STE WILLIAMS

Emotet’s goal: drop Dridex malware on as many endpoints as possible

Updated Friday, Aug. 11 at 7:30 a.m. ET: The significant thing about Emotet is its habit of dropping so many different malware families as payloads wherever it travels. Malware families dropped on infected systems by Emotet so far include:

  • Troj/Agent-*
  • Mal/EncPk-ACW
  • Troj/inject
  • Troj/injecto
  • Troj/Wonton
  • Mal/Slenfbot-G

But Dridex is by far the most prevalent payload, and Sophos Global Malware Escalations manager Peter Mackenzie believes the main goal of Emotet’s creator is to get Dridex on as many endpoints as possible. He said:

It’s the equivalent of dropping a cluster bomb of mines onto a target, some will explode right away because of people not watching what they are doing. Most, however, will be removed safely, with a few left over for years in places people forgot to check, waiting for that unlucky victim to step on them.

The fact that most detections occurred because of a few generic accounts with weak passwords is proof of the damage a weak password can do, especially when the account has admin access.

We’ll continue to update this article as new details emerge.

***

Network worms and Trojan malware are back with a vengeance. A good example is WannaCry, which infected hundreds of thousands of computers across the globe in May. Now comes Emotet – malware with worm and trojan characteristics that exploits weak admin passwords to spread across a victim’s network.

SophosLabs has seen a surge in Emotet cases in the past week and has blocked it from customer computers. Its payload is a form of banking Trojan designed to steal a user’s online banking details. Labs researcher Tad Heppner described it this way:

Emotet is a trojan although it also contains the functionality necessary to be classified as a worm.  The primary distinction is that a trojan requires some degree of social engineering to trick a human into enabling the spread of the infection whereas a worm can spread to other systems without the aid of a user. Emotet downloads then executes other payloads, so even though its core component is not directly a worm, it does have the potential to download and execute another component to spread itself to other systems.

How it works

The initial infection is distributed via email spam.  Researchers pieced together the following sequence of events:

  • A spam email containing a download link arrives in the victim’s inbox.
  • The download link points to a Microsoft Word document.
  • The downloaded document contains VBA code that decodes and launches a PowerShell script.
  • The PowerShell script then attempts to download and run Emotet from multiple URL sources.

The Emotet components are contained in a self-extracting WinRAR archive bundled with a large dictionary of weak and commonly used passwords. (Note: WinRAR is a Windows file compression tool.)

The password dictionary is used to gain access to networked systems. Once it gains access, it copies itself to hidden C$ or Admin$ shares.  The copy is often given the filename my.exe, but other filenames have been used.
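The spread described above (a password dictionary tried against admin accounts, then a copy dropped to a hidden C$ or Admin$ share) leaves a pattern in Windows Security logs that a defender can look for. The following Python is an added example, not Sophos code: it runs over a constructed, simplified set of event records (4625 failed logon, 4624 successful logon, 5145 share access) and flags a source host that sprays many accounts and then writes an executable to an admin share. Host addresses, account names and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"ADMIN$", "C$"}   # hidden admin shares named in the article


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def build_sample_events():
    """Constructed sample: a simplified view of Windows Security events.
    4625 = failed logon, 4624 = successful logon, 5145 = network share object
    accessed.  Hosts and account names are hypothetical."""
    base = _ts("2017-08-10T09:00:00")

    def ev(offset, eid, src, user, share=None, file=None):
        return {"ts": (base + timedelta(seconds=offset)).isoformat(timespec="seconds"),
                "id": eid, "src": src, "user": user, "share": share, "file": file}

    accounts = ["administrator", "admin", "backup", "scanner"]
    # one host cycling a password list through several accounts, 5 s apart
    events = [ev(5 * i, 4625, "10.0.0.23", accounts[i % 4]) for i in range(12)]
    # a weak password hits, then the copy lands on the hidden admin share
    events.append(ev(70, 4624, "10.0.0.23", "backup"))
    events.append(ev(75, 5145, "10.0.0.23", "backup", share="\\\\*\\ADMIN$", file="my.exe"))
    # benign noise: a user mistyping twice, then ordinary share access
    events.append(ev(120, 4625, "10.0.0.50", "alice"))
    events.append(ev(130, 4625, "10.0.0.50", "alice"))
    events.append(ev(200, 5145, "10.0.0.50", "alice", share="\\\\*\\Projects", file="report.docx"))
    return events


def find_password_sprays(events, min_failures=8, min_accounts=3, window=timedelta(minutes=5)):
    """Sources with >= min_failures failed logons against >= min_accounts distinct
    accounts inside any sliding window.  Returns {src: (failures, accounts)}."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            failures[e["src"]].append((_ts(e["ts"]), e["user"]))
    hits = {}
    for src, rows in failures.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            users = {u for _, u in span}
            if len(span) >= min_failures and len(users) >= min_accounts:
                if len(span) > hits.get(src, (0, []))[0]:
                    hits[src] = (len(span), sorted(users))
    return hits


def find_admin_share_drops(events):
    """Executables written to C$ or ADMIN$ (event 5145); share names in that
    event look like \\\\*\\ADMIN$, so only the last path component is compared."""
    drops = []
    for e in events:
        if e["id"] != 5145 or not e["share"] or not e["file"]:
            continue
        share = e["share"].rsplit("\\", 1)[-1].upper()
        if share in ADMIN_SHARES and e["file"].lower().endswith(".exe"):
            drops.append((e["src"], share, e["file"]))
    return drops


def triage(events):
    """High-confidence alerts: a source that both sprayed passwords and then
    dropped an executable on an admin share."""
    sprays = find_password_sprays(events)
    alerts = []
    for src, share, fname in find_admin_share_drops(events):
        if src in sprays:
            n, users = sprays[src]
            alerts.append(f"{src}: {n} failed logons across {len(users)} accounts, then wrote {fname} to {share}")
    return alerts


if __name__ == "__main__":
    for line in triage(build_sample_events()):
        print(line)
```

The two signals are kept separate on purpose: a spray alone is worth a look, but a spray followed by a write to ADMIN$ from the same host is the sequence the article describes and is what the combined alert fires on.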

Emotet contains an embedded list of strings from which it chooses two words to meld into the filename it will use at the time of initial infection.  The strings chosen are seeded using the hard disk volume ID. As a result, the same hard disk will always result in the same filename for each infected system.

It also downloads a self-updating component capable of downloading the latest copy of itself and other modules. This component is saved as %windows%filename.exe, where the filename consists of 8 hexadecimal digits.

Some of the other modules this component downloads are used to harvest credentials from other known applications or to harvest email addresses from Outlook PST files for use with targeted spam.

When the updater component updates the main Emotet component, it replaces the parent file using the same filename consisting of the same strings chosen earlier. It then installs and runs the updated exe as a Windows service.

Recent Dridex and Qbot infections have also been discovered on Emotet-infected machines. It’s possible that Emotet’s ability to download and execute other payloads is currently being used to deploy geotargeted payloads.

Defensive measures

The attacker behind this outbreak has reacted to Sophos’ detections by creating new variants as the attacks persisted, taking advantage of the Emotet updating feature. They also changed the IP addresses they were downloading payloads from.

Nevertheless, Sophos is protecting customers from the threat and has created a Knowledge Base Article with a full breakdown of variants detected.

SophosLabs detects Emotet components as:

  • Mal/Emotet
  • HPmal/Emotet
  • Troj/EmotMem-A

To guard against malware exploiting Microsoft vulnerabilities in general:

  • Stay on top of all patch releases and apply them quickly.
  • If at all possible, replace older Windows systems with the latest versions.

Other advice:

  • If you receive a Word document by email and don’t know the person who sent it, don’t open it.
  • Block macros in Office documents.

  • Lock down file sharing across the network.

  • Make sure users do not have default admin access.

  • Enforce password best practices.

  • Use an anti-virus with an on-access scanner (also known as real-time protection).

  • Consider stricter email gateway settings.

  • Never turn off security features because an email or document says so.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/B9xL-RBXMJo/

Why NIST’s Bill Burr shouldn’t regret his 2003 password advice

Back in 2003, an engineer called Bill Burr wrote the official guidance on password security for the US National Institute of Standards and Technology (NIST), since widely referenced as the last word on the subject for government departments, large organisations and, latterly, consumers.

Fourteen years on, and a year after NIST overhauled the document from scratch, Burr has told the Wall Street Journal he regrets flaws in his advice, an unusual and brave admission for any professional to make.

Burr sums up his 2003 approach:

It just drives people bananas and they don’t pick good passwords no matter what you do.

We think Burr is being hard on himself, but let’s do him the courtesy of outlining what he thinks was wrong with the influential but oft-mangled eight-page NIST Special Publication 800-63, appendix A.

At its core was the simple orthodoxy that users should choose alphanumeric passwords sprinkled with capitals and special characters. These should be changed regularly.

The first part of this advice forms the basis of almost every password policy in existence, along with a requirement that passwords be at least X (usually now eight) characters long.

This wasn’t bad advice back in 2003 given that many users chose comedy passwords such as “password123”. Applying NIST’s rules, they could change that to the 12-character “P@ssW0rd123!” and congratulate themselves on how easily they had boosted their security.

Except, we now know, they hadn’t, for reasons that are reminiscent of what economists call the tragedy of the commons. To simplify, this states that what appears a good idea for an individual stops being so if everyone does the same thing.

If one person chooses a “P@ssW0rd123!”, in theory it’s secure. But when lots of people use a similar pattern, attackers have something predictable to aim at.

Realising that imposing generic password rules makes people gravitate towards common patterns, NIST now recommends that people focus more on length while checking existing passwords against a dictionary of known bad (ie, common, guessable) combinations.
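To make the shift concrete, here is an added Python example (not NIST's or Naked Security's code) of a password check built along the lines described above: length is the main requirement, there are no character-class rules, and each candidate is normalised and compared against a deny list of known-bad passwords, so that “P@ssW0rd123!” is rejected as a dressed-up “password” while a long plain passphrase is accepted. The deny list and the substitution table are small constructed samples; a real deployment would load a large breach-derived list.

```python
import unicodedata

# Constructed sample deny list (assumption: a real one is breach-derived and much larger).
KNOWN_BAD = {"password", "password123", "letmein", "qwerty", "123456", "welcome1"}

# Substitutions people use to satisfy "special character" rules without adding entropy.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i", "|": "l"})

KEYBOARD_RUNS = ("abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl", "zxcvbnm", "0123456789")


def normalize(pw):
    """Reduce a password to the base word an attacker would guess: lower-case,
    drop the trailing digits/punctuation people bolt on, undo leet substitutions.
    'P@ssW0rd123!' becomes 'password'."""
    s = unicodedata.normalize("NFKC", pw).lower().rstrip("0123456789!?.,")
    return s.translate(LEET_MAP)


# Deny-list entries are normalised the same way; an all-digit entry collapses to ""
# and is handled separately below.
NORMALIZED_BAD = {normalize(p) for p in KNOWN_BAD} - {""}


def evaluate(pw, min_length=8):
    """Return (accepted, reasons).  No upper/lower/symbol quota: length plus the
    deny list do the work, so a long plain passphrase passes untouched."""
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    core = normalize(pw)
    if not core:
        reasons.append("only digits and punctuation")
    elif core in NORMALIZED_BAD:
        reasons.append(f"known-bad password '{core}' after normalization")
    low = pw.lower()
    if any(low in run or low in run[::-1] for run in KEYBOARD_RUNS):
        reasons.append("keyboard or alphabet sequence")
    if len(set(low)) <= 2:
        reasons.append("too few distinct characters")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("P@ssW0rd123!", "correct horse battery staple", "12345678", "qwerty1"):
        ok, why = evaluate(candidate)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected'} {why}")
```

The normalisation step is what defeats the tragedy-of-the-commons pattern in the article: every variant of the same base word with the same cosmetic substitutions collapses to one deny-list entry, so the check does not need to enumerate each one.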

The second part of Burr’s advice – changing passwords regularly – probably became one of the biggest banes of professional IT because it generated work and often wasn’t effective when people made only minor tweaks. The advice today is to change passwords only when necessary (such as after a breach), which is good news for the vast number of people who’ve never bothered anyway.

Burr and NIST were still right to offer some advice because the alternative of offering no or heavily qualified advice wouldn’t have saved the world from bad passwords. Indeed, large numbers of users still ignore even the baseline of Burr’s 2003 rules and use hopeless passwords where they are allowed to – any number of bad passwords revealed in data breaches tells us this.

A fundamental challenge is that what constitutes a secure password changes over time as attackers up the ante. There’s also a need to balance usability. Make a password too easy (short, predictable) and attackers will uncover it, but make it too hard (long, complex) and users will take shortcuts.

What, then, has really changed for password security between 2003 and now?

Ironically, it’s the realisation that passwords, no matter how well crafted, are no longer enough on their own. A single phishing attack can grab even the best password as can the breaching of a poorly secured database. Even the best get re-used over and over.

The world still uses passwords but increasingly supplements them with systems of authentication and identity that take decisions out of users’ hands, something that is at the heart of NIST’s revised guidelines.

Anyone who still wants some password-crafting advice without ploughing through NIST’s document might start with how to pick a proper password or Naked Security’s busting password myths podcast but only after reading how difficult it is to craft a password that can withstand even 100 guesses.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/JZC27KgekOQ/

Latest viral sensation app Sarahah raises concerns about cyberbullying

Evidence of app developers’ insuppressible optimism can be found in the ever-growing subgenre of apps that let you rate things. And by “things” what I really mean is “people”.

In spite of the swamps of vitriol, cattiness and cyberbullying that pool around their apps, and in spite of getting banned both in schools and by entire countries, app devs keep pumping out new flavors of anonymous feedback/non-anonymous personality rating/secret sharing anonymously except it’s with friends and friends of friends so of course they know it’s you.

It’s all done with starry-eyed promises of e-nirvana: this one will be different, this one will be a “positivity app for positive people!”

And now, there’s a new one. It’s called Sarahah.

Its premise is that you can get “honest feedback from your coworkers and friends”. The app lets your friends be honest with you, it says, because of course people are nice when they’re anonymous NOT!!!, particularly because they’re vindictive, back-stabbing spew-holes your “friends”.

By the way, the “real names = civility” notion — a notion that’s been making the rounds for at least the last 30 years — is wrong. Research has actually found that on average, the less identifiable we are online, the more sensitive we are to group norms, whether those norms are to be civil or otherwise.

And — this won’t surprise members of minority ethnic groups — real names often lead to discrimination and harassment. One study found that Uber drivers more frequently cancelled the fares of people with African American names, for example.

At any rate, there are more reasons to be anonymous than to air your authentic feelies. Sarahah was actually created by a Saudi Arabian developer, Zain al-Abidin Tawfiq, with the aim of giving employees a forum in which to offer their bosses feedback without fear of retribution. (Sarahah means “candor” or “frankness” in Arabic.)

Tawfiq, who works full-time as a business systems analyst at an oil company in Saudi Arabia, told Mashable that there’s an issue in the workplace that his app is designed to overcome:

People need to communicate frankly to their bosses.

People in the Arab world are, in fact, quite frank, he said. They’re honest and well-connected to family and friends, and they freely spill their true feelings. Still, Tawfiq says, like anywhere, there can be social barriers:

There are barriers like age, sometimes it’s the position, you can’t go to someone who is a grandfather and tell them everything you think about them. Breaking these barriers, that’s what everybody wanted.

Well, that’s one app developer who sure must know whereof he speaks. As Mashable reports, Sarahah has become a viral sensation. The app took off after Tawfiq expanded the user base to the general public and then on to Snapchat users.

By late July, it had spilled out of the Arabic-speaking world and into the English-speaking world to surge to the top of Apple’s App Store’s list of free apps in regions including Australia, Ireland, the US and the UK.

Sarahah essentially allows users to send completely anonymous comments to other users, with no way of the recipient replying or knowing who sent it to them. It’s certainly not the first app to go this route: other anonymous apps such as Yik Yak, Secret, Whisper and ask.fm have all tried it.

Those apps’ approach to anonymous comments has taken off like a flock of lead pigeons. Lead pigeons who leave cyanide droppings.

Take Yik Yak: it was banned in schools that got polluted by toxic anonymous chat. It reacted by mandating the use of handles, after which its popularity nosedived. Yik Yak was shut down in April.

Unlike some of its brethren anonymous rating apps, Sarahah allows users to block messages from nonregistered users and doesn’t publicly post responses without your permission. That’s actually more or less where the Peeple app is at. As in the oh, so this isn’t actually vaporware or a stunt to film a Silicon Valley reality show? Peeple app.

In fact, Peeple, the people-rating app, also known as the Yelp for people, bowed down to its howlingly bad reception. The app had initially been designed to allow users to rate anybody, even if they weren’t registered on the platform, offering them 48 hours to dispute a bad review … which they could only do if they registered on the platform.

Let’s not mince words: registering on Peeple is a horrific idea, given that a) buried deep in its terms and conditions is the fact that Peeple can do anything it wants with any data any user forks over, and b) the Peeple creators have said in a press release that they’re considering profiting off of negative reviews, whether they’ve been publicly posted or not. The product they’re mulling is a subscription called a “Truth License”.

…as if all ratings contained nothing but truth: a mind-bogglingly naive notion.

So, how’s Sarahah’s approach to anonymity working out? Well, there are haters and lovers to be found in the App Store reviews.

Some say that they’re receiving heartwarming messages from their classmates … and then again, there are reviewers who call the app a “breeding ground for hate”, adding this:

My son signed up for an account and within 24 hours someone posted a horrible racist comment on his page including saying that he should be lynched.

Let’s put this all into perspective.

Sarahah is an app. Like other apps, it can be used to support people, or it can be used by mobs and trolls to attack them. Anonymity doesn’t dilute the potential for venom. Neither does the use of real names.

To hell with rating people. To hell with giving “feedback” that can turn into a pecking order where some get pecked to death. (If you haven’t yet watched Netflix’s Black Mirror, the Nosedive episode, it’s being called something like the filmed version of the Peeple app. It’s a brilliant enactment of the criticisms that these apps rightly accrue; it’s a dystopian take on where all this people rating could someday take us, and it ain’t pretty: disallowing people with low ratings from entering certain venues, for example, or being allowed to move to a particular neighborhood. Highly recommended.)

Sarahah is just an app: one in a long line of people-rating apps.

If you get some warm and fuzzies out of it, great.

If it gets toxic, delete it. Wipe it off your phone and out of your life.

Sooner or later, if cyberbullying takes over the app as it has done with similar apps, that’s what the internet/governments/schools will do anyway: add it to the junk heap along with the apps (or, at least, their policies) Yik Yak, Formspring, Lulu and Secret.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/sHBVz3if7Zs/

‘You could see why someone might want to hack DNA’

Deoxyribonucleic acid, otherwise known as DNA, carries the genetic instructions for all living things, human beings included. You can think of it as biological data storage. Genetic researchers have actually used DNA to store data, such as Amazon gift cards, GIFs, and books. Now University of Washington scientists Peter Ney, Karl Koscher, Lee Organick, Luis Ceze, and Tadayoshi Kohno have been able to use DNA to store and transmit malware in a move that sounds like a plot from a William Gibson novel.

We needn’t worry about the DNA we leave behind in our saliva or hair strands infecting computers with malware. Not yet, anyway. The University of Washington researchers were able to make the execution of their DNA-encoded malware work by introducing a vulnerability into the FASTQ compression utility, a DNA data file analysis application. That may sound like cheating, but cybersecurity professionals know that there’s the possibility of security vulnerabilities in all types of software.

DNA contains units called nucleotides. Those nucleotides can have one of four different types of nucleobases: thymine (T), adenine (A), guanine (G), and cytosine (C). The researchers were able to assign binary 1s and 0s to the nucleotides of the DNA they composed in order to create computer executable malware.

Part of the motivation for the University of Washington scientists’ malware DNA research is to prepare the cybersecurity field for the new malware methods of the future. Tadayoshi Kohno explained:

We want to understand and anticipate what the hot new technologies will be over the next 10 to 15 years, to stay one step ahead of the bad guys. It’s an emerging field that other security researchers haven’t looked at, so the intrigue was there. Could we compromise a computer system with DNA biomolecules?

The process described in the researchers’ paper begins with DNA strands in a test tube. With that, they experimentally evaluate if DNA can be used to contain malicious software. They did that by synthesizing DNA strands which contain computer security exploits. Then they observed a side channel resulting from fundamental properties of DNA sequencing technologies, and considered how the side channel could be exploited. Next, they evaluated the security of DNA processing applications. Finally, a threat model for the DNA sequencing pipeline was derived.

In a nutshell, malware is decompiled into binary data, then those 1s and 0s are assigned to the C, G, A, and T nucleobases in physical DNA. A DNA data file is made from that physical DNA. They executed the DNA data file with the FASTQ compression utility with the vulnerability they introduced to it. Through the modified FASTQ compression utility, they were able to execute malware on a computer.
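As an added illustration (not the University of Washington team's encoding, which the page does not reproduce), the Python below shows the basic idea of assigning bits to nucleobases: with four bases each base carries two bits, so one byte becomes four bases. It encodes bytes to a string of A/C/G/T, decodes it back with validation, and measures the longest single-base run, one of the physical constraints a practical DNA-storage encoding also has to manage. The bit assignment A=00, C=01, G=10, T=11 is an assumption chosen for the example.

```python
BASES = "ACGT"                       # assumed mapping: A=00, C=01, G=10, T=11
BASE_TO_BITS = {b: i for i, b in enumerate(BASES)}


def bytes_to_dna(data):
    """Encode each byte as four bases, most significant bit pair first."""
    return "".join(BASES[(byte >> shift) & 0b11]
                   for byte in data for shift in (6, 4, 2, 0))


def dna_to_bytes(seq):
    """Inverse of bytes_to_dna; rejects non-nucleotide characters and lengths
    that are not a whole number of bytes."""
    seq = seq.strip().upper()
    if len(seq) % 4:
        raise ValueError("sequence length must be a multiple of 4 bases")
    out = bytearray()
    for i in range(0, len(seq), 4):
        byte = 0
        for ch in seq[i:i + 4]:
            if ch not in BASE_TO_BITS:
                raise ValueError(f"not a nucleotide: {ch!r}")
            byte = (byte << 2) | BASE_TO_BITS[ch]
        out.append(byte)
    return bytes(out)


def longest_homopolymer(seq):
    """Longest run of a single base.  Long runs are error-prone to synthesize and
    sequence, which is why real DNA-storage encodings add constraints that this
    naive 2-bit mapping does not (general background, not from the article)."""
    best = run = 0
    prev = None
    for ch in seq:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


if __name__ == "__main__":
    payload = b"Hi!"
    strand = bytes_to_dna(payload)
    print(strand, dna_to_bytes(strand), longest_homopolymer(strand))
```

Note that a run of zero bytes becomes a run of A's under this mapping, so even a small binary with padding would hit the homopolymer problem; that is the kind of optimisation of the encoded sequence that the interview below alludes to.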

I spoke to Dr Kat Arney, science writer, occasional Naked Security contributor and broadcaster, for her perspective. She’s the author of the genetics books Herding Hemingway’s Cats and How to Code a Human, and presenter of the monthly Naked Genetics podcast.

Back in the very early days of DNA sequencing, researchers would use huge slabs of gel and radioactively labelled chemicals to obtain the sequence of a piece of DNA, writing down each ‘letter’ with a pen and paper.

Then, once the process became automated from the 1980s onwards, DNA sequencing machines and analyzing programmes started to store DNA sequences as computer files. So although it’s not new to convert DNA sequences into computer files that can be read and analysed, this is the first time that someone has tried to deliberately generate a piece of malicious code that messes with those files and turns them into executable malware.

In this case, it looks like the ‘hackers’ have made a lot of workarounds to get this to work: introducing a vulnerability into the analyzing program and doing a lot of optimization of the DNA sequence encoding the malware to make it work. So it’s not something that any random bad person could go and do next week.

But it does expose important security vulnerabilities. Nobody expected someone to do this, but given the sensitive personal nature of DNA information, you could see why someone might want to hack a DNA sequencing facility. It should be a wake-up call to DNA sequencing companies and facilities to make sure this can’t become a practical reality.

Working with DNA has become a lot more affordable recently. Costs to sequence the human genome have dropped from about $100,000 in 2009 to a mere $1,000 in 2014. Maybe at some point the price will go down to less than $100, and if that happens, using DNA synthesis to do harm may be very attractive for cyberattackers.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/EbPmz0c2lyw/

Ukrainian man, 51, cuffed on suspicion of distributing NotPetya

A middle-aged Ukrainian has been arrested on suspicion of acting as an agent in distributing the infamous NotPetya ransomware.

Sergey Neverov, 51, a video blogger and computer enthusiast from Nikopol, was cuffed by Ukrainian police on August 7 (official statement in Ukrainian here). Neverov is accused of posting a video explaining how to infect a computer with Petya-A as well as sharing a download link for the malware through a social media account.

Neverov is not suspected of writing NotPetya nor of being behind the initial ransomware attack that severely disrupted numerous businesses in Ukraine and across the world in late June. His alleged offences are crimes of facilitation. Police reckon at least 400 computers got infected by malware they’ve alleged the suspect uploaded.

Ukrainian businesses are normally required to file tax returns by June 30 but authorities extended this deadline until the end of December as a result of the NotPetya outbreak.

Investigators reckon the malware samples distributed in the case were used by some to deliberately infect systems to avoid paying taxes on time without incurring a late penalty. The suspect, who made no attempt to hide his identity, would not have benefited directly from this Machiavellian ruse, as The Hacker News notes.

Neverov has been charged with hacking offences punishable on conviction by up to three years’ imprisonment. ®

Bootnote

Ukraine has previously blamed Russian intel agencies for NotPetya, so although the arrested man potentially faces big trouble, he’s unlikely to get blamed for the whole mess.

Sponsored:
The Joy and Pain of Buying IT – Have Your Say

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/11/notpetya_ransomware_suspect_arrested/

Good Lord: Former UK spy boss backs crypto

A former boss at UK domestic spy arm MI5 has cautioned against a crackdown on encrypted messaging apps.

Lord Evans, who retired in 2013, told BBC Radio 4’s Today programme (link here) that he did not support encryption restrictions despite acknowledging cryptography had been an obstacle in investigating terrorist cases, saying that capabilities to access comms had been “eroded”.

“I’m not personally one of those who thinks we should weaken encryption because I think there is a parallel issue, which is cybersecurity more broadly,” Lord Evans said.

“Whilst understandably there is a very acute concern about counter-terrorism, it is not the only national security threat that we face. It’s very important that we should be seen and be a country in which people can operate securely – that’s important for our commercial interests as well as our security interests. Encryption in that context is very positive.”

Lord Evans’ comments follow along the same line as former GCHQ director Robert Hannigan’s earlier criticism against building backdoors into end-to-end encryption (e2e) schemes as a means to intercept communications by terrorists.

Hannigan argued at the time that the best and most practical solution would be for security services to “target the people who are abusing” encryption systems and go after the devices themselves – ie, the smartphone or laptops they are using.

Both perspectives stand in contrast with UK Home Secretary Amber Rudd’s criticism of mobile messaging services which offer end-to-end encryption, such as WhatsApp, in the wake of recent terror outrages such as the Westminster Bridge attack.

In a wide-ranging interview, Lord Evans also said that the Snowden revelations had had a negative effect on law enforcement investigations. Child abusers, for example, have adopted more advanced tactics in streaming abuse via dark net chatrooms. He also commented on the need to secure the IoT and allegations of Russian interference in foreign elections.

“It would be extremely surprising if the Russians were interested in interfering in America and in France and in various other European countries but were not interested in interfering with the UK, because traditionally I think we have been seen as quite hawkish,” he said. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/11/ex_mi5_backs_crypto/

HMS Queen Lizzie impugned by cheeky Scot’s drone landing

An amateur photographer has reportedly landed his £475 drone aboard the largest warship ever built for the Royal Navy – without permission and completely unchallenged.

The unnamed photographer gave an interview to local paper the Inverness Courier, detailing how he landed his drone aboard HMS Queen Elizabeth in spite of “police in small boats who were waving at the drone.”

Neither the photographer nor the newspaper had responded to us by the time of publication but we’ll update this article if we hear back from them.

Operating under the Facebook nom de guerre Black Isle Images, the photographer reportedly used a Parrot Bebop drone to land on the flight deck, where he took some photos before taking off again.

Although he was mainly motivated to land by the absence of personnel on the carrier’s flight deck, the photographer said he landed because his drone’s software gave him a “high wind warning”, advising him to land.

Identical drones, equipped with first-person view live streaming cameras, can be bought from your internet souk of choice for around £475. The manufacturer claims they have a range of 1.24 miles (2km).

“There was absolutely no one around when I landed, it was a ghost ship,” the photographer told the paper. After flying away from the warship and recovering his drone on Newhall Point, on the Highlands’ Black Isle peninsula, he was seized by a fit of conscience and drove round to the carrier’s Invergordon moorings to ‘fess up. There a group of “heavily armed” police met him: “No one seemed too concerned, but the officer I spoke to said he would pass it up the chain of command.”

“In the last week commercial drone operators have discussed if they’d be able to find a location where they could capture some video of the aircraft carrier, with most feeling it would be impossible as the military would likely misinterpret any video drones flying as potentially being a threat,” Ian Hudson, a licensed British drone operator, told The Register.

“ISIS have a proven track record in Syria of weaponizing DJI’s Phantom [drone] and its professional platform the Matrice 100 to drop grenades on troops, so a drone flying over the aircraft carrier without permission, as opposed to alongside, should be considered a potential threat,” he added.

Although at first glance it seems entirely likely that the drone should have been shot down, HMS Queen Elizabeth is not actually armed at the moment. Strictly speaking, she is a civilian ship at the moment and is still the property of her builders, the Aircraft Carrier Alliance. The armament, such as it will be, will be fitted once she is accepted by the Ministry of Defence and fully commissioned into the Royal Navy. Sharp eyes will have noticed the aircraft carrier currently flies the Blue Ensign, as worn by non-commissioned ships on government business.

We have asked the MoD for comment on the mildly embarrassing stunt.

The carrier is due to arrive at Portsmouth, her home port, late next week. El Reg will be attending her grand entry to the south coast city at the invitation of the MoD. Curiously, we were specifically warned not to bring along any drones or fly them around the ship as she enters port. Perhaps the Navy is more prepared for trouble down south than it is in the sleepy waters of Scotland? ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/11/hms_iqueen_lizziei_impugned_by_cheeky_scots_drone_landing/

‘Adversarial DNA’ breeds buffer overflow bugs in PCs

Scientists from the University of Washington have created synthetic DNA that produced malware of a sort.

Detailed in a paper titled “Computer Security, Privacy, and DNA Sequencing: Compromising Computers with Synthesized DNA, Privacy Leaks, and More”, the authors explain that they decided to “synthesize DNA strands that, after sequencing and post-processing, generated a file; when used as input into a vulnerable program, this file yielded an open socket for remote control.”

To make it work, the authors got their hands on the source code of open-source DNA compressor fqzcomp and “inserted a vulnerability into version 4.6 of its source code; a function that processes and compresses DNA reads individually, using a fixed-size buffer to store the compressed data.”

“This modification lets us perform a buffer overflow with a longer than expected DNA read in order to hijack control flow.”
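The defensive counterpart to the vulnerability described above is to bound input before any per-read processing touches a fixed-size buffer. The following Python FASTQ reader is an added example, not fqzcomp code: it validates record structure, rejects any read longer than a configured maximum, and fails closed on the first bad record rather than skipping it. The maximum read length and the sample records are constructed assumptions.

```python
import io

MAX_READ_LEN = 300   # assumed limit for the short-read instrument feeding this pipeline


class MalformedRecord(ValueError):
    pass


def parse_fastq(stream, max_read_len=MAX_READ_LEN):
    """Yield (name, seq, qual) for each four-line FASTQ record.  Every check runs
    before the read is yielded, so downstream code never sees an over-long read."""
    lines = iter(stream)
    while True:
        header = next(lines, None)
        if header is None:
            return
        header = header.rstrip("\n")
        if not header.startswith("@"):
            raise MalformedRecord(f"expected '@' header, got {header[:20]!r}")
        try:
            seq = next(lines).rstrip("\n")
            plus = next(lines).rstrip("\n")
            qual = next(lines).rstrip("\n")
        except StopIteration:
            raise MalformedRecord(f"truncated record {header[1:]}") from None
        if not plus.startswith("+"):
            raise MalformedRecord(f"missing '+' separator in {header[1:]}")
        if len(seq) > max_read_len:                       # the bound fqzcomp's modified path lacked
            raise MalformedRecord(f"read {header[1:]} is {len(seq)} bases, limit {max_read_len}")
        if len(seq) != len(qual):
            raise MalformedRecord(f"sequence/quality length mismatch in {header[1:]}")
        if set(seq) - set("ACGTN"):
            raise MalformedRecord(f"non-nucleotide characters in {header[1:]}")
        yield header[1:], seq, qual


def check_fastq(text, max_read_len=MAX_READ_LEN):
    """Return (ok, error, reads_accepted).  A single bad record rejects the file."""
    n = 0
    try:
        for _name, _seq, _qual in parse_fastq(io.StringIO(text), max_read_len):
            n += 1
    except MalformedRecord as e:
        return False, str(e), n
    return True, None, n


def _record(name, seq):
    return f"@{name}\n{seq}\n+\n{'I' * len(seq)}\n"


# Constructed sample input: two 50-base reads, then one 400-base read.
SAMPLE_GOOD = _record("r1", "ACGT" * 12 + "AC") + _record("r2", "GATTACA" * 7 + "G")
SAMPLE_BAD = SAMPLE_GOOD + _record("r3", "A" * 400)


if __name__ == "__main__":
    print(check_fastq(SAMPLE_GOOD))
    print(check_fastq(SAMPLE_BAD))
```

The point is where the length check sits: in the parser, before the read reaches a compressor or any other routine that allocates storage based on what it expects a read to be, which is the assumption the modified fqzcomp path relied on.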

Readers may at this point think that it’s pretty easy to break software when you feed it data that you know in advance will cause it problems. The researchers recognise this, writing that they know their crocked code is “in many ways the ‘best possible’ environment for an adversary.”

But they also note that the vulnerability they created already exists, as “fqzcomp already contains over two dozen static buffers. Our modifications added 54 lines of C++ code and deleted 127 lines from fqzcomp.” The Register imagines that kind of modification could go un-noticed in many-a-lab.

But the paper also points out that synthesising any DNA, never mind stuff designed to disrupt bioinformatics software, is hard and prone to error. Even if you can do the job, you need to get the right sample into the right lab, and need to know what software that lab is running. Or get mal-formed software into that lab.

All of which is hard. But so was getting Stuxnet across an air-gap into an Iranian centrifuge.

The authors’ main recommendation is that bioinformatics software just hasn’t been written with this kind of attack in mind, but seeing as DNA is information encoded in chemicals the authors of such software should wise up to the risks they’ve demonstrated.

You can find the paper here [PDF] and the University’s explainer and FAQ here. The second document tries hard to point out that this is all theoretical. “We have no evidence to believe that the security of DNA sequencing or DNA data in general is currently under attack,” the primer says. “Instead, we view these results as a first step toward thinking about computer security in the DNA sequencing ecosystem.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/11/malware_in_dna/

Watch out for Emotet, the trojan that’s nearly a worm

Network worms and Trojan malware are back with a vengeance. A good example is WannaCry, which infected hundreds of thousands of computers across the globe in May. Now comes Emotet – malware with worm and trojan characteristics that exploits weak admin passwords to spread across a victim’s network.

SophosLabs has seen a surge in Emotet cases in the past week and has blocked it from customer computers. Its payload is a form of banking Trojan designed to steal a user’s online banking details. Labs researcher Tad Heppner described it this way:

Emotet is a trojan although it also contains the functionality necessary to be classified as a worm.  The primary distinction is that a trojan requires some degree of social engineering to trick a human into enabling the spread of the infection whereas a worm can spread to other systems without the aid of a user. Emotet downloads then executes other payloads, so even though its core component is not directly a worm, it does have the potential to download and execute another component to spread itself to other systems.

How it works

The initial infection is distributed via email spam.  Researchers pieced together the following sequence of events:

  • A spam email containing a download link arrives in the victim’s inbox.
  • The download link points to a Microsoft Word document.
  • The downloaded document contains VBA code that decodes and launches a PowerShell script.
  • The PowerShell script then attempts to download and run Emotet from multiple URL sources.

The Emotet components are contained in a self-extracting WinRAR archive bundled with a large dictionary of weak and commonly used passwords. (Note: WinRAR is a Windows file compression tool.)

The password dictionary is used to gain access to networked systems. Once it gains access, it copies itself to hidden C$ or Admin$ shares.  The copy is often given the filename my.exe, but other filenames have been used.

Emotet contains an embedded list of strings from which it chooses two words to meld into the filename it will use at the time of initial infection.  The strings chosen are seeded using the hard disk volume ID. As a result, the same hard disk will always result in the same filename for each infected system.

It also downloads a self-updating component capable of downloading the latest copy of itself and other modules. This component is saved as %windows%\filename.exe, where the filename is comprised of 8 hexadecimal digits.

Some of the other modules this component downloads are used to harvest credentials from other known applications or to harvest email addresses from Outlook PST files for use with targeted spam.

When the updater component updates the main Emotet component, it replaces the parent file using the same filename comprised of the same strings chosen earlier.  It then installs and runs the updated exe as a Windows service.

Recent Dridex and Qbot infections have also been discovered on Emotet-infected machines. It’s possible that Emotet’s ability to download and execute other payloads is currently being used to deploy geotargeted payloads.
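The chain described above (a Word document whose VBA launches PowerShell, a PowerShell downloader, copies dropped on C$ or Admin$ shares, and an updater saved under the Windows directory with an 8-hex-digit name) gives a defender several concrete things to hunt for. The following Python is an added example, not Sophos code: it runs simple rules over constructed process-creation and file-write telemetry, and the line format, rule names and sample values are all assumptions.

```python
import re

# Constructed sample telemetry (not from the article). Fields are tab-separated:
# "proc" lines: parent image, child image, child command line;
# "file" lines: full path of a file that was written.
SAMPLE_EVENTS = [
    "proc\tWINWORD.EXE\tpowershell.exe\tpowershell -w hidden -e SQBFAFgAIAAoAE4A",
    "proc\texplorer.exe\tnotepad.exe\tnotepad.exe C:\\Users\\bob\\notes.txt",
    "file\t\\\\FILESRV01\\Admin$\\my.exe",
    "file\tC:\\Windows\\a1b2c3d4.exe",
    "file\tC:\\Windows\\notepad.exe",
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Download/launch keywords seen in PowerShell stagers; -e/-enc hides the script body.
DOWNLOAD_RE = re.compile(
    r"downloadfile|downloadstring|net\.webclient|invoke-webrequest|\biex\b"
    r"|\s-e(nc(odedcommand)?)?\s", re.I)
# An .exe written to a C$ or Admin$ share (the article names my.exe as one such copy).
ADMIN_SHARE_RE = re.compile(r"^\\\\[^\\]+\\(c\$|admin\$)\\.*\.exe$", re.I)
# An .exe directly under the Windows directory whose name is exactly 8 hex digits.
UPDATER_NAME_RE = re.compile(r"^[a-z]:\\windows\\[0-9a-f]{8}\.exe$", re.I)


def classify_event(line):
    """Return the names of every rule that a single telemetry line matches."""
    kind, *fields = line.rstrip("\n").split("\t")
    hits = []
    if kind == "proc" and len(fields) == 3:
        parent, child, cmdline = (f.lower() for f in fields)
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            hits.append("office_spawns_script_host")
        if child == "powershell.exe" and DOWNLOAD_RE.search(cmdline):
            hits.append("powershell_stager")
    elif kind == "file" and len(fields) == 1:
        if ADMIN_SHARE_RE.match(fields[0]):
            hits.append("exe_dropped_on_admin_share")
        if UPDATER_NAME_RE.match(fields[0]):
            hits.append("hex_named_exe_in_windows_dir")
    return hits


def scan(lines):
    """Group the triggering telemetry lines under each rule name."""
    report = {}
    for line in lines:
        for rule in classify_event(line):
            report.setdefault(rule, []).append(line)
    return report
```

Any one rule on its own is noisy (administrators do copy executables to Admin$), so treat the rule names as hunting leads to be correlated per host rather than as standalone alerts.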

Defensive measures

The attacker behind this outbreak has reacted to Sophos’ detections by creating new variants as the attacks persisted, taking advantage of the Emotet updating feature. They also changed the IP addresses they were downloading payloads from.

Nevertheless, Sophos is protecting customers from the threat and has created a Knowledge Base Article with a full breakdown of variants detected.

SophosLabs detects Emotet components as:

  • Mal/Emotet
  • HPmal/Emotet
  • Troj/EmotMem-A

To guard against malware exploiting Microsoft vulnerabilities in general:

  • Stay on top of all patch releases and apply them quickly.
  • If at all possible, replace older Windows systems with the latest versions.

Other advice:

  • If you receive a Word document by email and don’t know the person who sent it, don’t open it.
  • Block macros in Office documents.
  • Lock down file sharing across the network.
  • Make sure users do not have default admin access.
  • Enforce password best practices.
  • Use an anti-virus with an on-access scanner (also known as real-time protection).
  • Consider stricter email gateway settings.
  • Never turn off security features because an email or document says so.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/B9xL-RBXMJo/

Why it’s time to fix localhost

We were recently asked to comment on a suggested new internet standard proposed in a document with the intriguing title Let ‘localhost’ be localhost.

At first glance, we assumed this would either be humorous, like the many internet RFCs dated 01 April, or benignly pedantic…

…but we investigated anyway (pedantry may be unpopular, but that is often because it is righteously correct and annoyingly important).

Here’s what the story is all about.

You’ve probably heard of DNS, short for domain name system – in technical terms, it’s a redundant, distributed, dynamic, hierarchical database responsible for telling you which computers actually correspond to what domain names.

Simply put, it’s the internet fabric that turns human-friendly server names such as facebook.com into computer-friendly network numbers such as 157.240.1.35 or 2a03:2880:f11b:83:face:b00c::25de.

Sometimes you want to access network resources directly on your own computer, using network-oriented software, even though you could just access everything directly if necessary.

For example, you might want to manage the files on your own computer by connecting locally with an FTP client, simply because you prefer the user interface, or you might want to manage the local firewall settings from your browser instead of typing cryptic commands into a console window.

When you use network protocols to access local data and services, you don’t want to risk exposing any of that network traffic to the outside world by mistake.

That’s because some network servers and services give special privileges to local traffic, so the sort of data you send locally is often much more interesting to crooks, and more dangerous to your privacy, than the traffic you’d usually allow onto your work LAN or out over the internet.

Mistakes happen

But mistakes can easily happen if you use regular internet names or numbers to access your local computer.

For example, if you are at home, you might accidentally type in your work IP number out of habit, so that traffic intended for local consumption might leak out onto the internet, trying to find its way to a remote location where your computer isn’t.

That’s why there are special IP numbers reserved to mean “this always refers to your local computer, wherever you are at the moment, so this traffic must never leave this device”.

For example, the network addresses 127.0.0.1 (on old-style IPv4 networks with 32-bit addresses) and 0:0:0:0:0:0:0:1, abbreviated to ::1 (on new-style IPv6 networks with 128-bit addresses), always and only refer to “this computer, right here, right now”.

For human-friendly simplicity, the internet name localhost means exactly the same thing, and you’re supposed to be safe using that name, too.

Unfortunately – and this is the main issue covered in Mike West’s “Let ‘localhost’ be localhost” proposal – the relevant internet standard only actually says that localhost should refer to your current computer, and doesn’t insist that it must.

(The internet standards documents make heavy use of MAY, SHOULD and MUST, and only when something gets a MUST do you have to do it. Otherwise, you’re officially allowed to cut corners, as it were.)

In other words, sloppily-written client software or sloppily-written server software could – accidentally or by design – subvert the understood meaning of localhost, and direct you to some unknown computer out there on the internet.

This could compromise security by allowing local-only data to leak out and be stolen…

…and yet the sloppy software that made the breach possible could nevertheless claim to be compliant with the relevant standards.

That’s a bit like insisting that your users set a password on their mobile phones, but allowing it to be blank.

Let SHOULD be MUST

Mike West wants the standards gurus to change the wording, so that we do indeed have an unequivocal name that refers to “this computer, right here, right now” – he wants to swap out several SHOULDS and replace them with MUSTS.

Very simply, he wants localhost to be your local host, officially, by design and unequivocally.

This won’t automatically make the internet more secure – non-compliant or malicious networking software could still break the rules – but it will make things more tidy, by removing any argument about what localhost is supposed to mean.

This, in turn, means it’s easier to detect non-compliant or malicious software, because there is a simple definition by which risky implementations can be detected, condemned and avoided.

What to do?

The devil really is in the details in matters like this.

The existing internet standard for localhost already permits applications to recognise it as a special name, and to force it to refer to the local host, without relying on any other software further down in the system to make that choice for you.

In other words, you can already and easily make your software compliant with both the letter and the spirit of both the current standard and the proposed new one…

…so why not do just that?
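As an added illustration of that last point (example code, not from the proposal or from Sophos), here is a Python resolver wrapper that treats the name localhost as loopback without ever asking DNS, and refuses any other name that does not resolve purely to a loopback address. The function names and the injectable resolver argument are assumptions made for this example.

```python
import ipaddress
import socket

# Addresses that mean "this computer, right here, right now".
LOOPBACK_ADDRS = [ipaddress.ip_address("::1"), ipaddress.ip_address("127.0.0.1")]


class LocalOnlyError(Exception):
    """Raised when a name meant for local-only traffic points off this machine."""


def is_localhost_name(host):
    """True for the reserved name 'localhost' (any case, optional trailing dot)."""
    return host.rstrip(".").lower() == "localhost"


def _system_resolver(host):
    """Default lookup: ask the OS resolver and return plain address strings."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def resolve_for_local_use(host, resolver=_system_resolver):
    """Resolve `host` for traffic that must never leave this device.

    'localhost' is mapped to loopback without consulting the resolver at all,
    which the current standard permits and the proposal would require. A bare
    IP literal is taken as-is. Anything else goes through the resolver, and
    every returned address must be loopback; otherwise we refuse rather than
    let the traffic leak onto the network.
    """
    if is_localhost_name(host):
        return list(LOOPBACK_ADDRS)
    try:
        candidates = [ipaddress.ip_address(host)]
    except ValueError:
        # Strip any IPv6 zone index ("%eth0") the OS resolver may append.
        candidates = [ipaddress.ip_address(a.split("%")[0]) for a in resolver(host)]
    bad = [str(a) for a in candidates if not a.is_loopback]
    if bad or not candidates:
        raise LocalOnlyError(f"{host!r} does not resolve to loopback only: {bad}")
    return candidates
```

The `resolver` parameter exists so the behaviour can be exercised against a deliberately wrong lookup: a resolver that answers 203.0.113.5 for everything is simply never consulted for localhost, and is caught for any other name.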


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/09YJc8aswiU/