STE WILLIAMS

Twitter users targeted in possible state-sponsored attacks

For a while, Facebook and Google have been warning users if they think they’ve been the victims of state-sponsored cyberattacks.

Twitter’s now doing the same.

On Friday, Twitter emailed a small group of users to inform them that their accounts may have been hacked by “state-sponsored actors”.

Twitter doesn’t think the intruders got at account info, but it offered suggestions – such as using Tor – to anyone worried that the privacy of their personal data might be jeopardized.

From Twitter’s emailed warning:

As a precaution, we are alerting you that your Twitter account is one of a small group of accounts that may have been targeted by state-sponsored actors.

We believe that these actors (possibly associated with a government) may have been trying to obtain information such as email addresses, IP addresses, and/or phone numbers.

Twitter didn’t specify which “state” these “actors” hail from, be it one of the usual suspects – China, North Korea, Russia, or even the US, for example – or not.

The warnings all went out around the same time: between 5:15 and 5:16 PM EST on Friday.

Twitter says it’s now investigating.

The first warning to receive attention was sent to @coldhakca, a group in Winnipeg, Canada that describes itself as “a nonprofit dedicated to furthering privacy, security and freedom of speech.”

Others who got warnings included security researcher, activist, and writer Runa Sandvik, who used to work for the Tor Project and now trains journalists in privacy and security.

In fact, some believed, at least at first blush, that involvement in Tor might be a common link between those targeted.

The @coldhakca group had this to say about it in an email exchange with Motherboard:

Colin Childs, one of the founding directors of coldhak, is a contractor for Tor Project and, as such, is a likely target for this type of attention. It could also be because of the Tor relays coldhak operates, or the coldkernel project that coldhak is currently developing.

Childs’ personal account also received a warning from Twitter.

Another recipient was Cassie, an activist who runs cryptoparties in Minnesota.

Others who received notices describe themselves as security researchers in their bios or know/follow/interact with the security community.

In fact, being a warning recipient is practically a security badge of honor, quipped Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU).

But while activism in encryption, privacy and/or anti-surveillance might seem like a neat thread that would suggest that state actors want to undermine those activities (or at least find out more about who’s behind them), there are plenty of people who received warnings but who don’t fit that mold at all: one who describes herself as just a “mild lefty”, for example.

At any rate, many users are grousing about the irony of Twitter recommending that warning recipients think of using Tor, given that it locks some Tor users’ Twitter accounts.

But as Twitter spokesperson Nu Wexler told Motherboard in September, the blocks aren’t related to Tor; rather, they have to do with “spam-like behavior” that can result in requests for phone verification:

Twitter does not block Tor, and many Twitter users rely on the Tor network for the important privacy and security it provides. … Occasionally, signups and logins may be asked to phone verify if they exhibit spam-like behavior. This is applicable to all IPs and not just Tor IPs.

Image of Twitter bird courtesy of rvlsoft / Shutterstock.com.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/GcO-F85bmv4/

Making Security Everyone’s Job, One Carrot At A Time

These five user education strategies will turn employee bad behavior into bulletproof policies that protect data and systems.

Most computer security folks have probably experienced the feeling that their primary jobs are finger-wagging and dispensing punishments. It can be disheartening to feel like you’re perceived as the wet blanket that’s slowing down the advance of innovation, and knowing people dread interacting with your department.

Are there ways to change the prevailing mindset so that security isn’t viewed as a stick to beat people into compliance, but rather as a carrot to entice people into habits of safer behavior? It’s often said that the best way to train desired behavior is to reward people for doing things they’re already inclined to do. With this in mind, you can use people’s existing behaviors to make your systems and data more secure.

Here are five ways to redirect user behavior toward the common security good:

Reward timely maintenance
In the days when users had to initiate regular AV scans on their own machines, one company I’d heard from used to pick a user’s machine each week on which to hide a test file. Any users who performed a scan and detected the test file by the end of the week would be entered into a drawing for a prize. While this specific scenario would be a bit outdated today, there are plenty of other opportunities to reward users for performing timely, routine security maintenance on their machines or accounts: This would include almost any action that would otherwise require nagging emails or locking people out of their accounts, or any security technology that is currently considered optional.

Drill for mastery
Many companies do a periodic security test, the most common of which is to send a fairly obvious phishing email to see how many users bite. In most companies, about a third of users fail the test, and a handful of that portion inevitably sends furious emails about how unprofessional and unfair these tests are. But these same people would never complain about a fire drill; this is because they fully understand that those drills are meant to protect their own safety as well as that of coworkers, and they know what skillful behavior entails.

In reality, fires and phishing are much more unpredictable and complicated than we can simulate. The idea is still the same: Give people regular exercises that allow them to perform a given set of steps even when a stressful event occurs, so that they won’t do something in an emergency that could cause more harm. It may feel like “teaching to the test,” but having ubiquitous posters and reminders about proper email hygiene may give users a sense of mastery over phishing drills, rather than feeling duped. You can also “gamify” these activities so that individuals or departments who perform well consistently get a small gift.

Enlist employees to help in intelligence gathering
Have you ever wondered what attack attempts made it past your technological defenses and into your employees’ inboxes? One security practitioner I spoke with asked her users to submit any emails they received that they suspected were phishes, spam, scams or malware. This allowed her to see how attackers were probing their defenses, to improve education and to enhance network filters. This could also include incentives for users who are most prolific and accurate in their submissions.

Hunt for security fails
Even with the most thorough of searches, it can be exceptionally difficult to root out all the assets that need protecting, and discover how people use them. Most security groups don’t have the personnel power to sit with every single employee to see if the existing products and procedures are the best way to secure their workflow. But most employees are happy to identify ways in which security fails, if they’re not penalized for it. Indeed, if you reward that sort of behavior, you’ll have those corner cases and security end-runs identified in no time, so that you can work together to fix them.

It’s ok to break things
As anyone who’s done technical support can tell you, users are exceptionally skilled at breaking things in unexpected (and often perplexing) ways. While this could be considered problematic, it can also be a great way to root out software and system vulnerabilities. If you offer people incentives to report those vulnerabilities, you can then correct configuration errors and disclose product problems to the appropriate vendor.

While there is a time and a place for applying negative consequences for security lapses, there are plenty of ways to increase positivity, and to share a feeling of mutual assistance. If there is too much blame and shame associated with security, you may miss major areas of weakness that are common knowledge to your users.

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all …

Article source: http://www.darkreading.com/vulnerabilities---threats/making-security-everyones-job-one-carrot-at-a-time/a/d-id/1323533?_mc=RSS_DR_EDT

Russian friends make German web scum the ‘best’ in European Union

The German cyber crime market is an overlooked but unique beast that works in lockstep with Russian veterans to serve fraud-flinging newcomers and hardened carders alike, researchers say.

In one of the few examinations into German crime forums a team of Trend Micro threat bods say the scene is the most developed in the European Union, besting mature hacking hangouts in Spain and France.

Researchers canvassed 10 large crime forums housing some 70,000 registered users of which 20,000 were considered active, and covered the findings in the paper U-Markt: Peering into the German Cybercriminal Underground (PDF).

“The German cyber criminal underground is well developed and managed by cyber criminals even though it remains a small community in number compared with the Russian and Brazilian underground markets,” researchers say.

“[It] is indeed a newcomer that offers everything cybercriminals need to start in the cybercrime business.

“In many ways, we believe German and Russian cybercriminals collaborate with one another.”

Image: ads on Crimenetwork.biz, one of the crime forums examined.

Malware including remote access trojans, bank-stealers, and backdoors can be bought alongside stolen password dumps, credit cards from across Europe, and all manner of drugs.

Fake identities, databases of ripped personal information, and bulletproof hosting are also on offer.

The German scene, however, offers so-called “packstation” services, in which the country’s postal service is used for dead drops. Here criminals can leave packages for buyers, removing the need for droppers, the name given to criminals who, for a fee, will cash out stolen credit cards by buying goods.

The service is more secure and convenient than the riskier dropper services used in other crime forums.

“Users’ addresses cannot be tracked though they need to apply for the service using a home address and a mobile phone number, which are easy to fake, so they can receive short messaging service notifications along with their pTANs to claim their parcels,” researchers say.

German crime sites are also unique for the high number of coders offering their skills to build web apps and malware.

Researchers say the older forum models are being replaced by slicker Silk Road-esque marketplaces. Those off-the-shelf offerings make it easier for newcomers and those interested in standard fare web crime, while forums are still the net den of choice for custom services and wares.

The most developed German crime sites offer mirrors on the Tor hidden service network.

Trend Micro has also dumped a laundry list of hacker usernames for specific forums, which will be a treat for other crime investigators. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/14/trend_micro_umarkt/

Gamer ransomware grows up, now infecting UK, Euro businesses

Companies across Northern Europe are being smashed by the TeslaCrypt ransomware as net scum switch from extorting individuals to targeting deeper-pocketed organisations.

Those worst affected are located in the United Kingdom, France, Italy, and Spain, where a highly capable phishing campaign regularly tosses out juicy baits.

TeslaCrypt was detected in March, targeting gamers with threats that their game progress would be annihilated unless they paid attackers $500 to $1000 in Bitcoin.

The malware’s perps bagged some US$76,522 from 163 victims from February to April this year, a significant haul even if rather smaller than the $3 million CryptoLocker scum pocketed in the nine months to 2014.

Heimdal Security bod Andra Zaharia says the ransomware is spreading as attachments in overdue invoice phishing emails, among others.

“In the past few days our team has seen a considerable increase in TeslaCrypt infections, a file-encrypting ransomware discovered in early 2015,” Zaharia says.

“The group behind TeslaCrypt focused on individual users at first, but in this campaign the targets are mainly companies in Northern Europe.

“This time cyber criminals have decided to diversify their infection vector portfolio.”

TeslaCrypt will be pulled down from external malicious websites once the JavaScript attachment is activated.

It will infect the victim’s machine and, impressively, all those attached to the same network, encrypting files with any of 187 extensions.

The independent ground-up build of TeslaCrypt appears to be solid and as-yet resilient to reverse engineering attempts.

Only three of 55 antivirus products detect the ransomware through static VirusTotal analysis; however, this is not necessarily indicative of real-world dynamic scanning results. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/14/gamer_ransomware_grows_up_now_popping_uk_euro_businesses/

American cyber crims operate popup hack ‘n crack sites in plain sight

North American cyber criminals are so blatantly thumbing their noses at law enforcement that their forums have been nicknamed “glass tanks”.

The selling of malware, stolen credentials, and other crime services is so open that the forums can be found using Google, Trend Micro researchers Kyle Wilhoit and Stephen Hilt say.

Moreover, the forums post advertisements across web sites and post YouTube videos in a bid to gain more users.

This stands in stark contrast to almost every other serious crime forum which attempts to hide from police and vet the criminal bent of registered users.

“In effect, the North American underground is more like a glass tank where business goes on in full view of both cyber criminals and law enforcement,” the researchers write in the paper North American Underground: The Glass Tank [PDF].

“Unlike other underground scenes, a lot of North American cybercrime operations don’t shy away from peddling its goods in the open.

“Underground sites have a short life span, and they can easily disappear within a short span of time, which makes tracking the illegal activities and the people behind them very tricky for law enforcement, who has to keep up with the cat-and-mouse game on every takedown operation.”

Threat bods found the typical scattering of malware and services on sale: keyloggers, remote access trojans, botnets, and spamming tools. Bulletproof hosting services, which are used in malware attacks for command and control among other uses, are also on offer, alongside distributed denial of service attack services and virtual private networks.

Crims are also flogging remote desktop protocol access to hacked sites, including root access, which serves as a handy set of hop proxies during attacks.

A string of hacked accounts are on offer too including, as El Reg reported, bargain Netflix, Spotify, and Origin accounts.

Drugs, fake identities, and other spurious offerings are also flogged alongside weapons and claimed murder-for-hire services.

“Although several criminal transactions are done out in the open, they are very fickle. The lifespan of most underground sites is short. They could be up one day and gone the next. Investigations will have to keep up with this fast pace.”

It is the latest analysis for Trend, which has so far examined the German, Chinese, Brazilian, and Japanese criminal undergrounds. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/14/trend_micro_glass_tank/

Memory-resident modular malware menaces moneymen

A stealthy strain of malware resident only in memory has been quietly pwning victims around the world for two years.

The backdoor, dubbed Latentbot, has been well hidden on the web since at least mid-2013, if not earlier. The payload never touches the victims’ hard disks and stays only in memory, according to security researchers at FireEye.

“It has managed to leave barely any traces on the Internet, is capable of watching its victims without ever being noticed, and can even corrupt a hard disk, thus making a PC useless,” FireEye’s Taha Karim and Daniel Regalado explain in a blog post.

Latentbot infection cycle

Companies in the US, UK, South Korea, Brazil, United Arab Emirates, Singapore, Canada, Peru and Poland have all been targeted by Latentbot this year alone. FireEye detected the attacks from logs held by its Dynamic Threat Intelligence platform. Prime targets include firms in the financial services and insurance sectors.

“Although the infection strategy is not new, the final payload dropped – which we named Latentbot – caught our attention as it implements multiple, new layers of obfuscation, a unique exfiltration mechanism, and has been very successful at infecting multiple organisations,” according to FireEye.

“The use of custom encryption algorithms and well-known protocols – such as the recent implementation of Diffie-Hellman in the Angler Exploit Kit – makes it more difficult to detect at the network level, thus raising the bar of sophistication,” it adds.

The modular design of the malware allows crooks to easily update malicious code on compromised machines and install secondary infections, such as the Pony infostealer that comes outfitted with modules for Bitcoin theft.

Latentbot won’t run in Windows Vista or Server 2008. The malware platform uses compromised websites as command infrastructure, making infection easier and detection harder. And command and control communications are encrypted.

One of the main vectors of infection is malicious emails containing an old Word exploit created with Microsoft Word Intruder (MWI) builder. When the attached Word document is opened, an embedded malicious executable runs, beaconing to the MWISTAT Server. This malicious code is a full-featured RAT that has the ability to steal passwords, record keystrokes, transfer files and enable attached microphones or webcams.

Most malware infections would stop there, because the infected box is already comprehensively pwned. However, FireEye researchers discovered that another payload is downloaded from a secondary command and control server. This new module is Latentbot, which in turn downloads further malicious payloads.

“Although Latentbot is highly obfuscated; due to the multiple process injection performed, it is noisy enough to be easily detected in memory with a proper behaviour-based solution,” according to FireEye. “Outbound callback tracking and blocking is also mandatory in cases when the malware was able to bypass the security controls in place.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/14/latentbot_memory_resident_malware/

Are second-hand MoD IPv4 addresses being used in invoice scams?

Crooks appear to be taking advantage of the recent sale of the UK Ministry of Defence’s IPv4 address space to run more convincing scams.

Fraudsters have seemingly bought blocks of IP addresses with previously pristine records to distribute scams. This malfeasance was enabled, in part, because the relevant Whois database entries were not updated. The issue surfaced via a thread on Reddit.

Fraudsters appear to be attempting to boost the credibility of scams and maybe get past web filters (at least temporarily) by using a previously trusted and clean IP range to pump out invoice scams.

Fraudsters are asking people to pay invoices into accounts under their control, apparently maintained at a pre-paid cashcard firm.

Advanced Payment Solutions (APS) told El Reg that it was investigating the apparent abuse of its payment facilities.

“As an FCA-regulated institution, APS follows the same robust compliance procedures as a high street bank, when carrying out due diligence on every individual or business customer,” Rich Wagner, chief exec of Advanced Payment Solutions, said in a statement. “We take any claims of fraud extremely seriously, and will conduct a thorough investigation of the accounts in question.”

An expert in spam and phishing quizzed by El Reg noted that hackers had previously rerouted legitimate IP addresses using BGP (Border Gateway Protocol), used the addresses to conduct their nefarious activities, and then released them again. “It may not be quite the same thing, but definitely sounds like a means of bypassing block-lists,” the expert told us.

Tests using an IP address lookup tool suggest the IP address at issue is still allocated to the Ministry of Defence, at Woodstock in Oxfordshire.

The Redditor who reported the problem is adamant that the address isn’t faked and that “it shows in the Exchange tracking logs”, as he put it.

El Reg flagged up the issue to the MoD via its official Twitter profile (@DefenceHQ) but is yet to receive any reply. We’ll update this story as and when we hear more.

UK small businesses are increasingly in the line of fire when it comes to fake invoice scams. The growth in this class of fraud prompted a warning from Action Fraud, advising firms to be on their guard, back in August.

Bootnote

Possible motivations for crooks getting hold of second-hand IP addresses with a good reputation range from boosting credibility to minimising the chances of the IP being blacklisted, so that they can send spam, host phishing pages, or even run command and control servers.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/14/mod_ipv4_addresses_invoice_scam/

‘Fairly bad core bug’ crushed in Linux 4.4-rc5

Linux Lord Linus Torvalds says the fourth release candidate of Linux 4.4 contained “a fairly bad core bug” that’s since been squashed, but may not have rung many alarm bells anyway.

“Another week, another rc,” Torvalds writes on the Linux Kernel mailing list, before going on to say that development work is progressing as usual save for “… a fairly bad core bug that was introduced in rc4 that is now fixed in rc5”.

Torvalds declares that bug “a bit embarrassing” but added “I don’t think that many people actually ever hit the problem.”

Problem? What problem? Maybe this was the problem.

Torvalds’ next problem is deciding when to schedule the release of version 4.4. He’s tossing up pausing things for a week to let people enjoy the season, or proceeding at the usual pace and waiting a week before opening the version 4.5 merge window.

Either way, kernel coders will get a week or so off at a time of year it makes lots of sense to down keyboards. Speaking of which … ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/14/fairly_bad_core_bug_crushed_in_linux_44rc5/

Advent tip #13: Take care if internet friends ask for money

Lots of us have friends in the new-school sense of people that we think we know pretty well, but whom we’ve never actually met.

We “know” them via email, Twitter, Instagram, or in any of a number of online ways.

Unfortunately, some internet friendships aren’t what they seem – because it’s easy to pretend to be someone different from what you really are online.

And there is a whole school of cybercrookery that devotes itself to relationship-based scams.

Sometimes these unfold at the level of a full-blown online romance, but the internet is also full of horror stories about fraudulent business relationships and personal friendships.

It could be a work-from-home job offer that requires you to accept deposits through your bank account and pay the money on to a third party, less a cut for your troubles.

It could be a casual online friendship where money will suddenly enter the equation, with the other person starting to put the pressure on for you to help with expenses, join in an investment scheme, or similar.

It might even be an urgent but bogus electronic message from a real-world friend whose account has been hacked, unexpectedly asking for an urgent money transfer because they’ve been mugged while on holiday, or had their hotel room cleaned out, or any of a number of variations.

We’re not suggesting you need to be ruthless and hard-hearted this holiday season…

…but please be careful when an internet relationship moves into the “about the money” stage.

As carpenters like to say, “Measure twice, cut once.”

Images of Christmas tree and Advent calendar courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/fLmnzatiSpg/

Advent tip #12: Don’t email your credit card details!

During the holiday season, you, along with many other people, may use your credit card more than usual.

You might well end up buying various unusual items while you’re about it, by way of getting that perfect gift – something sought-after that you can’t just walk into any old shop and buy, or order online in the normal way.

And if you and the seller can’t figure out a conventional way to handle the payment, you may be tempted to fall back on emailing them your card details so they can process the transaction at their end.

It’s easy to convince yourself that “it’ll probably be OK.”

After all, if you’ve ever done a credit card transaction over the phone, you’ve taken a calculated risk:

  • What if the other end writes the information down and doesn’t securely dispose of the paper once they’ve used your data?
  • What if they process the transaction on their own PC, unseen, untrusted, and perhaps unpatched?
  • What if they just type the data into an email to a third party anyway?

All of those scenarios are worth avoiding, but at least in the case of the first two, you can ask the seller how they plan to process the transaction, and decide whether to risk it on that basis.

On the other hand, no matter how much you trust the seller, you can’t reliably control an email once it leaves your email program or your browser.

That email could end up in the hands of cybercrooks, even if the seller handles it with care once they’ve received it.

Remember: if in doubt, don’t give it out!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/NQUECAJqkz4/