.

That goes for children too.

If those same passwords have been used on other sites, make sure to change them wherever else they’re used.

Also change any password-reset question and answer pairs that are reused elsewhere.

Remember: use a unique, strong password for every site or service.
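The Sanrio dump is reported above to hold unsalted SHA-1 hashes, and the advice that follows is not to reuse passwords; the two points are connected. This added example (written for this page, not taken from the breach report; the accounts and passwords are constructed) shows that with a bare SHA-1 every account sharing a password shares a hash, so one recovered password exposes all of them and the same hash turns up in any other site using the same scheme, whereas a per-user salt and a slow KDF give every account a distinct, independently verifiable record.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample accounts (not real breach data). Two of them share a password,
# which is exactly the situation password reuse creates across and within sites.
USERS = {
    "alice@example.com": "hellokitty1",
    "bob@example.com": "hellokitty1",
    "carol@example.com": "correct horse battery",
}


def unsalted_sha1(password: str) -> str:
    """The weak scheme the article reports: a bare SHA-1 of the password.
    Same password anywhere -> same hex digest, so a dump doubles as a lookup table."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_pbkdf2(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    The record is self-describing so the parameters can be raised later."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_hash_groups(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Group accounts whose stored value is identical. With an unsalted scheme,
    every member of a group falls together once one member's password is known."""
    groups: Dict[str, List[str]] = {}
    for user, h in records.items():
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def demo() -> dict:
    """Hash the constructed accounts both ways and report what a defender would check."""
    weak = {u: unsalted_sha1(p) for u, p in USERS.items()}
    strong = {u: salted_pbkdf2(p) for u, p in USERS.items()}
    return {
        "weak_collisions": shared_hash_groups(weak),      # alice and bob grouped
        "strong_collisions": shared_hash_groups(strong),  # empty: salts differ
        "verify_ok": verify_pbkdf2("hellokitty1", strong["alice@example.com"]),
        "verify_bad": verify_pbkdf2("wrong", strong["alice@example.com"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```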

Here’s an article that explains why that’s so important, and here’s another that walks you through creating a proper password.

Image of Hello Kitty courtesy of dean bertoncelj / Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Hz2l99zDoM0/

Facebook moves videos away from Flash, onto HTML5, for all browsers

Facebook has joined a number of big web presences that are moving away from Flash, announcing on Friday that it’s switched to HTML5 for all its web videos.

That includes videos on News Feed, Pages and in its embedded video player.

This is not the ultimate death knell for Flash on Facebook, however.

Flash is going away for video, but it’s staying put in games.

Facebook Front End Engineer Daniel Baulig said in a post that Facebook will still work with Adobe to deliver “a reliable and secure Flash experience” for games.

But HTML5 has now supplanted Flash for video in all browsers by default, Baulig said.

The reason for the move, he said:

Moving to HTML5 best enables us to continue to innovate quickly and at scale, given Facebook’s large size and complex needs.

This isn’t surprising.

Soon after Facebook’s Chief Security Officer, Alex Stamos, joined the company in June, he declared that it was time to end-of-life Flash.

Specifically, he tweeted that…

It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.

Though Flash has seen its share of zero-days reported and exploited, including several extracted from the detritus of the breach at security company Hacking Team, Facebook didn’t mention security as a reason for switching its videos to HTML5.

What Baulig did mention as benefits of HTML5:

  • Developmental velocity. Baulig said that web technologies allow Facebook to tap into what he called the “excellent tooling” that exists in browsers, among the open source community, and at Facebook in general. Freedom from recompiling code and being able to apply changes directly in the browser allow Facebook to move fast, he said.
  • Testability. Baulig said that Facebook has an “excellent testing infrastructure”. By moving to HTML5 video, it can take advantage of the infrastructure’s web tools, like Jest (for “painless” JavaScript unit testing) and WebDriver (for automating the testing of web applications and verifying that they work as expected).
  • Accessibility. Baulig credits HTML5 with making it possible for Facebook to build a player that’s fully accessible to screen readers and keyboard input. Facebook can also leverage HTML5’s accessibility tools to make it easier for people with visual impairments to use its products.

What HTML5 did not do: work without a hitch. At least, not without a lot of tweaking, Baulig said.

After a lot of work to iron out browser bugs, get the logging right, deal with what turned out to be worse performance in older browsers, and overcome a slowdown in how quickly Facebook’s site was loading, Facebook finally reached a level where it felt happy with its HTML5 switch, Baulig said.

Make that very happy:

Videos now start playing faster. People like, comment, and share more on videos after the switch, and users have been reporting fewer bugs. People appear to be spending more time with video because of it.

Facebook moved to HTML5 for newer browsers some time ago. But at this point, it’s all HTML5 for all browsers, all the time, for all your Facebook video needs.

After a good deal of work, Facebook has gotten to the point where it doesn’t need Flash for video. We should point out, as we have in the past, that neither do we.

We recommend turning it off – that’s actually number 7 in our list of advent tips.

Granted, some of us may find it difficult to entirely cut out Flash, given that some sites still depend on the technology.

But we recommend at least turning Flash off by default and enabling it on a case-by-case basis, as a way to reduce your browser’s attack surface.

Browser vulnerabilities existed before Flash, and others will exist after it’s gone, but turning it off is easy enough, and it’s worthwhile, given the bang for the security buck.

At any rate, YouTube already switched, Facebook’s now abandoned Flash for video (and will presumably abandon it at some point for games as well, given Stamos’s earlier remarks), and the BBC’s testing an HTML5 alternative for its iPlayer.

With those big web presences moving off Flash, people will find it even easier to live without it in 2016.

The wind is blowing in one direction.

It may not be only for security reasons, but we’ll all be a bit more secure because of it.

Image of Facebook.com in browser courtesy of Pan Xunbin / Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/cswATHp-5Xo/

Advent tip #22: Got a new gadget for Christmas? Stop. Think. Connect.

We’ve already reminded you about the importance of updates, back in Advent tip #10.

But it’s easy to forget that even new devices typically need updates right away, because they’re not really new as in “manufactured this morning and patched immediately” but new as in “packaged ready for first use by the customer, then shipped, stored and sold.”

For example, I recently bought a current-model MacBook which was shipped to the store before OS X El Capitan 10.11 came out, but was purchased by me just afterwards.

I don’t know about you, but I like breaking that seal myself – OK, the transparent sticky tape – and doing the unboxing at home at my own, reverent pace. (Not that I’m a fanbuoy or anything, just to make that clear.)

Of course, that means I knew full well that when I fired up my new laptop for the first time, it was going to have OS X Mavericks 10.10 on it, which I’d need to upgrade and then update if I wanted the latest security fixes before doing anything serious on my own account.

Installing El Capitan is procedurally painless, but to do it online via the App Store requires waiting for a download of about 6GB, which can take hours on many household connections, for example if you use a mobile (3G/LTE) network.

So, the question is: do you have the will to wait?

Please do, no matter how enticing your new phone/laptop/router/digital kettle might look.

Sit back, relax, have another mince pie, and don’t get pwned on Christmas morning!

💡 LEARN MORE – When kettles need patching ►

💡 LEARN MORE – When routers need patching ►

💡 LEARN MORE – When TVs need patching ►

Images of Christmas tree and Advent calendar courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/2WvuqprPkuU/

The Industrial Cyber Myth: It’s No Fantasy

As threats become more sophisticated, the industry is still playing catch-up.

New cyber threats materialize every day, getting more frequent and more sophisticated. We all know about the game-changing Stuxnet cyberattack on Iran’s nuclear facilities back in 2010, but there’s no need to look that far back. A much shorter look back to 2014 will show us far worse: increasingly sophisticated attacks such as Flame, Shamoon and Havex that are equally as worrisome as “the Big S.”

Let’s face it: malware today is quality stuff, polymorphic and highly intelligent. 

Unfortunately, targeted attacks on critical infrastructure rarely make it to the news, and so they are shrouded in mystery to the point where some may even call them mythic. 

There have been incidents, however — major ones. Within just the past year we’ve seen multiple cyber espionage campaigns, including Dragonfly and Black Energy. We’ve seen physical damage occur as the result of a cyber incident, in the case of a German steel mill, widely reported in Wired and other media early this year, where “massive” damage resulted from a cyberattack that prevented the proper shutdown of a blast furnace, according to a German report.

The “advanced threat” continues to evolve. Newer malware has even been able to successfully breach a leading cyber security research lab. Duqu 2.0, which was discovered earlier this summer by Kaspersky Lab, has taken the title and is now being lauded as “the most sophisticated malware ever seen.” The cyber-espionage tool was authored by the same team responsible for the original Duqu, which in turn is believed to be a variant of that original Iranian-enrichment-debilitating media darling that threatened industrial control environments back in 2010.

We’ve seen three targeted espionage campaigns against industrial environments that I know of; undoubtedly there are more.  Why is espionage so scary? Because espionage is used to gather intelligence that is needed to engineer targeted attacks.

This year at the 2015 Black Hat USA conference, we heard about how to cause physical damage through cyber means from some of the best. Jason Larsen of IOActive demonstrated how compromising a process control system is only the start of the work: it’s the physics of the process that can translate cyber manipulation to physical damage. To engineer a cyber-physical attack, you need a lot of information about the control system itself: the assets, parameters and measurements.

Getting back to Dragonfly, it seemed harmless enough: it only scanned the control system, collecting data about the process including assets and parameters.

Even more disturbing, as cybercrime advisor Raj Samani pointed out at a Honeywell User Group Conference in San Antonio, while information stolen in most espionage campaigns surfaces on the black market, the information stolen by Dragonfly doesn’t seem to have surfaced yet. There’s no way to predict what it’s being used for, if anything. But those who’ve worked in security for a while can’t help but speculate: if understanding the details of a compromised control system is the first step in a difficult attack process, a targeted attack seems the inevitable end result.

The threats are getting more sophisticated as attackers continue to attempt to manipulate compromised industrial control systems in order to cause physical damage. Meanwhile, the industry is just playing catch-up.

If we continue to treat the industrial cyber threat as a thing of myth and legend, it will only make the problem more real.

Eric D. Knapp is Global Director of Cyber Security Solutions and Technology for Honeywell Process Solutions. Eric is a recognized expert in industrial control systems cyber security. He is the author of “Industrial Network Security: Securing Critical Infrastructure Networks …

Article source: http://www.darkreading.com/vulnerabilities---threats/the-industrial-cyber-myth-its-no-fantasy/a/d-id/1323600?_mc=RSS_DR_EDT