
Patch now: Published Citrix applications leave networks of ‘potentially 80,000’ firms at risk from attackers

A critical vulnerability found in Citrix Application Delivery Controller and Citrix Gateway (formerly known as Netscaler ADC and Netscaler Gateway) means businesses with apps published using these technologies may be exposing their internal network to unauthorised access.

Citrix (NetScaler) ADC is a load balancer and monitoring tech, while Unified Gateway provides remote access to internal applications. This can include desktop applications as well as intranet or web applications. “Any application on any device from any location” is the marketing pitch.

On 17 December, Citrix published an advisory stating that a vulnerability in these services “could allow an unauthenticated attacker to perform arbitrary code execution.”

According to Positive Technologies, the security company which discovered the flaw, no account details are required. Positive says the “first vulnerable version of the software was released in 2014”, and estimates that “at least 80,000 companies in 158 countries are potentially at risk.”

Since the whole idea of this technology is to enable remote access to internal applications, arbitrary code execution could give the attacker access to the internal network, making it a particularly critical flaw.

Citrix has published mitigation steps which block certain SSL VPN requests, suggesting that this area is where the flaw lies. This is a mitigation rather than a complete fix. An SSL VPN is a secure tunnel into a remote network which uses the SSL protocol.

The affected versions of Citrix ADC and Unified Gateway include 10.5, 11.1, 12.0, 12.1 and 13.0.

The problem has been assigned the ID CVE-2019-19781 and details will be available at this link when published.

Citrix said it is “notifying customers and channel partners about this potential security issue.”

Administrators are advised to apply the mitigation immediately. A full software fix will be made available in due course. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/23/patch_now_published_citrix_applications_leave_network_vulnerable_to_unauthorised_access/

SIM Swapping Attacks: What They Are & How to Stop Them

Fraudsters with social engineering skills are hijacking cell phone SIM cards to access victims’ bitcoin and social media accounts.


Every mobile phone sports a subscriber identity module (SIM) card that contains all sorts of unique information about the phone, the user, and their carrier. The critical element, however, is the subscriber phone number. If you’ve traveled from the US to Europe or Asia, you may have even done your own swapping out of SIM cards to be able to make calls on GSM cellular networks used just about everywhere outside North America.

That’s not the kind of SIM swapping we’re talking about.

What Is a SIM Swapping Attack?
By getting a mobile phone carrier to transfer a user’s phone number to a fraudster’s SIM card, the bad guys can access a variety of riches linked to a victim’s mobile phone.

They can compromise multifactor authentication (MFA) methods that use SMS as a second factor by tapping into those SMS authorizations. From there, they can take over victims’ accounts, from social media accounts to financial institutions to luxury retailers. (As a result, SMS is getting scrutinized as an element in MFA.)

While the point of SIM swapping often is to shame or humiliate, it has also been used to steal bitcoin.

How SIM Swapping Works
There are two ways to perform a SIM swap, explains Zack Allen, director of threat operations for security vendor ZeroFox.

The first method relies on social engineering of a mobile phone carrier’s service rep. The second method works with a rogue employee at a mobile carrier. “There’s been some SIM swapping by ‘turning’ an employee who performs the swap on the fraudster’s behalf,” Allen says.

Once disconnected from their original carrier, SIM-swap victims will no longer receive carrier-facilitated calls or text messages, notes Tanner Johnson, an analyst covering security for IHS Markit. Instead, all of those communications will be routed to the attacker. Wi-Fi will still function since that’s independent of the carrier, but telephony and carrier-provided Internet capabilities will be immediately impacted, he adds.

What’s the Impact?
The two most common outcomes of SIM swapping are theft of money (usually cryptocurrency) and control, which can also be monetized, according to Allen.

Most famously, a SIM swapping attack snared Twitter founder Jack Dorsey in August. The attackers remotely seized control of Dorsey’s device, subsequently his Twitter profile, and posted embarrassing tweets like a repost of “Nazi germany did nothing wrong.”

Further, “We’ve seen a lot of cryptocurrency figures attacked because of their influence,” Allen adds; losses have been reported in the six-figure range and higher. “The scariest thing about SIM swapping is the information you can get once you control someone’s accounts. With bitcoin, there’s no fraud department to investigate or refund you your money.”  

He also points to the scourge of “account takeover communities” that rely on SIM swapping to make money from social media accounts. Groups like Chuckling Squad that took over Dorsey’s account target important or influential users, take over their phones, and then resell the access.

So Should We Stop Using MFA?
The advent of SIM swapping has some experts questioning use of MFA and its partial reliance on unique codes delivered via SMS. Authentication, to review, relies on what you know, what you are, and/or what you have. SIM swappers found a weakness within the “what you have” part, according to ZeroFox’s Allen.

“What stinks about this is people preferred MFA for authentication,” he adds. “I still think MFA is great, but it’s preferable to go through an authentication app or use something that’s hardware-based.” However, those authentication methods may not be as fast or as familiar as receiving an SMS with a unique code, which bumps up against an age-old tension in security between usability and effectiveness.

“Do not stop using MFA!” Markit’s Johnson exclaims. “I cannot emphasize this enough.”

How Do We Combat SIM Swapping?
Johnson cautions users away from SMS as a method of MFA, and instead to password-generating apps like Google Authenticator, Microsoft Authenticator, and Authy. 

“As these are generated locally and not transmitted via text or email, they are far more robust MFA options,” Johnson says. “Additionally, these apps require physical access to the phone, which I hope has a password in place to unlock it to begin with.”

Johnson also likes using Google Voice as an antidote to SIM swapping since it creates a phone number tied to your Google account, not your carrier.

“Using this number as your contact for critical services will prevent any MFA text messages from being sent to a SIM-swapped device if the text/call forwarding option is inactive on the account, which is easily adjusted,” he explains. Instead, if forwarding is turned off, the messages will only go to a device with the Google Voice app installed, or the corresponding email address. But the settings must be properly configured, he warns.

Customers can also take the extra step of contacting their mobile carriers and requesting additional security features, like verbal passwords, to prevent any changes being made on their account. “I have gone one step further and asked that in addition to this, no SIM-related changes can be made unless they are requested in person at a physical store location, as this will require additional ID,” Johnson adds.

Mobile carriers are more aware of the threat posed by SIM swapping and are offering additional security features like verbal passwords to combat it. But mobile carriers need to significantly change their internal processes, according to Johnson. Effectively combatting SIM swapping “will require a concerted training effort to prevent their own customer service reps from falling for social engineering attempts on accounts without additional security hurdles in place,” Johnson says.


Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain’s New York Business, Red Herring, …

Article source: https://www.darkreading.com/theedge/sim-swapping-attacks-what-they-are-and-how-to-stop-them/b/d-id/1336662?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

20 Vulnerabilities to Prioritize Patching Before 2020

Researchers list the top 20 vulnerabilities currently exploited by attack groups around the world.

It’s an ongoing challenge for security practitioners: You want to keep all systems up-to-date and secure, but limited resources, legacy systems, and slow patching processes hold you back.

To aid in patch management strategy, researchers with Verint’s Cyber Threat Intelligence (CTI) Group analyzed the top 20 vulnerabilities currently exploited by global attack groups. Forty-five percent affect Microsoft products, and some bugs used in successful attacks date back to 2012.

The National Vulnerability Database (NVD) reports 16,514 vulnerabilities were disclosed in 2018, indicating an average of roughly 45 new bugs per day. Additional data shows nearly 60% of all flaws are classified as Critical or High severity, Verint researchers explain in a blog post. Further, 60% of breaches are linked to a bug for which a patch was available but not applied.

Each CVE is given a severity score, though these numbers don’t always represent the risk a bug presents. Consider CVE-2018-20250, a WinRAR bug with a CVSS base score of 7.8 in NVD (“High”) and 6.8 in CVE Details (“Medium”). Based on its scores, the vulnerability may not merit immediate patching, but Verint points out it has been exploited by at least five APT groups, from different locations, in attacks against the UK, Southeast Asia, Europe, and the Middle East.

Researchers analyzed more than 5,300 feeds and other threat intelligence sources over the past two-and-a-half years, covering at least 800 CVEs. Their list of 20 vulnerabilities to prioritize patching is based on the number of times they have been exploited by advanced threat groups.

Top of the list is CVE-2017-11882, a Microsoft Office memory corruption vulnerability that existed for 17 years before it was patched in November 2017. The flaw exists in Office when the software doesn’t properly handle objects in memory; if exploited, it could let an attacker run arbitrary code in the context of the user. A simple phishing attack could do it: Victims would need only to open an infected file with a vulnerable version of Microsoft Word or WordPad.

This flaw was the favorite malware delivery vector in the second and third quarters of 2019. As Verint points out in its writeup, it has also been used in attacks by advanced groups including APT32 (Vietnam), APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Silent Group (Russia), Lotus Blossom (China), Cloud Atlas (Unknown), and FIN7 (Russia).

Second on Verint’s list is CVE-2018-8174, a critical vulnerability affecting all versions of Windows. This is a VBScript engine RCE vulnerability that exists in the way VBScript engine handles objects in memory. The bug, dubbed Double Kill, made an appearance in the RIG exploit kit in May 2018. It has been used by Silent Group (Russia) and Dark Hotel (North Korea).

CVE-2017-0199, a critical RCE flaw in the Windows Object Linking and Embedding (OLE) programming interface, is third. The vulnerability, which affects most or all versions of Microsoft Word, had been under attack for months when a patch was released in April 2017. Verint says it has been used by groups including APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Gorgon Group (Pakistan), and Gaza Cybergang (Iran).

Fourth is CVE-2018-4878, a critical vulnerability in Adobe Flash Player. The zero-day was being used in active attacks against victims in South Korea when it was reported in February 2018. Later the same month, it appeared in another campaign leveraging malicious Word files. Verint reports the flaw has been used in campaigns by North Korean groups APT37 and Lazarus Group.

CVE-2017-10271, a bug in the Oracle WebLogic Server component of Oracle Fusion Middleware, is listed fifth. The “easily exploitable” vulnerability, as CVE Details describes it, could let an unauthenticated attacker with network access via T3 compromise Oracle WebLogic Server and potentially take over the WebLogic server. This bug has been used by the Rocke Gang, a Chinese criminal group, Verint reports.

Read the full list here.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/20-vulnerabilities-to-prioritize-patching-before-2020/d/d-id/1336691?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

2020 & Beyond: The Evolution of Cybersecurity

As new technologies disrupt the industry, remember that security is a process, not a goal. Educate yourself on how you can best secure your corner of the Web.

Cybersecurity should be top of mind for any Internet user, professional or otherwise. But security is a process, not a goal, and web developers, DevOps professionals, and security professionals alike need to be informed of changing industry standards as we head into the new decade. The Internet might have become safer in 2019, but there’s still more to do. Here’s a sneak preview of the changes and innovations coming to the world of cybersecurity in 2020.

First things first — old encryption protocols will fade away. Given that all major browsers now support TLS 1.3, and that the number of websites using SSL certificates has grown enormously in the past few years, it’s logical to expect that by next year over 90% of traffic will move to the latest Transport Layer Security update, TLS 1.3. TLS provides secure communication between entities, and TLS 1.3 makes these connections both more efficient and safer, something that cannot be overlooked when it comes to securing any website.

It’s no secret that past encryption protocols are more susceptible to attacks, and even though some of those attacks are extremely difficult to implement, it is arguably safer for systems to be upgraded to the latest TLS versions whenever possible. It should be noted, though, that most of the attacks targeting the TLS protocol focus on finding hash function collisions.

As we move into the new decade, the majority of web hosting companies will announce support for new protocols such as Quick UDP Internet Connections (QUIC), a general-purpose transport layer protocol. QUIC provides built-in security and performance features like authentication and encryption that are usually provided by higher-layer protocols. By replacing the TLS record layer with its own framing, QUIC ensures quick connections, no pun intended, all while maintaining authentication and encryption — two things that all Internet users benefit from.

The newest version of the HTTP protocol (HTTP/3) is based on QUIC. HTTP/3 is faster than its predecessors because it avoids the separate round trips that browsers and servers otherwise need to establish a TCP connection and then a TLS session on top of it. Secure connections are the lifeline of the Internet, so it’s no surprise that developers will be striving to create the safest environment possible.

Next, DevOps and DevSecOps professionals will continue to focus on continuous integration and continuous deployment. These innovations will accelerate the feedback loop with customers and take the pressure off of development teams meeting hard deadlines as all changes are immediately released to customers as long as no production test flags an error. The best part? There’s no human intervention required, a significant shift from the tedious updates previously required to fix security issues. With releases happening automatically, software developers can focus on building the best products they can.

Additionally, functions-as-a-service will remove huge overhead from developers.

In late November, RIPE NCC ran out of IPv4 addresses, showing that the time to adopt IPv6 is here. Many people still think of IPv6 as just an updated IPv4 — this is incorrect. IPv6 is not just IPv4 with a longer address space; it also offers new attributes for addresses, among many other things. For example, a single interface can have multiple IPv6 addresses, and those addresses can change over time. The adoption of IPv6 will increase, and as that happens in the near future, network and systems architects will have to get more familiar with the IPv6 vulnerability surface.

Finally, the adoption of DNSSEC will increase, requiring systems administrators and developers to better understand the complexities of the system. Essentially, DNS is the phone book of the Internet. The DNS system is used by all applications on the Web — think sites, mail servers, browsers, etc. — to find out how information should be routed. The problem with DNS is that it offers no authentication mechanism, so records can be altered and traffic intercepted by attackers. DNSSEC adds a layer of security on top of DNS: it gives users assurance that the DNS records they receive are the genuine ones that should be used.

The next decade will be a momentous one for cybersecurity innovation from small businesses to big corporations — it’s no shock that security will play a key role in the future of the Internet. As new technologies continue to disrupt the industry, it’s important to remember that security is a process, not a goal; everyone should take the time to educate themselves on how they can best secure their corner of the Web.

Daniel leads the enterprise hosting team at SiteGround. He is responsible for developing, shipping, and monitoring complex cloud-hosting solutions for WordPress and other open source systems and for clients with custom requirements or large-scale websites. With over 10 years’ …

Article source: https://www.darkreading.com/vulnerabilities---threats/2020-and-beyond-the-evolution-of-cybersecurity/a/d-id/1336631?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Former NY Hospital Employee Admits to Stealing Colleagues’ Data

Richard Liriano pleads guilty to compromising hospital computers and co-workers’ email accounts, as well as stealing personal files and photos.

The former IT employee of a New York City-area hospital has pled guilty to stealing colleagues’ credentials and logging into various accounts to steal private and confidential files, the Department of Justice reports. He used this access to view photos, videos, and other data.

Between 2013 and 2018, the allegations state, Richard Liriano abused his administrative access to log into employee accounts and copy his colleagues’ personal documents, including tax records and personal photographs, onto his own machine. To do this, he installed malicious programs, including a keylogger, onto victims’ machines so he could capture their credentials.

Over the course of this time frame, Liriano stole the usernames and passwords of about 70 or more email accounts belonging to hospital employees or people associated with them. He then obtained unauthorized access to password-protected email, social media, photography, and other online accounts where the victims were registered.

“Liriano’s disturbing crimes not only invaded the privacy of his coworkers; he also intruded into computers housing vital healthcare and patient information, costing his former employer hundreds of thousands of dollars to remediate,” US Attorney Geoffrey Berman said in a statement. Liriano’s intrusions into the hospital networks caused more than $350,000 in losses.

Read more details here.



Article source: https://www.darkreading.com/former-ny-hospital-employee-admits-to-stealing-colleagues-data/d/d-id/1336693?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Man jailed for $122 million scam that fooled Google and Facebook

Lithuanian Evaldas Rimasauskas has been sentenced in a Manhattan court to five years in jail for successfully defrauding two large US companies out of $122 million.

The frauds, which happened between 2013 and 2015, involved sending those companies fake invoices that appeared to come from a legitimate Taiwanese company, Quanta Computer Inc.

Not realising the payments were the sharp end of an elaborate invoice fraud executed using spoofed email addresses, the companies’ accounts departments paid up.

But the most arresting aspect of this fraud isn’t the large sums Rimasauskas stole but the companies he is reported to have conned – Facebook (to the tune of $99 million) and Google ($23 million).

Whaling

Rimasauskas was originally arrested in 2017 for what the FBI described then as Business Email Compromise (BEC) but which others might describe as a form of whaling (highly targeted phishing attacks on senior members of an organisation). The victims were identified only as ‘company 1’ and ‘company 2’.

Last March, he pleaded guilty to charges including fraud, identity theft, and several counts of money laundering, and still the victims remained anonymous.

Even during this month’s trial and sentencing, the names remained, officially at least, a matter of conjecture.

Luckily, we know Google and Facebook were the companies involved because both decided to come clean within weeks of Rimasauskas’s arrest after Reuters got hold of a Lithuanian court order.

Said Google in April 2017:

We detected this fraud against our vendor management team and promptly alerted the authorities. We recouped the funds and we’re pleased this matter is resolved.

And Facebook:

Facebook recovered the bulk of the funds shortly after the incident and has been cooperating with law enforcement in its investigation. We are confident that we have the proper controls in place to prevent such attacks in the future.

Both companies were obviously embarrassed by the incident but the fact it happened at all tells us something important about this kind of fraud – it can happen to any company, including the biggest, cleverest names one might assume would have numerous checks to counter fraud.

The FBI recently estimated that in the three years to July 2019 BEC and email account scams account for 166,000 incidents globally and an estimated $26 billion in losses.

As well as five years in jail – a modest term against the 20-year sentence that could have been handed down – Rimasauskas will serve an additional two years of supervised release, forfeit $49.7 million and pay restitution of $26.5 million.

Stay vigilant

Wire transfer fraud is just one of the ways that crooks attempt to part businesses from their money. To defend against email scams, here are some tips for avoiding this kind of email threat:

  • Revisit your outbound email filtering rules to prevent sensitive information from going out to inappropriate destinations.
  • Require multiple approvals for overseas wire transfers.
  • Have strict controls over changes in payment details or the creation of new accounts.
  • Use strong passwords and consider two-factor authentication (2FA) to make it harder for crooks to gather intelligence from your network in the first place.
  • Consider a “back to base” VPN for remote users so their online security is kept up, even on the road.
  • Have your own central reporting system, in the manner of the US IC3, where staff can call in suspicious messages to prevent crooks trying different employees with the same scam until a weak spot is found.
  • Think twice about publicly posting personnel information that could be abused in phishing attacks.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/D5CAYrR74gs/

Secure your laptop gift with half price Sophos Home Premium

Happy Holidays! We’ll be a bit quieter over the next couple of weeks while we pack up our keyboards, have a rest and eat lots of festive food.

But before we go, we thought we’d do our annual Sophos Home plug. So here it is…

If you or your family are lucky enough to find a new laptop under the tree this Christmas, you’re going to need to secure it.

Chances are you’re the most technically minded in your family, and that makes you the go-to IT support person in your home when something goes wrong. Nobody wants to work a full-time job for a part-time problem, but luckily Sophos is currently offering 50% off Sophos Home Premium over the festive season.

Sophos Home Premium takes all the best bits from Sophos’s award-winning Intercept X business-grade security product and puts them all in an easy-to-use, easy-to-manage product that fits perfectly into your home network.

And it works on both Windows and Mac computers.

You get:

  • Artificial Intelligence threat detection. Leveraging next-gen AI with deep learning, Sophos Home detects and blocks never-before-seen malware before it executes.
  • Real-time threat prevention. Sophos Home protects against new and developing viruses, malware, Trojans, worms, bots and more.
  • Advanced ransomware security. Anti-ransomware technology protects your personal files and photos from being encrypted and held for ransom.
  • Advanced malware scan and clean. Sophos Home kicks off with a deep scan and clean, removing the traces and remnants of malware that previous security software may have left on your computer.
  • Remote security management. Easily view and manage computer security for anyone in your life – whether they’re in the same house or in another country.

Get 50% off Sophos Home Premium now!

There’s also a free version too. It doesn’t have all the features Sophos Home Premium has but it still packs a punch and protects your home network. You can use our comparison chart to decide which version is best for you.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/5_PUjyBweRQ/

Say GDP-aaaR: UK’s Information Commissioner pours £275k fine into London pharmacy’s teaspoon

A pharmacy that left around half a million documents, including customers’ personal information and medical data, in unlocked storage at the back of its premises, has been fined £275,000 – a financial penalty the ICO has issued under the General Data Protection Regulation.

UK data watchdog, the Information Commissioner’s Office, said London-based Doorstep Dispensaree Ltd, which supplies medicines to both individual customers and care homes, failed to secure the records. The data also contained addresses, dates of birth, NHS numbers and prescriptions pertaining to an unknown number of people.

Some of the documents – dated between June 2016 and June 2018 – were exposed to the elements and as a result were damaged by rain water, the ICO claimed.

Failing to process the data in a secure state to prevent unauthorised or unlawful access, loss, destruction or damage infringed GDPR, said the ICO. This was factored into the size of financial penalty, which the watchdog claimed was its first since the introduction of GDPR on 25 May 2018.


Steve Eckersley, director of investigations at the ICO, issued a statement:

“The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects and it falls short of what people expect.”

The ICO was tipped to the shoddy physical security of the documents by the Medicines and Healthcare Products Regulatory Agency, which was undertaking its own enquiry into the pharmacy.

In addition to the £275k fine, Doorstep Dispensaree has been issued with an enforcement notice (PDF) to up its data protection processes within three months or face further enforcement action.

Come Jan 31, if the UK leaves the EU as planned, Brexit will trigger a statutory instrument that changes some text to create a “UK GDPR”. The little kingdom’s Data Protection Act 2018 will also get tweaked. You can see the expected changes here. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/23/rain_falls_on_london_pharmacy_stung_by_icos_first_fine_under_gdpr/

Tracking President Trump with cellphone location data, Greta-Thunberg-themed malware, SharePoint patch, and more

Roundup: Here’s a catch-up of security news beyond everything else we’ve covered.

Nearly 300 million Facebook profiles scraped, dumped online

Once again a huge number of Facebook users have had their details lifted from their profiles, a fact that came to light when security researchers were scanning for open databases online.

Germany-based researcher Bob Diachenko and UK security shop Comparitech found an Elasticsearch cluster online containing the unique Facebook IDs, phone numbers, full names, and other metadata of 267,140,436 users of the antisocial, predominantly in America.

The database has now been taken down, though Diachenko noted that the information was advertised on hacker forums. He suspects it was collected by Vietnamese operators. Facebook data isn’t very valuable in and of itself, usually about $3 per account, but Diachenko noted that this kind of material is red meat for phishers and SMS scammers.

Waaa-waaa Wawa

If you’ve bought groceries from the US chain Wawa in the past nine months you might want to check your bank statements: the biz has admitted card-sniffing malware has been on its payment systems since early March.

Discovered on December 10, the software nasty fed credit and debit card numbers, expiration dates, and cardholder names on payment cards, from in-store checkouts and gas pumps to crooks. The store’s ATMs were unaffected, it seems.

“I apologize deeply to all of you, our friends and neighbors, for this incident,” said CEO Chris Gheysens this week. “You are my top priority and are critically important to all of the nearly 37,000 associates at Wawa. We take this special relationship with you and the protection of your information very seriously.”

Those affected by the infection will get the now-traditional one year of credit monitoring from Equifax (so long as you’re a US citizen with a social security number) and won’t be liable for false charges on their cards.

Tracking President Trump

The scale of the cellphone-location data market was on show this week when the New York Times obtained a three-year-old database of 50 billion phone location pings for more than 12 million Americans.

The journalists analyzing the data found one phone that appeared to belong to a Secret Service agent on President Trump’s team, and showed the course of the agent’s progress during a trip to the commander-in-chief’s Mar-a-Lago resort, then to a golf course where Trump was playing golf with the Japanese prime minister.

The NYT team were able to track other phones into Congress, the Pentagon, and many other sensitive areas. By following where the phones spent the night, they could also get a good idea of a target’s home address and when they were out.

The case highlights the egregious way in which telcos in the US are profiting from selling off location data to almost anyone with the money. The telco-friendly FCC chairman Ajit Pai promised to look into the matter 18 months ago but so far appears to have done nothing.

“We want our people to understand,” a senior Defense Department official told the Times. “They should make no assumptions about anonymity. You are not anonymous on this planet at this point in our existence. Everyone is trackable, traceable, discoverable to some degree.”

Like Greta Thunberg? Then get infected

The Emotet malware is doing the rounds again, this time by exploiting the popularity of climate activist Greta Thunberg.

According to security shop Proofpoint a spam campaign this week was pushed out across Europe and Asia aimed at installing the banking trojan in as many computers as it could find. The malware is contained in a faux Word document and the emails are typically headed with the subject “Support Greta”.

Interestingly the campaign is heavily focused on .edu domains used by educational institutions and their pupils. Given Thunberg’s popularity with youngsters who will have to deal with adverse climate change, rather than the older generation that helped cause it, the operators know their targets well.

Mac malware surges

So much for the “Macs don’t get malware” argument.

MalwareBytes says it saw a significant bump in detections of macOS malware this year. In total, the antivirus maker says Mac infections accounted for 16 per cent of all malware it detected this year.

“Perhaps 16 percent doesn’t sound impressive, but when you consider the number of devices on which these threats were detected, the results become extremely interesting,” notes MalwareBytes.

“Although the total number of Mac threats is smaller than the total number of PC threats, so is the total number of Macs. Considering that our Mac user base is about 1/12 the size of our Windows user base, that 16 percent figure becomes more significant.”

Microsoft patches SharePoint bug

SharePoint admins will want to be sure they test out and install this out-of-band patch from Microsoft before clocking out for the holidays.

Redmond has cleaned up CVE-2019-1491, an information disclosure flaw in SharePoint Server that would potentially allow an attacker to read arbitrary files. While it’s not a massive security risk, the bug is significant enough that it could not wait until January’s Patch Tuesday.

Trustwave posts instructions for DIY Magecart scans

In case you find yourself doing some last-minute Christmas shopping and want to be sure you’re not stumbling onto websites with card-swiping Magecart code, the team at Trustwave has posted these instructions for checking sites against possible infections.

It’s not the most practical, though the process could allow you to spot a malicious script before it swipes your bank card details.

Visa security team dissects gas pump malware

It turns out card skimmers aren’t the only game in town when it comes to compromising gas pumps.

Visa has issued a security alert on three different gas pump malware infections. Unlike the physical skimmers that are affixed over the card readers and keypads, these attacks are entirely software-based and are installed over networks, like traditional point-of-sale malware infections.

The report notes a number of security mishaps that allowed hackers to exploit systems, including defective chip readers, disabled encryption, and embedded systems that don’t comply with PCI standards. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/21/roundup_dec_20/

Want to live long and prosper? Avoid pirated, malware-laden Star Wars free vid streams – and pay to watch instead

Movie fans eager for an early peek at the new Star Wars installment are putting themselves at risk of malware infection.

This according to the crew from Kaspersky Lab, who warn that criminals are disguising malware as free streams of The Rise of Skywalker in hopes of scoring a few easy infections on unsuspecting users.

The tactics themselves are nothing new. Malware operators have long used popular film franchises as a lure to convince users to open trojans and exploit files that then download malware. Such is the case here, where torrent and file-sharing sites are offering malware that presents itself as a copy of the new film.

In this case, however, the attacks are proving particularly effective – possibly due to the hype around the film. Despite criminals targeting 25 per cent fewer users and offering up 30 per cent fewer unique files than last year, Kaspersky says its detected malware attacks have risen 10 per cent, an indication that hackers are having more success.


What’s more, the team found that phishing sites are also taking advantage of the movie hype by pretending to be streaming services that show bootlegged copies of the film.

“Kaspersky researchers found over 30 fraudulent websites and social media profiles disguised as official movie accounts (the actual number of these sites may be much higher) that supposedly distribute free copies of the latest film in the franchise,” the security shop said of its findings. “These websites collect unwary users’ credit card data, under the pretense of necessary registration on the portal.”

Fortunately, avoiding these attacks is easy enough if users follow some basic best practices. Avoiding unknown sites and suspicious links, maintaining up-to-date security software and system patches, and not downloading any untrusted or suspicious files should be enough to avoid these attacks.

Or, you could always just buy a ticket to watch the movie in a theater…

Given the number of people who will be on holiday, travelling, and meeting with family this time of year, however, there will be plenty of unwary victims for the attackers. For this reason it is also worth keeping an eye on the devices of less-savvy friends and family and making sure they know to avoid shady streaming sites. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/19/kaspersky_star_wars/