STE WILLIAMS

Another banking trojan is trying to loot your cryptocurrency wallets

Researchers have discovered a new variant of banking trojan that targets cryptocurrency wallets instead of traditional accounts.

Coinbase, the cryptocurrency exchange site targeted in part by the latest Trickbot variant, manages multiple currencies thus offering crooks a wider platform for abuse once they succeed in harvesting the account credentials. Coinbase has been added as a target to config files for the trojan, which already attempted to loot bank accounts with numerous providers worldwide, infosec firm Forcepoint Security reports.

Cybercriminals have been developing Trickbot since its creation, adding new regional banks (most recently in the Nordics) to its hit list. Security researchers recently unearthed Trickbot campaigns targeting PayPal wallets.

The switch to digital currency accounts matches the popularity of Bitcoin and the like as a form of payment.

Dodgy messages spreading the malware pose as a “secure message” from the Canadian Imperial Bank of Commerce. A booby-trapped attachment harbours a macro downloader that ultimately downloads and executes a Trickbot variant.

Malware targeting cryptocurrency wallets is uncommon but far from unprecedented. For example, variants of the Dridex banking trojan went down this route last year. F-Secure caught a trojan that searches for Bitcoin WALLET.DAT files way back in June 2011. ®

Sponsored:
The Joy and Pain of Buying IT – Have Your Say

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/30/trojan_targets_cryptocurrency_wallets/

‘Open and accessible’ spambot server leaks 711m records

A spambot operation has leaked 711m email addresses in a massive data breach.

A Paris-based security researcher, who goes by the pseudonymous handle Benkow, discovered an open and accessible web server hosted in the Netherlands. The “open and accessible” system stored dozens of text files containing a huge batch of email addresses, some passwords and a list of email servers used to send junk mail.

Many of the addresses are repeated, defunct or otherwise unusable, according to an initial analysis by Troy Hunt, the security researcher behind the haveibeenpwned.com breach notification service. However, a number of the records come with passwords, credentials that spammers abuse in the furtherance of junk mail distribution.

The latest leak rivals the River City Media spill from March as the largest ever breach involving a bulk mailer. Both spills leaked a witch’s brew of merged data from multiple sources, including the 2012 LinkedIn data breach among many others.

Jim Walter, senior research scientist at Cylance, said: “This is an important reminder of one aspect of the data-breach lifecycle. The threats outlined are not new or novel, nor is the credential harvesting/storage methodology. Data breaches don’t end after the public disclosure. Leaked/breached data can continue to live on and be used, reused, sold, resold, etc.”

James Romer, EMEA chief security architect at multi-factor authentication firm SecureAuth, added: “This latest Spambot leak highlights the fact that passwords are the root cause of many serious security problems for organisations today. 700m passwords and email addresses is a treasure trove for cybercriminals, but despite increasingly complex password use, data breaches continue to soar.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/30/spambot_leak/

WireX botnet offers glimpse of Android DDoS threat

A consortium of internet companies has disrupted a botnet called WireX that has plagued Content Delivery Networks (CDNs) with nuisance DDoS attacks in recent weeks.

There’s nothing special about DDoS attacks or botnets, but we’re writing up WireX for several reasons, starting with the fact that it was built from infected Android devices.

Given that researchers believe it might have infected 140,000 devices in 100 countries by its peak on August 17, that’s a big DDoS botnet by Android standards, perhaps the biggest ever.

The source of infection was any one of 300 apps downloaded from the Google Play Store that had somehow sneaked past the store’s much vaunted security algorithms.

Despite what Google says, it’s perfectly possible to do this, as demonstrated by a separate incident this month when 500 applications (with 100 million downloads) were yanked after a mobile security company discovered an embedded advertising SDK was being used to update them with spyware.

The WireX-infected apps, by contrast, hid their malevolent behaviour behind ordinary-looking media players, ringtones and storage managers. Because they were designed to launch DDoS attacks in the background (in other words, when the device was turned on but not in use), owners may well have been unaware of anything untoward.

The companies believe it sprang into life around August 2, growing rapidly to its peak in the middle of the month when they decided to collaborate to track down what was behind this sudden DDoS spike.

It’s not clear whether it was the size of the attacks that caught their attention or the unusual way traffic from it was distributed across many countries. That WireX appeared suddenly would have stood out.

Probably built on the skeleton of an old click-fraud app, WireX isn’t even that sophisticated, relying on throwing lots of HTTP traffic at target websites until they choke.

It’s a simple tactic but also clever because the traffic looks legitimate. This makes it tricky to stop without taking servers offline, which is why researchers pooled resources to root out the botnet’s infected clients the hard way.

WireX did, at least, bring everyone together in a matter of days. Said participant Akamai:

In the wake of the Mirai attacks, information sharing groups have seen a resurgence, where researchers share situation reports and, when necessary, collaborate to solve internet-wide problems.

This would have meant sharing competitive data such as IP addresses, request headers and, in WireX’s case, DDoS ransom notes sent to CDNs. Privacy concerns mean that doing this isn’t always as simple as it might seem from the outside.

Which devices are vulnerable?

Given that infected apps were downloaded from the Play Store (their names haven’t been revealed), any version of Android they were compatible with could have been targeted. Devices running Android security software such as Sophos Mobile Security for Android will detect WireX, with some identifying it as generic click fraud malware.

Command and control domains are identified in the WireX advisory, published by researchers. It’s possible that a temporary defence against WireX would be to set “restrict background data”.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/KYmM6X5K_H4/

Pacemaker patch passes probe by Food and Drug Administration

It’s probably the most crucial patch of the year: Abbott Laboratories’ reworked firmware for its St Jude pacemakers has won Food and Drug Administration approval to ship.

According to the Food and Drug Administration’s (FDA’s) statement, the upgrade should go smoothly, nearly all the time.

Its statement says “installing the updated firmware could potentially result in the following malfunctions (including the rate of occurrence previously observed)”. Here are the risks to which users will be exposed:

Problems with various pacemakers and the Merlin@Home control system, made by St Jude (which Abbott later acquired), first emerged when MedSec Holdings uncovered the bugs, shorted St Jude’s shares, and then went public with its findings.

The Merlin@Home patch landed in January.

The pacemaker firmware flaws covered by the patch “could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing.”

In approving the firmware, the FDA notes the upgrade means patients won’t need replacement devices. Instead they will have to visit their specialist, where the patch is applied using the RF wand that programs the pacemaker.

Abbott’s letter (PDF) issued in conjunction with the FDA says the patch also includes data encryption, and disables network connectivity features. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/30/st_jude_pacemaker_patch_approved/

Lanarkshire NHS infection named as Bitpaymer variant

The ransomware that infected computers at the National Health Service’s Lanarkshire outpost, causing an outage that lasted most of the weekend, has been identified as Bitpaymer, a strain that demanded 53 Bitcoin for files to be decrypted.

There’s no evidence that the NHS district paid up, which isn’t surprising because at current Bitcoin rates, that demand equated to nearly £190,000.

As we reported on Monday, the infection’s biggest impact was to take down a phone system and a staff rostering system. Hospitals hit by the ransomware had to cancel some surgical procedures and their emergency departments operated at reduced capacity.

Files encrypted by Bitpaymer* can’t be recovered without the attacker’s key, as was established back in July, when organisations like VirusTotal first started capturing and analysing samples.

There’s also a detailed presentation of the ransomware in this Russian-language blog. That post says infection takes place after brute-forcing credentials for Microsoft’s Remote Desktop Protocol on Internet-exposed endpoints.

Files encrypted by Bitpaymer have .locked appended to their filenames, and “Read Me” files containing the ransom note and payment instructions are dropped all over the filesystem. ®
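As an added illustration of the RDP brute-forcing described above (example code written here, not from the article or from the researchers it cites), a small detector that reads exported Windows logon events and flags a source that piles up RDP failures, then notes whether a successful logon from that same source followed, which is the moment an operator gains a foothold. Event IDs 4625/4624 and logon type 10 are standard Windows values; the event records below are constructed, including the RFC 5737 test addresses.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security log event IDs and logon type (standard values):
FAILED_LOGON = 4625      # "An account failed to log on"
SUCCESS_LOGON = 4624     # "An account was successfully logged on"
RDP_LOGON_TYPE = 10      # RemoteInteractive: RDP / Terminal Services

# Constructed sample events (not real telemetry); TEST-NET addresses.
SAMPLE_EVENTS = [
    {"time": "2017-08-25 02:00:01", "event_id": 4625, "logon_type": 10,
     "src_ip": "203.0.113.7", "user": "administrator"},
    {"time": "2017-08-25 02:00:05", "event_id": 4625, "logon_type": 10,
     "src_ip": "203.0.113.7", "user": "admin"},
    {"time": "2017-08-25 02:00:09", "event_id": 4625, "logon_type": 10,
     "src_ip": "203.0.113.7", "user": "backup"},
    {"time": "2017-08-25 02:00:13", "event_id": 4625, "logon_type": 10,
     "src_ip": "203.0.113.7", "user": "backup"},
    {"time": "2017-08-25 02:00:17", "event_id": 4625, "logon_type": 10,
     "src_ip": "203.0.113.7", "user": "backup"},
    {"time": "2017-08-25 02:00:21", "event_id": 4625, "logon_type": 10,
     "src_ip": "203.0.113.7", "user": "backup"},
    # the guessing stops and a logon from the same source succeeds:
    {"time": "2017-08-25 02:00:30", "event_id": 4624, "logon_type": 10,
     "src_ip": "203.0.113.7", "user": "backup"},
    # a console failure from the same address is not RDP and is ignored:
    {"time": "2017-08-25 02:00:40", "event_id": 4625, "logon_type": 2,
     "src_ip": "203.0.113.7", "user": "svc"},
    # a single mistyped password from a staff workstation is benign:
    {"time": "2017-08-25 02:03:00", "event_id": 4625, "logon_type": 10,
     "src_ip": "198.51.100.20", "user": "jsmith"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {src_ip: finding} for every source that produces at least
    `threshold` RDP logon failures within any `window`.  A finding records
    the accounts tried and, if a successful RDP logon from the same source
    follows the burst, that logon (user, time)."""
    recent = defaultdict(deque)   # src_ip -> failure times inside the window
    tried = defaultdict(set)      # src_ip -> accounts attempted
    findings = {}
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue              # only RDP sessions matter here
        ip, t = ev["src_ip"], _ts(ev["time"])
        if ev["event_id"] == FAILED_LOGON:
            tried[ip].add(ev["user"])
            q = recent[ip]
            q.append(t)
            while t - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"peak_failures": 0, "users": set(),
                                             "success_after_burst": None})
                f["peak_failures"] = max(f["peak_failures"], len(q))
                f["users"] = set(tried[ip])
        elif ev["event_id"] == SUCCESS_LOGON and ip in findings:
            findings[ip]["success_after_burst"] = (ev["user"], ev["time"])
    return findings


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, f)
```

A hit with `success_after_burst` set is the one to escalate first; a burst with no success is still a signal that the endpoint is reachable from the Internet and being guessed at.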

Bootnote: Thanks to @MalwareHunterTeam and @FraMauronz for correcting the author about decrypting the malware: their intention in July was to say there isn’t a way to unlock files without the attacker’s key.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/30/lanarkshire_nhs_infection_named_as_bitpaymer_variant/

Best Korea fingered for hacks against Bitcoin exchanges in South

North Korea has emerged as the prime suspect in recent Bitcoin exchange hacks in South Korea, with threat intel experts warning that more attacks on digital currency services and even mainstream banks are likely to follow.

South Korea’s Cyber Warfare Research Center reportedly believes that at least one Bitcoin exchange was targeted in a hack pulled off using a carefully crafted email phishing campaign.

Threat intel firm Cybereason reckons the attacks are a reaction to the tighter economic sanctions prompted by North Korea’s recent missile tests.

The speed with which the DPRK conducted this operation demonstrates how seriously they’re taking this latest round of sanctions, according to Cybereason. Should China not ease up on its enforcement of the measures, we’re likely to see a significant priority shift in DPRK tactics to focus on making up the currency shortfall.

Despite brash pronouncements, this intrusion was not meant as retaliation for the ongoing War Games that have taken place on the Korean Peninsula, or to collect valuable intelligence. Instead, Pyongyang has already mobilised its defence of GDP. It appears that the first shots in the latest round of sanction fighting have been fired and are focused on Bitcoin exchanges – not on a major heist like we saw with the attempts to steal money through the SWIFT network. This rapid reaction to sanctions is likely to be the first skirmish before much larger operations requiring more planning, lead time and network reconnaissance.

“Banking, financial institutions and currency exchanges are likely to see a steady increase in malicious and sophisticated intrusion attempts,” warned Ross Rustici, senior director of intelligence services at Cybereason. “They will likely be focused on institutions in South Korea, the United States and Japan (to add a little political flavour to the currency generation). However, we could see the uptick also happen in countries where network security is largely weak – parts of south and southeast Asia, the Baltics and potentially even parts of Africa.”

Things have the potential to turn nasty and Bitcoin exchanges – in particular – would be well advised to batten down the hatches.

“To date, we have not seen a combination of destructive attacks and currency generation from the DPRK. Given current tensions and the potential desire to retaliate for perceived assaults on the regime, the DPRK has the latent capacity to conduct a heist and destroy the network on the way out,” Rustici added.

Cybereason’s analysis of the Bitcoin exchange hacks, and how they might affect the threat landscape for financial services, can be found here. ®

Bootnote

Attacks on the SWIFT network, including the high-profile theft of $81m from an account held by the Central Bank of Bangladesh, have also been blamed on North Korea. More specifically, Bureau 121, a division of North Korea’s Reconnaissance General Bureau intelligence agency, was recently fingered as the prime suspect in the cyber-raids by Moscow-based threat intelligence firm Group-IB.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/30/north_korea_bitcoin_exchange_hack/

Two million customer records pillaged in IT souk CeX hack attack

Second-hand electronics dealership CeX says two million customers may have had their personal information swiped by hackers.

Several Reg readers dropped us a line after receiving an email from the Brit biz that informed them their personal details including first name, surname, address, email address and phone number had been illegally accessed by miscreants.

In some cases passwords were also stolen. The company says these were hashed, but warns – correctly – that weak passwords could still be cracked, so if you have reused one it’s time to make some changes.

“We take the protection of customer data extremely seriously and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats,” CeX said in a statement.

“Clearly however, additional measures were required to prevent such a sophisticated breach occurring, and we have therefore employed a cybersecurity specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening again.”

Some credit and debit card data was also slurped, but CeX says that’s not a problem because the store stopped taking that data in 2009, and so all of the cards have likely expired. CeX says it can’t share more details while investigations are continuing.

The data loss came as part of an “online security breach” – its in-store terminals weren’t affected. That’ll be a relief to those using the stores, since credit card-slurping point-of-sale malware is becoming increasingly common, particularly in the US. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/29/cex_servers_hacked/

Are you an adrenaline junkie who takes risks with security?

Lee Hadlington is a cyberpsychologist at De Montfort University. He researches how psychology plays a role in cybersecurity. He recently conducted a study to find out if personality characteristics such as impulsivity and “internet addiction” determine whether people are conscientious or risky in their cybersecurity behavior. The study’s paper was published in July.

For the study, 538 employed people in the UK completed an online questionnaire. The subjects ranged in age from 18 to 84, with 218 males and 297 females.

Some of the risky cybersecurity behaviors asked about in Hadlington’s study include:

  • Sharing passwords with friends and colleagues
  • Disabling antivirus software to access blocked content
  • Using the same password for multiple websites
  • Sending personal information to strangers on the internet
  • Downloading digital media such as music and video files from unlicensed sources
  • Entering payment information on websites that have no clear security information

Hadlington used Mark Griffiths’ criteria for internet use disorder in his definition of internet addiction. Griffiths defines internet use disorder as a compulsive need to engage in online activities to the detriment of other areas of a person’s life.

However, concepts such as “internet addiction” and “videogame addiction” are controversial in the psychological community. Dr Anthony Bean, a clinical psychologist, was recently interviewed in Polygon about his skepticism about video game addiction.

One of the major concerns that we have is that we’re putting the cart before the horse on this one. We don’t know what videogame addiction is. The psychology and medical fields took the concept of addiction — whether it’s substance abuse or anything like that — and just switched it out with video games. The thinking was, ‘Oh, it’s a form of addiction. It’s like any other addiction.’ But it’s not the same.

You could do the whole process over again with football. Why are we not considering that an addiction? What about someone who really likes to go into a library and read books, and they just can’t put that book down because they’re at that great part that they want. You force them to put that book down, [and] their mind’s just going to be on it. Why isn’t that a form of addiction?

So is characterizing these as addictions an unnecessary pathologization? Says Hadlington:

I think there are two issues here – addiction is a clinical term, which requires a formal diagnosis, and in the context of my work I accept that this is an issue. I think we look at more the issue of problematic use – and internet addiction is an umbrella term through which other aspects of digital technology addiction are actioned – if that makes sense. I haven’t seen anything as of yet [for internet addiction in psychiatry’s DSM-V diagnostic manual], but the very term is problematic – from a research perspective it’s used as a label at the moment.

Nonetheless, according to the definition of internet addiction that Hadlington and Griffiths accept, the study found a correlation with risky cybersecurity behavior. Richard Davis’ Online Cognition Scale was used to determine if subjects in Hadlington’s study were addicted to internet use. From the paper:

The results demonstrated that internet addiction was a significant predictor for risky cybersecurity behaviors.

The study used Christopher Coutlee’s Abbreviated Impulsiveness Scale to determine if subjects were impulsive. Hadlington’s study found another correlation:

The measure of impulsivity revealed that both attentional and motor impulsivity were both significant positive predictors of risky cybersecurity behaviours, with non-planning being a significant negative predictor.

So how can businesses help their employees do better with cybersecurity? Hadlington responds:

I think first of all they need to understand what is going on within their organization. Rather than spending money on making password protection really good, they might already have this covered – then it is a matter of finding out what works. We know from research that online training and emails about cybersecurity really don’t work. You need to connect with employees, so focus groups and guest speakers appear to be most effective at changing behavior.

How could a focus group be implemented?

It takes very little time and money to get involved in academic research that could help a company identify the key risks, which could in turn save them millions in the long run. Focus groups are really easy to do, and you can introduce the topic (such as online security) and ask people about their concerns. Often you see that groups have the same concerns, which the focus group lead can then offer advice on.

So it seems that people who engage in risky behavior in other areas of their life are more likely to also engage in risky behavior in their computer and internet use. Thankfully, people can learn to engage in better cybersecurity behavior, and teaching them in person and asking for feedback is more effective than indirect training methods such as sending them emails.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/THlxrqaEXyo/

News in brief: Turing’s documents found; Uber steps back on tracking; feathered threat to police

Your daily round-up of some of the other stories in the news

Alan Turing’s documents uncovered

A collection of letters from Alan Turing, one of the founding fathers of modern computing and a brilliant cryptanalyst, has been uncovered in an old filing cabinet at the University of Manchester, and reveals that the mathematician, who moved to the university after the second world war, was not a fan of the United States.

Turing, who had led the codebreaking efforts at Bletchley Park that were credited with helping shorten the war, became deputy head of the university’s computing lab in 1948, and it was one of his modern-day successors at the university, Professor Jim Miles, who found the letters. He explains: “I was astonished such a thing had remained hidden out of sight for so long. No one who now works in the school or at the university knew they even existed.”

The cache of correspondence includes Turing’s notes on artificial intelligence for a BBC programme, and correspondence about invitations to lecture in the US, which Turing turned down flat, saying: “I would not like the journey, and I detest America.”

The collection is available to researchers at the university’s library. Said Miles: “It really was an exciting find and it is a mystery as to why they had been filed away.”

Uber pulls controversial tracking feature

Uber is to pull a feature in its app that continued to track users for five minutes after they got out of their driver’s car, the beleaguered ride-sharing company said.

The company, which has faced a series of crises that culminated in its founder, Travis Kalanick, leaving, will roll out the update to the app this week.

The update will restore users’ ability to limit the app’s data gathering to the times when it’s actively being used. Since November, users have either had to consent to the app collecting their location data all the time, or not at all. The latter option meant users had to manually enter their location into the app when booking a cab.

Joe Sullivan, chief security officer, told Reuters that reinstating that option wasn’t connected to the C-suite upheavals at the company: “We’ve been building through the turmoil and challenges because we already had our mandate.”

Feathers ruffled as emergency number falters

Just when you thought you were on top of your cybersecurity, with your gateway protection, phishing mitigation, firewalls, endpoint protection and so on, along comes a whole new threat, as Avon and Somerset Police in southern England found out on Monday: a stray owl.

The police force had to urge locals only to call the 999 emergency number if it really was urgent after the bird flew into power cables, taking out the power supply at the force’s HQ near Bristol. The force’s staff had to come in to help provide a back-up service on Monday, which was a holiday in the UK.

This isn’t the first time wildlife has proved a threat to critical infrastructure: the Cyber Squirrel 1 project tracks animal damage around the world, with birds the second most common agents of disruption.

The force said that full service was finally restored on Monday afternoon, and added: “We certainly hope our feathered friend escaped without injury and was unaware of the feathers he ruffled.”



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/1Fm_I573BnE/
