STE WILLIAMS

Facebook Helps Users Detect Phishing Emails

A new Facebook tool shares recent security-related emails so users can verify whether messages are legitimate.

Phishing attacks often attempt to trick users with fake login pages so they enter their credentials on a malicious site. Facebook wants to help users separate legitimate and fraudulent emails with a new tool intended to stop consumers from getting phished.

Starting today, users will be able to view “recent emails about security and login” from their Security Settings page (facebook.com/settings). There, Facebook will publish a list of security-related emails it has recently sent.

Facebook uses a domain called Facebookmail.com to send notifications when someone attempts to log into an account or change a password. Users who are suspicious of emails claiming to be from Facebook can access Settings to see if messages are legitimate before logging in.

Read more details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/endpoint/facebook-helps-users-detect-phishing-emails/d/d-id/1330692?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Fileless Malware Attacks Hit Milestone in 2017

Non-malware attacks account for the majority of all attacks this year, and ransomware grows to a $5 billion industry, new data shows.

Fileless malware attacks using PowerShell or Windows Management Instrumentation (WMI) tools accounted for 52% of all attacks this year, beating out malware-based attacks for the first time, according to Carbon Black’s 2017 Threat Report.

“Attackers will use whatever is the cheapest and most effective method,” says Rick McElroy, security strategist for Carbon Black, explaining the shift to fileless malware from malware-based attacks.

Fileless malware attacks, also known as non-malware attacks, allow cybercriminals to skip steps that are needed to deploy malware-based attacks, such as creating payloads with malware to drop onto users’ systems. Instead, attackers use trusted programs native to the operating system and native operating system tools like PowerShell and WMI to exploit in-memory access, as well as Web browsers and Office applications.

Fileless attacks have been around since 2014, and surged last year as attackers became enamored with in-memory attacks and sought to perfect their malicious craft. That trend continued this year, with a 6.8% growth in monthly fileless attacks targeting Carbon Black’s protected endpoints.

All types of attacks – both malware-based and fileless – grew 13% per month overall this year, according to the report.

Kryptik, Strictor, Nemucod, Emotet, and Skeeyah were the five top malware families this year, according to the report. And the top three industries hit this year by malware authors included finance, healthcare, and retail.

Ransomware 

Ransomware soared to a $5 billion industry this year, up from $850 million in the previous year, according to the report.

“Both the volume of attacks and amount per attack were up,” McElroy says. “But it was also the crazy value of Bitcoin that increased it to $5 billion.”

Cybercriminals often demand ransom payments in Bitcoin, which has seen a sharp rise in value this year. According to CoinDesk, a single Bitcoin now carries a value of approximately $16,000, compared to January when it was $1,000 per coin.

Ransomware authors targeted the technology industry, followed by the government and non-profit sector, and legal industry, according to the report. The top five ransomware families in 2017 included Spora, Cryptxxx/Exxroute, Locky, Cerber, and Genasom.

In the future, Carbon Black expects the trend toward targeted ransomware attacks to increase. That view is shared by a growing number of research firms. Earlier this year, a handful of targeted attacks emerged that focused on specific industries, geographies, or company sizes, as cybercriminals seek a better return on investment, security experts say.

Cybercriminals are expanding beyond ransomware “spray and pray” attacks delivered by spam. Patrick Wheeler, director of threat intelligence for Proofpoint, says spray and pray campaigns were designed to infect as many machines as possible with the expectation that a certain percentage of the victims would pay the ransom.

Anton Ivanov, lead malware analyst with Kaspersky Lab, says ransomware will mostly involve targeted campaigns in the future because attackers know they can get more money with this method.

Financial organizations, higher-education institutions, and healthcare, manufacturing, and technology companies, are some of the industries that have been hit this year with targeted ransomware campaigns.

Carbon Black’s McElroy says ransomware authors are also expected to increasingly focus on Linux systems, because that is the operating system used by a large percentage of enterprises. In addition, ransomware authors will also be able to increase their mobile reach, McElroy adds.

The Android operating system found in a large percentage of smartphones and tablets across the globe uses a flavor of Linux, McElroy notes.


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: https://www.darkreading.com/perimeter/fileless-malware-attacks-hit-milestone-in-2017/d/d-id/1330691?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

US Census Bureau: Data Exposed in Alteryx Leak Already Public

The US Census Bureau says no personally identifiable information it collected was compromised in this week’s Alteryx leak.

Data analytics firm Alteryx made headlines this week when UpGuard discovered a misconfigured Amazon Web Services S3 storage bucket exposed sensitive information of 123 million households. The leak exposed information from Experian and the US Census Bureau.

The US Census Bureau today issued a statement following reports claiming Alteryx exposed personally identifiable information (PII) collected by the Bureau. The agency said Alteryx only had access to publicly available data from census.gov, including published data from the 2010 Census.

“The company implicated had no access to PII collected by the Census Bureau, nor did the reported data leak involve Census Bureau servers or Census Bureau data stored through cloud services,” the Bureau said.

Read more details here.


Article source: https://www.darkreading.com/cloud/us-census-bureau-data-exposed-in-alteryx-leak-already-public/d/d-id/1330698?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Euro ransomware probe: Five Romanians cuffed

Five people suspected of infecting Windows PCs with ransomware – and extorting money from more than 170 victims in Europe and the US – have been arrested.

In the past week, an international crimefighting task force led by Europol collared the quintet in Romania – and searched six homes, seizing a load of computer parts and cryptocurrency mining equipment as part of a criminal investigation dubbed Operation Bakovia.

[Europol video of the raids, embedded in the original article]

Three of the nabbed suspects allegedly used spam emails to infect victims’ computers with the file-scrambling ransomware CTB-Locker aka Critroni. The software nasty demanded money to restore encrypted files, and was orchestrated by its masters via the Tor anonymizing network.

The other two peeps, arrested in the Romanian capital of Bucharest, are accused of using the Cerber ransomware to extort people in the US.

All five are understood to be part of the same gang, and will be charged with unauthorized computer access, serious hindering of a computer system, misuse of devices with the intent of committing cyber-crimes, and blackmail.

Europol officials said this was another example of crime-as-a-service at play: the suspects allegedly bought the ransomware from another source and agreed to share 30 per cent of any ill-gotten gains.

The agency also insisted that ransomware attacks are “relatively easy to prevent if you maintain proper digital hygiene.” For instance, keep offline backups of your files, do not open suspicious email attachments, and keep systems fully patched and up to date.

If infected, netizens should not pay the ransom, as there is no guarantee the extortionists will decrypt the scrambled files, and the money will fund further criminal activity. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/12/21/five_romanians_ransomware_allegations/

How much will Britain’s next F-35s cost? Not telling, says MoD

The British government has refused to say how much new F-35 fighter jets will cost the nation – as it emerges that no fighting ships of the Royal Navy will be in foreign waters during the festive period.

The House of Commons’ Defence Committee, formed of MPs who supposedly scrutinise the Ministry of Defence’s activities, asked the question – and specifically asked for the cost per aircraft including spares, upgrades and retrofits.

The MoD did not answer, according to reports of the committee’s session earlier this week – while refusing to give even broad-brush cost estimates for the British F-35 programme beyond the year 2026.

Previously it emerged that F-35Bs for Britain would cost around $123m each, not including spares and so on. While the MoD is publicly committed to buying 138 F-35s, it has been ambivalent over whether it intends to buy all B-model F-35s, optimised for short takeoffs and vertical landings as required to operate from Britain’s two new aircraft carriers, or the A model, which is a conventional land-based jet fighter.

As more pressure is applied by MPs to the ministry, more is beginning to emerge on Britain’s F-35s dealings. Namely, we’ve ordered 48 for delivery up until the mid-2020s – and after that it’s anyone’s guess what will happen.

48 aircraft – that is, four squadrons’ worth – is just enough to operate a single aircraft carrier, taking into account land-based training and maintenance. It is not enough to operate two carriers at full squadron strength, though that is the ministry’s plan.

Home for Christmas

In other news, The Times reported that, for the first time in modern history, no Royal Navy fighting ships – destroyers, frigates, amphibious assault ships or carriers – would be operating away from Britain over Christmas and New Year.

This comes as a result of sensible guidelines that make it a priority for sailors to get home and see their families over the festive season. It is no bad thing from that point of view. On the flip side, thanks to Type 45 destroyer HMS Diamond breaking down en route to the Gulf, this is now a breach of the usual operational plan. There are no warships able to take her place until January at the earliest.

The Gulf deployment is a vital bit of peacekeeping (it stops troublemakers from closing off vital shipping chokepoints or interfering with merchant traffic, as Iran does from time to time) and keeps the British flag flying prominently on the doorsteps of oil-producing nations on whom we are very dependent.

While other, small, warships are at sea, no vessels designed for smiting Her Majesty’s enemies are out and about – illustrating the point that the RN is overstretched and the defence budget needs to grow. Key to British defence policy is credibility; if you don’t look like you can walk the walk, nobody’s going to take you seriously when you talk the talk. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/12/21/f35_uk_price_not_disclosed/

New York City wants to root out bias in computer algorithms used in public service

In 2016, Pro Publica released a study that found that algorithms used across the US to predict future criminals – algorithms that come up with “risk assessments” by crunching answers to questions such as whether a defendant’s parents ever did jail time, how many people they know who take illegal drugs, how often they’ve missed bond hearings, or if they believe that hungry people have a right to steal – are biased against black people.

Pro Publica came up with that conclusion after analyzing what it called “remarkably unreliable” risk assessments assigned to defendants:

Only 20% of the people predicted to commit violent crimes actually went on to do so.

What Pro Publica’s data editors couldn’t do: inspect the algorithms that are used to come up with such scores. That’s because they’re proprietary.

The algorithms that produce the risk assessment scores that are widely used throughout the country’s criminal justice systems aren’t the only ones that have been found to be discriminatory: similarly, studies have found that black faces are disproportionately targeted by facial recognition technology. The algorithms themselves have been found to be less accurate at identifying black faces – particularly those of black women.

It’s because of such research findings that New York City has passed a bill to study biases in the algorithms used by the city. According to Motherboard, it’s thought to be the first in the country to push for open sourcing of the algorithms used by courts, police and city agencies.

The bill, Intro 1696-A, would require the creation of a task force that “provides recommendations on how information on agency automated decision systems may be shared with the public and how agencies may address instances where people are harmed by agency automated decision systems.”

Passed by the City Council on 11 December, the bill could be signed into law by Mayor Bill de Blasio by month’s end.

The bill’s current form doesn’t go as far as criminal justice reformers and civil liberties groups would hope.

An earlier version introduced by council member James Vacca, of the Bronx, would have forced all agencies that base decisions on algorithms – be it for policing or public school assignments – to make those algorithms publicly available.

The watered-down version only calls for a task force to study the possibility of bias in algorithms, be it discrimination based on “age, race, creed, color, religion, national origin, gender, disability, marital status, partnership status, caregiver status, sexual orientation, alienage or citizenship status.”

The idea of an “open-source” version was resisted by Tech:NYC, a high-tech industry trade group that counts among its members companies such as Facebook, Google, eBay, Airbnb and hundreds of small startups, such as Meetup.

Tech:NYC policy director Taline Sanassarian testified at an October hearing that the group was concerned that the proposal would have a chilling effect on companies that might not want to work with the city if doing so required making their proprietary algorithms public. She also suggested that open-sourcing the algorithms could lead to Equifax-like hacking:

Imposing disclosure requirements that will require the publishing of confidential and proprietary information on city websites could unintentionally provide an opportunity for bad actors to copy programs and systems. This would not only devalue the code itself, but could also open the door for those looking to compromise the security and safety of systems, potentially exposing underlying sensitive citizen data.

But most of the technologists in the room didn’t agree with her, according to Civic Hall.

Civic Hall quoted Noel Hidalgo, executive director of the civic technology organization BetaNYC, who said in written testimony that “Democracy requires transparency; copyright nor ‘trade secrets’ should ever stand in the way of an equitable, accountable municipal government.”

Another technologist who spoke in favor of the open-sourcing of the algorithms was Sumana Harihareswara, who said that open-source tools and transparency are the way to get better security, not worse.

If there are businesses in our community that are making money off of citizen data and can’t show us the recipe for the decisions they’re making, they need to step up, and they need to get better, and we need to hold them accountable.

Joshua Norkin, a lawyer with the Legal Aid Society, told Motherboard’s Roshan Abraham that it’s “totally ridiculous” to say that government has some kind of obligation to protect proprietary algorithms:

There is absolutely nothing that obligates the city to look out for the interests of a private company looking to make a buck on a proprietary algorithm.

The argument over whether open source or proprietary technology is more secure should sound familiar. In fact, the same debate is taking place now, a year before our next US election, with regards to how to secure voting systems.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/5U_BIh5076M/

Infosec controls relaxed a little after latest Wassenaar meeting

Without much fanfare, negotiators crafting the Wassenaar Agreement earlier this month moved to make things easier for infosec white-hats.

As we reported last year, the Wassenaar talks have been proceeding at a glacial pace, which was bad news for the IT sector because of the treatment of tools used to find vulnerabilities and create exploits.

Tools like Metasploit (to pick just one example) would, if that interpretation stood, need to be supported by an export licence between signatories – a tedious process that leaves researchers at the mercy of bureaucratic whim.

Earlier this month, as recorded in this document [PDF], a few minor changes in wording were made that change the picture.

At the December meeting, the parties agreed to add technical notes “for the local definitions [of] ‘vulnerability’, ‘disclosure’ and ‘cyber incident response’”, and adopt a revised statement of understanding for the section (4.E.1 of the dual use technologies list).

The most current version [PDF] of the controlled products list now explains that the two worrying items (4.E.1.a and 4.E.1.c) “do not apply to ‘vulnerability disclosure’ or ‘cyber incident response’”.

The list also defines vulnerability disclosure so as to allow individuals and organisations “responsible for conducting or coordinating remediation” to communicate and analyse vulnerabilities.

‘Cyber incident response’ also gets a definition, so individuals and organisations can exchange information to help them resolve incidents.

So what? According to this commentary published at The Hill, by Luta Security’s Katie Moussouris (a participant in the talks as a vulnerability expert), it’s important, because “the specific cross-border sharing activities around vulnerability disclosure and security incident response are exempt from requiring export control licenses as dictated by Wassenaar.”

According to the December plenary statement of outcomes [PDF], controls over computers were also relaxed, partly because performance-based export controls quickly fall behind the development of newer, bigger, and faster machines. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/12/21/infosec_controls_relaxed_a_little_after_latest_wassenaar_meeting/

EMC admin? Plug this hole before the holidays

Dell EMC has patched an SMBv1 bug in its Data Domain Deduplication and Data Protection software.

It’s probably worth your time running the patch in, if you can, because as the advisory explained, it’s a memory overflow that could open a system to remote code execution (RCE).

CVE-2017-14385 affects quite a few versions of the system: the Data Domain DD OS 5.7 family prior to 5.7.5.6; 6.0 versions prior to 6.0.2.9; 6.1 versions prior to 6.1.0.21; all versions of Data Domain Virtual Edition in 2.0, 3.0 prior to 3.0 SP2 Update 1, and 3.1 prior to 3.1 Update 2.

In its notice, Cisco expanded on the bug’s impact: “An attacker could exploit this vulnerability by sending crafted SMBv1 packets to a targeted system. A successful exploit could trigger a memory overflow condition that the attacker could leverage to execute arbitrary code on the system. In addition, the attacker could also leverage this vulnerability to shut down the SMB service and Active Directory authentication, resulting in a DoS condition.”

If you can’t patch immediately, external traffic to the system can be blocked at the firewall. Patches are available to registered users here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/12/21/emc_admin_plug_this_hole_before_the_holidays/

Teen sentenced for vDOS rampage

It can sometimes seem that Britain produces more than its fair share of teen hackers – or perhaps it’s just good at catching and prosecuting them.

Another, 19-year-old student Jack Chappell, was this week handed a suspended 16-month sentence for his “substantial” role in launching an extraordinary DDoS rampage against a who’s who of big-brand US and UK websites during 2015 and 2016.

Listing the victims offers an insight into an important theme that emerges from the case: how a single, relatively unsophisticated cyber-attacker can, at a stroke, cripple big websites hosted anywhere in the world by flooding them with unwanted traffic.

Commercial targets included Netflix, Amazon, Verizon, Sprint, Vodafone, O2, Virgin Media, and NatWest Bank and – just because – Pornhub.

Public-sector victims included the BBC, the Massachusetts Institute of Technology (MIT), the University of California San Diego (UCSD), and even Britain’s National Crime Agency (NCA).

Plus around 3,000 others, all of which found themselves on the receiving end of a DDoS-for-hire service called vDOS, which Naked Security covered in more detail last year.

The vast majority were carried out in return for a fee, but it’s Chappell’s reported role in this as a then 17-year-old that brings us to a second theme: how the young and impressionable can be drawn into cybercrime for the visible power and status it confers.

As suggested by the following sarcastic tweet directed at the UK Government:

Offline again? how come you can’t handle my 100GBPS of DNS traffic.

Or:

Yea I stopped the attacks – will start again later 🙂 #GetBetterProtection.

And yet behind all of this, we now know, were two Israeli teens, who pocketed almost all the money vDOS generated during its existence, using accomplices such as Chappell as remote low-wage helpers.

His defence argued that the fact Chappell received only £1,500 ($2,000) for his role, which included laundering the site’s proceeds as well as acting as DDoS admin, meant he deserved to be viewed as another of its victims.

On the other hand, Chappell’s earliest DDoS attacks were directed against colleges in his native Manchester, the court heard, which points to personal motives.

The case bears a startling similarity to previous examples of Brit teens running amok, such as that of Charlton Floate, who from 2012 onwards launched a series of DDoS-for-thrills attacks on UK Government websites. Like Chappell, Floate also took to Twitter to brag about his exploits, before being caught in 2014.

Or the 15-year-old Adam Mudd who created the Titanium Stresser/booter DDoS-for-hire service in 2012 and used it to attack 594 websites, mainly for profit.

Spot the pattern? Young British men using relatively simple services to launch DDoS attacks for money and perverse inverted glory, or both.

Inevitably, they were caught (largely because their attempts to hide their actions were incompetent), put on trial, and given a sentence that accepted the mitigating fact of their youth and immaturity.

When patterns like this emerge, it seems reasonable to ask whether legal sanctions alone are enough, or whether more computer misuse education might be warranted at school level.

Instructing youngsters on how to use computers is a challenge, but teaching them how to stay away from the dark side with what they learn is harder still.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/an_mG3b_C-0/

Census Records Leaked in Marketing Firm’s Exposure of 123 Million Households

Database in unsecured AWS storage bucket owned by marketing analytics firm Alteryx included 248 data fields on each household, but no names.

On the heels of Equifax’s massive breach of American consumer data, researchers have discovered an even richer collection of personal data on 123 million American households left exposed online in an unsecured Amazon Web Services storage bucket.

Researchers at the UpGuard Cyber Risk Team discovered the database of marketing and analytics firm Alteryx was configured to allow any AWS ‘Authenticated Users’ — in other words, anyone with an AWS account — to download its stored database. According to researchers, “Exposed within the repository are massive data sets belonging to Alteryx partner Experian, the consumer credit reporting agency, as well as the US Census Bureau, providing data sets from both Experian and the 2010 US Census.”
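The ‘Authenticated Users’ setting described above (and in the earlier Census Bureau item on this page) is a grant in the bucket’s ACL to one of two predefined S3 groups, and auditing for it is mechanical. The following Python is an added example, not code from UpGuard, Alteryx or Dark Reading: it inspects an ACL document in the shape boto3’s `get_bucket_acl` returns, reports any grant to `AllUsers` or `AuthenticatedUsers`, and produces a cleaned copy. The group URIs and permission names are AWS’s real ones; the sample ACL and its owner ID are constructed placeholders so the script runs offline.

```python
"""Audit an S3 bucket ACL for grants to the predefined AllUsers and
AuthenticatedUsers groups, and produce a cleaned copy.

Added example, not code from UpGuard, Alteryx or Dark Reading.  SAMPLE_ACL is
a constructed document in the shape boto3's s3.get_bucket_acl() returns, so
the audit runs offline without an AWS account.
"""
import copy
from typing import Dict, List

# Real predefined-group URIs used in S3 ACLs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Who each group actually is.  "Authenticated" is the trap: it means any
# AWS account holder anywhere, not users of the owning account.
GROUP_AUDIENCE = {
    ALL_USERS: "anyone on the internet",
    AUTHENTICATED_USERS: "anyone with any AWS account",
}

# What each bucket-ACL permission hands to the grantee.
PERMISSION_EFFECT = {
    "READ": "list the bucket's objects",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "change the bucket ACL (escalates to FULL_CONTROL)",
    "FULL_CONTROL": "everything above",
}

# Constructed sample: the owner holds FULL_CONTROL, plus the kind of grant
# that exposed the Alteryx bucket (READ to AuthenticatedUsers).
SAMPLE_ACL: Dict = {
    "Owner": {"DisplayName": "example-owner", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [
        {
            "Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
            "Permission": "FULL_CONTROL",
        },
        {
            "Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
            "Permission": "READ",
        },
    ],
}


def find_exposing_grants(acl: Dict) -> List[Dict[str, str]]:
    """Return one finding per grant made to AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        # Only Group grantees carry a URI; canonical-user and e-mail grantees do not.
        if grantee.get("Type") != "Group" or uri not in GROUP_AUDIENCE:
            continue
        perm = grant.get("Permission", "")
        findings.append({
            "group": uri.rsplit("/", 1)[-1],
            "permission": perm,
            "audience": GROUP_AUDIENCE[uri],
            "effect": PERMISSION_EFFECT.get(perm, "unknown permission"),
        })
    return findings


def is_exposed(acl: Dict) -> bool:
    return bool(find_exposing_grants(acl))


def without_exposing_grants(acl: Dict) -> Dict:
    """Return a copy of the ACL with every AllUsers/AuthenticatedUsers grant removed.

    Everything else, including the owner's FULL_CONTROL grant, is kept, so the
    result is what you would hand back as AccessControlPolicy after review.
    The input is not modified.
    """
    cleaned = copy.deepcopy(acl)
    cleaned["Grants"] = [
        g for g in cleaned.get("Grants", [])
        if not (g.get("Grantee", {}).get("Type") == "Group"
                and g["Grantee"].get("URI") in GROUP_AUDIENCE)
    ]
    return cleaned


def report(acl: Dict) -> str:
    """One human-readable line per exposing grant, or an all-clear message."""
    lines = [f"{f['group']} may {f['effect']} ({f['permission']}): {f['audience']}"
             for f in find_exposing_grants(acl)]
    return "\n".join(lines) if lines else "no grants to AllUsers or AuthenticatedUsers"


if __name__ == "__main__":
    print(report(SAMPLE_ACL))
    print(report(without_exposing_grants(SAMPLE_ACL)))
```

In a live audit the ACL would come from `s3.get_bucket_acl(Bucket=name)` and the cleaned copy would go back through `put_bucket_acl`; the bucket policy needs the same review, since an ACL is only one of the ways a bucket becomes readable to outsiders.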

The exposed data sets included Experian’s “ConsumerView” marketing database, a product sold to other companies as “the largest and most comprehensive resource for traditional and digital marketing campaigns” claiming to have “thousands of attributes on more than 300 million consumers and 126 million households.”  

The leaked data includes 248 data fields on each household. It does not include name, but it does include a wide variety of data including contact information, ethnicity, education, income, the ages of the children in the household, the details of the mortgage, whether the house has a pool, whether the residents donate to religious groups, whether they buy sports magazines, whether they’re dog enthusiasts, and more. 

For more information, see here.


Article source: https://www.darkreading.com/attacks-breaches/census-records-leaked-in-marketing-firms-exposure-of-123-million-households/d/d-id/1330685?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple